How Halo Health shipped a HIPAA-aware patient-facing mobile app in 11 weeks

The brief

Halo Health is a UK-based digital health company supporting chronic-care patients between appointments. They had clinical validation, NHS pilot interest, and 80+ paper-prototype screens — but no working mobile app. Their previous agency had over-promised native iOS+Android from a 2-person team, missed three deadlines, and quietly walked away.

The Halo board wanted a working mobile app live on both stores within 12 weeks. The previous attempt had eaten 5 months and £42,000 with nothing to show for it. They'd rather pull the plug than start the same conversation with a sixth agency.

The constraints

• 12-week deadline: a board meeting was the launch trigger
• HIPAA-aware architecture: patient data, US expansion already on the roadmap
• Both stores, day-1 release: not "Android coming next quarter"
• Bluetooth medical-device integration: two specific glucometer brands
• Offline mode: works on a train, syncs when reconnected
• Accessibility: patients skew older — WCAG 2.1 AA was non-negotiable

Why React Native (not native)

We pushed back on the previous agency's plan for fully native iOS + Android in 12 weeks. That would have needed 4 senior engineers and we'd have shipped one platform on time and the other 6 weeks late.

Instead: React Native with Expo, with two thin native modules for the Bluetooth glucometer integrations. Same UX on both platforms, one team, one codebase, two store releases on the same day. We documented this trade-off publicly in our pillar guide: React Native vs Flutter vs native.

The architecture

Patient data was the gravity well. Every architectural choice flowed from making it HIPAA-defensible.

• App: React Native + Expo (managed workflow + EAS Build)
• State: Zustand + TanStack Query (offline cache via React Query persistor)
• Local DB: WatermelonDB for offline-first patient logs
• Backend: Node.js + Fastify on AWS, deployed to a HIPAA-eligible region
• Storage: Postgres (RDS) + encrypted S3 buckets, per-tenant KMS keys
• Native modules: Thin Swift + Kotlin bridges for the two glucometer SDKs
• Auth: Cognito with HIPAA-eligible service tier, biometric login on device
• Observability: Sentry (with PII scrubbing), CloudWatch, custom audit log

The 11-week timeline

Total: $35,000 fixed-price. 11 weeks, kickoff to App Store + Play Store release.

• Week 1: Discovery, security review with their compliance lead, scope locked
• Weeks 2–4: App shell, auth, navigation, design system, accessibility scaffolding
• Weeks 5–7: Patient logging flow, offline sync, glucometer integrations
• Weeks 8–9: Backend hardening, encryption-at-rest, HIPAA audit-log layer
• Week 10: WCAG 2.1 AA accessibility pass, TestFlight + Play Console internal testing
• Week 11: Both stores submitted Monday, both approved by Friday, public release

The release

Halo Health released on both stores on the same day. First-week stats:

• App Store rating: 4.8 / 5 (113 reviews in first month)
• Play Store rating: 4.7 / 5
• Day-1 downloads: 240 (NHS pilot patients)
• Crash-free rate: 99.94% in week 1
• Average session length: 3:42 — well above the digital-health benchmark of 1:50

The board meeting that gated the launch went ahead. The company closed a Series A in the following quarter — partly on the strength of having shipped a live, used, well-rated product.

Senior engineers, weekly demos, zero scope creep. After three failed agency attempts, this finally felt like working with a team that actually ships.

— Priya Raman, CTO, Halo Health

The trade-offs we publicly accepted

Honest report of what we didn't ship in v1:

1. No native iOS widget. Would have added 2 weeks. Deferred to v1.1 (shipped 6 weeks later).
2. No Apple Watch companion. Halo's patient base skews older — < 8% have Apple Watches. Wrong investment for v1.
3. Mobile-only, not iPad-optimized. Phone is the primary device. iPad layout shipped in v1.2.

Saying no to these on day 1 was the difference between shipping in 11 weeks and missing the board meeting.

What we'd do differently next time

1. Get the glucometer SDKs in our hands before week 4. The Bluetooth bridge modules took 60% longer than estimated because the SDK docs were wrong. Build a Friday-week-1 deliverable that proves the bridge works.
2. HIPAA compliance review at week 6, not week 9. We had time. Next time we'd have their compliance lead in the loop earlier.

Numbers

• Build cost: £28,000 / $35,000 (fixed)
• Halo's previous agency spend with nothing shipped: £42,000
• Time from kickoff to public release: 11 weeks
• App Store rating: 4.8 / 5
• Series A raised in the following quarter — partially on traction

Want a mobile app shipped like this?

Book a free 30-minute strategy call. We'll scope your app, quote a fixed price, and have a contract in your inbox within 48 hours. Run your numbers through our MVP Cost Calculator first if you want a budget number before the call. Or read more about our mobile app development service.