Your Product Touches Sensitive Data in a Regulated Environment
That changes everything – the architecture decisions, the integration patterns, the timeline to market. If you’re a health tech startup or vendor that needs senior technical guidance without a full-time headcount, I can help.
Every engagement starts with your situation: what’s blocking you, what’s at risk, and what a good outcome looks like.
Zero to One
Some engagements start before there’s a spec – just a problem worth solving and a deadline that matters. I’ve taken projects from a whiteboard conversation to a deployed product delivering real value, and I know how to build just enough, in the right way, to find out if the idea works. That means opinionated decisions about what to defer, what to get right from the start, and how to keep the path open for what comes next.
Whether you’re a founder validating a product idea or an established team spinning up a new line of business, I’ve done this in regulated environments where the architecture has to survive compliance pressure from day one, not just the first sprint.
Integrations That Actually Work
If your product sits between organizations, you already know integration is where things get complicated. Different systems, different data models, different assumptions on each side – and the documentation rarely tells the full story.
I’ve spent over a decade building integrations across organizational boundaries in healthcare: HL7v2 feeds that need to work across dozens of health systems with different implementations, FHIR APIs where the spec and reality don’t quite match, X12 transactions where the edge cases live in the companion guides nobody reads. I understand the standards, but more importantly I understand the real-world workflows behind them. That’s usually where integration work succeeds or fails.
Compliance and Velocity
It’s 2am. Production is down. Your on-call engineer has traced the issue to a patient record workflow and needs to pull logs to understand what happened. The logs contain PHI. Getting into them requires either waiting for InfoSec to scrub them, or paging the on-call InfoSec engineer to grant temporary access.
Nobody broke the rules. The process is doing exactly what it was designed to do. The problem is that manual processes were the only tool available, because the system was never built to answer the question “who should see this, and under what conditions” any other way.
That’s the bolt-on tax. It compounds over time and shows up in the places you can least afford it – incidents, audits, onboarding new health system customers who need to see evidence before they’ll sign.
Whether it’s HITRUST, SOC 2, or HIPAA, I help you treat security and compliance as product features from day one. Controls that are structural properties of the system, not compensating procedures. Audit logging that reflects how the system actually works. Access patterns that are designed, not improvised. When the assessor shows up, it should feel like a formality, not a fire drill.
Performance at Scale
Sometimes the roadmap is fine but the system isn’t keeping up. Query times creeping, throughput stalling, infrastructure costs outpacing growth. Performance and scalability problems have their own discipline, and they’re different from feature work.
I’ve diagnosed and resolved bottlenecks at the database, application, and infrastructure level in production environments where the fix has to land without taking things down. In regulated environments that means the solution also has to hold up under audit – no shortcuts that create new exposure while solving the performance problem.
Thoughtful AI Integration
I think about AI tooling at two levels: how to make developers faster without making the codebase harder to maintain, and how to give users capabilities that feel genuinely powerful rather than gimmicky.
That means being selective about where a language model actually belongs in the product, and designing workflows that sharpen the human’s judgment rather than bypass it. In a regulated environment, that discipline isn’t optional. AI features that touch sensitive data carry the same compliance obligations as everything else, and the audit trail has to reflect what the system actually did.
Not Sure Where to Start?
That’s fine. Most engagements begin with a conversation, not a contract. Tell me what you’re dealing with and I’ll let you know if I can help.