--- title: AHD-SEAT-07-CLIENT-PORTAL seat: PORTAL date: 2026-04-24 source_task_id: ab16ad36c0c4d5314 --- I have sufficient research data. Let me now compose the brief from all gathered intelligence plus in-context EMYTH architecture knowledge. --- # Avina Home Detox: UHNW Client Portal Research Brief Prepared for Fabian Diaz | Traffic & Access Solutions / Avina Home Detox Research date: 24 April 2026 | Target launch: 1 July 2027 --- ## Executive Summary The Avina client portal is not a patient portal. It is a family-office-grade operations interface for the most demanding buyers in private medicine. The closest market comps (Paracelsus Recovery, Kusnacht Practice, Sollis Health) share one characteristic: their "portals" are people and phones, not software. That is the gap Avina can own. The Masttro and Asora platforms demonstrate what UHNW buyers already expect from financial services: real-time aggregated dashboards, role-based permissioned access, document vaults, and mobile-native interfaces with military-grade encryption. Avina's client portal should import that architecture into the clinical engagement context. The EMYTH-28 panel pattern, offline-first Dexie queue, Supabase jsonb mirror, Cloudflare Worker AI proxy, composite engagement-health score, and Playwright smoke-gate deploy discipline all port directly. The single-owner RLS pattern, jsonb-blob schema, voice UX, and silent error catches do not. PHI lives in Supabase with a signed BAA (Team plan plus HIPAA add-on at $350/month), never in Cloudflare KV or R2, which are outside Cloudflare's confirmed BAA scope for Workers products. 42 CFR Part 2 controls substance-use records (stricter than HIPAA); California CMIA is the floor for CA-resident principals. All three layer. --- ## 1. The Three Portal Zones **Pre-engagement (Planning):** The principal or their FO advisor lands on a private-URL intake environment provisioned on first enquiry. Content is gated behind passphrase invite, not public login. The surface shows: a protocol walk-through (5 to 10 day arc, day-by-day visualised as a timeline card sequence), team bench cards (Medical Director, Senior Nurse, Concierge, Chief of Staff, each with credentials and voice note intro), readiness self-assessment (10 questions, scored to an Engagement Readiness Index analogous to EMYTH's composite score), fee transparency for the family-office tier (retainer structure, daily rate, what is included), consent document preview, and a single call-to-action: "Request the first call with Kelly." **Active engagement (Days 1-10 plus aftercare arc):** The live surface during the detox. Three panels: Status (current phase, next milestone, nursing shift schedule visible as a 24-hour wheel), Clinical Brief (yesterday's summary, generated by the Case Briefing Agent, approved by MD before publication), and Communications Log (timestamped record of every family briefing, who received it, what detail level). Vital sign trends render as a 7-day spark-line, not raw numbers. Medication schedule is visible to principal as phase labels (Stabilisation, Taper, Maintenance), not drug names, unless principal opts in to full disclosure. IV course is visualised as a progress arc (session 1 of 6, etc.). The FO contacts receive a subset of this view per their authorised detail level. **Post-engagement (Steady state):** The long-arc retention surface. Shows: IV maintenance schedule (next appointment, cadence, location options), telehealth booking widget, quarterly Chief-of-Staff review calendar, document archive (discharge summary, aftercare plan, lab reports, consent records), billing history, and referral network access (concierge medicine partners, specialist directory, travel medicine contacts). The aftercare companion agent surfaces here as a weekly reflection prompt, not a chat interface. --- ## 2. Principal vs Family-Office Views: Privacy Boundaries The engagement letter defines a confidentiality boundary between principal and family. The portal enforces it through a `roles` join table keyed to `engagement_id`, `user_id`, and `authorised_detail_level` (enum: PRINCIPAL, FO_HEAD, FO_ADVISOR, FO_COUNSEL, FO_TRUSTEE). Row-level policies in Supabase evaluate this join on every query. No feature flag or application-layer conditional: the data is simply unreachable without the role. Family-office head sees: engagement status (Active/Aftercare/Steady State), retainer and billing records, logistics calendar (arrival, discharge, appointments), and a high-level wellness trend (Engagement Health Index as a single composite score, not its component signals). Does NOT see: clinical notes, medication names, substance history, therapy session content, or principal's own access log. Principal sees: everything above plus full clinical detail at their opted-in level, nursing shift schedule, medication schedule, lab trend data, and an audit log of which FO contacts have accessed the portal and what they viewed. This last feature is the confidentiality enforcement mechanism that matters: the principal can see who in their family office has been reading their engagement. General Counsel sees: consent documents, engagement letter, data processing addendum, and right-to-forget request status. No clinical data. Trustee sees: billing and retainer history only. 42 CFR Part 2 substance-use records require a specific patient consent for each disclosure category. The schema must segregate Part 2 records (column `is_part2_record boolean`) and the application must gate FO access to those records behind an explicit, recorded principal consent that is separate from the general engagement consent. This is a schema implication, not just a compliance note. --- ## 3. EMYTH Patterns: What Ports, What Does Not EMYTH-28 (emyth-28.pages.dev) is the prior art. From session memory: **Port directly:** - Panel architecture: the multi-panel layout with discrete functional surfaces maps cleanly to the three zones. Pre-engagement = onboarding panels. Active = clinical dashboard panels. Steady state = aftercare panels. Panel state persists in Supabase and renders consistently across devices. - Offline-first with Dexie: the offline writeback queue (cf4fdb5 fix for cloudId capture on local rows) is essential for a principal viewing their portal on a plane or in a residence with poor connectivity. Queue writes locally, syncs when online, no silent data loss. - Cloudflare Worker AI proxy: the AI router pattern (routing agent calls through a Worker that selects the appropriate model by privacy zone) is directly applicable. Pre-engagement queries route to a lower-cost model; clinical brief generation routes to a higher-capability model; PHI never touches the Cloudflare layer. - Composite engagement health score: EMYTH's composite score approach (multiple signal inputs, single rendered number) becomes the Engagement Health Index shown to FO contacts. Inputs: medication adherence trend, nursing observation rating, sleep quality, engagement with therapeutic activities. Output: a single number and directional arrow. - Playwright smoke-gate deploy discipline: non-negotiable. Every deploy must pass a smoke gate before principals see it. The EMYTH 92/0 test pattern (92 pass, 0 fail, automated on every push) applies here. Clinical portals cannot have broken states. **Do not port:** - Jsonb-blob schema: EMYTH stores rich data in JSONB columns on a single-user model. Avina has a multi-tenant, multi-role, HIPAA-constrained schema. Every PHI field needs a typed column so row-level policies, audit logging, and Part 2 segregation work correctly. No unstructured blobs for clinical data. - Single-owner `owner=auth.uid()` RLS: EMYTH's RLS assumes one user per record. Avina needs a role-join pattern where multiple authorised parties can access the same engagement record at different detail levels. - Silent catches: EMYTH had a latent offline flush bug because errors were swallowed silently. In a clinical portal, every failed write must surface to the operations layer (the internal hub at avina-home-detox.pages.dev) immediately. - Voice UX as primary interface: Fabian's PVC voice clone failed on AU accent with instant cloning (confirmed per memory). More fundamentally, UHNW principals do not want to talk to a portal. Voice belongs in specific, designed moments (see Section 7), not as a navigation paradigm. --- ## 4. Clinical Compliance Architecture **Where PHI lives:** Supabase with a signed BAA. Team plan plus the $350/month HIPAA add-on. High Compliance project configuration (Point-in-Time Recovery, SSL Enforcement, Network Restrictions). Supabase is confirmed HIPAA-eligible and undergoes annual HIPAA audits alongside SOC 2. Supabase's postgres layer, Auth, and Storage are in scope under the BAA. Cloudflare KV and R2 are not in Cloudflare's confirmed BAA scope for Workers products (CDN, WAF, and Bot Management are in scope; Workers-tier products require direct Cloudflare enterprise confirmation). No PHI touches Cloudflare's edge. The Worker proxy handles routing and authentication tokens only, not content. **Who sees what:** Five principal roles with row-level enforcement as described in Section 2. Clinicians and the Chief of Staff have a sixth role (CLINICAL_TEAM) with write access to clinical records and read access to all fields. An audit log table (append-only, no deletes) records every read and write event with timestamp, user_id, role, and record_id. **Right-to-forget:** On engagement close, a cascade function moves all PHI from live tables to a `phi_archive` schema, sets a retention_expiry timestamp per applicable law (HIPAA minimum 6 years for medical records; California CMIA 6 years; Part 2 records follow the same period post-2024 alignment), and queues an automated deletion job. FO contact access is revoked immediately on close. Principal retains read-only access to their own archive for the retention period. **42 CFR Part 2:** Applies to any federally assisted program providing SUD diagnosis, treatment, or referral. Avina must determine at entity setup whether it meets the "federally assisted" threshold. If yes: all records are Part 2 records, the `is_part2_record` column controls disclosure gating, and FO access requires a separate written consent per disclosure category. The 2024 final rule (effective February 2026) aligns Part 2 penalties with HIPAA and allows a single consent for treatment/payment/operations, but the consent must still be explicit and recorded. **CMIA vs HIPAA:** California Confidentiality of Medical Information Act (CMIA) applies to California-resident principals and is stricter than HIPAA in several respects, including broader definition of "medical information" and stricter consent requirements for secondary use. CMIA controls for CA residents; HIPAA provides the federal floor for all others. 42 CFR Part 2 provides the ceiling for substance-use records regardless of state. In practice: design to the most restrictive layer (Part 2 plus CMIA combined), apply everywhere. **Confidence: HIGH** on HIPAA Supabase BAA requirements. **MEDIUM** on Cloudflare KV/R2 BAA scope (not officially confirmed in writing for Workers products; enterprise agreement required). **HIGH** on 42 CFR Part 2 2024 final rule alignment with HIPAA. --- ## 5. AI Agents Inside the Portal **Intake Concierge Agent (pre-engagement)** - Function: answers principal or FO advisor questions about the protocol, schedules the first call with Kelly, sends the passphrase invite. - Model: Claude Haiku 4.5 (fast, cheap, no PHI in context at this stage). Routing via Cloudflare Worker. - Build effort: 2-3 weeks. Recurring cost: under $50/month at anticipated volume. - Why it matters: replaces the "contact us" form that signals startup. FO advisors expect instant, specific answers. **Case Briefing Agent (active engagement)** - Function: synthesises nursing shift notes, vitals trends, and MD observations into a family-facing brief. MD reviews and approves before publication. Brief is calibrated to the FO contact's authorised detail level. - Model: Claude Sonnet 4.6 (reasoning quality required; clinical context). PHI in context; Worker routes to a private inference endpoint, no edge caching. - Build effort: 3-4 weeks including MD approval workflow. Recurring cost: $150-$300/month. - Why it matters: removes the daily phone call burden from clinical staff while maintaining quality and consent control. **Aftercare Companion Agent (steady state)** - Function: weekly reflection prompt, telehealth booking nudge, IV maintenance reminder. EMYTH-style learning loop: adapts prompt cadence to principal's engagement pattern. - Model: Claude Haiku 4.5 (low-stakes, high-frequency, no clinical data in context). - Build effort: 4-6 weeks. Recurring cost: under $30/month. - Why it matters: the 90-day post-discharge window is where relapse risk is highest and contact frequency is lowest. This agent maintains the relationship without requiring clinical staff time. **Compliance Watchdog Agent (background)** - Function: monitors access logs for anomalous patterns (FO contact accessing outside authorised hours, unusual record fetch volume, failed authentication bursts). Alerts Chief of Staff. No patient-facing surface. - Model: Gemini 2.5 Flash (batch analysis of structured log data; cost-efficient). Runs nightly. - Build effort: 2 weeks. Recurring cost: under $20/month. - Why it matters: HIPAA breach notification requires detection within the covered entity's knowledge. This is the detection layer. **Decision Assistant for FO Contacts (active engagement)** - Function: answers structured FO questions ("we are considering refusing the residential step-down; give me the clinical and legal implications") using the engagement's public-facing clinical parameters plus a curated knowledge base of addiction medicine protocols. Cannot access individual clinical notes. - Model: Claude Sonnet 4.6 with retrieval-augmented generation over a sanitised protocol knowledge base. No raw PHI in retrieval corpus. - Build effort: 4-5 weeks. Recurring cost: $100-$200/month. - Why it matters: General Counsel and Senior Advisor at UHNW family offices make consequential decisions about treatment direction. They need peer-grade information, not pamphlets. --- ## 6. The Planning Tool Layer The principal who is deciding whether to engage at all needs to answer four questions before they will commit: Is this right for me? What will it feel like? Who is in the room? What does it cost? The planning layer answers these with: a readiness self-assessment (10 questions, results in a scored Engagement Readiness Index with a written interpretation, no logins required before this step), an interactive protocol timeline (day 1 through 10 plus 90-day aftercare arc, with expandable detail per phase), team bench cards (photo, credentials, 60-second voice note introduction from each clinician), a fee transparency page (the family-office tier retainer structure, what is and is not included, how billing works), and an aftercare preview (what Steady State looks like 6 and 12 months out). This is content architecture, not a software build. It requires one developer-week to implement on top of the portal's existing React/Next.js scaffold. --- ## 7. Voice Layer Fabian's PVC voice clone (ElevenLabs ID fZf3iXRa1GlIfRlTWify) is the Avina founder voice for internal tooling and aftercare reflection prompts. For the client portal, the named voice should be Kelly's: she is the Chief of Staff and the relationship anchor. Kelly's voice notes (voice memos from iOS) are the raw material; ElevenLabs PVC (Professional Voice Cloning, not instant cloning) is the production path. Instant cloning fails distinctive accents. Voice belongs in three specific moments: (1) the team bench card introduction, where each clinician records a 30-60 second personal note that plays on the planning panel; (2) the morning brief delivered by Kelly to FO contacts on active engagement days (a 90-second ElevenLabs-synthesised audio summary, generated from the Case Briefing Agent output, pushed via the portal's notification layer at 08:00 principal local time); (3) the aftercare reflection prompt in Steady State, where the Aftercare Companion Agent scripts and synthesises a weekly check-in in Kelly's voice. Voice does not belong in navigation, onboarding flow, or any surface where the principal might be in a public or semi-private setting. --- ## 8. The 0.01% Signature Moment Three options, each with a distinct mechanics sentence and a differentiation note: **Option A: The Journey Map.** On portal activation, the principal sees a single full-width visualisation of their entire arc from the day of enquiry to the 12-month post-discharge milestone, with every phase named, every team member placed at the stage where they appear, and the principal's own name rendered at the centre. Mechanics: SVG timeline generated at onboarding from the engagement configuration, updated in real time as milestones are reached. Why this over others: UHNW clients are accustomed to being processed; seeing themselves as the subject of a designed journey signals that Avina has thought about them specifically. No other concierge clinical programme shows this. **Option B: The First Briefing.** 24 hours before admission, the principal receives a single notification: a Kelly-voiced audio brief, 90 seconds, that recaps the protocol, names every team member who will be present on day one, and ends with "we are ready for you." Mechanics: ElevenLabs PVC synthesis from a structured template populated with the specific engagement configuration. Why this over others: the moment of maximum anxiety for the principal is the 24 hours before admission. Addressing that specific moment directly, in a warm human voice, is a product decision that only Avina will make. **Option C: The Consent Ritual.** Instead of a PDF consent form, the portal walks the principal through a seven-step consent sequence, one screen per consent category, each with a one-paragraph plain-English explanation, a linked reference to the relevant regulation, and a voice-read option. Each step is individually time-stamped and signed. At the end, the principal receives a consent record they can share with their lawyer. Mechanics: a bespoke multi-step form with per-step cryptographic signature and a generated PDF certificate. Why this over others: General Counsel at family offices reviews every consent document. A consent architecture that treats the GC as a peer signals that Avina understands who is in the room on the buy side. Recommendation: build Option B first (lowest build cost, highest emotional impact), offer Option A as the ambient portal experience throughout the engagement, and build Option C as the legal differentiator for family offices with active GC involvement. --- ## 9. Build Timeline to July 1, 2027 14 months from today (April 2026). **Month 1 (May 2026): Foundations.** Supabase project provisioned with HIPAA add-on and BAA signed. Schema designed with typed columns, Part 2 segregation flag, role-join table, and append-only audit log. Cloudflare Workers project scaffolded as AI proxy routing layer (no PHI). Authentication flow implemented (magic link plus passphrase invite for FO contacts). Playwright smoke-gate CI pipeline established. Internal hub (avina-home-detox.pages.dev) connected to the same Supabase project via a separate schema. Deliverable: secure, compliant data layer. **Month 3 (July 2026): First working principal flow.** Pre-engagement zone live: passphrase invite, readiness self-assessment, protocol timeline, team bench cards, fee transparency. Intake Concierge Agent deployed (Haiku 4.5, pre-PHI only). Consent ritual built (Option C from Section 8). Offline-first Dexie queue integrated. First internal test with Kelly and Medical Director as simulated principals. Deliverable: planning-to-consent flow end-to-end. **Month 6 (October 2026): Full Steady State.** Active engagement zone live: Status, Clinical Brief, Communications Log panels. Case Briefing Agent with MD approval workflow. FO contact role-based views. Composite Engagement Health Index rendered. Post-engagement zone: IV maintenance schedule, telehealth booking, document archive, billing. Compliance Watchdog Agent running nightly. Right-to-forget cascade function implemented and tested. Deliverable: complete portal for a live engagement. **Month 12 (April 2027): AI agent layer complete.** Aftercare Companion Agent live with EMYTH-style learning loop. Decision Assistant for FO contacts live with RAG over protocol knowledge base. Kelly's PVC voice clone trained (minimum 3 hours of clean audio required for ElevenLabs PVC). Morning brief audio generation automated. Journey Map visualisation (Option A) built and rendered on portal activation. Full penetration test by external healthcare security firm (required for any HIPAA entity before go-live). **Month 14 (June 2027): Launch readiness.** External security audit findings remediated. BAA countersigned and filed. Staff trained on portal operations. Playwright smoke-gate expanded to cover all 42 CFR Part 2 consent flows. Soft launch with two or three known engagements before July 1 public launch. --- ## 10. What a Family-Office Advisor Reads in 10 Seconds The signals that communicate peer-grade in the first screen: **Typography and restraint.** No product photography, no orange CTAs, no testimonials. A single serif wordmark, generous whitespace, and a muted palette (slate, warm white, one accent). The visual language of a Swiss private bank, not a wellness brand. **Named people, not roles.** "Dr. Marcus Holloway, Medical Director, 22 years in critical care medicine" is a signal. "Our experienced clinical team" is a startup signal. **Precision of language.** "This programme spans 7 days of medically supervised residential detox followed by a 90-day structured aftercare arc with weekly telehealth contact and quarterly Chief-of-Staff review." That level of specificity tells the FO advisor that the programme is designed, not improvised. **The engagement letter is already here.** A link to the draft engagement letter on the first screen, available without a call, tells the GC that Avina anticipated their process. No other concierge programme does this. (Paracelsus and Kusnacht require a phone call before any legal documents are shared.) **The portal itself.** An FO advisor who sees a passphrase-protected, role-permissioned client portal on first contact knows they are dealing with an organisation that has built infrastructure for discretion. Sollis Health's portal is described in marketing terms only; Paracelsus has no named digital client experience. The existence of a functional, designed portal at the enquiry stage is itself the signal. --- ## Sources - [Sollis Health Membership](https://www.sollishealth.com/membership) - MEDIUM confidence on portal feature details; marketing-level description only, no technical specification public - [Paracelsus Recovery](https://paracelsus-recovery.com/) - HIGH confidence on confidentiality approach; MEDIUM on "family area" digital features (no public portal described) - [Kusnacht Practice](https://kusnachtpractice.com/) - HIGH confidence on client experience model; portal/digital features paywalled or non-existent in public description - [Masttro family office software](https://masttro.com/family-office-software) - HIGH confidence on FO portal feature set and design expectations - [Asora family office portal](https://asora.com/blog/family-office-portal) - HIGH confidence on FO contact permissioning and document vault patterns - [Supabase HIPAA documentation](https://supabase.com/docs/guides/security/hipaa-compliance) - HIGH confidence; BAA requires Team plan plus $350/month HIPAA add-on - [Supabase HIPAA Projects](https://supabase.com/docs/guides/platform/hipaa-projects) - HIGH confidence on configuration requirements - [42 CFR Part 2 HHS](https://www.hhs.gov/hipaa/part-2/index.html) - HIGH confidence; 2024 final rule effective February 2026 - [Cloudflare HIPAA BAA scope](https://hipaatimes.com/is-cloudflare-a-hipaa-compliant-cloud-vendor-2025-update) - MEDIUM confidence; CDN/WAF confirmed in scope, KV/R2/Workers not confirmed; enterprise agreement required for clarity - EMYTH architecture: panel pattern, offline Dexie queue (cf4fdb5), Cloudflare Worker AI proxy, composite score, Playwright smoke gate, single-owner RLS, jsonb-blob schema, silent catches, voice UX limits - drawn from session memory files (session_17apr2026_emyth_full_build.md, session_21apr2026_emyth28_phases_0_to_6.md, session_17apr2026_emyth_offline_writeback_and_manual.md) - HIGH confidence, primary source --- ## Confidence Assessment | Finding | Confidence | Basis | |---|---|---| | Supabase BAA: Team plan + $350/month HIPAA add-on required | HIGH | Supabase public documentation | | Cloudflare KV/R2/Workers outside confirmed BAA scope | MEDIUM | Third-party HIPAA analysis; not Cloudflare official statement | | 42 CFR Part 2 applies if Avina is "federally assisted" | HIGH | HHS.gov; whether Avina qualifies requires entity-level legal review | | CMIA is stricter than HIPAA for CA-resident principals | HIGH | Established legal authority | | Paracelsus/Kusnacht have no named digital client portal | MEDIUM | Absence of public evidence; may have internal portals not marketed | | Masttro/Asora set FO expectations for portal feature parity | HIGH | Public product documentation | | EMYTH panel/Dexie/smoke-gate patterns are transferable | HIGH | Primary source: Fabian's own codebase | | ElevenLabs PVC required (not instant cloning) for Kelly voice | HIGH | Confirmed failure of instant cloning on distinctive accents per session memory | | 14-month build timeline is achievable | MEDIUM | Assumes 1-2 dedicated engineers; no prior art on HIPAA-compliant portal built in this timeframe at this specificity |