What HIPAA-aligned software actually costs.
Inputs: PHI types, record volume, covered-entity status, BAA processors, audit log retention, encryption, access control. Fourteen probing questions. Output: build cost (custom HIPAA) vs HIPAA SaaS (Datica, Aptible, Particle Health) at your shape. The full memo includes an architecture sketch, a BAA-eligible processor matrix, and the 7 must-haves auditors check.
How this is calculated
Custom build cost: HIPAA-aligned architecture (PHI storage, audit logging of every PHI access, BAA-only processors, RBAC/ABAC, encryption at rest + in transit, deletion workflows, breach-notification SOP). Scales with PHI category mix, record volume, integration count, and portal count. HIPAA SaaS comparison uses Datica / Aptible / Particle Health / Truework typical 2026 pricing. Both costs include first-year compliance work; audit and attestation recur yearly after that.
What this does NOT estimate
- HITRUST certification (separate ~6-12 month effort)
- HHS-OCR audit response if triggered
- State-specific overlays (e.g., Texas HB 300, California CMIA)
FAQ
Build vs HIPAA SaaS — when does each win?
HIPAA SaaS (Datica, Aptible) wins for early-stage health-tech that just needs a compliant runtime — fast time-to-launch, less burden. Custom build wins above ~50K patient records or when you have specific workflow needs. Memo includes the decision matrix.
What's a BAA?
Business Associate Agreement, the contract HIPAA requires between a covered entity and any vendor that creates, receives, maintains or transmits PHI on its behalf, and likewise between a business associate and its own subcontractors. AWS, Azure and GCP all offer a BAA (self-service, not only at an enterprise tier), but each covers only the services on that provider's HIPAA-eligible list; putting PHI in a non-eligible service is a gap regardless of the signed agreement. Many SaaS tools don't sign one at all, and that's where the eligibility matrix matters.
What's in the memo?
Architecture sketch, BAA-eligible processor matrix, RBAC/ABAC pattern, audit log schema, breach-notification SOP, the 7 must-haves auditors check.
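The RBAC/ABAC pattern and audit log schema named above (and in the "How this is calculated" paragraph) are easier to reason about in code. The following is an added, illustrative example written for this page; it is not the memo's code and not any vendor's API. It assumes a hypothetical role table, a hypothetical care-team attribute on the user, and an in-memory log; a real deployment would persist the log in append-only storage under the same controls as the PHI, since the entries themselves carry patient identifiers.

```python
"""Deny-by-default PHI authorization plus a tamper-evident audit log (added example)."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical RBAC layer: which actions each role may perform on PHI at all.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "support": set(),  # support staff never read PHI directly
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    care_team_patients: frozenset[str]  # ABAC attribute: patients this user treats (assumed)
    organization: str

@dataclass(frozen=True)
class PhiRecord:
    patient_id: str
    organization: str
    category: str  # e.g. "clinical", "billing", "psychotherapy_notes"

def authorize(p: Principal, rec: PhiRecord, action: str, purpose: str) -> tuple[bool, str]:
    """RBAC decides what a role may do; ABAC decides which records. Every path returns a
    reason so denials are as auditable as grants."""
    if action not in ROLE_PERMISSIONS.get(p.role, set()):
        return False, "role lacks action"
    if rec.organization != p.organization:
        return False, "tenant mismatch"
    if not purpose:
        return False, "missing purpose-of-use"
    # Minimum necessary: billing sees billing data only; psychotherapy notes always
    # require a treatment relationship, never just a role.
    if p.role == "billing" and rec.category != "billing":
        return False, "category outside role's minimum necessary"
    if rec.category == "psychotherapy_notes" and rec.patient_id not in p.care_team_patients:
        return False, "no treatment relationship"
    if p.role == "clinician" and rec.patient_id not in p.care_team_patients and purpose != "break_glass":
        return False, "not on care team (use break_glass with justification)"
    return True, "ok"  # break_glass grants land here and are visible in the log by purpose

class AuditLog:
    """Append-only and hash-chained: each entry's hash covers the previous entry's hash,
    so editing or deleting an earlier entry invalidates every later one."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON so the hash is reproducible across processes.
        raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "prev_hash": prev, **fields}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def access_phi(log: AuditLog, p: Principal, rec: PhiRecord, action: str, purpose: str) -> bool:
    """Single choke point: decide, then log the decision (allowed or denied) before returning."""
    allowed, reason = authorize(p, rec, action, purpose)
    log.append(actor=p.user_id, role=p.role, action=action, patient_id=rec.patient_id,
               category=rec.category, purpose=purpose, allowed=allowed, reason=reason)
    return allowed

def demo() -> tuple[list[bool], bool, bool]:
    """Constructed sample principals and records; returns (decisions, chain ok, chain ok after tamper)."""
    log = AuditLog()
    dr = Principal("u-dr-1", "clinician", frozenset({"p-100"}), "org-a")
    billing = Principal("u-bill-1", "billing", frozenset(), "org-a")
    notes = PhiRecord("p-100", "org-a", "psychotherapy_notes")
    invoice = PhiRecord("p-100", "org-a", "billing")
    other = PhiRecord("p-200", "org-a", "clinical")
    decisions = [
        access_phi(log, dr, notes, "read", "treatment"),       # allowed: on care team
        access_phi(log, billing, invoice, "read", "payment"),  # allowed: billing data only
        access_phi(log, billing, notes, "read", "payment"),    # denied: outside minimum necessary
        access_phi(log, dr, other, "read", "treatment"),       # denied: not on care team
        access_phi(log, dr, other, "read", "break_glass"),     # allowed, flagged by purpose
    ]
    intact = log.verify()
    log.entries[2]["allowed"] = True  # simulate someone rewriting a denial after the fact
    return decisions, intact, log.verify()
```

The design choice worth copying is the single `access_phi` choke point: the decision and the audit write are one operation, so there is no code path that reads PHI without an entry, and denials are recorded with the same schema as grants. The hash chain is the cheap way to give an auditor evidence that retained logs were not edited; pair it with periodic anchoring of the latest hash somewhere the application cannot write.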