Moonlitic
Program Plan — 24-Month Roadmap
Internal Only — Confidential

Program Plan

Comprehensive 24-month program with milestones, parallel workstreams, hiring plan, vendor agreements, and 20% schedule buffer. Aggregator-first data strategy with Azure Health Data Services backbone.

Key Assumptions

Data Strategy
Aggregator-first for 24 months
Data Aggregator / 1upHealth / Particle for production clinical data. Direct EHR (Epic SMART on FHIR) built in parallel starting Month 6.
Cloud Platform
Microsoft Azure (decided)
Azure Health Data Services, Entra ID RBAC, Confidential Computing. Microsoft agreement required for healthcare terms and committed spend.
Schedule Buffer
20% buffer applied to all milestones
Base dates + 20% buffer = milestone dates shown. Buffer accounts for vendor delays, hiring ramp, and scope discovery.
Hiring Ramp
2-4 weeks to get initial team
SMEs, developers, and key staff onboarded in Weeks 1-4. Assumes contract-first for speed, FTE conversion for key roles by Month 6.
Current State
Demo-ready, 4-door architecture built
Platform Dashboard, Patient Portal, Marketplace Portal, Clinician Portal — all demo-wired. 115 user stories defined, 465 story points estimated.
Funding Assumption
Pre-seed / Angel — lean execution
Program designed for capital-efficient execution. Contract-heavy initially, converting to FTE as revenue proves out. Azure startup credits pursued.

Program Timeline — 24 Months

Workstream | M1 | M2 | M3 | M4 | M5 | M6 | M7-9 | M10-12 | M13-15 | M16-18 | M19-21 | M22-24
Phase 0 — Foundation & Team (Months 1-2)
Hiring & Onboarding | Core team assembly | HIRE · RAMP
Microsoft Azure Agreement | EA/CSP + BAA + credits | AZURE NEG · AZURE ✓
Dependencies:
▶ PARALLEL — Azure & Aggregator run simultaneously (different counterparties)
▶ BOTH BLOCK → Pipeline (M2) — need Azure tenant + Aggregator contract before data flows
Aggregator Vendor Selection | Evaluate, contract, BAA | AGGR EVAL · AGGR ✓
Legal & Compliance Setup | Privacy policy, ToS, DUA template | LEGAL · LEGAL · LEGAL ✓
Phase 1 — Core Platform Build (Months 2-6)
Gate:
Azure ✓ + Aggregator ✓ required → Pipeline starts
Pipeline ✓ → unlocks Consent & Marketplace (real data)
Consent V1 + MKTPL V1 → Platform V1 Ready
Azure Infrastructure | Tenant, FHIR, VNet, Entra ID | AZURE INFRA · AZURE ✓
Aggregator → Azure Pipeline | Data pull, normalize, store | DATA PIPE · DATA PIPE · DATA PIPE ✓
Clear Integration | Patient + clinician identity | Clear · Clear · Clear ✓
Velo Payments | Patient payouts, KYC, 1099 | VELO KYC · VELO KYC ✓
Consent Engine (Prod) | Real-time propagation, jurisdiction | CONSENT · CONSENT · CONSENT V1
Marketplace Engine (Prod) | Real queries, attribution, billing | MKTPL · MKTPL · MKTPL · MKTPL V1
CI/CD & DevOps | GitHub Actions, Terraform, monitoring | CI/CD · CI/CD · OPS · OPS · OPS · OPS · OPS · OPS · OPS · OPS · OPS
Security Hardening | Pen test, vuln scan, IR playbook | SECURITY · SECURITY · SEC ✓
Twilio + SendGrid | MFA, email notifications | COMMS ✓
20% Schedule Buffer | Phase 1 contingency | BUFFER
Phase 2 — Scale & Direct Integrations (Months 6-12)
Dependencies:
▶ PARALLEL — Claims & Recon run concurrently (different engineers)
Platform V1 ✓ → First Revenue possible
Security ✓ → SOC 2 observation can begin
First Buyer Onboarded | Full DUA, real queries, revenue | ★ 1st REVENUE
Epic SMART on FHIR | App Orchard application + sandbox | EPIC APP · EPIC DEV · EPIC REV · EPIC ✓
Claims Engine (Prod) | X12 ingestion, validation | CLAIMS · CLAIMS · CLAIMS V1
Reconciliation Engine (Prod) | Double-entry, variance, queues | RECON · RECON · RECON V1
SOC 2 Type II | Readiness + observation period | SOC2 PREP · SOC2 OBS · SOC2 OBS · SOC2 ✓
Zoho One Integration | CRM + Books (AR/AP) | ZOHO · ZOHO ✓
20% Schedule Buffer | Phase 2 contingency | BUFFER
Phase 3 — Market Expansion & Direct EHR (Months 12-24)
Surescripts / NCPDP | Direct Rx data access | SURESR · SURESR · SURESR ✓
X12 EDI Clearinghouse | Direct claims connectivity | X12 EDI · X12 EDI · X12 ✓
Scale to 10 Buyers | Revenue growth, market expansion | GROW · GROW · GROW · ★ 10 BUYERS
Scale to 10K Patients | Patient acquisition | ACQ · ACQ · ACQ · ★ 10K
Series A Readiness | Metrics, deck, data room | PREP · ★ RAISE

Critical Path & Dependencies

The critical chain determines the minimum possible timeline. Any slip on critical-path items directly delays downstream milestones. Non-critical items have float and can absorb delays within buffer.

Azure → Pipeline → Consent → Marketplace → Platform V1 → First Revenue → Scale → Series A

Slip Impact Analysis

Component | Slip Duration | Impact | Mitigation
Aggregator Contract | +2 weeks | Absorbed by buffer | Pre-negotiate with 2 vendors
Aggregator Contract | +6 weeks | Exceeds buffer, scope cut needed | Defer Claims to Phase 3
Azure Provisioning | +2 weeks | Absorbed by buffer | Use Azure Quickstart templates
Azure Provisioning | +4 weeks | Beta slips 2 weeks | Fast-track with Microsoft rep
Clear Integration | +3 weeks | Absorbed — not on critical path | Use manual verification interim
Consent Engine | +2 weeks | Beta slips 2 weeks (critical path) | Reduce scope to core consent only
Marketplace Engine | +3 weeks | GA slips 3 weeks (critical path) | Ship with limited query types
SOC 2 Observation | +4 weeks | Enterprise deals delayed | Start observation 2 weeks earlier
Velo Payments | +2 weeks | Absorbed — payout not on critical path | Manual payouts interim

Key Milestones (with 20% Buffer)

1. Team Assembled & Contracts Signed
Month 2 (base: Week 6 → buffered: Week 7)
Core team onboarded (6-8 people). Azure agreement signed. Aggregator contract + BAA executed. Velo Payments approved.
Buffer: 1 week added for contract negotiation delays
2. Azure Infrastructure Live
Month 3 (base: Week 10 → buffered: Week 12)
Azure tenant, FHIR server, Entra ID, VNet, private endpoints all operational. CI/CD pipeline running. Dev/staging/prod environments separated.
Buffer: 2 weeks for Azure provisioning and config issues
3. First Patient Data in Azure
Month 4 (base: Week 14 → buffered: Week 17)
Aggregator pipeline live. First real patient (or pilot cohort) authorizes data pull. FHIR resources stored in Azure. Consent engine wired to real data.
Buffer: 3 weeks for aggregator API integration and data normalization
4. Platform V1 — Production Ready
Month 6 (base: Week 22 → buffered: Week 26)
All 4 doors running on real data. Consent propagation live. Patient payouts operational. Security pen test passed. Identity verification live.
Buffer: 4 weeks for integration debugging and security remediation
5. First Revenue — Buyer Onboarded
Month 7 (base: Week 26 → buffered: Week 31)
First data buyer completes 4-stakeholder approval, signs DUA, and runs first paid query. Revenue attribution flows to patient earnings. 80/20 split operational.
Buffer: 5 weeks for buyer sales cycle and legal review
6. SOC 2 Type II Certification
Month 14 (base: Month 12 → buffered: Month 14)
SOC 2 Type II report issued. 3-month observation period complete. All controls operating effectively. Enterprise buyer prerequisite met.
Buffer: 2 months for remediation during observation
7. 10 Buyers + 10K Patients
Month 22 (base: Month 18 → buffered: Month 22)
Market traction proven. 10 paying buyers. 10,000 patients with linked data. Monthly recurring revenue established. Unit economics validated.
Buffer: 4 months for market development and sales cycle variance
8. Series A Ready
Month 24
Revenue metrics, SOC 2, 10+ buyers, 10K+ patients, direct EHR integrations underway, claims engine live. Data room prepared. Pitch deck updated with real metrics.

Hiring Plan — Weeks 1-4 Initial, Scaling Through Month 12

Strategy: Contract-first for speed (2-4 week onboarding). Convert high-performers to FTE by Month 6. SMEs engaged as fractional advisors from Day 1.

Full-Stack Engineer (Sr.)
Contract → FTE
Week 1-2 · 2 engineers
Core platform build: Azure FHIR integration, consent engine, marketplace query engine, portal production-hardening. Node.js/Python, Azure, FHIR R4 experience required.
Healthcare Data Engineer
Contract → FTE
Week 1-2 · 1 engineer
Aggregator integration, FHIR normalization, data pipeline (Azure Data Factory / Functions). HL7/FHIR, clinical terminology mapping (ICD-10, SNOMED, LOINC, RxNorm).
DevOps / Cloud Engineer
Contract
Week 2-3 · 1 engineer
Azure infrastructure, Terraform IaC, CI/CD, monitoring, security hardening. Sets up the foundation then transitions to part-time maintenance.
HIPAA Compliance SME
Fractional Advisor
Week 1 · 10-15 hrs/week
BAA chain, privacy policy, consent architecture review, SOC 2 readiness, state law compliance. Critical for investor credibility and buyer trust. Engaged through Month 12+.
Healthcare Attorney
Fractional / Outside Counsel
Week 1 · As needed
Vendor contracts (Azure, aggregator, Velo), DUA template, patient ToS, compensation agreement, clinical trial consent. Healthcare regulatory expertise required.
Security Engineer
Contract
Week 3-4 · 1 engineer
Pen testing, vulnerability management, incident response playbook, Azure Sentinel setup, network segmentation validation. Engaged through SOC 2 certification.
Product Manager
FTE
Month 2-3 · 1 PM
Owns backlog prioritization, sprint planning, stakeholder communication. Manages 115 user stories across 11 sections. Healthcare product experience preferred.
QA / Test Engineer
Contract
Month 3 · 1 engineer
Test automation, integration testing, security testing. Validates consent propagation, attribution accuracy, payout correctness. Ramps up as features ship.
Sales / BD (Healthcare)
FTE
Month 4-5 · 1 person
Buyer pipeline development. Pharma, CRO, and health system relationships. Needed 1-2 months before first buyer milestone to build pipeline. Commission-based comp structure.

Vendor Agreements & Microsoft Azure

All vendor agreements must include BAAs where PHI is involved. Microsoft Azure agreement is the foundation — healthcare terms, committed spend, and startup credits.

Microsoft Azure
Enterprise Agreement
Agreement type: Microsoft Customer Agreement (MCA) or Cloud Solution Provider (CSP) through a healthcare-focused partner.

Key terms to negotiate: HIPAA BAA (auto-accepted via Online Services Terms), HITRUST CSF inheritance, US-only data residency, committed spend discount (vs. pay-as-you-go), Azure credits via Microsoft for Startups (up to $150K), named account manager, Professional Direct support tier.

Services covered: Azure Health Data Services, Entra ID, Key Vault, Application Insights, Azure Functions, Confidential Computing, Azure Sentinel, API Management.

Process: Apply to Microsoft for Startups (Founders Hub) immediately. If accepted, credits are available within 1-2 weeks. For enterprise terms, engage a CSP partner or Microsoft healthcare account team. BAA is accepted digitally — no negotiation needed.
Target: Month 1-2 · Signed by end of Month 2
Health Data Aggregator (Data Aggregator / 1upHealth / Particle)
MSA + BAA
Agreement type: Master Services Agreement with HIPAA BAA addendum.

Key terms: Per-patient pricing (typically $1-5/patient/month), data freshness SLA (24hr), uptime SLA (99.9%), BAA with breach notification within 24hrs, data retention on termination, API rate limits, EHR network coverage guarantees.

Evaluation criteria: Consumer-directed data model (patient authorizes), FHIR R4 output quality, EHR network breadth, HIPAA compliance maturity, pricing flexibility for startup stage.

Process: Parallel evaluation of 2-3 vendors in Month 1. Sandbox testing in Week 3-4. Contract signed by end of Month 2.
Target: Month 1-2 · Signed by end of Month 2
Velo Payments
Platform Agreement
Agreement type: Velo Payments Platform Agreement with Custom connected accounts.

Key terms: ACH disbursement pricing (~$0.80/transfer), split-payment orchestration (80/20), 1099-NEC generation and filing, KYC for connected accounts (patients), healthcare-specific compliance review.

Process: Platform application online (1-2 weeks review). Healthcare money movement may trigger additional compliance questions (2-4 weeks total). No BAA needed — Velo handles financial data, not PHI.
Target: Month 2-3 · Approved by end of Month 3
Clear
BAA + Integration Agreement
Agreement type: Developer agreement with HIPAA BAA for identity verification of PHI-accessing users.

Key terms: IAL2 identity proofing, per-verification pricing, uptime SLA, BAA covering identity data, integration support, NIST 800-63 compliance.

Process: Business verification application (2-4 weeks). Compliance review for healthcare use case. Sandbox access. BAA execution. Production go-live.
Target: Month 2-4 · Live by end of Month 4
Zoho One
Subscription Agreement
Agreement type: Zoho One subscription (all apps). Self-serve, no negotiation needed.

Key terms: ~$45/user/month (annual). Covers CRM, Books, Invoice, Desk. API access included. No BAA (Zoho handles business data, not PHI — buyer invoicing and AP/AR only).

Process: Sign up and configure. 1-2 days for basic setup. API integration with Door 3 and payouts engine in Month 6-7.
Target: Month 6 · Low priority, self-serve
SendGrid + Twilio
API Agreements
Agreement type: Self-serve API agreements. Both are Twilio companies.

Key terms: SendGrid: transactional email (~$20/month starter). Twilio: SMS MFA (~$0.0079/message). Healthcare A2P 10DLC registration required for SMS (1-2 weeks). No BAA needed for notification-only use (no PHI in messages).

Process: Sign up, configure templates, register 10DLC. Production-ready in days.
Target: Month 3 · Self-serve, quick setup

Risk Register

# | Risk | Likelihood | Impact | Mitigation
1 | Aggregator data quality / coverage gaps | Medium | High | Evaluate 2-3 vendors in parallel. Include data quality SLAs in contract. Build normalization layer that handles variation. Plan for supplemental direct integrations.
2 | Hiring delays — specialized healthcare engineers scarce | High | Medium | Contract-first strategy allows broader talent pool. Engage recruiting firm specializing in health tech. Accept remote-first. 20% buffer absorbs 2-3 week delays.
3 | Microsoft Azure startup credits rejected | Low | Medium | Apply early (Week 1). If rejected, negotiate CSP partner pricing. Azure pay-as-you-go is viable at early scale. Budget accordingly.
4 | Buyer sales cycle longer than expected | High | High | Start BD in Month 4, not Month 6. Target mid-market pharma (faster decision cycles). Offer pilot pricing. 20% buffer on revenue milestone. Prepare 2-3 buyer prospects in parallel.
5 | HIPAA breach during early operations | Low | High | Security engineer from Week 3. IR playbook by Month 3. Pen test before V1 launch. BAA chain complete before any PHI flows. Cyber insurance policy in place.
6 | Patient acquisition slower than projected | Medium | Medium | Start with provider partnerships (clinicians refer patients). Partner with patient advocacy groups. Compensation model ($$ for data) is a differentiator. 10K target has 4-month buffer.
7 | Epic SMART on FHIR approval delayed beyond 6 months | Medium | Low | Not a blocker — aggregator covers production data for 24 months. Direct Epic is a cost optimization, not a dependency. Delays push to Phase 3.
8 | Regulatory changes (state privacy laws, HIPAA updates) | Medium | Medium | Fractional HIPAA SME monitors regulatory changes. Consent engine designed for jurisdiction-aware rules. Version-controlled consent rule management.

Parallel Tracks Summary

Track A — Platform Core (Months 1-6): Azure setup, aggregator integration, consent engine, marketplace engine, identity, payouts. Founder + 4-5 engineers + 2 SMEs. Goal: V1 production-ready.

Track B — Legal & Compliance (Months 1-6): Vendor contracts, BAA chain, privacy policy, DUA template, patient agreements, SOC 2 readiness kickoff. Founder + attorney + HIPAA SME. Goal: legally operational.

Track C — Security & Infrastructure (Months 2-5): Azure hardening, pen testing, IR playbook, monitoring, DR setup. DevOps + Security engineer. Goal: pen test passed, production-secure.

Track D — Revenue (Months 4-12): Buyer prospecting, DUA negotiation, first revenue, scale to 10 buyers. BD hire + founder. Goal: proving revenue model.

Track E — Direct Integrations (Months 6-24): Epic SMART on FHIR, Surescripts, X12 EDI. Healthcare data engineer. Goal: reduce aggregator dependency, improve data freshness and unit economics.