Node.js & Elysia for Healthcare
Healthcare data demands strict validation and access control at every layer. Elysia enforces both without sacrificing developer velocity.
Variant Systems builds industry-specific software with the tools that fit the problem.
Why this combination
- TypeBox validation enforces FHIR-compatible resource schemas on clinical data payloads, catching structural errors before they reach your data store
- Bun runtime reduces latency on patient record lookups and appointment scheduling APIs that clinicians rely on throughout the day
- Eden Treaty generates typed clients for patient portals and clinician dashboards, preventing mismatched health data fields
- Plugin architecture isolates PHI access controls, audit logging, and consent management into independently testable modules
Strict Validation for Clinical Data Integrity
Healthcare data is unforgiving. A lab result with a missing unit, a medication dosage with an ambiguous decimal, or a patient identifier that doesn’t match the expected format can have clinical consequences. Elysia’s TypeBox validation schemas enforce strict structure on every clinical data payload entering your system. You define FHIR-aligned resource schemas once, and every API request is validated against them before your handler logic executes.
This compile-time and runtime safety extends to your frontend applications through Eden Treaty. Your patient portal and clinician dashboard consume typed API clients that autocomplete patient record fields correctly. When your team adds a new lab result type to the API, TypeScript flags every frontend component that needs to render it. Clinical data never arrives in an unexpected shape.
Access Control as a First-Class Concern
HIPAA demands that every access to protected health information is authorized and logged. Elysia’s plugin architecture makes this enforceable, not aspirational. An access control plugin evaluates the requesting user’s role, relationship to the patient, and the specific data fields being requested before the endpoint handler sees any PHI. This isn’t a middleware afterthought. It’s a typed plugin with explicit inputs and outputs that your compliance team can review and audit.
The audit logging plugin captures every PHI access event with structured metadata: who accessed the data, which patient’s records, what fields were returned, and when. This log feeds directly into your HIPAA compliance evidence. Bun’s efficient I/O ensures that logging doesn’t add noticeable latency to the clinical workflow. Clinicians get fast record lookups, and your compliance team gets complete audit trails.
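The decision and audit record described in the two paragraphs above can be sketched in plain TypeScript. This is an added example, not Variant Systems' or Elysia's code: it deliberately uses no Elysia API so it runs stand-alone, and every name in it (`authorizePhiAccess`, `projectRecord`, `ROLE_FIELDS`, the roles and fields) is hypothetical, with a constructed policy table.

```typescript
// Added example: framework-agnostic sketch; all names and the policy are hypothetical.
type Role = "physician" | "nurse" | "billing";
type Field = "demographics" | "medications" | "labResults" | "insurance";

interface Requester { userId: string; role: Role; assignedPatientIds: string[]; }
interface AuditEvent {
  at: string; userId: string; patientId: string;
  requested: Field[]; returned: Field[];
  outcome: "allow" | "partial" | "deny"; reason: string;
}

// Constructed policy: which fields each role may read.
const ROLE_FIELDS: Record<Role, Field[]> = {
  physician: ["demographics", "medications", "labResults"],
  nurse: ["demographics", "medications"],
  billing: ["demographics", "insurance"],
};

const auditLog: AuditEvent[] = []; // stand-in for an append-only audit sink

function authorizePhiAccess(
  user: Requester, patientId: string, requested: Field[], now: Date = new Date(),
): { allowed: Field[]; event: AuditEvent } {
  // Relationship check first: no assignment to this patient means no fields at all.
  const related = user.assignedPatientIds.includes(patientId);
  const permitted: Field[] = related ? ROLE_FIELDS[user.role] : [];
  // Field-level filter: only the intersection of requested and permitted survives.
  const allowed = requested.filter((f) => permitted.includes(f));
  const outcome: AuditEvent["outcome"] = allowed.length === 0 ? "deny"
    : allowed.length < requested.length ? "partial" : "allow";
  const reason = !related ? "no-care-relationship"
    : outcome === "allow" ? "role-permits" : "field-not-permitted-for-role";
  const event: AuditEvent = {
    at: now.toISOString(), userId: user.userId, patientId,
    requested: [...requested], returned: allowed, outcome, reason,
  };
  auditLog.push(event); // denials are recorded too, not only successful reads
  return { allowed, event };
}

// The handler receives only this projection, never the full record.
function projectRecord(
  record: Record<Field, unknown>, allowed: Field[],
): Partial<Record<Field, unknown>> {
  const out: Partial<Record<Field, unknown>> = {};
  for (const f of allowed) out[f] = record[f];
  return out;
}
```

Logging the requested fields alongside the returned ones lets a reviewer see over-broad requests that were trimmed or denied, not just the reads that succeeded.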
Patient Portal APIs That Clinicians Trust
Clinicians adopt tools that are fast and reliable. A slow patient lookup during a consultation wastes clinical time. An appointment scheduler that returns stale availability creates double-bookings. Elysia on Bun serves these high-frequency clinical endpoints with consistently low latency. The compiled route resolution and Bun’s optimized runtime mean your patient search API responds quickly even under the load of a busy multi-practice deployment.
TypeBox schemas also protect the write path. Appointment creation requests must include valid provider IDs, time slots that fall within configured availability windows, and patient identifiers that resolve in your registry. Malformed requests return precise typed error responses that your frontend handles gracefully instead of generic 400 errors that leave users guessing.
Composable Health Services With Plugin Isolation
Healthcare platforms expand in regulated directions. You start with scheduling, then add lab results, then secure messaging, then billing integration. Elysia’s plugin architecture supports this growth pattern cleanly. Each clinical domain lives in its own plugin with typed interfaces and independent test suites.
The consent management plugin gates data sharing based on patient preferences. The messaging plugin handles encrypted communication between patients and care teams. The billing plugin coordinates with insurance verification services. Each plugin enforces its own HIPAA requirements without depending on a shared middleware stack. You deploy and update the lab results plugin without risking regressions in appointment scheduling.
Common patterns we build
- Patient record APIs with role-based access control and field-level visibility rules
- Appointment scheduling services with availability calculation and conflict detection
- Lab result delivery endpoints with structured reporting and abnormal value flagging
- Secure messaging APIs between patients and care teams with read receipts and attachment handling