How to Build a Patient Portal: Tech Guide for Healthcare Startups

A patient portal is the most common first product for healthcare startups. It's also one of the most misunderstood. Most guides describe enterprise patient portals built by Epic or Cerner — systems that cost millions and take years. That's not what you're building.

You're building a focused, HIPAA-compliant web and mobile application that lets patients interact with their care team. It doesn't need to replace Epic MyChart. It needs to solve one or two problems better than the generic portal their provider already has.

This guide covers exactly how to build one — features, architecture, tech stack, compliance requirements, and costs — written for startups, not hospital IT departments.

What a Patient Portal Actually Needs

Enterprise patient portals have 50+ features. Your MVP needs 5–7. Here's how to prioritise:

Must-Have (MVP)

Feature	What It Does	Build Cost
Secure login + MFA	HIPAA-required access controls	$1,500–$3,000
Patient profile	Demographics, insurance, emergency contact	$1,000–$2,000
Appointment scheduling	Book, reschedule, cancel with provider availability	$2,000–$5,000
Secure messaging	HIPAA-compliant communication with care team	$2,000–$5,000
Medical records viewer	View lab results, visit summaries, medications	$2,000–$4,000
Notifications	Appointment reminders, message alerts, results ready	$800–$1,500

Total MVP cost: $10,000–$20,000

Nice-to-Have (v2)

Feature	What It Does	Build Cost
Video consultations	Integrated telemedicine	$3,000–$8,000
Prescription refill requests	Patient-initiated, provider-approved	$1,500–$3,000
Bill pay / copay collection	Online payment for balances	$1,500–$4,000
Health education content	Condition-specific articles, videos	$1,000–$2,500
Intake forms (digital)	Pre-visit questionnaires, consent forms	$1,500–$3,000
Wearable data integration	Apple Health, Fitbit, glucose monitors	$2,000–$5,000
Family access / proxy	Parents managing children's records	$1,000–$2,500
EHR integration (FHIR)	Read/write data from Epic, Cerner	$5,000–$20,000

Don't build v2 features in your MVP. Ship the core portal, get patients using it, and add features based on what they actually request. EHR integration alone can cost more than your entire MVP — defer it.

Architecture Overview

A patient portal has three main components:

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│  Patient App    │     │   Provider App   │     │   Admin Panel   │
│  (Web + Mobile) │     │   (Web)          │     │   (Web)         │
└────────┬────────┘     └────────┬─────────┘     └────────┬────────┘
         │                       │                         │
         └───────────────────────┼─────────────────────────┘
                                 │
                    ┌────────────┴────────────┐
                    │      API Layer          │
                    │   (Next.js API Routes)  │
                    └────────────┬────────────┘
                                 │
              ┌──────────────────┼──────────────────┐
              │                  │                   │
    ┌─────────┴──────┐  ┌──────┴───────┐  ┌───────┴────────┐
    │   PostgreSQL   │  │  File Store  │  │  Integrations  │
    │   (Patient DB) │  │  (AWS S3)    │  │  (Twilio, EHR) │
    └────────────────┘  └──────────────┘  └────────────────┘

Patient App: What patients use. View records, book appointments, message providers. Built with Next.js (web) and React Native (mobile).

Provider App: What doctors, nurses, and staff use. View patient lists, respond to messages, manage schedule. Built with Next.js — web only is fine for v1.

Admin Panel: Practice management. User management, audit logs, content management, analytics. Built with Next.js.

All three share the same API layer and database. One codebase, three interfaces.

Tech Stack

Layer	Tool	Why
Patient web app	Next.js 16	Server Components keep PHI server-side
Patient mobile app	React Native + Expo	Cross-platform, encrypted storage
Provider dashboard	Next.js	Same codebase as patient app
API	Next.js API Routes	One repo, HIPAA logic co-located
Database	PostgreSQL on AWS RDS	Encryption at rest, RLS, ACID
Auth	Clerk (HIPAA plan)	MFA, session timeout, audit logs, BAA
File storage	AWS S3 (SSE-KMS)	Lab results, imaging, documents — encrypted
Messaging	Stream (HIPAA) or custom WebSocket	E2E encrypted, BAA available
Video (if needed)	Daily.co	HIPAA-compliant, simple API
Email/SMS	AWS SES + Twilio	Both sign BAAs
Hosting	AWS (ECS or App Runner)	HIPAA-eligible, VPC isolation
Monitoring	Sentry (PHI scrubbed)	Error tracking without logging patient data

For the full rationale behind each choice, read our healthcare tech stack guide.

Monthly infrastructure cost: $200–$600/month — AWS hosting ($100–$300), database ($25–$100), auth ($25–$50), messaging ($50–$100), monitoring ($0–$50).

Step-by-Step Build Process

Phase 1: Foundation (Weeks 1–2)

What you build:

Project setup (Next.js, TypeScript, Tailwind, Prisma)
Database schema design (patients, providers, appointments, messages)
Authentication with Clerk (HIPAA plan) — email/password + MFA
Role-based access: patient, provider, admin
Session timeout (15-minute inactivity auto-logout)
Audit logging middleware (logs every PHI access)

Database schema (core tables):

-- Core patient portal schema
patients (id, user_id, first_name, last_name, dob, phone, insurance_id, ...)
providers (id, user_id, name, specialty, availability_json, ...)
appointments (id, patient_id, provider_id, start_time, end_time, status, type, notes)
messages (id, conversation_id, sender_id, sender_role, content_encrypted, created_at)
medical_records (id, patient_id, record_type, title, content_encrypted, provider_id, date)
audit_logs (id, user_id, action, resource_type, resource_id, ip_address, timestamp)

Key decisions:

Encrypt sensitive fields at the application level (not just at-rest database encryption)
Use UUIDs, not sequential IDs (prevents enumeration attacks)
Add tenant_id if building for multiple practices (multi-tenancy from day one)

Phase 2: Core Features (Weeks 3–5)

Appointment scheduling:

Provider availability management (recurring schedules + exceptions)
Patient booking flow (choose provider → pick time → confirm)
Appointment types (in-person, video, phone)
Automated reminders (email + SMS, 24h and 1h before)
Cancellation and rescheduling with configurable policies

Implementation tip: Don't build a custom calendar from scratch. Use a scheduling library (Cal.com's open-source engine, or a purpose-built API like Acuity) and customise the UI. Building date/time handling with timezone support, recurring availability, and conflict detection is 2–3 weeks of work you can avoid.

Secure messaging:

Threaded conversations between patient and care team
End-to-end encryption (or at minimum, encryption at rest + in transit)
File attachments (images, documents) — stored in encrypted S3
Read receipts and typing indicators (optional for v1)
Critical: No PHI in push notification content. Notification says "You have a new message" — not "Your lab results are ready showing elevated glucose."

Medical records viewer:

List view of records by type (labs, visits, medications, immunisations)
Detail view with formatted results
PDF download for printed records
For MVP: manual upload by provider or admin (not EHR integration)
Sort and filter by date, type, provider

Phase 3: Polish and Compliance (Weeks 6–8)

HIPAA compliance layer:

Verify encryption at rest (database + file storage)
Verify encryption in transit (TLS on all endpoints)
Audit log review — confirm every PHI access is logged
Access control testing — patients can only see their own data
Session management — auto-logout, concurrent session limits
BAA verification — confirm all vendors have signed BAAs
Privacy policy and terms of service (healthcare-specific)
Data retention policy implementation

Patient-facing polish:

Onboarding flow (profile completion, verify identity)
Empty states (no appointments yet, no records yet)
Error handling (graceful failures, never expose stack traces)
Accessibility (WCAG 2.1 AA — healthcare apps must be accessible)
Mobile responsiveness (or React Native app)

Provider-facing features:

Patient list with search and filters
Message inbox with unread indicators
Appointment calendar view
Quick-add medical records / visit summaries

Phase 4: Testing and Launch (Weeks 7–8)

Security testing:

Penetration testing (third-party, $3,000–$5,000)
OWASP Top 10 verification
PHI access audit (test that cross-patient data leakage is impossible)
Session hijacking prevention testing
Input validation (SQL injection, XSS)

Compliance documentation:

HIPAA Security Risk Assessment document
Data flow diagram (where PHI lives and moves)
Incident response plan
Workforce training documentation (if applicable)

Launch:

Deploy to production (AWS)
Configure monitoring and alerting
Set up automated backups with defined retention
Verify HTTPS on all endpoints
App Store submission (if mobile — expect 1–2 weeks for Apple review of health apps)

HIPAA Compliance Checklist

Use this checklist to verify your patient portal is HIPAA-ready:

Category	Requirement	Status
Encryption	Data encrypted at rest (database, file storage)
	Data encrypted in transit (TLS everywhere)
	Encryption keys managed securely (AWS KMS)
Access Control	MFA enabled for all users
	Role-based access (patients see only their data)
	Session timeout after 15–30 minutes inactivity
	Failed login lockout (5 attempts)
Audit	All PHI access logged (who, what, when)
	Audit logs tamper-evident and retained 6+ years
	Admin can review access logs
Administrative	BAAs signed with all vendors handling PHI
	Security Risk Assessment documented
	Incident response plan written
	Privacy policy published (patient-facing)
Technical	Automatic encrypted backups (daily)
	Disaster recovery plan tested
	Vulnerability scanning (automated)
	No PHI in logs, error tracking, or notifications

This isn't exhaustive HIPAA compliance — consult a healthcare compliance specialist for your specific situation. But it covers the technical controls that a patient portal needs at minimum.

What This Costs

Approach	Cost	Timeline
Build from scratch (studio)	$15,000–$50,000	8–16 weeks
Build from scratch (freelancer)	$10,000–$35,000	10–20 weeks
White-label platform (customise existing)	$5,000–$15,000	4–8 weeks
Off-the-shelf (Elation, Spruce, Klara)	$200–$500/month	Days

For startups building a differentiated product: Build from scratch. Off-the-shelf solutions lock you into their feature set and prevent differentiation. Your patient portal IS your product — owning the code is essential.

For practices that just need a portal: Use an off-the-shelf solution. Building custom is overkill if you're a 5-provider clinic that just wants appointment scheduling and messaging.

For detailed cost breakdowns, see our healthcare app cost guide and general MVP cost guide.

Common Mistakes

Building EHR integration before validating the product. FHIR integration costs $5,000–$20,000 and takes months. Your MVP can use manual data entry. Validate that patients want your portal before investing in interoperability.

Storing PHI in the frontend. Patient data in localStorage, Redux, or cookies is a HIPAA violation waiting to happen. Fetch on demand with Server Components. Never cache PHI client-side.

Sending PHI in notifications. "Your lab results show normal glucose levels" in a push notification violates HIPAA if someone else sees the patient's phone. All notifications should be generic: "You have a new message from your provider."

Skipping the security audit. A $3,000–$5,000 pen test before launch is cheap insurance against a breach that could cost $100,000+ in fines and reputation damage.

Over-building for v1. You don't need video consultations, wearable integration, AI triage, and e-prescriptions in your MVP. You need login, appointments, messaging, and records. Ship that. Add the rest based on user feedback.

LSD Dev Studio Builds Patient Portals

We build patient portals with Next.js, React Native, PostgreSQL, and HIPAA-compliant infrastructure. Fixed pricing, defined scope, compliance built in from day one.

Patient Portal MVP: From $2,500 — core scheduling, messaging, and records
Full Patient Portal: From $15,000 — complete platform with provider dashboard, video, and admin

See our healthcare development services or get in touch for a scoped quote.

LSD Dev Studio — Launch Support Develop. We build healthcare apps, web apps, mobile apps, and digital products. See all our services or get in touch.

This guide covers exactly how to build one — features, architecture, tech stack, compliance requirements, and costs — written for startups, not hospital IT departments.

What a Patient Portal Actually Needs

Enterprise patient portals have 50+ features. Your MVP needs 5–7. Here's how to prioritise:

Must-Have (MVP)

Feature	What It Does	Build Cost
Secure login + MFA	HIPAA-required access controls	$1,500–$3,000
Patient profile	Demographics, insurance, emergency contact	$1,000–$2,000
Appointment scheduling	Book, reschedule, cancel with provider availability	$2,000–$5,000
Secure messaging	HIPAA-compliant communication with care team	$2,000–$5,000
Medical records viewer	View lab results, visit summaries, medications	$2,000–$4,000
Notifications	Appointment reminders, message alerts, results ready	$800–$1,500

Total MVP cost: $10,000–$20,000

Nice-to-Have (v2)

Feature	What It Does	Build Cost
Video consultations	Integrated telemedicine	$3,000–$8,000
Prescription refill requests	Patient-initiated, provider-approved	$1,500–$3,000
Bill pay / copay collection	Online payment for balances	$1,500–$4,000
Health education content	Condition-specific articles, videos	$1,000–$2,500
Intake forms (digital)	Pre-visit questionnaires, consent forms	$1,500–$3,000
Wearable data integration	Apple Health, Fitbit, glucose monitors	$2,000–$5,000
Family access / proxy	Parents managing children's records	$1,000–$2,500
EHR integration (FHIR)	Read/write data from Epic, Cerner	$5,000–$20,000

Architecture Overview

A patient portal has three main components:

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│  Patient App    │     │   Provider App   │     │   Admin Panel   │
│  (Web + Mobile) │     │   (Web)          │     │   (Web)         │
└────────┬────────┘     └────────┬─────────┘     └────────┬────────┘
         │                       │                         │
         └───────────────────────┼─────────────────────────┘
                                 │
                    ┌────────────┴────────────┐
                    │      API Layer          │
                    │   (Next.js API Routes)  │
                    └────────────┬────────────┘
                                 │
              ┌──────────────────┼──────────────────┐
              │                  │                   │
    ┌─────────┴──────┐  ┌──────┴───────┐  ┌───────┴────────┐
    │   PostgreSQL   │  │  File Store  │  │  Integrations  │
    │   (Patient DB) │  │  (AWS S3)    │  │  (Twilio, EHR) │
    └────────────────┘  └──────────────┘  └────────────────┘

Patient App: What patients use. View records, book appointments, message providers. Built with Next.js (web) and React Native (mobile).

Provider App: What doctors, nurses, and staff use. View patient lists, respond to messages, manage schedule. Built with Next.js — web only is fine for v1.

Admin Panel: Practice management. User management, audit logs, content management, analytics. Built with Next.js.

All three share the same API layer and database. One codebase, three interfaces.

Tech Stack

Layer	Tool	Why
Patient web app	Next.js 16	Server Components keep PHI server-side
Patient mobile app	React Native + Expo	Cross-platform, encrypted storage
Provider dashboard	Next.js	Same codebase as patient app
API	Next.js API Routes	One repo, HIPAA logic co-located
Database	PostgreSQL on AWS RDS	Encryption at rest, RLS, ACID
Auth	Clerk (HIPAA plan)	MFA, session timeout, audit logs, BAA
File storage	AWS S3 (SSE-KMS)	Lab results, imaging, documents — encrypted
Messaging	Stream (HIPAA) or custom WebSocket	E2E encrypted, BAA available
Video (if needed)	Daily.co	HIPAA-compliant, simple API
Email/SMS	AWS SES + Twilio	Both sign BAAs
Hosting	AWS (ECS or App Runner)	HIPAA-eligible, VPC isolation
Monitoring	Sentry (PHI scrubbed)	Error tracking without logging patient data

For the full rationale behind each choice, read our healthcare tech stack guide.

Monthly infrastructure cost: $200–$600/month — AWS hosting ($100–$300), database ($25–$100), auth ($25–$50), messaging ($50–$100), monitoring ($0–$50).

Step-by-Step Build Process

Phase 1: Foundation (Weeks 1–2)

What you build:

Project setup (Next.js, TypeScript, Tailwind, Prisma)
Database schema design (patients, providers, appointments, messages)
Authentication with Clerk (HIPAA plan) — email/password + MFA
Role-based access: patient, provider, admin
Session timeout (15-minute inactivity auto-logout)
Audit logging middleware (logs every PHI access)

Database schema (core tables):

-- Core patient portal schema
patients (id, user_id, first_name, last_name, dob, phone, insurance_id, ...)
providers (id, user_id, name, specialty, availability_json, ...)
appointments (id, patient_id, provider_id, start_time, end_time, status, type, notes)
messages (id, conversation_id, sender_id, sender_role, content_encrypted, created_at)
medical_records (id, patient_id, record_type, title, content_encrypted, provider_id, date)
audit_logs (id, user_id, action, resource_type, resource_id, ip_address, timestamp)

Key decisions:

Encrypt sensitive fields at the application level (not just at-rest database encryption)
Use UUIDs, not sequential IDs (prevents enumeration attacks)
Add tenant_id if building for multiple practices (multi-tenancy from day one)

Phase 2: Core Features (Weeks 3–5)

Appointment scheduling:

Provider availability management (recurring schedules + exceptions)
Patient booking flow (choose provider → pick time → confirm)
Appointment types (in-person, video, phone)
Automated reminders (email + SMS, 24h and 1h before)
Cancellation and rescheduling with configurable policies

Secure messaging:

Threaded conversations between patient and care team
End-to-end encryption (or at minimum, encryption at rest + in transit)
File attachments (images, documents) — stored in encrypted S3
Read receipts and typing indicators (optional for v1)
Critical: No PHI in push notification content. Notification says "You have a new message" — not "Your lab results are ready showing elevated glucose."

Medical records viewer:

List view of records by type (labs, visits, medications, immunisations)
Detail view with formatted results
PDF download for printed records
For MVP: manual upload by provider or admin (not EHR integration)
Sort and filter by date, type, provider

Phase 3: Polish and Compliance (Weeks 6–8)

HIPAA compliance layer:

Verify encryption at rest (database + file storage)
Verify encryption in transit (TLS on all endpoints)
Audit log review — confirm every PHI access is logged
Access control testing — patients can only see their own data
Session management — auto-logout, concurrent session limits
BAA verification — confirm all vendors have signed BAAs
Privacy policy and terms of service (healthcare-specific)
Data retention policy implementation

Patient-facing polish:

Onboarding flow (profile completion, verify identity)
Empty states (no appointments yet, no records yet)
Error handling (graceful failures, never expose stack traces)
Accessibility (WCAG 2.1 AA — healthcare apps must be accessible)
Mobile responsiveness (or React Native app)

Provider-facing features:

Patient list with search and filters
Message inbox with unread indicators
Appointment calendar view
Quick-add medical records / visit summaries

Phase 4: Testing and Launch (Weeks 7–8)

Security testing:

Penetration testing (third-party, $3,000–$5,000)
OWASP Top 10 verification
PHI access audit (test that cross-patient data leakage is impossible)
Session hijacking prevention testing
Input validation (SQL injection, XSS)

Compliance documentation:

HIPAA Security Risk Assessment document
Data flow diagram (where PHI lives and moves)
Incident response plan
Workforce training documentation (if applicable)

Launch:

Deploy to production (AWS)
Configure monitoring and alerting
Set up automated backups with defined retention
Verify HTTPS on all endpoints
App Store submission (if mobile — expect 1–2 weeks for Apple review of health apps)

HIPAA Compliance Checklist

Use this checklist to verify your patient portal is HIPAA-ready:

Category	Requirement	Status
Encryption	Data encrypted at rest (database, file storage)
	Data encrypted in transit (TLS everywhere)
	Encryption keys managed securely (AWS KMS)
Access Control	MFA enabled for all users
	Role-based access (patients see only their data)
	Session timeout after 15–30 minutes inactivity
	Failed login lockout (5 attempts)
Audit	All PHI access logged (who, what, when)
	Audit logs tamper-evident and retained 6+ years
	Admin can review access logs
Administrative	BAAs signed with all vendors handling PHI
	Security Risk Assessment documented
	Incident response plan written
	Privacy policy published (patient-facing)
Technical	Automatic encrypted backups (daily)
	Disaster recovery plan tested
	Vulnerability scanning (automated)
	No PHI in logs, error tracking, or notifications

This isn't exhaustive HIPAA compliance — consult a healthcare compliance specialist for your specific situation. But it covers the technical controls that a patient portal needs at minimum.

What This Costs

Approach	Cost	Timeline
Build from scratch (studio)	$15,000–$50,000	8–16 weeks
Build from scratch (freelancer)	$10,000–$35,000	10–20 weeks
White-label platform (customise existing)	$5,000–$15,000	4–8 weeks
Off-the-shelf (Elation, Spruce, Klara)	$200–$500/month	Days

For practices that just need a portal: Use an off-the-shelf solution. Building custom is overkill if you're a 5-provider clinic that just wants appointment scheduling and messaging.

For detailed cost breakdowns, see our healthcare app cost guide and general MVP cost guide.

Common Mistakes

Storing PHI in the frontend. Patient data in localStorage, Redux, or cookies is a HIPAA violation waiting to happen. Fetch on demand with Server Components. Never cache PHI client-side.

Skipping the security audit. A $3,000–$5,000 pen test before launch is cheap insurance against a breach that could cost $100,000+ in fines and reputation damage.

LSD Dev Studio Builds Patient Portals

We build patient portals with Next.js, React Native, PostgreSQL, and HIPAA-compliant infrastructure. Fixed pricing, defined scope, compliance built in from day one.

Patient Portal MVP: From $2,500 — core scheduling, messaging, and records
Full Patient Portal: From $15,000 — complete platform with provider dashboard, video, and admin

See our healthcare development services or get in touch for a scoped quote.

LSD Dev Studio — Launch Support Develop. We build healthcare apps, web apps, mobile apps, and digital products. See all our services or get in touch.

How to Build a Patient Portal: Tech Guide for Healthcare Startups

What a Patient Portal Actually Needs

Must-Have (MVP)

Nice-to-Have (v2)

Architecture Overview

Tech Stack

Step-by-Step Build Process

Phase 1: Foundation (Weeks 1–2)

Phase 2: Core Features (Weeks 3–5)

Phase 3: Polish and Compliance (Weeks 6–8)

Phase 4: Testing and Launch (Weeks 7–8)

HIPAA Compliance Checklist

What This Costs

Common Mistakes

LSD Dev Studio Builds Patient Portals

Keep reading

Best Tech Stack for a SaaS Product in 2026

Best Tech Stack for a Healthcare App in 2026

Best Tech Stack for a Fintech Startup in 2026

How to Build a Patient Portal: Tech Guide for Healthcare Startups

What a Patient Portal Actually Needs

Must-Have (MVP)

Nice-to-Have (v2)

Architecture Overview

Tech Stack

Step-by-Step Build Process

Phase 1: Foundation (Weeks 1–2)

Phase 2: Core Features (Weeks 3–5)

Phase 3: Polish and Compliance (Weeks 6–8)

Phase 4: Testing and Launch (Weeks 7–8)

HIPAA Compliance Checklist

What This Costs

Common Mistakes

LSD Dev Studio Builds Patient Portals

Keep reading

Best Tech Stack for a SaaS Product in 2026

Best Tech Stack for a Healthcare App in 2026

Best Tech Stack for a Fintech Startup in 2026