The cheapest legal footing to run a pilot
You want to run a small or free pilot of a health, wellness, or senior-living product without paying for the full launch document stack. There is a defensible minimum: a consent and authorization, a product disclaimer and terms that say what the product is not, and a short privacy notice tailored to where your participants live. Here is that scope, what a BAA does and does not add at pilot stage, and what you can safely defer until launch.
Describe your pilot
Tell me what your pilot does, who the participants are, which states they live in, and whether a clinic or facility partner is involved, and I will point to the minimum scope that fits and flag what you can defer. A written scope quote for your pilot comes by email. AI-generated legal information, attorney-supervised, not legal advice.
What is the minimum scope for a small or free pilot?
Do I need a BAA for a pilot?
What can I safely defer until launch?
Why is the pilot scope quoted by email?
For a small or free pilot of a health, wellness, or senior-living product, this is the cheapest footing that is still defensible. Three documents, scaled to the pilot, not the launch.
Participant consent and authorization
Get written permission from the resident or customer, and where appropriate a family member or authorized representative, to collect and use their data for the specific pilot. This is the document that lets you lawfully run the pilot on real people. It should name the data you collect, the purpose, who sees it, how long you keep it, and how the participant can withdraw. Where participants are vulnerable adults or a representative signs, the authorization piece matters more, not less.
Do not skip this
A product disclaimer and terms: what it is not
State plainly what the product is and, just as important, what it is not. For a health, wellness, or senior-living pilot that usually means: it is not a safety or emergency monitoring service, it is not a medical device, it does not provide medical advice or diagnosis, and participants should not rely on it in place of professional care or a real alert system. This is the document that manages reliance and liability while the product is unproven, and it should match how you describe the pilot to participants.
Manages reliance and liability
A short, state-tailored privacy notice
A short privacy notice that accurately describes what you collect, why, who you share it with, and the rights participants have, tailored to the states where your pilot participants actually live. If any participants are in Washington, a separate consumer-health-data privacy posture may be needed; if in California, CMIA-type considerations can apply. The notice does not have to be the full fifty-state build, but it does have to be accurate for your actual participants.
Must match reality
The BAA question at pilot stage is the same as at launch: are you a business associate. The pilot does not change the test, only the volume of data.
The whole point of a pilot scope is to avoid paying for launch documents before you know whether the product survives the pilot. Here is the split for a genuinely small, closed pilot.
Have in place before the pilot starts
- Participant consent and authorization, with a representative signature where appropriate.
- A product disclaimer and terms stating what the product is not.
- A short privacy notice accurate for the states your participants live in.
- A BAA, only if a covered-entity partner will route protected health information to you.
- A basic, honest description of the pilot that matches all of the above.
Usually safe to defer until launch
- A full master service agreement and order form.
- A complete data processing agreement framework with every sub-processor papered.
- A security addendum and formal technical-and-organizational-measures schedule.
- Reseller, partner, or channel terms.
- A complete fifty-state privacy build and full consumer-health-data program.
- An MSA-grade liability cap, indemnity, and warranty negotiation.
General illustrations, not conclusions about your pilot. Your facts control.
A free 30-user wellness app pilot in one state
Adults sign up directly, one state, no clinic partner, no charging.
Consent and authorization, a product disclaimer and terms, and a short single-state privacy notice. No BAA, because no covered entity is involved. Defer the MSA, DPA framework, and fifty-state build until launch.
A sensor pilot in one independent-living community
Residents and families participate; the community does not bill Medicare.
Resident and family or representative consent, a disclaimer that it is not a safety or medical monitor, and a privacy notice for the residents' state. Usually no BAA, since the community is usually not a covered entity. Watch consumer-health-data law for the resident data.
A pilot with a clinic that routes patient data to you
A clinic feeds identifiable patient data into your tool during the pilot.
The clinic is a covered entity and PHI flows to you, so you are a business associate. The minimum scope now adds a BAA in place before the data moves, on top of consent, disclaimer, and a privacy notice. This is the heavier end of a pilot.
A pilot with participants in several states
Participants in California, Washington, and two other states.
Consent and disclaimer as usual, plus a privacy notice tuned to the specific states your participants live in, with Washington and California handled carefully. You still defer the complete fifty-state build, but the notice has to cover your actual footprint.
What it costs
The minimum pilot scope is quoted by email because the right scope depends on your facts. The full launch stack is a fixed flat fee. A written opinion on a single question sits in between.
Minimum pilot scope
Consent and authorization, a product disclaimer and terms, and a short state-tailored privacy notice, sized to your pilot, plus a BAA only if a covered-entity partner is involved. Because the right scope depends on your facts, I quote it by email after you describe the pilot. There is no fixed online checkout for this tier yet.
Written Attorney Consultation
One narrower question answered in writing, for example whether your pilot needs a BAA or what your disclaimer should say. Send the question, a short summary, and any key documents. Not a full document build.
Healthcare SaaS Legal Package
When the pilot graduates to launch: MSA and order form, HIPAA BAA where needed, Terms of Service, Privacy Policy, a DPA framework, and a compliance gap memo across your vendor stack. One revision round.
The minimum pilot scope has no confirmed online checkout, so it is quoted by email. The $2,500 Healthcare SaaS Legal Package is the confirmed flat-fee launch tier. Overflow on unusually large matters bills at $240 per hour.
What is the minimum legal scope to run a small or free pilot?
Usually three documents: a participant consent and authorization, signed by the resident or customer and, where appropriate, a family member or authorized representative; a product disclaimer and terms that say what the product is and what it is not, for example that it is not a safety monitor and not medical advice; and a short, accurate privacy notice tailored to the states where your participants live. That entry scope is far cheaper than a full launch stack and is meant to be replaced by the full documents before you go to market.
Do I need a BAA for a pilot?
Only if the pilot makes you a HIPAA business associate, which happens when a covered-entity partner lets you handle protected health information on its behalf. A direct-to-consumer pilot, or one with a partner that is not a covered entity, usually does not need a BAA, and signing one you cannot meet creates obligations you do not satisfy. If a covered-entity partner is involved and PHI will flow to you, you generally do need a BAA before that data moves, even for a pilot.
What can I safely defer until launch?
For a genuinely small, closed, free pilot, you can often defer a full MSA and order form, a complete DPA framework with every sub-processor papered, a security addendum, reseller or partner terms, and a complete fifty-state privacy build. What you should not defer is consent, an accurate description of what the product is not, and a privacy notice that matches reality. When the pilot starts to look like a launch, the deferred documents stop being deferrable.
Why is the pilot scope quoted by email instead of a fixed price?
Because the right minimum depends on your facts: whether a covered-entity partner is involved, whether minors or vulnerable adults participate, which states your participants live in, and how sensitive the data is. A consumer wellness pilot in one state needs less than a senior-living sensor pilot with a skilled-nursing partner across several states. Rather than publish a fixed price that would be wrong for half of these, I scope it by email. The full launch stack, by contrast, is a fixed flat fee, the $2,500 Healthcare SaaS Legal Package.