HIPAA-Compliant Developer (Next.js + Supabase)
Only freelancers located in the U.S. may apply.U.S. located freelancers only
We run a white-label health platform. The core app already exists and is in good shape — passwordless magic-link auth, row-level security / tenant isolation, PHI kept out of analytics and logs, server-side data handling, encryption in transit and at rest. This is not a greenfield build. We need a developer to close a specific, bounded set of HIPAA technical-safeguard gaps and security-test the result. Stack: TypeScript, Next.js (App Router, Server Actions), Supabase (Postgres + RLS), Vercel. What you'll build (quote EACH item separately, not a lump sum) 1. Audit logging (highest priority) Append-only, immutable audit_log table in Postgres (DB triggers/grants block UPDATE/DELETE; RLS insert + scoped select only) A single reusable helper called at every PHI touchpoint: record view, intake submit, checkout, auth issue/consume, admin reads, exports, deletions Acceptance: every PHI view/modify/export/delete + every auth event writes exactly one immutable row (who / what / when / where / success) 2. Rate limiting Applied to login, intake submit, and checkout endpoints. Per-IP and per-email. Postgres-backed (no new external service) Acceptance: over-limit requests return 429; login throttled per email + IP 3. Security headers HSTS (preload), CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy CSP must still allow our third-party payment and identity-verification embeds Acceptance: securityheaders.com grade ≥ A, and checkout + verification flows still work end-to-end 4. Idle-session timeout Auto sign-out after N minutes of inactivity on the patient portal; confirm token expiry/refresh config Acceptance: idle session is invalidated and redirected to login 5. Patient data export + secure deletion Admin-initiated export of a single patient's full record (JSON) and a deletion workflow consistent with retention policy. Admin-run is fine — no patient-facing UI needed for v1 Acceptance: given a patient ID, export returns the full record; delete removes it and writes an audit row 6. Monitoring hooks (code portion) Emit structured events for failed logins, rate-limit trips, and audit anomalies (we wire the alerting) Acceptance: events emitted in a consumable, structured shape 7. Admin MFA + RBAC — conditional Only if there is a surface that reads PHI across multiple tenants: TOTP MFA + role checks + separate admin accounts. If no such surface is in scope, mark N/A Out of scope (do not quote) Managed infrastructure (encryption, backups, point-in-time recovery, SSL enforcement, dashboard-level config) — handled on our side All vendor BAAs Risk assessment, incident-response plan, DR plan, policies, training — our paperwork, not engineering Rebuilding anything already in place (listed above) Security testing (part of the deliverable) Per-layer tests for each item An adversarial pass: attempt to bypass rate limits, mutate/forge audit rows, access another tenant's data, inject PHI into analytics or URLs A short written summary of what was tested and the results Deliverables All code as reviewable PRs with tests passing The audit-log SQL migration as a standalone file (we apply it to our live database) A short doc listing every PHI touchpoint instrumented and every security header set Security-test summary Requirements Strong TypeScript + Next.js App Router (Server Actions, middleware) Solid Supabase/Postgres: RLS, triggers, grants, migrations Practical HIPAA technical-safeguards experience (audit controls, access control, integrity, transmission security) CSP tuning with third-party iframes (payments / identity verification a plus) Clean, test-covered work How to apply Quote each of the 7 items separately (line-by-line estimate), not a lump sum. Tell us specifically how you'd guarantee the audit log is immutable, and share one example of prior HIPAA or healthcare-data work.
$650.00
Fixed-price- IntermediateExperience Level
- Remote Job
- Ongoing projectProject Type
Skills and Expertise
Activity on this job
- Proposals:10 to 15
- Last viewed by client:2 weeks ago
- Interviewing:2
- Invites sent:0
- Unanswered invites:0
About the client
- United StatesNew York3:34 PM
- $7.4K total spent3 hires, 1 active
Explore similar jobs on Upwork
How it works
Create your free profileHighlight your skills and experience, show your portfolio, and set your ideal pay rate.
Work the way you wantApply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
Get paid securelyFrom contract to payment, we help you work safely and get paid securely.
About Upwork
- 4.9/5(Average rating of clients by professionals)
- G2 2021#1 freelance platform
- 49,000+Signed contract every week
- $2.3BFreelancers earned on Upwork in 2020
Find the best freelance jobs
Growing your career is as easy as creating a free profile and finding work like this that fits your skills.
Trusted by