top of page
Case study
Building Quality from the Ground Up for a Virtual Healthcare Benefits Platform
Plexteq established a full-spectrum QA practice for a US-based virtual healthcare benefits provider - cutting release cycles from quarterly to weekly and eliminating recurring regression failures across a PHP web application and Flutter mobile app.
Project Highlights
Industry
Virtual Healthcare Benefits
Market
United States
Team Size
8 engineers
Engagement
2023 – now
Expertise
Manual QA, Automation QA, ISO/IEC 25010:2011
Expertise Applied
Business Challenge
​​
Our client operates at the intersection of employer benefits and virtual care, giving members access to a curated marketplace of virtual healthcare services - including a pharmacy benefit and prescription savings network, an on-demand virtual physician consultation platform, and a behavioral and mental health support program. The product handles electronic protected health information (ePHI) on behalf of its members, placing it firmly within the scope of HIPAA and the obligations that come with it. The product depends on seamless coordination between embedded third-party service integrations, precise benefit eligibility logic, and a reliable, compliant member experience across both web and mobile.
Despite strong market traction, the client was caught in a quality trap that threatened to hold the entire business back. Their previous engineering vendor had delivered a working product but left behind no systematic testing practice. Regression issues resurfaced with every release, and the only way to ship with any confidence was to run exhaustive manual checks - a process so time-consuming it pushed the release cadence to once every three months.
For a company whose competitive edge depended on rapidly onboarding new service partners and rolling out plan customisations for employer clients, a quarterly release window was not a constraint - it was a ceiling.
Key Challenges
Uncontrolled regression across core memberflows
Every release introduced a fresh wave of regression defects in the product's most critical paths - benefit eligibility checks, virtual physician session launch, prescription savings lookups, and mental health plan enrollment. With no automated safety net, breakages only surfaced after code had already reached production.
No test management or requirements traceability
There was no test management system, no structured test cases, and no traceability between business requirements and what had actually been verified. Testing was ad hoc and undocumented, making it impossible to know what was covered, what was at risk, or why the same issues kept coming back.
90-day release cycle driven by fear, not process
The team was releasing once every three months - not because the product required it, but because the lack of a structured quality gate made every deployment a high-risk event. Business stakeholders were unable to ship improvements at a pace that matched market demand.
HIPAA compliance with no QA framework to back it up
As a platform handling electronic protected health information (ePHI) - the product was subject to HIPAA's Security and Privacy Rules. Yet there was no QA framework in place to validate that ePHI was handled correctly across access controls, data transmission, audit logging, or third-party integration boundaries. Compliance was assumed rather than verified, creating significant regulatory and business risk.
Solution Delivered​
Plexteq approached the engagement as a quality transformation, not a quick fix. Rather than layering automation on top of an undefined process, the team started with a foundational audit and built the QA practice systematically - from strategy through to automation - in a deliberate sequence that allowed value to be delivered at every phase.
↳ Phase 1. Discovery & strategy
Plexteq's QA leads conducted a full analysis of the existing application features across both the PHP web platform and the Flutter mobile app. Every functional area - from member onboarding and benefit plan selection to the integrations with the prescription savings network, the virtual physician consultation service, and the behavioral health program - was inventoried and mapped. A requirements traceability matrix was established to ensure that every testable requirement had explicit test coverage. Given the platform's obligation to maintain HIPAA compliance as a handler of ePHI, the QA strategy incorporated compliance-oriented test dimensions from the outset - covering access control verification, ePHI data handling across integration boundaries, audit logging behaviour, and data transmission security. This was formalised within the broader ISO/IEC 25010:2011 framework, covering functional suitability, reliability, usability, security, and compatibility.
​↳ Phase 2. Infrastructure ​
Plexteq established a structured three-tier infrastructure - development, staging, and production - each with isolated data and consistent configuration. A blue-green deployment strategy was introduced, allowing the team to run two identical production environments in parallel. This made rollbacks instantaneous: if a deployment surfaced an unexpected issue, the team could switch traffic back to the previous stable state within minutes, eliminating the all-or-nothing risk that had previously made every release a high-stakes event.
↳ Phase 3. Test Management
T​estRail was introduced as the central test management platform, giving the team a single source of truth for test cases, test plans, and run history. Test cases were authored for every critical user journey first - member registration, benefit eligibility resolution, virtual care session initiation, and plan management - before gradually extending coverage to non-critical features. A sanity test suite was defined as a fast-pass gate to validate build stability before proceeding to full regression, becoming the practical enabler of shorter release cycles.
↳ Phase 3. Automation
With a stable manual baseline in place, Plexteq implemented a two-layer automation strategy. End-to-end regression tests were built with Playwright, covering critical member-facing journeys across the web application - benefit eligibility flows, virtual care session launch, and plan management. Playwright's cross-browser reliability and strong async support made it a natural fit for an application with multiple embedded third-party service touchpoints. The second layer used PHPUnit to test the PHP backend directly - validating service partner API contracts, eligibility logic, and data handling in isolation from the UI. These backend tests were designed to run fast and early in the development cycle, giving engineers immediate signal on regressions before any code reached staging.
Technology & Approach
​​
Healthtech Domain Expertise
Testing a virtual healthcare benefits platform is not the same as testing a generic SaaS product. The platform handles electronic protected health information (ePHI) - including member health plan data, prescription records, and virtual care session details - making HIPAA compliance a non-negotiable quality dimension, not an afterthought. Plexteq's QA engineers brought direct experience with the compliance and reliability standards that govern software in this space, and structured the entire quality programme with that regulatory context in mind.
HIPAA-oriented test coverage was built into the QA strategy from Phase 1, targeting the specific risk areas that ePHI handling introduces: role-based access controls, data minimisation at integration boundaries, secure transmission of health records between the platform and its embedded service partners, audit trail completeness, and session handling for virtual care flows. These were not treated as a separate compliance checklist but as first-class test scenarios within the traceability matrix, ensuring they received the same rigour and regression coverage as functional requirements.
Particular care was applied to the integration touchpoints with each embedded service partner - the prescription savings network, the virtual physician platform, and the behavioral health program - each of which carries its own data contract, ePHI exposure surface, session-state expectations, and failure-mode behaviour. PHPUnit integration tests were designed to validate these contracts explicitly, ensuring that changes on either side of an integration boundary were caught before they reached members or created a compliance gap.
Business Outcome
​
12×
More frequent releases
from quarterly to weekly production deployments
0
Recurring incidents
​
after the quality process was fully operational
<1 hr
Rollback time
​
in the event of a failed deployment, down from hours of manual recovery
100%
Critical journeys covered
​
by structured test cases and automated regression runs
↳ Strategy and process: the foundation that made everything else possible
The most consequential change was not a tool or a test - it was the establishment of a coherent quality strategy where none had existed before. Before Plexteq's engagement, the team had no documented understanding of what needed to be tested, in what order, or against what standard. The requirements traceability matrix changed that entirely: for the first time, every feature and every compliance requirement had a corresponding test case, and every test case had a clear owner, a known execution history, and a traceable link back to the business need it was validating.
This traceability had an immediate and measurable effect on the regression problem. The recurring defects that had plagued every previous release were not random - they were the predictable consequence of testing that was unstructured, undocumented, and impossible to reproduce consistently. Once the traceability matrix was in place and test cases were authored systematically in TestRail, the team could execute regression cycles with full coverage confidence. Gaps that had previously been invisible became explicit, and the act of closing those gaps became a trackable, manageable process rather than a continuous fire drill.
The sanity testing strategy delivered the most immediate business impact. By defining a curated fast-pass suite of high-priority test cases - covering the critical member flows that had to work before any release could proceed - the team created a reliable quality gate that could be executed quickly and consistently. This was the direct mechanism that unlocked weekly releases: not automation, but structured human judgement applied systematically at the right moment in the release cycle. Stakeholders no longer needed to wait three months to ship improvements; they could release with confidence on a weekly cadence because the sanity suite gave them a clear, repeatable signal of production readiness.
The manual QA practice also surfaced a class of issues that no automated suite would have caught in the short term: usability problems in benefit enrollment flows, inconsistent behaviour across the mobile and web applications for the same member action, edge cases in eligibility resolution that only appeared under specific plan configurations, and gaps in HIPAA-relevant audit logging that had never been formally verified. These findings were not incidental - they were the direct output of disciplined exploratory and manual regression testing conducted by engineers with healthtech domain knowledge, working from a well-defined test strategy rather than guesswork.
↳ Automation: locking in the gains
The Playwright regression suite gave the team repeatable, browser-level confidence on every release candidate without the manual effort that had previously bottlenecked deployments. The PHPUnit integration layer caught backend regressions at the source - before they had a chance to surface as user-facing failures. Together, these two layers meant that both the interface and the integration logic underpinning it were continuously validated, not just at release time but throughout the development cycle.
bottom of page