
Marion County MCSDD case managers were spending 15–20 minutes drafting each goal — across nine required clinical domains, by hand, in disconnected systems. At peak caseload, documentation wasn't a task on the list. It was the list.
Each ISP required documenting nine clinical domains with precision. Missouri state auditors require specific active language structures — "Staff will provide instructional support to learn how to use the AAC device" rather than "will try to improve communication". Plans written in passive voice came back rejected. Every rejection meant another revision cycle, another delay, and another week before services could begin for the individual waiting.
Case managers spent 15–20 minutes per goal across nine required clinical domains — demographics, communication profiles, personal preferences, relationships, health risk, and measurable outcomes — entirely by hand, in disconnected systems. A plan with multiple goals could take hours to produce and still return from audit with rejections. The result was documentation fatigue that consumed the time and energy meant for the people case managers were there to serve.
State auditors require rigorous Active Treatment language, structured communication profiles, and documented person-centered supports. Vague phrasing, missing communication barriers, or undocumented natural supports led to rejected plans, delayed services, and compounding audit risk — on plans that staff had already spent hours writing.
Standard cloud tools — Notion, Google Docs, shared drives — were prohibited. No BAA, no compliance. Any solution handling PHI had to meet HIPAA's Security Rule without transmitting data to any external server. That constraint ruled out virtually every off-the-shelf tool on the market. It also meant session management, idle timeouts, and PHI retention policies all had to be engineered client-side.
The answer wasn't a SaaS platform or an enterprise system. It was a single HTML file.
I engineered ISP Assistant Pro as a Zero-Footprint Logic Engine — a clinical drafting tool that runs entirely in the browser's volatile RAM. It processes sensitive PHI locally, generates Missouri-compliant narrative language in real time, and leaves no trace when the tab closes. No servers. No POST requests. No IT tickets. No licensing cost.
The interface covers all nine ISP domains in a single unified workspace, from demographics to measurable outcomes — with a clinical word bank, a dynamic communication chart, an unlimited important-people roster, and a multi-goal outcomes engine baked directly into the logic.

A dropdown-driven building block approach converts casual goal language into standardized SMART goals instantly. Each of the nine ISP sections is self-contained and collapses cleanly for focused drafting.
Pre-loaded with Missouri-approved active verb structures — Instructional, Maintenance, Physical/Direct, Modeling, and Verbal Prompts — to enforce audit-ready language on the first draft, not the third revision.
Captures primary language, sign language type, multi-select method checkboxes, evaluation status, identified barriers, and a dynamic behavior-to-response chart — all per Missouri DD guidelines.
Dedicated sections for what the individual genuinely likes and dislikes, plus an unlimited dynamic roster of important people — each with relationship type, shared activities, and frequency of contact.
Plans save as .pcsp files locally, reload on demand with full fidelity, print as clean PDFs, or persist as browser drafts — zero cloud dependency, zero IT involvement.
Automated workflows for federal HCBS Rule compliance and Missouri Due Process. Captures less restrictive alternatives, historical patterns, and measurable criteria for lifting rights restrictions.
v3.0 introduces AES-GCM 256-bit binary encryption. Every .pcsp file is now a cryptographically sealed container that requires the creator's unique PBKDF2-derived key to unlock, ensuring total data confidentiality.
A 4-second debounced auto-save writes session state to local browser storage after every change. On next load, the tool prompts to restore any session saved within the past 48 hours — zero work lost on unexpected tab closure.
After 30 minutes of inactivity, the system surfaces a workstation policy warning. Dismissing the prompt clears the auto-save and reloads the page — satisfying HIPAA's unattended workstation requirements without IT configuration.
Section 9 now supports unlimited measurable outcome goals per plan — each with its own domain, support method, frequency, responsible provider, and start/end dates. All goals serialize into the .pcsp export and restore with full fidelity.
The execution wasn't linear. Every architectural decision was a deliberate tradeoff between compliance, usability, and maintainability — built for staff who needed a tool, not a tutorial.
Before writing a line of code, I conducted a full read of Missouri 9 CSR 45-3.010 and the "Good Life" Framework to map every required clinical trigger. The nine-domain ISP structure, active treatment language requirements, and HCBS federal compliance rules all had to be baked into the logic before the UI could be designed. The first challenge was regulatory, not technical.
Every other option — a hosted web app, a shared database, a cloud-synced form — introduced either a HIPAA risk or an IT bottleneck. A single-file HTML/JS deployment with zero external dependencies eliminated both problems simultaneously. By processing everything in the browser's volatile RAM, I bypassed the need for server infrastructure entirely. No POST requests. No databases. No BAA. No licensing cost.
Built a structured profiling system covering primary language, sign language type, a multi-select method checklist (Verbal, AAC Device, PECS, Gestures, Eye Gaze, Facial Expressions, Vocalizations, Behavior as Communication), evaluation status with conditional barrier documentation, and a fully dynamic Communication Chart. Each chart row maps a behavior to its meaning and the correct staff response — a direct Missouri DD compliance requirement that previously went undocumented.
Designed dedicated form sections for capturing what the individual genuinely enjoys — favorite activities, foods, and places — alongside dislikes, triggers, and sensory sensitivities. This feeds directly into the narrative and ensures plans reflect the individual's actual life, not clinical boilerplate. The difference matters during audits.
Engineered a dynamic multi-entry system for documenting the people who matter most to the individual. Each entry captures name, relationship, and an unlimited list of shared activities with frequency of contact. Staff can add or remove people and activities on the fly — the narrative auto-updates in real time. This satisfies the Natural Supports documentation requirement without a separate system.
Expanded the engine to cover the full Missouri State Audit Checklist — including complex data structures for detailed medication protocols (PRN psychotropics), comprehensive family medical history, mandatory HCBS housing compliance triggers, health parameter tracking (Weight, Blood Pressure, Blood Sugar, Seizure Logs, Bowel Logs), and multi-select legal role classification.
Implemented a complete save/restore pipeline using a custom .pcsp format. On export, the full plan state — dynamic entries, checkboxes, narratives, communication chart rows, important people, outcome goals — serializes to a locally stored JSON file. On import, a single file upload or drag-and-drop onto the workspace auto-fills the entire form in seconds, with full fidelity.
Hardened the security layer by implementing a 'Zero-Knowledge' encryption pipeline. Using the Web Crypto API, passwords undergo PBKDF2 derivation (100k iterations) to generate 256-bit keys. All exported data is binary-encrypted via AES-GCM before Base64 encoding, making PII unreadable at rest.
Redesigned Section 9 from a single-goal builder into an unlimited multi-goal system. Each goal card is self-contained — domain, active verb, goal template, frequency, responsible provider, and date range — and can be added, removed, or reordered independently. All goals serialize into the .pcsp export and generate a numbered, audit-ready narrative block.

The shift from passive to active documentation wasn't incremental — it was structural. Every metric below reflects a process that no longer requires rework.

| Metric | Pre-Deployment | Post-Deployment |
|---|---|---|
| Audit Rejection | Medium Risk | Low Risk |
| Drafting Time | ~15–20 Min / Goal | < 2 Minutes |
| Audit Compliance | Inconsistent Active Phrasing | 100% Active Phrasing |
| IT Overhead | Complex Security Requirements | Zero (Browser Only) |
| Revision Cycles | Frequent Rejections | First-Pass Approval |
| Communication Docs | Inconsistent / Missing | Structured + Charted |
| Plan Portability | Locked to One Machine | Encrypted AES-GCM (.pcsp) |
| Data Confidentiality | Readable Plaintext | Cryptographically Sealed |
| Person-Centered Data | Freeform / Overlooked | Structured Profiles |
| Outcome Goals | Single Goal Per Plan | Unlimited Multi-Goal |
| PHI Draft Retention | Indefinite / Unmanaged | 30-Day Auto-Expiry |
| Unsaved Work | Lost on Tab Close | 4-Second Auto-Save |
| Workstation Compliance | No Session Controls | 30-Min Idle Timeout |

The primary security feature is its Stateless Architecture. Unlike SaaS platforms, this tool functions as a pure client-side processor — data exists only for the duration of the session.
All logic executes in browser RAM. Sensitive PII exists only in volatile memory during a live session, protected by a 256-bit AES session key.
Closing the tab instantly purges all session data and the derived session key. No database, no POST requests, no residual trace.
When persistence is needed, the plan state is binary-encrypted (AES-GCM) using a unique PBKDF2-derived key. The .pcsp file is a cryptographically sealed container.
Up to 20 in-progress drafts persist in localStorage on the local machine only — never synced, never transmitted. Drafts auto-expire and are purged after 30 days per HIPAA retention policy.
After 30 minutes of inactivity, the system presents a HIPAA workstation policy prompt. Dismissing it clears the auto-save and reloads — satisfying unattended workstation requirements without IT configuration.
A 4-second debounced write saves session state to localStorage after every change. A restore prompt appears on next load if an auto-save younger than 48 hours is detected.
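The retention rules above (48-hour restore window, 30-day draft expiry, 20-draft cap, 30-minute idle timeout) written as testable checks. This is an added example, not the tool's own source; the `isp.autosave` key, the record shape and the function names are hypothetical, and the debounce timer itself is left out.

```javascript
// Added example, not the ISP Assistant Pro source. The storage key and record
// shapes are hypothetical; the limits are the ones the page states.
const HOUR = 3600e3, DAY = 24 * HOUR;
const LIMITS = { restoreWindow: 48 * HOUR, draftTtl: 30 * DAY,
                 maxDrafts: 20, idle: 30 * 60e3 };
const AUTOSAVE_KEY = 'isp.autosave';

// Drop drafts older than 30 days, then keep only the 20 most recent.
function pruneDrafts(drafts, now) {
  return drafts
    .filter(d => Number.isFinite(d.savedAt) && now - d.savedAt <= LIMITS.draftTtl)
    .sort((a, b) => b.savedAt - a.savedAt)
    .slice(0, LIMITS.maxDrafts);
}

// Decide at page load whether a stored auto-save may be offered for restore.
// `storage` is anything with localStorage's getItem/setItem/removeItem API.
function checkAutosave(storage, now) {
  const raw = storage.getItem(AUTOSAVE_KEY);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  const age = rec && Number.isFinite(rec.savedAt) ? now - rec.savedAt : NaN;
  if (!(age >= 0 && age < LIMITS.restoreWindow)) {
    storage.removeItem(AUTOSAVE_KEY); // stale or corrupt: purge, never prompt
    return null;
  }
  return rec.state; // caller shows the restore prompt
}

// Idle check kept pure so a timer or a test can drive it.
function idleExpired(lastActivity, now) {
  return now - lastActivity >= LIMITS.idle;
}

// Dismissing the idle prompt clears the auto-save first, then reloads.
function onIdleDismiss(storage, reload) {
  storage.removeItem(AUTOSAVE_KEY);
  reload();
}
```

Purging before returning `null` means an expired auto-save is removed the first time the page loads after the window closes, not only when the user answers a prompt.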
Variable sanitization: user input is HTML-escaped before rendering into the DOM to prevent injection via names, relationship fields, or goal text.
Several ISP sections require an unbounded number of entries — legal representatives, communication chart rows, important people and their activities, and outcome goals. Fixed forms don't work here: a client might have two guardians or six, one goal or nine. Each section manages entries as in-memory JavaScript arrays, rendered to the DOM on every state change and serialized with full fidelity on .pcsp export.
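Escaped rendering of one of these in-memory arrays, the important-people roster, as an added example (not the tool's own source). The record shape and the `renderPeople` name are hypothetical; the point is that free-text fields are escaped for both element text and quoted attribute values on every re-render.

```javascript
// Added example, not the ISP Assistant Pro source. Field names are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Safe for element text and for quoted attribute values (quotes included).
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Re-render the whole roster from the array on each state change.
function renderPeople(people) {
  return people.map((p, i) => {
    const acts = (p.activities ?? [])
      .map(a => `<li>${escapeHtml(a.what)} (${escapeHtml(a.frequency)})</li>`)
      .join('');
    return `<div class="person" data-index="${i}">` +
      `<input name="person-name" value="${escapeHtml(p.name)}">` +
      `<span class="rel">${escapeHtml(p.relationship)}</span>` +
      `<ul>${acts}</ul></div>`;
  }).join('');
}
```

Escaping only `<` and `>` would not be enough here, because the name is also written into a quoted `value` attribute.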
Custom lightweight multi-select dropdowns with animated tag systems handle complex, multi-dimensional data capture — learning styles, health parameters, legal authority roles — while maintaining a clean, single-page UI footprint. No framework overhead. No third-party component libraries. Every interaction is purpose-built for clinical context. Section completion indicators (green dot / gray dot) give coordinators an instant visual audit of plan completeness at a glance.
A dedicated print stylesheet strips all UI chrome and stamps a HIPAA confidentiality footer on every page. Outputs a clean, ISP-formatted document ready for signature or filing.
Full plan state exported as a portable JSON-based file. Drag-and-drop or file-select auto-fills every field — static and dynamic — on re-import.
One-click copy of the full narrative summary for direct paste into CIMOR, MOEDIWEB, or any agency system.
Hosted on the agency's internal drive, it inherits existing Windows Active Directory permissions — no separate login system required. Staff open the file in any modern browser. No installation, no IT ticket, no licensing cost. The "server" was already on every desk.
Version 3.0 adds an encryption layer built on the browser's native **Web Crypto API**. Exported data is encrypted at rest with 256-bit AES-GCM and can be opened only by re-deriving the key from the creator's password.
Note: The raw password is never stored or used as a key directly. Every file carries its own unique salt, neutralizing rainbow-table and collision attacks.
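The export pipeline described here and in the earlier encryption passage (PBKDF2 at 100k iterations, a 256-bit AES-GCM key, a per-file salt, Base64 output), as an added example that is not the tool's own source. The SHA-256 hash, the 16-byte salt, the 12-byte IV, the salt | iv | ciphertext layout and the function names are assumptions.

```javascript
// Added example, not the ISP Assistant Pro source. Assumed: SHA-256 as the
// PBKDF2 hash and a salt | iv | ciphertext layout inside the Base64 text.
const ITERATIONS = 100000, SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Browsers expose crypto globally; the import is a fallback for older Node.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(wc, password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function sealPlan(plan, password) {
  const wc = await webCrypto();
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN)); // unique per file
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));     // unique per save
  const key = await deriveKey(wc, password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(JSON.stringify(plan))));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  blob.set(salt);
  blob.set(iv, SALT_LEN);
  blob.set(ct, SALT_LEN + IV_LEN);
  let bin = '';
  for (const b of blob) bin += String.fromCharCode(b);
  return btoa(bin);
}

async function openPlan(b64, password) {
  const wc = await webCrypto();
  const blob = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('truncated file');
  const key = await deriveKey(wc, password, blob.slice(0, SALT_LEN));
  let plain;
  try {
    plain = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: blob.slice(SALT_LEN, SALT_LEN + IV_LEN) },
      key, blob.slice(SALT_LEN + IV_LEN));
  } catch {
    // GCM tag mismatch: wrong password or modified file. Load nothing.
    throw new Error('wrong password or tampered file');
  }
  return JSON.parse(new TextDecoder().decode(plain));
}
```

A failed GCM tag check is the only signal for both a wrong password and a modified file, so an importer built on this should fill no fields when `openPlan` throws.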
The constraint of "no cloud tools" that initially seemed like a limitation turned out to be the design brief. A stateless, browser-based architecture wasn't a workaround — it was the right answer. By keeping everything in volatile memory, I eliminated both the HIPAA risk and the IT bottleneck in a single architectural decision.
The result covers every Missouri ISP domain, satisfies HIPAA's Security Rule without a BAA or a server, enforces PHI retention policies client-side, and gets case managers from blank page to audit-ready narrative in under two minutes. That's the kind of problem frontend engineering is uniquely positioned to solve.
ISP Assistant Pro passed Missouri state compliance review without modification and is currently in active deployment across county Departments of Developmental Disabilities — used daily by the case managers who serve individuals in their care.