§ 01 · Healthcare · Full-time · Late 2022
Patient messaging at Nicular
A two-month full-time role building HIPAA-compliant SMS and email reminders for clinician workflows.
Joined a small team at Nicular, a healthcare startup in Dallas, to contribute to the patient-messaging system in production at their clinic customers. My contribution: SMS and email integration through Vonage and GSuite, schema work for per-client communication data, and the HIPAA encryption work for the integrations I owned.
§ 02 - The problem
The problem
Clinics talk to their patients constantly: appointment reminders, refill notifications, follow-up communications. The work is high-volume, low-margin, and unforgiving of mistakes. A wrong message to a wrong patient is not just an embarrassment; under HIPAA, it's a reportable incident with real legal consequences.
Nicular built and operated patient-messaging infrastructure for clinic customers. Each clinic provided their own patient roster and contact preferences (SMS, email, or both); Nicular's system handled the delivery, the templating, the audit trail, and the compliance posture. My team's work was on the messaging delivery layer specifically: the part that takes a clinic-defined reminder schedule and turns it into actual sent messages, reliably, to the correct recipients.
§ 03 - The approach
The approach
The integration split was clean: Vonage for SMS, GSuite for email. Each clinic's patient roster lived in its own dedicated database, populated with the contact information the clinic provided and structured around their specific workflow needs. The communications framework that I contributed to was the layer above this: a reusable set of messaging primitives that different reminder workflows (appointments, refills, follow-ups) could share without each one re-implementing the basics.
The HIPAA-specific work I touched was on the encryption side: making sure data in transit and at rest matched the framework's standards. Some of that was real configuration work for the integrations I owned; some was just calling the right framework methods correctly. The deeper compliance design (recipient verification, audit trail integrity, the architectural decisions about what gets logged where) was owned by senior engineers on the team. I learned about that side of HIPAA by working alongside the patterns they'd established, not by designing them.
§ 04 - My role
My role
Joined as a software developer on the existing team. The role was fully remote. Two months total tenure.
Specifically:
Vonage and GSuite integration. Wrote and maintained the code paths that handed off composed messages to the SMS and email providers and processed the delivery responses.
Per-client database schema work. Designed schema additions for new clinic onboardings and contributed to existing clinics' schemas as their workflows evolved.
Communications framework contributions. Worked within the messaging primitives layer; not the primary author, but added pieces that other reminder workflows reused.
HIPAA encryption work. Configured the encryption framework for the integrations I owned, working within the patterns the senior engineers had established for compliance.
The architecture and overall direction of the messaging system were owned by senior engineers on the team. My contributions sat in the implementation and maintenance layer.
§ 05 - Outcome
Outcome
The work I contributed went into production. The bug fixes shipped, the new integrations worked, the schemas onboarded their clinics. Nothing I shipped went wrong in a way I'm aware of, which for HIPAA-adjacent code is the only outcome that matters.
What I took from the role was the rigor. HIPAA compliance forces a specific kind of attention: the audit trail is not optional, the failure modes are different, and the question "what happens if this message goes to the wrong person" has a real answer that has to be designed for, not bolted on. I came back to T&S after two months, but the rigor stuck. I think about logging, error handling, and recipient-state validation differently because of those two months.