Compliance roadmap · prepared for Linda & Alan

SOC 2 now. URAC next.
HITRUST when a customer asks.

Three telehealth accreditations, in the order that spends the least to clear the most. Start with the foundation that's already scoped, add the telehealth-specific seal the VA and payers recognize, and hold the most expensive one until a contract requires it.

Accreditation roadmap
I. The three frameworks

What each one costs, and what it buys.

Stage 1 — now

SOC 2 Type II

Foundation · already scoped
~$20K–$80K

lower with automation tooling (Vanta / Drata) at this org size

3–6 mo + observation window

The baseline security attestation every EHR, payer, and enterprise customer expects. The HIPAA/BAA chain, AES-256 encryption, and audit trail are most of the work — the lowest-cost first hardening step.

Why: Cheapest credible trust signal, fastest to stand up, and table-stakes for any downstream integration conversation. There is no reason not to have it in hand.

Stage 2 — 6–12 mo

URAC Telehealth Accreditation

The differentiator
~$10K–$30K + consulting

gap assessment $5–7K; retainers $5–7K/mo; v4.0 standards (Sept 2024)

6–9 mo

The telehealth-specific, nationally recognized seal — 61 standards across 8 categories, including new AI-governance and data-privacy modules. The Consumer-to-Provider (C2P) track maps directly to the async-Rx model.

Why: This is what de-risks the VA beachhead and the payer conversations — both recognize URAC. The v4.0 AI-governance standards line up with the AI-assisted LMN workflow, so the hard part is already being built. Affordable and high-signal.

Stage 3 — when a customer demands it

HITRUST r2

Defer until contract-triggered
~$70K–$160K+

up to $1M at enterprise scope; valid 2 yrs with a year-1 interim assessment

6–18 mo

The most rigorous health-data certification — roughly twice the cost and time of SOC 2, with fees to both HITRUST and an authorized external assessor.

Why: Premature pre-revenue. Pursue only when a specific health-system or enterprise contract requires it. The HIPAA Security Rule overhaul (prescriptive May 2026) will push more large customers to ask — so scope it the moment one does, not before.

II. Why this order

Sequence by cost-to-clear, and never redo work.

01 · Spend the least to clear the most. SOC 2 unlocks integration and enterprise conversations for the lowest cost; do it first because it's already in flight.
02 · Buy the telehealth-specific credibility where it actually moves a deal. URAC is the seal the VA and payers recognize; it directly advances the beachhead rather than ticking a generic checkbox.
03 · Don't pre-pay for HITRUST. It's the single most expensive item on this list. Let a customer's procurement requirement trigger it; then the cost has a contract behind it.
04 · Stack, don't redo. SOC 2 controls feed the URAC submission, and both feed HITRUST later. Sequencing this way means no wasted work: each stage is a down-payment on the next.

III. Recommendation

Stage 1 immediately. Stage 2 on the VA timeline.

Fold SOC 2 Type II into the work already underway — it's the lowest-cost trust signal and most of the controls are being built anyway. Begin URAC Telehealth in parallel with the VA conversation so the seal lands before procurement asks for it. Leave HITRUST out of the budget until a specific contract puts dollars behind the requirement.

Do now · SOC 2 Type II · ~$20–80K · already scoped
Next 6–12 mo · URAC Telehealth · ~$10–30K · VA / payer seal
When asked · HITRUST r2 · ~$70–160K+ · contract-triggered

Confidential. Cost and timeline ranges are 2025–2026 market estimates that vary with scope, org size, and remediation needs; treat as planning figures, not quotes. SOC 2 Type II is the recommended first hardening investment. Not indexed. Not for distribution.