HIPAA-Compliant SaaS Boilerplates 2026
TL;DR
No boilerplate ships as "HIPAA certified" — HIPAA is a process, not a checkbox. But some starters include the technical safeguards (encryption, audit logging, access controls) that bring you meaningfully closer. Supastarter and Makerkit are the most complete premium options. For open-source, medplum is purpose-built for healthcare. The biggest factor is your infrastructure choice: Vercel, AWS, and Azure have HIPAA BAA programs; Render and Railway do not (yet).
Key Takeaways
- HIPAA requires a Business Associate Agreement (BAA) — you need one with every service that touches PHI
- Technical safeguards are required: encryption at rest and in transit, audit logs, access controls, automatic logoff
- No SaaS boilerplate is HIPAA-certified — compliance depends on your complete stack and processes
- Vercel, AWS, Azure, and Google Cloud offer HIPAA BAAs — key requirement for cloud deployment
- PostgreSQL row-level security + audit logging is the right database pattern for PHI
- Medplum is the only healthcare-specific open-source full-stack platform
What HIPAA Actually Requires Technically
HIPAA's Security Rule specifies technical safeguards (§164.312). For a SaaS, the key requirements:
| Requirement | What This Means in Code |
|---|---|
| Access Control | Unique user IDs, role-based permissions, MFA |
| Audit Controls | Log every access to PHI with who, what, when |
| Integrity | PHI can't be altered or destroyed improperly |
| Transmission Security | HTTPS everywhere, TLS 1.2+ |
| Automatic Logoff | Session timeout after inactivity |
| Encryption | PHI encrypted at rest (AES-256) and in transit |
The requirements your boilerplate can address:
- ✅ Authentication with MFA (Clerk, Auth.js, etc.)
- ✅ Role-based access control (RLS in Postgres, middleware)
- ✅ HTTPS (any modern deployment)
- ✅ Audit logging (custom implementation needed)
- ✅ Session management (built-in to auth providers)
The requirements that require infrastructure + process, not just code:
- ✅ Encryption at rest (managed by cloud provider — Vercel, AWS, etc.)
- ✅ Business Associate Agreements (signed with each service vendor)
- ✅ Backup and disaster recovery procedures
- ✅ Workforce training (non-technical)
- ✅ Risk analysis documentation
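The Access Control row above is where row-level security does its work. As an added example (not code from the article or from any boilerplate), here is a deny-by-default RLS setup for a PHI table; it assumes Supabase Auth (`auth.uid()` and the `authenticated` role) and an assumed `care_team` table that records which users may see which patients.

```sql
-- Added example: deny-by-default row-level security on a PHI table.
-- Assumes Supabase Auth (auth.uid(), "authenticated" role) and an assumed
-- care_team table linking clinicians to the patients they may access.
CREATE TABLE patients (
  id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  full_name  TEXT NOT NULL,
  birth_date DATE NOT NULL,
  created_by UUID NOT NULL                       -- auth.users.id
);

CREATE TABLE care_team (
  patient_id UUID NOT NULL REFERENCES patients(id),
  user_id    UUID NOT NULL,                      -- auth.users.id of the clinician
  role       TEXT NOT NULL CHECK (role IN ('physician', 'nurse', 'billing')),
  PRIMARY KEY (patient_id, user_id)
);

-- With RLS enabled and no matching policy, every row is invisible.
-- FORCE makes the policies apply to the table owner as well.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- Read: the creator or any member of the patient's care team
CREATE POLICY patients_select ON patients FOR SELECT TO authenticated
  USING (created_by = auth.uid()
         OR EXISTS (SELECT 1 FROM care_team ct
                    WHERE ct.patient_id = patients.id AND ct.user_id = auth.uid()));

-- Insert: a user may only create records attributed to themselves
CREATE POLICY patients_insert ON patients FOR INSERT TO authenticated
  WITH CHECK (created_by = auth.uid());

-- Update: clinical roles only; billing is read-only
CREATE POLICY patients_update ON patients FOR UPDATE TO authenticated
  USING (EXISTS (SELECT 1 FROM care_team ct
                 WHERE ct.patient_id = patients.id AND ct.user_id = auth.uid()
                   AND ct.role IN ('physician', 'nurse')));

-- No DELETE policy at all: the application role cannot delete PHI,
-- which supports the Integrity safeguard.

-- The membership table must be locked down too, or a user could add themselves
-- to a care team. Users see only their own memberships; changes are made by
-- trusted server code using the service role, which bypasses RLS.
ALTER TABLE care_team ENABLE ROW LEVEL SECURITY;
CREATE POLICY care_team_select_own ON care_team FOR SELECT TO authenticated
  USING (user_id = auth.uid());
```

The `EXISTS` subqueries in the `patients` policies run under the caller's own `care_team` policy, so a user can only ever prove membership for rows that are genuinely theirs.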
The BAA Checklist: Who Must Sign
Before any ePHI (electronic Protected Health Information) flows through a service:
| Service Category | HIPAA BAA Available | Notes |
|---|---|---|
| Vercel | ✅ Enterprise plan | Not available on Hobby/Pro |
| AWS | ✅ Standard | Free, self-service |
| Google Cloud | ✅ Standard | Free, self-service |
| Azure | ✅ Standard | Free, self-service |
| Supabase Cloud | ✅ Pro plan+ | Contact required |
| Neon | ✅ Scale plan | Available |
| Clerk | ✅ Enterprise | $25/month minimum |
| Resend | ⚠️ Contact | Case-by-case |
| Stripe | ✅ Standard | For payment processing only |
| Twilio | ✅ Standard | For messaging/HIPAA texting |
| Vercel AI SDK | ❌ Check provider | AI providers vary |
| Railway | ❌ Not available | Cannot use for PHI |
| Render | ❌ Not available | Cannot use for PHI |
HIPAA-Ready Boilerplates
Medplum — Purpose-Built Healthcare Platform
Price: Free (open source) + Cloud ($200+/month) | Stack: React + Express + PostgreSQL
Medplum is the only open-source project purpose-built for healthcare applications. It implements FHIR R4 (the healthcare data standard), provides a HIPAA-compliant cloud, and has prebuilt components for clinical workflows.
```typescript
// Medplum client — FHIR-native healthcare data
import { MedplumClient } from "@medplum/core";

const medplum = new MedplumClient({ baseUrl: "https://api.medplum.com/" });
// Authenticate the client before creating PHI (see Medplum's auth docs);
// an unauthenticated client cannot write resources.

// Create a patient record (FHIR Patient resource)
const patient = await medplum.createResource({
  resourceType: "Patient",
  name: [{ given: ["John"], family: "Doe" }],
  birthDate: "1990-01-01",
  telecom: [{ system: "email", value: "john@example.com" }],
});

// Create an appointment
const appointment = await medplum.createResource({
  resourceType: "Appointment",
  status: "booked",
  participant: [
    { actor: { reference: `Patient/${patient.id}` }, status: "accepted" },
  ],
  start: "2026-04-01T09:00:00Z",
  end: "2026-04-01T09:30:00Z",
});
```
Choose Medplum if: You're building a clinical app, EHR integration, or need FHIR compliance.
Don't choose if: You're building a general wellness app that doesn't actually handle clinical PHI.
Supastarter — Best HIPAA-Ready Premium Starter
Price: $199+ | Stack: Next.js + Supabase/Neon + Prisma
Supastarter includes several features that support HIPAA compliance:
- Row-level security: Every Supabase table has RLS policies
- Audit logging: Built-in activity tracking
- Role-based access control: Teams and permissions system
- MFA support: Via Supabase Auth
- Environment isolation: Strict separation of dev/staging/prod
For HIPAA, you'd deploy with:
- Supabase Pro (get BAA)
- Vercel Enterprise (get BAA)
- Enable Supabase encryption at rest (on by default in Pro)
```typescript
// Supastarter audit logging pattern
import { db } from "@/lib/db";                            // Drizzle client (project paths assumed)
import { auditLog } from "@/db/schema";
import { createId as cuid } from "@paralleldrive/cuid2"; // any unique-id helper works

export interface AuditEvent {
  action: "READ" | "CREATE" | "UPDATE" | "DELETE" | "EXPORT";
  userId: string;
  resourceType: string;
  resourceId?: string;   // unknown on list routes, so optional
  ipAddress: string;
}

export async function logAuditEvent({
  action,
  userId,
  resourceType,
  resourceId,
  ipAddress,
}: AuditEvent) {
  await db.insert(auditLog).values({
    id: cuid(),
    action,
    userId,
    resourceType,
    resourceId,
    ipAddress,
    timestamp: new Date(),
  });
}

// Routes that serve PHI; adjust the pattern to your API layout
const PHI_ROUTE = /^\/api\/(patients|appointments|records)(\/|$)/;
function isPHIRoute(url: string): boolean {
  return PHI_ROUTE.test(new URL(url).pathname);
}
function extractResourceType(url: string): string {
  return new URL(url).pathname.split("/")[2]; // "patients", "appointments", ...
}
const METHOD_ACTION: Record<string, AuditEvent["action"]> = {
  GET: "READ", POST: "CREATE", PUT: "UPDATE", PATCH: "UPDATE", DELETE: "DELETE",
};

// Middleware: log every PHI access
export async function auditMiddleware(req: Request, userId: string) {
  if (isPHIRoute(req.url)) {
    await logAuditEvent({
      action: METHOD_ACTION[req.method] ?? "READ",
      userId,
      resourceType: extractResourceType(req.url),
      // First hop of X-Forwarded-For; only trustworthy when your own proxy sets it
      ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0].trim() ?? "unknown",
    });
  }
}
```
Makerkit — Strong Compliance Foundation
Price: $299+ | Stack: Next.js + Supabase/Firebase
Makerkit's plugin architecture makes adding HIPAA-specific features straightforward:
- Built-in team management with role-based permissions
- Session management with configurable timeout
- Support for Supabase RLS
- Structured logging via Pino
- MFA support via Supabase Auth
HIPAA additions you'd build on top:
```typescript
// Automatic session timeout (required for HIPAA)
// makerkit/apps/web/src/middleware.ts
import { NextRequest, NextResponse } from "next/server";

export function middleware(request: NextRequest) {
  const response = NextResponse.next();
  // Check last activity
  const lastActivity = request.cookies.get("last_activity")?.value;
  const TIMEOUT_MINUTES = 15; // HIPAA typically requires 15-30 min
  if (lastActivity) {
    const elapsed = Date.now() - parseInt(lastActivity, 10);
    // A malformed cookie (NaN) is treated as expired rather than as fresh
    if (Number.isNaN(elapsed) || elapsed > TIMEOUT_MINUTES * 60 * 1000) {
      // Force re-authentication and drop the stale cookie
      const redirect = NextResponse.redirect(new URL("/auth/sign-in?reason=timeout", request.url));
      redirect.cookies.delete("last_activity");
      return redirect;
    }
  }
  // Update last activity.
  // Caveat: the cookie is httpOnly but not signed, so a client can still present a
  // fresh value; tie the check to server-side session state (or sign the value) if
  // the timeout must hold against a client that tampers with its own cookies.
  response.cookies.set("last_activity", Date.now().toString(), {
    httpOnly: true,
    secure: true,
    sameSite: "strict",
  });
  return response;
}
```
Building HIPAA Audit Logging
Every boilerplate needs this added. Here's a production-grade audit log implementation:
```typescript
// lib/audit.ts — HIPAA audit log
import { db } from "@/lib/db";
import { auditLogs } from "@/db/schema";

export type AuditAction =
  | "CREATE_PATIENT"
  | "READ_PATIENT"
  | "UPDATE_PATIENT"
  | "DELETE_PATIENT"
  | "EXPORT_PHI"
  | "LOGIN"
  | "LOGOUT"
  | "FAILED_LOGIN"
  | "PERMISSION_DENIED";

export interface AuditEntry {
  userId: string | null;   // null for unauthenticated events (FAILED_LOGIN, denied requests)
  action: AuditAction;
  resourceType: string;
  resourceId?: string;
  ipAddress: string;
  userAgent: string;
  metadata?: Record<string, unknown>;
}

// Client IP and user agent from the request. Only the first hop of X-Forwarded-For
// is used, and it is only trustworthy when your own proxy/CDN sets the header.
export function requestContext(req: Request) {
  return {
    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0].trim() ?? "unknown",
    userAgent: req.headers.get("user-agent") ?? "unknown",
  };
}

export async function audit(entry: AuditEntry) {
  await db.insert(auditLogs).values({
    id: crypto.randomUUID(),          // global Web Crypto (Node 19+ and edge runtimes)
    userId: entry.userId,
    action: entry.action,
    resourceType: entry.resourceType,
    resourceId: entry.resourceId,
    ipAddress: entry.ipAddress,
    userAgent: entry.userAgent,
    metadata: entry.metadata ?? null, // jsonb column: pass the object, not a JSON string
    timestamp: new Date(),
  });
}
```

Usage in an API route:

```typescript
// app/api/patients/[id]/route.ts — Next.js App Router handler
import { eq } from "drizzle-orm";
import { db } from "@/lib/db";
import { patients } from "@/db/schema";
import { getSession } from "@/lib/auth"; // your auth helper; returns { userId } or null
import { audit, requestContext } from "@/lib/audit";

export async function GET(req: Request, { params }: { params: { id: string } }) {
  const patientId = params.id;
  const ctx = requestContext(req);
  const session = await getSession(req);

  if (!session) {
    // Denied attempts belong in the trail too
    await audit({ userId: null, action: "PERMISSION_DENIED", resourceType: "Patient", resourceId: patientId, ...ctx });
    return new Response("Unauthorized", { status: 401 });
  }

  // Authorization (RLS or an explicit care-team check) decides whether this user
  // may see this patient; the audit entry records that they read it.
  const patient = await db.query.patients.findFirst({ where: eq(patients.id, patientId) });
  // Awaited before the response: if the audit write fails, the request fails
  await audit({ userId: session.userId, action: "READ_PATIENT", resourceType: "Patient", resourceId: patientId, ...ctx });

  if (!patient) return new Response("Not found", { status: 404 });
  return Response.json(patient);
}
```
Schema:
```sql
CREATE TABLE audit_logs (
  id            UUID PRIMARY KEY,
  user_id       TEXT,                  -- NULL for unauthenticated events (FAILED_LOGIN)
  action        TEXT NOT NULL,
  resource_type TEXT NOT NULL,
  resource_id   TEXT,
  ip_address    TEXT NOT NULL,
  user_agent    TEXT,
  metadata      JSONB,
  timestamp     TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Required by HIPAA: retain for 6 years
-- Set up retention policy in your database or archive to S3
```
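An audit trail only satisfies the Integrity safeguard if it cannot be quietly edited. As an added example (not part of the article's schema), here is how to make `audit_logs` append-only at the database level, add the indexes auditors' questions need, and select the rows due for six-year archival; it assumes an application role named `app_rw` and the `audit_logs` table defined above.

```sql
-- Added example: append-only audit_logs plus retention query.
-- Assumes the audit_logs table above and an assumed application role "app_rw".

-- 1. Least privilege: the application role may INSERT and SELECT only.
REVOKE ALL ON audit_logs FROM PUBLIC;
GRANT SELECT, INSERT ON audit_logs TO app_rw;

-- 2. Belt and braces: reject UPDATE, DELETE and TRUNCATE even from the table
--    owner. A superuser can still drop the trigger, which is why the log should
--    also be shipped to write-once storage (e.g. S3 with Object Lock).
CREATE OR REPLACE FUNCTION audit_logs_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_logs is append-only (% blocked)', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- FOR EACH STATEMENT fires even when no rows match, and is required for TRUNCATE
CREATE TRIGGER audit_logs_no_modify
  BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_logs
  FOR EACH STATEMENT EXECUTE FUNCTION audit_logs_immutable();

-- 3. Indexes for the two questions auditors ask:
--    "who accessed this patient?" and "what did this user do?"
CREATE INDEX audit_logs_resource_idx ON audit_logs (resource_type, resource_id, timestamp DESC);
CREATE INDEX audit_logs_user_idx     ON audit_logs (user_id, timestamp DESC);

-- 4. Retention: rows past the six-year mark are exported to archive storage.
--    Any purge after export runs as a privileged maintenance role that
--    explicitly disables the trigger for that one operation.
SELECT id, user_id, action, resource_type, resource_id, ip_address, timestamp
FROM audit_logs
WHERE timestamp < NOW() - INTERVAL '6 years'
ORDER BY timestamp;
```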
Recommended Stack by Healthcare Use Case
| Use Case | Stack | Why |
|---|---|---|
| Telehealth / Video | Next.js + Supabase + Daily.co/Twilio | HIPAA BAAs available; Daily.co has a HIPAA plan |
| Clinical EHR integration | Medplum | Purpose-built FHIR R4 compliance |
| Wellness app (non-clinical) | Any Next.js starter | If not collecting clinical PHI, HIPAA doesn't apply |
| Mental health SaaS | Supastarter + AWS | Sensitive data, strong audit trail needed |
| Medical billing | Custom on AWS | Complex compliance requirements |
| Healthcare B2B tool | Makerkit + Vercel Enterprise | Quick to market, strong access control |
The "I Might Have PHI" Question
Many founders ask: "My app collects health information. Does HIPAA apply?"
HIPAA applies when you are a covered entity or business associate:
- Covered entities: healthcare providers, health plans, clearinghouses
- Business associates: companies that handle PHI on behalf of covered entities
If your SaaS is a direct-to-consumer wellness app (not used by healthcare providers), HIPAA may not apply — though FTC regulations and state laws (California, New York) may.
When in doubt, consult a healthcare attorney. This article covers technical implementation, not legal advice.
Infrastructure Setup Checklist
For any healthcare SaaS:
☐ Sign Vercel Enterprise BAA (or use AWS/Azure)
☐ Enable Supabase Pro + sign BAA (or use RDS/Aurora)
☐ Sign Clerk Enterprise BAA (or use AWS Cognito with BAA)
☐ Enable encryption at rest (PostgreSQL, S3/R2)
☐ Configure TLS 1.2+ only (no TLS 1.0/1.1)
☐ Implement audit logging for all PHI access
☐ Set session timeout (15-30 minutes)
☐ Enable MFA (required for workforce, recommended for users)
☐ Configure automated backups (retain 6 years)
☐ Document your risk analysis (required by HIPAA)
☐ Create breach notification procedures
☐ Train your team on HIPAA basics
Methodology
- Reviewed HIPAA Security Rule technical safeguards (45 CFR Part 164)
- Checked BAA availability for 15 common SaaS infrastructure providers as of March 2026
- Analyzed Medplum, Supastarter, and Makerkit codebases for compliance-relevant features
- Consulted HIPAA.com, HHS.gov, and healthcare developer community discussions
- Reviewed audit logging patterns from open-source healthcare projects on GitHub
This article is for informational purposes. Consult a HIPAA compliance attorney for your specific situation.
Find all HIPAA-ready SaaS starters on StarterPick — filter by compliance features.