Skip to content
← ALL WRITING

2026-04-21 / 11 MIN READ

Shipping HIPAA-compliant Next.js apps without a compliance team

What I learned building a regulated member platform solo: field encryption, audit logs, token-gated delivery, and the six places Next.js apps leak PHI.

Building HIPAA-compliant web apps solo is mostly an architecture problem, not a legal problem. The legal part is a one-time business associate agreement with your hosting provider and any third-party that touches protected health information. The architecture part is every day, in every pull request, until the system is decommissioned.

I've built one full regulated member platform from scratch - one developer, one quarter, multiple external integrations - and shipped the email and fulfillment layer of others. The same gaps show up every time, not because developers are careless, but because Next.js's hybrid rendering model creates genuine ambiguity about where data lives and who can see it. This same care about data boundaries is what I document in the DTC Stack Audit for tracking and analytics work.

PHI REQUEST LIFECYCLE
Click the next node to advance: Auth Check
A PHI request moves through auth, field-level decryption, and an append-only audit log before a stripped response reaches the client. Toggle the block path to see what happens when auth fails.

The pattern I keep seeing across regulated builds

Most developers treat HIPAA compliance as a checklist item. You get an attorney to help with the BAA, you encrypt the database at rest, and you put HTTPS on everything. That covers maybe 40% of what the Security Rule actually requires, and none of the architectural risks specific to Next.js.

The gap is in the hybrid boundary. Next.js runs code on the server and in the browser, and it doesn't always make it obvious which is which. A component that looks server-rendered might be hydrating on the client. An API route that seems private might be exposing headers you didn't intend. PHI has a way of drifting toward the client bundle the moment you stop paying attention.

I've seen this across a regulated healthcare member platform, a transactional email and fulfillment pipeline that touched member data at every hop, and a deployment configuration that was leaking secrets into the client-side JavaScript. Three different projects, three different teams, same core failure mode: compliance was something they planned to add after the feature was working.

Instance 1: A regulated member platform in healthcare

The first time I encountered this at scale was building a full member engagement platform for a regulated healthcare client - a context that parallels the kind of cloud infrastructure work documented in the silent failure case study, where a single misconfiguration cascaded quietly across an integration layer for days. The platform handled sensitive personal health data, external sensor integrations, billing, and CRM - all running under HIPAA's Security Rule requirements. I was the only developer.

The biggest architectural decision, made on day one, was where PHI would live and how it would be encrypted. Column-level database encryption - the kind you get by turning on encryption at rest in Postgres or enabling a cloud provider's managed encryption - is not enough under the Security Rule. It protects you if someone physically steals a drive. It does not protect you if someone queries the database with a stolen credential, because the database handles the decryption transparently.

Field-level encryption is different. Each sensitive field is encrypted before it hits the database, with a key the application controls. The database stores ciphertext. Even with full read access to the database, the data is unreadable without the application's encryption key. This is the pattern that satisfies the Security Rule's requirement for access controls on ePHI.

The second piece was audit logging. Under the Security Rule, you need records of who accessed what, when, and from where - and those records need to be tamper-resistant. A standard application log file doesn't cut it; logs that can be edited or deleted are not compliant. I built the audit trail as append-only rows in a separate schema with no update or delete permissions granted to the application's database user. Every authenticated action that touched PHI wrote a row. The application could read audit rows but never modify them.

Neither of these is a library you install. Both required upfront decisions about schema design and key management. Trying to retrofit either one onto an existing codebase is significantly more expensive than building it in from the start.

Instance 2: Email and fulfillment when PHI crosses service boundaries

The second place this gets complicated is any time PHI moves between services - and in a production Next.js app, it almost always does.

I ran into a concrete version of this building a purchase fulfillment and delivery pipeline. The flow was straightforward: a user completes checkout via Stripe, a webhook fires, the system creates an account, generates a time-limited access token, and sends a fulfillment email through a transactional email service. At each step in that chain, data about the user is in transit.

Under HITECH, every service that receives, stores, transmits, or touches PHI needs to be covered by a BAA. Stripe offers one. Major transactional email providers offer them. Your hosting provider, if they can see your data at rest, needs one. This is not the kind of detail that surfaces naturally when you're wiring up Stripe webhooks - it's something you have to check before you start, not after.

The fulfillment token itself is worth thinking about carefully. A plaintext download link with the file URL in the query string is not access-controlled after it's generated - if that URL gets forwarded, cached in a proxy, or logged somewhere, the file is accessible. I replaced this with short-lived tokens stored in the database: the download endpoint validates the token, checks expiry and use-count limits, and redirects to a signed object storage URL that expires in seconds. The URL in the email never directly points at the file.

This is standard practice in e-commerce. In a healthcare context, it's a requirement. The same token-gating approach applies to any sensitive report or deliverable - it's the pattern behind the Operator's Stack delivery architecture.

Instance 3: How Next.js deployments leak secrets

The third pattern is more specific to Next.js and more common than it should be.

Any environment variable prefixed with NEXT_PUBLIC_ is bundled into the client-side JavaScript and shipped to the browser. This is documented, but it's easy to forget in the flow of development. If a developer adds NEXT_PUBLIC_DATABASE_URL to make debugging easier, or NEXT_PUBLIC_API_KEY to avoid a server-side route, those values are in every user's browser.

The fix is to enforce a strict boundary: nothing that can retrieve or decrypt PHI goes near the NEXT_PUBLIC_ prefix. Server-side API routes handle all PHI retrieval. Client components receive only the data they need to render, already stripped of sensitive fields. This requires discipline about where you put data fetching logic, which is harder in Next.js 13+ because the app router makes it tempting to fetch data close to the component that renders it.

Environment variable audits should run before every deployment. The client-side bundle is inspectable by anyone. Treat it accordingly.

What the pattern tells us

These three instances point at the same root cause: compliance is not a feature you add to a working application. The decisions that determine whether a Next.js app is HIPAA-compliant are made in the first week of development, in choices about schema design, key management, access controls, logging architecture, and service selection. By the time the app is in production, most of those choices are expensive to change.

The six places Next.js apps most commonly leak PHI:

  1. NEXT_PUBLIC_ environment variables that grant access to sensitive data
  2. Server component data fetching that passes PHI to client components unnecessarily
  3. API routes that log request bodies (which may contain PHI) to a service without a BAA
  4. Transactional email sent through a provider not covered by a BAA
  5. Object storage URLs embedded directly in emails or API responses (no expiry, no access control)
  6. Audit logging built on top of application logs that can be modified or deleted

None of these require specialized HIPAA expertise to fix. They require knowing to look for them.

How to spot it early in a new engagement

If I'm being brought into an existing codebase, I look at a few things before anything else.

First: which services touch user data, and which of those have BAAs in place. This is often not documented. The developer who wired up the email integration three months ago may not have known to ask. Pull the service list, check each one, and flag the gaps.

Second: the environment variable inventory. Run a build, inspect the client-side bundle, and check what's in it. This takes fifteen minutes. If anything sensitive is there, you know immediately.

Third: the database access pattern for sensitive fields. If the application user has SELECT on the PHI columns and there's no application-level encryption, you're relying entirely on the database's access controls. That's one compromised credential away from a breach.

Fourth: the audit log. Where does it write? What permissions does the writing user have on those records? Can an attacker or a rogue admin modify the log to cover their tracks?

If all four of those look clean, the remaining work is usually filling in gaps in access controls and making sure the deployment pipeline is consistent. If any of the four are broken, that's where to start. For teams that want a structured audit framework applied to their stack, the DTC Stack Audit product covers the analytics and tracking layer using the same methodology.

FAQ

Do I need a compliance officer to ship a HIPAA-compliant Next.js app?

Not necessarily, but you do need someone who has read the Security Rule and understands what it actually requires. The technical requirements are implementable by any experienced developer. The risk is not knowing which requirements apply. A brief legal consult at the start of a project - specifically around BAA requirements and the access control provisions of the Security Rule - is usually enough to get grounded.

Is Vercel HIPAA-compliant for healthcare apps?

Vercel offers BAAs under their Enterprise plan. Without a BAA in place, Vercel is not a covered business associate and you should not be storing PHI in a way that Vercel can access. This applies to environment variables, logs, and any data your application writes to Vercel's edge infrastructure. Check the current Vercel documentation for their specific offerings; this changes.

What's the minimum viable HIPAA compliance posture for a small Next.js project?

The minimum I'd be comfortable shipping: BAAs with every service that touches PHI, field-level encryption on sensitive database columns, append-only audit logging, short-lived token-gated access for any file or report delivery, and a strict NEXT_PUBLIC_ policy. Beyond those five, everything else is defense in depth.

Does using Supabase as the database change anything?

Supabase offers a BAA and can be used in HIPAA-regulated contexts. The database-level encryption Supabase provides by default is column-level encryption at rest. You still need field-level application encryption if the threat model includes a compromised database credential. Supabase's Row Level Security is useful for access control but does not replace application-level encryption for PHI.

How does compliance interact with the typical Next.js feature release cycle?

Every new feature that touches PHI needs the same review: which services does this data reach? Is there a BAA? Is the data encrypted at the field level before it's stored? Does the audit log capture the access? This is most naturally handled as part of a lightweight pre-merge checklist for any PR that touches data models or external service integrations. The overhead per PR is low once the patterns are established.

Is the Security Rule the only regulation I need to worry about?

HIPAA's Security Rule covers electronic PHI. The Privacy Rule covers how PHI is disclosed and used. The Breach Notification Rule covers what happens when something goes wrong. For a web application handling electronic records, the Security Rule is the most technically demanding. The Privacy Rule shapes your terms of service and consent flows. Depending on what the app does - billing, insurance, certain types of clinical data - there may also be state-level regulations that go further than the federal floor. A healthcare attorney familiar with digital health is the right person to map this for a specific product.

The decisions that determine whether a Next.js app is HIPAA-compliant are made in the first week of development.

Sources and specifics

  • Field-level encryption and column-level encryption are architecturally distinct; the HIPAA Security Rule's access control requirements (45 CFR 164.312) are the basis for the field-level approach described here.
  • Audit log immutability requirement is grounded in the Security Rule's audit control standard (45 CFR 164.312(b)).
  • Stripe, major transactional email providers, and Vercel (Enterprise) all offer HIPAA BAAs as of early 2026; verify current terms with each provider directly.
  • The NEXT_PUBLIC_ client bundle exposure pattern applies to any Next.js version using the standard environment variable convention.
  • All implementation patterns described here were developed and used in production for a regulated healthcare client operating under HIPAA.

// related

Let us talk

If something in here connected, feel free to reach out. No pitch deck, no intake form. Just a direct conversation.

>Get in touch