We open-sourced the simplest HIPAA compliant app to demonstrate how to use the 1upHealth platform. It's a template available for any developer to modify on GitHub. Today you could build on top of it and launch an app which can get data from electronic health records for patients at hundreds of hospitals and clinics in the US. It only takes one minute to startup.
Result data is populated in the patient's dashboard!
Now you can connect more health systems and play around with the data in your app.
The app is built using a few packages that allow us to keep things simple while setting up developers for a real production level app.
Node - If you're building a web app today, Node.js provides many features and has a vibrant community around NPM.
React - Applications with frontend components are pretty easy to manage with React and can be somewhat more modular.
NextJS - Next.js allows us to very easily build a single page app that both renders server-side and calls an API client side. Building a single page app is ideal because it uses the fewest resources and only sends a JSON doc via an API between page navigation.
Passwordless - To make it extremely easy to create users on the demo app while maintaining HIPAA compliance, we are not setting up any database. The only place data is on 1upHealth and in in-memory cookies server side and the client browser.
Refresh tokens - We have no database running in this demo app, and refresh tokens are not stored or used. In a production app, you are likely to refresh tokens after the access token expires like you do in the normal OAuth2 flow. Here's more about refreshing tokens
Users / passwords - Because we are using passwordless in the demo app, you may want to allow users to create their own accounts and manage passwords and sessions in a separate dataabase. 1upHealth currently does not support password management, but users created on your app can be linked to 1upHealth users via our user-management API
Serving - We leave the decisions on serving the app up to you. We serve our apps from Amazon Web Services but plenty of others are great too.
When modifying these two processes and others you should follow procedures to meet HIPAA compliance. Although data shared directly by users with applications is not covered under HIPAA, HIPAA is basically the minimum bar to meet for security and backup of patient data. We would not feel comfortable if we released an app without addressing it.
Building a healthcare product is a difficult endeavor. 1upHealth's API services let you take advantage of our team's collective learnings in security and healthcare data integration experiences so that you can focus on your product.