Solace is an AI patient intake and triage app for emergency departments. Here is the full stack and why each piece is where it is. The whole thing runs on AWS managed services with the human-facing apps on Vercel.
The request path
Patient phone / Clinician (Vercel SPA)
-> CloudFront + WAFv2
-> API Gateway (HTTP)
-> Lambda (FastAPI, arm64 container)
-> DynamoDB, S3, Bedrock, Transcribe, Polly
Cross-cutting: KMS CMK, Secrets Manager, CloudTrail, CloudWatch, EventBridge, SNS.
Why Vercel for the front door
A patient checks in by scanning a QR code in the waiting room, with no app and no account. The patient app and the clinician terminal are static, edge-cached shells on Vercel that load fast on a weak waiting-room connection, then call the AWS backend. Branch-based atomic deploys mean I can ship the marketing site, the patient app, and the clinician app independently.
Compute
One FastAPI service (via Mangum) packaged as an ARM64 container image on AWS Lambda, 2048 MB, 60s timeout, Python 3.12 on AL2023, behind an HTTP API Gateway. The trained ML artifacts are baked into the image so cold starts do not pay a model-download tax. The registry is ECR.
Data
Amazon DynamoDB is the primary datastore: about 30 tables, on demand, CMK-encrypted, with TTL on transient state (idempotency keys, session nonces, hot audit records). The live queue is a GSI on hospital_id + created_at. Media lives in S3 with presigned delivery and public access blocked.
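The idempotency keys with TTL mentioned above are the usual way to make a retried intake request safe. The following is an added example, not Solace's own code: it builds the low-level DynamoDB `put_item` call that claims a key exactly once, and exercises it against a constructed in-memory stand-in for the table. The table name `solace-idempotency` and the one-day window are assumptions. The condition deliberately treats an item whose `ttl` has already passed as absent, because DynamoDB deletes expired items asynchronously and a stale key can linger past its expiry.

```python
import time
from typing import Any, Dict, Optional

# Assumption: a one-day idempotency window; the post only says "TTL on transient state".
IDEMPOTENCY_TTL_SECONDS = 24 * 60 * 60


class ConditionalCheckFailed(Exception):
    """Stands in for botocore's ConditionalCheckFailedException."""


def build_idempotency_put(table: str, key: str, now: float) -> Dict[str, Any]:
    """Low-level DynamoDB put_item kwargs that claim an idempotency key once.

    The write succeeds only if no live record exists. A record whose ttl has
    passed counts as absent, since DynamoDB's TTL deletion is not immediate.
    """
    expires_at = int(now) + IDEMPOTENCY_TTL_SECONDS
    return {
        "TableName": table,
        "Item": {
            "pk": {"S": f"IDEMP#{key}"},
            "ttl": {"N": str(expires_at)},  # epoch seconds, as the TTL feature requires
        },
        "ConditionExpression": "attribute_not_exists(pk) OR #ttl < :now",
        "ExpressionAttributeNames": {"#ttl": "ttl"},  # TTL is a reserved word
        "ExpressionAttributeValues": {":now": {"N": str(int(now))}},
    }


class FakeDynamoTable:
    """Constructed in-memory stand-in for a DynamoDB table (not boto3).

    It evaluates exactly the condition built above so the claim logic runs
    offline; replace it with boto3.client("dynamodb") in real use.
    """

    def __init__(self) -> None:
        self._items: Dict[str, Dict[str, Any]] = {}

    def put_item(self, **kwargs: Any) -> None:
        item = kwargs["Item"]
        pk = item["pk"]["S"]
        now = int(kwargs["ExpressionAttributeValues"][":now"]["N"])
        existing = self._items.get(pk)
        # Live record (ttl not yet passed) -> the conditional write must fail.
        if existing is not None and int(existing["ttl"]["N"]) >= now:
            raise ConditionalCheckFailed(pk)
        self._items[pk] = item


def first_seen(table: Any, key: str, now: Optional[float] = None) -> bool:
    """True the first time `key` is claimed inside the TTL window, else False.

    Call this before any side effect (creating the intake record, starting a
    Transcribe job) so a retried request replays the stored result instead.
    """
    now = time.time() if now is None else now
    try:
        # Assumed table name; the post does not give the real one.
        table.put_item(**build_idempotency_put("solace-idempotency", key, now))
    except ConditionalCheckFailed:
        return False
    return True


if __name__ == "__main__":
    t = FakeDynamoTable()
    print(first_seen(t, "req-abc", now=1_700_000_000))  # True: first claim
    print(first_seen(t, "req-abc", now=1_700_000_010))  # False: duplicate in window
```

The `OR #ttl < :now` clause is the part most implementations forget: without it a key that expired but has not yet been swept would still block a legitimate new request for up to the TTL sweep delay.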
Security and compliance
Because it is healthcare:
- One CMK (alias/solace) encrypts every DynamoDB table, the media bucket, the CloudTrail bucket, and Secrets Manager.
- WAFv2 on CloudFront runs Amazon IP Reputation, Known Bad Inputs, the OWASP Common Rule Set, and a rate-based rule capped at 50,000 requests per 5 minutes per IP (tuned for hospital NAT). Shield Standard is on.
- Every AI call routes through AWS Bedrock, Transcribe, and Polly, all covered by the AWS Business Associate Agreement, so no patient data leaves the BAA boundary and there are no separate vendor BAAs to chase.
- Clinicians authenticate by SMART-on-FHIR (OAuth + PKCE) or a PIN. IAM is least-privilege with an MFA permission boundary.
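The SMART-on-FHIR login above is a standard OAuth authorization-code flow with PKCE (RFC 7636). As an added illustration, not code from Solace, here are the three PKCE pieces in Python: generating the verifier, deriving the S256 challenge the authorize request carries, and the constant-time check a token endpoint performs. The endpoint, client id, redirect URI and FHIR base URL in the usage are placeholders; SMART additionally requires the FHIR server URL as the `aud` parameter, which the URL builder includes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters,
    96 bytes to the 128-character maximum."""
    if not 32 <= nbytes <= 96:
        raise ValueError("verifier must be 43..128 chars (32..96 random bytes)")
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """challenge = BASE64URL(SHA256(ASCII(verifier))) per RFC 7636 4.2."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Token-endpoint side: recompute and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        fhir_base: str, scope: str, state: str, challenge: str) -> str:
    """Authorize request for a SMART-on-FHIR public client using PKCE."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,           # CSRF binding, checked on the redirect back
        "aud": fhir_base,         # SMART requires the FHIR server URL here
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    # Placeholder endpoints; the post does not name the EHR or its URLs.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorize_url(
        "https://ehr.example.invalid/oauth2/authorize",
        "solace-clinician-app",
        "https://clinician.example.invalid/callback",
        "https://ehr.example.invalid/fhir",
        "launch/patient patient/*.read openid fhirUser",
        secrets.token_urlsafe(16),
        challenge,
    )
    print(url)
    print(verify_pkce(verifier, challenge))  # True
```

The verifier stays in the SPA's memory only; the server sees just the challenge until the code exchange, which is what lets a public client with no secret prove it started the flow.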
The point of the architecture is that a managed-service stack lets a small team ship something HIPAA-grade that still scales, rather than choosing between fast and real.
I created this content for the purposes of entering the H0: Hack the Zero Stack hackathon. #H0Hackathon