
Custom Software Development for Healthcare: HIPAA, NHS & Beyond

Off-the-shelf healthcare software forces you to adapt your clinical workflows to fit a vendor's assumptions. This guide explains why custom software is the better long-term investment for healthcare organisations — and covers everything you need to know about compliance, architecture, EHR integrations, and costs across the US, UK, Canada and Australia.

TL;DR

Off-the-shelf healthcare platforms (Epic, MEDITECH) cost millions in licensing and force clinical workflows into rigid templates. Custom software built on FHIR APIs, with HIPAA/NHS DSPT/GDPR compliance baked in from day one, gives healthcare providers exactly what their workflows require — integrated with existing EHRs, scalable, and owned outright. Build costs start at £35,000 for an MVP and pay back within 18–24 months against licensing alternatives.

Why Off-the-Shelf Healthcare Software Fails

Epic, Oracle Cerner, MEDITECH and their equivalents dominate the large-hospital EHR market — but they were designed for the largest US hospital networks, not for independent clinics, digital health startups, specialty practices, or NHS primary care networks working at a different scale and with different workflow requirements.

The problems with off-the-shelf platforms are structural, not cosmetic:

💸 Prohibitive Licensing Costs

Enterprise EHR licenses from major vendors typically cost £500,000–£5,000,000 for initial implementation plus 18–22% of licence value annually for maintenance and support. Modular add-ons (telehealth, patient portal, analytics) are priced separately, creating vendor lock-in that escalates costs every year. Mid-size healthcare providers are often paying more in licensing than in clinical staff.

🔒 Rigid Workflow Templates

Large EHRs are built around generic clinical workflows. Specialty practices — dermatology, physiotherapy, mental health, fertility — have unique patient journeys, assessment forms, and documentation needs that generic templates cannot accommodate. Clinicians spend 35–45% of their time on administrative data entry that exists because the software was not built for their specialty, not because the process requires it.

🔗 Poor Integration Ecosystems

Despite FHIR R4 mandates in the US and NHS interoperability standards in the UK, many EHR vendors still charge for API access and implement proprietary data models that make integration expensive. Connecting a large EHR to a lab system, pharmacy network, wearable device platform, or third-party patient communication tool typically requires expensive custom interfaces built by the vendor's professional services team.

🐢 Slow Innovation Cycles

Feature requests submitted to large EHR vendors typically take 2–5 years to appear in the product — if they are accepted at all. Healthcare organisations that need AI-powered triage, real-time patient monitoring dashboards, or custom reporting tools cannot wait for vendor roadmaps. Custom software delivers these capabilities in months, not years.

Compliance Frameworks by Region

Healthcare software must comply with the regulations of every country where it processes patient data. Here is what compliance looks like across the four major English-speaking healthcare markets:

🇺🇸 United States — HIPAA & HL7/FHIR

  • HIPAA Privacy Rule: governs the use and disclosure of Protected Health Information (PHI), individually identifiable health information held or transmitted by a covered entity or its business associates.
  • HIPAA Security Rule: mandates administrative, physical, and technical safeguards for electronic PHI (ePHI). The rule is technology-neutral: encryption is an "addressable" specification and no algorithm is named. In practice that means NIST-recommended choices such as AES-256 at rest and TLS 1.2 or later in transit, not least because properly encrypted data that is lost or stolen is not "unsecured PHI" under the breach notification rule.
  • Business Associate Agreements (BAA): every vendor or subcontractor that creates, receives, maintains, or transmits ePHI must sign a BAA. This includes cloud providers (AWS, Azure, and Google Cloud all offer BAAs), but the BAA covers only the services each provider lists as HIPAA-eligible, so service selection is a compliance decision.
  • Audit Logging: the audit controls standard requires mechanisms to record and examine activity in systems that contain ePHI. In practice every access is logged with user ID, timestamp, resource, and action, and logs are retained for six years in line with the rule's documentation retention period.
  • 21st Century Cures Act: the ONC final rule under the Act requires certified EHRs to expose HL7 FHIR R4 APIs and prohibits information blocking. Custom software that integrates with a certified EHR should use those FHIR R4 APIs rather than proprietary interfaces.

Civil penalties: four culpability tiers from $100 to $50,000 per violation (statutory figures that HHS adjusts for inflation each year), with an annual cap per violation category of $1.5M before adjustment, roughly $2M after recent adjustments. Wilful misuse of PHI can additionally be prosecuted criminally.

🇬🇧 United Kingdom — NHS DSPT, CQC & UK GDPR

  • NHS Data Security & Protection Toolkit (DSPT): annual self-assessment that all NHS-connected organisations must complete. Built around the 10 National Data Guardian data security standards, covering staff training, data sharing, and cyber security.
  • DCB0129 Clinical Safety: mandatory for manufacturers of software with a clinical function; the organisation deploying the software carries the parallel obligations under DCB0160. Requires a Clinical Safety Officer (CSO), a hazard log, and a clinical safety case report before go-live.
  • UK GDPR Article 9: health data is special category data. Processing needs an Article 6 lawful basis plus an Article 9(2) condition; for direct care the usual condition is Article 9(2)(h), provision of health or social care, rather than explicit consent, which is hard to make freely given and withdrawable in a care setting. The common law duty of confidentiality applies on top. DPIAs are mandatory for new systems processing health data at scale.
  • CQC Requirements: Care Quality Commission regulated providers must evidence that digital systems support safe, effective, and responsive care. Software must support CQC inspection evidence requirements.
  • NHS Login & NHS App: patient-facing applications should support NHS Login for identity verification and consider NHS App integration for maximum patient reach.

ICO penalty for breach: up to £17.5M or 4% of global annual turnover, whichever is higher.

🇨🇦 Canada — PIPEDA, PHIPA & Infoway Standards

  • PIPEDA (Federal): Canada's federal private-sector privacy law requires meaningful consent for collection and use of personal information, which for sensitive data such as health information generally means express consent. Organisations must designate a privacy officer, maintain a privacy policy, and report breaches that pose a real risk of significant harm to the Privacy Commissioner. Where a province has health privacy legislation deemed substantially similar, that law applies in its place.
  • PHIPA (Ontario): Ontario's Personal Health Information Protection Act imposes stricter requirements on health information custodians. Comparable provincial regimes exist in Alberta (HIA) and British Columbia (PIPA for private organisations, FIPPA for public bodies such as health authorities).
  • Canada Health Infoway: the pan-Canadian health data interoperability body promotes FHIR R4 adoption for provincial health system integrations. Infoway-funded digital health projects are expected to follow the pan-Canadian FHIR implementation guides.
  • Data Residency: provincial health authorities typically require patient data to remain within Canadian borders. Azure Canada Central and AWS Canada (Central) are the usual hosting regions.

Penalty for breach: up to CAD $100,000 per offence under PIPEDA, for example for failing to report or keep records of breaches.

🇦🇺 Australia — My Health Records, ADHA & APPs

  • My Health Records Act 2012: governs the national My Health Record system. Healthcare providers and software vendors accessing My Health Records must be registered with the Australian Digital Health Agency (ADHA) and comply with the Act's access controls.
  • Australian Privacy Act — APPs: the 13 Australian Privacy Principles regulate the collection, use, and disclosure of health information by private sector health service providers.
  • ADHA FHIR Implementation Guides: the Agency publishes Australian-specific FHIR implementation guides for interoperability with Medicare and state health systems. Clinical terminology should use SNOMED CT-AU (the Australian extension) and the Australian Medicines Terminology (AMT) for medicines.
  • Therapeutic Goods Administration (TGA): software that constitutes a medical device must be included in the Australian Register of Therapeutic Goods (ARTG) under the Software as a Medical Device (SaMD) rules before supply, unless it falls within one of the TGA's published exemptions or exclusions for lower-risk software.

Penalty for breach: since December 2022, serious or repeated interferences with privacy attract penalties of up to the greater of AUD $50M, three times the benefit obtained, or 30% of adjusted turnover for the period (the previous AUD $2.22M cap no longer applies).

🇪🇺 Europe — GDPR Article 9, MDR & CE Marking

  • GDPR Article 9: health data requires an Article 6 lawful basis plus an Article 9(2) condition: explicit consent, vital interests, public health, or provision of health care under the responsibility of a professional bound by confidentiality (Article 9(2)(h)). DPIAs are mandatory for health data processing at scale.
  • EU MDR (Medical Device Regulation): software with a medical purpose (diagnosis, monitoring, treatment) is a medical device under EU MDR 2017/745 and requires conformity assessment, technical documentation, and CE marking before EU market placement. Software is classified under Annex VIII Rule 11, which places most diagnostic or therapeutic decision software in Class IIa or higher and therefore requires a notified body.
  • eIDAS & EU Digital Identity: patient identity verification in EU health applications should use eIDAS-compliant identity providers where available. The European Health Data Space (EHDS) regulation, in force since 2025, drives pan-EU patient data portability with obligations phased in from 2027.
  • HL7 FHIR in EU: IHE International profiles for FHIR are widely used in Germany (gematik TI), France (ANS), and the Netherlands (Nictiz). Each country has national adaptations of the FHIR base standard.

Penalty for breach: up to €20M or 4% of global annual turnover, whichever is higher, under GDPR.

Types of Healthcare Software We Build

👤 Patient Portals

HIPAA/NHS-compliant self-service portals where patients view appointments, test results, care plans, and clinical letters. Integrates with NHS Login or social identity providers. Includes secure messaging, document upload, and consent management. Reduces inbound call volume by 30–50% for primary care and specialty practices.

🏥 Clinical Decision Support

AI-powered tools that assist clinicians at the point of care — flagging potential drug interactions, suggesting differential diagnoses based on symptom input, highlighting deteriorating patient indicators, and surfacing relevant clinical guidelines. Built with CE/TGA/FDA-aware development processes and human-in-the-loop design for clinician oversight.

📹 Telemedicine Platforms

End-to-end video consultation platforms including appointment scheduling, encrypted video sessions (WebRTC), secure in-session document sharing, e-prescription integration, and post-consultation note generation. HIPAA-compliant video uses encrypted WebRTC with BAA-covered infrastructure. Supports NHS GPAS appointment scheduling APIs for NHS-connected deployments.

🔗 EHR Integration Middleware

FHIR R4 integration layers that connect your custom applications to existing EHR systems (Epic, MEDITECH, SystmOne, EMIS, Cerner). Handles bidirectional patient demographic sync, appointment data, clinical observations, medication lists, and care plan data. Includes message transformation between HL7 v2 legacy formats and modern FHIR R4 resources.

💳 Medical Billing & RCM

Custom revenue cycle management tools for US private practice — claim generation, payer submission (EDI 837), ERA posting (EDI 835), eligibility verification (EDI 270/271), and denial management dashboards. Integrates with clearinghouses (Availity, Change Healthcare). For UK private practice: custom invoicing with NHS tariff codes, Healthcode CODA integration, and private medical insurer payment reconciliation.

🤝 Care Coordination Platforms

Multi-disciplinary team (MDT) tools for managing complex patient pathways across multiple care settings — community nursing, social care, mental health, and acute hospitals. Task assignment, escalation workflows, shared care plans, and cross-organisation messaging with role-based access. Integrated with NHS Shared Care Records where applicable.

Technical Architecture for Compliant Healthcare Software

Every healthcare application we build is designed around the same security-first architecture. These are the non-negotiable technical layers:

LAYER 1 — PRESENTATION

React / Next.js frontend with server-side rendering for performance. TLS 1.3 enforced for all client connections. Content Security Policy (CSP) headers. WCAG 2.1 AA accessibility compliance for patient-facing interfaces. Session tokens expire after configurable inactivity periods. All forms include CSRF protection.

LAYER 2 — API & AUTHENTICATION

FastAPI or Node.js REST/GraphQL API layer. OAuth 2.0 + OpenID Connect for authentication (NHS Login, Microsoft Entra ID, Okta). SMART on FHIR for clinical application authorisation, with access decisions made from the token's scopes rather than from client-supplied flags. Role-based access control (RBAC) with fine-grained permission scopes. API rate limiting and DDoS protection via Cloudflare or AWS WAF. Every API call is written to the audit trail with caller identity, resource, and action.
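The scope check described above, as an added example that is not SpiderHunts code: it parses the SMART on FHIR scopes from an access token's `scope` claim (v1 `patient/Observation.read` and v2 `patient/Observation.rs` forms) and decides whether a FHIR request is allowed. The token claims and requests are constructed sample data; granular v2 scopes with `?param=value` filters are rejected rather than partially honoured, so the check fails closed.

```python
"""SMART on FHIR scope enforcement for a clinical API layer (added example, not SpiderHunts code).

The authorisation server (NHS Login, Entra ID, Okta or a SMART-capable EHR)
issues a space-separated `scope` claim. v1 scopes use read/write/*; v2 scopes
use permission letters c (create) r (read) u (update) d (delete) s (search).
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# v1 access words expressed as v2 permission letters
_V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}
_SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]{1,5})$")
# FHIR interaction -> permission letter it needs
_INTERACTION_PERM = {"read": "r", "search": "s", "create": "c", "update": "u", "delete": "d"}


@dataclass(frozen=True)
class Scope:
    context: str            # 'patient' (launch patient only), 'user' (what the user may see), 'system'
    resource: str           # FHIR resource type, or '*'
    perms: FrozenSet[str]   # subset of {'c', 'r', 'u', 'd', 's'}


def parse_scope(token: str) -> Optional[Scope]:
    """Parse one scope string; anything that is not a data-access scope yields None."""
    m = _SCOPE_RE.match(token)
    if not m:
        return None   # openid, fhirUser, launch/patient, offline_access, granular '?filter' scopes...
    ctx, res, access = m.groups()
    return Scope(ctx, res, frozenset(_V1_TO_V2.get(access, access)))


def parse_scope_claim(claim: str) -> List[Scope]:
    return [s for s in map(parse_scope, claim.split()) if s is not None]


def is_allowed(scopes: List[Scope], resource_type: str, interaction: str,
               launch_patient: Optional[str] = None, target_patient: Optional[str] = None) -> bool:
    """Allow the request if any scope grants the interaction on the resource type.

    patient/ scopes only reach the patient bound to the token at launch: a request
    that targets another patient, or whose patient is unknown, is denied even when
    the resource type and permission match. user/ and system/ scopes are not
    patient-bound and rely on the caller's own RBAC role for minimum-necessary limits.
    """
    perm = _INTERACTION_PERM[interaction]
    for s in scopes:
        if s.resource not in (resource_type, "*") or perm not in s.perms:
            continue
        if s.context == "patient" and (launch_patient is None or target_patient != launch_patient):
            continue
        return True
    return False
```

The check needs `target_patient`, so for a read it runs after the resource is loaded (from `Observation.subject`, for example) and before the response is sent; for a search the API must inject `patient=<launch_patient>` into the query rather than filter afterwards, or a patient-scoped token could enumerate other patients' records through search parameters.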

LAYER 3 — FHIR INTEGRATION

HL7 FHIR R4 server (HAPI FHIR, Azure Health Data Services, or AWS HealthLake) for standardised patient data exchange. HL7 v2 message transformation for legacy EHR integrations. SNOMED-CT and LOINC terminology mapping for clinical concepts. Async FHIR Bulk Data APIs for population health queries. IHE profiles for cross-institutional document exchange.

LAYER 4 — DATA & AUDIT

PostgreSQL with application-level field encryption for PHI columns (AES-256-GCM, keys never stored beside the data) on top of encrypted storage volumes. Separate audit log store that is append-only: records of every data access event can be added but not updated or deleted by the application's database role. Automated backup with point-in-time recovery and cross-region replication within the same data residency jurisdiction. Database access restricted to application service accounts, with no direct developer access to production ePHI. Encryption keys managed in AWS KMS, Azure Key Vault, or HashiCorp Vault.
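An append-only audit log is only as trustworthy as your ability to prove it has not been edited after the fact. The following is an added example (not SpiderHunts code) of the audit trail described in this layer and in the HIPAA audit logging requirement above: each entry commits to the hash of the previous entry and is sealed with an HMAC under a key the application holds but the database role used by the API does not, so an attacker who can UPDATE or DELETE rows in the audit table still cannot rewrite history without the verifier noticing. The seal key and the access events are constructed sample data.

```python
"""Tamper-evident, hash-chained audit log for ePHI access events (added example, not SpiderHunts code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # 'previous hash' of the first entry


def entry_hash(entry: Dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash and seal."""
    body = {k: v for k, v in entry.items() if k not in ("hash", "seal")}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    def __init__(self, seal_key: bytes):
        self._key = seal_key           # assumption: in production fetched from KMS / Key Vault, never in the DB
        self.entries: List[Dict] = []

    def _seal(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode(), "sha256").hexdigest()

    def record(self, user: str, action: str, resource: str, patient: str,
               purpose: str, at: Optional[str] = None) -> Dict:
        entry = {
            "seq": len(self.entries),
            "ts": at or datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "patient": patient, "purpose": purpose,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        entry["seal"] = self._seal(entry["hash"])
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; publish it out of band so truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, entries: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(entries):
            if e.get("seq") != i or e.get("prev") != prev:
                return i   # entry reordered, deleted or inserted
            digest = entry_hash(e)
            if not hmac.compare_digest(digest, str(e.get("hash", ""))):
                return i   # contents edited
            if not hmac.compare_digest(self._seal(digest), str(e.get("seal", ""))):
                return i   # contents edited and hash recomputed, but without the seal key
            prev = digest
        if expected_head is not None and prev != expected_head:
            return len(entries)   # tail entries removed
        return None


def demo_log() -> AuditLog:
    """Three constructed access events from a clinic application."""
    log = AuditLog(seal_key=b"demo-seal-key")
    log.record("nurse-42", "read", "Observation/789", "pat-123", "direct-care", at="2026-01-05T09:00:00+00:00")
    log.record("reception-7", "read", "Appointment/55", "pat-123", "scheduling", at="2026-01-05T09:01:00+00:00")
    log.record("nurse-42", "update", "CarePlan/12", "pat-123", "direct-care", at="2026-01-05T09:02:00+00:00")
    return log
```

The chain alone cannot detect an attacker who deletes the most recent entries and leaves the rest intact, which is why `verify` takes an `expected_head`: write `head()` to the SIEM or a write-once bucket on a schedule, and grant the API's database role INSERT only on the audit table so edits require a separate, alertable privilege.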

LAYER 5 — INFRASTRUCTURE & MONITORING

Kubernetes on HIPAA-eligible AWS / NHS-connected Azure regions. Infrastructure as Code (Terraform) for auditable, reproducible deployments. Automated vulnerability scanning (Trivy for images and dependencies, OWASP ZAP for the running application) in the CI/CD pipeline. Real-time security monitoring with SIEM integration (Splunk, Microsoft Sentinel). SLA 99.9% uptime with health check endpoints. Penetration testing performed before launch and annually thereafter.

🇬🇧 NHS-Specific Considerations

Building for the NHS requires familiarity with a specific ecosystem of standards and assurance processes that differ significantly from US healthcare software development:

  • GP Connect: the NHS England API for reading and writing appointment and patient record data held by the GP system suppliers (EMIS, TPP SystmOne, Vision). Patient-facing applications in primary care that need live appointment data use GP Connect rather than supplier-specific interfaces. Requires NHS England (formerly NHS Digital) onboarding and Spine connectivity.
  • NHS Login: the national identity verification service for patient-facing digital health applications. Integration with NHS Login gives patients a single login across all NHS digital services and provides identity proofing at levels P0 (verified email and mobile only) through P5 to P9 (photo ID verified); P9 is the level the NHS App uses for record access. Required for applications listed on the NHS App.
  • NHS App Integration: approved digital health tools can surface within the NHS App, giving access to 30+ million registered NHS patients. The NHS App team reviews applications against clinical safety and interoperability standards before listing.
  • DCB0129 Clinical Safety Standard: mandatory for manufacturers of software with a clinical function deployed in NHS settings; the organisation deploying it carries the matching DCB0160 obligations. Requires appointment of a Clinical Safety Officer (a registered clinician trained in clinical risk management), a documented hazard log, a clinical risk management plan, and a Clinical Safety Case Report before go-live. We manage this process with our network of clinical safety advisors.
  • NHS Data Security & Protection Toolkit (DSPT): annual self-assessment required for all organisations that access NHS patient data. Must achieve at least "Standards Met" status. Covers cyber security, staff training, data sharing agreements, and business continuity.

SpiderHunts has experience navigating NHS Digital assurance processes including GP Connect onboarding, DSP Toolkit submission, and DCB0129 clinical safety documentation.

🇺🇸 HIPAA-Specific Considerations

HIPAA compliance is not a checkbox — it is an ongoing programme of administrative, physical, and technical safeguards:

  • ePHI Definition: any individually identifiable health information in electronic form is ePHI and must be protected. This includes not just medical records but also appointment data, payment information linked to health services, and any demographic data that could identify a patient's health status.
  • Business Associate Agreements (BAA): before any vendor or subprocessor can access ePHI — including your cloud provider, email service, analytics tool, and video conferencing platform — they must sign a BAA. AWS, Azure, and Google Cloud all provide BAA-eligible services. We document all BAA-covered vendors as part of project delivery.
  • Minimum Necessary Standard: access to ePHI must be limited to the minimum necessary for each user's job function. This drives RBAC design — a receptionist should not see clinical notes; a nurse should not see billing details for patients they are not treating.
  • Breach Notification Rule: covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must be reported to HHS within the same 60 days, and where more than 500 residents of a state or jurisdiction are affected, prominent media in that area must also be notified; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity within the same window. Your application's logging and detection must be good enough to establish what was accessed, by whom, and whether it was encrypted.
  • Risk Analysis: HIPAA requires a documented, organisation-wide risk analysis that identifies all ePHI flows, assesses vulnerabilities, and implements appropriate safeguards. This must be updated whenever systems change or a breach occurs. We deliver a completed Risk Analysis document as part of HIPAA-compliant projects.

SpiderHunts delivers complete HIPAA compliance documentation alongside every US healthcare software project — including System Security Plan (SSP), Risk Analysis, Privacy Impact Assessment, and BAA register.

Build Costs and Timelines

Healthcare software costs more than general software development — compliance architecture, security testing, audit documentation, and clinical safety reviews add 25–35% to the baseline development cost. Here is an honest breakdown:

Healthcare Software Development Costs — 2026 (SpiderHunts)
Product Type                        UK (NHS-ready)          US (HIPAA)              Timeline
Patient Portal (MVP)                £35,000 – £55,000       $45,000 – $70,000       14–18 weeks
Telemedicine Platform               £60,000 – £120,000      $80,000 – $160,000      18–26 weeks
Digital Triage System               £45,000 – £90,000       $60,000 – $120,000      16–22 weeks
EHR Integration Layer (FHIR)        £25,000 – £60,000       $35,000 – $80,000       10–18 weeks
Care Coordination Platform          £70,000 – £140,000      $90,000 – $180,000      20–30 weeks
Full EHR / Patient Record System    £150,000 – £400,000+    $200,000 – $500,000+    40–80 weeks (phased)

Ongoing costs: hosting and infrastructure (£800–£4,000/month depending on scale), annual penetration testing (£3,000–£8,000), DSPT annual submission support (£2,000–£4,000 for UK projects), clinical safety officer retainer for DCB0129 (£1,500–£3,000/year), and software maintenance updates (15–20% of build cost annually). We provide transparent cost modelling for total cost of ownership across a 3-year period before project start.

EHR Integration Challenges

The hardest part of healthcare software development is not the application logic — it is connecting to existing health record systems that were built on 1990s data standards. Here is what real-world EHR integration looks like:

Epic (US, some UK)

Epic publishes a mature FHIR R4 API through open.epic (the programme formerly known as App Orchard). Third-party apps register there, and each Epic customer organisation must approve the app before it can reach that organisation's data. Supports SMART on FHIR for patient-context app launches. Read-write access to clinical data requires additional Epic sign-off. Epic Hyperdrive (the modern web client) supports embedded third-party apps.

MEDITECH (US, Canada)

MEDITECH Expanse provides FHIR R4 APIs. Older MEDITECH 6.x installations use HL7 v2 interfaces accessed via VPN. Integration complexity varies significantly by version — many US community hospitals still run older MEDITECH versions that require HL7 v2 message parsing and transformation. MEDITECH's FHIR APIs require separate API licensing.

EMIS & SystemOne (UK)

The two dominant UK GP system suppliers (EMIS Web and TPP SystmOne). Integration goes via NHS GP Connect APIs (appointment booking, patient demographics, coded clinical data) rather than direct supplier APIs. GP Connect access requires NHS England onboarding. Direct EMIS and SystmOne partner APIs exist for approved software suppliers with specific use cases such as patient-reported outcome measures.

Lab & Pharmacy Systems

Laboratory result delivery typically uses HL7 v2 ORU^R01 messages from laboratory information systems (Sunquest, Cerner PathNet). UK NHS pathology still largely uses EDIFACT messaging delivered over MESH, the Message Exchange for Social Care and Health, with FHIR-based pathology messaging being introduced. Pharmacy integration in the US uses the NCPDP SCRIPT standard for e-prescriptions; the UK uses the NHS Electronic Prescription Service (EPS) via NHS Spine with smartcard or NHS CIS2 authentication.
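The HL7 v2 to FHIR transformation mentioned in the FHIR integration layer above and the ORU result delivery described here come down to the same parsing job. The following is an added example, not SpiderHunts or any LIS vendor's code: it reads an ORU^R01 using the delimiters the message declares in MSH, de-escapes `\F\ \S\ \T\ \R\ \E\` sequences only after splitting (de-escaping first would let a decoded `^` or `|` be re-read as a delimiter), and maps each OBX onto a FHIR R4 Observation. The message is constructed sample data and the MRN identifier system URI is an assumption.

```python
r"""HL7 v2 ORU^R01 lab result to FHIR R4 Observation mapping (added example, not vendor code)."""
import re
from typing import Dict, List

# Constructed sample message: a metabolic panel with one comment result.
SAMPLE_ORU = "\r".join([
    r"MSH|^~\&|LIS|MainLab|PORTAL|Clinic|202601051030||ORU^R01|MSG0001|P|2.5.1",
    r"PID|1||MRN-1001^^^MainHospital^MR||Doe^Jane||19800101|F",
    r"OBR|1|||24323-8^Comprehensive metabolic panel^LN|||202601050930",
    r"OBX|1|NM|2345-7^Glucose^LN||140|mg/dL|70-99|H|||F|||202601050930",
    r"OBX|2|NM|2160-0^Creatinine^LN||0.9|mg/dL|0.7-1.3|N|||F",
    r"OBX|3|ST|48767-8^Annotation comment^LN||Sample haemolysed \T\ repeated|||||F",
])

CODE_SYSTEMS = {"LN": "http://loinc.org", "SCT": "http://snomed.info/sct"}
STATUS_MAP = {"F": "final", "P": "preliminary", "C": "corrected", "X": "cancelled"}
INTERP_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ObservationInterpretation"
MRN_SYSTEM = "urn:example:mainhospital:mrn"   # assumption: the EHR's own identifier system URI


class Hl7Message:
    """Minimal HL7 v2 reader: delimiters from MSH-1/MSH-2, segments kept as raw field lists."""

    def __init__(self, raw: str):
        lines = [s for s in raw.replace("\n", "\r").split("\r") if s.strip()]
        if not lines or not lines[0].startswith("MSH") or len(lines[0]) < 8:
            raise ValueError("message must start with an MSH segment declaring its delimiters")
        msh = lines[0]
        self.fs, self.cs, self.rs, self.esc, self.ss = msh[3], msh[4], msh[5], msh[6], msh[7]
        self.segments: List[List[str]] = []
        for line in lines:
            parts = line.split(self.fs)
            if parts[0] == "MSH":
                parts = ["MSH", self.fs] + parts[1:]   # MSH-1 is the field separator itself
            self.segments.append(parts)

    def find(self, seg_id: str) -> List[List[str]]:
        return [s for s in self.segments if s[0] == seg_id]

    def unescape(self, text: str) -> str:
        table = {"F": self.fs, "S": self.cs, "T": self.ss, "R": self.rs, "E": self.esc}
        pattern = re.escape(self.esc) + r"([FSTRE])" + re.escape(self.esc)
        return re.sub(pattern, lambda m: table[m.group(1)], text)

    def value(self, seg: List[str], i: int, j: int = 1) -> str:
        """SEG-i.j as text: first repetition, j-th component (1-based), de-escaped last."""
        if i >= len(seg):
            return ""
        comps = seg[i].split(self.rs)[0].split(self.cs)
        return self.unescape(comps[j - 1]) if j <= len(comps) else ""


def hl7_ts_to_iso(ts: str) -> str:
    """YYYYMMDD[HHMM[SS]][.ffff][+/-HHMM] -> ISO 8601; malformed input yields '' rather than a guess."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(?:(\d{2})(\d{2})(\d{2})?)?(?:\.\d+)?([+-]\d{4})?", ts)
    if not m:
        return ""
    y, mo, d, hh, mm, ss, tz = m.groups()
    out = f"{y}-{mo}-{d}"
    if hh:
        out += f"T{hh}:{mm}:{ss or '00'}" + (f"{tz[:3]}:{tz[3:]}" if tz else "")
    return out


def oru_to_observations(raw: str) -> List[Dict]:
    """Map every OBX in an ORU^R01 to a FHIR Observation linked to the PID-3 identifier."""
    msg = Hl7Message(raw)
    pid, obr = msg.find("PID"), msg.find("OBR")
    if len(pid) != 1:
        raise ValueError("expected exactly one PID segment")
    mrn = msg.value(pid[0], 3)
    if not mrn:
        raise ValueError("PID-3 carries no patient identifier; refusing to file unattributed results")
    subject = {"identifier": {"system": MRN_SYSTEM, "value": mrn}}
    panel_time = hl7_ts_to_iso(msg.value(obr[0], 7)) if obr else ""
    observations: List[Dict] = []
    for obx in msg.find("OBX"):
        code, display, system = (msg.value(obx, 3, j) for j in (1, 2, 3))
        obs: Dict = {
            "resourceType": "Observation",
            "status": STATUS_MAP.get(msg.value(obx, 11), "unknown"),
            "code": {"coding": [{"system": CODE_SYSTEMS.get(system, system), "code": code, "display": display}]},
            "subject": subject,
        }
        when = hl7_ts_to_iso(msg.value(obx, 14)) or panel_time   # OBX-14, else the OBR-7 panel time
        if when:
            obs["effectiveDateTime"] = when
        value, value_type = msg.value(obx, 5), msg.value(obx, 2)
        if value_type == "NM":
            try:
                obs["valueQuantity"] = {"value": float(value), "unit": msg.value(obx, 6)}
            except ValueError:
                obs["dataAbsentReason"] = {"text": f"non-numeric value in NM field: {value!r}"}
        else:
            obs["valueString"] = value
        if msg.value(obx, 7):
            obs["referenceRange"] = [{"text": msg.value(obx, 7)}]
        if msg.value(obx, 8):
            obs["interpretation"] = [{"coding": [{"system": INTERP_SYSTEM, "code": msg.value(obx, 8)}]}]
        observations.append(obs)
    return observations
```

Before these Observations are written to the FHIR store the PID-3 identifier must be resolved against the EHR's patient index rather than trusted verbatim, and the interface should return an application reject (not a silent drop) for messages without a usable identifier, since a result filed against the wrong patient is a clinical safety incident, not just a data quality issue.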

Wearables & Remote Monitoring

Consumer wearables (Apple Health, Fitbit, Garmin) expose data via vendor APIs or Apple HealthKit / Google Health Connect. Clinical-grade remote monitoring devices (Dexcom CGM, Withings medical devices) provide dedicated APIs with configurable alert thresholds. FHIR Observation resources are used to standardise wearable data before writing to patient records.

Case Studies


AI-Powered Digital Triage for an NHS Primary Care Network

A Primary Care Network covering 14 GP practices and 85,000 registered patients commissioned a digital triage platform to manage unprecedented post-pandemic appointment demand. Patients complete a structured symptom questionnaire (built using validated clinical decision trees and reviewed by a Clinical Safety Officer under DCB0129) before their appointment request is processed. The AI layer — built on a clinician-validated decision model, not a black-box LLM — routes patients to the appropriate care pathway: self-care, pharmacy, GP telephone review, urgent face-to-face, or 999/111.

The platform integrates with EMIS Web via GP Connect for appointment booking and uses NHS Login for patient authentication. Compliance deliverables included a completed DSPT submission, full DCB0129 clinical safety case, and ICO DPIA.

Result: 34% reduction in unnecessary face-to-face appointments in the first 6 months. Clinician time saved: approximately 420 GP appointment slots per week redirected to higher-acuity patients. Build cost: £68,000. Timeline: 19 weeks from kickoff to live patients.


HIPAA-Compliant Patient Engagement Portal for a Multi-Site Orthopaedic Practice

A 12-location orthopaedic practice group in the US Midwest replaced a legacy patient portal (inherited through a practice acquisition) with a custom portal built on AWS HealthLake and integrated with their Epic EHR via Epic's FHIR R4 App Orchard APIs. The portal enables patients to view surgical procedure notes, pre-operative instructions, post-operative rehabilitation plans, and appointment scheduling. Secure in-app messaging between patients and clinical coordinators replaced insecure email for post-surgical queries.

Infrastructure runs in a HIPAA-eligible AWS region (us-east-1) with BAAs covering AWS, the video consultations provider, and the notification service. All ePHI is encrypted with AWS KMS. The project delivered a complete HIPAA Risk Analysis, Privacy Impact Assessment, and BAA register as part of the compliance documentation package.

Result: Patient portal adoption reached 78% within 90 days (vs 31% for the legacy portal). Inbound phone calls for post-surgical queries reduced by 47%. Build cost: $92,000. Timeline: 18 weeks.


Provincial Telehealth Platform for a Canadian Mental Health Network

A provincial mental health services network in British Columbia needed a telehealth platform that could serve rural and remote communities with poor broadband connectivity, support both individual and group therapy sessions, and comply with BC PIPA requirements for mental health data — a particularly sensitive category that attracts heightened compliance scrutiny. The platform uses adaptive bitrate WebRTC video (falls back to audio-only at low bandwidth), encrypted session note generation, client consent management, and outcome measure collection (PHQ-9, GAD-7) integrated into the session workflow.

All data is stored on Azure Canada Central with data residency guarantees under the BC PIPA framework. Group therapy sessions support up to 12 participants. Clinicians can annotate patient records during sessions without leaving the platform, with notes automatically structured using SOAP format and exported to the organisation's existing case management system via a custom REST integration.

Result: Access to mental health services for rural patients increased by 215% compared to prior in-person-only service model. Average session quality score (from post-session patient surveys): 4.6/5. Build cost: CAD $145,000. Timeline: 24 weeks.

Frequently Asked Questions

How long does it take to build HIPAA-compliant healthcare software?

A HIPAA-compliant MVP — such as a patient portal or telemedicine module — typically takes 14–20 weeks. This includes 2–3 weeks of compliance architecture design, 10–14 weeks of development, 2–3 weeks of security and penetration testing, and 1–2 weeks of deployment with BAAs in place. Full EHR integrations (HL7/FHIR) add 4–8 additional weeks depending on the EHR vendor's API maturity and access approval timelines.

What is the difference between HIPAA and NHS compliance for healthcare software?

HIPAA (US) focuses on protecting PHI and requires a Business Associate Agreement with every vendor handling ePHI, encryption of data at rest and in transit, access controls, and 60-day breach notification. NHS compliance (UK) is governed by the NHS Data Security and Protection Toolkit, DCB0129 clinical safety standard, and UK GDPR. NHS systems must support NHS Login for patient authentication, use NHS-approved FHIR data standards, and pass NHS Digital assurance processes. Both frameworks require audit logging, RBAC, and regular risk assessments — making a shared technical foundation achievable for organisations operating in both markets.

Do I need to comply with both HIPAA and GDPR if I operate in the US and UK?

Yes: if you process health data from patients in both countries, you must comply with both frameworks simultaneously. This is achievable with a shared technical foundation: encryption, audit logging, RBAC, and data minimisation practices satisfy both. Key differences are in the legal basis for processing, breach notification timelines (no later than 60 days to individuals and HHS under HIPAA versus 72 hours to the supervisory authority under GDPR), and patient rights (GDPR grants rights of erasure and portability that HIPAA does not mandate, while HIPAA's right of access has its own 30-day deadline). Architecture decisions such as data residency, deletion workflows, and consent management must account for both frameworks from the outset.

What is FHIR and why does my healthcare software need it?

FHIR (Fast Healthcare Interoperability Resources) is the international standard for exchanging patient data between systems. It defines a REST API structure and data formats (Resources) for patients, observations, medications, appointments, and clinical notes. FHIR R4 is required for certified EHR APIs under the US 21st Century Cures Act rules, used by NHS England for GP Connect and NHS App integrations, and adopted by Canada Health Infoway. Custom healthcare software that reads or writes patient data from EHRs like Epic, MEDITECH, EMIS or SystmOne should implement FHIR APIs to avoid expensive proprietary integration work.

How much does custom healthcare software development cost?

Costs vary by scope and compliance requirements. A HIPAA-compliant patient portal (US) costs $45,000–$120,000. An NHS-ready digital triage or patient engagement platform costs £35,000–£90,000. A full telemedicine platform with video, scheduling, EHR integration, and prescription management costs £80,000–£250,000. These figures include compliance architecture, security testing, penetration testing, and documentation. Ongoing maintenance, hosting, and annual compliance updates add 15–25% of the build cost annually. We provide a detailed cost model covering total 3-year ownership cost before every project begins.


Build Compliant Healthcare Software

SpiderHunts builds HIPAA-compliant, NHS-ready and GDPR-aligned healthcare software for providers across the US, UK, Canada and Australia. From patient portals and telemedicine platforms to FHIR integration layers and clinical decision support tools — we deliver full compliance documentation alongside every project. Get a scoped quote within 24 hours.