Orion Health Patient Portal
Web

A HIPAA-compliant patient management platform connecting 3M+ patients across 200+ healthcare facilities.

Client: Orion Health
Year: 2024
Duration: 10 months
Key Outcome: 3M+ patients onboarded, 40% reduction in administrative overhead

The Challenge

Healthcare IT is uniquely difficult. You're building for patients who range from digitally fluent millennials to elderly users with limited tech experience. You're navigating HIPAA, state regulations, and facility-specific policies simultaneously. And you're integrating with legacy EHR systems that were never designed for modern API consumption.

Orion Health's previous portal had a 12% patient adoption rate. Our mandate was simple: build something patients actually use.

Research First

Before writing code, we spent four weeks on research:

  • Interviewed 80 patients across age groups and health conditions
  • Shadowed clinical staff at 5 facilities for a combined 40 hours
  • Audited every patient complaint submitted to support in the prior 12 months
  • Reviewed analytics from the existing portal to understand where patients dropped off

The finding: patients didn't use the portal not because they didn't want to — but because they couldn't figure out how. Every critical action was buried 3+ levels deep. The mobile experience was non-functional. Password reset was broken for a significant percentage of email providers.

Architecture Decisions

FHIR-first data model. Rather than build a proprietary data layer, we standardized on HL7 FHIR R4. Every patient record, appointment, and message is a FHIR resource. This made integration with existing EHR systems dramatically simpler and future-proofed the platform for interoperability.

Offline-capable mobile web. Field research showed that 60% of patient portal access happened on mobile devices, often in areas with poor connectivity (waiting rooms, hospital dead zones). We built offline-first using service workers and IndexedDB, so patients could access records and fill forms even without connectivity.

Role-based access at the data layer. HIPAA requires strict access controls. We implemented row-level security in PostgreSQL rather than application-level access control — meaning a compromised API layer still cannot return data to an unauthorized user.
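As an added illustration of the data-layer approach above (example SQL written for this page, not Orion Health's schema; the table, role and setting names are assumptions), this is how a PostgreSQL row-level security policy confines a shared API role to the authenticated patient's rows. The guarantee only holds while the API role cannot bypass RLS and the identity setting is derived from a validated session rather than from client-supplied input.

```sql
-- Assumed schema: one row per FHIR resource, tagged with the owning patient.
CREATE TABLE patient_record (
    id          uuid  PRIMARY KEY,
    patient_id  uuid  NOT NULL,
    resource    jsonb NOT NULL   -- the FHIR R4 resource body
);

-- The API connects as a dedicated role that owns no tables and cannot
-- bypass RLS. Never grant it SUPERUSER or BYPASSRLS: either would turn
-- an API compromise back into a full data-layer compromise.
CREATE ROLE portal_api LOGIN NOBYPASSRLS;
REVOKE ALL ON patient_record FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON patient_record TO portal_api;

-- Enable RLS and FORCE it so even the table owner is subject to policies.
ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;

-- The policy reads the caller's identity from a transaction-scoped setting.
-- NULLIF guards the case where the setting was cleared to '' (an empty
-- string would fail the uuid cast); a NULL comparison denies every row,
-- so a request that forgot to set its identity sees nothing.
CREATE POLICY patient_own_rows ON patient_record
    FOR ALL
    TO portal_api
    USING (patient_id =
           NULLIF(current_setting('portal.patient_id', true), '')::uuid)
    WITH CHECK (patient_id =
           NULLIF(current_setting('portal.patient_id', true), '')::uuid);

-- Per request, after the API has validated the session: SET LOCAL scopes
-- the identity to this transaction, so a pooled connection cannot carry
-- it into the next request. Use set_config(name, value, true) from
-- application code to bind the value as a parameter.
BEGIN;
SET LOCAL portal.patient_id = '00000000-0000-0000-0000-000000000001';  -- placeholder
SELECT id, resource->>'resourceType' AS type
  FROM patient_record;            -- only this patient's rows are visible
COMMIT;

-- Outside a transaction the setting is absent, so the same query
-- returns zero rows for portal_api rather than every patient's data.
SELECT count(*) FROM patient_record;
```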

Results

  • 3.1M patients onboarded in the first 8 months
  • 68% mobile adoption rate (up from 12% for the previous portal)
  • 40% reduction in administrative overhead from automated appointment management
  • 100% HIPAA audit pass on first submission
  • 4.6/5 patient satisfaction score in post-launch surveys