Jan 2026 - Present

Tiny Steps CMS

HIPAA-Compliant Practice Management

$45K+

invoiced through the system

The Problem

Four home health agencies were about to commit to seventeen hundred dollars a month for ProviderSoft. Too many menus. Too many features they’d never use. Meanwhile, therapists were driving paper notes to the office. Supervisors were cosigning forms by hand. Credential expirations lived in a spreadsheet — and when one lapsed, nobody knew until the audit.

They needed software that understood how home health therapy actually works — therapists in the field, documenting visits on their phones between appointments, supervisors reviewing from wherever they are, and someone watching every credential expiration before it becomes a liability.

The Solution

Built in two months. Forty-two users across four agencies. The key decision: make the most common workflow — documenting a visit — as fast as physically possible. Open the app, select the patient, fill in the details, sign with your finger, submit. Under three minutes, including the signature.

The credential lockout is the piece I’m proudest of. Sixty-plus credential types per therapist, four of them critical. If a critical credential expires, the system locks the therapist out. No grace period. No workaround. It sounds aggressive — until you realize the alternative is a therapist working with an expired medical clearance and the agency bearing the liability.

The billing pipeline follows every dollar from authorization to visit documentation to invoice generation to payment collection. Nothing falls through the cracks because the system won’t let it.

Production Metrics

Active Users

205

Patients Managed

$45K+

Invoiced

1,433

Credentials Tracked

Agencies Served

99K

Lines of Code

515

Commits in 89 Days

$1.7K/mo

Enterprise Cost Replaced

Architecture Decisions

Agency-Polymorphic PDF Pipeline

13 fillable PDF templates across 4 agencies, each with different layouts and requirements. pdf-lib fills fields programmatically and stamps drawn signatures at computed coordinates. @react-pdf/renderer generates custom reports.

Supervision Routing State Machine

Every visit note flows through a state machine: pending_review → co_signed → ready_for_billing. Supervisors are notified automatically. The system enforces that no visit reaches billing without proper cosignature.

Credential Lockout Engine

PostgreSQL functions evaluate credential expiry on every login. 4 critical credential types trigger immediate account lockout. Non-critical expirations generate warnings. All evaluated server-side — no client-side bypass possible.

SSN Encryption at Rest

AES-256-GCM encryption for all SSN fields. Role-scoped queries ensure that only authorized roles can decrypt. Full HIPAA audit trail with 5,361+ logged events.

Tech Stack

Next.js 16React 19Neon PostgreSQL (HIPAA BAA)Drizzle ORMnext-auth v5Tigris S3pdf-lib@react-pdf/rendererSentryFly.io

What I Learned

Multi-tenant healthcare is hard because no two agencies work the same way. Different forms, different billing cycles, different field positions on every PDF. The polymorphic document pipeline — thirteen templates across four agencies, each with its own layout — was the most complex thing I’ve ever built.

Before this system, expired credentials were caught during audits — after the damage was already done. Automated lockout is the only guarantee. Not a single therapist has worked with expired credentials since launch. That’s the metric I care about most.

Every form submission is validated on both client and server. Every error state is explicitly typed. One hundred sixty-five server actions, zero runtime type errors in production. The type system is the safety net under the safety net.

← All Projects Get in Touch