Carter Med
Strategy brief · Pilot: United States

The patient walks in.
The record is already there.

Carter Med is an offline-first, FHIR-native EHR designed so any participating provider — first across the U.S., then globally — can securely access and contribute to a patient's record, even when the internet is flaky, metered, or gone.

See the marquee journeyJump to open decisions
Offline-first
Local SQLite + delta sync. The clinic keeps working when the internet doesn't.
Portable by design
FHIR R4 / US Core. TEFCA, Carequality, CommonWell from day one.
HIPAA-grade
Granular consent, audit-by-default, encryption everywhere — including the cached record on a kiosk.
01 · Product vision

One record. Wherever the patient is.

Clinicians collaborating around a connected patient record

Vision

Carter Med is a cloud-connected, offline-first EHR that lets any participating clinician — starting in the U.S. and extending globally — securely access and contribute to a patient's longitudinal record. We don't replace hospital systems; we ride on top of TEFCA, Carequality, CommonWell, and FHIR US Core so the record actually moves.

Non-goals

  • — Not a billing/RCM platform. We integrate; we don't compete with Epic Resolute.
  • — Not a hospital-replacement EHR for large IDNs. MVP targets ambulatory, community, and rural settings.
  • — Not a national HIE. We use the ones that exist.
  • — Not a research/AI data lake. Secondary use comes later, with explicit consent.
Patients

Own and carry their history. Contribute symptoms, vitals, allergies offline.

Clinicians

Credentialed via NPI / state license / DEA. Document encounters, place orders.

Facilities

Edge node keeps the clinic running when the WAN drops.

NGOs / Labs

FHIR endpoints to publish results and consume public-health signals.

02 · Personas

Four users. One record between them.

Each persona is on the critical path of the marquee journey. Anyone we drop, the journey breaks.

Maya · 34 · patient
Maya · 34 · patient
Moves between Atlanta and rural Georgia for seasonal work
Today

Re-tells her asthma history at every new clinic. Carries paper printouts that get lost.

With Carter Med

Carries a QR card. New clinics see her meds and allergies before she sits down.

Dr. Patel · family medicine
Dr. Patel · family medicine
Two-provider clinic, intermittent fiber, mostly Medicaid panel
Today

Spends 20 min/visit faxing for outside records. Can't trust med lists.

With Carter Med

Pulls a TEFCA record in 3 seconds, charts offline when the line drops.

Community clinic IT lead
Community clinic IT lead
FQHC with 6 sites, no in-house dev team
Today

Epic is too expensive; current system has no portability.

With Carter Med

Deploys an edge node per site, syncs to cloud, integrates one lab feed.

Public health / NGO consumer
Public health / NGO consumer
State immunization registry, disaster response NGOs
Today

Manual CSV exports, weeks of lag, no consent provenance.

With Carter Med

FHIR endpoint with consented, real-time feeds tagged by source.

02 · Marquee journey

An unknown patient. A new clinic. No prior link.

This is the make-or-break flow. If this works, the product works.

  1. 01

    Patient walks in

    No prior connection to this clinic. They present a Carter Med QR card (or just their name + DOB).

  2. 02

    Identity resolved

    Local MPI matches probabilistically on demographics + QR token. If the WAN is up, query QHIN/Carequality for a federated match.

  3. 03

    Record retrieved

    FHIR bundles pulled from the patient's home network or cached on the edge node. Imaging on-demand, text-first.

  4. 04

    Encounter documented

    Clinician charts offline against US Core resources. Orders, problems, meds, allergies — all queued for sync.

  5. 05

    Synced when possible

    Delta sync over CRDT-friendly version vectors. Conflicts surfaced to clinician, never silently overwritten.

  6. 06

    Patient leaves with their record

    QR/wallet updated. Next provider — across town or across a border — can repeat the cycle.

03 · MVP & roadmap

Ruthless scope. One agile team can get the job done.

Every MVP item earns its place by being on the critical path of the marquee journey. Everything else waits.

MVP · 6–9 months
  • Patient PWA
    Account, demographics, allergies, meds, history; QR identity card; offline cache.
  • Clinician PWA
    Encounter note, problems, meds, allergies, orders (lab + Rx); offline-first.
  • FHIR core server
    US Core resources via Medplum or HAPI FHIR — adopt, don't build.
  • Edge clinic node
    Single-tenant local FHIR replica + sync agent (Docker, runs on a $400 mini-PC).
  • MPI + QR identity
    Probabilistic match (demographics) + patient-held UUID token.
  • Provider credentialing
    NPI lookup + state license + DEA verification at onboarding.
  • Consent ledger
    Patient-controlled share grants, default deny, audit trail.
  • TEFCA query stub
    One QHIN integration (treatment purpose) to retrieve external records.
Phase 2+
  • Imaging (DICOMweb viewer, deferred fetch)
  • Lab interface engine (HL7 v2 → FHIR)
  • ePrescribing (Surescripts) — heavy compliance lift
  • openEHR archetype layer for clinical longevity
  • SMS/USSD fallback channel
  • Biometric (fingerprint) identity
  • Multi-region / federated deployment for non-U.S. data residency
  • Secondary-use / population health module

Defense: imaging, ePrescribing, and lab feeds each carry months of integration and compliance work. Including any of them in MVP guarantees we ship none of them well. We pilot read-only on records and basic charting first.

04 · Using the demo

Five roles. One walk-through each.

The demo is wired for every user type. Sign up as each role, see their profile, upload a document, check the calendar, browse their views. Mock data, no PHI.

Patient

Owns the record. Carries it everywhere.
Sign up Open demo
Sign-up flow
  • Verify identity with email + phone OTP (ID.me / Login.gov in prod).
  • Generate a portable QR card + Apple/Google Wallet pass.
  • Grant first consents (treatment, lab, public-health).
Profile page

Demographics, allergies, meds, problem list, immunizations — pulled from every connected source and de-duplicated.

Document uploads

Upload prior records (PDFs, CCDAs, lab images). OCR + FHIR-mapping queued; raw file kept for provenance.

Calendar

Upcoming visits across clinics, lab draws, refills due. Add a visit manually when offline.

Views in this role
Record timelineConsents & sharingDocumentsQR / Wallet card

Clinician

Charts in 3 clicks. Works offline.
Sign up Open demo
Sign-up flow
  • NPI lookup + state license + DEA verification.
  • Attach to a facility (or request one).
  • Choose specialty templates (FM, peds, urgent care).
Profile page

Provider profile (NPI, taxonomy, licenses, DEA) — surfaced to patients before they consent.

Document uploads

Drop in encounter notes, attach scanned forms, sign orders. All resources US Core compliant.

Calendar

Today's panel with offline indicator, CDS alerts inline, room status, and walk-in slots.

Views in this role
Today's panelPatient chartOrders & e-RxCDS HooksSync queue

Facility / IT

Edge nodes, sync health, credentialing.
Sign up Open demo
Sign-up flow
  • Register clinic NPI + tax ID + sites.
  • Provision an edge node per location (one-line installer).
  • Invite clinicians; bulk-import via CSV.
Profile page

Facility profile: addresses, hours, services, accepted insurance, TEFCA participation.

Document uploads

Policies, BAAs, OCR-uploaded credentialing PDFs, lab interface configs.

Calendar

Site-wide schedule grid across providers and rooms; on-call rotations; downtime windows.

Views in this role
Edge node healthSync conflictsCredentialingConnectorsBulk export ($export)

Public health / NGO

Consented signals. Never raw PHI.
Sign up Open demo
Sign-up flow
  • Register agency with NPI / DUNS + jurisdiction.
  • Scope the read: immunizations, ILI, reportable conditions.
  • Sign DUA — automatic consent enforcement.
Profile page

Agency profile + scoped data-use agreement on file, visible to every contributing patient.

Document uploads

Outbreak briefs, DUAs, exported aggregate reports (CSV / FHIR Bundle).

Calendar

Reporting cadence (daily ILI, weekly imms), DUA renewal dates, scheduled exports.

Views in this role
Coverage mapSignal feedReporting endpointsAudit log

Super admin (Carter Med)

Tenants, incidents, networks, billing.
Sign up Open demo
Sign-up flow
  • Invite-only. Hardware key (WebAuthn) required.
  • Role-scoped: support, SRE, compliance, finance.
  • Every action audited; break-glass requires justification.
Profile page

Internal staff profile with role, on-call status, last access, last key rotation.

Document uploads

Tenant contracts, BAAs, SOC2 evidence, post-mortems, key-rotation logs.

Calendar

On-call schedule, release windows, audit reviews, customer business reviews.

Views in this role
Tenants & MRRIncidentsNetwork statusAudit logFeature flags
How to run the full tour
  1. Start as Patient — generate a QR, upload a prior record, grant consent to "Westside Clinic".
  2. Switch to Clinician — scan the same patient, chart an encounter offline, sign an e-Rx.
  3. Switch to Facility — watch the sync queue drain and resolve a merge conflict.
  4. Switch to Public health — see the immunization count tick up under the consented scope.
  5. Switch to Super admin — open the audit log; every step above is there.
Guided journeys
04 · Technical architecture

Offline is the default state.

Built so a clinic with one bar of LTE feels the same as one on fiber — just slower to sync.

┌─────────────────────────────────────────────────────────────────────┐
│  PATIENT DEVICE (PWA)         │   CLINICIAN DEVICE (PWA)            │
│  ─ IndexedDB / SQLite WASM    │   ─ IndexedDB / SQLite WASM         │
│  ─ Service worker, queue      │   ─ Service worker, queue           │
│  ─ Local FHIR cache           │   ─ Local FHIR cache + drafts       │
└────────────┬──────────────────┴──────────────┬──────────────────────┘
             │                                  │
             │  ⇅  Delta sync (CRDT / vector)   │  ⇅  USB / Wi-Fi / WAN
             ▼                                  ▼
        ┌────────────────────────────────────────────┐
        │  CLINIC EDGE NODE  (Docker, $400 mini-PC)  │
        │  ─ Local FHIR replica (HAPI / Medplum)     │
        │  ─ Sync agent, conflict log                │
        │  ─ Cached value sets (SNOMED/LOINC/RxNorm) │
        └────────────────────┬───────────────────────┘
                             │  ⇅  TLS, OAuth2/SMART
                             ▼
        ┌────────────────────────────────────────────┐
        │  CARTER MED CLOUD  (US region · HIPAA)     │
        │  ─ FHIR R4 / US Core (Medplum or HAPI)     │
        │  ─ MPI · Consent ledger · Audit            │
        │  ─ Identity (SMART on FHIR, OIDC)          │
        └──┬───────────────┬──────────────┬──────────┘
           ▼               ▼              ▼
       TEFCA/QHIN     Carequality     CommonWell
       (treatment)    (broker)        (broker)
Sync

Conflict-aware delta sync

Per-resource version vectors with CRDT semantics for append-only resources (observations, notes). Conflicts on mutable resources (problem list, meds) are surfaced to a clinician — never silently merged.

Payload

Text-first, image-last

Bundles gzip + CBOR over the wire. Large binaries (DICOM, PDFs) are referenced, not embedded; fetched on tap. Value sets pre-cached on the edge node.

Degradation

Graceful tiers

Tier 1: rich PWA. Tier 2: stripped low-end Android view. Tier 3: SMS/USSD lookup ("CMED LOOKUP <token>"). Tier 4: physical sneakernet via signed USB bundles.

05 · Interoperability

We ride the rails that already exist.

Building a new national network is a 10-year, $100M project. We aren't doing that. We're using TEFCA.

Standard / networkRoleBuild · adopt · integrate
FHIR R4 + US Core / USCDIPrimary API and data model. Conformance non-negotiable.Adopt
HL7 v2Ingest legacy ADT, ORM, ORU feeds via Mirth or NextGen Connect.Adopt
DICOMwebImaging fetch on-demand; never embedded in encounter bundles.Adopt (Phase 2)
TEFCA / QHINTreatment-purpose record retrieval at national scale.Integrate
Carequality / CommonWellBrokered record location and exchange — most existing EHRs are on these.Integrate
SMART on FHIR + OAuth2/OIDCProvider auth, app launch, scoped access.Adopt
ICD-10-CM / SNOMED CT / LOINC / RxNormCoded terminologies, offline-cached value sets.License + cache
openEHRArchetype-based clinical modeling for long-term semantic stability.Roadmap
ICD-11 · WHO SMART Guidelines · DHIS2Global roadmap. Don't build, federate.Roadmap

Build vs. adopt — the core call

Adopt Medplum as the FHIR backend for the U.S. MVP. It's TypeScript-native, US-Core conformant, MIT-licensed, has SMART on FHIR built in, and a 1-dev team can deploy it Monday. Fall back to HAPI FHIR (Java) if Medplum's hosted constraints conflict with our edge-node story.

Global hook

For Phase 3+, OpenMRS / Bahmni / DHIS2 already own much of the LMIC ground. We federate to them via FHIR rather than recolonize the space. Same MPI token, different backing store.

06 · The hardest problem

Patient identity without a national ID.

The U.S. legally bans a national patient identifier. Probabilistic matching isn't a fallback — it's the design.

A four-layer identity stack

  1. 1 · Patient-held token (QR card or wallet pass)

    A Carter Med UUID signed by our root. Scannable offline. Works on paper. Re-issuable but the prior token is revoked, not orphaned.

  2. 2 · Master Patient Index with probabilistic matching

    Demographics-based (name, DOB, sex, address history, last-4 SSN where consented). Scoring tuned with held-out evaluation set. Match / possible-match / no-match thresholds reviewed by a human queue.

  3. 3 · Optional biometric (Phase 2)

    Fingerprint or face template stored as a hash, never raw. Opt-in only. Disabled by default in jurisdictions that restrict it.

  4. 4 · Federated reconciliation

    When online, query TEFCA/Carequality/CommonWell matching. Reconcile their UUIDs to our patient. Same mechanism extends internationally — swap the broker, keep the token.

Offline match flow

Clinic edge node holds an MPI shard for the region. New patient: scan QR → exact UUID match against shard. No QR: probabilistic match against cached demographics. Unresolved patients get a provisional ID and reconcile upstream on next sync.

Anti-fraud / anti-duplicate

Every encounter signed by a credentialed provider. Token re-issuance requires either prior provider attestation or a step-up identity proof. Duplicate detection runs nightly server-side and proposes merges, never auto-merges.

07 · Security, privacy & compliance

Compliance is an architectural property, not a checklist.

HIPAA, by construction

AES-256 at rest, TLS 1.3 in transit, access-controlled per resource, audit log on every read/write. BAAs with every infra vendor. Breach-notification runbook from day one.

Provider trust chain

Onboarding verifies NPI (NPPES), state medical licensure (state boards / FSMB), and DEA registration for prescribers. Trust is rooted in our CA and travels via signed JWTs when the provider operates outside their home org.

Granular, portable consent

Patient-controlled share grants per data category (e.g., behavioral health, reproductive, HIV) and per recipient. Grants are FHIR Consent resources, portable across networks, and evaluable offline.

Cached-record encryption

Records cached on shared/kiosk devices are encrypted with a key derived from the clinician's session + device attestation. Logging out wipes the cache. Stolen kiosk = useless data.

Data residency hooks now, federation later

Single-region U.S. cloud at MVP, but the API surface assumes a region attribute on every patient. Phase 3 deploys EU and other regional instances; data crosses borders only via consented exchange, not replication.

08 · Build & operate

A plan that ~4 people can survive.

If the ambition exceeds the team, we say so. Here, MVP fits — barely — by aggressively adopting Medplum and deferring lab/imaging/Rx.

Phase 00–2 months · Foundations
  • Stand up Medplum (managed) + GitHub + CI
  • US Core profiles, OAuth2/OIDC, audit log baseline
  • Sign BAA with hosting + email + SMS vendors
  • Hire / contract: clinical informaticist (0.25 FTE)
Acceptance criteria
  • CI pipeline green on main; staging env reachable over HTTPS.
  • US Core IG validator passes on a seeded Patient/Encounter/Observation.
  • Audit log captures every write with actor + resource + IP.
  • BAAs countersigned and stored in the compliance vault.
Sign-off deliverables
  • Architecture decision record (ADR) pack v1.
  • Signed BAA bundle (hosting, email, SMS, error tracking).
  • Staging URL + read-only demo credentials for the client.
  • Phase 0 sign-off form (client + Frenchy PM).
Phase 12–6 months · MVP build
  • Patient + clinician PWA with offline cache
  • MPI v1 (deterministic + simple probabilistic)
  • QR identity card
  • Edge clinic node (Docker)
  • Provider credentialing flow (NPI + license)
Acceptance criteria
  • Clinician can chart a full encounter offline; sync resolves on reconnect with zero data loss in 50-run soak test.
  • MPI matches the seeded test set at ≥ 95% precision / ≥ 90% recall.
  • QR card scans on iOS + Android and resolves the patient in < 2s on the edge node.
  • Credentialing flow blocks unverified NPIs and logs every verification call.
  • Lighthouse PWA score ≥ 90; offline boot from cold cache in < 3s.
Sign-off deliverables
  • MVP build deployed to staging + recorded walkthrough (Loom).
  • Test report: unit, e2e (Playwright), offline soak, MPI accuracy.
  • Updated ADRs + runbook for the edge node installer.
  • Phase 1 acceptance test script — countersigned by client clinical lead.
Phase 26–9 months · Pilot
  • 2–3 pilot clinics (rural / FQHC)
  • TEFCA QHIN integration (read-only treatment query)
  • Consent ledger v1
  • Weekly clinician feedback loop
Acceptance criteria
  • ≥ 2 pilot sites live in production with real (consented) patients.
  • TEFCA treatment query returns a record in < 5s p95 across 100 sampled queries.
  • Consent ledger is append-only, cryptographically signed, and reproducible from event log.
  • Weekly NPS / friction survey collected for 8 consecutive weeks.
  • Zero P1 incidents open at sign-off; P2s have owners + ETAs.
Sign-off deliverables
  • Pilot go-live checklist (signed per site).
  • TEFCA participation letter + QHIN test report.
  • Pilot metrics dashboard (adoption, sync lag, conflicts, satisfaction).
  • Phase 2 sign-off + go/no-go memo for Phase 3.
Phase 39–18 months · Expand
  • Lab interface (one reference lab via HL7 v2)
  • ePrescribing (Surescripts) — heavy compliance lift
  • Imaging (DICOMweb on-demand)
  • Begin EU regional design + openEHR layer
Acceptance criteria
  • Lab orders + results round-trip end-to-end with one reference lab in production.
  • Surescripts certification passed (NewRx, RxRenewal, RxChange, CancelRx).
  • EPCS controls in place: 2-factor signing, audit trail, DEA-compliant identity proofing.
  • DICOMweb viewer renders studies on-demand without bulk pre-fetch.
  • EU/openEHR design doc reviewed by external clinical advisor.
Sign-off deliverables
  • Surescripts certification letter + EPCS audit package.
  • Lab interface spec + go-live report.
  • Imaging viewer demo + on-call runbook.
  • EU expansion brief + Phase 4 proposal.
  • Final source-code handover + IP transfer per Frenchy Digital TOS.

Team shape (assumed)

1.0 FTE
Full-stack engineer (you)
0.5 FTE
Product / clinical lead
0.25 FTE
Clinical informaticist (contract)
0.25 FTE
Compliance / ops

If real team size is smaller, drop edge node and consent UI from MVP and ship hosted-only with a manual consent process. If larger, pull lab integration into Phase 2.

09 · Top 10 risks

What will kill this if we ignore it.

  1. 01
    MPI accuracy

    Mismatched or merged charts are the worst-case clinical event. Mitigation: conservative thresholds, human-in-the-loop merge queue, audit every match.

  2. 02
    TEFCA integration drag

    QHIN onboarding is months and lawyer-heavy. Mitigation: start in Phase 0, treat it as a parallel workstream, ship pilot without it if it slips.

  3. 03
    Offline conflict resolution UX

    CRDTs are easy; clinical merge UX is hard. Mitigation: limit conflicts by making most resources append-only; design merge UI with pilot clinicians.

  4. 04
    Provider credentialing fraud

    An imposter writing notes is catastrophic. Mitigation: NPI + state board + DEA verification at onboarding, signed encounters, periodic re-verification.

  5. 05
    HIPAA breach via kiosk

    Shared devices leak data. Mitigation: session-scoped cache encryption, auto-wipe, device attestation, no PHI in browser localStorage.

  6. 06
    Vendor lock-in to Medplum

    If we adopt Medplum and outgrow it, migration is real work. Mitigation: keep all data in standard FHIR — Medplum's gift is that exit is just an export.

  7. 07
    Clinical liability ambiguity

    Who's responsible when a federated record is wrong? Mitigation: clear provenance on every resource; display source + last-verified date in the chart.

  8. 08
    Team capacity collapse

    One developer leaves and the project halts. Mitigation: adopt over build, document ruthlessly, no bespoke infrastructure.

  9. 09
    Regulatory drift (state-by-state)

    42 CFR Part 2, state reproductive-health laws, minor consent — all vary. Mitigation: consent engine is data-driven, not coded per state.

  10. 10
    Sustainability / business model

    EHRs that don't get paid die. Mitigation: not a tech problem — surface to founders as a Phase 2 decision (per-provider SaaS vs. grant-funded vs. health-system contract).

10 · Open decisions

What only you can decide.

Each comes with my recommendation. You overrule, you don't ask permission.

DECISION 01

Build vs. adopt the FHIR foundation?

My recommendation

Adopt Medplum.

Why

TypeScript, MIT-licensed, US Core conformant, SMART on FHIR built in. A one-dev team cannot also build a FHIR server. HAPI as a fallback if edge-node licensing is awkward.

DECISION 02

Centralized vs. federated data architecture?

My recommendation

Centralized U.S. region for MVP — but assume regional federation in the schema.

Why

Every resource carries a region attribute from day one. We don't deploy EU until we need to, but we never have to retrofit the data model.

DECISION 03

Connect to TEFCA/Carequality/CommonWell from MVP, or run a closed pilot first?

My recommendation

Closed pilot first; TEFCA in parallel.

Why

Pilot proves the offline + chart loop. TEFCA onboarding runs as a 6-month parallel track. We connect when the paperwork lands, not when we're ready to demo.

DECISION 04

MVP user scope — also lab/imaging on day one?

My recommendation

No. Patients + 2–3 pilot clinics only.

Why

Lab and imaging are each a 3-month integration with its own compliance and vendor surface. Ship the chart loop first; integrations come in Phase 3.

DECISION 05

Funding / runway and real team size?

My recommendation

Open question for the founders.

Why

This plan assumes ~4 people / 1 FTE dev for ~9 months to pilot. If runway is shorter, drop the edge node and consent UI. If longer, pull lab forward.

DECISION 06

Biggest load-bearing assumption?

My recommendation

Pilot clinics will tolerate a thin chart in exchange for portability.

Why

If pilot clinicians demand feature parity with Epic before they'll use us, the MVP scope is wrong and we need a different beachhead (free clinics, NGO sites, refugee health) where portability is itself the killer feature.

"The patient walks in. The record is already there."

If we can't deliver that one sentence in the pilot, nothing else matters.

Scope & engagement

What's included, and what it costs to start.

Fixed-fee build with milestone-based delivery. All payment due at publish. Edits during the first month of maintenance are included.

Engagement tiers
Recommended
Hands-on, solo
$80,000
USD · fixed

We run the full build end-to-end. No external dev team to coordinate with, no committee approvals between milestones. Fastest path to publish.

  • Single point of contact
  • Direct decisions with founder
  • Fixed scope from locked SOW
+ Your developer
$90,000
USD · fixed

We build alongside a developer on your team. Adds code reviews, paired sessions, hand-off documentation, and integration overhead.

  • Paired reviews & PR cycles
  • Shared repo conventions
  • Onboarding & handoff docs
+ Dev + stakeholders
$100,000
USD · fixed

We work with your developer and wait on multi-stakeholder sign-off before each milestone advances. Adds meeting load and idle time.

  • Stakeholder approval gates
  • Extended decision cycles
  • Meeting & alignment time
Consulting / oversight
$110,000
USD · 12 months

You build it. We act as embedded consultants — reviewing architecture, auditing code, validating FHIR & security work, and unblocking decisions.

  • Weekly reviews & QA
  • Architecture & security audits
  • 12-month retainer

All tiers follow the same milestone structure below. Fixed-price tiers include 10% monthly maintenance ($8k–$10k/mo) once published, with first-month edits included. The consulting tier is a 12-month retainer paid monthly.

Anchor scope (Tier 1)
$80,000 USD
20% upfrontMilestone-basedDue at publish10% monthly maintenance

$16,000 due at signing. Remaining $64,000 paid against milestones, with full balance due on publish to production. After the domain is live, a 10% monthly maintenance fee ($8,000/mo) begins in month 1 and covers hosting oversight, dependency updates, security patches, and platform support. Edit requests submitted during the first month of maintenance are included at no extra cost.

Onboarding & scope confirmation

Every engagement starts with a short discovery loop. The $80,000 figure is our anchor estimate for the scope on this page — final pricing is confirmed only after these three steps are complete and both sides sign the locked SOW. No build work or upfront invoice until then.

  1. 01
    Onboarding call
    Intro, stakeholder map, working agreements, NDA.
    Week 0
  2. 02
    Discovery & design workshops
    User-journey deep-dive per role, EHR/aggregator decisions, brand & UI direction.
    Week 0–1
  3. 03
    Scope confirmation & pricing lock
    Final SOW, fixed-fee pricing confirmed, signature required before any build work begins.
    End of week 1
Scope of work
  • FHIR-native data model & US Core R4 resources
  • Patient, clinician, facility, public-health & owner dashboards
  • Signup & identity flows (NPI, license, DEA, MFA, WebAuthn)
  • Aggregator connectors (Metriport, Health Gorilla, Particle, Zus)
  • SMART on FHIR & CDS Hooks demo surfaces
  • Consent engine, tamper-evident audit log, Inferno conformance views
  • Labs (HL7 v2 → FHIR), e-Prescribing, X12 eligibility/prior-auth
  • Marketing site, SEO, sitemap, responsive design system
Build milestones (after scope lock)
  • Kickoff & upfront
    Signed SOW (after scope lock)
    $16,000
    20%
  • Design system & dashboard prototypes
    Week 2–3
    $16,000
    20%
  • Core platform & dashboards
    Week 4–7
    $16,000
    20%
  • Integration & trust layer
    Week 8–11
    $16,000
    20%
  • Publish to production
    Launch day
    $16,000
    20%
Payment terms

20% ($16k) upfront after scope is confirmed and SOW is signed. Balance billed by milestone and fully due at publish.

Processing fees

A 3% processing fee is added to all invoices and paid by the client (card, ACH, wire, or platform fees).

3rd-party services

All API, hosting, and SaaS subscriptions (e.g., Metriport, Health Gorilla, AWS, Twilio, Stripe) are provisioned under client-owned accounts for easy handover and direct billing.

Maintenance & revisions

10% of total ($8k/mo) starting month 1 once live. Edits during month 1 included; later change requests scoped separately.

Start the engagementTour the demo
Revisions & change requests (after month 1)

Month 1 of maintenance covers unlimited small edits to the shipped scope so the platform settles cleanly into production. From month 2 onward, ongoing maintenance keeps the lights on; anything that changes what the product does is scoped and billed separately as a change request.

Included in monthly maintenance
  • Bug fixes on shipped, in-scope features
  • Copy, label, and image swaps on existing pages
  • Minor style tweaks (spacing, color, typography within the design system)
  • Dependency updates, security patches, hosting oversight
  • Monitoring, backups, and platform support
  • Up to 2 hours/month of ad-hoc edits to existing flows
Counts as a change request
  • +New pages, dashboards, roles, or user types
  • +New integrations or third-party connectors
  • +Schema / data model changes and migrations
  • +Redesigns, rebrands, or new design components
  • +Compliance or certification work outside the original SOW
  • +Any edit estimated above 2 hours of build time
How requests are submitted

Email or shared tracker. Each request gets a written estimate (scope, hours, fixed price, ETA) within 3 business days.

Pricing

Fixed-price per request, or $175/hr blended rate for ad-hoc work. Pre-paid blocks (10h / 25h / 50h) discounted 5–15%.

Approval & start

Work begins after written approval of the estimate. Urgent (<48h) requests carry a 1.5× rush multiplier when capacity allows.

Unused maintenance hours do not roll over. Pausing or cancelling maintenance is allowed with 30 days' notice; source code and infrastructure handover terms follow the Frenchy Digital Terms of Service.

Who you'd be working with

Built by Frenchy Digital — Hollywood & Paris.

A 49-person mobile & web app studio founded in 2019. 4.8★ on Clutch, 50+ apps and 100+ web platforms shipped across healthcare, wellness, education, and professional associations.

Headquarters

1517 S Bentley Ave, Unit 204
Los Angeles, CA 90025

European hub: Paris, France · North Africa delivery

Team

49 designers & engineers across iOS, Android, React Native, web, and AI integration.

Track record

HIPAA-compliant work for CGSA, ClinicalEdify, National Dental Association, IglowMed, plus Y Combinator startups and Fortune 500 brands.

Your core pod
Chris Machetto
Chris Machetto
Co-Founder & President
Strategy, scope, architecture

Founded Frenchy Digital in 2019. Leads engagement strategy, technical architecture, and stakeholder alignment. Direct point of contact for the $80k tier.

Yasmine Benmaiza
Yasmine Benmaiza
Head of User Experience
UX, delivery, design system

Co-founder. Runs UX research, design systems, and delivery quality across LA and Paris. Oversees milestone reviews and acceptance.

Theo V. / Michael K. / Rachel
Theo V. / Michael K. / Rachel
Project Manager (one assigned)
Day-to-day, sprints, async standups

Your dedicated PM keeps sprints on rails — agendas, recaps, design reviews, QA passes, and the weekly status note. One PM, named at kickoff.

On the $80k tier you work directly with Chris and a dedicated PM. Yasmine signs off on contracts, billing, and delivery. Engineers and designers are pulled from the 49-person bench as the milestone requires — no offshore handoffs.

Meeting cadence — Tier 1 ($80,000)

A live call rhythm by phase, plus daily async. Every call has an agenda 24h in advance and a written recap within 24h after.

  • Onboarding & scope lock
    Two 60-min discovery workshops + one 30-min stakeholder sync. Daily async on Slack/Loom. Ends with signed SOW.
    3× / weekWeek 0–1
  • Design system & prototypes
    Monday kickoff (45 min) + Thursday design review (60 min). Figma walkthroughs recorded. Async feedback in under 24h.
    2× / weekWeek 2–3
  • Core build & dashboards
    Monday sprint planning (30 min) + Friday demo (45 min). Daily Loom standups from the PM. Milestone sign-off at end of week 7.
    2× / week + daily asyncWeek 4–7
  • Integration & trust layer
    Mid-week integration review + Friday demo. Security & FHIR conformance walkthroughs at week 10 and 11.
    2× / weekWeek 8–11
  • Publish & handoff
    Pre-launch checklist call, publish day war-room, post-launch retro. First-month maintenance edits start immediately after.
    Daily during launch weekWeek 12
Contract signing
  1. 01Discovery loop completes (week 0–1). Scope, deliverables, and milestones locked in writing.
  2. 02SOW + Master Services Agreement issued, referencing the Frenchy Digital Terms & Conditions (effective Jan 1, 2024, last updated Dec 17, 2025).
  3. 03Both sides sign digitally. The 20% upfront invoice ($16,000) is issued only after signature.
  4. 04Per the Terms, payment by any method (wire, ACH, card) constitutes full acceptance of the Agreement. No oral modifications — changes go through written amendment signed by an authorized officer.

Governing law: California. Mandatory arbitration on an individual basis applies to disputes (per §2 and §15 of the Terms).

Source code & IP delivery

Per §3.3 of the Frenchy Digital Terms, on full payment you receive a limited, non-exclusive, non-transferable, revocable license to the Developed IP for your internal business purposes as scoped in the SOW.

  • At each milestone: code is pushed to a private GitHub repo you have read access to from day one.
  • At publish (final 20% paid): repo ownership transferred to your GitHub org, environment variables and credentials handed over, deployment runbook delivered.
  • What's included in the license: all custom application code, design files, FHIR mappings, and documentation produced under the SOW.
  • What stays with Frenchy: internal frameworks, reusable libraries, methodologies, and the Frenchy Brand Assets (§4).

Source code is not released before the final invoice clears. Reverse engineering of Frenchy's internal tooling is prohibited under §3.2. Full Terms: frenchydigital.com/terms-and-conditions.