Work
Case Study Healthcare Technology

Prior Authorization Portal

Engineered a healthcare prior authorization platform with secure OAuth authentication, multi-provider workflows and compliance-aligned data handling.

Overview

Prior authorization is one of the most friction-heavy processes in US healthcare - a provider needs to obtain approval from a patient's insurer before delivering certain treatments or prescribing certain medications. The process is typically handled through phone calls, faxes and proprietary insurer portals, each with different interfaces and requirements.

Our client was building a platform to centralize this process: a single portal where providers could submit, track and manage prior authorization requests across multiple insurance carriers. The compliance and security requirements were significant - PHI (Protected Health Information) handling, HIPAA-aligned audit logging and role-based access across provider organizations.

What We Built

Authentication and authorization (Node.js / OAuth 2.0)

The platform serves multiple provider organizations, each with their own user base. We implemented a multi-tenant authentication system using OAuth 2.0 with organization-scoped tokens. Provider organizations can be onboarded independently, with per-organization configuration for SSO (SAML integration for larger health systems) or username/password authentication for smaller practices.

Role-based access was implemented at the API level with a claims-based authorization model. Three roles cover the primary use cases: clinical staff (submit and view), admin (manage users within their organization) and read-only (for billing and review staff). All role assignments are auditable.

Prior authorization workflow engine (Node.js)

Authorization requests go through a defined state machine: draft → submitted → pending insurer response → approved/denied/pending additional info. Each state transition is logged with the acting user, timestamp and any attached documentation.

The workflow engine handles the key complexity in this problem: different insurers have different submission requirements and response formats. We built an insurer adapter layer that normalizes submission data into each carrier's expected format (HL7 FHIR for carriers supporting it, carrier-specific JSON schemas for others) and parses responses back into a common internal representation.

Provider-facing portal (React.js / TailwindCSS)

The UI was designed for clinical environments where users are context-switching frequently and need to find a request's status quickly. The dashboard surface is a filterable list of open requests with status badges, days-pending indicators and action prompts for requests awaiting additional documentation.

The form flow for new submissions adapts based on the selected insurer and procedure - showing only the fields that carrier requires, with inline guidance for common documentation requirements.

PHI handling and audit logging

All PHI fields in the database are encrypted at the column level using AES-256, with key management handled separately from the application database. The audit log captures every read and write of PHI records - not just mutations - to satisfy HIPAA's access logging requirements. Logs are written to an append-only store and exported to the client's compliance team on a monthly cycle.

Technical Decisions Worth Noting

We used TypeScript throughout the Node.js API layer specifically for the typing guarantees in the HL7 FHIR serialization/deserialization path. Healthcare data formats have enough edge cases that we wanted the compiler catching schema mismatches rather than runtime errors - and having strong types across both the API and frontend reduced the surface area for data handling bugs.

The adapter pattern for insurer integrations was a conscious choice to contain the complexity of dealing with multiple incompatible formats. New carrier integrations are added by implementing a single interface and registering the adapter - the core workflow engine doesn't need to change.

Outcome

The platform launched with integrations for three major insurance carriers, covering the majority of the client's provider network's prior authorization volume. Submission turnaround time dropped measurably - the digital submission path removed the phone and fax step for supported carriers, with most submissions reaching the insurer within minutes rather than hours.

The compliance team signed off on the PHI handling and audit trail implementation prior to launch. No audit findings were raised during the client's subsequent internal compliance review.