How do you handle projects in different time zones?

I use async-first communication with detailed daily updates via Slack or your preferred tool. I maintain 4-6 hours of overlap with US/EU time zones and guarantee a response time under 4 hours during business days. Loom recordings, documented PRs, and shared project boards keep everyone aligned regardless of location.

What's your typical project timeline?

Timelines vary by scope: landing pages and MVPs take 1-2 weeks, mid-size applications 3-4 weeks, and complex platforms 5-6 weeks. Every project starts with a discovery call and scoping document so we agree on milestones, deliverables, and deadlines before any code is written.

Do you provide post-launch support?

Yes. Every project includes 30 days of free post-launch support covering bug fixes, minor adjustments, and deployment assistance. For ongoing maintenance, I offer monthly retainer packages that include monitoring, updates, and priority response times.

What technologies do you specialize in?

I specialize in React, Next.js, Angular, Node.js, NestJS, Express, TypeScript, Python, and Django on the application side. For databases I work with PostgreSQL, MongoDB, Firebase, and Supabase. On the AI side I build with OpenAI, Claude AI, LangChain, and n8n for workflow automation. Infrastructure includes Docker, AWS, Azure, and Vercel.

How do you ensure code quality?

I follow a strict quality process: TypeScript for type safety, automated testing with Jest and Cypress, CI/CD pipelines for every deployment, thorough code reviews, and comprehensive documentation. Every project ships with clean, maintainable code that your team can easily extend.

Can you work with my existing team?

Absolutely. I integrate seamlessly into existing teams using your Git workflow, code standards, and communication tools. I've collaborated with cross-functional teams of designers, PMs, and backend engineers on platforms like GitHub, GitLab, Jira, and Linear.

What's your pricing structure?

I offer both project-based fixed pricing and hourly rates. Fixed-price works best for well-defined scopes, while hourly suits ongoing development or evolving requirements. Every engagement starts with a free discovery call and a detailed proposal so there are no surprises.

How do I get started?

Book a free discovery call or send me a message at contact@waseemahmad.dev. We'll discuss your goals, timeline, and budget, and I'll follow up with a tailored proposal within 48 hours. No commitment required — just a conversation to see if we're a good fit.

Back to Blog

EngineeringJuly 14, 20267 min read

Building a Healthcare Patient Portal: Architecture, Security, and Compliance

What a Patient Portal Actually Needs

A patient portal is not just a website with a login screen. It is a regulated system that handles Protected Health Information (PHI), requires audit logging of every data access, must support secure messaging between patients and providers, and needs to integrate with clinical systems. Done correctly, it dramatically reduces administrative burden and improves patient outcomes. Done incorrectly, it creates compliance liability.

Core Architecture

The stack I use for healthcare portals: Next.js for the frontend, NestJS for the API, PostgreSQL for structured data, and S3 with server-side encryption for documents. All services communicate over TLS. The API runs behind a WAF (Web Application Firewall) that blocks common attack patterns before they reach application code. Infrastructure lives in a HIPAA-eligible environment — AWS or Azure both offer this with a signed BAA.

Authentication and Session Management

Healthcare applications require stronger authentication than typical SaaS. Implement multi-factor authentication as mandatory, not optional. Use short session timeouts (15-30 minutes of inactivity) with explicit re-authentication for sensitive actions like viewing clinical notes or sending messages. Log every authentication event — successful logins, failed attempts, password resets — with timestamp and IP address.

Secure Messaging

Patient-provider messaging must be encrypted at rest and in transit. Store messages in an encrypted database column, not in plain text. Notify providers of new messages via email without including any PHI in the notification — just a link back to the portal. Implement message threading and read receipts. Retain messages for the period required by your jurisdiction's regulations.

Document Management

Patients upload insurance cards, intake forms, and ID documents. Providers upload lab results, imaging, and treatment plans. Store all documents in S3 with server-side encryption using KMS. Generate pre-signed URLs with short expiry (15 minutes) for document access — never expose raw S3 URLs. Run a malware scan on every uploaded file before making it accessible.

Appointment Scheduling

The scheduling system must handle provider availability, appointment types with different durations, recurring appointments, cancellation policies, and automated reminders. Integrate with the provider's existing calendar (Google Calendar or Microsoft 365) to prevent double-booking. Send reminders at 72 hours, 24 hours, and 2 hours before the appointment via the patient's preferred channel.

The Audit Log

Every read, write, and delete operation on PHI must be logged immutably. Store audit logs in a separate database with write-only access from the application. Include: user ID, patient ID, action type, resource accessed, timestamp, and IP address. Retain for six years minimum. Make logs searchable for compliance investigations.

PSI Nest, one of my case study projects, is a full HIPAA-compliant practice management system built with this architecture. Read the case study or reach out to discuss your healthcare project.

HealthcareHIPAASecurityTypeScript