Alma
999 commits in HIPAA production across reassessments, compliance, audit integrations, and document workflows.
This is the production proof case study. It shows the kind of long-running, failure-sensitive backend ownership that never becomes flashy but becomes indispensable when the system cannot break.
What the work actually demanded
Alma is where the portfolio proves I can operate under healthcare constraints, not just prototype around them. The work covered automated reassessment logic, serializer churn for evolving compliance requirements, document pipelines, and third-party audit integrations.
The constant here was operational care: feature flags, multi-PR rollout strategy, reversible migrations, and background jobs designed to survive large backfills and token-expiring external APIs.
2.7 years of sustained ownership
999 commits, 7 feature areas, 96.4% Python. The story is not one heroic sprint; it is repeated operational ownership under compliance pressure.
The system had to stay boring in the right ways
Clinical backend architecture
Django and DRF for request surfaces, Celery for asynchronous work, PostgreSQL and S3 for durable data, and Brellium for external audit flows.
The seven areas that mattered
- Automated clinical reassessments with backfills, cadence logic, family-based assessment rules, and batch enrollment flows.
- Compliant progress notes and PDF generation where serializer shape and audit requirements kept evolving.
- Brellium audit integration with retries, re-authentication, and production-ready API handling.
- Appointment document management with RBAC and S3-backed lifecycle rules.
- Provider consent rollout decomposed into multiple safe PRs instead of one risky launch.
- Session feedback and reminder systems tied back into the reassessment engine.
- Audit-protection infrastructure for appointment-level compliance state.
Why the implementation choices mattered
In a HIPAA environment, velocity is not the same thing as rush. The engineering challenge is to ship continuously while keeping the failure modes controlled and the audit trail legible.
That kind of work rarely produces a glamorous demo, but it does produce trust. That is the real artifact here.
- Celery handled backfills, reminders, and long-running work that should never block a request.
- Feature flags let production code land safely before provider-facing rollout.
- Multi-PR decomposition kept a sensitive consent feature reviewable and reversible.
999 commits in HIPAA production is the kind of work that doesn’t make demo reels.
It is the work that matters when systems cannot break. That is exactly why it belongs in the portfolio.