Complete Legal Make-Over for a Medical SaaS Provider

Find out how we overhauled the external and internal legal architecture for a medical SaaS provider–tackling GDPR and HIPAA compliance with more than 100 documents and procedures.
The Client
A SaaS provider for the dental industry offering a digital platform for collaboration and smile design.
The Challenge
The existing legal documents needed an update to align with upcoming compliance needs, driven by fast growth and enterprise customers requiring stricter legal frameworks.
The Solution
Complete revamping of internal and external legal architecture and compliance work at an organizational and technical level to align with international data privacy and health regulations.

External legal architecture:

The foundation of your legal relationships. From terms of service and privacy policies to legal notices and consent capture - think of the externals as anything legal-related that your customers interact with when enjoying your products or services.

Documents Stack

  • General Terms of Service: Detail the conditions governing service provision.
  • Supplemental Terms: Provide additional information and rules specific to various services.
  • Acceptable Use Policy: Defines acceptable and unacceptable conduct when using the services provided.
  • Privacy Policy: Explains how personal data is processed.
  • Cookie Policy: Provides information about the use of cookies and similar technologies.
  • Data Processing Addendum: Governs the processing of Customer Personal Data on behalf of the Customer.
  • Business Associate Agreement: Details how ePHI is handled and protected when providing services to covered entities (as relevant for HIPAA compliance).
  • Subprocessors: Details the identity, location, and role of subprocessors.
  • Security Practices: Outlines the technical and organizational measures in place.

Modular Design of Terms: The legal architecture was structured with a modular design at its core. This approach entailed the creation of "General Terms," which set the foundational legal conditions applicable across all services offered by the platform. To accommodate the diversity of services and the specific legal nuances each might entail, "Supplemental Terms" were introduced. These terms added clauses specific to various services, ensuring that the legal framework was both comprehensive and tailored to address the unique aspects of each service offering. Widely adopted across industries, this modular design facilitates streamlined and scalable legal structures that could easily adapt to new services or changes in regulatory requirements.

Defining the Contracting Party and End Users: A critical aspect of the legal documentation revamp was the precise definition of the contracting party–the "Customer." This definition was carefully crafted to distinguish between the contracting entity (such as a dental practice or organization) and the actual end users of the service (the dental professionals, patients, etc.). The documentation also accounted for the edge case scenario where the contracting entity and the end users might be one and the same, ensuring clarity and legal precision in defining the roles and responsibilities of all parties involved.

Disclaimers: Explicit disclaimers were drafted into the legal documents and further incorporated into the services' various onboarding flows and critical points of use. Such disclaimers clarified that the services offered by the platform do not constitute professional advice, confirmed that the digital tools are not classified as medical devices, and stated that the platform does not verify the professional accreditation of its users. As always, disclaimers were essential in setting realistic expectations and mitigating legal risks by clearly outlining the services' scope.

Shared Responsibility Model: The introduction of a shared responsibility model represented a forward-thinking approach to addressing data security and compliance complexities in a collaborative cloud environment. This model delineated the SaaS provider's and customers' responsibilities regarding data protection, cybersecurity measures, and regulatory compliance, setting transparent expectations and clear contractual duties.

Terms Regarding Purchases Through Partners: Specific terms were outlined to accommodate the business model involving sales and service provision through partners. These terms detailed the conditions under which purchases made through partners would be governed, ensuring that the legal relationships between the provider, its partners, and the end customers were clear and compliant with applicable laws.

"Simply Put" Explanations: Recognizing the importance of accessibility and understanding, the legal documents featured "simply put" explanations for all clauses. While not legally binding, this approach aimed to demystify legal jargon and make the terms of service comprehensible to individuals without a legal background. By providing clear, straightforward explanations, the provider ensured that users could fully grasp their rights and obligations, fostering transparency and trust.

Dual Data Privacy Role–Controller and Processor: First, we had to untangle the roles of data controller and processor under various data protection laws, including the GDPR. The SaaS provider recognized its dual role depending on the specific context of data handling activities. As a data controller, the provider determined the purposes and means of processing personal data. As a processor, it processed personal data on behalf of its customers. This distinction was critical in tailoring the provider's legal documents and operational practices to accurately reflect and comply with its responsibilities in each role. By clearly defining these roles in the legal framework, the provider ensured that data processing activities were conducted in a transparent, secure, and legally compliant manner, thereby safeguarding the interests of the provider, its customers, and the end users.

Multiple Jurisdiction Compliance with Privacy Regulations: With a customer base spread across various jurisdictions, each with its own set of privacy laws and regulations, the provider faced the challenge of ensuring universal compliance. This was addressed by implementing a legal and operational framework that was not only compliant with the GDPR, considered the gold standard for data protection, but also flexible enough to adapt to other international and local privacy regulations. The framework included mechanisms for data protection impact assessments, cross-border data transfer protocols, and specific user rights provisions per locale, ensuring that the provider could seamlessly operate and comply with laws in multiple jurisdictions, including HIPAA in the United States, PIPEDA in Canada, and others as applicable.

Business Associate Agreement (BAA) Acceptance via Platform's Legal and Compliance Settings: Recognizing the critical importance of compliance with health information privacy laws, particularly for customers covered under HIPAA in the United States, the provider streamlined the process for executing a Business Associate Agreement (BAA). A BAA is essential for ensuring that any covered entity (or its business associate) that handles protected health information (PHI) complies with HIPAA's stringent requirements. The provider integrated the acceptance and management of the BAA into the platform's Legal and Compliance Settings. This allowed customers to easily review, accept, and manage their BAA directly within the platform. This feature not only simplified the compliance process for customers but also demonstrated the provider's commitment to upholding the highest standards of privacy and data protection.

Internal Legal Architecture

The scaffolding of your compliance efforts - internals keep your business running smoothly. The ILA includes corporate policies and procedures, employment contracts, and subcontractor due diligence. Drafting, adoption, training, implementation, and review - we will be there every step of the way.

Access Controls, Encryption, and Data-Safeguarding Measures: Robust access control mechanisms were implemented to ensure that only authorized personnel could access sensitive information. This was complemented by state-of-the-art encryption technologies to safeguard data both at rest and in transit. Additional data protection measures, such as regular security audits and network security policies, were also adopted.

Third-Party Management: With a clear understanding of the risks associated with third-party vendors, especially those filling the role of subprocessors, stringent due diligence processes and compliance checks were established. This approach ensured that all third parties engaged by the provider met the required standards of data protection and privacy compliance.

Incident Response Measures: A robust incident response plan was developed to quickly and effectively address a data breach or security incident. This plan included procedures for incident detection, assessment, containment, eradication, and recovery, as well as communication strategies for notifying affected parties and regulatory authorities as required.

Workforce Training: A well-informed and well-trained workforce is a critical line of defense against cyber threats and compliance mishaps. A comprehensive training program for all employees was implemented, covering a wide range of topics, including data protection principles, privacy regulations, security best practices, and incident response protocols. Regular training sessions ensured that the workforce remained aware of the latest threats and how to prevent them, reinforcing the culture of security and compliance across the organization.

Security and Compliance Whitepaper and Trust Center: Demonstrating commitment to transparency and in order to provide clients with detailed information on security and compliance measures, a Security and Compliance Whitepaper was drafted and made publicly available. This document outlined the technical and organizational measures in place to protect client data, comply with privacy regulations, and ensure service reliability. Additionally, a Trust Center was established on the provider’s website, offering clients and prospects easy access to security policies, compliance certifications, and data protection resources. The Trust Center served as a comprehensive resource for stakeholders seeking assurance about the provider's commitment to security and compliance.

HIPAA Compliance Efforts and Attestation Examination: To bolster trust and ensure regulatory compliance, the SaaS provider undertook significant efforts to align with the Health Insurance Portability and Accountability Act (HIPAA) standards, crucial for protecting patient data within the healthcare sector. This comprehensive initiative involved revising operational and data protection practices to meet HIPAA's stringent requirements. To validate these efforts, a licensed CPA firm was engaged to conduct an attestation examination. This rigorous evaluation culminated in a successful attestation, affirming the provider's adherence to HIPAA.
