Case Study · Web Application

HIPAA compliance isn't a checkbox — it's an architecture decision made at the beginning.

A telehealth startup needed a patient intake and provider management platform that satisfied HIPAA's technical safeguards from day one. Wrong architecture choices made in week 1 become expensive remediation projects before launch. We built the HIPAA-compliant architecture first, then built the product on top of it.

150+
Projects shipped
99%
Client retention
~12wk
Average delivery
The problem
A telehealth startup needed a production HIPAA-compliant application for patient intake, provider scheduling, and secure messaging — and needed a developer who understood HIPAA's technical safeguards, not one who would treat compliance as a post-launch concern.

The telehealth startup's concept was validated — 12 provider partners committed before a product existed, and 40 patient pre-registrations from a landing page. The challenge was the compliance architecture: the founders (a physician and a business operator) understood HIPAA at the policy level but needed a developer who understood HIPAA's technical safeguards in terms of actual implementation decisions.

The technical safeguard requirements that affect architecture: access controls (unique user identification, role-based access to PHI, session management that automatically logs out inactive sessions), audit controls (hardware, software, and procedural mechanisms to record and examine access and activity in systems containing PHI), integrity controls (ensuring PHI is not improperly altered or destroyed), and transmission security (encrypting PHI in transit).

The stack decisions that affect HIPAA compliance: database encryption at rest (Neon provides AES-256 encryption at rest as default); encryption in transit (TLS 1.2+ enforced on all connections); audit logging (every access to a patient record logged with user ID, timestamp, action, and IP address); access controls (Clerk with session timeout configuration, RBAC for provider/admin/patient role separation); and the Business Associate Agreement (BAA) required from every vendor who processes PHI (Vercel, Neon, Clerk, and the email provider all sign BAAs for HIPAA-covered customers).

What we build

A production HIPAA-compliant telehealth platform with patient intake, provider scheduling, secure messaging, and the audit logging and access controls that satisfy HIPAA's technical safeguard requirements.

Patient intake and profile management

Patient registration with intake form (demographic information, medical history, insurance information, current medications). FHIR-structured patient data model for interoperability. Secure document upload for insurance cards and ID.

Provider management and scheduling

Provider profiles with specialty, availability, and license information. Appointment scheduling with provider availability calendar. Appointment confirmation and reminders via HIPAA-compliant email (no PHI in the email body — a link to the secure portal).

Secure messaging

Encrypted patient-provider messaging within the portal. No PHI transmitted via standard email. Message retention and deletion policies in the HIPAA-compliant messaging system.

Audit logging

Every access to PHI logged: user ID, organisation ID, patient record accessed, action type, timestamp, and IP address. Audit log retention per HIPAA's 6-year requirement. Admin audit log viewer for compliance reviews.

Access controls and session management

Clerk with 15-minute session timeout for provider-role users accessing PHI. Role-based access: patients see only their own records, providers see records for their patients, admins see all records with full audit trail. Access control violations logged.
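The three mechanisms above (the per-access audit record with user ID, organisation ID, patient record, action, timestamp and IP; the patient/provider/admin scoping rules; and the 15-minute idle timeout for provider sessions touching PHI) are one authorization path in code. The block below is an added example written for this page, not the project's own code: TypeScript is assumed because it fits the Vercel/Clerk stack described, and every type, function name, field (such as `careTeam`) and sample record is an illustrative assumption. It also extends the page's rules in two labelled places: an admin gets the same idle timeout as a provider, and an admin from another organisation is refused at the tenant boundary.

```typescript
// Added example (not the project's own code): the PHI access rules and audit
// record described on this page, as one authorization + logging path.
// All names, types and sample data below are illustrative assumptions.

type Role = "patient" | "provider" | "admin";
type Action = "read" | "update" | "delete";
type Outcome = "allowed" | "denied" | "session_expired";

interface SessionUser {
  id: string;
  orgId: string;
  role: Role;
  lastActivityMs: number; // assumed to come from the session store (Clerk on this page)
}

interface PatientRecord {
  id: string;
  orgId: string;
  patientUserId: string;
  careTeam: string[]; // provider user IDs treating this patient (assumed field)
}

// The six fields the page lists for every PHI access, plus the outcome so that
// access-control violations land in the same log as successful reads.
interface AuditEntry {
  userId: string;
  orgId: string;
  patientRecordId: string;
  action: Action;
  timestamp: string; // ISO-8601, UTC
  ip: string;
  outcome: Outcome;
}

const PHI_IDLE_TIMEOUT_MS = 15 * 60 * 1000; // the 15-minute timeout from the page

// In-memory stand-in for an append-only audit table (Postgres on Neon in the real stack).
const auditLog: AuditEntry[] = [];

function isPhiSessionExpired(user: SessionUser, nowMs: number): boolean {
  // The page applies the 15-minute idle timeout to provider-role users accessing PHI.
  // Assumption: admins, who can see every record, get the same timeout.
  if (user.role !== "provider" && user.role !== "admin") return false;
  return nowMs - user.lastActivityMs > PHI_IDLE_TIMEOUT_MS;
}

function canAccess(user: SessionUser, record: PatientRecord): boolean {
  // Tenant boundary first (assumption): no role crosses an organisation.
  if (user.orgId !== record.orgId) return false;
  switch (user.role) {
    case "patient":  return record.patientUserId === user.id;        // own record only
    case "provider": return record.careTeam.indexOf(user.id) !== -1; // their patients only
    case "admin":    return true;                                    // all records, fully audited
    default:         return false;                                   // unknown role: deny
  }
}

function accessPatientRecord(
  user: SessionUser, record: PatientRecord, action: Action, ip: string, nowMs: number,
): { allowed: boolean; entry: AuditEntry } {
  let outcome: Outcome;
  if (isPhiSessionExpired(user, nowMs)) outcome = "session_expired";
  else if (canAccess(user, record)) outcome = "allowed";
  else outcome = "denied";

  const entry: AuditEntry = {
    userId: user.id, orgId: user.orgId, patientRecordId: record.id,
    action, timestamp: new Date(nowMs).toISOString(), ip, outcome,
  };
  auditLog.push(entry); // recorded before any PHI is returned; denials are logged too
  return { allowed: outcome === "allowed", entry };
}

// What an admin audit viewer would query for a compliance review: every touch of one record.
function auditTrailFor(patientRecordId: string): AuditEntry[] {
  return auditLog.filter((e) => e.patientRecordId === patientRecordId);
}

// Constructed sample data and a walk through the rules; returns the outcomes in order.
function runDemo(): Outcome[] {
  const t0 = Date.UTC(2024, 0, 15, 9, 0, 0); // fixed clock so the run is reproducible
  const record: PatientRecord = { id: "rec-1", orgId: "org-1", patientUserId: "pat-1", careTeam: ["prov-1"] };
  const user = (id: string, role: Role, orgId = "org-1", idleMin = 0): SessionUser =>
    ({ id, role, orgId, lastActivityMs: t0 - idleMin * 60 * 1000 });

  const attempts: [SessionUser, Action][] = [
    [user("pat-1", "patient"), "read"],                // own record -> allowed
    [user("pat-2", "patient"), "read"],                // another patient's record -> denied
    [user("prov-1", "provider"), "update"],            // on the care team -> allowed
    [user("prov-2", "provider"), "read"],              // not on the care team -> denied
    [user("prov-1", "provider", "org-1", 16), "read"], // idle 16 min -> session_expired
    [user("adm-1", "admin"), "read"],                  // admin, same org -> allowed
    [user("adm-9", "admin", "org-2"), "read"],         // admin from another tenant -> denied
  ];
  return attempts.map(([u, a]) => accessPatientRecord(u, record, a, "203.0.113.10", t0).entry.outcome);
}
```

Two design points carry over to a real deployment: the audit entry is written before the record is returned rather than after, so a crash or timeout between the two cannot produce an unlogged read, and a denial or an expired session produces the same shaped entry as a success, which is what makes the "access control violations logged" requirement queryable from the same viewer.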

Engagement

One honest number to start.

Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.

Tier · Web Application · Fixed scope
From $25,000


99% client retention across 40+ projects
Process

Three steps, every time.

The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.

01 · Week 0

Brief & discovery.

We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.

02 · Weeks 1–N

Build & ship.

Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.

03 · Post-launch

Warranty & retainer.

30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.

Why fixed-price

Why Fixed-Price Matters Here

Compliance-critical applications need a developer who will not cut corners on the compliance architecture to save time. A fixed scope with the compliance requirements explicitly specified in the written scope removes that incentive: the audit logging, access controls and BAA coordination are deliverables, not overhead to trim.

FAQ

Questions, answered.

Vercel (BAA available for enterprise plan), Neon (BAA available for business plan), Clerk (BAA available for enterprise plan), and Postmark for transactional email (BAA available). The BAA execution process was managed as part of the project setup. Every vendor in the infrastructure stack that processes PHI has a signed BAA on file.

HIPAA doesn't have a certification — it's a set of required technical safeguards and administrative controls. The application implements the technical safeguards required by HIPAA's Security Rule. The founders are responsible for the administrative safeguards (policies, training, incident response procedures) separately. The technical specification documents how each technical safeguard requirement is addressed.

The patient data model is FHIR-structured (FHIR R4 patient resource schema) to support future interoperability requirements. The current application doesn't expose FHIR APIs externally — that was scoped as a future addition after launch. The FHIR-compatible data model means the migration to external FHIR API support is additive rather than requiring a data model change.

$55,000 for the full HIPAA-compliant telehealth platform. 15 weeks. The additional cost over a standard web application reflects the compliance documentation, audit logging infrastructure, and BAA coordination.

The 12 committed provider partners were onboarded in week 2 post-launch. All 12 were conducting patient appointments through the platform within 3 weeks. Zero security incidents in the first year.

Next step

Tell Ryel about your project.

Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.