Insurance and Cyberinsurance

Remember: I'm not a lawyer. Nothing here is advice; use at your own risk.

Professional Indemnity Insurance

Before even thinking about engaging anyone as a customer, think about getting a lawyer. One of your first tasks before or very soon after signing any agreements with a customer is to get Professional Liability Insurance (PLI) (also known as Professional Indemnity Insurance (PII), and also known as "Errors and Omissions," or E&O). Before buying a policy for PLI, get it reviewed by your lawyer. This means that you need a lawyer who knows something about small consultancies or contractors (you probably don't want someone who does wills).

The reason you need this kind of insurance is because you need to be able to defend yourself if a client goes after you for negligence or you have costs for damages awarded in a civil suit.

How could this happen? Let's say that you build a small portal so that people can enter their blood pressure and track it. But there's a bug, and those people can't connect. Your client may claim that because the bug wasn't fixed for a week, you owe them lost revenue.

Some policies will cover defense costs, even if there are no grounds for the suit. This kind of insurance doesn't help with criminal activity or liabilities that are not listed in the policy. So be careful. Sometimes you will have a client who requires you to be covered. An article by Myra Thomas (citation below) notes that "many contractors build the cost of insurance into their fees." Good idea. CoverWallet recommends that people carry $1M per occurrence and $2M aggregate (i.e., over the policy period). The policy can be designed to provide retroactive coverage. You may want to consider keeping coverage in place until the applicable statutes of limitation have run.

I checked a number of online insurance brokers, and the simplest possible policy is around $650 to $1,000 for a year of coverage. But guess what? These online policies do not cover a lot of things that you might be doing: for example, the policy I looked at says you can't "affect or enable" any "medical services," or perform work for companies with greater than 50 employees, or do anything regarding databases, domain hosting, search engine optimization (!), or telehealth (and a bunch of other carve-outs). These kinds of carve-outs make me wonder whether, even if I am doing work for a healthcare company, I can write a statement of work that is narrowly technical and does not involve any medical topics. I don't know: I'm not a lawyer.

Cyberinsurance

So, you've decided to engage with a client and will perform some data processing for them. They will give you clinical data regarding 500,000 patients. You will sign a BAA.

What happens if your AWS account is broken into and those 500,000 records of patient data are scattered to the wind? Well, you're in big trouble.

References regarding Professional Indemnity Insurance