Legal Infrastructure for Healthcare SaaS & AI
I am Sergei Tokmakov, a California attorney. I help digital health startups, healthcare AI companies, and telehealth platforms build the legal foundation they need: HIPAA-compliant agreements, BAAs, Terms of Service, and a privacy stack mapped to all 50 states plus DC.

Ask my AI Legal Analyst about your healthcare SaaS legal stack
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step. Answers draw on the HIPAA, BAA, DPA, FDA SaMD, and 50-state privacy material on this page. Common healthcare SaaS questions are always free.
Healthcare SaaS Legal Stack Scoper: 8 quick questions, then a likely document and review list. Informational only (fictional scoping logic), not legal advice and not a scope of representation; a real matter is confirmed in writing.
What a healthcare SaaS legal stack actually requires
Every section on this page is folded. Open only what you need. The short version is below; the detail is one click away.
🩺 The 60-second overview: why HIPAA is the floor, not the ceiling, and what documents follow from that
If your platform creates, receives, maintains, or transmits protected health information (PHI) for a covered entity, HIPAA pulls you in as a business associate and a Business Associate Agreement (BAA) becomes mandatory. But HIPAA is a federal floor. State medical-privacy and consumer-health-data laws layer on top, and several do not care whether you signed a BAA.
Who this page is for
- Digital health and telehealth startups preparing to sign their first hospital or clinic customer.
- Healthcare AI companies that need to position their product relative to FDA software-as-a-medical-device rules.
- Behavioral-health and substance-use-disorder platforms that also touch 42 CFR Part 2 data.
- Founders selling nationally who need to know which states reach beyond HIPAA.
The healthcare SaaS regulatory landscape
Four overlapping regimes touch most healthcare SaaS products. Open each for the operative rule.
📋 HIPAA (federal floor): Privacy Rule, Security Rule, Breach Notification Rule, and business-associate liability
HIPAA applies to covered entities and to business associates that handle PHI on their behalf. Since the HITECH amendments, business associates (including SaaS vendors) are directly liable to the HHS Office for Civil Rights, not just contractually liable to their customer.
- Privacy Rule: limits use and disclosure of PHI; requires minimum-necessary practices.
- Security Rule: administrative, physical, and technical safeguards for electronic PHI.
- Breach Notification Rule: notice obligations triggered by an impermissible use or disclosure (see the breach timeline section).
🏛️ State medical-privacy and consumer-health-data laws: CMIA, MHMDA, CTDPA health amendments, and the data-level-exemption trap
This is where most national products get surprised. Some states regulate consumer health data that HIPAA never reaches, and some comprehensive privacy laws exempt PHI but not the company. The full 50-state map is below.
- California CMIA can be stricter than HIPAA and carries a private right of action.
- Washington My Health My Data Act reaches consumer health data outside HIPAA, with a private right of action via the Consumer Protection Act.
- Oregon, Maryland, New Jersey, Delaware use data-level (not entity-level) HIPAA exemptions, so being a business associate does not exempt your organization.
🤖 FDA software as a medical device (SaMD): when AI clinical software crosses into FDA-regulated territory
If your software provides patient-specific information used to drive a clinical decision, the FDA may regulate it as Software as a Medical Device. A narrow Clinical Decision Support exemption can apply where the basis for a recommendation is transparent enough that a clinician can independently review it. The screening tree is below.
Open the FDA SaMD screening tool →
🌍 GDPR / UK GDPR and the DPA layer: when non-PHI personal data pulls in a separate data-processing regime
A HIPAA BAA does not satisfy GDPR, and a GDPR-style DPA does not satisfy HIPAA. If you process personal data of EU or UK residents, or non-PHI data subject to US state laws like CCPA/CPRA, you generally need a separate Data Processing Agreement alongside the BAA.
See the BAA vs DPA comparison →
Document generators
Free starting drafts. The flagship package is where I tailor and connect these into a coherent, attorney-drafted stack.
🧰 Open the generator library: HIPAA BAA, healthcare NDAs, SaaS terms, privacy policies, and more
How healthcare SaaS documents fit together
Six layers, each doing a distinct job. Open for the stack diagram.
🧱 The six-layer document stack: from the master agreement down to the compliance gap memo
BAA vs DPA: when you need which (or both)
A frequent and expensive confusion. They cover different data under different laws.
⚖️ Side-by-side comparison: different regulators, different data, often both required
| Dimension | HIPAA BAA | Data Processing Agreement |
|---|---|---|
| Governing law | HIPAA / HITECH (US) | GDPR Art. 28, UK GDPR, CCPA/CPRA |
| Data covered | Protected health information (PHI) | Personal data generally (analytics, marketing, HR) |
| Triggered by | Handling PHI for a covered entity | Processing personal data of EU/UK or in-scope state residents |
| Breach clock | Without unreasonable delay and no later than 60 days after discovery (HIPAA; a BAA may shorten this) | 72 hours after becoming aware, to the supervisory authority (GDPR) |
| Satisfies the other? | No, a BAA does not satisfy GDPR | No, a DPA does not satisfy HIPAA |
HIPAA breach penalty calculator
A rough exposure estimate using the current per-violation tiers. Open to run it.
🧮 Estimate potential HIPAA penalty exposure: records affected × culpability tier, with annual cap context
HIPAA compliance checklist for SaaS
A working checklist. Progress is saved in your browser for this session.
📑 Open the compliance checklist: administrative, technical, and contractual safeguards
HIPAA breach notification timeline
The clock runs from discovery, not from when you finish investigating. Open the timeline.
⏱️ The notification clock, step by step: business-associate, covered-entity, HHS, and media tracks
Is your AI product a medical device?
A quick screen, not a regulatory determination. Open to step through it.
🔬 FDA SaMD screening questions: does the software drive a clinical decision, and can a clinician review the basis?
State health-privacy laws beyond HIPAA
HIPAA is the floor. This map shows, for every state plus DC, the health-privacy posture and what it implies for your documents. Color-coded by tier: red/amber for special health-data regimes, blue for comprehensive privacy laws, green for HIPAA-plus-baseline.
🎯 Pick a state to see what it implicates: select a state for its tier, the governing law, and which package documents it affects
🗺️ Open the full 50-state + DC table: searchable and filterable by tier; one-line implication per state
| State | Governing law / posture | What it implies for your stack |
|---|---|---|
Must-flag states: the ones that change the stack
Five states (plus two structural traps) most often force extra documents or schedules. Each is folded.
🐻 California: CMIA + CCPA/CPRA. A SaaS vendor can itself be a "provider of health care" under CMIA
Under CMIA Civil Code 56.06, a SaaS vendor that maintains medical information or offers health or wellness software, mobile apps, or reproductive/sexual-health digital services can itself be deemed a "provider of health care" directly subject to the CMIA. CMIA can be more stringent than HIPAA and carries a private right of action.
🌲 Washington: My Health My Data Act (RCW 19.373). Private right of action; reaches consumer health data outside HIPAA
MHMDA exempts HIPAA PHI and intermingled data held by a covered entity or business associate, but any consumer health data collected outside the HIPAA-covered stream (direct-to-consumer, app, or web data) falls squarely within it.
That triggers opt-in consent to collect, separate consent to share, valid authorization to sell, a distinct consumer-health-data privacy policy linked on the homepage, consumer access and deletion rights, and a geofencing ban, all backed by a private right of action via the Washington Consumer Protection Act.
Read the full MHMDA guide →
⭐ Texas: HB 300 / Medical Records Privacy Act + SB 1188. Heaviest lift: broad covered-entity reach plus US data-localization for EHRs
Texas defines "covered entity" far more broadly than HIPAA, reaching any out-of-state vendor that handles PHI of Texas residents, and adds privacy training within 90 days of hire, electronic-disclosure limits, and breach notice to the Texas AG at a 250-resident threshold. SB 1188 adds the data-localization rule: electronic health records of Texas patients must be physically maintained in the United States, which constrains hosting-region choices for any vendor storing Texas EHR data.
🎰 Nevada: SB 370 consumer health data (NRS 603A). Fully exempts HIPAA data, but reaches DTC and pre-relationship health data
SB 370 fully exempts both HIPAA-covered entities and HIPAA PHI, so a vendor acting solely as a HIPAA business associate processing only PHI is generally exempt. But any consumer health data collected outside the HIPAA-covered relationship (direct-to-consumer app data, marketing, or pre-relationship intake) triggers SB 370.
That means a separate consumer-health-data privacy policy, prior affirmative opt-in consent to collect and (separately) to share, written authorization to sell, and a prohibition on geofencing around health-care facilities. Enforced by the Nevada AG; no private right of action.
🌳 Connecticut: CTDPA health-data amendments (PA 23-56). Consent, sale ban, and a 1,750-foot geofencing prohibition
PHI handled under the BAA is exempt at the entity and data level, but any consumer health data the vendor touches outside HIPAA (behavioral-health-adjacent app data, marketing, geolocation) triggers PA 23-56: opt-in consent to process, a ban on selling consumer health data without consent, and a prohibition on geofencing within 1,750 feet of any mental-health, reproductive, or sexual-health facility.
🪤 Structural trap: data-level HIPAA exemptions (OR, MD, NJ, DE). Being a business associate does not exempt your company as an organization
Three comprehensive-law states (Oregon, Maryland, and New Jersey) do not grant an entity-level HIPAA exemption, so being a HIPAA business associate does not exempt the SaaS as an organization. Oregon (OCPA) and Maryland (MODPA) exempt only PHI at the data level; New Jersey (NJDPA) likewise exempts PHI at the data level and does not exempt HIPAA-regulated entities. Delaware is the related fourth case, discussed below.
For all three, the MSA and privacy-policy stack must build full controller/processor obligations (including opt-in consent for health-condition/diagnosis data) on top of the BAA. Maryland goes further with a strict-necessity minimization rule and an absolute ban on selling sensitive/consumer-health data regardless of consent. Delaware (DPDPA) is the related outlier: no entity-level exemption, a 35,000-consumer threshold with no revenue floor, and coverage of nonprofits.
🧠 Structural trap: behavioral-health / SUD overlay (IL, MI, MN, NY, PA + 42 CFR Part 2). State consent rules stricter than HIPAA, layered on Part 2
For behavioral-health and substance-use-disorder customers, several states layer consent rules stricter than HIPAA on top of 42 CFR Part 2: the Michigan Mental Health Code (MCL 330.1748), the Minnesota Health Records Act (144.293, requiring signed consent even for treatment, payment, or operations), New York Mental Hygiene Law 33.13, and Pennsylvania's Act 148 (HIV), Mental Health Procedures Act, and Drug and Alcohol Abuse Control Act.
Illinois adds BIPA/GIPA private-right-of-action exposure for any biometric or genetic data. Consent flows and the BAA/MSA must permit honoring these more-stringent state authorizations.
Washington consumer-health-data library
Washington's My Health My Data Act (RCW 19.373) reaches consumer health data far beyond HIPAA, with a private right of action. These guides go deeper than the 50-state map on the issues a mental-health, behavioral-health, or AI-health SaaS hits most.
🗺️ Open the Washington MHMDA library: My Health My Data, HIPAA-vs-MHMDA, AI-health checklists, processor contracts, breach analysis
Which documents do you need?
Four common healthcare SaaS shapes and the documents each typically needs. Open to compare.
🧩 Match your product to a document set: telehealth, analytics, behavioral-health, and wellness-app patterns
Telehealth platform
- MSA + Order Form
- HIPAA BAA
- Terms of Service with clinical disclaimer
- Privacy Policy (state-specific)
Healthcare analytics / data platform
- MSA + DPA framework
- HIPAA BAA + subcontractor BAAs
- De-identification terms (AB 713 where CA)
- SLA / API license
Behavioral-health / SUD platform
- HIPAA BAA with 42 CFR Part 2 schedule
- State mental-health consent terms
- Privacy Policy with consumer-health-data disclosures
- MHMDA / SB 370 controls where applicable
Consumer wellness app
- Terms of Service
- Consumer-health-data Privacy Policy (WA, NV, CT)
- DPA for analytics vendors
- Geofencing and consent controls
7 legal mistakes healthcare SaaS startups make
The recurring, expensive ones. Open the list.
🚩 The seven most common mistakes: from "encryption means no BAA" to "a BAA covers GDPR"
90-day legal launch roadmap
A practical order of operations for a pre-launch healthcare SaaS. Open the phases.
🗓️ Pre-launch, launch, and post-launch phases: what to do before the first hospital signature, and after
Real enforcement against tech vendors
Regulators have pursued technology vendors, not just hospitals. Open for representative actions.
⚖️ Representative enforcement themes: tracking pixels, business-associate failures, and consumer-health-data actions
Healthcare SaaS legal glossary
Tap a card to flip it for the definition. Open the deck.
🔖 Flip-card glossary: PHI, BAA, DPA, SaMD, CMIA, MHMDA, and more
How my pricing compares
A flat fee against the usual BigLaw and mid-firm ranges for the same stack. Open the table.
💲 Flat fee vs hourly firm ranges: same six-document stack, very different invoices
| The stack | BigLaw | Mid-firm | Terms.Law |
|---|---|---|---|
| MSA + Order Form | $6,000+ | $2,500+ | Included |
| HIPAA BAA (+ Part 2 schedule) | $4,000+ | $1,800+ | Included |
| Terms of Service + Privacy Policy | $6,000+ | $2,500+ | Included |
| DPA framework | $3,000+ | $1,500+ | Included |
| Compliance gap memo | $3,000+ | $1,200+ | Included |
| Total | $22,000+ | $9,500+ | $2,500 flat |
Ranges are illustrative of typical market pricing, not quotes from specific firms. My flat fee includes one round of revisions; overflow beyond the package estimate bills at $240 per hour.
Attorney services for healthcare SaaS
Three ways to engage, from a single-document review to ongoing counsel. Open to compare.
🤝 Compare the three engagement options: document review, the flagship package, and ongoing counsel
Document review
- One document reviewed
- Written risk flags
- Recommended revisions
Flagship Healthcare SaaS Legal Package
- MSA + Order Form
- HIPAA BAA (Part 2 / CMIA schedule)
- Terms of Service + Privacy Policy
- DPA framework
- Compliance gap memo
- One revision round
Ongoing counsel
- Customer and vendor redlines
- Privacy and compliance questions
- Monthly check-ins
Prefer a written opinion first? The $240 Written Attorney Consultation is the lower-friction entry point.
Frequently asked questions
Each answer is folded. Open the ones you need.
❓ What legal documents does a healthcare SaaS company need?
At minimum: Terms of Service, Privacy Policy, a HIPAA BAA, and a SaaS subscription agreement. If you integrate with hospital systems or expose PHI through APIs, you also need an API license and an SLA, plus a DPA covering any non-PHI personal data you process (analytics, marketing, or EU/UK users). Companies selling to enterprises typically need an MSA/SOW framework as well.
❓ When is a HIPAA Business Associate Agreement required?
Whenever your platform creates, receives, maintains, or transmits PHI on behalf of a covered entity (hospital, clinic, insurer). That includes cloud-hosting PHI, processing claims data, or running analytics on patient records. Even storing encrypted PHI generally triggers the requirement.
❓ Which states have health-privacy laws beyond HIPAA?
Several. Washington (MHMDA), Nevada (SB 370), and Connecticut (CTDPA health amendments) regulate consumer health data outside HIPAA. California's CMIA can be stricter than HIPAA with a private right of action. Texas adds data-localization duties. Oregon, Maryland, New Jersey, and Delaware use data-level rather than entity-level HIPAA exemptions. See the 50-state table above; the applicable laws depend on where your users are.
❓ Do digital health startups need a DPA in addition to a BAA?
Often yes. A BAA covers HIPAA PHI; a DPA covers general personal data under GDPR, UK GDPR, and CCPA/CPRA. They are not interchangeable, and most companies operating nationally need both.
❓ What does the $2,500 Healthcare SaaS Legal Package include?
An MSA with order form, a HIPAA BAA (with a 42 CFR Part 2 / CMIA schedule where needed), Terms of Service, a Privacy Policy, a DPA framework, and a compliance gap memo across your vendor stack, with one revision round. Overflow beyond the package estimate bills at $240 per hour.
❓ Is the AI Legal Analyst on this page legal advice?
No. It is attorney-supervised AI that provides legal information, not legal advice, and using it does not create an attorney-client relationship. For advice tailored to your facts, the engagement is where that happens.
Build your healthcare SaaS legal stack
The flagship package gives you the full six-document stack, tailored to your product, your vendors, and the states your users live in. Flat fee, one revision round, no surprises.
Sergei Tokmakov, Esq., CA Bar #279869. Attorney advertising.