Hi,

I work in the security and privacy business in Europe and I can tell you a bit more about point d. You need to make sure you're bringing also an expert in compliance depending on your jurisdiction (e.g. HIPAA). You might need expert advice to know if you're doing enough to protect private information from patients. A lawyer might have a good knowledge of the regulations, however, a technical expert will also tell you if your measures are enough or if you're falling short and possibly liable.

If you're going to do business with Europe in any length, remember that we do have quite strict guidelines about privacy and is your responsibility to adequately protect patient's information.