divyamanohar-tpp/healthcare-sample-app

CareConnect — Healthcare platform

Full-stack reference application for patient care, scheduling, secure messaging, documents, telehealth (demo), analytics, and compliance-oriented patterns (audit logging, field-level encryption, JWT + RBAC).

Folder structure

healthcare/
├── README.md                 # This file
├── docker-compose.yml        # PostgreSQL 16 for local development
├── server/                   # Node.js API (Express + TypeScript + Prisma)
│   ├── prisma/
│   │   ├── schema.prisma     # Relational model (PostgreSQL)
│   │   └── seed.ts           # Sample users, doctors, appointments
│   ├── src/
│   │   ├── index.ts          # HTTP + Socket.IO bootstrap
│   │   ├── lib/              # Prisma client, crypto, notifications
│   │   ├── middleware/       # JWT auth, audit helpers
│   │   └── routes/           # REST modules by domain
│   ├── uploads/              # Local file storage (created at runtime)
│   └── .env.example
└── client/                   # React + Vite + Tailwind + i18next
    ├── src/
    │   ├── api.ts            # Fetch helper + token
    │   ├── auth.tsx          # Auth context
    │   ├── i18n.ts           # English / Spanish
    │   ├── components/
    │   └── pages/
    └── .env.example

Prerequisites

  • Node.js 20+
  • npm 10+
  • Docker (optional, for PostgreSQL) or any managed PostgreSQL instance

Quick start

1. Database

cd healthcare
docker compose up -d

Default connection (see docker-compose.yml):

postgresql://healthcare:healthcare_dev@localhost:5432/healthcare

2. API

cd server
cp .env.example .env
# Edit .env: set JWT_SECRET and ENCRYPTION_KEY (32+ chars each)

npm install
export DATABASE_URL="postgresql://healthcare:healthcare_dev@localhost:5432/healthcare"
npx prisma db push
npm run db:seed
npm run dev

API listens on http://localhost:4000. Health check: GET /api/health.

3. Web app

cd client
cp .env.example .env   # optional; defaults assume API on :4000
npm install
npm run dev

Open http://localhost:5173.

Sample accounts (after seed)

Role     Email                    Password
Patient  patient@demo.health      DemoPass12345
Doctor   dr.smith@demo.health     DemoPass12345
Doctor   dr.patel@demo.health     DemoPass12345
Admin    admin@healthcare.local   DemoPass12345

Features implemented

Patients

  • Register / login (JWT), health profile (PII + encrypted address/notes where applicable)
  • Medical history, allergies, medications with optional reminders
  • Doctor search (specialty, location, fee, availability day)
  • Book / reschedule / cancel appointments; upcoming vs past lists
  • Secure messaging (allowed after a shared appointment)
  • Medical document upload + authenticated download
  • Reminders API (upcoming visits + medications)
  • Symptom checker (rule-based triage with confidence — swap for validated models in production)
  • Wearable metric ingest + integration stub
  • Video visit entry point (Jitsi Meet iframe — demo only)

Doctors

  • Professional profile, fee, bio, location
  • Weekly availability (slots expressed as minute-of-day; validated in UTC in the MVP)
  • Dashboard (upcoming appointments)
  • Patient chart (after at least one visit)
  • Consultation notes, prescriptions, test recommendations (sensitive text encrypted at rest)
  • Analytics (30-day volume, status mix, distinct patients)

Platform / security

  • Roles: PATIENT, DOCTOR, ADMIN (admin accounts cannot be self-registered)
  • RESTful JSON API under /api/*
  • Socket.IO for real-time toast notifications (appointment + messages + Rx)
  • Audit log records for logins, PHI views, uploads, messaging, scheduling
  • AES-256-GCM field encryption for selected columns (messages, notes, etc.)
  • Rate limiting + Helmet security headers
  • Multilingual UI (EN/ES) with optional persisted locale on user
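As an added example (not code from the repository's server/src/lib), here is one way to implement the AES-256-GCM field encryption listed above in TypeScript with Node's crypto module; the scrypt key derivation from ENCRYPTION_KEY, the v1 token layout, and the AAD row binding are assumptions of this example, not the project's format.

```typescript
// Added example, not the CareConnect project's own lib/crypto: AES-256-GCM field
// encryption for selected columns, keyed from the ENCRYPTION_KEY env value.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";

const VERSION = "v1"; // assumption: a version prefix lets rows encrypted under an old key be migrated

// Derive a fixed 32-byte AES key from the 32+ character ENCRYPTION_KEY string.
// Assumption: scrypt with a static salt; in production a KMS-managed data key replaces this.
export function deriveKey(secret: string): Buffer {
  if (secret.length < 32) throw new Error("ENCRYPTION_KEY must be at least 32 characters");
  return scryptSync(secret, "careconnect-field-key", 32);
}

// Stored format: v1.<iv>.<authTag>.<ciphertext>, each part base64 (base64 never contains ".").
// `aad` binds the ciphertext to its row/column (e.g. "note:42") without being stored inside it.
export function encryptField(plaintext: string, key: Buffer, aad = ""): string {
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption; never reused with one key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte GCM tag covering AAD + ciphertext
  return [VERSION, iv.toString("base64"), tag.toString("base64"), ciphertext.toString("base64")].join(".");
}

// Throws on a tampered ciphertext, wrong key, wrong AAD, or malformed token.
export function decryptField(token: string, key: Buffer, aad = ""): string {
  const [version, ivB64, tagB64, ctB64] = token.split(".");
  if (version !== VERSION || !ivB64 || !tagB64 || ctB64 === undefined) throw new Error("malformed ciphertext");
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  const plain = Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]);
  return plain.toString("utf8"); // final() verified the tag before we get here
}

// True when the token is rejected: shows that bit flips, key and AAD mismatches are all caught.
export function isRejected(token: string, key: Buffer, aad = ""): boolean {
  try { decryptField(token, key, aad); return false; } catch { return true; }
}
```

Pass an AAD such as `note:<row id>` so a ciphertext copied into another row fails to decrypt; any tampering or wrong key surfaces as a thrown error from final(), never as silently wrong plaintext.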

HIPAA-oriented engineering notes

This codebase illustrates patterns common in regulated healthcare software; it is not certified or guaranteed compliant out of the box.

  • Use TLS everywhere, rotate secrets, and store keys in a KMS (not plain .env in production).
  • Sign a BAA with your hosting, database, file store, email, analytics, and video vendors. The bundled Jitsi public instance is not appropriate for PHI.
  • Enable encryption at rest on PostgreSQL and backups; restrict network access; enforce least-privilege DB users.
  • Extend audit logs with tamper-evident storage and SIEM export.
  • Apply the minimum-necessary standard to API responses and add explicit consent flows where required.
  • For AI symptom checking, use validated clinical decision support and human-in-the-loop workflows.

API overview (selected)

Method  Path                          Description
POST    /api/auth/register            Create patient or doctor
POST    /api/auth/login               JWT issuance
GET     /api/auth/me                  Current user + profiles
*       /api/patients/*               Patient profile & clinical self-data
GET     /api/doctors/search           Doctor discovery
*       /api/appointments/*           Scheduling
*       /api/doctor/*                 Doctor portal
*       /api/messages/*               Secure chat
*       /api/documents/*              Uploads
*       /api/notifications/*          In-app notifications
POST    /api/symptom-checker/analyze  Triage helper
*       /api/wearable/*               Device ingestion stub
GET     /api/admin/audit-logs         Admin audit viewer

Full details live in route modules under server/src/routes/.
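As an added example (not the project's own middleware under server/src/middleware), this TypeScript sketch shows the two authorization decisions the feature list and API overview imply: a role gate for routes such as /api/admin/audit-logs, and the "message only after a shared appointment" rule, with every decision, denied ones included, written to an audit sink. The appointment status values, the in-memory audit array, and the choice to keep admins out of clinical chat are assumptions of this example.

```typescript
// Added example, not the CareConnect project's own code: route role gate plus the
// shared-appointment messaging rule, each decision recorded for the audit log.
type Role = "PATIENT" | "DOCTOR" | "ADMIN";
export interface AuthUser { id: string; role: Role }
// Assumption: appointment statuses; the project's Prisma enum may differ.
export interface Appointment { patientId: string; doctorId: string; status: "BOOKED" | "COMPLETED" | "CANCELLED" }
export interface AuditEvent { actorId: string; action: string; target: string; allowed: boolean; at: string }

// Constructed in-memory audit sink; the project persists equivalent rows via Prisma.
export const auditLog: AuditEvent[] = [];
function record(actorId: string, action: string, target: string, allowed: boolean): void {
  auditLog.push({ actorId, action, target, allowed, at: new Date().toISOString() });
}

// Route gate: 401 without a verified JWT user, 403 when the role is outside the allow-list, 200 otherwise.
export function authorizeRoute(user: AuthUser | undefined, roles: Role[], path: string): 200 | 401 | 403 {
  if (!user) return 401;
  const ok = roles.includes(user.role);
  record(user.id, "ROUTE_ACCESS", path, ok); // denied attempts are logged too, for detection
  return ok ? 200 : 403;
}

// Express-shaped wrapper, typed with minimal shapes so this file runs without express installed.
export interface Req { user?: AuthUser; path: string }
export interface Res { status(code: number): Res; json(body: unknown): void }
export function requireRole(...roles: Role[]) {
  return (req: Req, res: Res, next: () => void): void => {
    const code = authorizeRoute(req.user, roles, req.path);
    if (code !== 200) { res.status(code).json({ error: code === 401 ? "unauthenticated" : "forbidden" }); return; }
    next();
  };
}

// Messaging rule: a patient and a doctor may chat only if a non-cancelled appointment links them.
// Assumption: admins get no access to clinical chat (minimum necessary); the project may decide otherwise.
export function canMessage(user: AuthUser, peerId: string, appts: Appointment[]): boolean {
  const linked = appts.some(a => a.status !== "CANCELLED" && (
    (user.role === "PATIENT" && a.patientId === user.id && a.doctorId === peerId) ||
    (user.role === "DOCTOR" && a.doctorId === user.id && a.patientId === peerId)));
  const allowed = user.role !== "ADMIN" && linked;
  record(user.id, "MESSAGE_SEND", peerId, allowed);
  return allowed;
}
```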

Production hardening checklist

  • Managed Postgres + automated backups
  • Object storage (S3/GCS) for documents with virus scanning
  • Separate encryption keys per tenant or environment
  • Refresh tokens, device binding, MFA for clinicians
  • Observability (structured logs, metrics, tracing)
  • E2E tests and load tests on hot paths (search, booking)

Scripts reference

Server

  • npm run dev — watch mode API
  • npm run build — compile TypeScript to dist/
  • npm run db:push — apply Prisma schema
  • npm run db:seed — load sample data

Client

  • npm run dev — Vite dev server (proxies /api to :4000)
  • npm run build — static production assets in dist/

Built as a modular monorepo so you can swap the UI, add GraphQL, or split services (notifications, scheduling, documents) behind queues without rewriting the core domain model.
