Case Study 2: CareBridge Health System - Scenario Paper

Work in Progress

This content is currently being reviewed for accuracy and will be updated soon.

Case Study Prompt

This page is the prompt side of a full-board practice package. Read it first, build your own architecture, and return to the worked assets only after your timed attempt.

Case Study Snapshot

Field	Detail
Start here	This scenario paper
Difficulty	Advanced
Industry	Healthcare
Primary pressure areas	Security, Integration, Data, and Mobile
Recommended prep window	180 minutes preparation + 45 minutes presentation + 45 minutes Q&A
Coverage available	Case Study Overview, Worked Solution, Presentation Notes, Q&A Preparation
Study flow	Attempt this case study paper first, then review the worked solution, presentation notes, and Q&A preparation after your own attempt.

Recommended Approach

Print this case study. Read it twice using the Two-Pass Reading Method once for the narrative and once for implicit requirements. Then build all nine core artifacts inside the full prep window before you open the support pages.

Project Overview

CareBridge Health System is a regional healthcare system headquartered in Charlotte, NC, serving communities across the US Southeast. Founded 35 years ago as a single community hospital, CareBridge has grown through acquisitions into a multi-facility network.

Company profile:

Attribute	Detail
Industry	Healthcare - Hospital System, Outpatient Clinics, Home Health
Headquarters	Charlotte, NC
Employees	8,500 (2,000 physicians, 3,500 facility nurses, 200 home health nurses, 1,200 admin, 800 IT, 1,000 other clinical)
Facilities	3 hospitals, 25 outpatient clinics across 4 counties (NC and SC)
Active patient records	1.2 million
Annual encounters	3.5 million (growing 8% annually)
Registered portal users	400,000 patients
Remote monitoring patients	5,000 enrolled (growing 200/month)

The CEO has authorized a $12 million, 24-month enterprise transformation to replace their legacy patient management system and custom patient portal with a unified platform. Executive sponsors: CIO, CMO, and CNO.

Stakeholder Quotes

CIO: “We need a single view of the patient that every authorized member of the care team can access, whether in the hospital, at a clinic, or visiting a patient’s home. But access must be role-appropriate. A scheduling clerk should never see clinical notes.”

CMO (Dr. Torres): “Our physicians lose 90 minutes per day toggling between systems. I need to see a patient’s last three visits, current medications, active problems, and pending lab orders without opening Epic separately.”

CNO (Maria Santos): “Home health is our fastest-growing division. Those nurses are driving between rural homes with unreliable cell service. They need to be self-sufficient on their mobile device for the entire day.”

CCO (James Park): “After the VIP incident last year, the board is very focused on access controls. I need to run a report at any time showing who accessed a specific patient’s record in the last 90 days and prove that inappropriate access was impossible.”

Current Technology Environment

Epic EHR (Clinical System of Record)

Epic is the primary clinical system, implemented 6 years ago ($45M). It manages clinical encounters, physician orders, medication administration records, clinical notes, and problem lists. Epic will remain the clinical system of record.

• Exposes data via Epic FHIR R4 APIs (read/write) and legacy HL7v2 feeds
• 3.5M encounters/year; supports Patient, Encounter, Observation, MedicationRequest, DiagnosticReport, Condition resources
• Epic Subscription API supports real-time notifications; OAuth 2.0 with SMART on FHIR scopes
• MyChart patient portal used by some departments; leadership wants a unified portal across clinical and non-clinical
• Epic Interconnect middleware handles HL7v2 message routing; Caboodle data warehouse for clinical analytics

Meditech (Legacy - Being Decommissioned)

Retained from two hospital acquisitions 8 years ago for administrative functions: demographics, insurance, scheduling, referral tracking. Vendor ends support in 16 months.

• 850,000 unique patients, 2.1M encounters, 4.5M referral records (8 years of data)
• Data quality issues: 15% duplicate patients, 11% incomplete insurance, inconsistent MRN formatting across facilities (Hospital A: numeric 8-digit; Hospital B: alphanumeric with facility prefix)
• ~40% patient overlap with Epic; 3% orphaned referral records (patient IDs no longer exist)
• No modern API - flat-file export only (fixed-width format) or direct database queries
• Referral data stored in denormalized flat table; some referrals reference departed providers

Laboratory Interfaces

• LabCorp (primary reference lab): 2,500 HL7v2 ORU results/day
• Quest Diagnostics (specialized panels): 800 HL7v2 ORU results/day
• Both deliver to Epic via HL7v2 through Epic Interconnect; lab results needed in new platform for full care coordination
• Critical value alerts must remain through Epic - no parallel notification path
• ~2% of results arrive with patient identifier mismatches (manual reconciliation)

Other Clinical Systems

• Cerner PharmNet: Medication dispensing across 3 hospitals; interfaces with Epic. No direct integration needed, but medication data from Epic should be visible.
• GE Centricity PACS: Radiology imaging. Reports flow to Epic as HL7v2 ORU. Radiology availability should surface in patient health timeline.

Kronos (Workforce Management)

Manages nurse scheduling and time tracking for all nursing staff. Home health division uses Kronos for daily patient visit schedules with geographic routing.

• Home health nurses average 15-20 patient visits/day across ~3,800 square miles
• Schedules finalized by 8 PM prior evening, occasionally updated by 6 AM
• REST API (v3.2, OAuth 2.0) for schedule retrieval; includes patient ID, address, appointment window, visit type, estimated duration

Custom Patient Portal (Legacy - Being Replaced)

10-year-old Java/Apache Struts portal serving 400,000 users. Known security vulnerabilities.

• 99.2% uptime (target: 99.9%); patient satisfaction 2.8/5.0; 62% mobile access but not responsive
• Username/password only, no MFA; 2.3M historical messages (5 years); Stripe bill payment via iframe
• Peak: 18,000 DAU, 2,200 concurrent sessions (Monday 8-10 AM)
• Portal dev team (3 Java developers) will be retrained; no new external hires

Remote Patient Monitoring (Philips)

5,000 patients enrolled with blood pressure, glucose, pulse oximeter, and weight scale devices transmitting via cellular to Philips HealthSuite.

• 15,000 readings/day (3 per patient); growing to ~7,400 patients in 12 months
• REST API (JSON, OAuth 2.0); rate limit 1,000 req/min, 100 readings per request
• Per-patient alert thresholds; RPM nurses (team of 8) currently monitor a separate Philips dashboard
• Generates $2.8M annually in CMS RPM reimbursement (CPT 99453, 99454, 99457, 99458) - accurate time tracking required

Identity and Access Management

• Employees (8,500): Microsoft Entra ID, SSO via SAML 2.0/OIDC, MFA enforced, Entra groups map to departments/roles
• Patients (400,000): Proprietary username/password database, no federation, ~12,000 dormant accounts
• External providers: No portal access today. Referral status communicated via fax/phone

DocuSign

Used for patient consent forms, HIPAA authorizations, and telehealth consent (~50,000 docs/year). Signed documents must be linked to patient records and retained 10 years per state requirements.

Regulatory Requirements

• HIPAA: Privacy Rule, Security Rule, Breach Notification Rule. BAA required with every cloud vendor handling PHI.
• HITECH Act: Meaningful use requirements for EHR and patient data access
• State regulations: NC and SC have different consent requirements, breach notification timelines, and retention periods (NC: 11 years; SC: 10 years)
• Multi-state nurse licensing: 200 home health nurses may hold licenses in NC, SC, or both under the Nurse Licensure Compact. System must track and enforce.

Departmental Structure

• Clinical departments: Cardiology, Oncology, Orthopedics, Neurology, Primary Care - each with distinct physician/specialist populations
• Nursing: Organized by unit (ICU, Med/Surg, ED, L&D) for hospitals; by geographic zone for home health
• Care Coordination: Cross-departmental team managing care transitions, referrals, post-discharge follow-up
• Patient Access: Scheduling, registration, insurance verification - sees demographics but NOT clinical data
• Revenue Cycle: Billing, coding, claims - sees encounter details and diagnoses but NOT full clinical notes

Referral Network

• Internal referrals between departments plus external referrals to/from 350 community physicians and 40 specialty practices
• 8,000 referrals/month (25% external). External providers need limited referral status view only
• Current turnaround: 6.5 days average. Target: 2 days

Business Requirements

Open-Ended Requirements

These requirements describe WHAT the business needs, not HOW to implement.

Patient Data Management (Req 1-7)

1. Unified patient view consolidating clinical and administrative sources with role-appropriate display
2. Care plans with goals, tasks, milestones, and care team assignments spanning encounters and facilities
3. Patient health timeline showing chronological encounters, lab results, medications, vital signs, care plan updates from platform and clinical system
4. Care team composition tracking (primary physician, specialists, nurses, coordinators, social workers) with effective dates
5. Patient demographics maintained in a single system of record, synchronized across connected systems
6. No existing Salesforce footprint; this is a greenfield implementation
7. Disaster recovery plan with documented RPO and RTO targets for all clinical-facing components

Security and Compliance (Req 8-14)

8. PHI encrypted at rest and in transit; encryption keys managed by CareBridge, not the vendor
9. Immutable audit trail of every access, modification, and deletion - retained minimum 7 years
10. Role-based data access per user type (physicians by department, nurses by unit/zone, specialists by referral, care coordinators by program, Patient Access demographics only, Revenue Cycle encounters/Dx only, external providers referral status only)
11. VIP/sensitive patient restriction layer limiting visibility to directly assigned care team
12. Multi-state nurse licensing tracked and enforced for home health assignments; system must validate nurse holds active license in the patient’s state before allowing assignment
13. Consent forms electronically captured, linked to patient records, retained per state mandates (NC: 11 years, SC: 10 years); retention rules enforced automatically
14. State-specific consent requirements tracked separately for NC and SC patients, with the correct consent form version served based on patient home state

Patient Portal (Req 15-21)

15. Modern mobile-responsive portal for 400,000 users: scheduling, lab results, messaging, bill pay, education
16. Patient authentication with email/password + MFA and social identity providers (subject to HIPAA BAA review)
17. Patients view data from both clinical system and new platform in unified experience
18. 99.9% portal uptime with monitoring, alerting, and a degraded-mode fallback when backend systems are unavailable
19. Message response SLA tracking (urgent: 4 hours, routine: 48 hours) with escalation when SLA is at risk
20. Credential migration strategy for 400,000 legacy portal users moving from Java/Struts to the new platform without requiring in-person re-registration
21. Patient-facing content (education materials, post-discharge instructions) available in English and Spanish

Home Health Mobile (Req 22-28)

22. Mobile access to patient history, care plans, and visit schedules including offline capability
23. Visit documentation captured on mobile and synced on connectivity restoration; no data loss
24. Route optimization presenting daily visits in geographic sequence with estimated drive times
25. Remote wipe capability for lost/stolen devices; PHI erased within 15 minutes of report
26. Offline data set pre-loaded each morning over WiFi before nurses depart; includes assigned patients only
27. Conflict resolution strategy when two users edit the same patient record offline simultaneously
28. Device provisioning and management for 200 iPads including OS updates, app deployment, and compliance enforcement

Integration (Req 29-36)

29. Bidirectional clinical system integration (demographics/care plans out, encounters/results in)
30. External lab results accessible alongside other patient data
31. RPM vitals flow into platform with automated threshold alerting; worst-case alert latency documented and clinically validated
32. Daily nurse visit schedule from workforce management available in mobile experience by 6 AM
33. Consent documents electronically signed, auto-linked, stored per retention rules
34. All PHI integrations use encrypted transport, certificate/OAuth authentication, complete audit trail
35. Integration error handling with retry strategies, dead letter queues, monitoring dashboards, and fallback procedures per integration point
36. 2% lab result patient ID mismatches handled via automated matching rules with manual reconciliation queue for unresolved cases

Data Migration (Req 37-44)

37. All historical Meditech data migrated preserving data lineage and audit history
38. Duplicate patients identified and merged with defined survivorship strategy before go-live
39. MRN normalization across three hospital systems (Hospital A: numeric 8-digit; Hospital B: alphanumeric with facility prefix; Epic: own format) into a single Master Patient Index
40. Data quality rules during migration: reject records missing required fields, flag incomplete insurance (11%), route orphaned referrals (3%) to manual review
41. 4.5M referral records migrated with relationships preserved; referrals referencing departed providers mapped to successor or flagged
42. Migration completed before vendor end-of-support (16-month deadline)
43. Parallel-run period validating data integrity before decommission with defined exit criteria
44. Tiered storage strategy for migrated data (hot/warm/cold) based on record age and access frequency

Referral Management (Req 45-49)

45. Internal referral lifecycle tracking with SLA monitoring against 2-day target
46. External providers: secure limited-access referral status view (no full patient record)
47. Auto-routing rules based on referral reason, insurance network, patient location, and provider availability
48. Analytics: turnaround time, completion rates, leakage by department and provider
49. Referral priority classification (routine, urgent, emergent) with differentiated SLA targets

Reporting and Analytics (Req 50-55)

50. Clinical dashboards: care plan adherence, readmission rates, referral turnaround, RPM alert response times
51. Compliance dashboards: VIP access audits, consent completion rates, nurse license expiration alerts, breach notification tracking
52. Operational dashboards: portal usage and adoption trends, home health visit completion rates, integration health and error rates
53. RPM CMS billing reports pulling precise time-tracking data (CPT 99453/99454/99457/99458) for accurate reimbursement documentation
54. Executive dashboard: budget burn rate, phase completion, risk status, adoption metrics across all user populations
55. Self-service reporting for department heads without requiring IT involvement

Performance and Scalability (Req 56-58)

56. Portal page load time under 3 seconds at peak concurrent load (2,200 internal users, 5,000 portal sessions)
57. Platform must handle 8% compound annual growth for 5+ years without re-architecture
58. Sharing model recalculation must not degrade user experience; performance validated at projected 5-year data volumes

Governance and Delivery (Req 59-65)

59. Environment strategy supporting concurrent development, testing, training, production with PHI masking in all non-production environments
60. Governance model defining data ownership per domain, change management classification (emergency/standard/major), and release management cadence
61. Documented capacity planning covering storage, API limits, and sharing model at projected 5-year volumes
62. Role-specific training completed before each phase go-live; legacy portal team (3 Java developers) retrained on the new platform
63. Phased delivery - no big-bang cutover that impacts patient care
64. Clinical impact assessment required before all production changes affecting clinical workflows
65. Post-go-live support model: 12 months managed support with defined transition to internal CoE

Constraints

1. Budget: $12M over 24 months (licensing, implementation, migration, integration, training, 12 months managed support)
2. Timeline: 24 months to full go-live; Meditech decommission by month 16
3. Clinical continuity: No phase go-live may cause >2 hours downtime
4. Epic is non-negotiable: Must complement, not replace
5. Compliance: Platform vendor must execute BAA; HIPAA-compliant from day one
6. Mobile devices: CareBridge provisions iPads; solution must run on iPadOS
7. Data residency: All patient data in US-based data centers
8. Staff capacity: 6 IT FTEs (2 SF admins, 2 devs, 1 integration specialist, 1 data migration specialist) + 4 clinical SMEs
9. Change freeze: Last 2 weeks of December + first week of January
10. Union: 90-day notice before implementing technology changing daily nursing workflows

Risk Register

#	Risk	Likelihood	Impact
R1	Meditech decommission misses 16-month deadline	Medium	Critical
R2	Deduplication reveals higher-than-expected duplicate rate	Medium	High
R3	Physician adoption resistance	High	High
R4	Offline sync data loss for home health	Low	Critical
R5	Patient portal migration causes service disruption	Medium	High
R6	RPM alert latency exceeds clinical threshold	Low	High
R7	Integration point failure cascading to clinical workflows	Medium	Critical
R8	Budget overrun due to integration complexity	Medium	Medium

Deliverables

Produce the following 9 artifacts and present them to the review board:

1. System Landscape Diagram: all systems and connections
2. Data Model / ERD: core patient-centric objects and relationships
3. Role Hierarchy and Sharing Model: access enforcement per user type
4. Integration Architecture: patterns, protocols, data flows per integration point
5. Identity and Access Management: employee SSO, patient auth, external provider access
6. Data Migration Strategy: Meditech to new platform with dedup and quality remediation
7. Governance Framework: data ownership, change management, release management
8. Environment Strategy: sandbox topology, CI/CD, deployment model
9. Phased Delivery Roadmap: sequenced phases with dependencies and go-live criteria

Implicit Requirements

Pay special attention to:

• BAA required with every vendor handling PHI (Salesforce, Philips, DocuSign, middleware)
• 400,000 portal users need credential migration and re-authentication strategy (Req 20)
• RPM CMS billing codes (CPT 99453/99454/99457/99458) require precise time tracking (Req 53)
• 3% orphaned Meditech referrals reference nonexistent patient IDs - handled in migration (Req 41)
• 350+ external physicians need portal access for referral status - no portal exists today
• MRN normalization across 3 hospital systems is a master patient index challenge (Req 39)
• 3,000-4,000 visit records created offline daily must sync without data loss or conflict (Req 23, 27)
• Epic clinical data: the fetch-on-demand vs. persist decision affects PHI duplication and compliance surface
• Sharing model performance at 1.2M patients with Private OWD and Apex-managed sharing (Req 58)
• Licensing cost for 400,000 portal users must fit within $12M budget

Time Management

Allocate your 180 minutes:

• 30 min: Read and extract requirements (two passes)
• 20 min: Security model (Req 8-14)
• 20 min: Integration architecture (Req 29-36)
• 20 min: Data migration strategy (Req 37-44)
• 15 min: System landscape and data model
• 15 min: Identity and access management
• 15 min: Environment strategy and governance (Req 59-65)
• 20 min: Phased delivery roadmap
• 25 min: Review and prepare presentation talking points

---

Always verify against official Salesforce documentation

This content is study material for CTA exam preparation. Content compiled and presented with AI assistance. Not affiliated with Salesforce.