Clinical Research Philadelphia

Operations Portal

Twelve agents doing the busywork. On top of CRIO, not against it.

Four surfaces · fourteen integrations · twelve production agents · a CRIO write-back bot · a 4-layer revenue platform · one design system.

What we built

In plain English.

The day-to-day operations of our site, mostly on autopilot — so the team handles the exceptions, not the busywork.

Getting patients in

Auto-collect leads from website + ads, auto-check who qualifies for which study, book online with automatic reminders, and win back no-shows & cancellations.

Running the day

One screen shows every visit and what's missing (records, consent, at-risk patients) — and catches scheduling mistakes (double-bookings, wrong site or time) before they happen.

Handling the messages

Every reminder and confirmation goes out automatically with guardrails, AI reads & routes incoming faxes and voicemails, and (early) an AI voice agent can pre-screen by phone.

Getting paid

Track what every study earns, what's invoiced, and what's owed; show profit per study; a bot updates the billing system; and (built, switched off) automatic collections.

Safe & compliant

Role-based access and patient-data protection, automatic data-quality checks every morning with a full audit trail, and an automatic test behind every rule we care about.

Not drowning in busywork

Dozens of scheduled jobs run all of this through the day, and assistant agents surface what needs attention — but a human always approves before anything goes out.

The honest version: most repetitive work a coordinator, recruiter, or finance person used to do by hand now happens automatically, with safety checks that catch mistakes. The rest of this deck is the detail behind each of these.

Portal overview

Four production surfaces.

Each serves a distinct audience. All share one BigQuery dataset and one component library.

Surface 01 · Internal

Unified operations dashboard

Operations dashboard (Cloud Run, auth-gated)

Internal Dashboard

TodayLeadsScheduleCommsStudiesAdmin

12book today

3SAEs open

1visit-window risk

Recruitment, schedule, leads, comms, study performance, and study management. Backed by BigQuery views and the CRIO API.

Users: coordinators, recruiters, PIs, leadership (RBAC-scoped views).

Surface 02 · Internal

Finance dashboard

Finance dashboard (Cloud Run, auth-gated)

Finance

$XXkthis week

11/11checks ok

1cap exceed

Sponsor A$XX,XXX · reconciled

Sponsor B$X,XXX · pending

The 4-layer revenue & receivables platform — data-health → revenue validation → per-study margin → collections — over the dollar-journey reconciliation spine. Per-study margin (contribution + fully-loaded), invoicing, and CRIO write-back for payments, invoices & reconciliation (live); mark-paid write-back is built and validated in test, not yet enabled in production. Gated to finance and leadership.

Users: finance team, leadership.

Surface 03 · Public

Patient-facing site & landing pages

phillyresearch.com · joinresearchstudies.com

joinresearchstudies.com

Find a clinical trial that fits you.

Check Eligibility →

CardioDermMetabolicLp(a) test · free

Study browse, eligibility intake, and scheduling for pre-screening (Lp(a), FibroScan).

Users: prospective patients, referring providers.

Surface 04 · Public (auth)

Provider portal

Provider referral portal (token-gated)

phillyresearch.com/refer — token-gated

PatientSmith, J · DOB 1968-03-12

OrderLp(a) + FibroScan · free

Send toCRP · auto-faxed back to clinic

Send referral

Direct-from-clinic ordering for Lp(a) and FibroScan, fax-back referrals, and a study list with eligibility criteria.

Users: referring physicians and clinic staff.

Production scope

Live counts · June 2026.

The current footprint, derivable from live deployments.

4

Production surfaces

12

Production agents (voice + mark-paid dark)

26

Modular code units

4

Revenue/receivables layers

~91

Scheduled cron jobs (85 on)

1,559

Passing unit tests

~455

Memory / decision documents

~3min

Push-to-production deploy

Highlight

What runs without anyone touching it

A morning in the dashboard.

Twelve automated actions, 6am–noon, typical weekday. At most sites each one would need a human.

06:00eSource QCScanned 47 subjects. 3 visit-window risks flagged.

06:15No-Show ScorerScored 12 appointments. 2 high-risk → coordinators.

07:00Finance ManagerDigest sent. 11 / 11 checks OK. $XXk week-to-date.

07:00Dollar JourneyReconciled 3 deposits. 1 CTA cap exceed.

07:08Voicemail Triage3 voicemails routed: reschedule · new lead · lab inquiry.

08:30Eligibility MatcherNew lead → 3 protocols matched. 2 confirms surfaced.

08:45Comms QAHeld 1 message. Rule: gate payment notice on results.

09:12Alert RouterTask: Visit-window miss · Subj 1042. Due EOD.

10:00Recruitment MgrSurfaced 4 stale leads to recruiters.

10:30eSource QCPaused STUDY-B. 3σ findings spike.

11:00Fax Classifier8 faxes processed. 5 lab results auto-filed.

11:45Health-ScanCleared 2 expired smoke artefacts. No alerts.

12

Automated actions

0

Humans involved

~80

Subject & visit touches

6h

Before lunch

Integration surface

External systems we read from and write to.

CRIO upstream. BigQuery canonical. Other vendors handle channels.

System	Role	Read access	Write access	Notes
CRIO source	EDC / clinical	REST API · webhooks · Fivetran CDC	PUT (allowlisted) + UI writer	Patient, study, visit, appointment, action-type. Finance (payments/invoices/mark-paid) via a Computer-Use browser writer — no finance API. Site-scoped.
BigQuery store	analytics store	SQL views	scheduled loads & mat. views	Canonical dataset behind every dashboard.
Telnyx channel	SMS · fax	delivery webhooks	send SMS · send/receive fax	Outbound SMS through one chokepoint · DNC + throttle + quiet window.
Google Voice source	voicemail intake	poll / transcript fetch	—	Voicemail triage. Claude classifies + auto-routes. Every 10 min · M–F.
GCS store	binary blob storage	signed URLs	agent uploads	Fax media + scraper artefacts. Replaced Firestore for binaries.
Tremendous channel	payments	order-status webhook	issue rewards (Visa)	Patient stipends and Lp(a) early-payment flow.
SignWell channel	e-signature	completion webhook	create signature requests	Consent capture · webhook updates the patient's consent status.
Gmail · Google APIs channel	email · drive	DWD service account	send email · drive writes	Outbound patient comms (queue-gated) and finance-direct mail.
JotForm source	intake	webhook endpoint	—	Single endpoint for form intake.
GitHub Actions infra	CI/CD	repo	deploy to Cloud Run · Firebase	Auto-deploy on push to main.

Plus four more not shown above — Meta Ads, Uber Health, ClickUp, and QuickBooks — fourteen integrations in total.

Operating context

How the portal is hosted, secured, and observed.

For integrations, audits, and incident response.

Hosting & deploy

Cloud Run + IAP for internal · Firebase Hosting for public.
Auto-deploy on push to main via GitHub Actions.
Rollback is a single revert.

Data & storage

BigQuery for analytics · Firestore for stateful records.
No spreadsheet data store. Ever.
Cross-system reconciliation in the validation harness.

Security & observability

IT security: 14 monitoring sections · auto-suspend every 15 min · owner digest 8am ET (suppress-empty).
Langfuse for agent tracing.
Daily finance digest 7am ET · 11 checks.

Primary contact

aneesh@phillyresearch.com

Organisation

Clinical Research Philadelphia, LLC

Document version

v6 · June 16, 2026

The automation surface

Single source of truth for everything that runs without a human.

Agents, rules, and routines — inventoried in one tab. This slide mirrors it.

12

Production agents

6

Active rule sets

~91

Scheduled cron jobs (85 on)

9

Send-time comms guards

Production agents 12

No-Show Risk ScorerDaily 6am ET
Recruitment Manager30 min · M–F
Finance ManagerDaily 7am ET
Dollar Journey DigestDaily 7am ET
Comms QA ReviewerPer comm
Eligibility MatcherPer submission
Fax Classifier (Telnyx + Claude)30 min
Undocumented Cancel AlerterOn-demand
eSource QC (full workflow)Engine 6am · digest 7am ET
Voicemail TriageEvery 10 min · 7a–9p M–F
CRIO Writer (Computer Use)Approval queue · payments/invoices
AI Voice Caller (Telnyx)Dark · speed-to-lead pre-screen

Active rules 6 sets

Eligibility Rulesaudited weekly
SMS GuardrailsDNC + throttle
Comms QAbrand · tone · template
Locked Tabs (RBAC)4 layers
eSource QC Rule Library17 rules · 41 citations

+ 1 more

Scheduled routines key · of ~91

eSource QC EngineDaily 6am ET
eSource QC Digest → ops@Daily 7am ET
Alert Router Resolution SweepEvery 30 min
Voicemail Classify + RouteEvery 10 min · M–F
Dollar Journey Daily DigestDaily 7am
Recruitment Manager Weekly ReviewSun 9am · weekly

+ 5 more

Live example Alert Router → Visit-window miss · Subj 1042 · V4 · assignee @coord.j · due 2026-05-15 EOD · 30-min resolution sweep armed. 7m ago

How the layers connect

Three layers, two flow patterns.

Sources above, surfaces below. The core in the middle is where logic, automation, and audit live.

Layer 01 · Sources

External systems of record. CRIO above all; thirteen others. Detail on the integration-surface slide.

↓ Fivetran sync · REST API · webhooks ↓

Layer 02 · Application core

BigQueryCanonical store + materialized hot-path views (one query 11GB→0.25GB)

Cloud FunctionsAgent loops · webhooks · transforms

Agent fleet12 agents · detail on the Automations slide

ChokepointsSMS DNC · comms QA · read-back-verified booking & mutation writes

QC engineeSource QC + screen-fail · 3σ auto-pause

FirestoreLive state · audit log · agent state

↓ Cloud Run + IAP · Firebase Hosting · Auto-deploy on push to main ↓

Layer 03 · Surfaces

Four deployed surfaces + the design system. Detail on the surfaces slide.

The visual layer

One design system. Every surface — including this deck.

One visual language across all four surfaces. A private repo, git-submoduled into every property.

Navy#072061

Blue#1843AD

Cyan#A2DCEB

Orange#FF9933

Orange (text)#b35900

Background#f0f4fa

Typography

Inter + Market Pro

Inter — body and UI on every surface, weights 200–800.

Market Pro — handwritten accent, always orange, sparingly. Landing-page hero · Lp(a) cards.

Components (helper library)

23 helpers

Chips, buttons, KPI tiles, badges, flags, action rows, panels, and more — one helper per component.

Object args, schema-validated. Every helper emits a tagged marker for lint + audit.

Brand assets

Logos, gradients, motion

Two gradients for hero treatments (navy→blue, orange→navy). Logo lockups + favicons + email-shell templates centralised in the same repo.

Email + SMS render against the same tokens; this presentation does too.

Repo: private · color & type tokens · component stylesheet · helper library · manifest · a locked doctrine (v1.0, 2026-04-27).

Design doctrine

Six rules for using it consistently.

The contract for using it. Every visible element obeys these rules.

Principle 01

Tagged elements only

Every visible element carries a design-system marker. Drives lint, audit, debug overlay.

marker + class · always paired

Principle 02

Helpers only — never hand-rolled HTML

No raw component markup anywhere. Object args, schema-validated. The 23 helpers are inventoried on the previous slide.

helper(opts) · never raw markup

Principle 03

Lint enforces the contract

Three lint rules + headless CI audit. Coverage floor 80%, rising to 100%.

3 lint rules · CI-gated

Principle 04

WCAG AA contrast everywhere

Two oranges: text-orange for type + buttons (AA contrast), decoration-orange for accents. Never mixed.

--crp-orange-text vs --crp-orange

Principle 05

Coverage rises, never falls

Floor starts at 80%, ratchets to 100% as modules retrofit. CI fails below the floor. Legacy is grandfathered with an expiring annotation.

coverage check · CI gate

Principle 06

Inter for body. Market Pro only as accent.

Hand-drawn warmth, orange-only, never for body copy.

font-sans · font-script (orange only)

Engineering doctrine

Six rules that keep the system safe and honest.

Constitutional principles. Every agent, chokepoint, and audit trail honours them.

Principle 01

Two places, one truth

One source-of-truth per fact. Four lint tripwires enforce it.

source of truth + derived caches · never both writable

Principle 02

Chokepoint pattern

Every mutating action funnels through one function with default-on safety guards: DNC, throttle, kill switch, idempotency.

one guarded chokepoint per write class

Principle 03

CRIO is observed, never written without evidence

Read-only by default. Trait writes are blank-fill only; coordinator data is authoritative. The finance write-back bot reads back every write and confirms storage == intent before reporting success.

blank-fill only · completed-visit guard · read-back verify

Principle 04

Bank deposit is the only trusted financial event

CRIO has no financial-write API. We reconcile against the deposit, never CRIO claims.

dollar-journey reconciliation · 53-mode FMEA

Principle 05

LLM is a narrator, not an actor

Schema-validated outputs cite subject, visit, and evidence row. Severity capped by ground-truth tier.

rule-id enum · ground-truth tiers 1–4

Principle 06

Append-only audit · auto-pause on drift

Every action logged (21 CFR Part 11). Auto-pause on 3σ findings spike.

append-only run log · 3σ kill switch

By-construction guardrails (Jun 2026): enforcement-liveness audit · strict null checks · role-inbox registry · read-back-verified mutation chokepoint — detection moved from months to compile-time / CI.

Who uses the dashboard

39 users · 8 roles · default-deny RBAC.

Every staff member has a role; every role has a fixed tab list. 4-layer default-deny. Unassigned staff are blocked.

Role	Users	Tabs visible
admin	1	11 (incl. leadership + admin)
leadership	4	9 (operational + leadership)
finance	2	4 finance-only
ops	7	7 operational
coordinator	7	7 operational
recruiter	5	7 operational
investigator	11	4 investigator-scoped
readonly	2	3 minimal

4-layer enforcement: CODEOWNERS on locked tabs · locked-section script · branch protection · runtime gate. Site scope: coordinators are site-scoped (currently all PHL); ops, recruiters, leadership see ALL. Hierarchy: admin is a strict superset of leadership.

Where this is going

Four themes that anchor the next phase.

The dashboard is the foundation. Four bets build on top — each compounds the others.

Theme 01

Magic

Agent-orchestrated patient qualification, end to end.

Five manual handoffs and ~60% candidate leakage compressed into one pipeline
9 phases · 6 shipped · 3 in flight. HIE / lab recon = Phase 3 roadmap.
Foundation for enrollment-as-a-service

Theme 02

Plug-and-play

Backend-once, frontend-anywhere — multi-site by construction.

Same data layer + agent fleet + chokepoints feed any site
Logo in → design system out, generated automatically
New site: minutes, not months

Theme 03

AI-native query

Natural language over the unified data model.

"How is enrollment trending for Sponsor X this quarter?" → answer in seconds
Reads across CRIO, ClickUp, finance, comms, audit log in one prompt
Conversation-as-UI replaces dashboard-as-UI for the long tail

Theme 04

Sponsor portfolio

The same data, a sponsor's questions — cross-site, cross-study.

Enrollment trajectory · recruitment health · regulatory posture
First commercial-facing surface for sponsor / CRO partners
One sponsor = many sites · sponsor-owned access scope

What we need from CRIO

Three pillars, nine asks.

Each ask is grounded in a postmortem or workaround. Platform changes that would let us delete compensating code.

Pillar A · Write safety

Make the platform refuse what shouldn't happen.

A1

Server-side subject status state machine

Reject regressions like ENROLLED → INTERESTED at the API layer.

A2

Trait-write protection for completed visits

Refuse trait, medication, or history overwrites for any patient with a completed visit; allow blank-fill only.

A3

Strict enum errors that name the rejected value

Return "actionType=INVALID not in enum" instead of "actionType is required."

Pillar B · First-class data model

Promote the entities we work with daily.

B1

Sponsor · CRO · enrollment target as entities

Structured fields on the study record, not free-text in notes.

B2

Test-vs-production patient flag

Boolean on the patient record, respected by every read and aggregate.

B3

Curated tables — consent versions · IP canon · visit windows

Read-write API replacing "only-in-PDF" as the source of truth.

Pillar C · API completeness

Close the gaps we hit in the read/write paths.

C1

Subject-level mutation endpoint

A direct PUT /subject/{id} instead of burying status updates inside studies[] on Patient PUT.

C2

Bulk write + idempotency keys

Batch N records per call; client-supplied idempotency token for safe retry.

C3

Document content access

API surface for subject-document file bytes, not just metadata.

What works well 90-day breaking-change notice · 24/7 sandbox since Dec 2025 · 8-event webhook coverage · Andrei + Joshua respond within hours

Appendix · 01 of 02 · example flow

One patient, traced end-to-end.

A real flow. Each step touches a different integration; agents fill the gaps.

01

Patient submits form

JRS landing site, 3-step condition-first form, HIPAA authorization captured

joinresearchstudies.com

02

Eligibility match

Evaluates against the approved-rule set (audited weekly)

Claude · BigQuery match views

03

Recruiter alerted

SMS through chokepoint · DNC + throttle + auto-pause

Telnyx · SMS DNC guard

04

Recruiter calls

Patient Card modal · interaction logged to CRIO

Dashboard · CRIO API

AGENT

Recruitment Manager

Surfaces stale leads back to recruiters with bombardment guards

Magic Phase 7

05

Booking

Webhook → CRIO subject created → confirmation SMS

CRIO · JotForm webhook

06

Consent signed

SignWell webhook auto-fills consent status · HMAC verified

SignWell · BQ

07

Visit happens

Live procedure progress in Schedule tab

CRIO · Fivetran

AGENT

Finance Manager

Daily 7am ET — 11 checks until payment lands

until payment lands

Each transition logged · every outbound message QA-reviewed. Agent steps in navy — automation closing gaps.

Appendix · 02 of 02 · for reference

Glossary.

Abbreviations used above.

Cloud, data & AI

BigQuery (BQ): Google's data warehouse. The canonical analytics store behind every dashboard.
Cloud Run · Cloud Function: Google's serverless platforms. Cloud Run hosts auth-gated dashboards; Cloud Functions power agent loops + webhooks.
Firestore: Google NoSQL document DB with point-in-time recovery. Holds visit confirmations, audit log, agent state.
Fivetran: Managed ETL service. Syncs CRIO → BigQuery every ~15 min.
Claude · Langfuse: Anthropic's LLM (the model under every agent) and the observability layer that traces every prompt + response.
Design-system helpers: Shared helper library — 23 helpers consumed by every CRP surface.

Security & compliance

RBAC: Role-Based Access Control. Determines which dashboard tabs each staff member can see.
IAP · DWD: Identity-Aware Proxy (Google Cloud auth gate). Domain-Wide Delegation (Workspace service-account auth on behalf of users).
HIPAA · 21 CFR Part 11: US patient-privacy regulation · FDA rule on electronic records (audit-trail requirement for clinical trials).
HMAC · 3σ: Cryptographic check that a webhook payload wasn't forged · three standard deviations from mean (auto-pause threshold).
gitleaks · Semgrep · Checkov · SBOM: Pre-commit secret scanner · static-analysis security scanner · IaC config scanner · Software Bill of Materials (dependency manifest).
CODEOWNERS · ALCOA+: Git enforcement of required reviewers · clinical data-integrity principles (Attributable, Legible, Contemporaneous, Original, Accurate, +).

Clinical, vendor & channels

CTMS · EDC: Clinical Trial Management System · Electronic Data Capture. CRIO is both.
CRA · IRB · DOA: Clinical Research Associate (sponsor monitor) · Institutional Review Board (ethics + protocol approval) · Delegation of Authority log.
I/E · DNQ · AE/SAE: Inclusion / Exclusion eligibility · Did Not Qualify · Adverse Event / Serious Adverse Event (SAE = 24h/15-day reporting).
HIE · FHIR · NCT: Health Information Exchange · FHIR R4 clinical-data API · ClinicalTrials.gov study identifier.
HSX · NJHIN: HealthShare Exchange (PA) · NJ Health Information Network. Our two HIE applications.
CTA · DNC · CAPI · FMEA: Clinical Trial Agreement (sponsor↔site contract) · Do Not Call list · Conversion API (server-side ad tracking) · Failure Modes & Effects Analysis.