Industry
HIPAA-aligned, FHIR-fluent software, AI, and platform engineering for hospitals, payers, life sciences, and digital-health companies. Senior engineers who have shipped to clinical production — not generalists with a healthcare deck.
The landscape
The reality of clinical engineering: every feature crosses HIPAA, every release touches an EHR integration, every model decision lands in a clinician's workflow, and every audit asks for evidence you produced two quarters ago. Buyers don't want a generic SaaS shop with a healthcare slide — they want engineers who know that PHI minimum-necessary, audit logging granularity, and FHIR resource shaping are first-class concerns, not a procurement checklist to satisfy.
Prosigns has shipped to hospital systems, payers, digital-health companies, and life-sciences firms across the U.S. and Middle East. We design for evidence collection, audit-defensibility, and clinician workflow on day one. Our CITADEL (security/compliance) department co-pilots every engagement with the practice lead — so HIPAA, FHIR, audit logs, and ePHI boundaries are built in, not retrofitted before the security review.
Where we ship
Specific applications we’ve built and operated for healthcare & life sciences buyers. Every example below is grounded in a real shipped engagement.
240+
clinics deployed
Custom EHR-adjacent applications that surface the right data at the right time — for clinicians, care managers, schedulers, and operations. SMART-on-FHIR launches, role-aware dashboards, and write-back when policy permits.
12M
resources synced
Bidirectional EHR integrations (Epic, Cerner, Athena, Meditech) via FHIR R4, HL7 v2, and CCDA. Resource shaping, terminology mapping, and consent-aware data flows.
$4.2M
annual labor savings
Retrieval-augmented generation over clinical guidelines, formularies, and patient context — with citation tracking, refusal patterns for out-of-scope queries, and full audit lineage.
94%
sensitivity at threshold
Detection, segmentation, and triage models for radiology, pathology, and ophthalmology. DICOM pipelines, FDA SaMD-aware design, on-prem and edge deployment options.
+38%
appointment compliance
Patient-facing apps and portals for scheduling, messaging, intake, results, and education. WCAG 2.2 AA, multilingual, EHR-tethered, and consent-aware.
−47%
claims rework
Claims processing, eligibility verification, prior-authorization automation, and contract analytics. ML extraction across structured and unstructured payer documents.
How we engage
Each phase has a deliverable, an owner, and an acceptance criterion specific to healthcare & life sciences delivery.
We start with the data — what PHI flows through the system, who needs it, what minimum-necessary means for each role, and where the consent boundaries are. The output is a privacy threat model and a data-flow diagram that becomes the spine of the architecture review.
HIPAA Security Rule controls mapped to architectural components. Audit log granularity defined before the first commit. ePHI encryption boundaries, key management, BAA-covered subprocessor selection, and data-residency posture all decided up front.
Senior engineers from CORTEX (AI/ML), FORGE (custom software), or NEXUS (cloud) — paired with CITADEL (security) — ship in two-week increments with continuous evaluation against ground-truth datasets and clinician acceptance testing.
Production operations include SLA-backed on-call, quarterly access reviews, monthly evidence collection for SOC 2 / HIPAA / state-level audits, and incident-response drills. Hand off with runbooks or stay on as Managed Services.
Practices in healthcare & life sciences
The capabilities below are scoped to the constraints healthcare & life sciences procurement actually enforces — compliance, audit, data residency, and vendor risk.
Generative AI, agents, computer vision, predictive analytics, and MLOps — engineered for production.
In Healthcare & Life Sciences
RAG over clinical content, medical-imaging models, predictive readmission and revenue cycle — with clinician-in-the-loop checkpoints, citation tracking, and FDA SaMD-aware design where applicable.
SaaS, enterprise applications, legacy modernization, integrations, and mobile.
In Healthcare & Life Sciences
EHR-adjacent platforms, SMART-on-FHIR apps, and patient portals — engineered against HIPAA, audit logging, and clinician workflow constraints, not bolted on.
Cloud architecture, DevOps, SRE, migrations, data engineering.
In Healthcare & Life Sciences
HIPAA-aligned AWS / Azure / GCP architectures with BAA-covered services, encrypted ePHI boundaries, and IaC-backed evidence collection for SOC 2 and HITRUST CSF.
Test automation, performance, accessibility, application security, secure SDLC.
In Healthcare & Life Sciences
Continuous penetration testing, clinical-grade QA (functional + accessibility + security), and ePHI-aware automated test data — with audit reports that pass payer security reviews.
Selected work
$4.2M
annual labor savingsFHIR-aligned retrieval over 12M clinical documents. SOC 2-aligned audit logs, ePHI encryption, citation tracking on every answer, and refusal patterns for out-of-scope queries.
11 months
+38%
appointment complianceSMART-on-FHIR launches into Epic, role-aware patient dashboards, multilingual messaging, and a consent-aware intake flow. Migrated from a legacy portal under a phased strangler-fig rollout.
8 months
Common questions
Yes on both. Our HIPAA program covers administrative, physical, and technical safeguards, with documented risk analysis and incident response. We sign Business Associate Agreements with covered entities and downstream partners, and we maintain a current subprocessor list that is BAA-covered end to end. Audit pack (HIPAA risk analysis summary, incident response plan, training records) available under NDA.
Epic (App Orchard, SMART-on-FHIR launches, Hyperspace contexts), Cerner / Oracle Health, Athena, Meditech, and NextGen, plus FHIR R4 across the major cloud-hosted EHRs. We also integrate with HL7 v2 messaging gateways for legacy interfaces, CCDA exchange for transitions of care, and standard imaging stacks (DICOM, IHE). Where the EHR doesn't expose what's needed, we build secure, audit-logged extensions inside the customer's control plane — not unmonitored screen-scrapers.
Three boundaries. First, vendor selection — we use BAA-covered model endpoints (AWS Bedrock, Azure OpenAI under HIPAA-eligible accounts) or self-hosted models when sovereignty requires it; we don't send ePHI to non-covered providers. Second, system design — minimum-necessary at the prompt boundary, structured redaction of identifiers where the workload allows, and citation/refusal patterns that prevent confident-but-wrong outputs. Third, audit — every clinical AI interaction is logged with input/output, retrieved citations, model version, and user identity, retained per the customer's record schedule.
Yes — for FDA-regulated workflows we follow the IEC 62304 software lifecycle, the predetermined change control plan framework where applicable, and 21 CFR Part 11 electronic record / signature controls for life-sciences eClinical workloads. Our typical engagement involves co-piloting with the customer's regulatory affairs team rather than acting as the IFU/labeling owner; we deliver the engineering, traceability, and validation evidence the customer's submission package requires.
Both. Cloud is the default (AWS, Azure, GCP — under BAAs and HIPAA-eligible service catalogs), but we ship on-prem and hybrid for hospitals with data-sovereignty constraints, government health agencies, and academic medical centers. Self-hosted LLMs (vLLM, TGI), private vector stores, and on-prem imaging pipelines are all in the playbook.
SOC 2 Type II is in flight. We engineer to HITRUST CSF mappings on engagements that require it, and we collect evidence continuously rather than scrambling at audit time. State-level requirements (Texas HB 300, California CMIA, New York SHIELD) are layered into the privacy threat model during the discovery phase. Our compliance posture is published in the Trust Center and available under NDA for procurement.
Discovery and risk modeling (4–6 weeks, $50K–$150K) followed by a focused production build (3–6 months, $250K–$1M) with an ongoing managed-services tail for operations. Department-led: a senior engineer plus the practice lead and a CITADEL (compliance) co-pilot are on every engagement. Most clients begin with a single use case and expand once the trust and operating cadence are proven.
Talk to us
A senior engineer plus the relevant department lead joins the first call. No discovery gauntlet, no junior reps.
