Case Study: Helios Health
Healthcare

4.8-Star Telemedicine App in 14 Weeks

We rebuilt the patient portal from scratch on Next.js with a HIPAA-compliant AWS architecture. Implemented end-to-end encryption, audit logging, and auto-scaling that handled 10x the original load.

14 weeks (May 2025 – Aug 2025)
2 fullstack engineers, 1 mobile engineer, 1 security specialist, 1 designer, 1 PM
Next.js, AWS, HIPAA, Twilio, PostgreSQL, Redis

500K

Patients Onboarded

10x the original 50K capacity, with headroom tested to 750K

4.8★

App Store Rating

Up from 2.1 stars before the rebuild (based on 3,200+ reviews)

0

HIPAA Audit Findings

Passed third-party audit on first attempt — previously had 17 critical gaps

38%

Reduction in No-Shows

Automated reminders + easy rescheduling via the portal

The Challenge

What We Were Up Against

Helios Health's patient portal was built three years ago by a two-person team on a PHP/jQuery stack. It worked fine for their initial 5,000 patients, but as they onboarded regional clinics, concurrent users jumped to 50K and the system started buckling. Video consultations dropped 1 in 4 calls. The audit logging system had gaps that their compliance officer flagged during a routine HIPAA readiness review — specifically, PHI access events weren't being logged for API-based queries, only for UI interactions. With a Series B round contingent on passing a third-party HIPAA audit, they had 14 weeks to fix everything.

Video Call Reliability

WebRTC implementation was peer-to-peer with no TURN server fallback. 23% of video consultations failed when patients were behind corporate firewalls or on restrictive mobile networks.

HIPAA Audit Logging Gaps

PHI access via the REST API wasn't logged. Only UI-triggered events had audit trails, meaning any integration partner or internal script accessing patient data left no record.

Performance Under Load

Single PHP-FPM server with no caching layer. Page load times averaged 6.2 seconds during morning appointment slots (8–10 AM) when 70% of daily logins occurred.

Mobile Experience

No responsive design — patients on mobile (62% of traffic) were pinch-zooming a desktop layout. App Store reviews averaged 2.1 stars, primarily citing usability issues.

Constraints & Requirements

14-week hard deadline — Series B due diligence required passing a third-party HIPAA audit

Must integrate with 3 existing EHR systems (Epic, Cerner, Athenahealth) via HL7 FHIR

PHI must be encrypted at rest and in transit with key rotation

WCAG 2.1 AA accessibility compliance for patient-facing interfaces

Our Approach

How We Built It

We chose Next.js for the portal rebuild — it gave us SSR for fast initial loads, ISR for provider directories that update daily, and a React component model the team could maintain after handoff. For video, we went with Twilio Video SDK over Daily.co because Twilio had a signed HIPAA BAA and better documentation for custom UI overlays. The entire stack was deployed on AWS with a HIPAA-eligible account configuration.

01

HIPAA Infrastructure & Compliance Audit

Weeks 1–2

Conducted a gap analysis against HIPAA Technical Safeguards. Set up the AWS HIPAA-eligible environment with encrypted VPCs, KMS key management, and CloudTrail logging for all API calls.

HIPAA gap analysis report with 17 findings (12 critical)
AWS HIPAA-eligible account with encrypted VPCs
KMS key management with automatic 90-day rotation
Immutable audit log architecture (append-only DynamoDB + S3 archival)

02

Architecture & Design System

Weeks 3–5

Designed the component library with accessibility baked in from day one. Built the data layer with row-level security in PostgreSQL so every query is automatically scoped to the authenticated patient or provider.

Design system with 34 accessible components (WCAG 2.1 AA)
PostgreSQL schema with row-level security policies
FHIR-compliant data models for patient records
API middleware for automatic PHI access logging

03

Core Portal Rebuild

Weeks 6–11

Built the patient dashboard, appointment scheduling, prescription management, and provider directory. Every component was reviewed for PHI exposure and accessibility compliance.

Patient dashboard with appointment history and upcoming visits
Smart scheduling with provider availability and timezone handling
Prescription management with pharmacy integration
Provider directory with ISR (updates every 4 hours)

04

Video Integration & Load Testing

Weeks 12–14

Integrated Twilio Video with custom waiting room UI, connection quality monitoring, and automatic fallback to audio-only if bandwidth drops below 500kbps. Load tested with 10x target concurrent users.

Twilio Video integration with HIPAA BAA
Custom waiting room with connection quality pre-check
Auto-fallback to audio when bandwidth < 500kbps
Load test results: 500K concurrent users, p95 response 340ms

Key Features

What We Built

HIPAA-Compliant Audit Trail

Every PHI access event — whether from the UI, API, or internal service — is logged to an immutable append-only store with tamper detection.

Technical Detail

Express middleware intercepts all requests touching PHI-tagged database tables. Logs are written to DynamoDB with a SHA-256 chain hash (each entry includes the hash of the previous entry). Nightly archival to S3 Glacier with a separate integrity verification job.

Resilient Video Consultations

Video call completion rate improved from 77% to 98.6% with intelligent network adaptation and TURN server fallback.

Technical Detail

Twilio Video SDK with a custom React wrapper. Connection quality is assessed during a 5-second pre-call check. If direct ICE candidates fail (for example behind a corporate firewall), the call automatically falls back to a TURN relay. Bandwidth monitoring triggers resolution scaling: 720p → 480p → audio-only at < 500kbps.

Row-Level Security for Multi-Tenancy

PostgreSQL row-level security ensures patients can only access their own records, even if application-level bugs bypass authorization checks.

Technical Detail

RLS policies are bound to the JWT sub claim, which is set via SET LOCAL at the start of each transaction. Defense in depth: application middleware checks authorization, but the database enforces it independently. This caught two authorization bugs during development before they reached production.
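The transaction-scoped RLS pattern described above, as an added example rather than the project's own code. It assumes a node-postgres style client (`client.query(text, params)` returning a promise), a `patients` table with a `patient_sub` column, and the setting name `app.current_sub`; all three are assumptions. `set_config(name, value, true)` is used because it is the parameterizable form of `SET LOCAL` (the third argument scopes the value to the current transaction). A small stand-in client emulates the policy over constructed rows so the example runs without PostgreSQL.

```javascript
// Added example (not the project's code): scope every query to the caller's JWT
// `sub` inside one transaction so PostgreSQL row-level security enforces it.
// Assumed: node-postgres style client, `patients(patient_sub, mrn)`, setting
// name `app.current_sub`.

// Policy this example assumes was created at schema setup (shown for context).
// FORCE applies it to the table owner as well; superusers always bypass RLS, so
// the application must connect as an ordinary role.
const RLS_POLICY_SQL = `
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;
CREATE POLICY patient_self ON patients
  USING (patient_sub = current_setting('app.current_sub', true));
`;

function requireSub(jwtSub) {
  // Fail closed on a missing sub: with the setting unset current_setting(..., true)
  // yields NULL and the policy matches nothing, but refusing early is clearer.
  if (typeof jwtSub !== 'string' || jwtSub.trim() === '') {
    throw new Error('authenticated request without a sub claim');
  }
  return jwtSub;
}

async function withPatientScope(client, jwtSub, work) {
  const sub = requireSub(jwtSub);
  await client.query('BEGIN');
  try {
    // set_config(..., true) == SET LOCAL: the value lasts only until COMMIT or
    // ROLLBACK, so a pooled connection never carries one patient's identity
    // into the next request.
    await client.query("SELECT set_config('app.current_sub', $1, true)", [sub]);
    const result = await work(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Offline stand-in for a database connection: emulates the policy above over
// constructed rows so the example runs without PostgreSQL.
class FakePgClient {
  constructor(rows) { this.rows = rows; this.currentSub = null; this.log = []; }
  async query(text, params = []) {
    this.log.push(text);
    if (text === 'BEGIN') return { rows: [] };
    if (text === 'COMMIT' || text === 'ROLLBACK') { this.currentSub = null; return { rows: [] }; }
    if (text.startsWith("SELECT set_config('app.current_sub'")) { this.currentSub = params[0]; return { rows: [] }; }
    if (text === 'SELECT mrn FROM patients') {
      // USING (patient_sub = current_setting('app.current_sub', true)); NULL matches nothing
      const visible = this.currentSub === null ? [] : this.rows.filter((r) => r.patient_sub === this.currentSub);
      return { rows: visible.map((r) => ({ mrn: r.mrn })) };
    }
    throw new Error('stand-in client does not understand: ' + text);
  }
}

// Constructed rows (not real patient data).
const SAMPLE_ROWS = [
  { patient_sub: 'sub-alice', mrn: 'MRN-0001' },
  { patient_sub: 'sub-bob', mrn: 'MRN-0002' },
];

// The application query deliberately has no WHERE clause: even if middleware
// forgot to filter, the database returns only the caller's own row.
async function listOwnRecords(client, jwtSub) {
  return withPatientScope(client, jwtSub, async (c) => (await c.query('SELECT mrn FROM patients')).rows);
}
```

Two details carry the security weight here: the setting is transaction-local, so connection pooling cannot leak one user's scope into another's request, and the setting is written with a bound parameter rather than string-concatenated into a `SET` statement.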

EHR Integration Hub

Standardized integration with Epic, Cerner, and Athenahealth via HL7 FHIR, replacing three separate custom integrations with one unified adapter.

Technical Detail

FHIR R4-compliant adapter with OAuth 2.0 SMART on FHIR for each EHR. Incoming data is normalized to a canonical schema, with bi-directional sync for appointments and clinical notes. Retry queue with exponential backoff handles EHR downtime (Cerner has a 99.7% SLA).
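The retry-with-backoff behaviour for EHR downtime, as an added example that is not the project's code. The error classification, the `status` property on errors, and the injectable `sleep` and `random` hooks are assumptions made so the schedule is deterministic; the flaky endpoint is a constructed stand-in, not any real EHR.

```javascript
// Added example (not the project's code): exponential backoff with full jitter
// for calls to an EHR's FHIR endpoint, retrying only transient failures.
// Assumed: errors carry `status` (HTTP) or `code` (socket); hooks are injectable.

// Delay before retry number `attempt` (0-based). The ceiling doubles each time up
// to capMs, and "full jitter" picks a random point below it so that many queued
// sync jobs do not retry in lockstep when the EHR comes back.
function backoffDelayMs(attempt, { baseMs = 500, capMs = 60000, random = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// Only transient failures earn a retry. 401/403 mean the SMART on FHIR token is
// bad or revoked: retrying repeats the failure and clutters the audit trail, so
// those go back to the caller to re-authorize.
function isTransient(err) {
  if (err && (err.code === 'ECONNRESET' || err.code === 'ETIMEDOUT')) return true;
  const s = err && err.status;
  return s === 429 || (typeof s === 'number' && s >= 500);
}

// Runs fn(attempt) until it succeeds, a non-transient error occurs, or maxAttempts
// is exhausted. Resolves with the value plus the retry schedule actually used.
async function withRetry(fn, { maxAttempts = 5, sleep, random, baseMs, capMs } = {}) {
  if (typeof sleep !== 'function') sleep = (ms) => new Promise((r) => setTimeout(r, ms));
  const delays = [];
  for (let attempt = 0; ; attempt++) {
    try {
      const value = await fn(attempt);
      return { value, attempts: attempt + 1, delays };
    } catch (err) {
      if (!isTransient(err) || attempt + 1 >= maxAttempts) throw err;
      const d = backoffDelayMs(attempt, { baseMs, capMs, random });
      delays.push(d);
      await sleep(d);
    }
  }
}

// Constructed stand-in for an EHR endpoint that fails the first `failures` calls
// with the given HTTP status, then returns a FHIR-shaped bundle.
function flakyEhr(failures, status = 503) {
  let calls = 0;
  return async () => {
    calls++;
    if (calls <= failures) {
      const e = new Error('EHR unavailable');
      e.status = status;
      throw e;
    }
    return { resourceType: 'Bundle', total: 1 };
  };
}
```

When wiring this into a queue, keep the job payload to resource identifiers rather than PHI, so the retry log and any dead-letter queue do not themselves become an unlogged PHI store.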

Tech Stack

Why We Chose What We Chose

Frontend

Next.js 14

SSR for fast initial loads, ISR for provider directories. Chose over Remix — needed ISR for semi-static content that Remix doesn't support natively.

Tailwind CSS

Rapid UI development with consistent spacing/color tokens. Design system built on top of Tailwind primitives.

Radix UI

Accessible headless components that met WCAG 2.1 AA out of the box. Reduced accessibility remediation time by ~60%.

Backend

Node.js + Express

Same language as frontend for code sharing (validation schemas, types). Team could context-switch without language overhead.

PostgreSQL 15

Row-level security for PHI isolation. The only major RDBMS with production-grade RLS that supports JWT-based policies.

Redis

Session management with configurable TTL. Also used for rate limiting on authentication endpoints.

Video & Communication

Twilio Video SDK

Signed HIPAA BAA available. Daily.co was a contender but lacked the custom UI overlay API we needed for the waiting room experience.

Twilio SendGrid

Transactional emails for appointment reminders. HIPAA BAA available, and we were already using Twilio for video.

Infrastructure

AWS (HIPAA-eligible)

HIPAA-eligible services with BAA. ECS Fargate for container orchestration without managing EC2 instances.

AWS KMS

Managed encryption key rotation for PHI at rest. 90-day automatic rotation meets HIPAA Technical Safeguard requirements.

CloudTrail + DynamoDB

Immutable audit logging. CloudTrail for AWS-level events, DynamoDB append-only table for application-level PHI access.

Impact

Before & After

Metric | Before | After
Page Load (Morning Peak) | 6.2 seconds | 1.1 seconds
Video Call Completion | 77% | 98.6%
App Store Rating | 2.1 stars | 4.8 stars
HIPAA Audit Findings | 17 critical gaps | 0 findings
Mobile Usability Score | 34/100 (Lighthouse) | 96/100

Engineering Quality

How We Ship

Test Coverage

94% on PHI-handling code paths, 82% overall

CI/CD Pipeline

GitHub Actions with SAST scanning and dependency audit on every PR

Monitoring

AWS CloudWatch + Datadog with PHI access anomaly detection

Deploy Frequency

3x/week with automated HIPAA compliance checks in CI

We'd been burned by a vendor who said they understood HIPAA but hadn't actually implemented audit logging correctly. TechWithCare's team walked us through their immutable log architecture in the first week and we knew immediately they were different. The fact that we passed our Series B audit on the first attempt — after having 17 critical findings — is something I still can't quite believe.


Dr. Sarah Kim

Chief Medical Officer, Helios Health

Ongoing

What's Next

1

Adding AI-powered symptom triage before video consultations

2

Expanding EHR integrations to include AllScripts and eClinicalWorks

3

Building a patient mobile app (React Native) with offline appointment access
