Choosing a tech stack for a healthcare app is not the same as choosing one for a SaaS dashboard or an e-commerce store. Healthcare has constraints that most frameworks and tools don't address by default: HIPAA compliance, PHI encryption, audit trails, EHR interoperability, and hosting requirements that eliminate half the providers on the market.
Pick the wrong stack and you'll discover — during your compliance audit, not before — that your database doesn't support encryption at rest, your hosting provider won't sign a BAA, or your auth system doesn't log access events. Rebuilding at that point costs 2–3x what building correctly from the start would have.
This guide gives you the exact stack we use for healthcare projects at LSD Dev Studio, with alternatives for different app types and explanations of why each choice fits healthcare specifically.
The Recommended Healthcare Stack
| Layer | Recommendation | Why It Fits Healthcare |
|---|---|---|
| Frontend (web) | Next.js + React | Server Components keep data fetching and secrets server-side; the browser only receives rendered output for the authenticated user |
| Frontend (mobile) | React Native + Expo | Cross-platform, encrypted local storage, biometric auth support |
| Language | TypeScript | Type safety for medical data structures, fewer runtime errors |
| Backend | Next.js API Routes or Node.js | Same language across stack, strong async for EHR API calls |
| Database | PostgreSQL (AWS RDS or Supabase HIPAA) | Encryption at rest, row-level security, ACID transactions |
| ORM | Prisma | Type-safe queries, audit-friendly migration history |
| Auth | Clerk (HIPAA plan) or Auth0 | MFA, session timeout, audit logs, BAA available |
| Video | Twilio or Daily.co | HIPAA-compliant video with BAA, recording, waiting rooms |
| Messaging | Stream (HIPAA plan) or custom | End-to-end encrypted, message retention policies |
| File storage | AWS S3 (SSE-KMS) | Server-side encryption, access logging, BAA covered |
| Hosting | AWS or Aptible | HIPAA-eligible, BAA available, VPC isolation |
| Monitoring | Sentry + Datadog | Configurable to exclude PHI from error payloads |
This stack covers telemedicine, patient portals, clinical tools, remote monitoring, and wellness apps. Every component either offers a BAA out of the box or can be configured to meet the requirements below; none of them is "HIPAA compliant" on its own, since compliance is a property of your whole system and its contracts, not of a library.
Why HIPAA Compliance Shapes Your Stack
HIPAA isn't a feature you add at the end. It's a constraint that eliminates options from day one.
What HIPAA requires from your tech stack:
| Requirement | Stack Impact |
|---|---|
| Encryption at rest | Formally an "addressable" specification under the Security Rule, but expect auditors to treat it as required. Use a database with transparent storage encryption (PostgreSQL on AWS RDS) rather than an unencrypted file database such as plain SQLite |
| Encryption in transit | TLS everywhere — enforced, not optional |
| Access controls | Auth system must support RBAC, session timeout, MFA |
| Audit logging | Every PHI access must be logged with timestamp, user, action |
| Business Associate Agreement | Every vendor touching PHI must sign a BAA (eliminates most free tiers) |
| Data backup and recovery | Automated encrypted backups with defined retention |
| Minimum necessary access | Row-level security plus role scoping: each user sees only the records their role entitles them to (a patient their own data, a provider their panel) |
Vendors that sign BAAs (and can handle PHI):
- AWS (RDS, S3, ECS, Lambda) — Yes
- Vercel — Not on Hobby or Pro plans; a BAA is only available through an Enterprise contract
- Supabase — Yes (HIPAA plan, $599/mo)
- Clerk — Yes (Enterprise plan)
- Auth0 — Yes (Enterprise plan)
- Twilio — Yes (Business plan)
- Daily.co — Yes
- Stream — Yes (Enterprise plan)
- Heroku — Not on standard dynos; only Heroku Shield Private Spaces (Enterprise) are HIPAA-eligible with a BAA
- Railway — No
- Netlify — No
This is the most important table in this guide. If a vendor will not sign a BAA covering your plan, you cannot store or process PHI through that service. Period. On the plans an MVP is likely to use, that rules out Vercel, Heroku, Railway, Netlify, and most free tiers. BAA availability is plan-specific and changes over time, so treat this list as a starting point: the control that matters is a countersigned BAA on file for your account before any PHI flows, not a vendor's marketing page.
Frontend: Next.js + React Native
Next.js for healthcare web apps
Server Components are a security win, with one caveat. PHI should not live in client-side JavaScript state. React Server Components fetch patient data on the server and send the rendered result to the browser, so API credentials, EHR tokens, and over-fetched fields never leave the server. The data the user is meant to see is still present in the rendered HTML and the RSC payload, so the win is against secret leakage and over-exposure, not against an attacker who already controls the user's browser session; pair it with a strict Content Security Policy and no client-side persistence.
API Routes handle HIPAA-sensitive logic. EHR API calls (Epic FHIR, Cerner), KYC verification, and insurance eligibility checks happen in Next.js API Routes — server-side, behind authentication middleware. No secrets or PHI in the browser.
SSR for patient-facing content. Appointment confirmations, health education content, and provider directories should be server-rendered for accessibility and SEO.
Caveat: Vercel can't host HIPAA apps on its standard plans. Vercel's Hobby and Pro tiers come without a BAA. For healthcare Next.js apps, deploy on AWS (ECS, App Runner, or Lambda) or Aptible instead. The code is the same; only the deployment target changes.
React Native for healthcare mobile apps
Encrypted local storage. React Native supports encrypted storage via expo-secure-store (Keychain on iOS, Keystore on Android). It is built for small secrets such as session tokens and encryption keys (the library caps each value at 2 KB), so use it to hold a key and encrypt larger cached PHI, such as appointment details or medication lists, with that key rather than writing records into AsyncStorage. Anything cached on-device must be encrypted and should be wiped on logout.
Biometric authentication. expo-local-authentication provides Face ID and fingerprint auth with minimal code. Healthcare apps should require biometric re-authentication for accessing sensitive records after a timeout.
Cross-platform reduces cost and risk. One codebase means one set of security controls to audit, one HIPAA compliance review, and one place to fix vulnerabilities. See our React Native cost guide →
Expo OTA updates for compliance patches. When a vulnerability is found in your JavaScript, Expo's over-the-air updates let you push a fix to all users without waiting for the 24–72 hour app store review cycle. Two caveats: OTA replaces only the JS bundle, so a flaw in a native module or the Expo SDK still needs a store release; and the update channel is itself a supply-chain path into every patient's device, so enable expo-updates code signing and protect the publishing credentials like any production secret.
Database: PostgreSQL on AWS RDS
Why PostgreSQL for healthcare
Encryption at rest. AWS RDS PostgreSQL encrypts storage, automated backups, snapshots, and read replicas with AES-256 under a KMS key. Enable it when the instance is created: an existing unencrypted instance cannot be switched on in place and has to be migrated through an encrypted snapshot copy. This satisfies the encryption-at-rest requirement without application code, but be clear about what it covers: lost disks and leaked snapshots, not a compromised application or stolen database credentials, which read plaintext as usual.
Row-level security (RLS). PostgreSQL's RLS enforces data isolation at the database level. A patient query automatically filters to only their own records, even if your application code has a bug. This is defense in depth, on two conditions: the application must connect as a role that is not the table owner, not a superuser, and not marked BYPASSRLS (policies are skipped for all three unless you FORCE ROW LEVEL SECURITY), and the per-request identity the policy keys on must be set inside each transaction so a pooled connection cannot carry a previous user's context into the next request.
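As an added example (not LSD Dev Studio's code), here is what that looks like in PostgreSQL: a patient-scoped table, a dedicated application role that cannot bypass policies, and a policy keyed on a per-transaction setting. The schema, table, role and setting names (clinical.encounter, app_user, app.current_patient_id) are placeholders, and the sample rows are constructed.

```sql
-- Added example (not LSD Dev Studio's code): row-level security on a
-- patient-scoped PHI table. Schema, table, role and setting names are
-- placeholders; the application is assumed to connect as app_user and to set
-- app.current_patient_id inside every transaction.
CREATE SCHEMA IF NOT EXISTS clinical;

CREATE TABLE clinical.encounter (
  id          bigserial   PRIMARY KEY,
  patient_id  uuid        NOT NULL,
  provider_id uuid        NOT NULL,
  notes       text,
  created_at  timestamptz NOT NULL DEFAULT now()
);

-- Constructed sample data, loaded as the owner before RLS is switched on.
INSERT INTO clinical.encounter (patient_id, provider_id, notes) VALUES
  ('3f1c2e0a-9b6d-4c0f-8a11-2b5d7e4f9a10', 'a0e4c1d2-5b6f-4e7a-9c8d-1f2e3d4c5b6a', 'Initial visit'),
  ('7c9e1b2d-4a5f-4c3e-8b1a-6d5e4f3c2b1a', 'a0e4c1d2-5b6f-4e7a-9c8d-1f2e3d4c5b6a', 'Follow-up');

-- The application role must not own the table, must not be a superuser and
-- must not have BYPASSRLS: policies are silently skipped for all three.
CREATE ROLE app_user LOGIN NOBYPASSRLS PASSWORD 'replace-with-secret';
GRANT USAGE ON SCHEMA clinical TO app_user;
GRANT SELECT, INSERT, UPDATE ON clinical.encounter TO app_user;

ALTER TABLE clinical.encounter ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well, so a migration or
-- admin script that connects as the owner does not see everything by accident.
ALTER TABLE clinical.encounter FORCE ROW LEVEL SECURITY;

-- Patient policy. current_setting(name, true) returns NULL when the setting
-- was never set, but '' once an earlier SET LOCAL has expired; nullif() folds
-- both to NULL, and NULL = anything is never true, so a request that forgot
-- to set its context gets zero rows instead of every row.
CREATE POLICY patient_own_rows ON clinical.encounter
  FOR ALL TO app_user
  USING      (patient_id = nullif(current_setting('app.current_patient_id', true), '')::uuid)
  WITH CHECK (patient_id = nullif(current_setting('app.current_patient_id', true), '')::uuid);
-- A provider view needs its own policy keyed on a provider setting and the
-- provider's panel. Policies are OR-ed together, so keep each one narrow.

-- Per-request usage from the application, connected as app_user:
BEGIN;
-- SET LOCAL is scoped to this transaction and reverts at COMMIT/ROLLBACK,
-- which is what you want behind a connection pool: the next request on the
-- same backend connection starts with no patient context at all.
SET LOCAL app.current_patient_id = '3f1c2e0a-9b6d-4c0f-8a11-2b5d7e4f9a10';
SELECT id, notes FROM clinical.encounter;   -- returns only 'Initial visit'
COMMIT;

-- Periodic check, run as an administrator: which roles could bypass RLS?
-- Anything the application can authenticate as should not appear here.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Run the policy and grant statements as the schema owner, then test the `BEGIN ... COMMIT` block while connected as `app_user`; a superuser connection will bypass RLS and make the policy look broken when it is not.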
ACID transactions for medical records. Creating a patient encounter that involves multiple tables (encounter record, diagnosis, medications, notes) must be atomic. PostgreSQL guarantees this.
Audit trail with triggers. PostgreSQL triggers can log every INSERT, UPDATE, and DELETE on PHI tables to a separate audit schema. On its own that is an audit log, not a tamper-evident one: make the audit table append-only (no UPDATE or DELETE grants for the application role), remember that a superuser can still disable the trigger or truncate the table, and ship the rows to external write-once storage on a schedule. Triggers also never see SELECTs, so reads of PHI need pgaudit (which RDS supports) or application-level access logging.
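The trigger-based trail described above, as an added example that is not LSD Dev Studio's code. It assumes the same placeholder table and settings as the RLS example (clinical.encounter, app_user, an app.current_user_id setting carrying the application-level identity) and recreates the table so the block runs on its own; the sample activity is constructed.

```sql
-- Added example (not LSD Dev Studio's code): append-only audit trail for a
-- PHI table via a row-level trigger. Table, role and setting names are
-- placeholders; the table is (re)created here so the block stands alone.
CREATE SCHEMA IF NOT EXISTS clinical;
CREATE TABLE IF NOT EXISTS clinical.encounter (
  id         bigserial PRIMARY KEY,
  patient_id uuid      NOT NULL,
  notes      text
);

CREATE SCHEMA IF NOT EXISTS audit;
CREATE TABLE audit.phi_change (
  id          bigserial   PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT clock_timestamp(),
  db_user     text        NOT NULL DEFAULT current_user,   -- database role
  app_user_id text,                                        -- application identity
  table_name  text        NOT NULL,
  row_id      text        NOT NULL,
  operation   text        NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
  old_row     jsonb,                                       -- before image
  new_row     jsonb                                        -- after image
);

-- SECURITY DEFINER: the function runs with its owner's privileges, so the
-- application role can write audit rows through the trigger without holding
-- any direct privilege on audit.phi_change. The pinned search_path stops a
-- caller from swapping in a malicious function of the same name.
CREATE OR REPLACE FUNCTION audit.log_phi_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
BEGIN
  INSERT INTO audit.phi_change
    (app_user_id, table_name, row_id, operation, old_row, new_row)
  VALUES (
    nullif(current_setting('app.current_user_id', true), ''),
    TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME,
    -- CASE evaluates only the taken branch, so NEW is never touched on DELETE.
    CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END::text,
    TG_OP,
    CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
  );
  RETURN NULL;   -- AFTER trigger: the return value is ignored
END
$$;

CREATE TRIGGER encounter_audit
  AFTER INSERT OR UPDATE OR DELETE ON clinical.encounter
  FOR EACH ROW EXECUTE FUNCTION audit.log_phi_change();

-- Append-only: no UPDATE or DELETE grant exists for anyone but the owner, and
-- even SELECT is withheld from the application role. A dedicated auditor
-- role is the only reader.
REVOKE ALL ON SCHEMA audit FROM PUBLIC;
REVOKE ALL ON audit.phi_change FROM PUBLIC;
CREATE ROLE auditor NOLOGIN;
GRANT USAGE ON SCHEMA audit TO auditor;
GRANT SELECT ON audit.phi_change TO auditor;

-- Constructed sample activity.
INSERT INTO clinical.encounter (patient_id, notes)
VALUES ('3f1c2e0a-9b6d-4c0f-8a11-2b5d7e4f9a10', 'Initial visit');
BEGIN;
SET LOCAL app.current_user_id = 'provider:dr-4421';
UPDATE clinical.encounter
   SET notes = 'BP 128/82, follow-up in 2 weeks'
 WHERE patient_id = '3f1c2e0a-9b6d-4c0f-8a11-2b5d7e4f9a10';
COMMIT;

-- Auditor view: who changed what, when, with before and after images.
SELECT occurred_at, db_user, app_user_id, operation,
       old_row->>'notes' AS before_notes,
       new_row->>'notes' AS after_notes
FROM audit.phi_change
ORDER BY id;
```

Two rows land in `audit.phi_change`: the INSERT with no application identity (nothing set the setting) and the UPDATE attributed to `provider:dr-4421` with both note versions. An INSERT with a NULL `app_user_id` is itself a finding worth alerting on, since it means a code path wrote PHI without establishing who was acting. Because the trigger captures the full row as jsonb, the audit table contains PHI too and needs the same encryption, retention and export treatment as the source tables.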
JSON support for FHIR. FHIR resources are JSON objects. PostgreSQL's jsonb type lets you store and query FHIR data natively — useful for caching EHR responses or storing structured clinical data.
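To make the jsonb point concrete, here is an added example (not LSD Dev Studio's code) of a cache table for FHIR resources: generated columns expose the fields you filter and secure on, a CHECK constraint rejects non-FHIR payloads, and a GIN index serves containment queries. The schema and table names are placeholders and the Observation is a constructed sample in the standard FHIR shape.

```sql
-- Added example (not LSD Dev Studio's code): caching FHIR resources in jsonb.
-- Schema and table names are placeholders; the Observation is constructed.
CREATE SCHEMA IF NOT EXISTS fhir;

CREATE TABLE fhir.resource (
  id            bigserial   PRIMARY KEY,
  resource      jsonb       NOT NULL,
  -- Generated columns pull the fields you filter on out of the JSON so that
  -- btree indexes, foreign keys and RLS policies can use ordinary columns
  -- instead of re-parsing the document on every query.
  resource_type text GENERATED ALWAYS AS (resource->>'resourceType') STORED,
  fhir_id       text GENERATED ALWAYS AS (resource->>'id') STORED,
  patient_ref   text GENERATED ALWAYS AS (resource->'subject'->>'reference') STORED,
  fetched_at    timestamptz NOT NULL DEFAULT now(),
  -- Reject anything that is not a FHIR resource with an id.
  CHECK (resource ? 'resourceType' AND resource ? 'id'),
  UNIQUE (resource_type, fhir_id)
);

-- jsonb_path_ops GIN index: smaller than the default opclass and enough for
-- the @> containment predicate used below.
CREATE INDEX resource_body_gin ON fhir.resource USING gin (resource jsonb_path_ops);
CREATE INDEX resource_patient_idx ON fhir.resource (patient_ref, resource_type);

-- Constructed sample: a minimal Observation as an EHR's FHIR API returns it.
INSERT INTO fhir.resource (resource) VALUES ('{
  "resourceType": "Observation",
  "id": "obs-001",
  "status": "final",
  "code": {"coding": [{"system": "http://loinc.org", "code": "8480-6",
                       "display": "Systolic blood pressure"}]},
  "subject": {"reference": "Patient/p-123"},
  "effectiveDateTime": "2025-01-14T09:30:00Z",
  "valueQuantity": {"value": 128, "unit": "mmHg"}
}');

-- One patient's observations for a given LOINC code. The equality predicates
-- hit the btree index; the @> containment predicate hits the GIN index.
SELECT fhir_id,
       resource->>'effectiveDateTime'                 AS taken_at,
       (resource->'valueQuantity'->>'value')::numeric AS value,
       resource->'valueQuantity'->>'unit'             AS unit
FROM fhir.resource
WHERE patient_ref   = 'Patient/p-123'
  AND resource_type = 'Observation'
  AND resource @> '{"code":{"coding":[{"system":"http://loinc.org","code":"8480-6"}]}}';
```

A cached EHR response is PHI in its own right, so this table needs the same treatment as any clinical table: attach an RLS policy on `patient_ref`, route changes through the audit trigger, and give it a retention period, since stale clinical data is both a privacy liability and a patient-safety one.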
Managed PostgreSQL for healthcare
| Provider | HIPAA Eligible | BAA | Cost | Best For |
|---|---|---|---|---|
| AWS RDS | Yes | Yes | $15–$200/mo | Production healthcare apps |
| Supabase (HIPAA plan) | Yes | Yes | $599/mo | Rapid development with compliance |
| Aptible | Yes | Yes (included) | $185+/mo | HIPAA-first, fully managed |
| Google Cloud SQL | Yes | Yes | $15–$200/mo | GCP-native teams |
| Neon | No | No | — | Not for PHI |
For MVPs with PHI: Aptible is purpose-built for HIPAA. It handles database encryption, access logging, and BAAs out of the box. More expensive than raw AWS, but saves weeks of compliance configuration.
For production at scale: AWS RDS with Multi-AZ deployment, automated backups, and encryption enabled. Configure CloudTrail for API-level audit logging.
Auth: HIPAA-Compliant Options
Healthcare auth has requirements beyond standard login:
| Feature | Why Healthcare Needs It |
|---|---|
| MFA (mandatory) | Prevents unauthorized PHI access from stolen credentials |
| Session timeout (configurable) | The Security Rule lists automatic logoff as an addressable specification with no fixed interval; 15–30 minutes of inactivity is the common choice, shorter on shared clinical workstations |
| Audit logs | Every login, logout, and failed attempt must be logged |
| Role-based access | Providers, nurses, patients, admins see different data |
| Device management | Limit active sessions, require re-auth on new devices |
| BAA available | The auth vendor holds patient identities, contact details and login activity, which are PHI once linked to a covered entity's services |
Clerk (HIPAA Enterprise plan):
- Signs BAAs
- Built-in MFA, session management, audit logs
- React/Next.js components work out of the box
- Configurable session timeout
- Best for: MVPs and startups that want fast integration
Auth0 (Enterprise):
- Signs BAAs
- More granular RBAC and permissions
- SAML/OIDC for hospital SSO integration
- Best for: Enterprise healthcare apps selling to hospitals
Supabase Auth (on HIPAA plan):
- Covered under Supabase's BAA
- Basic but functional
- Best for: Teams already using Supabase for database
Never roll your own auth for healthcare. Password hashing, MFA, session revocation, and audit logging are each easy to get subtly wrong, and a custom system has to prove all of them to an auditor with no third-party attestation to lean on. Use a vendor with a BAA and a SOC 2 report.
Video: Telemedicine Infrastructure
If your app includes video consultations, the video provider must be HIPAA-compliant:
| Provider | BAA | Features | Cost |
|---|---|---|---|
| Twilio Video | Yes (Business plan) | Recording, rooms, waiting room, screen share | $0.004/min/participant |
| Daily.co | Yes | Simple API, HIPAA-ready, recording, low latency | $0.004/min/participant |
| Vonage (formerly TokBox) | Yes | Established, reliable, recording | $0.004/min |
| Zoom SDK | Yes (Healthcare plan) | Familiar UX, waiting room, recording | Per-license pricing |
| Doxy.me (white-label) | Yes | Purpose-built for telehealth | $35–$50/provider/mo |
Our recommendation: Daily.co for custom integration (simpler API than Twilio, excellent docs) or Twilio if you need the broader Twilio ecosystem (SMS, voice, messaging). Both sign BAAs and support recording for clinical documentation.
Key features for telemedicine video:
- Virtual waiting room (patients wait, provider admits)
- Session recording (for clinical notes, consent required)
- Screen sharing (for lab results, imaging)
- Bandwidth adaptation (works on poor connections)
- Encryption in transit (WebRTC media is encrypted with DTLS-SRTP by default; true end-to-end encryption is a stronger claim, because the provider's media server has to decrypt to record or transcode, so E2EE and server-side recording are mutually exclusive and you must choose)
Budget $3,000–$8,000 for video integration. See our full healthcare app cost breakdown →
EHR / FHIR Integration
If your app reads or writes clinical data from Epic, Cerner, or other EHRs:
| Tool | Purpose | Cost |
|---|---|---|
| SMART on FHIR | Standard protocol for EHR app authorization | Free (open standard) |
| Epic App Orchard | Epic's app marketplace and FHIR API access | Free to develop, review process |
| Cerner Code | Cerner's developer program and FHIR APIs | Free tier available |
| 1upHealth | FHIR data aggregation across multiple EHRs | Per-connection pricing |
| Redox | Integration engine for HL7v2 and FHIR | Enterprise pricing |
| Health Gorilla | Clinical data network, labs, prescriptions | Per-transaction |
For MVPs: Skip EHR integration entirely. Validate your product with manual data entry or CSV imports. EHR integration adds $5,000–$30,000 and months of timeline. Add it after product-market fit.
When you do integrate: Use SMART on FHIR (the standard) rather than proprietary APIs. It works across Epic, Cerner, and most modern EHRs. The authorization flow is OAuth 2.0 authorization code with PKCE, scoped to individual resource types (for example `patient/Observation.read`), which is familiar to any web developer; request only the scopes your feature needs, since the granted scope defines how much PHI your app can pull.
Hosting: AWS or Aptible
| Factor | AWS | Aptible | Vercel |
|---|---|---|---|
| HIPAA eligible | Yes | Yes (purpose-built) | No |
| BAA | Yes | Included | No |
| Encryption at rest | Configurable | Default | N/A |
| VPC isolation | Yes | Yes | No |
| Audit logging (CloudTrail) | Yes | Built-in | No |
| Complexity | High (you configure everything) | Low (managed) | Very low |
| Cost | $50–$500/mo | $185–$1,000/mo | $0–$50/mo |
| Use for healthcare? | Yes | Yes | No (no BAA) |
For MVPs on a budget: Aptible. It's more expensive than raw AWS ($185/mo minimum) but gives you HIPAA-compliant hosting with zero DevOps configuration. Database encryption, access logging, BAA, and container orchestration are all included.
For production at scale: AWS with Terraform or CDK for infrastructure-as-code. VPC with private subnets for the database and application containers, public subnets only for the load balancer, and security groups that allow the database port from the application's security group alone (no public IP on RDS). Enable CloudTrail, GuardDuty, and Config for compliance monitoring, and send RDS and application logs to CloudWatch with retention set to your policy.
Stack by Healthcare App Type
| App Type | Frontend | Backend | Key Integrations | Hosting |
|---|---|---|---|---|
| Telemedicine | React Native + Next.js | Node.js | Daily.co, Stripe, Twilio SMS | AWS or Aptible |
| Patient portal | Next.js | Next.js API Routes | FHIR (read), Stripe, Resend | AWS or Aptible |
| Wellness / fitness | React Native | Node.js or Supabase | HealthKit, Google Fit | Vercel (no PHI) or AWS |
| Clinical management | Next.js | Node.js | Epic FHIR, HL7v2, labs | AWS |
| Remote monitoring | React Native | Node.js + TimescaleDB | Bluetooth LE, wearable SDKs | AWS |
| Mental health | React Native + Next.js | Node.js | Daily.co, Stripe, journaling | Aptible |
Note: Wellness apps that don't store PHI (no diagnoses, no insurance data, no clinical records) can use Vercel and standard infrastructure. The HIPAA stack only applies when you handle Protected Health Information.
Common Mistakes
Hosting on Vercel for a HIPAA app. Vercel is excellent for standard web apps but doesn't sign BAAs. If your app stores or processes PHI, you need AWS or Aptible. Discover this during an audit and you'll rebuild your entire deployment pipeline.
Storing PHI in client-side state. Patient data in Redux, localStorage, or React state is exposed to browser extensions, XSS, and device theft, and anything in localStorage outlives the session. Fetch PHI on demand with Server Components, never persist it client-side, and back that with a Content Security Policy, since rendered PHI in the DOM is still readable by injected script.
Using a chat SDK without a BAA. If patients message providers through your app, those messages are PHI. Your chat infrastructure needs a BAA — Intercom, Crisp, and most standard chat widgets don't qualify. Use Stream (HIPAA plan) or build custom encrypted messaging.
Logging PHI in error tracking. Sentry, Datadog, and LogRocket capture request/response data, breadcrumbs, and (for session replay) DOM content by default, which may include patient names, diagnoses, or medical record numbers. Turn off default PII capture, scrub known PHI fields in a beforeSend hook, mask replay text and inputs, and verify by searching the error tracker for a test patient's name before go-live. Scrubbing has to happen before the payload leaves your infrastructure; relying on the vendor's server-side scrubbing means PHI already crossed to a party without a BAA.
Skipping the BAA for "small" vendors. Every service that touches PHI needs a BAA — email (use AWS SES, not Mailchimp), analytics (use self-hosted PostHog, not Google Analytics with PII), SMS (use Twilio with BAA, not a random SMS provider).
LSD Dev Studio's Healthcare Stack
We build healthcare apps with Next.js, React Native, PostgreSQL on AWS, and HIPAA-compliant integrations. Every healthcare project starts with a compliance architecture review before we write code.
See our healthcare development services for pricing and capabilities, or read how much a healthcare app costs in 2026 for detailed pricing by feature.
For broader tech stack guidance, see our general tech stack guide. Ready to build? Get in touch.
LSD Dev Studio — Launch Support Develop. We build healthcare apps, web apps, mobile apps, and digital products. See all our services or get in touch.
