HIPAA-Compliant Developer (Next.js + Supabase)

Posted 2 weeks ago

Only freelancers located in the U.S. may apply.U.S. located freelancers only

Summary

We run a white-label health platform. The core app already exists and is in good shape — passwordless magic-link auth, row-level security / tenant isolation, PHI kept out of analytics and logs, server-side data handling, encryption in transit and at rest. This is not a greenfield build. We need a developer to close a specific, bounded set of HIPAA technical-safeguard gaps and security-test the result. Stack: TypeScript, Next.js (App Router, Server Actions), Supabase (Postgres + RLS), Vercel. What you'll build (quote EACH item separately, not a lump sum) 1. Audit logging (highest priority) Append-only, immutable audit_log table in Postgres (DB triggers/grants block UPDATE/DELETE; RLS insert + scoped select only) A single reusable helper called at every PHI touchpoint: record view, intake submit, checkout, auth issue/consume, admin reads, exports, deletions Acceptance: every PHI view/modify/export/delete + every auth event writes exactly one immutable row (who / what / when / where / success) 2. Rate limiting Applied to login, intake submit, and checkout endpoints. Per-IP and per-email. Postgres-backed (no new external service) Acceptance: over-limit requests return 429; login throttled per email + IP 3. Security headers HSTS (preload), CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy CSP must still allow our third-party payment and identity-verification embeds Acceptance: securityheaders.com grade ≥ A, and checkout + verification flows still work end-to-end 4. Idle-session timeout Auto sign-out after N minutes of inactivity on the patient portal; confirm token expiry/refresh config Acceptance: idle session is invalidated and redirected to login 5. Patient data export + secure deletion Admin-initiated export of a single patient's full record (JSON) and a deletion workflow consistent with retention policy. Admin-run is fine — no patient-facing UI needed for v1 Acceptance: given a patient ID, export returns the full record; delete removes it and writes an audit row 6. Monitoring hooks (code portion) Emit structured events for failed logins, rate-limit trips, and audit anomalies (we wire the alerting) Acceptance: events emitted in a consumable, structured shape 7. Admin MFA + RBAC — conditional Only if there is a surface that reads PHI across multiple tenants: TOTP MFA + role checks + separate admin accounts. If no such surface is in scope, mark N/A Out of scope (do not quote) Managed infrastructure (encryption, backups, point-in-time recovery, SSL enforcement, dashboard-level config) — handled on our side All vendor BAAs Risk assessment, incident-response plan, DR plan, policies, training — our paperwork, not engineering Rebuilding anything already in place (listed above) Security testing (part of the deliverable) Per-layer tests for each item An adversarial pass: attempt to bypass rate limits, mutate/forge audit rows, access another tenant's data, inject PHI into analytics or URLs A short written summary of what was tested and the results Deliverables All code as reviewable PRs with tests passing The audit-log SQL migration as a standalone file (we apply it to our live database) A short doc listing every PHI touchpoint instrumented and every security header set Security-test summary Requirements Strong TypeScript + Next.js App Router (Server Actions, middleware) Solid Supabase/Postgres: RLS, triggers, grants, migrations Practical HIPAA technical-safeguards experience (audit controls, access control, integrity, transmission security) CSP tuning with third-party iframes (payments / identity verification a plus) Clean, test-covered work How to apply Quote each of the 7 items separately (line-by-line estimate), not a lump sum. Tell us specifically how you'd guarantee the audit log is immutable, and share one example of prior HIPAA or healthcare-data work.

  • $650.00

    Fixed-price
  • Intermediate
    Experience Level
  • Remote Job
  • Ongoing project
    Project Type

Contract-to-hire opportunity

This lets talent know that this job could become full time.
Learn more
Skills and Expertise
Mandatory skills
Database Architecture
Activity on this job
  • Proposals:10 to 15
  • Last viewed by client:2 weeks ago
  • Interviewing:
    2
  • Invites sent:
    0
  • Unanswered invites:
    0
About the client
Member since Feb 1, 2022
  • United States
    New York3:34 PM
  • $7.4K total spent
    3 hires, 1 active

Explore similar jobs on Upwork

Application InstallationFixed-price‐ Posted 3 weeks ago
Android
Smartphone
Tablet
iPhone
Solidity
Ethereum
Smart Contract
Blockchain
Cryptocurrency
Blockchain Architecture
ERC-20

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo