R3 Health
Patient Portal · MVP Specification

A secure, focused patient portal for lab results.

Scope, features, and HIPAA compliance overview.

Prepared for R3 Health
Prepared by Chernicky Ventures LLC
Date May 2026
Version MVP · v1.0

This document specifies the first release of the R3 Health Patient Portal — a focused, secure web platform that gives patients access to their lab results and gives the R3 Health team a streamlined way to onboard patients and publish reports.

The MVP is intentionally narrow. It delivers four pillars: a clean lab results experience for patients, a one-way comment channel for patient feedback, an admin dashboard for patient onboarding and PDF lab report uploads, and an automated OCR pipeline that extracts values from those PDFs and surfaces them in the patient view. Every layer is designed and built to meet HIPAA requirements from day one.

Features beyond this scope — two-way messaging, scheduling, refill workflows, wearable integrations — are deferred to a future phase to keep the launch timeline tight, the surface area auditable, and the patient experience focused on what matters most: clear, trustworthy lab results.

MVP Scope at a Glance

The table below sets clear expectations on what is included in this release and what is explicitly deferred. Anything not listed in the In Scope column is not part of the MVP build.

In Scope · MVP

  • Patient login & secure session
  • Lab results dashboard with panels & biomarkers
  • Reference ranges, status indicators & trends
  • One-way comment form (patient → R3)
  • Admin / Provider login & dashboard
  • Patient onboarding & secure invite flow
  • Drag-and-drop PDF lab report upload
  • Automated OCR extraction with admin review
  • Patient comments inbox (read-only for staff)
  • HIPAA-compliant infrastructure & controls
  • Audit logging across all PHI access

Out of Scope · Future Phase

  • Two-way messaging / patient inbox replies
  • Medication refill workflows
  • Appointment scheduling
  • Telehealth / video visits
  • Wearable & device integrations
  • Billing & payments
  • Native mobile apps (iOS / Android)
  • Provider annotations on biomarkers
  • Patient educational content library

Patient Experience

The patient-facing portal is built around a single, calming idea: results are easy to find, easy to read, and easy to trust. Everything is mobile-responsive and works in any modern browser.

Secure Login

Email and password authentication with optional multi-factor authentication, encrypted sessions, and automatic timeout for inactivity.

Lab Results Dashboard

Results are organized into clear panels — chemistry, lipid, hematology, endocrine, and more — with reference ranges, status indicators (In Range, Borderline, Out of Range), and trend sparklines across multiple draws.

Biomarker Detail View

Drill down into any individual biomarker for a full historical chart, reference range context, and a plain-language description of what the value represents.

Comments to R3 Health

Patients can submit a comment or question — either tied to a specific result or general — directly to the R3 Health team. The patient sees a confirmation that the message was received. By design, this is a one-way channel; replies are handled by R3 Health staff outside the portal.

Admin & Provider Experience

The internal dashboard is designed for the day-to-day workflow of R3 Health staff: onboard new patients, upload incoming lab reports, verify automated extraction, and read patient feedback.

Patient Roster

Searchable list of every patient, with onboarding status, flagged biomarker counts, and quick filters for outstanding reviews or new comments.

Onboard New Patient

Simple form to create a patient record (name, date of birth, sex, email, assigned provider) and trigger a secure invite email with a one-time first-login link.

Upload Lab Report (PDF)

Drag-and-drop upload, attached to the correct patient. The PDF is encrypted at rest immediately and queued for OCR processing.

OCR Review Queue

Once OCR finishes, extracted values are presented side-by-side with the source PDF. Staff verify or correct each value before publishing to the patient. Low-confidence extractions are flagged automatically.

Patient Comments Inbox

Read-only view of every comment submitted by patients, sorted newest first, with the ability to mark items as reviewed. Replies are handled out-of-band by R3 staff.

Automated OCR Pipeline

Lab reports arrive as PDFs from external labs. Manually transcribing values is slow and error-prone. The MVP includes an automated pipeline that extracts structured lab values from each uploaded PDF and routes them through a brief human verification step before publishing.

1. Admin uploads PDF
2. Encrypted storage
3. Cloud OCR (under BAA)
4. Mapped to biomarker schema
5. Admin reviews & approves
6. Visible to patient

Why a HIPAA-eligible cloud OCR service

Lab PDFs are dense, table-heavy documents. Off-the-shelf text extraction libraries struggle with the layout. Modern document-AI services — AWS Textract and Google Cloud Document AI — are purpose-built for tabular medical and financial documents and reach high accuracy on key-value pairs and tables. Both services are available under a Business Associate Agreement (BAA), making them a HIPAA-eligible choice for processing PHI.

Why a human verification step

Lab values inform clinical conversations. Even highly accurate OCR can misinterpret a decimal point or unit. Every extracted value is held in a review queue and surfaced alongside the source PDF, with low-confidence values flagged for closer attention. Nothing reaches the patient until an R3 Health team member has confirmed it.
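As an added illustration of pipeline steps 4 and 5 (example code, not part of the specification or of Chernicky Ventures' build), the TypeScript below maps a simplified OCR field onto the spec's Result entity, derives the In Range / Borderline / Out of Range status from a reference range, and flags low-confidence or malformed values for the review queue. The field shape, the biomarker schema and the 0.9 confidence threshold are constructed assumptions, not the Textract or Document AI response format.

```typescript
// Added example (not R3 Health's or Chernicky Ventures' code). Maps OCR output
// onto the spec's Result entity, classifies it against a reference range, and
// flags values needing closer review. Thresholds and schema are constructed.

// Simplified field shape (constructed; not the Textract or Document AI schema).
interface ExtractedField { label: string; rawValue: string; confidence: number }
interface ReferenceRange { low: number; high: number; unit: string }
type Status = "In Range" | "Borderline" | "Out of Range";
interface Result {
  biomarker: string; value: number | null; unit: string; status: Status | null;
  ocrConfidence: number;
  reviewStatus: "pending" | "flagged"; // both await approval; flagged gets closer attention
}

// Biomarker schema the extracted values are mapped onto (constructed sample).
const SCHEMA: Record<string, ReferenceRange> = {
  Glucose: { low: 70, high: 99, unit: "mg/dL" },
  "LDL Cholesterol": { low: 0, high: 99, unit: "mg/dL" },
};
const CONFIDENCE_THRESHOLD = 0.9; // assumption; calibrate against real reports
const BORDERLINE_MARGIN = 0.05;   // within 5% of the span from a limit is Borderline

function classify(value: number, r: ReferenceRange): Status {
  if (value < r.low || value > r.high) return "Out of Range";
  const margin = (r.high - r.low) * BORDERLINE_MARGIN;
  if (value - r.low <= margin || r.high - value <= margin) return "Borderline";
  return "In Range";
}

function mapField(f: ExtractedField): Result | null {
  const range = SCHEMA[f.label];
  if (!range) return null; // label not in schema: left for staff to map by hand
  // Expect "<number> <unit>". A stray space or misread unit ("9 2 mg/dL") makes
  // the unit text mismatch, which is exactly the error the review queue exists for.
  const m = f.rawValue.trim().match(/^(\d+(?:\.\d+)?)\s*(.*)$/);
  const value = m ? Number(m[1]) : null;
  const unitOk = m !== null && m[2].trim() === range.unit;
  const flagged = f.confidence < CONFIDENCE_THRESHOLD || value === null || !unitOk;
  return {
    biomarker: f.label,
    value,
    unit: range.unit,
    status: value === null ? null : classify(value, range),
    ocrConfidence: f.confidence,
    reviewStatus: flagged ? "flagged" : "pending",
  };
}
```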

Security & HIPAA Compliance

The portal stores and handles Protected Health Information (PHI). HIPAA compliance is treated as a foundation, not a feature — every layer is designed around the three pillars of the HIPAA Security Rule.

BAAs in place from day one. Every third-party service that touches PHI — cloud host, OCR provider, transactional email, identity provider — operates under a signed Business Associate Agreement before launch.

Pillar 1

Administrative Safeguards

  • Signed Business Associate Agreements with every PHI-handling vendor
  • Role-based access control: Patient · Admin · Provider, each with least-privilege defaults
  • Documented workforce training and periodic access-review processes for R3 Health staff
  • Defined breach-notification and incident-response procedures

Pillar 2

Physical Safeguards

  • HIPAA-eligible cloud infrastructure (AWS or GCP) with SOC 2 and HITRUST attestations
  • No PHI stored on local devices — portal accessible only via authenticated web session
  • Dedicated production environment, isolated from any non-PHI workloads

Pillar 3

Technical Safeguards

  • TLS 1.2+ for all data in transit; AES-256 encryption at rest for database and PDF storage
  • Multi-factor authentication required for all admin and provider accounts
  • Session timeouts, secure cookies, and automatic logout on inactivity
  • Comprehensive audit logging — every PHI view, upload, edit, and patient comment is recorded with user, timestamp, and action
  • Patients see only their own data; providers see only their assigned patients
  • Encrypted backups with documented retention & secure-disposal policy
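As an added example (not the specification's or Chernicky Ventures' code), the TypeScript below encodes the access-scoping rule from the list above for the three roles and records an Audit Event with the fields the Data Model names for every decision, allowed or denied. The User and PatientRecord shapes and the in-memory log are assumptions standing in for the real schema and an append-only audit table.

```typescript
// Added example (not R3 Health's or Chernicky Ventures' code). Implements the
// scoping rule "patients see only their own data; providers only their
// assigned patients" and writes an Audit Event for every decision. Entity
// shapes are assumptions modelled on the spec's Data Model Summary.

type Role = "Patient" | "Admin" | "Provider";
interface User { id: string; role: Role; patientId?: string } // patientId only for Patient role
interface PatientRecord { id: string; assignedProviderId: string }
interface AuditEvent {
  actor: string;
  action: string;    // e.g. "result.view", "pdf.upload"
  target: string;    // entity reference, e.g. "patient:p-1"
  allowed: boolean;  // denied attempts are recorded too
  timestamp: string; // ISO 8601
  ip: string;
}

// In-memory stand-in for an append-only audit table (assumption).
const auditLog: AuditEvent[] = [];

// Least-privilege default: deny unless the role's rule explicitly grants access.
function canAccessPatient(user: User, patient: PatientRecord): boolean {
  switch (user.role) {
    case "Patient":  return user.patientId === patient.id;
    case "Provider": return patient.assignedProviderId === user.id;
    case "Admin":    return true; // roster and upload workflows span all patients
    default:         return false;
  }
}

// Authorizes one PHI action and records it whether or not it was allowed, so
// denied attempts appear in the audit trail alongside successful access.
function authorizeAndAudit(user: User, patient: PatientRecord, action: string, ip: string): boolean {
  const allowed = canAccessPatient(user, patient);
  auditLog.push({
    actor: user.id, action, target: `patient:${patient.id}`, allowed,
    timestamp: new Date().toISOString(), ip,
  });
  return allowed;
}

// Roster scoping: an Admin sees every patient, a Provider only assigned ones.
function visiblePatients(user: User, roster: PatientRecord[]): PatientRecord[] {
  return roster.filter((p) => canAccessPatient(user, p));
}
```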

Technical Foundation

A short, plain-language summary of the platform underneath the product. The stack is deliberately conservative — well-supported, HIPAA-eligible services with strong operational track records.

Web Application
React + TypeScript single-page app, mobile-responsive, served over HTTPS.
Backend API
HIPAA-eligible cloud (AWS or GCP) with a managed application server and a private network.
Database
Managed PostgreSQL with encryption at rest, automated backups, and point-in-time recovery.
PDF Storage
Encrypted object storage with access logging and time-limited signed URLs.
OCR
AWS Textract or Google Cloud Document AI under signed BAA.
Authentication
Managed identity provider with MFA support (e.g., AWS Cognito or Auth0 Healthcare).
Hosting
Single-region production environment with automated backups and monitoring.

Cost Overview

All estimates below are sized to R3 Health's current scale of approximately 3,500 active patients with ongoing growth of 30–50 new patients per month. Cloud and OCR costs scale gradually with patient and lab-report volume; the platform has no per-seat licensing fees or third-party SaaS subscriptions built in.

How to read these numbers. Operational costs are direct third-party fees (cloud, OCR, email) paid monthly to the underlying vendors. One-time setup costs are recommended security and compliance investments before launch. Development of the MVP itself is quoted separately by Chernicky Ventures LLC.

Monthly Operational Costs · Summary

Direct third-party costs at current scale (~3,500 active patients). The detailed AWS line-item breakdown follows below.

AWS Infrastructure
$140–350 / mo · Itemized below — managed Postgres, app compute, storage, networking, security, logging
OCR Processing (Textract)
$65–150 / mo · Form & table analysis on ~1,300–3,000 PDF pages processed per month at steady state
Transactional Email
< $5 / mo · AWS SES for patient invites, password resets, and notifications (covered under AWS BAA)
Error & Performance Monitoring
$0–30 / mo · AWS CloudWatch included; optional Sentry tier for richer error context
Domain
~$1 / mo · Annual domain renewal; ACM SSL certificates included free with AWS
Estimated Monthly Total
$210 – $535 / mo

AWS Infrastructure · Detailed Breakdown

Line-item view of the AWS spend at current scale. Costs assume a production-grade, single-region deployment with Multi-AZ database redundancy and daily encrypted backups.

RDS PostgreSQL
$50–100 / mo · Managed Postgres on db.t4g.small (Multi-AZ) up to db.t4g.medium (Multi-AZ) for headroom. Encryption at rest, automated backups, point-in-time recovery included.
ECS Fargate (App Server)
$30–60 / mo · Two redundant container tasks (0.5–1 vCPU each) for the API. No EC2 instances to patch.
Application Load Balancer
$20–30 / mo · TLS termination, health checks, traffic routing.
S3 Storage (PDFs & backups)
$3–15 / mo · Encrypted at rest with KMS, versioned, lifecycle-managed. Grows ~$1–3/mo per year as lab volume accumulates.
AWS WAF (Web Firewall)
$15–30 / mo · Recommended for HIPAA — managed rules covering the OWASP Top 10 risks, plus rate limiting and geo-blocking.
CloudWatch (Logs & Metrics)
$5–15 / mo · Application, access, and audit log ingestion + retention.
KMS (Key Management)
$5–10 / mo · Encryption keys for RDS, S3, and Secrets Manager (~3 keys + request volume).
Data Transfer (Egress)
$5–30 / mo · Outbound bandwidth to patients downloading PDFs and using the portal.
Secrets Manager
$3–5 / mo · Database credentials, API keys, encryption secrets.
Route 53 (DNS)
$1–3 / mo · Hosted zone for the portal domain.
VPC NAT / Endpoints
$0–50 / mo · Optional. VPC endpoints to AWS services avoid most NAT Gateway charges.
Cognito (Authentication)
$0 / mo · Free up to 50,000 monthly active users; well below R3's projected scale.
AWS Subtotal
$140 – $350 / mo

All listed services are HIPAA-eligible under the AWS Business Associate Addendum. Lower end of each range reflects a lean launch configuration; upper end reflects comfortable headroom for growth.

OCR volume — sized to functional medicine practice norms. The earlier estimate has been calibrated against R3's likely lab cadence: roughly 50–60% of active patients order labs in a given year, averaging ~2 draws/year, with reports averaging 4–6 pages each. That works out to ~330 draws/month and ~1,300–2,000 OCR pages/month at steady state. If R3 backfills 1–3 years of historical patient labs at launch, expect a one-time spike of $500–$1,500 spread over the migration period. We recommend validating the steady-state estimate against R3's actual lab volume before launch.

One-Time Setup Costs

Direct third-party costs incurred at launch. BAA execution itself carries no fee.

BAA Execution
$0 · Self-serve via AWS Artifact for all HIPAA-eligible AWS services in scope (RDS, S3, Textract, SES, Cognito, KMS, CloudWatch).
Domain Registration
~$15 / year

How Costs Scale With Growth

Infrastructure costs are largely fixed; OCR and storage grow roughly linearly with lab-report volume. At R3's current growth pace of 30–50 new patients per month, projected monthly operational costs are:

3,500 patients · today
$210 – $535 / mo
5,000 patients · ~2–3 years out
$280 – $700 / mo
10,000 patients · long-term
$500 – $1,200 / mo

Per-patient infrastructure cost works out to roughly $0.06–$0.15 per patient per month at current scale — well below most patient-facing SaaS platforms on the market, with the meaningful advantage that R3 Health owns the platform outright with no per-seat lock-in.

Development Investment

Custom development of the MVP is quoted separately by Chernicky Ventures LLC based on the final scope confirmed in this document. Because the platform is purpose-built for R3 Health, there are no recurring software licensing fees, per-seat charges, or vendor lock-in beyond the underlying cloud infrastructure listed above. R3 Health owns the resulting codebase and infrastructure outright.

Data Model Summary

The MVP captures a small, deliberate set of entities. Everything stored is PHI-relevant and audited.

Patient
Identity, contact information, assigned provider, onboarding status.
Lab Draw
Date drawn, fasting status, source PDF reference, lab/source.
Result
Biomarker, value, unit, reference range, status, OCR confidence, review status.
Comment
Patient → R3 message body, timestamp, optional related result, reviewed flag.
User
Account record with role (Patient / Admin / Provider), MFA status, last-login timestamp.
Audit Event
Every PHI access or change — actor, action, target entity, timestamp, IP.

Future Phase Candidates

Features deferred from the MVP that R3 Health has expressed interest in. None of these are part of the current build, but the foundation laid in the MVP makes each one straightforward to add in a future phase.

Phase 2

  • Two-way messaging
  • Appointment scheduling
  • Wearable & device integrations
  • Provider annotations on biomarkers
  • Patient educational content
  • Native mobile applications
  • Refill & medication workflows
  • Billing & payment integration

Closing

This MVP gives R3 Health a focused, polished, HIPAA-compliant patient portal that does a small number of things exceptionally well. It establishes the secure foundation, the operational workflow, and the visual language that future phases will build on — without taking on scope that would compromise timeline, security review, or the calm clarity of the patient experience.