Healthcare web-app development

Custom healthcare web apps with a real HIPAA-aware architecture

Patient portals, intake flows, triage tools, internal workflows. Senior engineer on subscription, HIPAA-aware from day one. $3,499/mo.

Available for new projects

Starting at $3,499/mo · monthly subscription

Who this is for

Clinic owner, healthtech founder, or healthcare-ops lead where off-the-shelf EHR does not fit the workflow and the patient portal is clunky.

The pain today

  • Off-the-shelf EHR does not match clinical workflow
  • Patient portal is a poor third-party bolt-on
  • Intake is on paper or an insecure form
  • Staff workflow is in spreadsheets and email
  • Previous developer shipped code that is not HIPAA-safe

The outcome you get

  • Custom healthcare web app on subscription at $3,499/mo
  • HIPAA-aware architecture with BAAs in place
  • Patient portal, intake, or workflow tool shipped in 6 to 12 weeks
  • Audit trails and access controls baked into every surface
  • Clean handoff to a full-time engineer or in-house team when ready

What 'HIPAA-aware' actually means in a web app

The HIPAA Security Rule groups its requirements for a web app handling PHI into three safeguard categories. Administrative safeguards (policies, training, access controls, audit). Physical safeguards (hosting, backups, disaster recovery). Technical safeguards (encryption, authentication, audit logs, transmission security). The common failures are: storing PHI in systems without a BAA, logging PHI into third-party tools, email attachments with PHI, lack of audit trails, and weak access controls. I build around these from day one — encrypted storage, BAA-covered hosting (AWS with BAA, Google Cloud with BAA, or an Aptible-like platform), every sensitive action logged, RBAC enforced everywhere.

Common healthcare apps I build

Intake and triage (digital forms, symptom checkers, pre-visit screening). Scheduling beyond what the EHR provides (cohort scheduling, specialty visit types). Patient portals (message, results, documents, pre-visit). Internal workflow tools (case management, referral tracking, billing workflows). Clinical dashboards for admins and clinicians. Integrations (EHR APIs, labs, imaging). I do not build full EHRs — that is a specialist vendor space (Epic, Cerner, Athena). I build the workflow tools that sit around the EHR, fitting your actual clinical process.

BAAs, hosting, and audit trails

Every healthcare engagement starts with BAAs. AWS and Google Cloud both sign BAAs for their HIPAA-eligible services (S3, EC2, RDS, etc.). SendGrid, Twilio, Datadog — all offer BAAs on enterprise plans. Logging services need BAAs if they touch PHI. Database choice matters — PostgreSQL with column-level encryption is common. Audit trails log every read and write to PHI with actor, patient ID, action, timestamp. This is non-negotiable — not because HIPAA requires it in every detail but because you cannot pass an audit or investigate a breach without it.

Pricing and engagement model

Standard $3,499/mo. Pro $4,500/mo. Both include 2 to 4-day delivery, senior engineering, HIPAA-aware architecture. Pro adds priority response and faster cycles. 14-day money-back guarantee. Cancel anytime. 100 percent code ownership under Work Made for Hire. NDA standard (already how I work). Hosting costs are separate (AWS, Google Cloud, Aptible) and billed directly to you — usually $200 to $2,000/month depending on scale. You own the hosting account and the BAAs. I never hold client accounts.

Case: Cuez and GigEasy — performance and MVP-speed playbooks

At Cuez I rescued a broadcast-SaaS API, taking response times from 3 seconds to 300 milliseconds — 10x faster — with 40 percent infra cost reduction. At GigEasy I delivered a Barclays and Bain Capital-backed MVP from scratch in 3 weeks. The first teaches healthcare clients what performance discipline looks like on regulated, real-time systems. The second teaches them what disciplined MVP execution looks like when time to first demo matters. Both play into healthcare apps — clinical workflow tools need to be fast (clinicians do not have patience for slow pages) and MVPs often need to ship before funding runs out.

When a dedicated EHR is enough

If your workflow fits Athena, NextGen, Epic, or a clinic-focused EHR like DrChrono, do not build custom. Configure the EHR. Modern EHRs handle 80 percent of clinical workflows out of the box. Custom work makes sense when the EHR blocks a specific workflow that is strategic to your practice — new service lines, non-standard scheduling, custom intake, specialty-specific reporting. For most single-clinic operators, configuration beats custom build. My target is healthtech founders and larger practices where custom workflow tools materially affect clinical efficiency or patient experience.

Recent proof

A comparable engagement, delivered and documented.

Startup MVP Development

Built and shipped an investor-ready MVP from scratch

Built the entire technological base and delivered MVP in just 3 weeks, enabling a successful rapid launch and investor demo.

Fintech · MVP in 3 weeks · Investor-ready demo · Seed funding enabled

Frequently asked questions

The questions prospects ask before they book.

Do I need a BAA with you?
Yes, before any engagement that touches PHI. I sign a standard HIPAA Business Associate Agreement in the first week. The BAA defines how I access PHI during development, how I handle breaches, and how data is wiped after the engagement. An NDA is signed separately as standard. For engagements where I never touch real PHI (development against synthetic data only, which is the safer default), the BAA is still useful for production troubleshooting access.
What hosting do you recommend?
AWS or Google Cloud with their HIPAA-eligible services and a signed BAA. Aptible is a managed-platform alternative that bundles compliance controls — faster to get running, slightly higher cost. For smaller practices, Aptible is usually the right call. For larger operations with dedicated DevOps budget, direct AWS or GCP is more flexible. You own the hosting account from day one. I configure, you own: the standard pattern.
How do you handle integrations with the EHR?
Most modern EHRs expose FHIR APIs (Athena, DrChrono, NextGen, Epic) or proprietary APIs (Athena Streaming, Epic App Orchard). I have integrated against FHIR APIs in similar work. For integrations with legacy EHRs without APIs, HL7 messaging via an interface engine (Mirth Connect) is the standard approach. Budget 4 to 8 weeks for EHR integration work; longer for legacy systems. Every integration is tested against a sandbox before touching production.
What about patient-facing mobile apps?
Web apps that work on mobile browsers cover most patient use cases — message providers, view results, book appointments, complete intake. Native iOS/Android apps are worth the investment only when you need offline access, push notifications, or device features (camera for skin checks, microphone for voice intake). I do not build native mobile apps. For web-only patient portals I ship responsive, PWA-ready code that installs to the home screen.
How do you handle audit logs?
Every read and write to PHI logs an immutable audit entry with actor, patient ID, action, timestamp, IP, and user agent. Logs go to a dedicated store separate from application data (AWS CloudTrail, dedicated Postgres schema, or an audit-log service). Retention meets HIPAA's 6-year requirement. Reports for compliance and breach investigation are generated on demand. This is baseline for every healthcare engagement — not an add-on.
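
The audit trail described in this answer and in the "BAAs, hosting, and audit trails" section, as an added illustration that is not code from this engagement: an append-only PHI access log in Python carrying the fields named here (actor, patient ID, action, timestamp, IP, user agent), where each entry also commits to the hash of the previous entry so that an edited or deleted record shows up on verification. The class and function names, the hash chain, and the sample accesses are this example's own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
GENESIS = "0" * 64  # prev_hash of the very first entry

@dataclass
class AuditEntry:
    actor: str        # authenticated staff user who touched the record
    patient_id: str   # whose PHI was touched
    action: str       # "read", "write", "export", ...
    timestamp: str    # UTC ISO-8601
    ip: str
    user_agent: str
    prev_hash: str    # hash of the previous entry: this is what makes edits visible
    entry_hash: str = ""

def _digest(entry):
    """SHA-256 over every field except entry_hash, serialised canonically."""
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:  # append-only: entries are added, never edited or removed
    def __init__(self):
        self._entries = []
    def record(self, actor, patient_id, action, ip, user_agent, timestamp=None):
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = AuditEntry(actor, patient_id, action, ts, ip, user_agent, prev)
        entry.entry_hash = _digest(entry)
        self._entries.append(entry)
        return entry
    def verify(self):
        """-1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.prev_hash != prev or _digest(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return -1
    def report(self, patient_id):  # breach-investigation view for one patient
        return [asdict(e) for e in self._entries if e.patient_id == patient_id]
def demo():
    """Constructed sample accesses (hypothetical users and patient IDs)."""
    log = AuditLog()
    log.record("dr.smith", "P-001", "read", "10.0.0.5", "Mozilla/5.0", "2024-01-01T09:00:00+00:00")
    log.record("nurse.jones", "P-001", "write", "10.0.0.6", "Mozilla/5.0", "2024-01-01T09:05:00+00:00")
    log.record("dr.smith", "P-002", "read", "10.0.0.5", "Mozilla/5.0", "2024-01-01T09:06:00+00:00")
    return log
```

In production the entries would be written to the separate store mentioned above rather than kept in memory, and the verify step run on a schedule so a broken chain is noticed before an auditor or investigator needs the log.
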

Ready to start?

Tell me what you need in 60 seconds. Tailored proposal in your inbox within 6 hours.
