An outpatient physical therapy group had grown through acquisition to nine locations — and inherited three different EHR systems along the way, none of which talked to each other. Referrals moved by fax. Appointment reminders went out over personal staff phones. We built a HIPAA-compliant patient portal that unified all nine locations without a single write-back to any of the three legacy EHRs still running the clinics day to day.
Three legacy EHRs, still in active clinical use, none with a modern API. We built the compliance layer first — then the patient experience on top of it.
The client operates nine outpatient physical therapy clinics, three of which joined the group through acquisitions in the past few years. Each acquired clinic came with its own electronic health record system already in place, and none of the three had a modern API or any straightforward way to integrate with the others. From a clinical standpoint, staff at each location could do their job. From an operational standpoint, a patient who had visited two different clinics — which happened often, since patients relocated or were referred between locations — had two separate, disconnected records that no one on staff could see side by side.
The bigger problem was patient-facing communication. Referral documents from outside physicians arrived by fax or unsecured email and were manually re-entered into whichever EHR the receiving clinic used. Appointment reminders were sent by front-desk staff texting patients from personal or shared clinic phones — a real and ongoing HIPAA exposure that leadership knew about but had no immediate alternative to. There was no patient-facing portal at all; every request, from rescheduling an appointment to asking a billing question, went through a phone call.
Any new system had to meet full HIPAA requirements — encryption at rest and in transit, role-based access control, complete audit logging of every access to protected health information, and signed Business Associate Agreements with every vendor touching patient data
Three legacy EHR systems, none with modern APIs, none that could be replaced without risking continuity of care during an active clinical operation
Clinical and front-desk staff needed a system usable with minimal training — many had years of experience with paper and phone-based workflows and limited comfort with new software
Zero tolerance for downtime affecting patient scheduling or access to clinical records
Data retention and handling rules varied slightly across the states the nine clinics operated in, meaning a single hard-coded policy wouldn't hold up everywhere
The natural temptation in a project like this is to treat compliance as a checklist applied at the end — build the portal, then have a security review bolt on encryption and access logs before launch. That approach tends to produce systems where compliance and functionality fight each other, because decisions made early — how patient records are keyed, how access is granted, how data moves between systems — are hard to unwind later without a rebuild. We took the opposite approach here: the audit logging, access control, and data-handling architecture were the first things we designed, before a single patient-facing screen was built.
We split the build into two parallel workstreams — one that connected to the existing clinical systems without disturbing them, and one that gave patients and staff a new, secure way to interact with the practice.
Built a read-only integration layer against each of the three legacy EHRs, using each system's available export or reporting mechanism rather than attempting a direct database connection
Patient demographic and appointment data syncs from each EHR into a unified, canonical patient record on a defined schedule, with real-time sync for appointment changes
No data ever writes back into the legacy EHRs — clinical staff continue documenting care exactly where they always have, with zero disruption to systems still handling active patient treatment
A patient matching process reconciles records for anyone who has visited more than one of the nine locations, so staff at any clinic can see a full, unified visit history
Every sync event is logged with a timestamp and source system, satisfying the audit trail requirement without touching the source EHRs' own logs
Secure patient login replaces phone-only access — patients can now view upcoming appointments, request reschedules, and message the clinic directly
Referral intake moved from fax and email to a secure document upload tied to the patient's unified record, cutting out manual re-entry at the receiving clinic
Secure, HIPAA-compliant messaging (via a Twilio integration covered under a signed BAA) replaced the practice of front-desk staff texting patients from personal phones
Role-based access control gives front-desk staff, clinicians, and billing staff each their own view of exactly the data they need — nothing more, satisfying HIPAA's minimum-necessary-access standard
Every single access to a patient's protected health information — who viewed it, when, and from which clinic — is written to an immutable audit log from day one
🏥 Unified, HIPAA-compliant patient record model — reads from all three legacy EHRs through the read-only bridge, layered with the new patient portal and secure messaging on top. All three legacy EHR systems: completely untouched, still running active clinical documentation.
We deployed the EHR bridge first and let it run silently for six weeks, validating that every patient record matched correctly across the three source systems before a single staff member touched the new portal. Only after that data was proven accurate did we open the portal to staff, clinic by clinic, starting with the location that had the simplest, single-EHR setup and finishing with the three most recently acquired clinics — the ones with the most fragmented historical data and the most to gain from the fix.
Most healthcare software projects start with the patient experience — the scheduling screen, the messaging inbox, the features leadership actually wants to show off — and treat HIPAA compliance as something a security consultant reviews before launch. When the compliance review happens at the end, it routinely forces late, expensive redesigns of decisions made months earlier, because how a patient record is structured determines what access control and audit logging are even possible to add later.
The decision that shaped this project was inverting that order. We designed the canonical patient record, the access control model, and the audit logging architecture first — before any screen existed for a patient or a front-desk staff member to look at. Every feature built afterward, from secure messaging to referral uploads, was built on top of a foundation that was already compliant, rather than retrofitted to become compliant. That is also what made the read-only EHR bridge possible without risk: because the data model was designed for compliance and auditability from day one, adding three more data sources to it was a matter of mapping fields, not redesigning the system.
HIPAA architecture decisions made in week one determine what's possible in month twelve.
This applies to any healthcare organization building patient-facing software, particularly groups that have grown through acquisition and inherited multiple legacy clinical systems. A read-only integration bridge lets you unify patient data across incompatible EHRs without the risk of touching systems still handling active care — and building the compliance layer before the feature set means you're never retrofitting security onto a system that wasn't designed for it.
Referral turnaround — from an outside physician's document arriving to a patient being scheduled — dropped from an average of three days under the fax-and-re-entry process to same-day scheduling at every clinic. Secure messaging fully replaced the practice of staff texting patients from personal phones, closing a compliance exposure leadership had flagged as a standing risk for over a year. In the months since launch, the practice has undergone one internal compliance audit covering the new portal, with zero findings related to access control, encryption, or audit logging.
Scheduling, referral intake, and patient messaging across all 9 clinics
Unified visit history for patients seen at more than one location
Full audit log of every access to protected health information
We build HIPAA-compliant portals designed around your existing clinical systems — not against them.