Alma
999 commits in HIPAA production across reassessments, compliance, audit integrations, and document workflows.
Long-running, failure-sensitive backend ownership in a regulated environment: reassessment logic, audit integrations, Datadog observability, Celery workflows, and RBAC document management — all shipped without breaking production.
What the work actually demanded
Alma is where the portfolio proves I can operate under healthcare constraints, not just prototype around them. The work covered automated reassessment logic, serializer churn for evolving compliance requirements, document pipelines, and third-party audit integrations.
The constant here was operational care: feature flags, multi-PR rollout strategy, reversible migrations, and background jobs designed to survive large backfills and token-expiring external APIs.
feature areas shipped
automated_reassessments → 72% adoption
compliant_progress_notes → HIPAA-safe workflows
brellium_audit_integration → third-party audit hooks
rbac_document_management → permission-scoped docs
celery_reminders → async therapist comms
datadog_observability → 20% fewer prod errors
serializer_evolution → evolving compliance reqs
over 999 commits · 2.7 years · operational ownership
The system had to stay boring in the right ways
Clinical backend architecture
Django and DRF for request surfaces, Celery for asynchronous work, PostgreSQL and S3 for durable data, and Brellium for external audit flows.
The seven areas that mattered
- Automated clinical reassessments with backfills, cadence logic, family-based assessment rules, and batch enrollment flows.
- Compliant progress notes and PDF generation where serializer shape and audit requirements kept evolving.
- Brellium audit integration with retries, re-authentication, and production-ready API handling.
- Appointment document management with RBAC and S3-backed lifecycle rules.
- Provider consent rollout decomposed into multiple safe PRs instead of one risky launch.
- Session feedback and reminder systems tied back into the reassessment engine.
- Audit-protection infrastructure for appointment-level compliance state.
Why the implementation choices mattered
In a HIPAA environment, velocity is not the same thing as rush. The engineering challenge is to ship continuously while keeping the failure modes controlled and the audit trail legible.
That kind of work rarely produces a glamorous demo, but it does produce trust. That is the real artifact here.
- Celery handled backfills, reminders, and long-running work that should never block a request.
- Feature flags let production code land safely before provider-facing rollout.
- Multi-PR decomposition kept a sensitive consent feature reviewable and reversible.
The work that holds when the system cannot break.
Long-running, failure-sensitive backend ownership in a regulated environment. The same instinct carries directly into agent infrastructure: build systems that stay inspectable when they matter most.