
Patient Portal for Healthcare Clinic

A HIPAA-compliant patient portal for MediCare Plus that streamlined appointment booking, medical records access, and secure messaging across multiple clinic locations.

Client

MediCare Plus

Role

Full-stack Developer

Duration

4 months

Date

Jan 2026

Next.js · TypeScript · PostgreSQL · HIPAA · Tailwind CSS

Key Results

40% fewer phone calls to front desk

85% patient adoption in 3 months

12-minute avg booking time → 2 minutes

The Challenge

MediCare Plus operates six clinic locations across the US East Coast, and their patient experience was stuck in the past. Booking an appointment meant calling during business hours and waiting on hold. Medical records were only available by request, and communication between patients and providers relied on phone tag and fax machines. They needed a modern patient portal that could handle sensitive health data while being intuitive enough for patients of all ages.

The biggest constraint was HIPAA compliance. Every feature, from data storage to messaging to audit logging, had to meet strict regulatory requirements. Previous vendors had quoted them enterprise-level pricing with twelve-month timelines, so MediCare Plus was looking for a leaner approach that could deliver real value in months, not years.

The Approach

I built the portal on Next.js with TypeScript, using server-side rendering to ensure pages loaded quickly even on older devices that many patients relied on. PostgreSQL handled the data layer with row-level security policies enforcing that patients could only access their own records. All data at rest was encrypted with AES-256, and every API route ran through a middleware layer that verified authentication, authorization, and audit logging before any data left the server.

The appointment booking system integrated with each clinic's existing scheduling software through a custom adapter layer, allowing patients to see real-time availability across all six locations. Secure messaging was built with end-to-end encryption and automatic expiration for sensitive attachments.

```typescript
// Middleware for role-based access control with JWT verification
import { NextRequest, NextResponse } from "next/server";
import { jwtVerify } from "jose";

// Route prefixes each role may call. Matching is by prefix, so keep entries
// specific: a patient gets /api/records/me, never the broader /api/records.
const rolePermissions: Record<string, string[]> = {
  patient: ["/api/appointments", "/api/records/me", "/api/messages"],
  provider: ["/api/appointments", "/api/records", "/api/messages", "/api/prescriptions"],
  admin: ["/api/appointments", "/api/records", "/api/messages", "/api/users", "/api/audit"],
};

// Run on every API route so no handler is reachable without this check.
export const config = { matcher: "/api/:path*" };

export async function middleware(request: NextRequest) {
  const token = request.cookies.get("session")?.value;

  if (!token) {
    return NextResponse.redirect(new URL("/login", request.url));
  }

  try {
    const secret = new TextEncoder().encode(process.env.JWT_SECRET);
    // Pin the algorithm so a token signed with something else is rejected.
    const { payload } = await jwtVerify(token, secret, { algorithms: ["HS256"] });
    const role = typeof payload.role === "string" ? payload.role : "";
    const path = request.nextUrl.pathname;

    const allowed = rolePermissions[role]?.some((p) => path.startsWith(p)) ?? false;
    if (!allowed || typeof payload.sub !== "string") {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }

    // Forward identity to the route handler as *request* headers, overwriting
    // any client-supplied values so they cannot be spoofed. Setting them on the
    // response would send the user id and role to the browser instead.
    const requestHeaders = new Headers(request.headers);
    requestHeaders.set("X-User-Id", payload.sub);
    requestHeaders.set("X-User-Role", role);
    return NextResponse.next({ request: { headers: requestHeaders } });
  } catch {
    // Invalid, expired or tampered token: treat as unauthenticated.
    return NextResponse.redirect(new URL("/login", request.url));
  }
}
```

Compliance and Security

HIPAA compliance touched every layer of the stack. I implemented comprehensive audit logging that tracked every data access event, including who accessed what, when, and from which IP address. Session timeouts were enforced at fifteen minutes of inactivity, and all API responses were stripped of metadata that could leak information through error messages or headers.

The secure messaging feature required particular care. Messages were encrypted client-side before transmission, and file attachments were scanned for malware, stored in an encrypted S3 bucket, and automatically deleted after 30 days unless a provider flagged them for retention. I worked closely with MediCare Plus's compliance officer to ensure every workflow passed their internal security audit before launch.
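An added example, not the portal's own code, of the per-request controls described in the two paragraphs above: the fifteen-minute inactivity timeout, an audit entry recording who accessed what, when, from which IP and with what outcome, error bodies that reveal nothing about why a request failed, and the 30-day attachment retention rule. The `Session`, `AuditEvent`, `Attachment` types and the function names are assumptions.

```typescript
// Added example: inactivity timeout, audit logging and attachment retention.
// Types and names are assumptions, not the portal's own code.
const INACTIVITY_LIMIT_MS = 15 * 60 * 1000;          // fifteen minutes of inactivity
const RETENTION_MS = 30 * 24 * 60 * 60 * 1000;       // attachments expire after 30 days

interface Session { userId: string; role: "patient" | "provider" | "admin"; lastSeen: number; }
interface AuditEvent {
  actor: string; action: string; resource: string; at: string; ip: string;
  outcome: "allowed" | "denied";
}
interface Attachment { uploadedAt: number; retained: boolean; } // retained = provider flagged it

const auditLog: AuditEvent[] = []; // in-memory stand-in for an append-only audit store

// Decide whether `session` may read the record of `patientId`, writing an audit
// entry for every attempt. Denials return a minimal body: the client learns
// neither the reason (role, ownership, timeout) nor whether the record exists.
function accessRecord(session: Session, patientId: string, ip: string, now: number) {
  const at = new Date(now).toISOString();
  const resource = `/api/records/${patientId}`;
  const audit = (outcome: AuditEvent["outcome"]) =>
    auditLog.push({ actor: session.userId, action: "read", resource, at, ip, outcome });

  if (now - session.lastSeen > INACTIVITY_LIMIT_MS) {
    audit("denied");
    return { status: 401, body: { error: "Unauthorized" } };
  }

  // Patients may read only their own record; providers and admins may read any.
  const allowed = session.role !== "patient" || session.userId === patientId;
  if (!allowed) {
    audit("denied");
    return { status: 403, body: { error: "Forbidden" } };
  }

  audit("allowed");
  session.lastSeen = now; // only a successful request resets the inactivity clock
  return { status: 200, body: { patientId } };
}

// An attachment is purged once it is older than 30 days unless a provider kept it.
function shouldPurgeAttachment(a: Attachment, now: number): boolean {
  return !a.retained && now - a.uploadedAt > RETENTION_MS;
}

function auditEntries(): readonly AuditEvent[] { return auditLog; }
```

The audit entry is written before the response is decided so that denied attempts, including timed-out sessions, are recorded alongside successful reads.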

Results and Impact

The portal launched across all six locations in a phased rollout over three weeks. Within three months, 85 percent of active patients had created accounts and were using the system regularly. Phone calls to the front desk dropped by 40 percent, freeing up staff to focus on in-person patient care. The average time to book an appointment went from twelve minutes on the phone to under two minutes online.

MediCare Plus also reported a noticeable improvement in patient satisfaction scores, particularly among younger patients who had previously avoided calling for routine matters. The audit logging system passed a third-party HIPAA compliance review on the first attempt, and the portal has since become a key selling point when MediCare Plus recruits new providers.

Interested in similar results?

Let's talk about your project and see how I can help you achieve your goals.