HEALTHCARE WORKFLOW SYSTEMS

US private practices with a 20-30% no-show rate and no automated recall for annual visits are losing patients to telehealth and direct primary care -- the recall system is the retention system

We build HIPAA-compliant patient workflow systems for US private practices -- automated recall for preventive care, HIPAA-compliant communication tools with BAA coverage, post-appointment satisfaction surveys, and insurance pre-authorisation tracking workflows.

This is for you if

This is for owners and practice managers of US private healthcare practices who are managing patient retention and compliance workflows with tools that were not built for healthcare.

You run a primary care, specialist, or allied health private practice in the US with a no-show rate above 15%

Your practice has patients overdue for annual wellness visits, preventive screenings, or chronic disease management checks who are not being recalled

Your patient communication tools include standard Gmail, vanilla Calendly, or Google Forms -- none of which have a Business Associate Agreement in place

Your insurance pre-authorisation tracking is managed in a spreadsheet with no automated task or deadline system

Post-ACA competition from telehealth providers and direct primary care models is affecting your new patient acquisition and retention

You are collecting no structured patient satisfaction data after appointments and have no system in place for CAHPS-aligned feedback

What's Broken

Patient recall system absent for annual preventive care

US primary care and specialist practices have patients overdue for annual wellness visits, mammograms, colonoscopies, or HbA1c checks who are receiving no automated recall. The practice is not proactively re-engaging patients who are eligible for preventive care billing codes (AWV, CPT 99381-99397, HEDIS measure-eligible preventive screenings). Every unreached patient represents both a missed revenue opportunity -- Annual Wellness Visits are reimbursed by Medicare and most commercial payers -- and a quality-of-care gap. Practices with active recall systems recapture a significant proportion of patients who would otherwise transition to telehealth, direct primary care, or simply lapse without seeking care.

HIPAA-non-compliant communication tools in use

US practices are using standard Gmail, Google Forms, vanilla Calendly, and Typeform to communicate with patients about their health information. None of these tools have a Business Associate Agreement (BAA) in place in their standard commercial configurations. Every patient intake form submitted through an unprotected Google Form, every appointment confirmation email containing a diagnosis or treatment detail sent through standard Gmail, and every scheduling link shared through vanilla Calendly without a BAA is a potential HIPAA violation. The risk is not theoretical: HHS Office for Civil Rights HIPAA enforcement actions regularly target small private practices for exactly this category of violation. Moving to HIPAA-compliant tools -- Kareo, Athenahealth, Jane App with US HIPAA BAA, SimplePractice, or other covered platforms -- eliminates the exposure.

No automated post-appointment patient satisfaction survey

US practices subject to CMS CAHPS surveys or seeking to track patient satisfaction scores have no system collecting structured feedback after each visit. Manual patient satisfaction collection -- paper forms at the front desk, verbal feedback, or no collection at all -- produces data that is not actionable, not comparable over time, and not useful for identifying specific experience gaps. An automated post-appointment survey sent via HIPAA-compliant SMS or email 48 hours after the appointment, using a standardised question set aligned with CAHPS dimensions, produces consistent data that can be tracked by practitioner, by appointment type, and by month. The 48-hour delay is optimal for response rate -- the experience is recent enough to be recalled accurately but the immediate post-appointment pressure has passed.

Insurance pre-authorisation workflow manual and inconsistent

US specialist practices requiring insurance pre-authorisation before procedures are managing pre-auth tracking in a spreadsheet. Pre-auth status is updated manually by the staff member who most recently called the insurance company. Deadlines for pre-auth submission and follow-up are tracked in a shared calendar with no automation. When a staff member is absent, the pre-auth tracking falls behind. Pre-auth denials that require appeal are managed through the same manual process. The result is that pre-auth statuses are not consistently current, some pre-auths are missed, and the practice has no systematic data on pre-auth approval rates by payer or procedure type.

What we engineer

We build HIPAA-compliant patient workflow systems for US private practices using practice management platforms that carry a BAA and automation tools configured for HIPAA-compliant data handling.

HIPAA-compliant patient recall sequences

Automated recall messages for annual preventive care, chronic disease management follow-up, and specialist follow-up, sent through a HIPAA-compliant communication platform with BAA coverage. Triggered by last visit date, diagnosis code, and eligible preventive care interval. Recall messages reference no PHI in the message body; they use generalised language ("It may be time for your annual visit") and direct the patient to call or book online.

HIPAA-compliant communication tool audit and migration

A review of all current patient communication tools -- scheduling, intake, reminder, and follow-up -- against HIPAA BAA requirements. Identification of non-compliant tools. A migration path to HIPAA-compliant replacements with BAA documentation.

Post-appointment patient satisfaction survey

An automated HIPAA-compliant survey sent 48 hours after each appointment through a covered communication channel. Question set aligned with CAHPS dimensions. Results tracked by practitioner, appointment type, and month. Dashboard visible to the practice manager and principal.

Insurance pre-authorisation tracking workflow

A structured workflow system for pre-auth management built in a HIPAA-compliant project management or CRM tool. Each pre-auth request is tracked from submission to decision with a clear status field, deadline, responsible staff member, and escalation trigger. Automated task creation when a new pre-auth is required. Automated deadline reminders sent to the responsible staff member. Pre-auth approval rate tracked by payer and procedure type.

Preventive care billing opportunity tracking

A dashboard showing patients eligible for Annual Wellness Visit, transitional care management, or chronic care management billing codes who have not yet been scheduled, based on last visit date and diagnosis data from the practice management system.

What Changes

Before: Patients overdue for annual preventive care receive no contact; they lapse or move to telehealth
After: Recall messages go out automatically for every patient approaching their annual visit interval; Annual Wellness Visit scheduling increases

Before: Patient communications sent through Gmail and Google Forms carry HIPAA violation exposure
After: All patient communication tools have BAA coverage; HIPAA compliance exposure is eliminated for communication workflows

Before: Patient satisfaction data is collected informally or not at all; no trend data exists
After: Post-appointment satisfaction surveys run automatically; monthly CAHPS-aligned data is available by practitioner and appointment type

Before: Pre-auth tracking is in a spreadsheet; status is current only when someone updates it manually
After: Pre-auth status is updated by the workflow system; deadlines trigger automated reminders; no pre-auth falls through because of staff absence

Before: Preventive care billing opportunities are missed because no system identifies overdue patients proactively
After: The preventive care opportunity dashboard shows the practice manager which patients to prioritise for outreach each week

How it works

Process

  1. Compliance and workflow audit (Week 1)

    We review all current patient communication tools for HIPAA BAA status. We map the existing recall process, pre-auth tracking process, and satisfaction collection process. We produce a priority list: what creates compliance risk and what creates revenue loss.

  2. HIPAA-compliant tool selection (Week 2)

    We assess the practice's current practice management platform -- Kareo, Athenahealth, Practice Fusion, or Jane App -- and identify whether the existing platform supports the required workflows with BAA coverage, or whether supplementary tools are required. We produce a tool recommendation with BAA confirmation for each tool.

  3. Workflow build (Weeks 3-5)

    We build the recall sequences, configure the pre-auth tracking workflow, set up the post-appointment satisfaction survey, and build the preventive care billing opportunity dashboard. All workflows are built in HIPAA-compliant tools with BAA documentation maintained.

  4. BAA documentation and compliance review (Week 6)

    We compile BAA documentation for all tools in the workflow system. We review the system against HIPAA Security Rule requirements for electronic PHI handling. We produce a compliance documentation package for the practice's records.

  5. Staff training (Week 7)

    We train the practice manager, billing staff, and front desk on the new workflow tools. Training covers pre-auth tracking, recall management, survey result review, and what to do if a patient opts out of automated communication.

  6. Performance review (Month 3)

    Three months after go-live, we review Annual Wellness Visit capture rates, patient satisfaction survey response rates, pre-auth denial rates, and compliance documentation currency.

Common questions

FAQ

What HIPAA-compliant practice management tools should a US private practice use for patient communication?

HIPAA-compliant patient communication tools for a US private practice must have a signed Business Associate Agreement (BAA) in place between the tool vendor and the covered entity (the practice). Tools that provide BAAs for healthcare practices include Kareo (patient messaging and appointment reminders with BAA), Athenahealth (integrated communication with BAA), Jane App (US market version with HIPAA BAA for SMS and email communication), SimplePractice (for mental health and allied health practices, with BAA), Klara (patient messaging platform for specialty practices, HIPAA-compliant with BAA), and Spruce Health (HIPAA-compliant SMS, phone, and secure messaging for small practices). For scheduling, Acuity Scheduling (a Squarespace company) offers a HIPAA-compliant plan with BAA; Calendly offers a HIPAA-compliant version at enterprise tier with BAA. Standard commercial Gmail, Google Workspace for healthcare (with BAA signed through the Google Workspace Admin console), or Microsoft 365 (with BAA signed through the Microsoft health industry agreement) can be HIPAA-compliant for email but require the BAA to be formally executed -- using a personal Gmail account or an organisational Google Workspace account without a signed BAA in place is non-compliant for PHI transmission.

How do I build a HIPAA-compliant automated recall system for annual preventive care in a US primary care practice?

A HIPAA-compliant automated recall system for annual preventive care in a US primary care practice is built by extracting last visit dates and eligible preventive care intervals from the practice management system (Kareo, Athenahealth, or similar), identifying patients who are 30-60 days from their annual visit due date, and triggering a recall message through a HIPAA-compliant communication platform with BAA coverage. The recall message itself must be carefully written to avoid including PHI in the message body -- the message should not name a specific diagnosis, test, or condition. A compliant recall message says something like "It may be time to schedule your annual visit with [Practice Name]. Call us at [number] or book online at [booking link]." The message does not reference the specific preventive care type, the patient's diagnosis, or any clinical detail. If the patient does not respond within 14 days, a second message is sent. The system tracks response and booking rates by patient cohort, allowing the practice to measure the revenue impact of the recall programme on Annual Wellness Visit capture rates and applicable preventive care billing codes.
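The selection and messaging rules in this answer, sketched in Python as an added example (not code from any practice management platform). The Patient fields, the 365-day interval and the field allowlist are assumptions; the allowlist is what keeps clinical data out of the message body even if someone later edits the template.

```python
from dataclasses import dataclass
from datetime import date
from string import Formatter
from typing import Optional

# Assumed allowlist: only non-clinical merge fields may appear in a recall message.
ALLOWED_FIELDS = {"practice_name", "phone", "booking_link"}
TEMPLATE = ("It may be time to schedule your annual visit with {practice_name}. "
            "Call us at {phone} or book online at {booking_link}.")

@dataclass
class Patient:  # hypothetical export row from the practice management system
    patient_id: str
    last_annual_visit: date
    first_sent: Optional[date] = None
    second_sent: Optional[date] = None
    booked: bool = False
    opted_out: bool = False

def render(template: str, **fields: str) -> str:
    """Render a message, refusing any template field outside the allowlist."""
    used = {name for _, name, _, _ in Formatter().parse(template) if name is not None}
    extra = used - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"template uses non-allowlisted fields: {sorted(extra)}")
    return template.format(**{k: fields[k] for k in used})

def recall_action(p: Patient, today: date, interval_days: int = 365) -> Optional[str]:
    """Return 'first', 'second' or None for one patient on a given day."""
    if p.opted_out or p.booked or p.second_sent is not None:
        return None
    if p.first_sent is not None:
        # No response within 14 days of the first message: send the second.
        return "second" if (today - p.first_sent).days >= 14 else None
    days_to_due = (p.last_annual_visit - today).days + interval_days
    return "first" if 30 <= days_to_due <= 60 else None

def daily_batch(patients, today: date, **fields: str):
    """List of (patient_id, action, message body) to hand to the BAA-covered sender."""
    body = render(TEMPLATE, **fields)  # identical text for every patient, no PHI merged
    return [(p.patient_id, a, body) for p in patients if (a := recall_action(p, today))]
```

Diagnosis codes and visit types stay on the selection side; nothing in `daily_batch` can pass them to the sender.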

How do I set up a HIPAA-compliant post-appointment patient satisfaction survey for a US private practice?

A HIPAA-compliant post-appointment patient satisfaction survey for a US private practice is sent through a communication platform with BAA coverage -- options include Klara, Spruce Health, or a HIPAA-compliant email platform such as Google Workspace with signed BAA. The survey is triggered 48 hours after the appointment is marked complete in the practice management system. The survey uses a standardised question set drawn from CAHPS (Consumer Assessment of Healthcare Providers and Systems) dimensions: communication quality, staff courtesy, facility experience, ease of scheduling, and overall experience rating. Survey responses are stored in a HIPAA-compliant data environment -- not in a standard Google Form without BAA. The results are aggregated in a dashboard that shows average scores by practitioner, by appointment type, and by month. For practices subject to CMS Merit-based Incentive Payment System (MIPS) measurement, structured patient satisfaction data is relevant to the Improvement Activities performance category. For practices not subject to MIPS, the data is used internally for practitioner performance review and operational improvement.

How do I build an insurance pre-authorisation tracking workflow for a US specialist practice?

An insurance pre-authorisation tracking workflow for a US specialist practice is built as a structured task management system in a HIPAA-compliant platform -- options include a HIPAA-configured Asana workspace (with BAA at Business tier), a HIPAA-compliant Salesforce Health Cloud instance, or a custom Airtable base with HIPAA BAA in place. Each pre-auth request is a record in the system with fields for: patient name and date of birth, procedure code (CPT), diagnosis code (ICD-10), payer name and plan, date of submission, submitted by, pre-auth reference number, status (submitted, pending, approved, denied, appeal in progress), approval or denial date, appeal deadline, and responsible staff member. When a new pre-auth request is required -- triggered either by a new appointment being booked that requires pre-auth, or by a clinical team request -- the system creates a task with a submission deadline. When the pre-auth is submitted, the record is updated and a follow-up task is created for 5 business days later. When an approval or denial is received, the record is updated and the patient and clinical team are notified through the practice management system. Denied pre-auths trigger an appeal task with a deadline calculated from the denial date. The dashboard shows all open pre-auths, their current status, their deadline, and the responsible staff member.
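The status and task rules in this answer, sketched in Python as an added example (not code from Asana, Salesforce or Airtable). The "not submitted" state, the record_id field and the 30-day appeal window are assumptions; patient identifiers are left out of the sample record on purpose.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Status values from the answer above; "not submitted" is an added pre-submission state.
TRANSITIONS = {
    "not submitted": {"submitted"},
    "submitted": {"pending", "approved", "denied"},
    "pending": {"approved", "denied"},
    "denied": {"appeal in progress"},
    "appeal in progress": {"approved", "denied"},
    "approved": set(),
}

def add_business_days(start: date, n: int) -> date:
    """Step forward n weekdays (Mon-Fri); public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

@dataclass
class PreAuth:  # hypothetical record; a real one carries the full field list above
    record_id: str
    cpt: str
    payer: str
    owner: str
    status: str = "not submitted"
    tasks: list = field(default_factory=list)  # (description, due date, owner)

def advance(pa: PreAuth, new_status: str, on: date, appeal_window_days: int = 30) -> PreAuth:
    """Apply one status change and create the follow-up task that change requires."""
    if new_status not in TRANSITIONS.get(pa.status, set()):
        raise ValueError(f"{pa.record_id}: {pa.status!r} -> {new_status!r} is not allowed")
    pa.status = new_status
    if new_status == "submitted":
        pa.tasks.append(("follow up with payer", add_business_days(on, 5), pa.owner))
    elif new_status == "denied":
        # Appeal windows are payer-specific; 30 days is a placeholder, not a payer rule.
        pa.tasks.append(("file appeal", on + timedelta(days=appeal_window_days), pa.owner))
    return pa

def open_preauths(records):
    """Dashboard view: every record that has not reached 'approved'."""
    return [(r.record_id, r.status, r.tasks[-1][1] if r.tasks else None, r.owner)
            for r in records if r.status != "approved"]
```

Rejecting status changes that skip a step is what keeps the record trustworthy when a different staff member picks it up.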

What is a Business Associate Agreement (BAA) and which practice management tools provide one for US healthcare providers?

A Business Associate Agreement (BAA) is a legally required contract under HIPAA between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and any vendor or subcontractor -- a Business Associate -- who creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. HIPAA requires that a BAA be in place before PHI is shared with any third-party tool or vendor. Without a BAA, using a third-party tool to process, store, or transmit PHI is a HIPAA violation regardless of how secure the tool is. Practice management tools that provide BAAs for covered healthcare providers include Kareo, Athenahealth, Practice Fusion, AdvancedMD, DrChrono, SimplePractice, TherapyNotes, and Jane App (US version). Communication tools that provide BAAs include Klara, Spruce Health, Luma Health, and Solutionreach. Cloud storage and productivity tools that provide BAAs include Google Workspace (via the Google Workspace for Healthcare BAA in the Admin console, available on Business Starter tier and above) and Microsoft 365 (via the Microsoft Products and Services Data Protection Addendum, which serves as the BAA for Microsoft cloud services). A BAA is not a one-time document -- it must be maintained, updated when vendor services change, and terminated if the vendor relationship ends. Practices should maintain a BAA log listing every vendor handling PHI and the status of the BAA with each.

Start here

US private practices are operating in the most competitive and most regulated private healthcare market in the world. Telehealth providers are acquiring patients with lower friction. Direct primary care models are taking panel patients with flat-fee pricing. And traditional private practices are managing patient recall in their heads, tracking pre-auth in a spreadsheet, and sending intake forms through Google Forms without a BAA in place. The workflow system that addresses this is not a luxury. The HIPAA compliance gap is a current risk. The absent recall system is current revenue loss. The missing satisfaction data is a blind spot in practice management. If your private practice has more than 200 active patients and no automated recall system and no HIPAA BAA audit in the past 12 months, a healthcare workflow audit will show you exactly what needs to change.