Medplum Explained: How It Works and When to Use It

Integration headaches. Outdated infrastructure. Weeks lost just getting a basic system off the ground. From our 10+ years of experience building custom healthcare software, we know this pain all too well. Especially in healthtech, where even a simple feature must meet strict security, compliance, and interoperability standards.

That’s why we want to tell you about Medplum. This platform can do more than just cover the technical side of things – it can offer the flexibility and simplicity that many startups lack at the beginning of their journey. Medplum simplifies the process of launching and scaling health-focused apps.

Well, healthcare software development isn’t just difficult, it can often be expensive and time-consuming.

According to a 2023 Deloitte report, over 75% of digital health startups cite integration challenges with EHRs and data standards as a major barrier to scale. Meanwhile, compliance with healthcare regulations like HIPAA can increase development costs by 25-40%.

Medplum presents a different approach. As an open-source, FHIR-native end-to-end platform built specifically for healthcare, Medplum offers a blend of structure and flexibility that makes it easier for engineering teams to stay compliant while accelerating development. It won’t solve every problem automatically – but for the right project, it can eliminate months of upfront technical overhead.

In this article, we’ll:

• Pull back the curtain on Medplum, what it is and when it is needed
• Share our experience on what it’s like to actually build with it
• Discuss the benefits and challenges Medplum brings
• Help you decide if it could be a fit for your healthcare project

Let’s start with a quick overview!

What Is Medplum: Brief Overview

Medplum is an open-source end-to-end platform designed from the ground up for healthcare applications. Simply put, it provides a fully managed HL7 FHIR-compliant backend – but it actually allows for much more than that.

Here’s what Medplum offers:

• A FHIR-compliant backend with RESTful APIs and secure data storage
• Built-in user authentication and access control
• Comprehensive audit logging and activity tracking for compliance
• GraphQL support alongside REST for more flexible data queries
• Multi-tenant support with project and user management features
• Resource-level customization with extensions to tailor the data model to specific workflows

One of Medplum’s biggest advantages is its open-source nature. This means full transparency and control over the codebase – a huge win for teams that want to host their backend in a secure cloud like AWS or Azure, or that plan to scale and customize over time. You can self-host it or use the managed cloud offering, depending on your team’s DevOps maturity or needs.

In comparison to general-purpose platforms, Medplum is custom-built for healthtech. It speaks the language of FHIR natively and makes it easier to build interoperable systems and integrate with other health data sources. Medplum is HIPAA-conscious from the start, which helps teams avoid reinventing the wheel when it comes to compliance and security infrastructure.

It’s important to note that Medplum isn’t just an open-source project – it also offers a fully managed cloud solution. The hosted version at app.medplum.com mirrors the open-source core but includes additional integrations, configurations, and services managed by the Medplum team.

What's more, this hybrid model gives teams flexibility: you can connect a fully custom frontend to their backend (even when hosted in their cloud) and still benefit from the same FHIR-first architecture and backend capabilities found in the open-source version. This makes Medplum a unique option for teams that want control and extensibility, without the overhead of managing everything in-house.

From our experience, Medplum is not a plug-and-play platform in the same way low-code tools are. It’s developer-first. You get a strong foundation with clear FHIR-based patterns and example implementations. However, success depends on having the right technical team – one that understands healthcare workflows and can build on top of what Medplum offers.

Advantages of Medplum: Our Honest Opinion and Experience

When we began building a FHIR-based oncology platform with patient and practitioner portals, we needed a backend that could check off a demanding list of requirements: FHIR-native architecture, seamless compliance support, front-end flexibility, and the freedom to host and scale on our terms.

Medplum stood out early – not because it was the easiest tool to use, but because it was the most adaptable and transparent one. It gave our team the ability to move fast without compromising on compliance, customizability, or performance. Here’s what made the biggest difference for us:

Built-in FHIR compliance without the overhead

Achieving HL7 FHIR compliance is one of the most significant hurdles for early-stage healthtech startups. It requires not only a deep understanding of FHIR resource models but also specific attention to validation, structure definitions, and data access protocols.

Medplum abstracts much of this complexity out of the box. It provides:

• A fully compliant FHIR data model with built-in support for key resource types
• Automatic validation and error checking to ensure conformance with FHIR standards
• Built-in activity tracking and audit logging to support HIPAA/GDPR compliance

For our oncology platform, this meant we could build and deploy core patient and practitioner flows, including medical records, appointments, and care team coordination. All these without manually handling every FHIR implementation detail. This gave us more time to focus on designing useful features instead of architecting compliance from scratch.

Customizability and flexibility that adapt to your needs

Medplum wins over other platforms for its impressive flexibility. And it’s not only due to how it structures data, but how you can shape every layer of your application architecture to match real-world clinical workflows.

At the data layer, Medplum allows for custom FHIR resource extensions, which means you can tailor the data model to reflect your specific domain – whether it's oncology, mental health, diagnostics, or any other vertical. Need to track something that isn’t part of the base FHIR spec? Just define a custom structure and map it directly into your application logic.

Beyond resource modeling, Medplum also supports:

• Custom system URLs and service definitions for integrating internal or third-party services
• Role-based access controls that can be adapted to fit your care team hierarchy and patient privacy rules
• Flexible frontend architecture, which means you’re not locked into any proprietary interface or design system. With full control over the UI (we used React and Next.js), you can build an experience that feels native to your product while staying FHIR-compliant under the hood

You can even integrate external identity providers or patient data APIs (like HealthGorilla or Redox) without altering the core Medplum server – using clean interfaces and well-documented connection patterns.

What we found especially powerful was that this flexibility didn’t come at the cost of maintainability. As long as your development team works within the FHIR paradigm, Medplum remains stable and future-ready, even as you scale or introduce new modules.

This level of customization is hard to come by on other platforms. It’s a major reason why Medplum suits both early-stage experimentation and enterprise-grade production environments.

Developer-centric tools built around FHIR

In comparison to many similar platforms that try to generalize everything, Medplum is unapologetically designed around FHIR. And that’s a good thing – because when you work in healthtech, shortcuts almost always lead to roadblocks.

From a developer’s perspective, here’s what we appreciated:

• Clear patterns for extending resources, adding new endpoints, and customizing the logic
• TypeScript support to validate FHIR schemas and catch errors early
• An intuitive query system that matches the FHIR search API standard

Medplum also includes a customizable UI component library with common building blocks for healthcare apps – registration, authentication, patient charts, and more. While basic out of the box, it’s a strong foundation for building production-ready interfaces that align with FHIR workflows. We used it as a launchpad for our own oncology-specific components and tailored them to fit the required needs of patients and specialists.

It’s worth noting: Medplum is not for teams looking for low-code shortcuts. It’s best suited for engineering teams that are comfortable working directly with FHIR concepts. But for us, that was exactly what we needed.

Transparent and extensible open-source architecture

Medplum’s open-source approach is more than a licensing model – it’s an engineering philosophy. The full backend is available to inspect, fork, and improve. Infrastructure is written using AWS CDK, and CI/CD processes are streamlined with pre-defined GitHub Actions. You can deploy and iterate without vendor lock-in.

This level of transparency was critical for our team. If we encountered a bug or undocumented behavior (which happens with any fast-moving platform), we weren’t stuck waiting on vendor support – we could read the source, debug it ourselves, and even contribute fixes.

Just as importantly, the extensibility model is clean. You don’t need to hack the server. Instead, you can use established ways to extend FHIR resources or link to external services like HealthGorilla or custom auth providers. That kept our codebase clean and our architecture scalable.

Deployment freedom: managed or self-hosted

Medplum lets you choose how to deploy: use their managed service or run it yourself on AWS or Azure. This flexibility was a great benefit for us.

We opted for a self-hosted deployment on AWS due to the sensitivity of patient oncology data and our client’s preference for full infrastructure ownership. The deployment process was relatively smooth – thanks to the pre-written CDK infrastructure code – and allowed us to manage compliance, scaling, and monitoring on our terms.

This is a major differentiator compared to other healthtech platforms like Otter, which often require you to stay within a proprietary cloud setup. Medplum lets you build healthcare software your way.

Built-in interoperability for external services

Because Medplum is structured entirely around FHIR, integrating with external healthcare systems is far simpler than it would be with a generic backend.

Every core interaction – from querying a patient’s medical history to pushing data to another provider – happens through standardized FHIR queries. This gave us a reliable way to integrate custom AI modules, external EHR systems, and even third-party data sources, all while maintaining data integrity and traceability.

For example, in our platform, when a patient selects a doctor, the system automatically handles secure FHIR-based data routing to the appropriate practitioner, preserving a full audit trail along the way.

Scalable by design, not just for MVPs

No-code and low-code tools can get you to an MVP, but they often don’t grow with you. Once you need fine-grained control over workflows, data logic, or performance tuning, you’re forced to migrate – a costly and time-consuming process.

Medplum takes the opposite approach. It’s designed from day one with scalable, container-based architecture and a robust Postgres backend. For our project, we built custom workflows for oncology care, handled large volumes of structured patient data, and processed event-based triggers for things like appointment confirmations and data sharing. Everything scaled cleanly – no hacks, no roadblocks.

The platform’s containerized setup gave us full control over resource usage, autoscaling policies, and monitoring. From what we’ve seen, Medplum can easily support enterprise-grade systems with minimal architectural changes.

Rich example library and learning curve support

Even though it’s developer-first, Medplum doesn’t leave you in the dark. The GitHub repo offers well-documented examples covering:

• Form creation and customization
• Registration and authentication flows
• Role-based access patterns
• Custom FHIR resource definitions

These examples were incredibly helpful early in our development process. They gave us a clear mental model of how Medplum is structured and helped onboard new team members quickly. With FHIR being as complex as it is, having this kind of guide makes a big difference.

The Other Side: Challenges, Pitfalls and Considerations

Medplum is a powerful and flexible platform – but it’s not without its trade-offs. As with any developer-focused tool, teams considering Medplum should be aware of the potential technical and operational hurdles before diving in.

Below are the most important considerations to help you determine whether this platform fits your product, team, and growth stage.

FHIR isn’t easy – and Medplum won’t shield you from that

Medplum is built entirely around HL7 FHIR, which is a huge advantage in terms of compliance and interoperability. However, it also means there’s no avoiding the complexity of the standard.

Understanding how resources relate to one another, how extensions work, and how to structure clinical data correctly requires a solid grasp of FHIR fundamentals.

Even basic tasks – like retrieving all related data for a patient – can involve complex query logic using FHIR conventions that may be unfamiliar to most startup dev teams.

Our advice: Invest early in FHIR education. Use modeling tools like Forge or Simplifier, and encourage your engineering team to get comfortable with the FHIR data model before development begins. This upfront effort will save time and prevent errors down the line.

Self-hosting requires DevOps maturity

One of Medplum’s biggest advantages is deployment flexibility. It means you can host it on your own infrastructure or use their managed service. However, teams that choose to self-host will need a mature DevOps process in place.

Responsibilities like setting up continuous deployment pipelines, managing backups, monitoring system health, and handling infrastructure security all fall on your team.

Our advice: Choose self-hosting only if your team has experience with containerized infrastructure and cloud DevOps practices. If not, consider starting with the managed option and switching later once your DevOps stack is mature.

Documentation is improving – but still requires digging

Medplum’s documentation covers the basics well, and its GitHub repo includes helpful examples. That said, more advanced use cases – like extending custom resources or configuring authentication flows – often require developers to explore code, closed issues, or community discussions to find answers.

Our advice: Use the official docs as a starting point, but lean heavily on the Medplum GitHub repository, sample projects, and the developer community for real-world answers. Encourage your developers to explore and experiment early in the prototyping stage.

Not a low-code or no-code platform

If you’re looking for a platform where non-technical team members can build workflows or customize forms, Medplum isn’t the right fit. It’s designed for developer teams who are comfortable writing TypeScript, working with FHIR queries, and building interfaces from scratch.

Our advice: Make sure your product and clinical teams understand that customization will require engineering input. If internal tooling for non-developers is a must, plan to build admin panels or interfaces tailored to your team’s needs.

Maintenance burden with platform updates

Medplum is an active open-source project that is great for innovation and transparency. However, it also means you're responsible for keeping up with updates. If you're self-hosting, this includes patching your infrastructure, adapting to new API changes, and testing for compatibility.

Our advice: Assign responsibility for update monitoring and integration to someone on your team. Set up alerts for GitHub releases, automate tests for your core workflows, and schedule periodic platform reviews to stay in sync with upstream changes.

Governance and compliance still need to be designed

While Medplum includes essential features like audit logging and access controls, it doesn't come with built-in workflows for things like patient consent management, clinical escalation, or role-based data visibility across care teams. These are essential in real-world clinical applications, especially for regulated environments like oncology or remote care.

Our advice: Before development starts, define your governance model clearly – including user roles, data access policies, and escalation paths. Build these rules into your product from day one to avoid retrofitting compliance into a live system.

Is Medplum Really Compliant: A Closer Look at Security and Standards

For any healthtech startup, regulatory compliance is vital. If you’re dealing with patient records, telehealth communications, or medical questionnaires, your platform must meet strict requirements for data privacy, access control, and auditability.

Medplum is designed with these needs in mind. As a FHIR-native platform, it doesn’t just support interoperability – it builds compliance principles into its architecture.

HIPAA-ready by design

Medplum includes a number of features that help product teams meet HIPAA requirements, such as:

• Audit logging. Every action on the platform is recorded and timestamped, which creates a full activity trail across users and system operations.
• Role-based access control (RBAC). Developers can enforce access policies that restrict data visibility and editing based on user roles and scopes.
• Authentication and session control. Medplum supports secure login flows with password hashing, token-based auth, and optional MFA integrations.
• Data encryption. All data in transit and at rest is encrypted using modern standards (TLS for transfer, AES-256 for storage).

Importantly, Medplum is also built to be HIPAA BAA-friendly, meaning organizations using the hosted version can request a Business Associate Agreement as part of the managed service.

Built on FHIR for interoperability and auditability

Because Medplum is entirely structured around the HL7 FHIR specification, it naturally supports many of the data integrity and traceability features required for clinical-grade applications.

FHIR itself promotes:

• Structured data schemas for healthcare records
• Strict versioning and update tracking
• Patient consent modeling and access attribution
• Interoperability with certified EHR systems and data exchanges

In this sense, Medplum isn’t just a compliant backend but a standards-first foundation that aligns with the future of digital health regulation.

Infrastructure security

Medplum uses a modern cloud-native architecture (containers + Postgres + Node.js), which makes it easier to implement secure DevOps workflows. Teams can choose to deploy it on HIPAA-compliant infrastructure such as AWS or Azure, using CDK-based templates and container orchestration to control environments, secrets, and scaling.

What you still need to do to ensure compliance

Medplum gives you a strong foundation, but compliance is never out-of-the-box. It’s your team’s responsibility to ensure that the full application stack, deployment, and user workflows meet legal and clinical standards.

Here’s what we recommend:

• Define your data governance policies early: Who can access what data, and under which roles? How are patient consents tracked?
• Secure your infrastructure. Whether hosted or self-managed, ensure your cloud provider meets HIPAA/HITRUST standards and configure network/firewall rules properly.
• Implement access audits and alerts. Build monitoring tools around Medplum logs to detect unusual behavior or permission misuse.
• Conduct regular security assessments. Perform vulnerability scans, penetration testing, and compliance audits across your app and infrastructure.
• Maintain documentation and training. Document your compliance workflows clearly and ensure your team – especially engineers and clinical users – understand how data should be handled.

The bottom line about compliance

Medplum is compliant by design. However, turning that into full HIPAA, GDPR, or HITRUST alignment requires thoughtful implementation on your part. With the right setup, it’s absolutely capable of powering secure, regulation-ready healthtech platforms.

Expertise Requirements Needed for Developing Project on Medplum

Successfully implementing Medplum requires a certain level of technical depth. It’s a tool built for developers – especially those familiar with TypeScript, cloud infrastructure, and the HL7 FHIR standard.

While Medplum handles much of the heavy lifting around compliance and data modeling, it does not abstract away the complexity of working in healthcare. Your engineering team should be comfortable with the following:

• Building custom workflows and components using React or similar frameworks
• Understanding FHIR resource relationships and query structures
• Managing infrastructure, especially if you opt for self-hosting
• Extending backend logic responsibly without compromising compliance

Medplum works best when paired with a development team that embraces a code-first mindset and is willing to learn (or already understands) how to design software around FHIR principles.

Our advice: If your team lacks in-house FHIR experience or backend/frontend healthcare expertise, consider working with a specialized partner or allocating time for training before diving into development.

Medplum vs. Custom Development

When Medplum wins: efficiency, cost, and focus

Building a healthcare backend from scratch – especially one that’s FHIR-compliant, secure, and scalable – is a massive effort. It requires months of planning, development, and compliance work before a product can go live.

Medplum offers a powerful alternative. It provides a developer-ready, open-source platform that handles much of the heavy lifting: FHIR modeling, audit trails, access control, and integrations. Choosing Medplum, you can:

• Accelerate your time to market
• Reduce initial build and compliance costs
• Focus engineering resources on product-specific workflows and UX

In our view, Medplum is a great fit for the vast majority of healthtech projects – especially startups that want to move fast, stay compliant, and scale over time.

When full custom development makes sense

That said, Medplum isn’t the only path forward. In some cases, full custom development may be the better choice – particularly when:

• Your product requires non-FHIR-based architecture or deeply unique data models
• You’re aiming to build something significantly simpler or more lightweight than what Medplum provides
• You need an unusual backend architecture (e.g., distributed microservices with custom orchestration)
• You're building for highly specialized clinical or enterprise use cases with niche workflow requirements
• You want tight alignment with an existing legacy stack that doesn't mesh well with FHIR

Custom development allows you to design exactly what you need from the ground up – no compromises. But it also comes with a higher upfront investment, a longer timeline, and a greater need for in-house domain expertise.

Why work with TechMagic

At TechMagic, we bring experience from both worlds. If you need to customize and scale a Medplum-based product or design a fully bespoke healthcare platform from scratch, our team can help you make the right architectural decisions. Be sure that, in any case, we deliver a secure, compliant solution tailored to your goals.

Final Thoughts

Medplum is not just another framework. It’s a focused, developer-first platform purpose-built for healthcare. With built-in FHIR compliance, open-source flexibility, and scalable architecture, it can help startups overcome the most common barriers in healthtech development: speed, cost, and regulatory complexity.

From what we’ve seen, Medplum is a strong fit for most healthtech products – especially when paired with a skilled development team that understands the nuances of FHIR and healthcare workflows.

That said, success with Medplum depends on making the right architectural choices early on. If you’re evaluating whether Medplum is the right foundation for your product – or need help implementing it securely and efficiently – our team at TechMagic is here to support you. We’ve worked with Medplum in real-world projects and know how to turn its strengths into working solutions.

Let’s build something great together – and get your healthcare product to market faster and smarter.

FAQs

1. What is Medplum and when is it needed?

   Medplum is an open-source end-to-end platform built for healthcare apps. It’s ideal when you need FHIR compliance, secure data handling, and fast development without starting from scratch – especially for startups building HIPAA-ready, interoperable solutions.

2. Do I still need to worry about HIPAA compliance if I use Medplum?

   Yes. While Medplum provides HIPAA-friendly features like audit logging, RBAC, and data encryption, full compliance depends on how you deploy, configure, and manage your app and infrastructure. You’ll still need to ensure your hosting environment, workflows, and internal policies meet HIPAA requirements.

3. Can non-technical team members use Medplum to configure workflows or forms?

   Not directly. Medplum is a developer-focused platform that requires engineering effort to customize and build features. Non-technical users can interact with the end product, but configuring logic, UI, or data models must be done through code – typically using React and TypeScript.