Project Background

MediSync, a healthcare SaaS company, is preparing to launch a new compliance dashboard for hospital administrators that tracks audit logs, access controls, and data retention status across patient record workflows. The product is intended for 35 enterprise hospital customers, and leadership has committed to a launch in 12 weeks to support Q4 renewals and reduce churn risk.

You are the program manager leading a cross-functional team of 11 people: 4 engineers, 2 QA analysts, 1 designer, 1 product manager, 1 security lead, 1 compliance analyst, and 1 customer success manager. The project must meet HIPAA and SOC 2 control requirements before release, while also satisfying customer requests for configurable reporting.

Key Stakeholders

The CTO wants the launch completed this quarter to support a major sales pipeline. The Head of Compliance will not approve release without documented control mapping and evidence collection. The VP of Customer Success wants two high-value customers included in an early pilot, while Engineering is concerned about the team’s limited bandwidth because one engineer is allocated 40% to production support.

Constraints

• Timeline: 12 weeks, with no approved extension
• Budget: $180,000 remaining, including external audit review and penetration testing
• Dependencies: external security assessment must be completed by week 8; legal review requires 10 business days; customer pilot environments take 1 week each to provision
• Team capacity: 1 backend engineer available only 60% of the time

Complications

1. A key hospital customer requests custom retention reporting not in the original scope.
2. The external auditor has warned that evidence gaps in access logging could delay sign-off by up to 2 weeks.
3. Sales has informally promised pilot access to a customer before compliance review is complete.

Your Task

1. Build a 12-week execution plan that ensures compliance with HIPAA and SOC 2 requirements.
2. Define how you will manage scope trade-offs between compliance work and customer-requested features.
3. Identify the critical path, key risks, and mitigation actions.
4. Propose launch criteria, pilot sequencing, and a rollback or hold strategy if compliance sign-off slips.
5. Specify the metrics and checkpoints you would use to confirm the project is launch-ready.