Case Study 2: CareBridge Health System - Scenario Paper

Case Study Prompt

This page is the prompt side of a full-board practice package. Read it first, build your own architecture, and return to the worked assets only after your timed attempt.

| Field | Detail |
| --- | --- |
| Start here | This scenario paper |
| Difficulty | Advanced |
| Industry | Healthcare |
| Primary pressure areas | Security, Integration, Data, and Mobile |
| Recommended prep window | 180 minutes preparation + 45 minutes presentation + 45 minutes Q&A |
| Coverage available | Case Study Overview, Worked Solution, Presentation Notes, Q&A Preparation |
| Study flow | Attempt this case study paper first, then review the worked solution, presentation notes, and Q&A preparation after your own attempt. |

CareBridge Health System is a regional healthcare system headquartered in Charlotte, NC, serving communities across the US Southeast. Founded 35 years ago as a single community hospital, CareBridge has grown through acquisitions into a multi-facility network.

Company profile:

| Attribute | Detail |
| --- | --- |
| Industry | Healthcare - Hospital System, Outpatient Clinics, Home Health |
| Headquarters | Charlotte, NC |
| Employees | 8,500 (2,000 physicians, 3,500 facility nurses, 200 home health nurses, 1,200 admin, 800 IT, 1,000 other clinical) |
| Facilities | 3 hospitals, 25 outpatient clinics across 4 counties (NC and SC) |
| Active patient records | 1.2 million |
| Annual encounters | 3.5 million (growing 8% annually) |
| Registered portal users | 400,000 patients |
| Remote monitoring patients | 5,000 enrolled (growing 200/month) |

The CEO has authorized a $12 million, 24-month enterprise transformation to replace their legacy patient management system and custom patient portal with a unified platform. Executive sponsors: CIO, CMO, and CNO.

CIO: “We need a single view of the patient that every authorized member of the care team can access, whether in the hospital, at a clinic, or visiting a patient’s home. But access must be role-appropriate. A scheduling clerk should never see clinical notes.”

CMO (Dr. Torres): “Our physicians lose 90 minutes per day toggling between systems. I need to see a patient’s last three visits, current medications, active problems, and pending lab orders without opening Epic separately.”

CNO (Maria Santos): “Home health is our fastest-growing division. Those nurses are driving between rural homes with unreliable cell service. They need to be self-sufficient on their mobile device for the entire day.”

CCO (James Park): “After the VIP incident last year, the board is very focused on access controls. I need to run a report at any time showing who accessed a specific patient’s record in the last 90 days and prove that inappropriate access was impossible.”

Epic is the primary clinical system, implemented 6 years ago ($45M). It manages clinical encounters, physician orders, medication administration records, clinical notes, and problem lists. Epic will remain the clinical system of record.

  • Exposes data via Epic FHIR R4 APIs (read/write) and legacy HL7v2 feeds
  • 3.5M encounters/year; supports Patient, Encounter, Observation, MedicationRequest, DiagnosticReport, Condition resources
  • Epic Subscription API supports real-time notifications; OAuth 2.0 with SMART on FHIR scopes
  • MyChart patient portal used by some departments; leadership wants a unified portal across clinical and non-clinical
  • Epic Interconnect middleware handles HL7v2 message routing; Caboodle data warehouse for clinical analytics

Retained from two hospital acquisitions 8 years ago for administrative functions: demographics, insurance, scheduling, referral tracking. Vendor ends support in 16 months.

  • 850,000 unique patients, 2.1M encounters, 4.5M referral records (8 years of data)
  • Data quality issues: 15% duplicate patients, 11% incomplete insurance, inconsistent MRN formatting across facilities (Hospital A: numeric 8-digit; Hospital B: alphanumeric with facility prefix)
  • ~40% patient overlap with Epic; 3% orphaned referral records (patient IDs no longer exist)
  • No modern API - flat-file export only (fixed-width format) or direct database queries
  • Referral data stored in denormalized flat table; some referrals reference departed providers

  • LabCorp (primary reference lab): 2,500 HL7v2 ORU results/day
  • Quest Diagnostics (specialized panels): 800 HL7v2 ORU results/day
  • Both deliver to Epic via HL7v2 through Epic Interconnect; lab results needed in new platform for full care coordination
  • Critical value alerts must remain through Epic - no parallel notification path
  • ~2% of results arrive with patient identifier mismatches (manual reconciliation)

  • Cerner PharmNet: Medication dispensing across 3 hospitals; interfaces with Epic. No direct integration needed, but medication data from Epic should be visible.
  • GE Centricity PACS: Radiology imaging. Reports flow to Epic as HL7v2 ORU. Radiology availability should surface in patient health timeline.

Manages nurse scheduling and time tracking for all nursing staff. Home health division uses Kronos for daily patient visit schedules with geographic routing.

  • Home health nurses average 15-20 patient visits/day across ~3,800 square miles
  • Schedules finalized by 8 PM prior evening, occasionally updated by 6 AM
  • REST API (v3.2, OAuth 2.0) for schedule retrieval; includes patient ID, address, appointment window, visit type, estimated duration

Custom Patient Portal (Legacy - Being Replaced)

10-year-old Java/Apache Struts portal serving 400,000 users. Known security vulnerabilities.

  • 99.2% uptime (target: 99.9%); patient satisfaction 2.8/5.0; 62% mobile access but not responsive
  • Username/password only, no MFA; 2.3M historical messages (5 years); Stripe bill payment via iframe
  • Peak: 18,000 DAU, 2,200 concurrent sessions (Monday 8-10 AM)
  • Portal dev team (3 Java developers) will be retrained; no new external hires

5,000 patients enrolled with blood pressure, glucose, pulse oximeter, and weight scale devices transmitting via cellular to Philips HealthSuite.

  • 15,000 readings/day (3 per patient); growing to ~7,400 patients in 12 months
  • REST API (JSON, OAuth 2.0); rate limit 1,000 req/min, 100 readings per request
  • Per-patient alert thresholds; RPM nurses (team of 8) currently monitor a separate Philips dashboard
  • Generates $2.8M annually in CMS RPM reimbursement (CPT 99453, 99454, 99457, 99458) - accurate time tracking required

  • Employees (8,500): Microsoft Entra ID, SSO via SAML 2.0/OIDC, MFA enforced, Entra groups map to departments/roles
  • Patients (400,000): Proprietary username/password database, no federation, ~12,000 dormant accounts
  • External providers: No portal access today. Referral status communicated via fax/phone

Used for patient consent forms, HIPAA authorizations, and telehealth consent (~50,000 docs/year). Signed documents must be linked to patient records and retained 10 years per state requirements.

  • HIPAA: Privacy Rule, Security Rule, Breach Notification Rule. BAA required with every cloud vendor handling PHI.
  • HITECH Act: Meaningful use requirements for EHR and patient data access
  • State regulations: NC and SC have different consent requirements, breach notification timelines, and retention periods (NC: 11 years; SC: 10 years)
  • Multi-state nurse licensing: 200 home health nurses may hold licenses in NC, SC, or both under the Nurse Licensure Compact. System must track and enforce.

  • Clinical departments: Cardiology, Oncology, Orthopedics, Neurology, Primary Care - each with distinct physician/specialist populations
  • Nursing: Organized by unit (ICU, Med/Surg, ED, L&D) for hospitals; by geographic zone for home health
  • Care Coordination: Cross-departmental team managing care transitions, referrals, post-discharge follow-up
  • Patient Access: Scheduling, registration, insurance verification - sees demographics but NOT clinical data
  • Revenue Cycle: Billing, coding, claims - sees encounter details and diagnoses but NOT full clinical notes

  • Internal referrals between departments plus external referrals to/from 350 community physicians and 40 specialty practices
  • 8,000 referrals/month (25% external). External providers need limited referral status view only
  • Current turnaround: 6.5 days average. Target: 2 days

  1. Unified patient view consolidating clinical and administrative sources with role-appropriate display
  2. Care plans with goals, tasks, milestones, and care team assignments spanning encounters and facilities
  3. Patient health timeline showing chronological encounters, lab results, medications, vital signs, care plan updates from platform and clinical system
  4. Care team composition tracking (primary physician, specialists, nurses, coordinators, social workers) with effective dates
  5. Patient demographics maintained in a single system of record, synchronized across connected systems
  6. No existing Salesforce footprint; this is a greenfield implementation
  7. Disaster recovery plan with documented RPO and RTO targets for all clinical-facing components

  1. PHI encrypted at rest and in transit; encryption keys managed by CareBridge, not the vendor
  2. Immutable audit trail of every access, modification, and deletion - retained minimum 7 years
  3. Role-based data access per user type (physicians by department, nurses by unit/zone, specialists by referral, care coordinators by program, Patient Access demographics only, Revenue Cycle encounters/Dx only, external providers referral status only)
  4. VIP/sensitive patient restriction layer limiting visibility to directly assigned care team
  5. Multi-state nurse licensing tracked and enforced for home health assignments; system must validate nurse holds active license in the patient’s state before allowing assignment
  6. Consent forms electronically captured, linked to patient records, retained per state mandates (NC: 11 years, SC: 10 years); retention rules enforced automatically
  7. State-specific consent requirements tracked separately for NC and SC patients, with the correct consent form version served based on patient home state

  1. Modern mobile-responsive portal for 400,000 users: scheduling, lab results, messaging, bill pay, education
  2. Patient authentication with email/password + MFA and social identity providers (subject to HIPAA BAA review)
  3. Patients view data from both clinical system and new platform in unified experience
  4. 99.9% portal uptime with monitoring, alerting, and a degraded-mode fallback when backend systems are unavailable
  5. Message response SLA tracking (urgent: 4 hours, routine: 48 hours) with escalation when SLA is at risk
  6. Credential migration strategy for 400,000 legacy portal users moving from Java/Struts to the new platform without requiring in-person re-registration
  7. Patient-facing content (education materials, post-discharge instructions) available in English and Spanish

  1. Mobile access to patient history, care plans, and visit schedules including offline capability
  2. Visit documentation captured on mobile and synced on connectivity restoration; no data loss
  3. Route optimization presenting daily visits in geographic sequence with estimated drive times
  4. Remote wipe capability for lost/stolen devices; PHI erased within 15 minutes of report
  5. Offline data set pre-loaded each morning over WiFi before nurses depart; includes assigned patients only
  6. Conflict resolution strategy when two users edit the same patient record offline simultaneously
  7. Device provisioning and management for 200 iPads including OS updates, app deployment, and compliance enforcement

  1. Bidirectional clinical system integration (demographics/care plans out, encounters/results in)
  2. External lab results accessible alongside other patient data
  3. RPM vitals flow into platform with automated threshold alerting; worst-case alert latency documented and clinically validated
  4. Daily nurse visit schedule from workforce management available in mobile experience by 6 AM
  5. Consent documents electronically signed, auto-linked, stored per retention rules
  6. All PHI integrations use encrypted transport, certificate/OAuth authentication, complete audit trail
  7. Integration error handling with retry strategies, dead letter queues, monitoring dashboards, and fallback procedures per integration point
  8. 2% lab result patient ID mismatches handled via automated matching rules with manual reconciliation queue for unresolved cases

  1. All historical Meditech data migrated preserving data lineage and audit history
  2. Duplicate patients identified and merged with defined survivorship strategy before go-live
  3. MRN normalization across three hospital systems (Hospital A: numeric 8-digit; Hospital B: alphanumeric with facility prefix; Epic: own format) into a single Master Patient Index
  4. Data quality rules during migration: reject records missing required fields, flag incomplete insurance (11%), route orphaned referrals (3%) to manual review
  5. 4.5M referral records migrated with relationships preserved; referrals referencing departed providers mapped to successor or flagged
  6. Migration completed before vendor end-of-support (16-month deadline)
  7. Parallel-run period validating data integrity before decommission with defined exit criteria
  8. Tiered storage strategy for migrated data (hot/warm/cold) based on record age and access frequency

  1. Internal referral lifecycle tracking with SLA monitoring against 2-day target
  2. External providers: secure limited-access referral status view (no full patient record)
  3. Auto-routing rules based on referral reason, insurance network, patient location, and provider availability
  4. Analytics: turnaround time, completion rates, leakage by department and provider
  5. Referral priority classification (routine, urgent, emergent) with differentiated SLA targets

  1. Clinical dashboards: care plan adherence, readmission rates, referral turnaround, RPM alert response times
  2. Compliance dashboards: VIP access audits, consent completion rates, nurse license expiration alerts, breach notification tracking
  3. Operational dashboards: portal usage and adoption trends, home health visit completion rates, integration health and error rates
  4. RPM CMS billing reports pulling precise time-tracking data (CPT 99453/99454/99457/99458) for accurate reimbursement documentation
  5. Executive dashboard: budget burn rate, phase completion, risk status, adoption metrics across all user populations
  6. Self-service reporting for department heads without requiring IT involvement

  1. Portal page load time under 3 seconds at peak concurrent load (2,200 internal users, 5,000 portal sessions)
  2. Platform must handle 8% compound annual growth for 5+ years without re-architecture
  3. Sharing model recalculation must not degrade user experience; performance validated at projected 5-year data volumes

  1. Environment strategy supporting concurrent development, testing, training, production with PHI masking in all non-production environments
  2. Governance model defining data ownership per domain, change management classification (emergency/standard/major), and release management cadence
  3. Documented capacity planning covering storage, API limits, and sharing model at projected 5-year volumes
  4. Role-specific training completed before each phase go-live; legacy portal team (3 Java developers) retrained on the new platform
  5. Phased delivery - no big-bang cutover that impacts patient care
  6. Clinical impact assessment required before all production changes affecting clinical workflows
  7. Post-go-live support model: 12 months managed support with defined transition to internal CoE

  1. Budget: $12M over 24 months (licensing, implementation, migration, integration, training, 12 months managed support)
  2. Timeline: 24 months to full go-live; Meditech decommission by month 16
  3. Clinical continuity: No phase go-live may cause >2 hours downtime
  4. Epic is non-negotiable: Must complement, not replace
  5. Compliance: Platform vendor must execute BAA; HIPAA-compliant from day one
  6. Mobile devices: CareBridge provisions iPads; solution must run on iPadOS
  7. Data residency: All patient data in US-based data centers
  8. Staff capacity: 6 IT FTEs (2 SF admins, 2 devs, 1 integration specialist, 1 data migration specialist) + 4 clinical SMEs
  9. Change freeze: Last 2 weeks of December + first week of January
  10. Union: 90-day notice before implementing technology changing daily nursing workflows

| # | Risk | Likelihood | Impact |
| --- | --- | --- | --- |
| R1 | Meditech decommission misses 16-month deadline | Medium | Critical |
| R2 | Deduplication reveals higher-than-expected duplicate rate | Medium | High |
| R3 | Physician adoption resistance | High | High |
| R4 | Offline sync data loss for home health | Low | Critical |
| R5 | Patient portal migration causes service disruption | Medium | High |
| R6 | RPM alert latency exceeds clinical threshold | Low | High |
| R7 | Integration point failure cascading to clinical workflows | Medium | Critical |
| R8 | Budget overrun due to integration complexity | Medium | Medium |

Produce the following 9 artifacts and present them to the review board:

  1. System Landscape Diagram: all systems and connections
  2. Data Model / ERD: core patient-centric objects and relationships
  3. Role Hierarchy and Sharing Model: access enforcement per user type
  4. Integration Architecture: patterns, protocols, data flows per integration point
  5. Identity and Access Management: employee SSO, patient auth, external provider access
  6. Data Migration Strategy: Meditech to new platform with dedup and quality remediation
  7. Governance Framework: data ownership, change management, release management
  8. Environment Strategy: sandbox topology, CI/CD, deployment model
  9. Phased Delivery Roadmap: sequenced phases with dependencies and go-live criteria

Always verify against official Salesforce documentation

Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.