
Case Study 07: VitalGov Health Services — Presentation Notes

AI-Generated Content — Use for Reference Only

This content is AI-generated and has only been validated by AI review processes. It has NOT been reviewed or validated by certified Salesforce CTAs or human subject matter experts. Do not rely on this content as authoritative or completely accurate. Use it solely as a reference point for your own study and preparation. Always verify architectural recommendations against official Salesforce documentation.

Presentation Format

Total time: 30 minutes presentation + 30 minutes Q&A

Strategy: Go deep on 3 high-risk decisions, summary-level on 6 supporting artifacts

Opening (2 min)

“VitalGov Health Services must unify four public health programs serving 8 million residents while meeting FedRAMP Moderate and HIPAA simultaneously. The three decisions that determine success: federating 62 county identity providers through a single broker, integrating a 20-year-old mainframe that cannot be modified, and enforcing HIPAA minimum necessary across programs sharing the same constituent record.”

Show System Landscape. Frame the scale: 3,200 state employees, 4,800 county workers across 62 independent agencies, 2.1M Medicaid beneficiaries, $45M over 36 months. State the GovCloud single-org decision.

Deep Dive 1: 62-County Identity Federation (6 min)

“62 counties, each with their own Active Directory. Configuring 62 individual SAML connections in Salesforce is operationally impossible — one misconfiguration during a county AD migration takes down access for that county.”

Azure AD B2C as federation hub. Each county federates their AD with the broker — one trust relationship per county. Salesforce sees a single SAML IdP. County code travels in the SAML assertion, drives JIT provisioning and sharing assignment. Onboarding a new county: one Azure trust + one Salesforce public group, no code deployment. Trade-off: dependency on Azure AD B2C availability, mitigated by 99.99% SLA and FedRAMP authorization.

State employees bypass the broker entirely — direct Okta SAML. Healthcare providers use NPI-verified Experience Cloud login. Public uses ID.me at NIST IAL2 for vital records.
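Because the county code in the broker's assertion decides both JIT provisioning and sharing, the consuming side should treat it as a trust decision rather than a label. The sketch below is an added example, not part of the original notes or any Salesforce or Azure API; the issuer URL, the attribute names `county_code` and `upstream_idp`, and the registry contents are assumptions, and signature and audience validation are assumed to have happened already.

```python
# Added example: checks on the county claim before JIT provisioning.
BROKER_ISSUER = "https://broker.example.invalid/saml"  # placeholder issuer

# Onboarding registry (constructed): county code -> (upstream IdP, public group)
COUNTY_REGISTRY = {
    "C017": ("idp-county-017", "County_017_Workers"),
    "C042": ("idp-county-042", "County_042_Workers"),
}

class ProvisioningRejected(Exception):
    """Raised when an assertion must not create a user or a group assignment."""

def resolve_county_access(issuer, attributes):
    """Return (county_code, public_group) for a signature-verified assertion.

    `attributes` maps attribute name -> list of values, since SAML attributes
    can be multi-valued.
    """
    if issuer != BROKER_ISSUER:
        raise ProvisioningRejected("assertion not issued by the federation broker")
    codes = attributes.get("county_code", [])
    if len(codes) != 1:
        # Zero or several county codes is ambiguous, so fail closed.
        raise ProvisioningRejected("expected exactly one county_code value")
    code = codes[0].strip().upper()
    if code not in COUNTY_REGISTRY:
        raise ProvisioningRejected(f"county {code!r} is not onboarded")
    expected_idp, group = COUNTY_REGISTRY[code]
    if attributes.get("upstream_idp", []) != [expected_idp]:
        # One county's directory must not be able to claim another county's code.
        raise ProvisioningRejected("county_code does not match the authenticating IdP")
    return code, group

def try_resolve(issuer, attributes):
    """Convenience wrapper returning (result, error_message)."""
    try:
        return resolve_county_access(issuer, attributes), None
    except ProvisioningRejected as exc:
        return None, str(exc)
```

Onboarding a county then stays a data change (one registry row, mirroring the one Azure trust plus one public group), while an unknown or mismatched county code never reaches provisioning.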

Deep Dive 2: MMIS Mainframe Integration (6 min)

“The MMIS mainframe processes 15,000 eligibility determinations per day. It has no API. It runs COBOL. And we cannot touch it.”

Dual-path pattern: MuleSoft RPA for real-time caseworker lookups (navigate 3270 screens, extract data, sub-5s target), and nightly batch file extracts for bulk data refresh. Caseworker opens a constituent record — Salesforce shows last-known batch data immediately, triggers RPA lookup for real-time confirmation. If RPA fails, caseworker sees batch data with a “last refreshed” timestamp. This is an explicitly temporary bridge until the planned MMIS replacement in 5-7 years.

Risk: MMIS screen changes break RPA. Mitigation: screen change detection in MuleSoft, alerting within 5 minutes of a field layout change. Weekend maintenance windows: graceful degradation to batch-only mode.
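The dual-path lookup and the screen change check fit together as follows. This is an added example, not MuleSoft RPA code or anything from the original notes. The screen model (a list of fields with row, col, length, label), the `rpa_fetch` and `alert` callables, and all sample values are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

def layout_fingerprint(fields):
    """Hash field positions and labels, ignoring values (constructed screen model)."""
    shape = sorted((f["row"], f["col"], f["length"], f["label"]) for f in fields)
    return hashlib.sha256(repr(shape).encode()).hexdigest()

def lookup_eligibility(member_id, batch_store, rpa_fetch, baseline, alert):
    """Return batch data, upgraded with the real-time value only if the RPA path is trustworthy."""
    record = dict(batch_store[member_id])      # last-known nightly extract (copied)
    record["source"] = "batch"
    try:
        fields = rpa_fetch(member_id)          # hypothetical RPA call; may time out
    except (TimeoutError, ConnectionError) as exc:
        record["note"] = f"real-time lookup unavailable: {type(exc).__name__}"
        return record
    if layout_fingerprint(fields) != baseline:
        # A moved field would be read as the wrong value, so do not extract at all.
        alert("MMIS screen layout changed; RPA extraction suspended")
        record["note"] = "screen layout changed; showing batch data"
        return record
    values = {f["label"]: f["value"] for f in fields}
    record.update(status=values["ELIG STATUS"], source="rpa",
                  last_refreshed=datetime.now(timezone.utc).isoformat())
    return record

# Constructed sample data
GOOD_SCREEN = [
    {"row": 4, "col": 20, "length": 10, "label": "MEMBER ID", "value": "M000123"},
    {"row": 6, "col": 20, "length": 8, "label": "ELIG STATUS", "value": "ACTIVE"},
]
SHIFTED_SCREEN = [dict(f, row=f["row"] + 1) for f in GOOD_SCREEN]  # layout moved one row
BASELINE = layout_fingerprint(GOOD_SCREEN)
BATCH = {"M000123": {"status": "PENDING", "last_refreshed": "2024-01-01T02:00:00+00:00"}}
```

The point for Q&A: a layout change is handled as a data-integrity failure, not just an availability failure, so the caseworker falls back to timestamped batch data instead of seeing a value scraped from the wrong screen position.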

Deep Dive 3: HIPAA Minimum Necessary Across Programs (5 min)

“Four programs share one constituent record, but HIPAA says each program can only access what it needs. A WIC nutritionist should not see Medicaid claims. A Medicaid caseworker should not see WIC clinical notes.”

Field-level security via permission set groups per program. The Constituent record is visible to all authorized staff, but field visibility varies by program role. Restriction Rules enforce the boundary. Medicaid caseworkers see all enrollment statuses across programs (needed for eligibility determination) but not clinical detail. WIC staff see demographic data and WIC fields only. Surveillance epidemiologists see de-identified aggregate data from all programs for outbreak analysis.

Audit: Shield Event Monitoring logs every PHI access. HIPAA requires demonstrating who accessed what and when for 7 years. Shield audit trail meets this.
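Permission sets are additive, so the per-program boundary can erode when a shared permission set is added to a group or a user holds groups from two programs. The audit below is an added example, not from the original notes and not a Salesforce API; the field names, permission set names, groups and users are constructed. It models only permission set grants and per-group muting, and ignores profile-level field access.

```python
# Minimum-necessary policy (constructed): program role -> fields that role may read.
POLICY = {
    "wic_staff": {"Name", "BirthDate", "WIC_Clinical_Notes__c", "WIC_Benefit_Level__c"},
    "medicaid_caseworker": {"Name", "BirthDate", "Medicaid_Enrollment_Status__c",
                            "WIC_Enrollment_Status__c", "Medicaid_Claim_Detail__c"},
}
# Field read grants per permission set (constructed).
PERMISSION_SETS = {
    "WIC_Core": {"Name", "BirthDate", "WIC_Clinical_Notes__c", "WIC_Benefit_Level__c"},
    "Medicaid_Core": {"Name", "BirthDate", "Medicaid_Enrollment_Status__c",
                      "WIC_Enrollment_Status__c", "Medicaid_Claim_Detail__c"},
    "Shared_Reporting": {"Name", "Medicaid_Claim_Detail__c"},
}
# Permission set groups, each with the fields its muting permission set removes.
GROUPS = {
    "WIC_PSG": {"sets": ["WIC_Core", "Shared_Reporting"], "muted": set()},
    "WIC_PSG_Fixed": {"sets": ["WIC_Core", "Shared_Reporting"],
                      "muted": {"Medicaid_Claim_Detail__c"}},
    "Medicaid_PSG": {"sets": ["Medicaid_Core"], "muted": set()},
}

def effective_fields(group_names):
    """Union of readable fields across groups; muting applies inside its own group only."""
    readable = set()
    for name in group_names:
        group = GROUPS[name]
        granted = set().union(*(PERMISSION_SETS[s] for s in group["sets"]))
        readable |= granted - group["muted"]
    return readable

def audit(assignments):
    """Return {user: sorted excess fields} for users who can read beyond their role's policy."""
    findings = {}
    for user, (role, group_names) in assignments.items():
        excess = effective_fields(group_names) - POLICY[role]
        if excess:
            findings[user] = sorted(excess)
    return findings

ASSIGNMENTS = {  # constructed users: user -> (program role, assigned groups)
    "wic.nutritionist": ("wic_staff", ["WIC_PSG"]),
    "wic.fixed": ("wic_staff", ["WIC_PSG_Fixed"]),
    "dual.hat": ("wic_staff", ["WIC_PSG_Fixed", "Medicaid_PSG"]),
    "medicaid.cw": ("medicaid_caseworker", ["Medicaid_PSG"]),
}
```

Run against exported assignments before each release, a check like this catches the shared-permission-set and dual-assignment cases that field-by-field review tends to miss.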

Supporting Artifacts (7 min)

Data Model (1 min): Health Cloud Person Account as Constituent. Program Enrollment child object tracks multi-program participation. Case object polymorphic across programs via record types. Shield encryption on SSN and DOB with deterministic encryption for matching.

Integration (1.5 min): MuleSoft GovCloud handles protocol diversity — HL7 2.5.1 for IIS, FHIR R4 for CDC, X12 EDI for CMS, flat files for USDA, SFTP for 42 county formats. DataWeave transforms normalize county data into canonical schema. Dead letter queue for all failed transactions.

Data Migration (1 min): Medicaid 2.1M beneficiaries first — establishes constituent master. WIC cross-matches against existing records (35% overlap). Vital records load metadata only; images stay in legacy storage. No production PHI in sandboxes.

Governance (1 min): Health IT Governance Board monthly. Program directors own program changes; cross-program changes require board approval. FedRAMP continuous monitoring: quarterly assessments, monthly vulnerability scans, CISO gate before every production deploy.

Environments (1 min): All sandboxes within GovCloud FedRAMP boundary. PHI masking mandatory in all non-production environments. GitHub Enterprise (FedRAMP) for CI/CD.

Roadmap (1.5 min): 36 months. Medicaid first (months 1-14) to validate MMIS integration and build constituent master. Surveillance second (months 10-24) to prove county federation. WIC and vital records last, leveraging existing constituent data. FedRAMP authorization runs parallel for 14 months. County onboarding: 10 pilot counties, then rolling waves of 52.

Transitions

  • Opening to Identity: “The first challenge is: who are all these users? 62 counties, each with their own identity system.”
  • Identity to MMIS: “Once users can authenticate, the next question is: what data do they see? The most critical data lives on a 20-year-old mainframe.”
  • MMIS to HIPAA: “With mainframe data flowing in alongside four programs, the compliance question becomes: who sees which fields from which program?”
  • HIPAA to Supporting: “With the three highest-risk decisions covered, let me walk through the remaining artifacts.”
  • Supporting to Close: “Before I wrap up, the three risks that keep me up at night and how this architecture addresses them.”

Closing (2 min)

Three risks and mitigations:

  1. MMIS fragility: RPA with batch fallback; screen change detection; explicit bridge pattern with 5-7 year replacement horizon
  2. Outbreak surge (10x): Heroku Private Space (FedRAMP) absorbs spike; Bulk API writes at throttled rate; annual drill validates
  3. County adoption: Pilot with 10 willing counties; identity broker minimizes county-side changes; standardization incentive program in year 2

“This is a government modernization where the architect must balance federal compliance mandates with the reality of 62 independent agencies, a mainframe that cannot be touched, and the possibility that a public health emergency will test every architectural decision at 10x scale.”

Timing Checkpoints

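| Segment              | Duration | Cumulative |
|----------------------|----------|------------|
| Opening              | 2 min    | 2 min      |
| Identity Deep Dive   | 6 min    | 8 min      |
| MMIS Deep Dive       | 6 min    | 14 min     |
| HIPAA Deep Dive      | 5 min    | 19 min     |
| Supporting Artifacts | 7 min    | 26 min     |
| Closing              | 2 min    | 28 min     |
| Buffer               | 2 min    | 30 min     |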