Enabling Access to U.S. Medical Expertise for Patients Worldwide
Designed the MVP, real-time consultation system, and admin workflows in Phase 1, then scaled to HIPAA and SOC 2 compliance in Phase 2 without disrupting the core architecture.
CLIENT | OUR EXPERT DOC
Business Problem

Enable global access to expert second opinions from U.S.-based specialists, especially for patients in developing countries, through secure, HIPAA- and SOC 2-compliant remote consultations.

Output By Tintash

Built and scaled a global second-opinion telehealth platform - launching the MVP and achieving full HIPAA and SOC 2 compliance through an automated AWS framework.

Impact For Client

Enabled a secure market launch, seamless audit approval, and scalable trust with global healthcare partners.

Client's brief background and business problem

OurExpertDoc is a U.S.-based second-opinion telehealth platform founded to make American board-certified specialists accessible to patients worldwide, especially in regions with limited access to U.S.-licensed physicians. The vision was to deliver specialist consultations and expert guidance across fields like dermatology, oncology, pulmonology, and endocrinology, without insurance hurdles or long wait times.


To succeed, the founders needed more than just a digital platform. They required:

  • Secure, asynchronous consultations across web and mobile
  • HIPAA and SOC 2 compliance for handling PHI and doctor communications
  • Transparent pricing and international payments
  • A seamless user experience for both patients and doctors

The challenge was twofold: design a scalable, feature-rich telehealth platform while also making it audit-ready for HIPAA and SOC 2 in order to support growth and partnerships. Tintash was brought on not just as builders, but as strategic product and compliance collaborators.


Output by Tintash

Tintash partnered with OurExpertDoc from the ideation stage to build the platform from the ground up. We worked across discovery, product design and engineering to deliver a modular system that could scale globally.



Phase 1: Feature-Rich Telehealth Platform

1. Discovery & Roadmapping

Defined workflows, user roles, and infrastructure for an MVP that could later support full HIPAA and SOC 2 integration without architectural overhauls.


2. Real-Time Consultation Interface

Built a secure chat system for report uploads, file sharing, and notifications - creating a personal, responsive consultation experience.


3. Doctor Search & Filtering

Enabled patients to filter by specialty or doctor, view credentials and fees, and book directly.


4. Comprehensive Doctor Onboarding

Developed a credentialing workflow for U.S.-licensed physicians, with admin tools for review and approval.


5. Structured Patient History Submission

Designed guided forms to improve accuracy and reduce back-and-forth.


6. Role-Based Admin Panel

Built dashboards with granular permissions so admins could manage operations without accessing PHI, preserving HIPAA boundaries.


Phase 2: Audit-Ready Infrastructure for HIPAA & SOC 2 Compliance

To support a third-party audit and build long-term trust with patients and partners, Tintash led a comprehensive compliance initiative for the AWS-hosted platform. This phase focused on protecting PHI, strengthening operational security, and automating evidence management for continuous compliance.


Compliance Approach Using Drata

Tintash implemented Drata to streamline audit readiness and ongoing monitoring, enabling continuous visibility into compliance posture.


Key Activities

  • Automated gap analysis against HIPAA and the SOC 2 Trust Services Criteria
  • Mapped controls to AWS infrastructure and Bitbucket repos for full traceability and evidence automation
  • Automated evidence collection for IAM configs, access reviews, and encryption logs
  • Wazuh-based file integrity monitoring on production servers, with integrated review processes for deployments
  • Aligned policy frameworks with NIST SP 800-53 and HITRUST CSF
  • Integrated real-time monitoring and alerting through AWS Security Hub and CloudTrail
  • Established incident response and business continuity protocols linked to Drata

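The file integrity checks in the list above rest on one mechanism: fingerprint every file on the host, then compare later snapshots against that baseline. The following is an added example, not Tintash's or OurExpertDoc's code, and not Wazuh itself (whose syscheck module does this job on the production servers, with agents, alerting and a central manager on top). It shows the core in plain Python. The sample files and paths are constructed in a temporary directory so that it runs offline.

```python
"""Core of a file integrity check: fingerprint every file under a root
(SHA-256, permission bits, owner, size), then diff a later snapshot against
that baseline to surface added, removed and modified files.

Added example, not the project's code. Wazuh's syscheck performs the same
comparison on the production hosts. The files below are constructed in a
temporary directory; every path and value is illustrative only.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata a FIM tool compares (mode, uid, size)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def snapshot(root):
    """Map of relative path -> fingerprint for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):   # real FIM tools record symlinks too; skipped here
                continue
            snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap


def diff(baseline, current):
    """Added/removed paths and, for common paths, every attribute that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = {k: (baseline[rel][k], current[rel][k])
                   for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def write(root, rel, text, mode=0o644):
    """Helper for the constructed sample tree: write a file with an explicit mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, mode)


def demo():
    """Build a baseline, simulate tampering, and return the diff report."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/app.conf", "db_host=db.internal\n", 0o640)
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        write(root, "etc/ssl/old.key", "-----BEGIN PRIVATE KEY-----\n", 0o600)
        baseline = snapshot(root)

        # Four changes an attacker or a careless deploy might make. The edited
        # config keeps the same byte length, so only the hash reveals it.
        write(root, "etc/app.conf", "db_host=203.0.113.9\n", 0o640)   # content edited
        os.chmod(os.path.join(root, "etc/hosts"), 0o666)               # made world-writable
        os.remove(os.path.join(root, "etc/ssl/old.key"))               # key deleted
        write(root, "etc/cron.d/persist", "* * * * * root /tmp/x\n")  # new file dropped

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The report distinguishes a content change from a permission change, which matters in practice: a world-writable /etc/hosts is a finding even though its contents are untouched, and an edited config that keeps its size is caught only by the hash.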
This approach accelerated audit readiness and reduced future audit prep time by over 40%.


Technical Implementation on AWS

The compliance-ready infrastructure was deployed using HIPAA-eligible AWS services within a secure, isolated VPC framework - ensuring confidentiality, integrity, and availability of Protected Health Information (PHI).


Security & Data Protection

  • Enforced encryption at rest (S3, RDS, EBS via KMS) and in transit (TLS 1.2+)
  • Protected internal communication with AWS PrivateLink and VPC isolation
  • Implemented KMS key rotation and audit logging per the HIPAA Security Rule technical safeguards (45 CFR 164.312) and SOC 2 CC6.1

Identity & Access Management

  • Applied least-privilege RBAC with mandatory MFA and resource tagging
  • Aggregated CloudTrail, Config, GuardDuty, and Security Hub logs into a centralized SIEM integrated with Drata
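The data-protection and IAM controls listed above are the kind of thing a continuous-compliance tool evaluates on every run: is default encryption on the PHI buckets SSE-KMS, does the bucket policy reject plaintext and pre-1.2 TLS, are EBS and RDS storage encrypted, is KMS rotation on, does every console user have MFA. The following is an added example, not Tintash's or the client's code and not Drata's, written in Python the way an AWS Config custom rule or a custom Drata-style test would be. The inventory is constructed by hand (bucket, volume, key and user names are invented) and mirrors the shape of the corresponding boto3 responses, so the script runs offline; in production the same dicts would be filled from get_bucket_encryption, get_bucket_policy, describe_volumes, describe_db_instances, get_key_rotation_status and list_mfa_devices.

```python
"""Evaluate a sample of the HIPAA/SOC 2 technical controls (SSE-KMS default
encryption on S3, TLS 1.2+ enforced by bucket policy, encrypted EBS and RDS
storage, KMS automatic rotation, MFA on console users) over resource
descriptions shaped like boto3 responses.

Added example, not the project's code. INVENTORY is constructed; all names
are invented.
"""


def _as_list(x):
    return x if isinstance(x, list) else [x]


def s3_tls_policy_ok(policy):
    """True only if the policy denies both non-TLS and TLS < 1.2 requests to everyone."""
    denies_plaintext = denies_old_tls = False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            denies_plaintext = True
        if float(cond.get("NumericLessThan", {}).get("s3:TlsVersion", 0)) >= 1.2:
            denies_old_tls = True
    return denies_plaintext and denies_old_tls


def evaluate(inv):
    """Return (service, resource, problem) tuples; an empty list means every check passed."""
    findings = []
    for b in inv["s3_buckets"]:
        rules = b["encryption"]["ServerSideEncryptionConfiguration"]["Rules"]
        algorithms = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
        if "aws:kms" not in algorithms:   # SSE-S3 (AES256) is not a customer-managed KMS key
            findings.append(("s3", b["Name"], "default encryption is not SSE-KMS"))
        if not s3_tls_policy_ok(b["policy"]):
            findings.append(("s3", b["Name"], "policy does not enforce TLS 1.2+"))
    for v in inv["ebs_volumes"]:
        if not v.get("Encrypted"):
            findings.append(("ebs", v["VolumeId"], "volume is not encrypted"))
    for db in inv["rds_instances"]:
        if not db.get("StorageEncrypted"):
            findings.append(("rds", db["DBInstanceIdentifier"], "storage is not encrypted"))
    for k in inv["kms_keys"]:
        if not k["rotation"].get("KeyRotationEnabled"):
            findings.append(("kms", k["KeyId"], "automatic rotation is disabled"))
    for u in inv["iam_users"]:
        if u["has_console_password"] and not u["MFADevices"]:
            findings.append(("iam", u["UserName"], "console user without MFA"))
    return findings


def tls_policy(bucket, minimum_version=None):
    """Bucket policy denying plaintext access and, optionally, TLS below minimum_version."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*", "Resource": resources,
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]
    if minimum_version:
        statements.append({"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
                           "Action": "s3:*", "Resource": resources,
                           "Condition": {"NumericLessThan": {"s3:TlsVersion": minimum_version}}})
    return {"Version": "2012-10-17", "Statement": statements}


def sse_config(algorithm, key_id=None):
    """Shape of a get_bucket_encryption response for one default-encryption rule."""
    rule = {"SSEAlgorithm": algorithm}
    if key_id:
        rule["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}}


# Constructed inventory: one compliant and one non-compliant resource per check (invented names).
INVENTORY = {
    "s3_buckets": [
        {"Name": "phi-uploads", "encryption": sse_config("aws:kms", "key-phi"),
         "policy": tls_policy("phi-uploads", 1.2)},
        {"Name": "static-assets", "encryption": sse_config("AES256"),
         "policy": tls_policy("static-assets")},
    ],
    "ebs_volumes": [{"VolumeId": "vol-app", "Encrypted": True, "KmsKeyId": "key-phi"},
                    {"VolumeId": "vol-scratch", "Encrypted": False}],
    "rds_instances": [{"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True, "KmsKeyId": "key-phi"}],
    "kms_keys": [{"KeyId": "key-phi", "rotation": {"KeyRotationEnabled": True}},
                 {"KeyId": "key-legacy", "rotation": {"KeyRotationEnabled": False}}],
    "iam_users": [{"UserName": "dr-admin", "has_console_password": True,
                   "MFADevices": [{"SerialNumber": "arn:aws:iam::000000000000:mfa/dr-admin"}]},
                  {"UserName": "ops-contractor", "has_console_password": True, "MFADevices": []}],
}

if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print("FAIL %-4s %-15s %s" % finding)
```

Two details are worth noting. A policy that only denies `aws:SecureTransport = false` still admits TLS 1.0 and 1.1, which is why the check also requires a `NumericLessThan` on `s3:TlsVersion`; and `AES256` (SSE-S3) counts as a finding because the control as stated is KMS-backed encryption with rotation, not merely encryption.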

Network Security

  • Used private subnets and VPN for isolation
  • Deployed AWS WAF for request filtering and AWS Shield for DDoS protection
  • Automated drift detection with AWS Config

Availability & Recovery

  • Multi-AZ deployments for redundancy and uptime
  • Automated backups with lifecycle management and CloudWatch health monitoring

Operational Controls

  • Automated change approvals and deployments via Bitbucket Pipelines
  • Integrated email-based incident alerts and Amazon Inspector for vulnerability scans
  • Linked all evidence and control mappings to Drata for full audit traceability

Impact for Client

The platform delivered measurable business and user impact:

  • Global Accessibility: Patients worldwide can now obtain expert second opinions from U.S. specialists.
  • Regulatory Confidence: Achieved full HIPAA and SOC 2 compliance with zero major audit findings.
  • Operational Empowerment: Admin teams handle onboarding and refunds independently while maintaining data boundaries.
  • Efficiency & Scalability: Established a repeatable framework for continuous compliance and secure future expansion on AWS.

Created and Developed by
bm