'/%3e%3cpath%20d='M534.104%20592.554C517.522%20607.15%20492.036%20605.65%20479.37%20587.55C432.827%20521.038%20409.925%20440.343%20415.135%20358.545C420.344%20276.748%20453.298%20199.61%20507.904%20139.54C522.764%20123.194%20548.234%20124.939%20562.83%20141.521L608.023%20192.862C622.619%20209.444%20620.638%20234.536%20607.101%20251.994C581.387%20285.156%20565.941%20325.498%20563.237%20367.978C560.53%20410.458%20570.733%20452.433%20592.032%20488.59C603.245%20507.624%20602.027%20532.765%20585.445%20547.361L534.104%20592.554Z'%20fill='url(%23paint1_linear_154_257)'/%3e%3cpath%20d='M404.368%20499.661L455.381%20493.203L438.013%20356L387%20362.458L404.368%20499.661Z'%20fill='white'/%3e%3cpath%20d='M349%20408.709L355.956%20459.657L492.983%20440.947L486.026%20390L349%20408.709Z'%20fill='white'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_154_257'%20x1='170'%20y1='492.5'%20x2='449'%20y2='508.5'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%236648E0'/%3e%3cstop%20offset='1'%20stop-color='%23413AC9'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint1_linear_154_257'%20x1='429'%20y1='384'%20x2='549.5'%20y2='380.5'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%235B51FF'/%3e%3cstop%20offset='1'%20stop-color='%233428E6'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Lessons From Building a Solo Healthcare SaaS: What MealCircle Taught Me
First-person lessons from building MealCircle as a solo founder — HIPAA compliance tradeoffs, what to build vs buy, launch sequencing mistakes, and what I'd do differently.
Why I'm Publishing This
MealCircle is a retention-first clinical nutrition SaaS I built for dietitians — solo, from scratch, HIPAA-compliant, with multi-tenant architecture and EHR integration. It's the product I point to when Opexia clients ask whether I've actually shipped healthcare software myself.
This article is the honest version of what building it taught me — not a fundraising narrative, but a technical post-mortem written for engineers and founders who are about to do something similar.
What I Got Right
Starting with HIPAA architecture, not retrofitting it
The biggest risk in healthcare SaaS is building a functional product and then trying to bolt on HIPAA compliance before enterprise sales conversations. The compliance work changes the data model, the infrastructure design, and the third-party tool selection — retrofitting it is significantly more expensive than starting with it.
Every database table had a practice_id and row-level security from migration 1. CloudTrail was enabled before the first line of application code. AWS Secrets Manager was the only way credentials entered the system. See the HIPAA engineering checklist for the full architecture I started with.
Multi-tenant isolation at the database layer
I used PostgreSQL row-level security to enforce tenant isolation structurally — not just in application code. This means a code bug cannot leak cross-tenant data. Hospital security audits want to see this kind of structural isolation, not application-layer assertions. The full implementation is in the MealCircle multi-tenant database design article.
Building the retention model before the feature set
Most nutrition apps have meal logging. MealCircle's differentiation is adherence tracking and retention risk scoring. I built the data model for adherence before I built the meal logging UI. That sequencing forced every product decision to be evaluated against the retention thesis. Features that didn't generate adherence data got deprioritized.
What I Got Wrong
Delaying Stripe billing by three months
Covered in detail in the billing article, but the short version: billing delay creates technical debt and you lose three months of revenue data that would have informed pricing decisions earlier.
Over-engineering the analytics pipeline for v1
I built a full async analytics pipeline for the retention risk scores in v1 — Celery workers, Redis queue, the works. In practice, the scores only needed to refresh daily. A simple nightly cron job would have been fine for the first year. I spent 3–4 weeks on infrastructure that a pg_cron scheduled query would have handled.
Not setting clear EHR integration scope early enough
I spent two months evaluating Epic App Orchard before deciding to build against FHIR R4 with a middleware separation. That decision was correct, but I should have reached it in week one — the Epic App Orchard approval timeline makes it clear upfront that direct integration is a multi-month process. Adopting a middleware-first EHR strategy earlier would have freed that time for retention feature work.
The Build vs Buy Decisions
| Component | Decision | Rationale | |---|---|---| | Auth | Supabase Auth | HIPAA-eligible, saves weeks | | Payments | Stripe | PCI handled, webhook reliability | | Email | SendGrid (BAA) | HIPAA BAA available | | Infrastructure | AWS | HIPAA BAA, KMS, audit logging | | Database | PostgreSQL on RDS | Row-level security, familiar | | EHR integration | FHIR middleware pattern | Vendor-agnostic, scalable |
The common thread: buy anything that is a solved problem with a HIPAA BAA available. Build anything that is your core differentiation.
What This Means for Opexia Clients
Building and shipping MealCircle changes the conversations I have with Opexia clients. I'm not advising on healthcare SaaS architecture from theory — I've made the actual HIPAA trade-offs, hit the actual multi-tenant edge cases, and shipped the actual production system.
When a client asks whether custom PM software is the right investment, I can point them to the build vs buy framework and then to MealCircle as evidence that custom healthcare SaaS built right is a defensible, maintainable product — not an expensive one-off.
Visit mealcircle.co to see the product, or mealcircle.co/founding for the origin story.
If you're building a healthcare SaaS product and want a technical partner who has shipped one — start a conversation.
Related Service
Custom Practice Management
Deep-dive into our engineering approach, capabilities, and technical specifications.
Written by Sheharyar Amin
Founder & Lead Engineer, Opexia