Building HIPAA-Compliant Healthcare Software: Lessons from PSI Nest
The Challenge
PSI Nest started as a straightforward request: build a practice management system for mental health professionals. But healthcare software is never straightforward. HIPAA compliance adds requirements that touch every layer of the stack, from database encryption to audit logging to access controls. Getting it wrong is expensive: civil penalties were capped at $1.5 million per calendar year for each category of violation when the penalty tiers were introduced, and those caps have been indexed for inflation since.
Architecture for Compliance
The stack is NestJS with TypeScript on the backend, React on the frontend, and Neon DB (PostgreSQL) for storage. We deployed on Coolify, a self-hosted platform that gives us full control over the infrastructure. That control matters for HIPAA because you need a signed Business Associate Agreement (BAA) with every vendor that touches PHI (Protected Health Information). Self-hosting shrinks that list, but it does not empty it: the managed Postgres provider and the hosting provider underneath Coolify still handle PHI and still need a BAA.
Encryption at Every Layer
All data is encrypted at rest with AES-256 at the database layer, and all data in transit uses TLS 1.3. That is the baseline, not the finish line. HIPAA lists encryption as an addressable safeguard and prescribes no algorithm, and storage-level encryption only protects against someone walking off with the disks: anyone holding database credentials, or exploiting a SQL injection, reads plaintext. So the most sensitive PHI fields, patient names, diagnoses, and treatment notes, are additionally encrypted in the application with rotating keys. Two details make that work in practice: use an authenticated mode (AES-GCM rather than bare CBC) so tampered ciphertext is rejected instead of decrypted to garbage, and tag each ciphertext with the key version that produced it so rotation is a background re-encryption job rather than a flag day. Even with full database access, those columns are unreadable without the application keys.
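The following is an added example of the field-level scheme described above, written for this page and not taken from PSI Nest's code base. It uses Node's built-in crypto module with AES-256-GCM, keeps a key ring indexed by version, binds each ciphertext to its row and column through the GCM additional authenticated data (AAD) so a value cannot be copied into another patient's record, and shows the rotate, re-encrypt, retire sequence. The key ring, the `demoKey` derivation, the token format and the column label `patients.diagnosis:<id>` are all assumptions made for the example; production keys would come from a KMS or secrets manager.

```typescript
// Added example (not PSI Nest's code): field-level encryption with a versioned,
// rotatable key ring. AES-256-GCM gives confidentiality plus integrity, and the
// AAD binds each ciphertext to the row and column it was written for.
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

interface KeyRing {
  current: number;            // version used for new encryptions
  keys: Map<number, Buffer>;  // every version still allowed to decrypt
}

// Hypothetical demo keys, derived from a fixed label so the example is
// reproducible. Production keys come from a KMS or secrets manager, never code.
function demoKey(label: string): Buffer {
  return createHash("sha256").update(`psi-nest-demo-key:${label}`).digest();
}

function makeRing(): KeyRing {
  return { current: 1, keys: new Map<number, Buffer>([[1, demoKey("v1")]]) };
}

// Stored column format: v<version>.<iv>.<tag>.<ciphertext>, each part base64.
function encryptField(plaintext: string, ring: KeyRing, aad: string): string {
  const key = ring.keys.get(ring.current);
  if (!key) throw new Error(`current key version ${ring.current} missing from ring`);
  const iv = randomBytes(12);                 // 96-bit GCM nonce, fresh per encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));    // e.g. "patients.diagnosis:42"
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const b64 = (b: Buffer) => b.toString("base64");
  return `v${ring.current}.${b64(iv)}.${b64(cipher.getAuthTag())}.${b64(ct)}`;
}

function keyVersionOf(token: string): number {
  const m = /^v(\d+)\./.exec(token);
  if (!m) throw new Error("malformed ciphertext token");
  return Number(m[1]);
}

function decryptField(token: string, ring: KeyRing, aad: string): string {
  const [v, iv, tag, ct] = token.split(".");
  if (!v || !iv || !tag || !ct) throw new Error("malformed ciphertext token");
  const key = ring.keys.get(keyVersionOf(token));
  if (!key) throw new Error(`key version ${v} is retired; re-encrypt rows before retiring keys`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64"));
  // final() throws when the tag fails: wrong key, modified ciphertext, or a
  // ciphertext moved to a different row/column (AAD mismatch).
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// Rotation: add the new key and make it current; the old key stays for decryption.
function rotateKey(ring: KeyRing, newKey: Buffer): number {
  const version = Math.max(...Array.from(ring.keys.keys())) + 1;
  ring.keys.set(version, newKey);
  ring.current = version;
  return version;
}

// Background job step: move one stored value onto the current key.
function reencryptField(token: string, ring: KeyRing, aad: string): string {
  if (keyVersionOf(token) === ring.current) return token;
  return encryptField(decryptField(token, ring, aad), ring, aad);
}

// Only once every row has been re-encrypted may an old version be dropped.
function retireKey(ring: KeyRing, version: number): void {
  if (version === ring.current) throw new Error("cannot retire the current key");
  ring.keys.delete(version);
}
```

The AAD is the detail most implementations skip: without it an attacker with write access to the database can swap one patient's encrypted diagnosis into another patient's row and the application will happily decrypt it. With the row and column bound into the tag, that swap fails authentication. Retiring a key before every row has been re-encrypted turns the affected columns into permanent ciphertext, which is why `retireKey` is the last step and never automatic.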
Access Controls and RBAC
We implemented role-based access control with four roles: practice owner, clinician, front desk, and billing. Each role has granular permissions, and anything not explicitly granted is denied. A front desk staff member can view appointment schedules but cannot access clinical notes. A billing staff member can see procedure codes but not treatment details. Every permission check happens server-side, never in the client; the UI may hide a button for usability, but only the API decides.
Audit Logging
HIPAA requires a record of who accessed what PHI and when (the Security Rule's audit controls standard). We built an append-only audit log that captures every read, write, and delete operation on PHI. Denied attempts belong in that log as well, since a refused access is often the first visible sign of a misused account. The logs are stored in a separate database to which the application has write-only (insert) access, so a compromised application server can add entries but cannot alter or remove earlier ones. Each entry records the user, timestamp, action, resource, and source IP address. The logs are retained for six years, matching the Security Rule's documentation retention period (45 CFR §164.316).
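The access-control and audit-logging sections above describe the same request path from two sides, so here is one added example covering both: a server-side mediator that checks a deny-by-default role matrix and records every decision, allowed or denied, as a hash-chained audit entry. This is example code written for this page, not PSI Nest's implementation. The permission matrix is a hypothetical one modelled on the four roles and the two exclusions the text names, the in-memory array stands in for the separate insert-only audit database, and the SHA-256 hash chain is an added technique (not stated on the page) that makes any later edit, deletion or reordering of entries detectable.

```typescript
// Added example (not PSI Nest's code): deny-by-default RBAC plus a tamper-evident
// audit trail for every PHI access decision. The array stands in for the
// separate, insert-only audit store described in the text.
import { createHash } from "node:crypto";

type Role = "practice_owner" | "clinician" | "front_desk" | "billing";
type Action = "read" | "write" | "delete";
type Resource = "appointment" | "clinical_note" | "procedure_code" | "invoice";

// Hypothetical permission matrix built from the roles in the text.
// Anything not listed is denied.
const PERMISSIONS: Record<Role, Partial<Record<Resource, readonly Action[]>>> = {
  practice_owner: {
    appointment: ["read", "write", "delete"],
    clinical_note: ["read", "write", "delete"],
    procedure_code: ["read", "write", "delete"],
    invoice: ["read", "write", "delete"],
  },
  clinician: {
    appointment: ["read", "write"],
    clinical_note: ["read", "write"],
    procedure_code: ["read"],
  },
  front_desk: {
    appointment: ["read", "write"],      // schedules, but no clinical notes
  },
  billing: {
    appointment: ["read"],
    procedure_code: ["read", "write"],   // codes, but not treatment details
    invoice: ["read", "write"],
  },
};

function isAllowed(role: Role, action: Action, resource: Resource): boolean {
  return (PERMISSIONS[role][resource] ?? []).includes(action);
}

interface Principal { userId: string; role: Role; ip: string }

interface AuditEntry {
  seq: number;
  ts: string;
  userId: string;
  role: Role;
  action: Action;
  resource: Resource;
  resourceId: string;
  ip: string;
  outcome: "allowed" | "denied";
  prevHash: string;  // hash of the previous entry, "" for the first
  hash: string;      // sha256 over prevHash and this entry's fields
}

// Canonical serialisation (fixed field order) so the hash is reproducible.
function entryHash(e: Omit<AuditEntry, "hash">): string {
  const body = JSON.stringify([e.seq, e.ts, e.userId, e.role, e.action,
    e.resource, e.resourceId, e.ip, e.outcome, e.prevHash]);
  return createHash("sha256").update(body).digest("hex");
}

class AuditLog {
  private readonly entries: AuditEntry[] = [];

  append(fields: Omit<AuditEntry, "seq" | "prevHash" | "hash">): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const unsigned = { ...fields, seq: this.entries.length + 1, prevHash: prev ? prev.hash : "" };
    const entry: AuditEntry = { ...unsigned, hash: entryHash(unsigned) };
    this.entries.push(entry);
    return entry;
  }

  // Copies, so a reader (or a test) cannot mutate the log through the snapshot.
  snapshot(): AuditEntry[] {
    return this.entries.map((e) => ({ ...e }));
  }
}

// Recompute the chain; an edited, removed or reordered entry breaks it.
function verifyChain(entries: readonly AuditEntry[]): boolean {
  let prevHash = "";
  for (let i = 0; i < entries.length; i++) {
    const { hash, ...rest } = entries[i];
    if (rest.seq !== i + 1 || rest.prevHash !== prevHash) return false;
    if (entryHash(rest) !== hash) return false;
    prevHash = hash;
  }
  return true;
}

interface Decision { allowed: boolean; entry: AuditEntry }

// Every PHI access on the server passes through here; the controller maps
// allowed=false to HTTP 403. The denied attempt is recorded just the same.
function accessPhi(who: Principal, action: Action, resource: Resource, resourceId: string,
                   log: AuditLog, now: () => Date = () => new Date()): Decision {
  const allowed = isAllowed(who.role, action, resource);
  const entry = log.append({
    ts: now().toISOString(), userId: who.userId, role: who.role, action, resource,
    resourceId, ip: who.ip, outcome: allowed ? "allowed" : "denied",
  });
  return { allowed, entry };
}
```

Two design points carry over to a real deployment. First, the permission matrix lives on the server and is consulted for every request, so a modified React bundle cannot grant itself anything. Second, `verifyChain` is only useful if something outside the application periodically runs it against the audit store, or if the latest hash is anchored somewhere the application cannot write (a daily digest mailed to the compliance officer is enough for a small practice); an attacker who can rewrite the whole chain from the tampered entry onward would otherwise go unnoticed.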
Clinical Workflow Design
Beyond compliance, the system needed to actually improve clinical workflows. We built an appointment scheduler with automated reminders, a patient portal for intake forms and secure messaging, a clinical notes system with templates for common assessment types, and an integrated billing module that generates CMS-1500 claims.
The key insight was involving clinicians in every design decision. Software that is technically compliant but hard to use will be worked around, and workarounds create security gaps.
Results
PSI Nest launched in 12 weeks and passed an independent HIPAA security assessment. The practice reduced administrative time by 40% and eliminated paper-based processes entirely. Patient satisfaction improved because intake and scheduling moved online.
Healthcare software requires a different mindset than typical web development. Security is not a feature; it is the foundation everything else builds on. Have a healthcare project? Let us talk.
Hire me for similar projects
Looking for a developer who can build what you just read about? Let's talk.
Get in Touch