Case E
Signing the BAA is the easy part.
- Where this shows up: Digital health, SaMD, and health IT startups in pilot, BAAs signed, MFA on, processing real PHI.
- Speaks loudest to: CEO, CTO.
- Lesson: The Business Associate Agreement is a promise the founder is now obligated to keep. Signing it without the program behind it is signing for the obligations without the controls.
Challenge.
A digital health SaaS signs Business Associate Agreements with its covered-entity customers because customers ask for one before sharing PHI. The team turns on multi-factor authentication, encrypts the laptops, encrypts the cloud, and starts processing real cases. The founders believe the obligations are met. They are not.
A Business Associate Agreement is not a procurement document. It is a contract that triggers federal regulatory authority over the company. From the moment of signing, the HHS Office for Civil Rights (the federal HIPAA regulator) can enforce against the company directly, not just through the customer. Breach notification clocks start. Subprocessors that touch PHI must be papered with their own BAAs. Officers can face personal exposure in egregious cases. The BAA is the moment the regulator gets standing. The program behind it is what keeps the company defensible after.
That program has names that sound like documents and are not. A Security Risk Analysis is an ongoing risk-management program with documented evidence of identification, assessment, prioritization, and mitigation; OCR cites its absence more often than any other deficiency. Immutable audit logs of who accessed which patient record and when. Business Associate Agreements with every subprocessor that can see PHI (cloud, email, error monitoring, analytics, and the LLM provider, with no-training and zero or short retention terms). PHI scrubbed from dev, staging, application logs, error monitoring, and session replay (the most common breach vector at pilot stage). An incident response plan with the 60-day breach-notification clock baked in. None of this is in place because no one told the founders to expect it.
SOC 2 Type II and HITRUST come up next, because enterprise and payer customers ask for them. Founders hear "SOC 2" and think it is a one-time certification. Type II actually requires three to twelve months of documented evidence collection while an auditor watches controls operate; Type I is a point-in-time snapshot, and most enterprise customers will not accept it. HITRUST is a multi-tier framework (e1, i1, r2), multi-year, with hundreds of controls in the r2 tier and an external assessor on the clock. The cost is six figures and the program is permanent. Founders agree to "we will be SOC 2 by year-end" without seeing the operational year inside that sentence.
Consequences.
A breach discovered while the program is incomplete sits in the OCR posture most punitive to the company: willful neglect. Federal penalties run six figures at minimum and reach into the millions if the gap is systemic. Beyond the dollar number, a corrective action plan typically runs three years with required monitoring, reporting, and operational changes that ride on the regulator's calendar, not the company's. Enterprise and payer customers who asked for SOC 2 Type II and HITRUST in diligence will not buy from a vendor under active OCR oversight. Cyber insurance can be voided if controls were misrepresented on the application. Class action plaintiffs use HIPAA as the standard of care in negligence claims. Officers who signed the BAA can face personal exposure in egregious cases. The cost of building the program before processing PHI is small. The cost of building it after a notifiable breach, while the regulator and class counsel are both at the door, is the difference between a company that recovers and one that does not.
Without Inoculis.
- The visible third: MFA and encryption.
- The invisible two-thirds: SRA, audit logging, subprocessor BAAs, PHI hygiene, incident response.
- Six figures and up: penalty exposure, enterprise deals blocked.
Solution (what we now do).
We help founders see the program the BAA assumes they already have. What a Security Risk Analysis actually contains and how to make it defensible. Which subprocessor BAAs to execute and which contractual terms the LLM provider must agree to. How to scope PHI out of dev, staging, logs, analytics, error monitoring, and session replay. How to stand up immutable audit logging of PHI access, tenant isolation in a multi-tenant model, and an incident response plan that runs the breach-notification clock against the right counterparty. We sequence SOC 2 Type II and HITRUST against the actual customer pipeline, so the certifications arrive when enterprise deals require them, not after.
With Inoculis from day one.
- Day one: A documented HIPAA program before the first PHI record lands: SRA, subprocessor BAAs (including the LLM provider, with no-training terms), audit logging, incident response.
- On schedule: SOC 2 Type II and HITRUST sequenced against the actual customer pipeline, ready when enterprise deals require them.
- Avoided: Federal penalty exposure. Deals close on schedule.
What this means for you.
If you have signed a Business Associate Agreement, turned on MFA, encrypted the laptops, and started processing PHI, you have done about a third of the work. The other two-thirds are not optional, and the BAA you signed already obligates you to them. The cost of the gap is invisible until it is the only thing anyone is looking at.