The Challenge
Our client is a digital health company focused on chronic disease management — specifically Type 2 diabetes and hypertension. Their clinical model pairs patients with remote care coordinators who monitor vital signs, adjust care plans, and conduct video check-ins between in-person visits.
The founder, a physician with 20 years of clinical experience, had been managing the pilot program using a combination of Zoom, spreadsheets, and manual phone calls. The clinical outcomes were strong — pilot patients showed a 1.8-point average A1C reduction over 6 months. But the manual workflow couldn’t scale beyond 50 patients per coordinator.
The product requirements were clinically specific:
Patient mobile app
Daily vitals logging (blood glucose, blood pressure, weight, medication adherence), secure messaging with care coordinators, video visit scheduling and participation, care plan viewing, educational content delivery.
Provider dashboard
Patient panel with risk stratification, real-time vitals monitoring with configurable alerts (e.g., blood glucose >300 mg/dL triggers immediate notification), care plan management, video visit interface, clinical documentation with structured notes, and billing code tracking for reimbursement.
EHR integration
Bidirectional data exchange with Epic, Cerner, and athenahealth via SMART on FHIR. Patient demographics, problem lists, medications, and lab results pulled from the EHR. Care coordinator notes and vitals data pushed back to the EHR so the primary care physician has a complete record.
HIPAA compliance
All data encrypted at rest and in transit. Access controls with audit logging. BAA-covered infrastructure. PHI handling procedures documented and enforced.
Budget
$130K maximum. The seed funding needed to cover 12 months of operations, clinical staff, and regulatory work — not just software.
Timeline
5 months to launch, driven by a contract with a health system that required a live platform by a specific date.
Our Approach
Architecture and HIPAA Foundation
Week 1–2
Clinical workflow mapping. We spent two weeks understanding the clinical workflow — not from a requirements document, but from watching care coordinators work with pilot patients. We observed video visits, vitals review sessions, and care plan adjustments. This revealed requirements the founder hadn’t articulated: coordinators needed to see 6 months of vitals trends at a glance, not just today’s numbers. Patients needed medication reminders timed to their specific regimen, not generic daily reminders.
Week 3–4
HIPAA-compliant infrastructure. Before writing application code, we built the compliant infrastructure foundation on AWS HIPAA-eligible services:
- VPC with private subnets for application and database layers
- RDS PostgreSQL with encryption at rest (AES-256) and automated encrypted backups
- S3 with server-side encryption for document storage
- CloudTrail for API audit logging
- AWS WAF for application-layer protection
- All services covered under AWS’s BAA
We also implemented application-level security: field-level encryption for PHI fields in the database, comprehensive audit logging (who accessed what patient data, when, from where), role-based access control (patient, coordinator, physician, admin), automatic session timeout after 15 minutes of inactivity, and MFA for all provider accounts.
Core Platform Build
Patient mobile app (React Native):
Built as a single cross-platform codebase for iOS and Android. Key screens: daily vitals entry (blood glucose, blood pressure, weight — with validation ranges configured per patient by their coordinator), medication adherence tracker with push notification reminders, secure in-app messaging (encrypted, HIPAA-compliant), video visit lobby and session interface (Twilio Video integration), care plan viewer, and educational content library.
Design decision:
We used a large-button, high-contrast interface designed for an older patient population. Font sizes defaulted to 18px minimum. Touch targets were 48px minimum. The vitals entry flow was optimized for completion in under 60 seconds — because every second of friction reduces adherence in chronic disease populations.
Provider dashboard (React web app):
Patient panel showing all assigned patients with color-coded risk indicators (green/yellow/red based on configurable vital sign thresholds). Click into any patient for: vitals trend charts (glucose, BP, weight over 30/90/180 days), medication adherence percentage, upcoming and past visits, messaging thread, care plan editor, and clinical documentation templates.
The alert system
Configurable per-patient vital sign thresholds. When a patient’s reading exceeds their threshold — e.g., blood glucose >300 mg/dL or systolic BP >180 — the coordinator receives an immediate push notification, the patient appears at the top of their panel in red, and an audit record is created documenting when the alert was triggered and when it was acknowledged.
EHR Integration (FHIR)
This was the most technically complex phase. We built FHIR R4 integration with three EHR systems using the SMART on FHIR authorization framework.
What we built
- OAuth2-based SMART on FHIR authorization flow for each EHR
- Patient matching: given a patient’s name, DOB, and MRN, identify the correct FHIR patient resource across the connected EHR
- Data pull: demographics, active problem list, current medications, recent lab results (A1C, metabolic panel, lipid panel)
- Data push: care coordinator encounter notes formatted as FHIR DocumentReference resources, vitals data as FHIR Observation resources
- Sync scheduling: initial pull at patient enrollment, then daily incremental sync for medications and labs
The FHIR reality
FHIR R4 is a standard, but every EHR implements it slightly differently. Epic’s FHIR endpoints return data in subtly different structures than Cerner’s. Medication resources from athenahealth use different coding systems than Epic. We built a normalization layer that maps each EHR’s FHIR output to our internal data model, handling the inconsistencies transparently.
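The kind of normalization layer described above, as an added example that is not the project's own code: it maps FHIR R4 Observation resources (the vitals form also used for the data push listed earlier) into one internal model, tolerating a local code listed before the LOINC code, a value given in mmol/L instead of mg/dL, UCUM versus display unit strings, and effectivePeriod in place of effectiveDateTime. The sample resources are constructed to show those variations and are not a transcript of any particular EHR's output; the internal `Vital` model and the source labels are assumptions.

```python
from dataclasses import dataclass

LOINC = "http://loinc.org"
LOINC_TO_VITAL = {"2339-0": "glucose", "8480-6": "systolic", "8462-4": "diastolic"}
CANON_UNIT = {"glucose": "mg/dL", "systolic": "mmHg", "diastolic": "mmHg"}
FACTORS = {("mmol/L", "mg/dL"): 18.0, ("mm[Hg]", "mmHg"): 1.0}  # UCUM vs display unit
@dataclass(frozen=True)
class Vital:                      # the internal data model a reading is mapped into
    kind: str
    value: float
    unit: str
    taken_at: str
    source: str
def _kind(codeable):
    # Walk every coding: a source may list a local code first and LOINC second.
    for c in codeable.get("coding", []):
        if c.get("system") == LOINC and c.get("code") in LOINC_TO_VITAL:
            return LOINC_TO_VITAL[c["code"]]
    return None
def _convert(kind, qty):
    unit = qty.get("unit") or qty.get("code")   # some sources fill only the UCUM code
    canon = CANON_UNIT[kind]
    factor = 1.0 if unit == canon else FACTORS[(unit, canon)]  # KeyError: unknown unit
    return round(qty["value"] * factor, 1), canon
def normalize(obs, source):
    """Map one FHIR R4 Observation (single value or BP panel) to internal Vital rows."""
    # effectiveDateTime and effectivePeriod are both legal; take the period start.
    when = obs.get("effectiveDateTime") or obs.get("effectivePeriod", {}).get("start")
    out = []
    for part in obs.get("component") or [obs]:
        kind = _kind(part.get("code", {}))
        if kind is not None and "valueQuantity" in part:
            value, unit = _convert(kind, part["valueQuantity"])
            out.append(Vital(kind, value, unit, when, source))
    return out

# Constructed sample resources showing the kinds of variation the layer absorbs.
SAMPLE_A = {"resourceType": "Observation", "effectiveDateTime": "2024-03-01T08:00:00Z",
            "code": {"coding": [{"system": LOINC, "code": "2339-0"}]},
            "valueQuantity": {"value": 310, "unit": "mg/dL"}}
SAMPLE_B = {"resourceType": "Observation", "effectivePeriod": {"start": "2024-03-01T08:05:00Z"},
            "code": {"coding": [{"system": "urn:example:local-lab", "code": "GLU"},
                                {"system": LOINC, "code": "2339-0"}]},
            "valueQuantity": {"value": 17.2, "code": "mmol/L"}}
SAMPLE_BP = {"resourceType": "Observation", "effectiveDateTime": "2024-03-01T08:10:00Z",
             "code": {"coding": [{"system": LOINC, "code": "85354-9"}]},
             "component": [{"code": {"coding": [{"system": LOINC, "code": "8480-6"}]},
                            "valueQuantity": {"value": 184, "unit": "mm[Hg]"}},
                           {"code": {"coding": [{"system": LOINC, "code": "8462-4"}]},
                            "valueQuantity": {"value": 96, "unit": "mm[Hg]"}}]}
```

An unknown unit raises `KeyError` on purpose: a silently mis-scaled glucose value would feed the alert thresholds downstream, so the sync should fail loudly and be investigated.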
Testing, Compliance, and Launch
Clinical accuracy testing
We tested vital sign alert thresholds against 500 synthetic patient datasets. Verified that every threshold violation triggered the correct alert within 30 seconds. Tested edge cases: readings exactly at the threshold, rapid successive readings, readings entered during a video visit.
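An added example, not the platform's own code, of the per-patient threshold alert described earlier together with the edge cases tested here: a reading exactly at the threshold does not alert ("exceeds" is strict), and an audit record captures both trigger and acknowledgement time. The handling of rapid successive readings (an unacknowledged alert within a short window is reused rather than duplicated), the window length, and the `T0` timestamp are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 9, 0)   # constructed timestamp for the scenario below
MINUTE = timedelta(minutes=1)
@dataclass
class Thresholds:                 # per-patient limits set by the coordinator (constructed defaults)
    glucose_mg_dl: float = 300.0
    systolic_mm_hg: float = 180.0
@dataclass
class AlertRecord:                # audit entry: what fired, when, and when it was acknowledged
    patient_id: str
    vital: str
    value: float
    threshold: float
    triggered_at: datetime
    acknowledged_at: datetime | None = None
class AlertEngine:
    def __init__(self, debounce: timedelta = 5 * MINUTE):
        self.thresholds: dict[str, Thresholds] = {}
        self.audit: list[AlertRecord] = []
        self.debounce = debounce  # assumption: window for rapid repeat readings

    def evaluate(self, patient_id: str, vital: str, value: float,
                 at: datetime) -> AlertRecord | None:
        t = self.thresholds.get(patient_id, Thresholds())
        limit = {"glucose": t.glucose_mg_dl, "systolic": t.systolic_mm_hg}[vital]
        if value <= limit:       # "exceeds" is strict: exactly 300 mg/dL does not alert
            return None
        current = self.open_alert(patient_id, vital)
        if current and at - current.triggered_at < self.debounce:
            return current       # rapid repeat reading: reuse the open alert, no duplicate
        rec = AlertRecord(patient_id, vital, value, limit, at)
        self.audit.append(rec)   # audit record written at trigger time
        return rec

    def acknowledge(self, rec: AlertRecord, at: datetime) -> None:
        rec.acknowledged_at = at # audit record completed at acknowledgement

    def open_alert(self, patient_id: str, vital: str) -> AlertRecord | None:
        unack = [r for r in self.audit if r.acknowledged_at is None
                 and (r.patient_id, r.vital) == (patient_id, vital)]
        return unack[-1] if unack else None

    def panel(self, patient_ids: list[str]) -> list[tuple[str, str]]:
        """Patients with an unacknowledged alert show red and sort to the top."""
        red = {r.patient_id for r in self.audit if r.acknowledged_at is None}
        rows = [(p, "red" if p in red else "green") for p in patient_ids]
        return sorted(rows, key=lambda row: row[1] != "red")
```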
Security assessment
Engaged a third-party security firm for a focused assessment: penetration testing of the web and mobile applications, review of PHI handling procedures, verification of encryption implementation, and audit log completeness testing. Two medium-severity findings were remediated before launch.
Compliance documentation
Produced: HIPAA Security Risk Assessment, data flow diagrams showing PHI movement through the system, Business Associate Agreements with all subprocessors (AWS, Twilio, SendGrid), incident response procedures, and breach notification plan.
Launch
Deployed to production. First 20 patients migrated from the spreadsheet-based pilot within the first week. Care coordinators were trained on the new platform in a 2-hour session — the interface was intuitive enough that most features required minimal instruction.
The Results
Business outcomes:
- The health system contract was fulfilled on time — the platform launched 1 week ahead of the 5-month deadline
- Patient capacity per coordinator increased 3.6x (50 → 180), fundamentally changing the unit economics of the care model
- The founder used the traction data (1,200 patients, 78% adherence, 1.8-point A1C reduction) to raise a $4.5M Series A 6 months post-launch
- Two additional health systems signed contracts based on the initial deployment’s clinical outcomes
Client Quote
“I’m a physician, not a technologist. I needed a team that could translate clinical requirements into software without me having to explain what a care plan is or why medication adherence matters. Gigabit’s team spent their first two weeks watching my coordinators work with patients. They understood the clinical workflow before they wrote a line of code. That’s why the product works — it was designed for how care actually happens, not how an engineer imagines it happens.”
— Founder & Chief Medical Officer
Building healthcare software?
We build HIPAA-aware platforms with genuine clinical workflow understanding — not just checkbox compliance. Telehealth, patient portals, EHR integration, and clinical AI.