I'm a health lawyer specializing in DPC; I'm licensed in CA, CO, and WA. A few things here:
1) California made a terrible attempt at a DPC law that died a horrible death in committee and it will likely require some turn over before another law is capable of being successful. In the meantime, DPCs in California remain vulnerable and need to be very clear about the fact that they don't assume risk. Claims about 24/7 availability for care are more likely to lead to a finding that the practice is bearing risk and therefore constitutes the practice of insurance. Also of note here is how we describe the difference between DPC and traditional delivery.
MedLion was penalized heavily by a Florida court, in part, for making flowery claims about "superior" or "excellent" care. While we all feel strongly that DPC is superior care, we want to be mindful about what we say in our marketing.
2) HIPAA is a floor when it comes to patient privacy, not a ceiling. Many (if not most) states have consumer or patient protection laws that are much more rigorous than HIPAA; California is a perfect example of this.
3) The per visit fee is an interesting market mechanism that actually defines in part the differences between DPC, Concierge, and Boutique medicine models. These are terms of art but generally, DPC has no per visit fee, or if it does, it is less than the periodic membership fee. Concierge charges an "access" fee to be part of the practice and may or may not bill insurance in addition to the access fee. Boutique medicine typically does not bill insurance at all and relies on a cash pay model that may or may not have a membership fee plus a per visit fee. My general advice is to figure out what kind of practice you want to have, what your market will bear, and then let's sort out the legal issues for your ideal practice. Health law is always evolving, and very rarely are their black and white answers. Every practice is unique and you should be wary of a one-size fits all approach to your legal compliance.