TL;DR
No boilerplate ships as "HIPAA certified" — HIPAA is a process, not a checkbox. But some starters include the technical safeguards (encryption, audit logging, access controls, session timeouts) that bring you meaningfully closer. Supastarter and Makerkit are the most complete premium options. For open-source, Medplum is purpose-built for healthcare. The biggest factor is your infrastructure choice: Vercel (Enterprise), AWS, Azure, and Google Cloud have HIPAA BAA programs; Render and Railway do not (yet).
Key Takeaways
- HIPAA requires a Business Associate Agreement (BAA) — you need one with every service that touches PHI
- Technical safeguards are required: encryption at rest and in transit, audit logs, access controls, automatic logoff
- No SaaS boilerplate is HIPAA-certified — compliance depends on your complete stack and processes
- Vercel, AWS, Azure, and Google Cloud offer HIPAA BAAs — key requirement for cloud deployment
- PostgreSQL row-level security + audit logging is the right database pattern for PHI
- Medplum is the only healthcare-specific open-source full-stack platform in this comparison
What HIPAA Actually Requires Technically
HIPAA's Security Rule specifies technical safeguards (45 CFR §164.312). Each implementation specification is either "required" or "addressable"; addressable does not mean optional, it means you implement it or document why an alternative is reasonable for your environment. For a SaaS, the key requirements:
| Requirement | What This Means in Code |
|---|---|
| Access Control | Unique user IDs, role-based permissions, MFA; emergency-access procedure |
| Audit Controls | Log every access to PHI with who, what, when, from where; the log itself must be tamper-resistant |
| Integrity | PHI can't be altered or destroyed improperly; detect unauthorized changes |
| Transmission Security | HTTPS everywhere; TLS 1.2+ is current practice (the rule names no version) |
| Automatic Logoff | Session termination after a period of inactivity (addressable; the rule sets no duration) |
| Encryption | PHI encrypted at rest and in transit (addressable; AES-256 is the common choice, the rule names no algorithm) |
The requirements your boilerplate can address in code:
- ✅ Authentication with MFA (Clerk, Auth.js, etc.)
- ✅ Role-based access control (RLS in Postgres, route middleware)
- ✅ HTTPS (any modern deployment)
- ✅ Audit logging (usually a custom implementation on top of the starter)
- ✅ Session management and idle timeout (built in to most auth providers, but you set the limits)
The requirements that need infrastructure and process, not just code:
- Encryption at rest (managed by the database and object-storage provider; verify it is enabled, don't assume)
- Business Associate Agreements (signed with each vendor that stores or transmits PHI)
- Backup and disaster recovery procedures, including tested restores
- Workforce training (non-technical)
- Risk analysis documentation
The BAA Checklist: Who Must Sign
Before any ePHI (electronic Protected Health Information) flows through a service:
| Service | HIPAA BAA Available | Notes |
|---|---|---|
| Vercel | ✅ Enterprise plan | Not available on Hobby/Pro |
| AWS | ✅ Standard | Free, self-service |
| Google Cloud | ✅ Standard | Free, self-service |
| Azure | ✅ Standard | Free, self-service |
| Supabase Cloud | ✅ Pro plan+ | Contact required |
| Neon | ✅ Scale plan | Available |
| Clerk | ✅ Enterprise | $25/month minimum |
| Resend | ⚠️ Contact | Case-by-case |
| Stripe | ✅ Standard | For payment processing only |
| Twilio | ✅ Standard | For messaging/HIPAA texting |
| Vercel AI SDK | ❌ Check provider | The SDK is a library; the BAA is with the model provider (OpenAI, Anthropic, Bedrock, etc.) and terms vary |
| Railway | ❌ Not available | Cannot use for PHI |
| Render | ❌ Not available | Cannot use for PHI |
HIPAA-Ready Boilerplates
Medplum — Purpose-Built Healthcare Platform
Price: Free (open source) + Cloud ($200+/month) | Stack: React + Express + PostgreSQL
Medplum is the only open-source project in this comparison purpose-built for healthcare applications. It implements FHIR R4 (the healthcare data standard), offers a hosted cloud that will sign a BAA, and has prebuilt components for clinical workflows. Authorization is enforced through Medplum access policies rather than hand-written route checks, which is the main thing you gain over a general-purpose starter.
```typescript
// Medplum client — FHIR-native healthcare data
import { MedplumClient } from "@medplum/core";

const medplum = new MedplumClient({ baseUrl: "https://api.medplum.com/" });

// Every call below needs an authenticated session. For a server-side job use a
// client credential (shown here, credentials read from the environment); for a
// browser app use the OAuth flow from @medplum/react. Which resources the
// caller may read or write is then decided by the project's access policies.
await medplum.startClientLogin(
  process.env.MEDPLUM_CLIENT_ID!,
  process.env.MEDPLUM_CLIENT_SECRET!,
);

// Create a patient record (FHIR Patient resource)
const patient = await medplum.createResource({
  resourceType: "Patient",
  name: [{ given: ["John"], family: "Doe" }],
  birthDate: "1990-01-01",
  telecom: [{ system: "email", value: "john@example.com" }],
});

// Create an appointment that references the patient by FHIR reference
const appointment = await medplum.createResource({
  resourceType: "Appointment",
  status: "booked",
  participant: [
    { actor: { reference: `Patient/${patient.id}` }, status: "accepted" },
  ],
  start: "2026-04-01T09:00:00Z",
  end: "2026-04-01T09:30:00Z",
});
```
Choose Medplum if: You're building a clinical app, EHR integration, or need FHIR compliance.
Don't choose if: You're building a general wellness app that doesn't actually handle clinical PHI.
Supastarter — Best HIPAA-Ready Premium Starter
Price: $199+ | Stack: Next.js + Supabase/Neon + Prisma
Supastarter includes several features that support HIPAA compliance:
- Row-level security: Every Supabase table has RLS policies. Note that RLS only protects queries made with the anon or authenticated keys; anything run with the service_role key bypasses RLS entirely, so server-side code must re-check authorization itself
- Audit logging: Built-in activity tracking
- Role-based access control: Teams and permissions system
- MFA support: Via Supabase Auth
- Environment isolation: Strict separation of dev/staging/prod
For HIPAA, you'd deploy with:
- Supabase Pro (get BAA)
- Vercel Enterprise (get BAA)
- Enable Supabase encryption at rest (on by default in Pro)
```typescript
// Supastarter-style audit logging pattern (Drizzle-style query builder).
// `db`, `auditLog`, `isPHIRoute` and `extractResourceType` are the starter's
// own modules and helpers; the import paths here are placeholders.
import { db } from "@/lib/db";
import { auditLog } from "@/db/schema";
import { createId as cuid } from "@paralleldrive/cuid2";

interface AuditEvent {
  action: "CREATE" | "READ" | "UPDATE" | "DELETE";
  userId: string;
  resourceType: string;
  resourceId?: string;
  ipAddress: string;
}

export async function logAuditEvent({
  action,
  userId,
  resourceType,
  resourceId,
  ipAddress,
}: AuditEvent) {
  await db.insert(auditLog).values({
    id: cuid(),
    action,
    userId,
    resourceType,
    resourceId: resourceId ?? null,
    ipAddress,
    timestamp: new Date(),
  });
}

// X-Forwarded-For is client-controlled unless your edge proxy overwrites it.
// Take the first hop only when you know the proxy sets the header.
function clientIp(req: Request): string {
  const xff = req.headers.get("x-forwarded-for");
  return xff ? xff.split(",")[0].trim() : "unknown";
}

// Middleware: log every PHI access. Await the insert before serving the
// response; a fire-and-forget write can be lost on a crash or timeout.
export async function auditMiddleware(req: Request, userId: string) {
  if (isPHIRoute(req.url)) {
    await logAuditEvent({
      action: "READ",
      userId,
      resourceType: extractResourceType(req.url),
      ipAddress: clientIp(req),
    });
  }
}
```
Makerkit — Strong Compliance Foundation
Price: $299+ | Stack: Next.js + Supabase/Firebase
Makerkit's plugin architecture makes adding HIPAA-specific features straightforward:
- Built-in team management with role-based permissions
- Session management with configurable timeout
- Support for Supabase RLS
- Structured logging via Pino
- MFA support via Supabase Auth
HIPAA additions you'd build on top:
```typescript
// Automatic logoff: an addressable safeguard under §164.312(a)(2)(iii).
// HIPAA sets no duration; 15-30 minutes is common practice.
// makerkit/apps/web/src/middleware.ts
import { NextRequest, NextResponse } from "next/server";

const TIMEOUT_MINUTES = 15;
// Never apply the idle check to the sign-in flow itself, otherwise a stale
// cookie redirects to /auth/sign-in, which redirects again (a loop).
const EXEMPT_PREFIXES = ["/auth", "/_next"];

export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  if (EXEMPT_PREFIXES.some((p) => pathname.startsWith(p))) {
    return NextResponse.next();
  }

  // Check last activity
  const lastActivity = Number(request.cookies.get("last_activity")?.value);
  if (
    Number.isFinite(lastActivity) &&
    Date.now() - lastActivity > TIMEOUT_MINUTES * 60 * 1000
  ) {
    // Force re-authentication. This cookie only tells the browser when to
    // sign in again; also invalidate the session server-side (for Supabase
    // Auth, sign the user out / revoke the refresh token) so a replayed
    // session cookie is rejected even if this cookie is stripped.
    const redirect = NextResponse.redirect(
      new URL("/auth/sign-in?reason=timeout", request.url),
    );
    redirect.cookies.delete("last_activity");
    return redirect;
  }

  // Update last activity
  const response = NextResponse.next();
  response.cookies.set("last_activity", Date.now().toString(), {
    httpOnly: true,
    secure: true,
    sameSite: "strict",
    path: "/",
  });
  return response;
}
```
Building HIPAA Audit Logging
Every boilerplate needs this added. Here's a baseline audit log implementation; it records who, what, when and from where for every PHI access, and the schema notes cover the two properties that make it trustworthy (append-only for the application, retained for the required period):
```typescript
// lib/audit.ts — HIPAA audit log
import { db } from "@/lib/db";
import { auditLogs } from "@/db/schema";

export type AuditAction =
  | "CREATE_PATIENT"
  | "READ_PATIENT"
  | "UPDATE_PATIENT"
  | "DELETE_PATIENT"
  | "EXPORT_PHI"
  | "LOGIN"
  | "LOGOUT"
  | "FAILED_LOGIN"
  | "PERMISSION_DENIED";

interface AuditEntry {
  userId: string | null; // null for FAILED_LOGIN before a user is identified
  action: AuditAction;
  resourceType: string;
  resourceId?: string;
  ipAddress: string;
  userAgent: string;
  metadata?: Record<string, unknown>; // never put PHI itself in here
}

export async function audit(entry: AuditEntry) {
  await db.insert(auditLogs).values({
    id: crypto.randomUUID(),
    userId: entry.userId,
    action: entry.action,
    resourceType: entry.resourceType,
    resourceId: entry.resourceId,
    ipAddress: entry.ipAddress,
    userAgent: entry.userAgent,
    // The column is JSONB; pass the object through. JSON.stringify here would
    // store a JSON *string* inside the JSONB column (double-encoded).
    metadata: entry.metadata ?? null,
    timestamp: new Date(),
  });
}

// Usage in an API route: app/api/patients/[id]/route.ts (Next.js 14 signature)
import { eq } from "drizzle-orm";
import { patients } from "@/db/schema";
import { auth } from "@/lib/auth"; // your auth provider's server-side session helper

export async function GET(req: Request, { params }: { params: { id: string } }) {
  const session = await auth();
  if (!session) return new Response("Unauthorized", { status: 401 });
  const patientId = params.id;

  const patient = await db.query.patients.findFirst({ where: eq(patients.id, patientId) });

  // Log the attempt regardless of whether the record exists, and before any
  // PHI leaves the handler. X-Forwarded-For is only trustworthy when your
  // edge proxy sets it; take the first hop.
  await audit({
    userId: session.userId,
    action: "READ_PATIENT",
    resourceType: "Patient",
    resourceId: patientId,
    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0].trim() ?? "unknown",
    userAgent: req.headers.get("user-agent") ?? "unknown",
  });

  if (!patient) return new Response("Not found", { status: 404 });
  return Response.json(patient);
}
```
Schema:
```sql
CREATE TABLE audit_logs (
  id UUID PRIMARY KEY,
  user_id TEXT,                 -- nullable: failed logins may have no user yet
  action TEXT NOT NULL,
  resource_type TEXT NOT NULL,
  resource_id TEXT,
  ip_address TEXT NOT NULL,
  user_agent TEXT,
  metadata JSONB,               -- context only, never PHI
  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- The two questions an investigation asks: "what did this user touch?" and
-- "who touched this record?"
CREATE INDEX audit_logs_user_ts_idx ON audit_logs (user_id, timestamp);
CREATE INDEX audit_logs_resource_idx ON audit_logs (resource_type, resource_id);

-- The log must be append-only from the application's point of view. Connect
-- the app as a role that can only INSERT and SELECT, e.g.
--   REVOKE UPDATE, DELETE, TRUNCATE ON audit_logs FROM app_user;
-- (role name is yours) and let only a separate retention job remove rows.

-- HIPAA requires documentation to be retained for 6 years (§164.316(b)(2));
-- most organizations apply the same retention to audit logs. Archive to
-- object storage with object lock / WORM rather than deleting in place.
```
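A REVOKE stops the application role from rewriting history, but not a DBA, a leaked superuser credential, or a restored backup with rows quietly missing. The Integrity safeguard is easier to demonstrate if the log is tamper-evident as well as append-only. The following is an added example, not code from Medplum, Supastarter or Makerkit: each record is HMAC-SHA256'd together with the previous record's hash, so editing, reordering or deleting a row breaks verification, and anchoring the chain head outside the database catches a truncated tail. The key is held by the application (or a KMS), not the database, so an attacker with only database access cannot re-chain edited rows. The in-memory array, the key and the sample events are constructed for the example; in practice `prev_hash` and `hash` become two more columns on `audit_logs`.

```typescript
// Added example: a hash-chained, HMAC-signed audit log with verification.
// Class, field and function names are assumptions, not any starter's API.
import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

const GENESIS_HASH = "0".repeat(64); // prevHash of the very first record

export interface AuditInput {
  userId: string | null;
  action: string;
  resourceType: string;
  resourceId?: string;
  ipAddress: string;
}

export interface AuditRecord extends AuditInput {
  id: string;
  seq: number;        // position in the chain; a gap reveals a deleted row
  timestamp: string;  // ISO-8601
  prevHash: string;   // hash of the previous record (GENESIS_HASH for seq 0)
  hash: string;       // HMAC-SHA256 over this record's fields and prevHash
}

// Fixed field order so the serialization is identical in every process.
function canonical(r: Omit<AuditRecord, "hash">): string {
  return JSON.stringify([
    r.id, r.seq, r.timestamp, r.userId, r.action,
    r.resourceType, r.resourceId ?? null, r.ipAddress, r.prevHash,
  ]);
}

export class HashChainedAuditLog {
  private readonly records: AuditRecord[] = [];

  // `key` lives in the app's secret store, never in the database.
  constructor(
    private readonly key: Buffer,
    private readonly clock: () => Date = () => new Date(),
  ) {}

  private mac(r: Omit<AuditRecord, "hash">): string {
    return createHmac("sha256", this.key).update(canonical(r)).digest("hex");
  }

  append(input: AuditInput): AuditRecord {
    const prev = this.records[this.records.length - 1];
    const unsigned = {
      ...input,
      id: randomUUID(),
      seq: this.records.length,
      timestamp: this.clock().toISOString(),
      prevHash: prev ? prev.hash : GENESIS_HASH,
    };
    const record: AuditRecord = { ...unsigned, hash: this.mac(unsigned) };
    this.records.push(record);
    return record;
  }

  // Copies, so a caller can't mutate the chain through the returned array.
  entries(): AuditRecord[] {
    return this.records.map((r) => ({ ...r }));
  }

  // The chain head. Anchor it outside the database (a daily entry in WORM
  // storage, a signed email to the Security Officer) so a truncated tail is
  // detectable too; the chain alone cannot see rows removed from the end.
  head(): { seq: number; hash: string } {
    const last = this.records[this.records.length - 1];
    return last ? { seq: last.seq, hash: last.hash } : { seq: -1, hash: GENESIS_HASH };
  }

  // Returns the index of the first record that fails verification, or -1 if
  // every record is intact and correctly linked. With `expectedHead`, a log
  // that verifies but is shorter than the anchor returns records.length.
  verify(records: AuditRecord[], expectedHead?: { seq: number; hash: string }): number {
    let prevHash = GENESIS_HASH;
    for (let i = 0; i < records.length; i++) {
      const { hash, ...unsigned } = records[i];
      if (unsigned.seq !== i || unsigned.prevHash !== prevHash) return i;
      const expected = Buffer.from(this.mac(unsigned), "hex");
      const actual = Buffer.from(hash, "hex");
      if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return i;
      prevHash = hash;
    }
    if (expectedHead && (expectedHead.seq !== records.length - 1 || expectedHead.hash !== prevHash)) {
      return records.length;
    }
    return -1;
  }
}

// Constructed demonstration: three events, then the second one is edited.
export function demoTamperDetection(): { intactBefore: number; firstBadAfter: number } {
  const log = new HashChainedAuditLog(Buffer.from("constructed-demo-key"));
  const ip = "203.0.113.5"; // TEST-NET-3 address, constructed
  log.append({ userId: "u1", action: "LOGIN", resourceType: "Session", ipAddress: ip });
  log.append({ userId: "u1", action: "READ_PATIENT", resourceType: "Patient", resourceId: "p-42", ipAddress: ip });
  log.append({ userId: "u1", action: "EXPORT_PHI", resourceType: "Patient", resourceId: "p-42", ipAddress: ip });
  const rows = log.entries();
  const intactBefore = log.verify(rows);          // -1
  rows[1].action = "READ_PATIENT_SUMMARY";        // "it was only a summary view"
  return { intactBefore, firstBadAfter: log.verify(rows) }; // firstBadAfter is 1
}
```

Run `verify()` from a scheduled job against the stored rows plus yesterday's anchored head, and page on anything other than -1. Rotating the HMAC key means keeping the old key for verification of old segments, so record the key id alongside each row if you rotate.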
Recommended Stack by Healthcare Use Case
| Use Case | Stack | Why |
|---|---|---|
| Telehealth / Video | Next.js + Supabase + Daily.co/Twilio | HIPAA BAAs available, daily.co has HIPAA plan |
| Clinical EHR integration | Medplum | Purpose-built FHIR R4 compliance |
| Wellness app (non-clinical) | Any Next.js starter | HIPAA applies based on who you are (covered entity or business associate), not on the data alone; a direct-to-consumer app may fall outside it, but FTC and state health-privacy rules still apply |
| Mental health SaaS | Supastarter + AWS | Sensitive data, strong audit trail needed |
| Medical billing | Custom on AWS | Complex compliance requirements |
| Healthcare B2B tool | Makerkit + Vercel Enterprise | Quick to market, strong access control |
The "I Might Have PHI" Question
Many founders ask: "My app collects health information. Does HIPAA apply?"
HIPAA applies when you are a covered entity or business associate:
- Covered entities: healthcare providers, health plans, clearinghouses
- Business associates: companies that handle PHI on behalf of covered entities
If your SaaS is a direct-to-consumer wellness app (not used by or on behalf of healthcare providers or plans), HIPAA may not apply — though the FTC's Health Breach Notification Rule and state health-privacy laws (California's CMIA, Washington's My Health My Data Act, New York and others) may.
When in doubt, consult a healthcare attorney. This article covers technical implementation, not legal advice.
Infrastructure Setup Checklist
For any healthcare SaaS:
☐ Sign Vercel Enterprise BAA (or use AWS/Azure)
☐ Enable Supabase Pro + sign BAA (or use RDS/Aurora)
☐ Sign Clerk Enterprise BAA (or use AWS Cognito with BAA)
☐ Enable encryption at rest (PostgreSQL, S3/R2)
☐ Configure TLS 1.2+ only (no TLS 1.0/1.1)
☐ Implement audit logging for all PHI access
☐ Set session timeout (15-30 minutes)
☐ Enable MFA (not literally mandated by the current rule, but expected for workforce access in any credible risk analysis, and a proposed Security Rule update would make it mandatory)
☐ Configure automated backups and test a restore; retain policies, risk analyses and audit documentation for 6 years (§164.316(b)(2))
☐ Document your risk analysis (required by HIPAA)
☐ Create breach notification procedures
☐ Train your team on HIPAA basics
Methodology
- Reviewed HIPAA Security Rule technical safeguards (45 CFR Part 164)
- Checked BAA availability for 15 common SaaS infrastructure providers as of March 2026
- Analyzed Medplum, Supastarter, and Makerkit codebases for compliance-relevant features
- Consulted HIPAA.com, HHS.gov, and healthcare developer community discussions
- Reviewed audit logging patterns from open-source healthcare projects on GitHub
This article is for informational purposes. Consult a HIPAA compliance attorney for your specific situation.
The Compliance Gap Between Technical Controls and Actual HIPAA Compliance
Building the technical controls described in this article — audit logging, encryption, session timeouts, MFA, RLS — puts you in a better security posture than most startups. But technical controls are roughly half of HIPAA compliance. The administrative and physical safeguards are equally required and often overlooked by engineering teams focused on code.
Administrative safeguards include a documented Security Officer designation (someone is formally responsible for HIPAA compliance), a risk analysis conducted at least annually, workforce training on PHI handling, and documented sanctions for security policy violations. These aren't optional — they're required by the Security Rule.
Physical safeguards cover workstation access controls (who can access computers with PHI, including your cloud console), device disposal procedures, and facility access controls. For a fully remote software company, physical safeguards translate to: requiring full-disk encryption on developer laptops, using MDM software (Jamf, Mosyle) to enforce device policies, and having a formal procedure for wiping devices when employees offboard.
The practical implication: a SaaS startup building healthcare software cannot simply deploy Supastarter with audit logging and call it HIPAA-compliant. The technical implementation is necessary but not sufficient. Compliance requires organizational policies, training documentation, and administrative procedures running alongside the technical controls. Organizations like Vanta or Drata automate much of the compliance evidence collection and make this achievable without a dedicated compliance team.
Pricing Reality for HIPAA-Compliant Infrastructure
The BAA requirements add meaningful infrastructure costs that aren't visible from standard pricing pages. Building out the full HIPAA-compliant stack has a realistic monthly cost structure:
Vercel Enterprise for the BAA is a significant jump from the standard Pro plan — typically in the $150-500/month range depending on usage. Many healthcare startups avoid this by deploying directly to AWS instead of Vercel, which gets you the BAA without the platform premium. AWS infrastructure managed through Terraform or an AWS consulting partner typically costs $50-200/month at startup scale.
Clerk Enterprise for the BAA starts at $25/month minimum with an annual contract. Alternatively, Auth.js with your own database avoids the managed auth vendor entirely — no auth-vendor BAA needed because you control the auth infrastructure (the database that stores the sessions still needs one). This approach trades vendor cost for engineering maintenance time and puts password hashing, MFA and session revocation on your team.
Supabase Pro with the BAA is $25/month plus usage. The Pro plan is required because the free tier doesn't include BAA eligibility. At $25/month for a PostgreSQL database with auth, storage, and realtime included, this is reasonably priced for compliance infrastructure.
Realistic HIPAA-ready infrastructure budget for a seed-stage healthcare startup: $200-600/month depending on deployment choices. Budget this cost into your financial projections before closing your first healthcare customer contract.
Find all HIPAA-ready SaaS starters on StarterPick — filter by compliance features.
Review best premium SaaS boilerplates for the most complete feature sets that reduce compliance implementation time.
See our Clerk vs Auth0 vs WorkOS comparison for the enterprise auth options with HIPAA BAA availability.
Browse best SaaS boilerplates for 2026 to compare Supastarter and Makerkit against other full-featured options.