Patient encounter platform — multi-state telehealth → Archiet Traceability Audit
Analysis date: 2026-05-30
Industry: healthcare
Stack: flask
Compliance regimes: hipaa
Integrations supplied: Twilio, SendGrid, Stripe
Notes: Multi-state telehealth provider; needs HIPAA artifact bundle for the auditor + per-state PHI residency.
Executive summary
Headline finding. Archiet can generate 93.75% of the in-scope architecture for Patient encounter platform — multi-state telehealth directly, assessed across 16 concerns against HIPAA, with 0 gaps requiring custom work. On the evidence below this is a strong fit. We recommend the customer adopt Archiet as the primary code-generation platform and wrap the small custom surface alongside the generated application. A current-state assessment, severity-ranked gap analysis, and a phased 30/60/90-day adoption roadmap follow.
Coverage at a glance: 93.75% can-generate, 6.25% partial, 0.0% cannot-generate, 0.0% requires-custom. Each row below is graded against the four-level Sceptre rubric:
- ✅ CAN GENERATE — Feature ships in Archiet today.
- ⚠️ PARTIAL — Some aspects ship; some require custom work.
- ❌ CANNOT GENERATE — Not currently available in Archiet.
- 🔧 REQUIRES CUSTOM — Needs custom templates or manual implementation.
Coverage at a glance
- ✅ CAN GENERATE: 93.75% of in-scope concerns
- ⚠️ PARTIAL: 6.25%
- ❌ CANNOT GENERATE: 0.0%
- 🔧 REQUIRES CUSTOM: 0.0%
Customer-supplied components
The customer named the following components / capabilities. The support matrix below maps Archiet's coverage to the same shape:
- Patient encounter records
- Provider directory + scheduling
- BAA-tracked vendor flows
- PHI audit trail per CFR §164.312(b)
- Insurance claim submission
Architecture Principles
| Concern | Archiet support | Evidence |
|---|---|---|
| API-first + DDD service boundaries | ✅ CAN GENERATE | DDD patterns (entity, aggregate_root, value_object, domain_event, repository, query) implemented across all 12 stacks via stack renderers + multi-stack DDD templates. |
| OpenAPI-authoritative contract | ✅ CAN GENERATE | OpenAPI 3.1 spec is authoritative; routes generated from it; Pydantic / dataclass schemas track the spec. |
| Security by default | ✅ CAN GENERATE | JWT auth via httpOnly cookies, RBAC, encryption-at-rest config, audit trail capability when enabled. G01 OAuth provider chain (Google / GitHub / SAML / Okta / Azure AD / custom OIDC) ships per build. |
| ArchiMate motivation traceability | ✅ CAN GENERATE | ArchiMate motivation elements (Goal/Outcome/Requirement/Constraint/Principle) drive the genome. Each principle becomes ≥ 1 acceptance criterion. |
Multi-Tenancy + Auth
| Concern | Archiet support | Evidence |
|---|---|---|
| Workspace-scoped multi-tenancy + RLS | ✅ CAN GENERATE | Workspace-scoped models with workspace_id everywhere; RLS policies via the rls_policy_generator; Query.all() linter blocks unscoped queries. |
| Universal OAuth + SSO chain | ✅ CAN GENERATE | JWT auth via httpOnly cookies, RBAC, encryption-at-rest config, audit trail capability when enabled. G01 OAuth provider chain (Google / GitHub / SAML / Okta / Azure AD / custom OIDC) ships per build. |
Audit + Observability
| Concern | Archiet support | Evidence |
|---|---|---|
| Tamper-evident audit log | ✅ CAN GENERATE | G05 audit_log_reader generator emits append-only, hash-chained audit_events with /api/audit/events + /api/audit/verify routes; Postgres trigger blocks UPDATE/DELETE; SIEM exporters for Splunk / Datadog / CloudWatch. |
| Structured logs + APM integrations | ✅ CAN GENERATE | Templates for Datadog, New Relic, Sentry, Honeycomb. Structured logging (JSON + request_id correlation) baked into every stack. |
| Acceptance-criteria quality gate | ✅ CAN GENERATE | Acceptance-criteria runner (static + dynamic tier) measures behavioural correctness; nightly benchmark publishes pass-rates per (solution × stack) at /benchmark; > 5pp regression alarms via the nightly task. |
Compliance Overlays
| Concern | Archiet support | Evidence |
|---|---|---|
| HIPAA Security Rule package | ✅ CAN GENERATE | C01 HIPAA overlay emits compliance/hipaa/{control_matrix.md, baa_tracking.md, risk_assessment.md, breach_notification_runbook.md, phi_data_flow.mmd} + phi_audit_decorator + phi_field_registry. |
Capabilities
| Concern | Archiet support | Evidence |
|---|---|---|
| Payments orchestration | ✅ CAN GENERATE | G02 payment_orchestration generator: Stripe / Paystack / Flutterwave / Paddle / iDEAL / ACH adapters; SCA / 3DS handling; webhook idempotency; subscription lifecycle (start / pause / cancel / dunning); per-tenant credentials via IntegrationCredential. |
| Saga / outbox / compensating tx | ✅ CAN GENERATE | G07 saga + outbox + compensating-transactions generator emits the long-running cross-service workflow scaffold with tracked saga state, outbox pattern for at-least-once event publication, and compensating actions for failed steps. |
Integrations
| Concern | Archiet support | Evidence |
|---|---|---|
| Third-party vendor adapters | ✅ CAN GENERATE | Integration templates ship for: Twilio, SendGrid, Stripe. Each has a vendor adapter with auth model, retry/backoff, circuit breaker; per-tenant credentials via IntegrationCredential.config_json. |
Stack + Delivery
| Concern | Archiet support | Evidence |
|---|---|---|
| Production stack support | ✅ CAN GENERATE | Stack flask is one of the 12 production-tier stacks. DDD templates, capability injection, and compliance overlays all wire into this stack. |
| CI/CD + IaC | ✅ CAN GENERATE | .github/workflows/deploy.yml + Docker + docker-compose. Terraform / Kubernetes manifests / Helm charts available where the stack supports them. Wiring guard + contamination detector + secrets-scan run in CI. |
| White-label / agency tier | ⚠️ PARTIAL | Generated apps support per-workspace branding (logo, colors, typography); white-label API for consultancies to ship under their own brand is in-flight per the enterprise-lane plan (M04). |
Recommendation
Archiet covers 93.75% of the in-scope architecture concerns directly. The customer can adopt Archiet as the primary codegen platform; the remaining 6.25% of concerns are either partial (they degrade cleanly) or wrap-around custom code the customer plugs in alongside the generated app.
Recommended adoption roadmap (30 / 60 / 90 days)
- Now (week 1): Generate the covered surface — adopt the 93.75% Archiet produces directly and stand up the running application as the integration baseline.
- Next (30–60 days): Implement the High-severity gap items above as custom modules against the generated contracts; prioritize auth, multi-tenancy, and any compliance-driven controls first.
- Later (60–90 days): Close the Medium-severity custom items, automate evidence collection in CI, and re-run this audit to track gap closure quarter over quarter.
Audit produced by the Archiet customer audit factory. The same factory is available to the customer's procurement team — the report you're reading was generated deterministically from the customer profile above and can be regenerated against any future Archiet release to track gap closure.