Healthcare App Development Company: HIPAA, Architecture & Real Costs

By Viprasol Tech Team

---

Healthcare app development is software development with compliance at the center. The technical challenges — building performant, secure, reliable web and mobile applications — are the same as any other domain. The difference is that every design decision must account for HIPAA, that patient data has special legal protections, and that a data breach doesn't just cost money — it harms people.

Understanding what HIPAA actually requires technically (as opposed to what it's perceived to require) is the starting point for any healthcare development engagement.

---

What HIPAA Actually Requires Technically

HIPAA's Security Rule defines the technical safeguards for Protected Health Information (PHI). The key requirements:

Access control — unique user identification, automatic logoff, encryption and decryption of PHI. Every user who touches PHI needs a unique identifier. Sessions must time out. PHI must be encrypted at rest and in transit.

Audit controls — hardware, software, and procedural mechanisms that record and examine activity in systems that contain PHI. This means: audit logs of who accessed what PHI, when, and what they did. Immutable, retained for 6 years.

Integrity controls — PHI must not be altered or destroyed in an unauthorized manner. Data integrity checks, backup and recovery procedures.

Transmission security — PHI transmitted over open networks must be encrypted. TLS 1.2+ in transit; AES-256 at rest. This is non-negotiable.

Business Associate Agreements (BAAs) — every vendor who processes PHI must sign a BAA. AWS, Google Cloud, and Azure all offer HIPAA BAAs. Stripe, SendGrid, Twilio, and most major cloud services offer BAAs for HIPAA customers. Verify BAA coverage for every service before storing PHI in it.

What HIPAA is NOT:

• A specific technology requirement (you don't have to use specific software)
• A certification (there is no HIPAA certification; there is compliance)
• A one-time checkbox (ongoing risk assessments are required)

---

HIPAA-Compliant Architecture

User (browser/mobile)
    ↓ HTTPS/TLS 1.3
Cloudflare (WAF + DDoS — HIPAA BAA available)
    ↓
AWS Load Balancer (in HIPAA-compliant account)
    ↓
Application (AWS ECS Fargate — isolated VPC)
    ↓ encrypted connection
AWS RDS (PostgreSQL, encrypted at rest with AWS KMS)
    ↓
AWS S3 (PHI documents — server-side encryption, no public access)

Audit logging → AWS CloudWatch Logs → S3 (long-term retention)
Secrets → AWS Secrets Manager (PHI credentials never in env vars)

Encryption of PHI at the field level (for high-sensitivity data like SSNs, diagnoses):

import { KMSClient, EncryptCommand, DecryptCommand } from '@aws-sdk/client-kms';

const kms = new KMSClient({ region: 'us-east-1' });

export async function encryptPHI(plaintext: string): Promise<string> {
  const command = new EncryptCommand({
    KeyId:     process.env.KMS_KEY_ID!,
    Plaintext: Buffer.from(plaintext, 'utf-8'),
  });
  const response = await kms.send(command);
  return Buffer.from(response.CiphertextBlob!).toString('base64');
}

export async function decryptPHI(ciphertext: string): Promise<string> {
  const command = new DecryptCommand({
    CiphertextBlob: Buffer.from(ciphertext, 'base64'),
  });
  const response = await kms.send(command);
  return Buffer.from(response.Plaintext!).toString('utf-8');
}

Using AWS KMS for field-level encryption means the encryption key is managed by AWS, rotated automatically, and access is controlled by IAM policies — not application code.

Audit log (immutable):

// HIPAA-required audit log: every PHI access, modification, deletion
async function logPHIAccess(event: {
  userId:       string;
  patientId:    string;
  action:       'view' | 'create' | 'update' | 'delete' | 'export';
  resourceType: 'record' | 'document' | 'message' | 'appointment';
  resourceId:   string;
  ipAddress:    string;
  userAgent:    string;
  success:      boolean;
  failureReason?: string;
}) {
  // Append-only — no UPDATE or DELETE on this table
  await db.phiAuditLog.create({ data: { ...event, timestamp: new Date() } });
  // Also ship to CloudWatch for long-term retention
  await cloudwatchLogs.putLogEvents({ /* ... */ });
}

---

EHR Integration: FHIR and HL7

The majority of healthcare app development projects require integration with existing Electronic Health Record (EHR) systems. The two standards:

HL7 v2 — the legacy standard (1987), still dominant in hospital systems. Pipe-delimited message format, not REST. Every major hospital has HL7 v2 interfaces but implementation varies widely.

FHIR (Fast Healthcare Interoperability Resources) — the modern standard (HL7 FHIR R4 is current). RESTful API, JSON/XML resources, standardized data models. The 21st Century Cures Act mandates FHIR R4 API access for US healthcare providers.

// FHIR R4 client — fetching patient records
import { Client } from 'fhirclient';

async function getPatientData(fhirBaseUrl: string, accessToken: string, patientId: string) {
  const client = new Client({ serverUrl: fhirBaseUrl, tokenResponse: { access_token: accessToken } });

  // Fetch patient demographics + recent conditions + medications in one batch
  const [patient, conditions, medications] = await Promise.all([
    client.request<fhir4.Patient>(`Patient/${patientId}`),
    client.request<fhir4.Bundle>(`Condition?patient=${patientId}&clinical-status=active`),
    client.request<fhir4.Bundle>(`MedicationRequest?patient=${patientId}&status=active`),
  ]);

  return {
    demographics: {
      name:      patient.name?.[0]?.text,
      birthDate: patient.birthDate,
      gender:    patient.gender,
    },
    activeConditions: conditions.entry?.map(e => ({
      code:    (e.resource as fhir4.Condition).code?.coding?.[0]?.display,
      onset:   (e.resource as fhir4.Condition).onsetDateTime,
    })) ?? [],
    activeMedications: medications.entry?.map(e => ({
      medication: (e.resource as fhir4.MedicationRequest).medicationCodeableConcept?.text,
      dosage:    (e.resource as fhir4.MedicationRequest).dosageInstruction?.[0]?.text,
    })) ?? [],
  };
}

SMART on FHIR — the OAuth 2.0 authorization layer for FHIR. Required for EHR app marketplace submissions (Epic App Orchard, Cerner App Market). Implements patient-specific launch context: the EHR passes the current patient's ID to your app at launch time.

---

Telemedicine Architecture

A HIPAA-compliant video consultation requires end-to-end encrypted video. The options:

Twilio Video — WebRTC, HIPAA BAA available, mature SDK. Good for custom UIs. ~$0.004/minute per participant.

Daily.co — HIPAA BAA, easier integration than Twilio, lower engineering overhead. ~$0.004/minute.

Zoom SDK for Healthcare — Zoom's HIPAA-compliant SDK. Familiar UX for patients.

Doxy.me, Zoom for Healthcare — turn-key telemedicine without custom development. If you're building a custom platform, use the SDK options.

// Twilio Video: create HIPAA-compliant room and generate access tokens
import twilio from 'twilio';
import { AccessToken, VideoGrant } from 'twilio/lib/jwt/AccessToken';

const twilioClient = twilio(process.env.TWILIO_ACCOUNT_SID!, process.env.TWILIO_AUTH_TOKEN!);

async function createConsultationRoom(appointmentId: string): Promise<string> {
  const room = await twilioClient.video.v1.rooms.create({
    uniqueName:     `consultation-${appointmentId}`,
    type:           'go',    // peer-to-peer — HIPAA BAA covers this
    maxParticipants: 2,      // provider + patient only
    recordParticipantsOnConnect: false,  // no recording without explicit consent
    statusCallback:  `${process.env.API_URL}/webhooks/twilio/room-events`,
  });
  return room.sid;
}

function generateRoomToken(userId: string, roomName: string, role: 'provider' | 'patient'): string {
  const token = new AccessToken(
    process.env.TWILIO_ACCOUNT_SID!,
    process.env.TWILIO_API_KEY!,
    process.env.TWILIO_API_SECRET!,
    { identity: userId, ttl: 3600 }
  );
  token.addGrant(new VideoGrant({ room: roomName }));
  return token.toJwt();
}

HIPAA-compliant messaging (chat between provider and patient) requires a BAA from the messaging provider. Twilio Conversations, Sendbird, and Stream Chat all offer BAAs.

---

Patient Portal: Core Features

A patient portal is the patient-facing digital front end for healthcare providers. Standard features:

• Appointment scheduling — calendar availability, provider selection, appointment type
• Secure messaging — HIPAA-compliant message thread between patient and care team
• Medical records access — lab results, visit notes, imaging reports (FHIR-backed)
• Prescription management — active medications, refill requests
• Billing and payments — outstanding balances, payment history, online payment
• Care plan — provider-assigned tasks, educational resources, goal tracking
• Telemedicine — video visit launch directly from the portal

---

Healthcare App Development Cost Ranges

HIPAA compliance program (legal, policies, risk assessment, workforce training): $20K–$60K separately. This is not optional.

---

Working With Viprasol

Our healthcare software development practice covers HIPAA-compliant architecture on AWS, FHIR/HL7 EHR integration, patient portal development, and telemedicine platform engineering.

We sign BAAs with clients and use BAA-covered AWS services exclusively for PHI. Every engagement includes audit logging architecture and access control design as deliverables.

Building a healthcare application? Viprasol Tech develops HIPAA-compliant digital health software. Contact us.

---

See also: Custom Healthcare Software Development · Custom Software Development Cost · Enterprise Software Development

Sources: HHS HIPAA Security Rule · HL7 FHIR R4 Specification · ONC 21st Century Cures Final Rule