This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

Ask five vendors what your telemedicine app will cost and you will get numbers from $40,000 to $800,000 — for what sounds like the same product. The spread is not dishonesty; it is that each quote silently includes a different slice of the real model. If you are a founder pricing a build, a product manager defending a budget, or a hospital IT lead comparing a quote against a SaaS subscription, you need the whole model: what the build actually includes, which run-cost lines appear only after launch, and which multipliers move the total by 2× before a line of code is written. This article gives you that model, a fully worked example with the arithmetic shown, and a downloadable spreadsheet to re-run it with your own assumptions. It builds directly on the platform anatomy — every subsystem on that map is a line item on this one.

Why every quote you got is a different number

Search for telemedicine app development cost and the first page of results will tell you a simple app costs $15,000–$30,000, a medium one $30,000–$70,000, and a complex one anything past $70,000 — with advanced platforms quoted beyond $300,000 (2026 vendor guides). The ranges are not wrong as far as they go. They are answers to different questions.

A $40,000 quote usually prices a demo: one mobile app, a login screen, a video call bolted on through a third-party kit, no compliance work beyond the word "encrypted," and no integrations. A $300,000 quote usually prices a product: two applications (patient and provider), identity and consent, scheduling, a waiting room, documentation, audit logging, the contracts and configuration that make patient data legal to handle, and at least one integration into the surrounding clinical world. The two quotes describe the same idea at two different depths, which is why comparing them by the bottom-line number alone is meaningless.

There is a second, larger omission. Almost every public cost guide prices the build and stays silent about the run — the monthly cost of video transport, storage that grows forever, subscription seats, compliance audits, and the humans on support. Over a three-year life, the run side of our worked example below costs more than five times the build side. A budget that covers only the build is a budget for a launch, not for a product.

So instead of asking "what does a telemedicine app cost," ask the question this article answers: what drives the cost, and what does each driver do to my number?

The Four Multipliers That Set the Budget

Every telemedicine budget — build and run — is the product of four multipliers. Get these four right and your estimate lands within range before any vendor call.

[Figure: Four multipliers that set telemedicine platform cost: volume, features, compliance tier, integrations]

Figure 1. The four multipliers. Each one moves both the build budget and the run budget; the compliance tier and integration count are the two that founders most often underestimate.

Patient volume sets the run cost almost linearly. Twice the visits means twice the video minutes, twice the recordings in storage, twice the identity checks, and — less obviously — more support tickets and a bigger on-call burden. Volume barely changes the build cost: the same codebase serves 500 or 50,000 visits a month, until scale forces re-architecture.

Consultation features decide which subsystems from the platform anatomy you must build. A scheduled one-on-one video visit is the baseline. Group sessions (a caregiver, an interpreter), in-call tools (chat, file share, vitals), recording, asynchronous messaging, and remote patient monitoring each pull in their own storage, their own compliance questions, and their own test surface. The three modalities — live video, store-and-forward, and monitoring — are effectively three different products; supporting a second modality is closer to ×1.5 than +10%.

Compliance tier is the multiplier cheap quotes omit. A wellness product that touches no health data carries a multiplier of ×1.0. The moment your product handles Protected Health Information — PHI, any health data tied to an identifiable person — US law (the HIPAA Security Rule, 45 CFR §164.312) requires access controls, audit logging, integrity protection, authentication, and transmission security, and every vendor that touches that data needs a signed Business Associate Agreement (BAA) — the contract that makes a vendor legally able to handle patient data on your behalf. Building those controls, procuring those contracts, writing the required policies, and running the legally required risk analysis (45 CFR §164.308(a)(1)) adds 30–50% to a build. Selling to hospitals adds a third tier: security questionnaires, SOC 2 reports, sometimes HITRUST — call it ×2 against the wellness baseline.

Integration count is the quietest multiplier. Each connection — electronic health record (EHR), e-prescribing, labs, payments, insurance eligibility — is its own mini-project with its own vendor fees, onboarding queue, and test environment. The integration articles cover the how; for budgeting, treat every integration as weeks of work plus a recurring subscription, and note that the calendar time is often set by the partner's onboarding queue, not by your team.

| Compliance tier | What it means | Build multiplier | New run lines |
| --- | --- | --- | --- |
| Wellness, no PHI | No identifiable health data anywhere | ×1.0 | none |
| PHI / HIPAA | Identifiable health data; HIPAA Security Rule controls + BAAs | ×1.3–1.5 | risk analysis, pen test, BAA'd infrastructure |
| Enterprise / hospital sale | PHI + buyer due diligence (SOC 2, sometimes HITRUST) | ×1.8–2.2 | annual audits, questionnaires, dedicated compliance time |

Table 1. The compliance-tier multiplier. The jump from "no PHI" to "PHI" is a legal line, not a feature toggle — the HIPAA article explains exactly what attaches when you cross it.

Budget One: The Build

The build budget is team math. Write it out once and every vendor quote becomes legible.

A clinical-grade first release — patient and provider apps, identity and consent, scheduling, waiting room, live video through a rented video layer, documentation, audit logging, and one payments integration — takes a team of roughly five full-time people about six months: a project manager and a designer (half-time each), two backend engineers, one or two app engineers, and a QA engineer. Here is the arithmetic, out loud:

5 full-time equivalents × 160 hours a month × 6 months = 4,800 hours. At a nearshore agency blended rate of $55/hour: 4,800 × $55 = $264,000. At a US agency blended rate of $160/hour: 4,800 × $160 = $768,000.

Add the compliance tier. For a PHI-handling product, the one-time compliance work — the risk analysis HIPAA requires (45 CFR §164.308(a)(1)(ii)(A)), security policies and procedures, BAA procurement across every vendor, and a first penetration test — adds $25,000–$40,000 in external costs and consultant time on top of the engineering hours already counted. That lands the realistic nearshore build at roughly $290,000–$305,000, and the US-rate build near $800,000. Rate references for 2026: US mid-market firms bill $120–$250/hour; Central and Eastern European teams $35–$70/hour for mainstream work, $60–$85 for senior engineers.

| Scope | What ships | Nearshore (≈$55/h) | US rates (≈$160/h) |
| --- | --- | --- | --- |
| Lean MVP | One patient app + provider web, rented video, no EHR, no e-Rx, cards only | $130,000–$160,000 | $380,000–$460,000 |
| Clinical-grade MVP | Both apps, identity/consent, scheduling, waiting room, docs, audit log, payments | $260,000–$310,000 | $740,000–$880,000 |
| Integrated platform | + EHR read/write, e-prescribing, labs, claims, SSO for clinics | $400,000–$550,000 | $1.1M–$1.6M |

Table 2. Build budgets by scope at 2026 agency rates. The ranges assume the PHI compliance tier; subtract roughly a quarter for a no-PHI wellness product, add the enterprise tier from Table 1 for hospital sales.

Three notes before you anchor on a row. First, the cheap public quotes are not lying — they price the Lean MVP row at offshore rates with the compliance work left out; now you can see exactly which rows and columns they skipped. Second, the build is sensitive to feature count but brutally sensitive to integration count: each EHR or pharmacy connection adds engineering weeks plus a partner onboarding queue measured in months — sequence them, don't batch them. Third, in-house hiring instead of an agency swaps the hourly rate for salaries plus a 3–6 month hiring ramp; at US salaries the totals converge on the same order of magnitude.

One more build-side decision moves the number by six figures: rent or build the video layer itself. Renting from a video-API vendor (a CPaaS — Communications Platform as a Service) turns real-time video into a metered utility and saves roughly 2–4 engineer-months of build time. Building on an open-source media server (mediasoup, Janus, LiveKit) removes the per-minute meter but adds those engineer-months back, plus a permanent operations duty. The run-cost section makes that trade concrete, and the build-vs-buy video-layer article covers vendor selection in depth.

Budget Two: The Run

The run budget is where telemedicine surprises teams, because most of its lines do not exist on launch day and all of them grow. Here is every recurring line, each with real 2026 numbers, scaled for the worked example we will total in the next section: 5,000 visits a month, 20 minutes each, two participants, all visits recorded.

[Figure: Build budget versus run budget: the one-time lines and the recurring lines that overtake them]

Figure 2. Two budgets. The build is one-time and visible in every quote; the run is recurring, mostly invisible in quotes, and overtakes the build within two to three years at clinic scale.

Video transport: the line everyone overprices

If you rent the video layer, you pay per participant-minute — one person connected for one minute. The 2026 list prices: Vonage Video API at $0.00395 per participant-minute (volume tiers fall toward $0.0015), Daily at $0.004 after a free monthly allowance, Agora at roughly $0.001 equivalent for standard video, and LiveKit Cloud — which dropped per-minute pricing in 2025 — billing by gigabytes transferred on top of plan tiers. The arithmetic for our example:

5,000 visits × 20 minutes × 2 participants = 200,000 participant-minutes a month. At $0.004: 200,000 × $0.004 = $800 a month.

Eight hundred dollars. Founders routinely spend weeks negotiating this line while signing a $9,000-a-month AI-documentation subscription without a second read. The table — with the column that matters most in healthcare:

| Video layer (2026) | List price | Unit | BAA available? | Note |
| --- | --- | --- | --- | --- |
| Vonage Video API | $0.00395 | participant-minute | Yes — HIPAA program, on request | volume tiers to ~$0.0015 |
| Daily | $0.004 | participant-minute | Yes — on HIPAA plan tiers | free allowance, volume discounts |
| Agora | ~$0.99 / 1,000 min | participant-minute (SD/HD bands) | Confirm in writing — enterprise contract | cheapest list price at small scale |
| LiveKit Cloud | plan + per-GB | bandwidth (GB) | Yes — on eligible plans, confirm tier | ended participant-minute pricing (2025) |
| Twilio Video | per participant-minute | participant-minute | Yes — HIPAA-eligible products under BAA | EOL announced 2023, extended to Dec 2026, reversed 2024 — product retained |
| Zoom Video SDK | bundle / quote | session minutes | Yes — eligible healthcare accounts | migration target Twilio once recommended |

Table 3. Rented video layers. "BAA available" is binary per vendor and per product — a vendor can sign a BAA for one product line and not another, so confirm your exact SKU in writing before any PHI flows. The Twilio row is a lesson in its own right: a video API was scheduled to die, given three years' notice, then un-cancelled — price vendor lifecycle risk into any rented layer.

Self-hosting replaces the meter with infrastructure plus people. The same 5,000 visits through your own SFU — Selective Forwarding Unit, the media server that routes each participant's stream to the others — generates about 360 MB of server egress per visit (two 1.2 Mbit/s downlinks × 1,200 seconds ÷ 8 bits per byte = 360 MB), so:

5,000 × 360 MB = 1.8 TB egress × $0.09/GB ≈ $162, plus ~$500 for two SFU nodes, ~$150 for TURN relay capacity, ~$100 monitoring ≈ $900 a month.

Comparable to the CPaaS bill at this scale — the real difference is the WebRTC engineer who now carries a pager. The honest rule: rent until your monthly video bill rivals a media engineer's monthly cost (at 2026 rates, roughly 3–4 million participant-minutes a month), unless you already employ that engineer. The SFU comparison in our Video Streaming section covers the self-host candidates.

Recording: the line that compounds

A recorded visit at a composite 1.5 Mbit/s produces about 225 MB per 20-minute session (1.5 Mbit/s × 1,200 s ÷ 8 = 225 MB — the same figure used across this course). Recording has two costs: processing and storage. CPaaS vendors charge roughly $0.005–$0.015 per recorded minute to compose and deliver the file; we model $0.01 × 100,000 visit-minutes = $1,000 a month.

Storage is the compounding part. Each month adds 5,000 × 225 MB = 1,125 GB. On BAA-covered object storage at $0.023/GB-month (AWS S3 Standard list, 2026):

Month 1: 1,125 GB × $0.023 ≈ $26. Month 12: 13,500 GB × $0.023 ≈ $310 a month and climbing.

Now project the pile against retention. Visit recordings, once made part of the record, follow medical-record retention — state law, commonly 5–10 years (HIPAA itself mandates six years for its documentation — policies, assessments — under 45 CFR §164.316(b)(2)(i), a clock people confuse with record retention). At seven years our example holds 94.5 TB: $2,173 a month on Standard storage, or about $378 with a lifecycle policy that moves cold recordings to archive tiers ($0.004/GB-month class). The design decisions — record everything or by exception, retention clock, archive tier — are product decisions with five-figure annual consequences; the recording article covers the compliance side.
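The storage projection above, as an added example (not part of the original article or its spreadsheet): a month-by-month model of the recording store that applies the retention clock and an archive-tier lifecycle rule. Volumes and prices are the article's figures; the function names and the 3-month window before archiving are assumptions.

```python
# Added example: recording-storage bill under a retention clock and an
# archive-tier lifecycle rule. Volumes and prices are the article's figures;
# function names and the 3-month "hot" window are illustrative assumptions.
# Archive retrieval fees and minimum-storage-duration charges are not modeled.

VISITS_PER_MONTH = 5_000
MB_PER_VISIT = 225          # 1.5 Mbit/s x 1,200 s / 8
STANDARD_PER_GB = 0.023     # $/GB-month, standard tier
ARCHIVE_PER_GB = 0.004      # $/GB-month, archive tier class


def monthly_ingest_gb(visits=VISITS_PER_MONTH, mb_per_visit=MB_PER_VISIT):
    """GB of new recordings per month (decimal GB, as in the article)."""
    return visits * mb_per_visit / 1000


def storage_bill(month, retention_months, archive_after_months=None):
    """Return (standard_gb, archive_gb, dollars) for the bill in `month`.

    month                 1-based month of operation
    retention_months      recordings older than this are deleted
    archive_after_months  age at which a recording moves to the archive
                          tier; None means no lifecycle rule (all standard)
    """
    if month < 1 or retention_months < 1:
        raise ValueError("month and retention_months must be >= 1")
    ingest = monthly_ingest_gb()
    # Each month of operation adds one cohort; expired cohorts are deleted,
    # so the number held stops growing once the retention clock is reached.
    held = min(month, retention_months)
    hot = held if archive_after_months is None else min(held, archive_after_months)
    cold = held - hot
    standard_gb, archive_gb = hot * ingest, cold * ingest
    dollars = standard_gb * STANDARD_PER_GB + archive_gb * ARCHIVE_PER_GB
    return standard_gb, archive_gb, dollars


def cumulative_cost(months, retention_months, archive_after_months=None):
    """Total storage spend over the first `months` months of operation."""
    return sum(
        storage_bill(m, retention_months, archive_after_months)[2]
        for m in range(1, months + 1)
    )


def report(retention_years=7, hot_months=3):
    """Compare no lifecycle rule, archive-everything, and a hot window."""
    r = retention_years * 12
    return {
        "month_12_standard": storage_bill(12, r)[2],
        "final_month_standard": storage_bill(r, r)[2],
        "final_month_all_archive": storage_bill(r, r, 0)[2],
        "final_month_hot_window": storage_bill(r, r, hot_months)[2],
        "total_standard": cumulative_cost(r, r),
        "total_hot_window": cumulative_cost(r, r, hot_months),
    }


if __name__ == "__main__":
    for name, dollars in report().items():
        print(f"{name:26s} ${dollars:,.2f}")
```

The $378 figure corresponds to every recording sitting in the archive tier; keeping the most recent three months on standard storage puts the year-seven bill nearer $442 a month, and the seven-year total drops from about $92,000 to about $21,000.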

The regulated-infrastructure floor

Everything PHI touches must run on infrastructure covered by a BAA. The good news: the big clouds (AWS, Google Cloud, Azure) sign BAAs at no extra charge, and most of their mainstream services are HIPAA-eligible. The cost is not a BAA fee — it is that the boundary forbids cheap shortcuts: no consumer-grade analytics inside the logged-in product, no un-contracted log collector, no free-tier email service carrying appointment details. For our example, the BAA-covered cloud floor — application servers, database, signaling, log pipeline, backups — runs about $2,500 a month, before any media infrastructure.

Per-use clinical services

Three metered services appear in most 2026 builds. Identity verification — proving a new patient is who they claim, per the roles-and-identity article — costs $0.80–$1.50 per check (Stripe Identity lists $1.50; Persona and Veriff sit in the same band); 1,500 new patients a month at $1.50 is $2,250. An AI documentation assistant (the ambient scribe) prices per provider: $59–$299 a month, with $150–$200 the mid-market norm — 60 providers × $150 = $9,000 a month, usually the single largest SaaS line; the AI-scribe article covers what that buys. E-prescribing network access typically prices per prescriber, on the order of $50–$100 a month each (quote-based): 60 × $75 = $4,500.

Integrations as subscriptions

The build section counted integration engineering; the run budget pays integration rent. An EHR integration aggregator — one API that reaches many hospital EHR systems — runs $30,000–$60,000 a year at small scale and $60,000–$150,000 at mid-market (2026 contract data for the Redox class of vendor); we model $45,000/year = $3,750 a month. Direct EHR connections trade that subscription for more engineering and per-health-system project work — the integration decision guide maps the choice.

Compliance as an operation

Compliance is not a launch task; it recurs by law and by contract. The HIPAA risk analysis must be maintained, not framed (45 CFR §164.308(a)(1)(ii)(A)–(B)); the proposed Security Rule update (HHS NPRM, 90 FR 898, January 2025 — still not final as of June 2026) would make annual technical audits and asset inventories explicit requirements; hospital customers expect a current SOC 2 report and a recent penetration test. Realistic 2026 numbers: SOC 2 Type 2 audit $10,000–$30,000 a year for a small platform, penetration test $10,000–$25,000, risk-analysis upkeep and questionnaire time the rest — call it $60,000 a year, $5,000 a month amortized. The first year costs more (readiness work front-loads).

People: maintenance, support, on-call

The largest run line is humans. Maintenance engineering — OS and dependency patching (which the proposed Security Rule update would put on explicit timelines), bug fixes, small features, app-store churn — follows the industry rule of thumb of 15–20% of build cost a year: 18% × $300,000 = $54,000/year = $4,500 a month. Patient-facing support for 5,000 visits (password resets, "my camera doesn't work," refunds) takes about two agents — $9,000 a month nearshore, loaded — and clinical video is a business where someone answers the pager at 2 a.m., adding half an SRE: $4,500 a month. Support plus on-call: $13,500.

The Worked Example: 5,000 Visits a Month, Line by Line

Scenario: a direct-to-consumer urgent-care service. 5,000 video visits a month, 20-minute average, all recorded; 60 active providers, all prescribing, all using the AI scribe; 1,500 new patients a month; one EHR aggregator connection; rented video layer; month 12 of operation.

| # | Run line | Month-12 cost | Share |
| --- | --- | --- | --- |
| 1 | Video transport (CPaaS, BAA signed) | $800 | 1.7% |
| 2 | Recording processing (CPaaS) | $1,000 | 2.1% |
| 3 | Recording storage (S3, BAA, month 12) | $310 | 0.7% |
| 4 | BAA-covered cloud floor (app, DB, logs, backups) | $2,500 | 5.3% |
| 5 | Identity verification (1,500 × $1.50) | $2,250 | 4.8% |
| 6 | EHR aggregator subscription | $3,750 | 8.0% |
| 7 | e-Prescribing network (60 × $75) | $4,500 | 9.6% |
| 8 | AI scribe (60 × $150) | $9,000 | 19.1% |
| 9 | Compliance operations (amortized) | $5,000 | 10.6% |
| 10 | Maintenance engineering (18%/yr of build) | $4,500 | 9.6% |
| 11 | Support + on-call | $13,500 | 28.7% |
| | Total | $47,110 | 100% |

Table 4. The month-12 run budget for the worked example. Lines 1–3 — everything that is actually "video" — total $2,110, under 4.5 cents of every dollar.

[Figure: Where the monthly money goes at 5,000 visits: people and clinical subscriptions dwarf video transport]

Figure 3. The run budget, visualized. The video lines founders negotiate hardest are the thin slice at the bottom; the lines they skip in planning — people, clinical SaaS, compliance — are the stack.

Three numbers worth saying out loud. Per-visit cost: $47,110 ÷ 5,000 = $9.42 per visit — against a typical US direct-to-consumer urgent-care price of $75–$90 cash (2026), platform cost is roughly 11–12% of revenue. The lean variant: drop the scribe and e-prescribing (a therapy product, say) and the total falls to $33,610 — $6.72 per visit. The three-year picture: $300,000 build + 36 × ~$47,000 ≈ $2.0 million, of which the build is 15%. The quote you negotiated hardest was the smallest number in the model.

The percentages also explain a 2026 pattern: AI features moved the cost center. The scribe line alone (19%) exceeds all video infrastructure combined (4.5%) — when evaluating AI features, price them like payroll, not like API calls; the AI cost article runs that arithmetic.

Build, Buy, or Hybrid

There is a third budget, and for some teams it is the right one: don't build. Off-the-shelf telehealth SaaS — Doxy.me is the canonical example — prices per provider: free for basics, $35/month professional, $50/provider/month for clinics, BAA included even on the free tier (2026 list). Our 60 providers would cost:

60 × $50 = $3,000 a month, zero build, live in a week.

Against $300,000 + $47,000/month, that looks unanswerable — and for a clinic adding video visits to an existing practice, it usually is. The SaaS subscription answers a different question, though. You get a visit; you do not get your product: no custom intake and triage, no automated workflows, no EHR write-back tuned to your operation, no data moat, no brand, no asynchronous care model — and per-provider pricing scales linearly forever, which a thousand-provider platform cannot carry.

[Figure: Decision tree: when to buy telehealth SaaS, build custom, or rent the video layer inside a custom platform]

Figure 4. The build-buy-hybrid decision in four questions. Most venture-scale products land on hybrid: custom platform, rented video layer, until video volume justifies self-hosting.

The decision compresses to four questions. Is telehealth your product, or a feature of your practice? (Feature → buy.) Do your workflows differentiate you? (No → buy; yes → build something.) Does the per-provider math break at your scale? (60 providers × $50 × 12 months = $36,000/year vs. a platform — the crossover is strategic long before it is arithmetic.) And if you build: rent or own the video layer? Rent first, revisit at millions of minutes (the hybrid most teams ship). The build-vs-buy-vs-hybrid article treats this decision in full; the scoping article reuses this article's arithmetic to turn a feature list into a number.

The Cost of Getting It Wrong

One line item buys down a risk the rest of the budget cannot absorb, so price the risk explicitly. Under HIPAA's civil-penalty schedule (45 CFR §160.404, 2025 inflation-adjusted amounts applied January 28, 2026), penalties run from $145 per violation at the lowest culpability tier to $73,011 at the top of most tiers, with a cap of $2,190,294 per provision per year — and "per violation" can mean per patient record. Enforcement discretion since 2019 caps annual totals for the lower tiers at $25,000/$100,000/$250,000, which is still a product-killing number for a seed-stage company.

Breaches price even higher: healthcare has been the costliest breach industry for 14 consecutive years, averaging $7.42 million per breach (IBM, 2025), with 279 days the average time to identify and contain. And the clock is law: notification to affected individuals within 60 days of discovery (45 CFR §164.404). Set against those numbers, the worked example's $60,000-a-year compliance line is not overhead; it is underpriced insurance. The common-HIPAA-mistakes article catalogs how teams earn these penalties; the readiness checklist is the antidote.

Common cost-model mistakes — the five we see most in inherited budgets:

| Mistake | What it actually costs |
| --- | --- |
| Budgeting the demo, not the product | The $40k quote becomes $150k+ once identity, audit logging, and BAAs are added mid-project — rework premium included |
| No run budget at all | Month-two surprise: storage, subscriptions, support — at our example's scale, ~$47k/month that nobody approved |
| Analytics installed before the PHI review | Ripping a consumer tracker out of a logged-in product later costs an engineering sprint plus a breach-risk assessment |
| Ignoring vendor lifecycle risk | A rented video layer can be EOL'd (Twilio announced one, then reversed); migration off a dead API is 2–3 engineer-months on someone else's schedule |
| Recording everything with no retention design | 94.5 TB by year seven in our example; archive-tier lifecycle policies cut that line ~80% if designed on day one |

Table 5. Five recurring budget failures. Each is cheap to prevent at design time and expensive to fix after launch.

Where Fora Soft Fits In

We have built video software since 2005 — telemedicine platforms among 239+ shipped projects across video conferencing, streaming, surveillance, e-learning, and OTT — and the estimates above mirror how we actually scope: compliance tier first, because it sets the multiplier; then the feature-to-subsystem map; then the run budget alongside the build, so the month-12 bill is in the plan before the first sprint. If you are pricing a telemedicine build, we will walk your numbers through this exact model — including the lines a cheaper quote would leave out — at our telemedicine app development services.

References

  1. 45 CFR §164.308 — HIPAA Security Rule, Administrative Safeguards (risk analysis §164.308(a)(1)(ii)(A)–(B)). eCFR, current as of 2026-06. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308 — Tier 1. The legally required, recurring risk analysis behind the compliance-operations line.
  2. 45 CFR §164.312 — HIPAA Security Rule, Technical Safeguards. eCFR, current as of 2026-06. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312 — Tier 1. Access control, audit, integrity, authentication, transmission security — the engineering line items of the compliance tier.
  3. 45 CFR §164.316(b)(2)(i) — six-year retention for HIPAA documentation. eCFR. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316 — Tier 1. The documentation clock, distinguished in-text from state medical-record retention.
  4. 45 CFR §164.404 — Breach Notification Rule, ≤60 days to individual notice. eCFR. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404 — Tier 1.
  5. 45 CFR §160.404 — civil money penalty tiers; HHS annual inflation adjustment (2025 multiplier, applied 2026-01-28): $145–$73,011 per violation, $2,190,294 annual cap per provision; 2019 Notice of Enforcement Discretion caps lower tiers at $25k/$100k/$250k. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-A/part-160/subpart-D/section-160.404 — Tier 1 (adjustment amounts as reported by HIPAA Journal, 2026 — Tier 6).
  6. HHS OCR — HIPAA Security Rule NPRM, 90 FR 898 (2025-01-06); no final rule as of 2026-06. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html — Tier 1. Proposed mandatory encryption, MFA, asset inventories, annual audits — the forward-looking compliance-operations budget.
  7. HHS telehealth.hhs.gov — Telehealth policy updates: CAA 2026 extends Medicare telehealth flexibilities through 2027-12-31. https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates — Tier 1. Demand-side context for volume assumptions.
  8. Vonage — Video API pricing ($0.00395/participant-minute; volume tiers; HIPAA program). https://www.vonage.com/communications-apis/video/pricing/ — Tier 4.
  9. Daily — Video SDK pricing ($0.004/participant-minute past free allowance; HIPAA plan tiers). https://www.daily.co/pricing/video-sdk/ — Tier 4.
  10. Agora — Video Calling pricing (~$0.99/1,000 min standard video). https://www.agora.io/en/pricing/ — Tier 4.
  11. LiveKit — pricing and "The end of Participant Minute" (GB-based billing, 2025). https://livekit.com/pricing and https://blog.livekit.io/the-end-of-participant-minute/ — Tier 4.
  12. Twilio — "Twilio Video Will Remain a Standalone Product" (changelog, 2024) and Programmable Video EOL extension notice (to 2026-12-05, later reversed). https://www.twilio.com/en-us/changelog/-twilio-video-will-remain-a-standalone-product — Tier 4. The vendor-lifecycle-risk row.
  13. AWS — S3 pricing ($0.023/GB-mo Standard; archive classes from $0.004) and data-transfer pricing (~$0.09/GB internet egress); AWS HIPAA/BAA program (no-charge BAA via AWS Artifact). https://aws.amazon.com/s3/pricing/ and https://aws.amazon.com/compliance/hipaa-compliance/ — Tier 4.
  14. Stripe — Identity verification pricing ($1.50/verification, first 50 free); band corroborated by Persona/Veriff comparisons (2026). https://stripe.com/identity — Tier 4.
  15. Vendr — Redox pricing benchmark: $30k–$60k small deployments, $60k–$150k mid-market, $150k–$300k+ enterprise ACV (2026). https://www.vendr.com/marketplace/redox — Tier 5.
  16. Drata / SecureLeap / Bright Defense — SOC 2 cost guides 2026 ($10k–$30k small-co Type 2 audit; $20k–$90k first-year all-in; pen test $10k–$25k). https://drata.com/learn/soc-2/cost — Tier 5/6.
  17. Commure / Freed / AAFP estimates — AI medical scribe pricing 2026 ($59–$299/provider/month; $150–$200 mid-market norm). https://www.commure.com/blog-scribe/scribe-pricing — Tier 5.
  18. Aalpha / Qubit Labs — offshore software development rates 2026 (US firms $120–$250/h; CEE $35–$70/h mainstream, $60–$85 senior). https://www.aalpha.net/articles/offshore-software-development-hourly-rates/ — Tier 5.
  19. IBM — Cost of a Data Breach Report 2025 (healthcare $7.42M average, costliest 14 years running; 279 days to identify and contain). https://www.ibm.com/reports/data-breach — Tier 5.
  20. Doxy.me — pricing (free / $35 professional / $50 per provider clinic; BAA on all tiers). https://doxy.me/en/pricing/ — Tier 4.

Competitor cost guides (Cleveroad, Topflight, SpaceO, 2026) consulted as Tier 7 competitor reference for the public quote ranges in the opening section; where they conflict with primary pricing pages, the pricing pages win.