Topical cluster

Healthcare & Compliance

Patterns from shipping compliant apps without a dedicated compliance team. Audit logging, PHI boundaries in App Router, GDPR and CCPA gaps DTC operators miss, and the integration architecture behind regulated healthcare e-commerce. Everything genericized; no client-identifying detail.

12 posts. For: Healthcare CTOs and compliance-adjacent engineering leads

Go deeper

Third-party scripts and the HIPAA risk nobody reads

HEALTHCARE·APR 23·12 MIN

Every healthcare site has a script nobody remembers adding. Why it matters: the OCR bulletin, supply chain risk, and what the privacy policy hides.

A compliance-aware tooling stack for solo operators

HEALTHCARE·APR 23·10 MIN

Field notes from picking tools when one bad vendor choice sinks a regulated build. The rules I use, the categories I stack, and the stack I actually run.

Session and token rotation patterns for healthcare apps

HEALTHCARE·APR 23·13 MIN

A working pattern for session and refresh token rotation in regulated apps: sliding sessions, reuse detection, and the rotation that satisfies automatic logoff.

Running analytics on a regulated site when GA4 is off the table

HEALTHCARE·APR 23·11 MIN

Three patterns for regulated analytics without GA4: server-side measurement, first-party warehouse, and privacy-safe replay. The boundary is architecture.

PHI boundaries across the Next.js App Router's four surfaces

HEALTHCARE·APR 23·12 MIN

Three PHI-boundary patterns for the Next.js App Router, covering server components, client components, server actions, and route handlers, with the code that enforces them.

Logging production errors in a Next.js app without leaking PHI

HEALTHCARE·APR 23·13 MIN

Three patterns for logging errors in Next.js apps without leaking PHI: redact at the emitter, log error IDs instead of bodies, and use BAA-covered sinks. With example code.

UX patterns for regulated ecommerce checkout flows

HEALTHCARE·APR 23·12 MIN

Three UX patterns for healthcare e-commerce checkouts that split commerce from clinical data, stay Shopify-friendly, and survive the audit they were designed for.

GDPR and CCPA gaps most DTC operators quietly miss

HEALTHCARE·APR 23·10 MIN

The GDPR and CCPA gaps most DTC operators miss: silent consent defaults, server-side sharing that is treated as a sale, data-subject request workflows, and consent-as-state.

Consent capture patterns for regulated intake flows

HEALTHCARE·APR 23·11 MIN

Three anonymized instances of consent capture in regulated intake flows, the event-based pattern that survives policy changes, and what it looks like in Postgres.

Evaluating BAAs and vendor risk for a small team

HEALTHCARE·APR 23·11 MIN

A 10-point BAA and vendor-evaluation checklist for healthcare that I run before any new integration touches a regulated stack, with the questions that actually block a merge.

Audit logging patterns for regulated Next.js apps

HEALTHCARE·APR 23·13 MIN

A walkthrough of audit logging for healthcare Next.js apps: an append-only Postgres table, a server-action writer, and the pieces that keep it tamper-evident.

Put this to work

HIPAA-aware Next.js, audit trails, and regulated DTC patterns.

See the compliant-delivery case studies

Let’s fix some problems.

Instead of briefing four vendors, you work with one person across brand, code, infrastructure, compliance, and growth. You get dated receipts, published pricing, and an agent library you own after the engagement ends. You work with me directly. That’s kind of the whole point.

Or email directly: hello@michaeldishmon.com