EHR Compliance: HIPAA, FHIR, HL7 Integration with Node.js

Posted By : Yogesh Sahu | 07-Apr-2026

Electronic Health Record (EHR) systems manage some of the most sensitive data in the world: patient medical information. Because of this, healthcare software must follow strict standards and regulations to ensure privacy, interoperability, and accountability.

Three key frameworks guide modern healthcare software development:

  • HIPAA: protects patient privacy and regulates access to medical data
  • FHIR: provides modern REST APIs for healthcare data exchange
  • HL7: supports communication with legacy hospital systems

In this guide, we'll walk through how to build a secure EHR backend using Node.js, while implementing:

  • FHIR-style REST APIs
  • HL7 message processing
  • HIPAA-aligned security controls
  • Audit logging for accountability


1. Understanding the Compliance Landscape

Before writing code, it's important to understand what each standard actually requires.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA focuses on protecting Protected Health Information (PHI).

Key technical safeguards include:

  • Access control
  • Data encryption
  • Secure authentication
  • Audit logging
  • Activity monitoring

Every access to patient data must be logged and traceable.

FHIR (Fast Healthcare Interoperability Resources)

FHIR defines standardized REST APIs and data formats for healthcare systems.

Common resources include:

  • Patient
  • Observation
  • Encounter
  • Medication
  • Practitioner

FHIR typically uses JSON over REST APIs, making it ideal for modern web applications.

HL7 (Health Level Seven)

HL7 (specifically HL7 v2) is a pipe-delimited messaging standard that hospital systems have used for decades.

Example HL7 message:

MSH|^~\&|EHR|Hospital|Lab|System|202503051200||ORM^O01|12345|P|2.3
PID|1||123456||Doe^John||19800101|M
OBR|1||54321|Blood Test

Even today, many labs, imaging systems, and insurance systems rely on HL7.

2. System Architecture for a Compliant EHR

A simplified architecture might look like this:

Client Apps
     |
API Gateway
     |
Node.js FHIR API
     |
Database (Encrypted PHI)
     |
Audit Logging Service
     |
HL7 Integration Layer

Important design principles:

  • Zero-trust security
  • Encrypted storage
  • Strong authentication
  • Immutable audit logs


3. Setting Up the Node.js Backend

We'll build our backend using Express.js.

Install Dependencies

npm init -y

npm install express mongoose jsonwebtoken bcryptjs
npm install winston hl7-standard

Note that crypto is a Node.js built-in module and does not need to be installed from npm.

Project structure:

ehr-system/
 ├── server.js
 ├── routes/
 ├── models/
 ├── middleware/
 ├── services/
 └── logs/


4. Creating a FHIR-Style Patient Resource

FHIR resources use a standardized structure.

Patient Model

// models/Patient.js

const mongoose = require("mongoose");

const PatientSchema = new mongoose.Schema({
  resourceType: {
    type: String,
    default: "Patient"
  },
  name: [
    {
      family: String,
      given: [String]
    }
  ],
  gender: String,
  birthDate: String,
  encryptedSSN: String
});

module.exports = mongoose.model("Patient", PatientSchema);


Patient API Routes

// routes/patient.js

const express = require("express");
const mongoose = require("mongoose");
const router = express.Router();
const Patient = require("../models/Patient");

// Create a Patient resource. Mongoose only persists the fields declared in
// the schema (strict mode), and validation errors go to the error handler.
router.post("/fhir/Patient", async (req, res, next) => {
  try {
    const patient = new Patient(req.body);
    await patient.save();
    res.status(201).json(patient);
  } catch (err) {
    next(err);
  }
});

// Read a Patient by id. A malformed or unknown id returns 404 instead of
// leaking a stack trace from a failed ObjectId cast.
router.get("/fhir/Patient/:id", async (req, res, next) => {
  try {
    if (!mongoose.isValidObjectId(req.params.id)) {
      return res.status(404).json({ error: "Patient not found" });
    }
    const patient = await Patient.findById(req.params.id);
    if (!patient) {
      return res.status(404).json({ error: "Patient not found" });
    }
    res.json(patient);
  } catch (err) {
    next(err);
  }
});

module.exports = router;



5. Implementing HIPAA Access Control

Role-based access control ensures only authorized personnel can access patient data.

Example roles:

  • Doctor
  • Nurse
  • Admin
  • Billing

Authorization Middleware

// middleware/auth.js

// Returns an Express middleware that allows the request through only when
// the authenticated user (populated earlier by the authentication layer)
// holds exactly the required role; everything else is denied.
module.exports = function(requiredRole) {
  return (req, res, next) => {
    const user = req.user;

    if (!user || user.role !== requiredRole) {
      return res.status(403).json({
        error: "Access denied"
      });
    }

    next();
  };
};

Usage:

const auth = require("../middleware/auth");

router.get(
  "/fhir/Patient/:id",
  auth("doctor"),
  async (req, res) => {
    const patient = await Patient.findById(req.params.id);
    res.json(patient);
  }
);


6. Encrypting Sensitive Patient Data

HIPAA requires encryption of protected health information.

Example using Node's built-in crypto module:

const crypto = require("crypto");

const algorithm = "aes-256-cbc";
// The key must outlive the process, or nothing can be decrypted after a
// restart: load it from a secrets manager or an environment variable
// (PHI_KEY_HEX is a placeholder name), never generate it at startup.
const key = Buffer.from(process.env.PHI_KEY_HEX, "hex"); // 32 bytes for AES-256

function encrypt(text) {
  // A fresh random IV for every value; reusing one IV across records reveals
  // which records share a prefix, so it is generated here and stored
  // alongside the ciphertext.
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(algorithm, key, iv);

  let encrypted = cipher.update(text, "utf8", "hex");
  encrypted += cipher.final("hex");

  return iv.toString("hex") + ":" + encrypted;
}

function decrypt(text) {
  const [ivHex, encrypted] = text.split(":");
  const decipher = crypto.createDecipheriv(algorithm, key, Buffer.from(ivHex, "hex"));

  let decrypted = decipher.update(encrypted, "hex", "utf8");
  decrypted += decipher.final("utf8");

  return decrypted;
}

Use encryption for:

  • Social security numbers
  • Insurance information
  • Medical history
  • Addresses

7. Implementing Audit Logs

HIPAA requires tracking who accessed patient data and when.

Audit logs should include:

  • User ID
  • Timestamp
  • Action
  • Resource accessed
  • IP address

Audit Logging Service

// services/auditLogger.js

const winston = require("winston");

const auditLogger = winston.createLogger({
  format: winston.format.json(),
  transports: [
    new winston.transports.File({
      filename: "logs/audit.log"
    })
  ]
});

// One JSON line per access: who, what, which resource, from where, when.
function logAudit(userId, action, resource, ip) {
  auditLogger.info({
    userId,
    action,
    resource,
    ip,
    timestamp: new Date().toISOString()
  });
}

module.exports = logAudit;

Usage:

const logAudit = require("../services/auditLogger");

router.get("/fhir/Patient/:id", async (req, res) => {

  // Log before the lookup so that failed reads are recorded as well
  logAudit(req.user.id, "READ", `Patient/${req.params.id}`, req.ip);

  const patient = await Patient.findById(req.params.id);

  res.json(patient);
});

Audit logs should ideally be stored in immutable storage systems like Elasticsearch or SIEM platforms.


8. Processing HL7 Messages in Node.js

Hospitals often send HL7 messages for lab results and patient updates.

Install HL7 parser:

npm install hl7-standard

Example:

const HL7 = require("hl7-standard");

// Segments are separated by carriage returns, and the message must begin
// with the MSH segment (no leading newline) or the parser rejects it.
const message = [
  "MSH|^~\\&|EHR|Hospital|Lab|System|202503051200||ORM^O01|123|P|2.3",
  "PID|1||123456||Doe^John"
].join("\r");

const hl7 = new HL7(message);

// hl7-standard parses on transform(); call it before reading segments
hl7.transform((err) => {
  if (err) throw err;
  console.log(hl7.get("PID"));
});

This allows your EHR to integrate with:

  • Lab systems
  • Radiology systems
  • Pharmacy software
  • Insurance platforms

9. Securing the API

Production healthcare APIs must implement additional security layers.

Authentication

Use OAuth2 or OpenID Connect.

Example libraries:

passport
keycloak
auth0

Rate Limiting

Prevent abuse of patient APIs.

npm install express-rate-limit

HTTPS

All healthcare APIs must enforce TLS encryption.

10. Example Production Technology Stack

A typical Node.js EHR stack might include:

Layer             Technology
Backend API       Node.js + Express
Database          MongoDB / PostgreSQL
Authentication    OAuth2 / Keycloak
Encryption        Node crypto
Logging           Winston
HL7 Integration   Mirth Connect
Monitoring        ELK Stack


Final Thoughts

Building a compliant EHR system requires careful attention to security, interoperability, and transparency.

By combining:

  • FHIR REST APIs
  • HL7 message processing
  • HIPAA security safeguards
  • Audit logging


About Author

Yogesh Sahu

Yogesh is a highly experienced backend developer with a strong command over Node.js, MongoDB, Express, and Git/GitHub. He specializes in developing scalable and reliable web applications using JavaScript and Node.js. Additionally he has extensive knowledge of Ethereum, Solidity, and Smart Contracts, and he has worked on various blockchain projects, smart contracts, and implementing various blockchain protocols as well. With a background in backend development, he has built RESTful APIs, implemented authentication and authorization mechanisms, and developed expertise in blockchain technology.
