Updated June 2026 · 50-state health-privacy map

Legal Infrastructure for Healthcare SaaS & AI

I am Sergei Tokmakov, a California attorney. I help digital health startups, healthcare AI companies, and telehealth platforms build the legal foundation they need: HIPAA-compliant agreements, BAAs, Terms of Service, and a privacy stack mapped to all 50 states plus DC.

50 + DC: state privacy laws mapped
10+: document generators
$2,500: flat-fee legal package
Sergei Tokmakov, Esq., California attorney, CA Bar #279869

Ask my AI Legal Analyst about your healthcare SaaS legal stack?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step. Answers draw on the HIPAA, BAA, DPA, FDA SaMD, and 50-state privacy material on this page.

Start here

What a healthcare SaaS legal stack actually requires

Every section on this page is folded. Open only what you need. The short version is below; the detail is one click away.

🩺 The 60-second overview
Why HIPAA is the floor, not the ceiling, and what documents follow from that

If your platform creates, receives, maintains, or transmits protected health information (PHI) for a covered entity, HIPAA pulls you in as a business associate and a Business Associate Agreement (BAA) becomes mandatory. But HIPAA is a federal floor. State medical-privacy and consumer-health-data laws layer on top, and several do not care whether you signed a BAA.

ⓘ The practical takeaway
A complete stack is usually six documents: an MSA with order form, a HIPAA BAA, Terms of Service, a Privacy Policy, a DPA framework, and a compliance gap memo. The state-by-state map further down tells you which of those need state-specific schedules.

Who this page is for

  • Digital health and telehealth startups preparing to sign their first hospital or clinic customer.
  • Healthcare AI companies that need to position their product relative to FDA software-as-a-medical-device rules.
  • Behavioral-health and substance-use-disorder platforms that also touch 42 CFR Part 2 data.
  • Founders selling nationally who need to know which states reach beyond HIPAA.
Regulatory landscape

The healthcare SaaS regulatory landscape

Four overlapping regimes touch most healthcare SaaS products. Open each for the operative rule.

📋 HIPAA (federal floor)
Privacy Rule, Security Rule, Breach Notification Rule, and business-associate liability

HIPAA applies to covered entities and to business associates that handle PHI on their behalf. Since the HITECH amendments, business associates (including SaaS vendors) are directly liable to the HHS Office for Civil Rights, not just contractually liable to their customer.

  • Privacy Rule: limits use and disclosure of PHI; requires minimum-necessary practices.
  • Security Rule: administrative, physical, and technical safeguards for electronic PHI.
  • Breach Notification Rule: notice obligations triggered by an impermissible use or disclosure (see the breach timeline section).
⚠ Common trap
"We only store encrypted PHI, so HIPAA does not apply." Encryption reduces breach risk but does not remove you from business-associate status. If you can touch the PHI, you generally need a BAA.
🏛️ State medical-privacy and consumer-health-data laws
CMIA, MHMDA, CTDPA health amendments, and the data-level-exemption trap

This is where most national products get surprised. Some states regulate consumer health data that HIPAA never reaches, and some comprehensive privacy laws exempt PHI but not the company. The full 50-state map is below.

  • California CMIA can be stricter than HIPAA and carries a private right of action.
  • Washington My Health My Data Act reaches consumer health data outside HIPAA, with a private right of action via the Consumer Protection Act.
  • Oregon, Maryland, New Jersey, Delaware use data-level (not entity-level) HIPAA exemptions, so being a business associate does not exempt your organization.
Jump to the 50-state map →
🤖 FDA software as a medical device (SaMD)
When AI clinical software crosses into FDA-regulated territory

If your software provides patient-specific information used to drive a clinical decision, the FDA may regulate it as Software as a Medical Device. A narrow Clinical Decision Support exemption can apply where the basis for a recommendation is transparent enough that a clinician can independently review it. The screening tree is below.

Open the FDA SaMD screening tool →
🌍 GDPR / UK GDPR and the DPA layer
When non-PHI personal data pulls in a separate data-processing regime

A HIPAA BAA does not satisfy GDPR, and a GDPR-style DPA does not satisfy HIPAA. If you process personal data of EU or UK residents, or non-PHI data subject to US state laws like CCPA/CPRA, you generally need a separate Data Processing Agreement alongside the BAA.

See the BAA vs DPA comparison →
Free tools

Document generators

Free starting drafts. The flagship package is where I tailor and connect these into a coherent, attorney-drafted stack.

🧰 Open the generator library
HIPAA BAA, healthcare NDAs, SaaS terms, privacy policies, and more
How it fits together

How healthcare SaaS documents fit together

Six layers, each doing a distinct job. Open for the stack diagram.

🧱 The six-layer document stack
From the master agreement down to the compliance gap memo

1. Master Services Agreement + Order Form: the commercial backbone (subscription terms, fees, SLAs, liability, IP).
2. HIPAA Business Associate Agreement: PHI obligations, with a 42 CFR Part 2 / CMIA schedule where the data demands it.
3. Terms of Service: end-user terms, clinical disclaimers, acceptable use, FDA status language.
4. Privacy Policy: HIPAA, CMIA, and state consumer-health-data disclosures; standalone where a state requires it.
5. Data Processing Agreement framework: GDPR / CCPA processor obligations for non-PHI personal data.
6. Compliance gap memo: a read on your vendor stack and which state schedules you actually need.
Decision point

BAA vs DPA: when you need which (or both)

A frequent and expensive confusion. They cover different data under different laws.

⚖️ Side-by-side comparison
Different regulators, different data, often both required

Dimension | HIPAA BAA | Data Processing Agreement
Governing law | HIPAA / HITECH (US) | GDPR Art. 28, UK GDPR, CCPA/CPRA
Data covered | Protected health information (PHI) | Personal data generally (analytics, marketing, HR)
Triggered by | Handling PHI for a covered entity | Processing personal data of EU/UK or in-scope state residents
Breach clock | 60 days from discovery (HIPAA) | 72 hours to supervisory authority (GDPR)
Satisfies the other? | No, a BAA does not satisfy GDPR | No, a DPA does not satisfy HIPAA
✓ Bottom line
Most healthcare SaaS companies operating nationally need both. The flagship package includes a DPA framework alongside the BAA so non-PHI data is not left uncovered.
Interactive

HIPAA breach penalty calculator

A rough exposure estimate using the current per-violation tiers. Open to run it.

🧮 Estimate potential HIPAA penalty exposure
Records affected × culpability tier, with annual cap context

Annual cap per category: $2,067,813
Penalty amounts are inflation-adjusted federal figures. This is an educational estimate, not a prediction of any specific enforcement outcome.
⚠ Beyond federal penalties
State attorneys general can bring separate actions, and breach events frequently trigger class-action litigation. Total exposure is usually larger than the federal figure alone.
Self-assessment

HIPAA compliance checklist for SaaS

A working checklist. Progress is saved in your browser for this session.

📑 Open the compliance checklist
Administrative, technical, and contractual safeguards


Time-critical

HIPAA breach notification timeline

The clock runs from discovery, not from when you finish investigating. Open the timeline.

⏱️ The notification clock, step by step
Business-associate, covered-entity, HHS, and media tracks

Day 0: Discovery of the breach
The clock starts. As a business associate, your BAA may require notice to the covered entity within 24 to 72 hours, far shorter than the statutory outer limit.
Without unreasonable delay: Business associate notifies the covered entity
Provide the identification of affected individuals and the information needed for the covered entity to meet its own obligations.
By day 60: Covered entity notifies affected individuals
Individual notice is due without unreasonable delay and no later than 60 days from discovery.
Breaches of 500+ individuals: HHS and media notice
Notice to HHS without unreasonable delay (and within 60 days), plus prominent media notice in the affected jurisdiction.
Annually: Smaller breaches logged to HHS
Breaches affecting fewer than 500 individuals are reported to HHS in an annual log.
⚠ Check your BAA first
Many hospital BAAs impose a notice window much shorter than 60 days. The contractual clock usually controls your operational deadline.
Screening tool

Is your AI product a medical device?

A quick screen, not a regulatory determination. Open to step through it.

🔬 FDA SaMD screening questions
Does the software drive a clinical decision, and can a clinician review the basis?
1. Does your software provide patient-specific information used to make a clinical diagnosis or treatment decision?
ⓘ Screening only
This tree is a starting point. An actual SaMD determination turns on intended use and specific functionality and should be confirmed with counsel before you make regulatory representations.
50 states + DC

State health-privacy laws beyond HIPAA

HIPAA is the floor. This map shows, for every state plus DC, the health-privacy posture and what it implies for your documents. Color-coded by tier: red/amber for special health-data regimes, blue for comprehensive privacy laws, green for HIPAA-plus-baseline.

General information, not legal advice. These state summaries are general information current as of June 2026, prepared by Sergei Tokmakov (CA Bar #279869). State privacy and health-data laws change frequently; several entries below reflect statutes with future effective dates or pending bills, and the precise application to your product depends on facts I would confirm in an engagement. Nothing here creates an attorney-client relationship. The flagship engagement confirms the specifics for your particular states and data flows.
🎯 Pick a state to see what it implicates
Select a state for its tier, the governing law, and which package documents it affects
🗺️ Open the full 50-state + DC table
Searchable and filterable by tier; one-line implication per state
⚠ A few entries warrant a second look before you rely on them
Several states (for example Michigan, North Carolina, and North Dakota) are flagged because their client-facing effect turns on breach-statute scope or pending-bill status. I re-verify those against current statutory text in the engagement.
Standout states

Must-flag states: the ones that change the stack

Five states (plus two structural traps) most often force extra documents or schedules. Each is folded.

🐻 California: CMIA + CCPA/CPRA
A SaaS vendor can itself be a "provider of health care" under CMIA

Under CMIA Civil Code 56.06, a SaaS vendor that maintains medical information or offers health or wellness software, mobile apps, or reproductive/sexual-health digital services can itself be deemed a "provider of health care" directly subject to the CMIA. CMIA can be more stringent than HIPAA and carries a private right of action.

⚠ What to add
CMIA-specific terms (patient authorization, CMIA-compliant disclosure limits, AB 713 de-identification standards). You cannot rely solely on the HIPAA BAA plus the CCPA's HIPAA/CMIA exemptions.
🌲 Washington: My Health My Data Act (RCW 19.373)
Private right of action; reaches consumer health data outside HIPAA

MHMDA exempts HIPAA PHI and intermingled data held by a covered entity or business associate, but any consumer health data collected outside the HIPAA-covered stream (direct-to-consumer, app, or web data) falls squarely within it.

That triggers opt-in consent to collect, separate consent to share, valid authorization to sell, a distinct consumer-health-data privacy policy linked on the homepage, consumer access and deletion rights, and a geofencing ban, all backed by a private right of action via the Washington Consumer Protection Act.

Read the full MHMDA guide →
Texas: HB 300 / Medical Records Privacy Act + SB 1188
Heaviest lift: broad covered-entity reach plus US data-localization for EHRs

Texas defines "covered entity" far more broadly than HIPAA, reaching any out-of-state vendor that handles PHI of Texas residents, and adds 90-day privacy training, electronic-disclosure limits, and breach notice to the Texas AG at a 250-resident threshold.

⚠ SB 1188 data-localization (effective Jan 1, 2026)
EHRs of Texas patients, including backups, caching, replication, and disaster recovery at cloud and subcontractor facilities, must be physically stored in the United States. The law also mandates role-based access controls and disclosure of AI used in diagnosis or treatment.
🎰 Nevada: SB 370 consumer health data (NRS 603A)
Fully exempts HIPAA data, but reaches DTC and pre-relationship health data

SB 370 fully exempts both HIPAA-covered entities and HIPAA PHI, so a vendor acting solely as a HIPAA business associate processing only PHI is generally exempt. But any consumer health data collected outside the HIPAA-covered relationship (direct-to-consumer app data, marketing, or pre-relationship intake) triggers SB 370.

That means a separate consumer-health-data privacy policy, prior affirmative opt-in consent to collect and (separately) to share, written authorization to sell, and a prohibition on geofencing around health-care facilities. Enforced by the Nevada AG; no private right of action.

🌳 Connecticut: CTDPA health-data amendments (PA 23-56)
Consent, sale ban, and a 1,750-foot geofencing prohibition

PHI handled under the BAA is exempt at the entity and data level, but any consumer health data the vendor touches outside HIPAA (behavioral-health-adjacent app data, marketing, geolocation) triggers PA 23-56: opt-in consent to process, a ban on selling consumer health data without consent, and a prohibition on geofencing within 1,750 feet of any mental-health, reproductive, or sexual-health facility.

🪤 Structural trap: data-level HIPAA exemptions (OR, MD, NJ, DE)
Being a business associate does not exempt your company as an organization

Three comprehensive-law states do not grant an entity-level HIPAA exemption, so being a HIPAA business associate does not exempt the SaaS as an organization. Oregon (OCPA) and Maryland (MODPA) exempt only PHI at the data level; New Jersey (NJDPA) exempts PHI at the data level and does not exempt HIPAA-regulated entities.

For all three, the MSA and privacy-policy stack must build full controller/processor obligations (including opt-in consent for health-condition/diagnosis data) on top of the BAA. Maryland goes further with a strict-necessity minimization rule and an absolute ban on selling sensitive/consumer-health data regardless of consent. Delaware (DPDPA) is the related outlier: no entity-level exemption, a 35,000-consumer threshold with no revenue floor, and coverage of nonprofits.

🧠 Structural trap: behavioral-health / SUD overlay (IL, MI, MN, NY, PA + 42 CFR Part 2)
State consent rules stricter than HIPAA, layered on Part 2

For behavioral-health and substance-use-disorder customers, several states layer consent rules stricter than HIPAA on top of 42 CFR Part 2: the Michigan Mental Health Code (MCL 330.1748), the Minnesota Health Records Act (144.293, requiring signed consent even for treatment, payment, or operations), New York Mental Hygiene Law 33.13, and Pennsylvania's Act 148 (HIV), Mental Health Procedures Act, and Drug and Alcohol Abuse Control Act.

Illinois adds BIPA/GIPA private-right-of-action exposure for any biometric or genetic data. Consent flows and the BAA/MSA must permit honoring these more-stringent state authorizations.

Washington deep-dive

Washington consumer-health-data library

Washington's My Health My Data Act (RCW 19.373) reaches consumer health data far beyond HIPAA, with a private right of action. These guides go deeper than the 50-state map on the issues a mental-health, behavioral-health, or AI-health SaaS hits most.

🗺️ Open the Washington MHMDA library
My Health My Data, HIPAA-vs-MHMDA, AI-health checklists, processor contracts, breach analysis
By product type

Which documents do you need?

Four common healthcare SaaS shapes and the documents each typically needs. Open to compare.

🧩 Match your product to a document set
Telehealth, analytics, behavioral-health, and wellness-app patterns

📹 Telehealth platform
Handles PHI for clinics; integrates with their systems.
  • MSA + Order Form
  • HIPAA BAA
  • Terms of Service with clinical disclaimer
  • Privacy Policy (state-specific)

📊 Healthcare analytics SaaS
Runs analytics on patient records via API.
  • MSA + DPA framework
  • HIPAA BAA + subcontractor BAAs
  • De-identification terms (AB 713 where CA)
  • SLA / API license

🧠 Behavioral-health / SUD app
Touches mental-health and Part 2 data.
  • HIPAA BAA with 42 CFR Part 2 schedule
  • State mental-health consent terms
  • Privacy Policy with consumer-health-data disclosures
  • MHMDA / SB 370 controls where applicable

Consumer wellness app (no PHI)
Direct-to-consumer; no covered-entity relationship.
  • Terms of Service
  • Consumer-health-data Privacy Policy (WA, NV, CT)
  • DPA for analytics vendors
  • Geofencing and consent controls
Avoid these

7 legal mistakes healthcare SaaS startups make

The recurring, expensive ones. Open the list.

🚩 The seven most common mistakes
From "encryption means no BAA" to "a BAA covers GDPR"

Mistake 1: Assuming encryption removes HIPAA obligations
Encryption mitigates breach risk but does not strip business-associate status.
Fix: Sign a BAA whenever you can touch PHI, encrypted or not.

Mistake 2: Treating a BAA as if it satisfies GDPR
A BAA addresses HIPAA PHI; it does nothing for EU/UK personal data.
Fix: Add a DPA framework for non-PHI personal data.

Mistake 3: Ignoring state laws because "HIPAA preempts"
HIPAA is a floor. CMIA, MHMDA, and others survive and add requirements.
Fix: Map your user states against the 50-state table above.

Mistake 4: Bundling consumer-health-data disclosures into the general privacy policy
Washington and Nevada require a standalone consumer-health-data policy linked on the homepage.
Fix: Maintain a separate, linked consumer-health-data privacy policy.

Mistake 5: Skipping subcontractor BAAs
Hosting, monitoring, and support vendors that can touch PHI need their own BAAs.
Fix: Flow down BAAs to every PHI-touching subprocessor.

Mistake 6: Making FDA representations without a SaMD analysis
Marketing a clinical-decision feature can pull you into device regulation.
Fix: Run the SaMD screen and align ToS disclaimers to it.

Mistake 7: Relying on a BAA's 60-day clock when the contract says 72 hours
Your operational breach deadline is usually the contractual one, not the statutory outer limit.
Fix: Build your incident runbook around the shortest applicable clock.
Sequencing

90-day legal launch roadmap

A practical order of operations for a pre-launch healthcare SaaS. Open the phases.

🗓️ Pre-launch, launch, and post-launch phases
What to do before the first hospital signature, and after

Days 1-30: Foundation
  • Map your data flows and identify which are PHI vs non-PHI.
  • Draft the MSA, BAA, and Terms of Service.
  • Run the SaMD screen if you have any clinical-decision features.

Days 31-60: Compliance build
  • Stand up the Privacy Policy and any state-specific consumer-health-data policy.
  • Sign subcontractor BAAs across your PHI-touching vendor stack.
  • Document security policies, training, and the breach runbook.

Days 61-90: Go-to-market readiness
  • Prepare an enterprise procurement packet (security exhibits, DPA, SLA).
  • Confirm state-specific schedules for your target customer states.
  • Close the gaps in the compliance gap memo before your first signature.
Why this matters

Real enforcement against tech vendors

Regulators have pursued technology vendors, not just hospitals. Open for representative actions.

⚖️ Representative enforcement themes
Tracking pixels, business-associate failures, and consumer-health-data actions

ⓘ Note on figures
These describe enforcement themes and the kinds of conduct regulators have targeted. I confirm the current posture and any specific settlement figures against primary sources during an engagement rather than relying on a marketing page.

Theme: Web tracking pixels on health sites
Regulators and plaintiffs have targeted analytics and advertising pixels that transmitted health-related browsing data without authorization, including on the public pages of HIPAA-covered organizations.

Theme: Business-associate security failures
OCR has pursued vendors whose inadequate safeguards led to PHI breaches, reinforcing that business associates are directly liable, not merely contractually exposed.

Theme: Consumer-health-data actions
State and federal authorities have pursued apps and platforms over sale and sharing of consumer health data collected outside the HIPAA-covered stream.
Reference

Healthcare SaaS legal glossary

Tap a card to flip it for the definition. Open the deck.

🔖 Flip-card glossary
PHI, BAA, DPA, SaMD, CMIA, MHMDA, and more
Value

How my pricing compares

A flat fee against the usual BigLaw and mid-firm ranges for the same stack. Open the table.

💲 Flat fee vs hourly firm ranges
Same six-document stack, very different invoices

The stack | BigLaw | Mid-firm | Terms.Law
MSA + Order Form | $6,000+ | $2,500+ | Included
HIPAA BAA (+ Part 2 schedule) | $4,000+ | $1,800+ | Included
Terms of Service + Privacy Policy | $6,000+ | $2,500+ | Included
DPA framework | $3,000+ | $1,500+ | Included
Compliance gap memo | $3,000+ | $1,200+ | Included
Total | $22,000+ | $9,500+ | $2,500 flat

Ranges are illustrative of typical market pricing, not quotes from specific firms. My flat fee includes one round of revisions; overflow beyond the package estimate bills at $240 per hour.

Work with me

Attorney services for healthcare SaaS

Three ways to engage, from a single-document review to ongoing counsel. Open to compare.

🤝 Compare the three engagement options
Document review, the flagship package, and ongoing counsel
Document Review
$500 flat
One existing document gets an attorney pass: risks flagged, revisions recommended.
  • One document reviewed
  • Written risk flags
  • Recommended revisions
Ongoing Health Tech Counsel
$1,500/month
Fractional counsel for an in-market healthcare SaaS: redlines, questions, updates.
  • Customer and vendor redlines
  • Privacy and compliance questions
  • Monthly check-ins

Prefer a written opinion first? The $240 Written Attorney Consultation is the lower-friction entry point.

Questions

Frequently asked questions

Each answer is folded. Open the ones you need.

What legal documents does a healthcare SaaS company need?

At minimum: Terms of Service, Privacy Policy, a HIPAA BAA, and a SaaS subscription agreement. If you integrate with hospital systems or handle PHI through APIs, you also need a DPA, an API license, and an SLA. Companies selling to enterprises typically need an MSA/SOW framework as well.

When is a HIPAA Business Associate Agreement required?

Whenever your platform creates, receives, maintains, or transmits PHI on behalf of a covered entity (hospital, clinic, insurer). That includes cloud-hosting PHI, processing claims data, or running analytics on patient records. Even storing encrypted PHI generally triggers the requirement.

Which states have health-privacy laws beyond HIPAA?

Several. Washington (MHMDA), Nevada (SB 370), and Connecticut (CTDPA health amendments) regulate consumer health data outside HIPAA. California's CMIA can be stricter than HIPAA with a private right of action. Texas adds data-localization duties. Oregon, Maryland, New Jersey, and Delaware use data-level rather than entity-level HIPAA exemptions. See the 50-state table above; the applicable laws depend on where your users are.

Do digital health startups need a DPA in addition to a BAA?

Often yes. A BAA covers HIPAA PHI; a DPA covers general personal data under GDPR, UK GDPR, and CCPA/CPRA. They are not interchangeable, and most companies operating nationally need both.

What does the $2,500 Healthcare SaaS Legal Package include?

An MSA with order form, a HIPAA BAA (with a 42 CFR Part 2 / CMIA schedule where needed), Terms of Service, a Privacy Policy, a DPA framework, and a compliance gap memo across your vendor stack, with one revision round. Overflow beyond the package estimate bills at $240 per hour.

Is the AI Legal Analyst on this page legal advice?

No. It is attorney-supervised AI that provides legal information, not legal advice, and using it does not create an attorney-client relationship. For advice tailored to your facts, the engagement is where that happens.

Build your healthcare SaaS legal stack

The flagship package gives you the full six-document stack, tailored to your product, your vendors, and the states your users live in. Flat fee, one revision round, no surprises.

Healthcare SaaS Legal Package · $2,500 flat

Sergei Tokmakov, Esq., CA Bar #279869. Attorney advertising. Prefer a written opinion first? The $240 Written Attorney Consultation is the lower-friction entry.
