PHI types, record volume, covered-entity status, BAA-eligible processors, audit log retention, encryption, access control. Fourteen probing questions. Output: build cost (custom HIPAA) vs. HIPAA SaaS (Datica, Aptible, Particle Health) for your workload shape. The 8-page memo includes an architecture sketch, a BAA-eligible processor matrix, and the 7 must-haves auditors check.
Custom build cost: HIPAA-aligned architecture (PHI storage, audit logging, BAA-only processors, RBAC/ABAC, encryption at rest and in transit, deletion workflows, breach-notification SOP). Scales with PHI category mix, record volume, integration count, and portal count. The HIPAA SaaS comparison uses Datica / Aptible / Particle Health / Truework typical 2026 pricing. Both costs include first-year compliance work; ongoing audit and attestation recur yearly.
HIPAA SaaS (Datica, Aptible) wins for early-stage health-tech that just needs a compliant runtime — fast time-to-launch, less operational burden. Custom build wins above ~50K patient records or when you have specific workflow needs. The memo includes the decision matrix.
Business Associate Agreement — required between a covered entity and any vendor that handles PHI. AWS, Azure, and GCP all sign BAAs at enterprise tier. Many SaaS tools don't — that's where the eligibility matrix matters.
Architecture sketch, BAA-eligible processor matrix, RBAC/ABAC pattern, audit log schema, breach-notification SOP, the 7 must-haves auditors check. About 8 pages.