Major Retail Pharmacy
Designing Secure Household Pharmacy Access
Making identity, consent, and pickup authorization usable under real constraints
Stakes & model
What breaks, who owns what, how the system behaves
Most people don't think about the pharmacy until they need it, but when they need it, they really need it.
Pharmacy users are often sick, anxious, or managing a loved one who is one of those things. They need to get in and get out so they can get back to their lives.
This project was about making identity, consent, and pickup authorization work the way families actually do.
I led registration, dependent and adult linking, pickup authorization, post-registration setup, orders visibility, fulfillment states, and pickup-channel changes. Partners included product, engineering, internal design teams, and legal.
Risk
Failure modes we designed against
The product had to reduce concrete failures: pickup denial, confused caregivers, silent duplicates, and fulfillment surprises when channels are not interchangeable.
- Pickup attempts fail when “family” language hides the gap between managing someone and being allowed to retrieve medication.
- Duplicate profiles scatter prescriptions and weaken authorization decisions downstream.
- Heavy optional tasks during signup steal attention from verification and linking—the highest-risk moments.
- Fulfillment and channel changes break assumptions unless eligibility shows up before patients commit time.
Focus
What I optimized for
1. Confirm identity and bind records before exposing household-level pharmacy actions.
2. Keep verbs legally precise: separate everyday words (“help,” “family”) from enforced behaviors (manage accounts, respond to invites, pick up).
3. Add deliberate pacing where mistakes carry lasting consequences—linking, duplicate handling, consent responses—with recoverable paths.
4. Expose preparing, ready, shipped, and inventory exceptions early enough that patients can replan.
5. Ship interaction specs—states, empty states, branches—so legal, accessibility, and engineering review the same behavior, not isolated screens.
Decision 1
Verify first, then stage optional work
Constraint: activation pressure competes with safe sequencing. Design pushes verification and membership linkage ahead of insurance, transfers, payments, or managing others.
What changed: sign-in through email verification and profile linkage stay tight; confirmation and a deferrable setup hub follow so patients opt into secondary tasks when ready.
Why it matters: splitting attention during identity steps raises error rates where PHI and guardianship enter the picture.
Decision 2
Explicit permissions and duplicate-record handling
Constraint: disclosure wording and permission boundaries come from legal and privacy—not retail shorthand.
What changed: screens separate account access, management invitations, and pickup allowance instead of folding them under “family.” When the system likely already holds a dependent profile, the flow surfaces conflict, confirms guardianship, and links without silent merges.
Why it matters: fuzzy caregiver language drives counter denial; silent merges fracture prescription history and blur authorization.
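The rules behind Decisions 1 and 2, sketched as an added example (not code from the project): verification gates every household action, manage and pickup are separate grants, and a likely duplicate returns a conflict instead of merging. The class and method names, the name-plus-birth-date match, and the `confirmed_guardianship` flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Grant(Enum):
    ACCOUNT_ACCESS = "account_access"
    MANAGE = "manage"
    PICKUP = "pickup"

class LinkResult(Enum):
    CREATED = "created"
    CONFLICT = "conflict"   # likely duplicate: caller must confirm explicitly
    LINKED = "linked"

@dataclass
class Household:
    verified: set = field(default_factory=set)    # actor ids with verified identity
    grants: dict = field(default_factory=dict)    # (actor, patient) -> set of Grant
    profiles: dict = field(default_factory=dict)  # (name, dob) -> patient id

    def allow(self, actor, patient, grant):
        self.grants.setdefault((actor, patient), set()).add(grant)

    def can(self, actor, patient, grant):
        # Deny by default: unverified actors get nothing, and each verb is
        # checked on its own, so MANAGE never implies PICKUP.
        if actor not in self.verified:
            return False
        return actor == patient or grant in self.grants.get((actor, patient), set())

    def link_dependent(self, guardian, name, dob, confirmed_guardianship=False):
        if guardian not in self.verified:
            raise PermissionError("verify identity before linking")
        key = (name.strip().lower(), dob)  # assumed matching rule, simplified
        existing = self.profiles.get(key)
        if existing is None:
            pid = f"p{len(self.profiles) + 1}"
            self.profiles[key] = pid
            self.allow(guardian, pid, Grant.MANAGE)
            return LinkResult.CREATED, pid
        if not confirmed_guardianship:
            # Surface the conflict without merging or revealing the existing id.
            return LinkResult.CONFLICT, None
        self.allow(guardian, existing, Grant.MANAGE)  # pickup stays a separate grant
        return LinkResult.LINKED, existing
```

A second guardian who links the same child ends up with one shared profile and a manage grant, and still cannot pick up until pickup is granted on its own.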
Decision 3
Household-aware lists without blurred boundaries
Constraint: mobile density limits clinical detail; the UI still has to signal whose medication each row represents.
What changed: home and orders emphasize prescription ownership, search, filters by household member, and separation between active and completed work.
Why it matters: wrong-household assumptions trigger pickup failure and privacy complaints.
Decision 4
Fulfillment truth and channel limits patients can plan around
Constraint: inventory location, stock, and channel partners set eligibility the interface cannot invent.
What changed: detail views show preparing, ready, and shipped paths; inventory exceptions sit beside in-progress work. Pickup changes expose locker, pay-ahead, and expedited options where eligible. Refill confirmation summarizes split fulfillment when multiple people share one account.
Why it matters: channel switching is where optimism collapses; surfacing limits early prevents wasted trips.
Results
Impact
- ↑ Distinct paths for invites, caregiver responses, and pickup-sensitive actions instead of one vague family affordance
- ↑ Duplicate-record and linking flows route through explicit choices, reducing silent merges across identities
- ↑ Order surfaces foreground inventory-style exceptions next to normal progress so patients adjust plans earlier
- ↑ Pickup-change flows spell out channel eligibility, cutting surprises when lockers, pay-ahead, or expedited delivery are not interchangeable
- ↑ Accessibility annotations and analytics events documented per branch—fewer review loops between legal, accessibility, and engineering
Roadmap shifts deferred some launches, but the shipped patterns tighten authorization grammar, make fulfillment states legible, and give downstream teams a shared interaction reference for household-scale pharmacy work.
Next
What I'd push further
Tighter feedback loops between live pickup exceptions and pattern tweaks—especially rushed pickups on shared phones. Next pass: parity polish on invite-expired and pickup-denied branches so stress paths match the clarity of happy flows.
