HIPAA-compliant patient portal rebuilt for 200k users
Replacing a portal so frustrating that patients were calling the front desk instead of using it.
Session abandonment was 38% — most users gave up before seeing their test results. PHI sat in a mix of encrypted and unencrypted columns, audit logs were incomplete, and four medium-severity pen test findings had gone unresolved for a year. A new state audit cycle forced action.
Six weeks embedded with compliance and clinical IT before any design work. The core UX problem was a 9-step verification flow on every login. We moved to device-bound trusted sessions with step-up verification only for sensitive actions, migrated PHI to field-level encrypted columns, and ran three staged pen tests during development rather than at the end.
Abandonment dropped from 38% to 9%. Both post-launch audits closed with zero critical findings. Front-desk call volume for tasks the portal could handle fell 31% in the first quarter.

I've been through three portal migrations in my career. This is the first one where compliance wasn't bolted on at the end — it shaped every decision from day one.