Personal Health Record (PHR) App Backend Template
User-owned medical documents, allergens tracking, and vaccination records
A production-ready Personal Health Record backend on Back4app with medical document storage, allergy and vaccination histories, medication and lab models, consent/sharing, audit logs, ER diagram, and an AI Agent prompt for rapid bootstrap.
Key Takeaways
This template gives you a user-centric PHR backend with document store, allergies, immunizations, medications, lab results, consent objects, and audit logs so you can deliver privacy-first health apps quickly.
- User-controlled health data — Keep patients first: records and consents are owned and controlled by the user's account, enabling selective sharing with providers.
- Structured clinical entities — Model allergies, immunizations, medications, and lab results with typed fields for accurate querying and UX display.
- Document upload and versioning — Store PDFs, images, and structured documents with metadata and upload history to support clinical workflows.
- Consent-driven sharing — Grant fine-grained provider access with Consent objects and time-bounded permissions.
- Cross-platform readiness — Serve mobile, web, and provider portals using unified REST and GraphQL APIs with Live Queries for real-time updates.
What Is the Personal Health Record (PHR) App Backend Template?
Back4app is a backend-as-a-service (BaaS) for rapid product delivery. The PHR App Backend Template is a pre-built schema for medical documents, allergies, immunizations, medications, lab results, providers, consents, and audit logs. Connect your frontend (React, Flutter, Next.js, and more) and accelerate delivery.
Best for:
Overview
A modern PHR product needs secure user-first storage for documents, accurate allergy and immunization records, medication history, and a consent model to share data with providers.
This template defines HealthDocument, Allergy, Immunization, Medication, LabResult, Provider, Consent, and AuditLog with ownership rules and extensible workflows so teams can implement PHR apps quickly and compliantly.
Core PHR Features
Every technology card in this hub uses the same PHR backend schema with HealthDocument, Allergy, Immunization, Medication, LabResult, Provider, Consent, and AuditLog.
Medical document vault
Upload and version PDFs, images, and structured records with metadata and owner pointers.
Allergy & reaction tracking
Record allergens, reactions, severity, and onset date tied to an owner.
Immunization and vaccination history
Capture vaccine name, administration date, lot, and provider reference.
Medication lists and schedules
Store active and historical medications with dose, frequency, and instructions.
Laboratory results
Store lab results with numeric values, units, reference ranges, and attachments.
Consent and sharing controls
Grant provider-specific access to records with expiry and scope.
Centralized audit logs
Record actor, action, target, and payload metadata for traceability.
Why Build Your PHR Backend with Back4app?
Back4app gives you core infrastructure for PHR apps so your team can focus on UX, consent experiences, and integrations instead of backend plumbing.
- •User-first data ownership: Implement ownership rules and consent objects so patients retain control of who can view or download their records.
- •Secure document and metadata storage: Upload clinical documents with metadata, versions, and pointers to structured data like labs and immunizations.
- •Auditability + API flexibility: Persist audit logs for share events and record changes while providing REST and GraphQL for web and mobile clients.
Ship a privacy-first PHR backend quickly with scalable storage, auth, and APIs across all platforms.
Core Benefits
A PHR backend that helps you deliver privacy-first health experiences while keeping data structured and auditable.
Speed to market
Start from a complete PHR schema instead of designing clinical entities and consent flows from scratch.
Patient-first access control
Enable patients to manage consents and selectively share records with providers and apps.
Interoperable data models
Use structured immunization, medication, and lab models for integrations and analytics.
Fine-grained permissions
Use ACL/CLP and Consent objects so access is explicit and auditable.
Reliable audit trail
Record access and sharing events for transparency and compliance.
AI-assisted bootstrap flow
Generate backend scaffolding and integration guidance quickly with a pre-built AI Agent prompt.
Ready to build a user-first Personal Health Record?
Let the Back4app AI Agent scaffold your PHR backend and generate documents, allergies, immunizations, consents, and audit logs from one prompt.
Free to start — 50 AI Agent prompts/month, no credit card required
Technical Stack
Everything included in this PHR backend template.
ER Diagram
Entity relationship model for the PHR backend schema.
Schema covering user-owned medical documents, allergies, immunizations, medications, lab results, consents, and audit logging.
View diagram source
erDiagram
Profile ||--o{ MedicalDocument : "owns"
Profile ||--o{ Allergy : "has"
Profile ||--o{ Vaccination : "has"
Profile ||--o{ SharedAccess : "grants"
Profile ||--o{ EmergencyContact : "links to"
MedicalDocument }o--|| Profile : "profile"
Vaccination }o--|| Profile : "profile"
Allergy }o--|| Profile : "profile"
SharedAccess }o--|| Profile : "profile"
SharedAccess }o--|| _User : "grantee"
Profile {
String objectId PK
Pointer user FK
String fullName
Date birthDate
String gender
String bloodType
String primaryCareProvider
String notes
Date createdAt
Date updatedAt
}
MedicalDocument {
String objectId PK
Pointer profile FK
File file
String documentType
String title
String description
Array<String> tags
Date uploadedAt
Boolean isShared
Date createdAt
Date updatedAt
}
Allergy {
String objectId PK
Pointer profile FK
String substance
String severity
String reaction
String notes
Date recordedAt
Boolean isActive
Date createdAt
Date updatedAt
}
Vaccination {
String objectId PK
Pointer profile FK
String vaccineName
Date dateAdministered
String dose
String lotNumber
String provider
Date nextDoseDate
Pointer proofDocument FK
Date createdAt
Date updatedAt
}
SharedAccess {
String objectId PK
Pointer profile FK
Pointer grantee FK
String accessLevel
Array<String> scope
Date expiresAt
Pointer createdBy FK
Date createdAt
Date updatedAt
}
EmergencyContact {
String objectId PK
Pointer profile FK
String name
String relationship
String phone
String notes
Date createdAt
Date updatedAt
}
AuditLog {
String objectId PK
Pointer actor FK
String entityType
String entityId
String action
String summary
Object metadata
Date createdAt
Date updatedAt
}
Integration Flow
Typical runtime flow for auth, record access, document upload, consent granting, and audit logging.
View diagram source
sequenceDiagram
participant User
participant App as Personal Health Record (PHR) App
participant Back4app as Back4app Cloud
User->>App: Login with email (patient) or OAuth (clinician)
App->>Back4app: POST /login
Back4app-->>App: Session token + user profile
User->>App: List my vaccinations and allergies
App->>Back4app: GET /classes/Vaccination?where={"profile":{"__type":"Pointer","className":"Profile","objectId":"profileId"}}
Back4app-->>App: Vaccination and Allergy records
User->>App: Upload lab result PDF
App->>Back4app: POST /files -> create MedicalDocument with file pointer
Back4app-->>App: File object + MedicalDocument.objectId
User->>App: Share record with Dr. Lee for 48h
App->>Back4app: POST /classes/SharedAccess with accessLevel and expiresAt
Back4app-->>App: SharedAccess.objectId + notification
Back4app-->>App: Live Query event: MedicalDocument updated by clinician
App-->>User: Notify patient in-app / refresh documents listData Dictionary
Full field-level reference for every class in the PHR schema.
| Field | Type | Description | Required |
|---|---|---|---|
| objectId | String | Auto-generated unique identifier | Auto |
| user | Pointer<_User> | Linked Back4app user account (patient or caregiver) | |
| fullName | String | Patient full name | |
| birthDate | Date | Date of birth | — |
| gender | String | Gender identity | — |
| bloodType | String | Blood type (e.g. A+, O-) | — |
| primaryCareProvider | String | Name or clinic of primary care provider | — |
| notes | String | Free-text health notes or summary | — |
| createdAt | Date | Auto-generated creation timestamp | Auto |
| updatedAt | Date | Auto-generated last-update timestamp | Auto |
10 fields in Profile
Security and Permissions
How ACL, CLP, consent objects, and Cloud Code secure personal health records and sharing.
Patient-owned records
Set ownership and ACL so HealthDocument, Allergy, Immunization, Medication, and LabResult entries are readable and writable only by the record owner and authorized providers.
Consent-driven sharing
Use Consent class to grant provider access with explicit scope and expiry; Cloud Code enforces consent checks on read/download endpoints.
Append-only audit logs
Keep AuditLog entries append-only for standard users; only trusted backend flows or admins may write or manage historical logs.
Schema (JSON)
Raw JSON schema definition ready to copy into Back4app or use as implementation reference.
{
"classes": [
{
"className": "Profile",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"user": {
"type": "Pointer",
"required": true,
"targetClass": "_User"
},
"fullName": {
"type": "String",
"required": true
},
"birthDate": {
"type": "Date",
"required": false
},
"gender": {
"type": "String",
"required": false
},
"bloodType": {
"type": "String",
"required": false
},
"primaryCareProvider": {
"type": "String",
"required": false
},
"notes": {
"type": "String",
"required": false
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "MedicalDocument",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"profile": {
"type": "Pointer",
"required": true,
"targetClass": "Profile"
},
"file": {
"type": "File",
"required": true
},
"documentType": {
"type": "String",
"required": true
},
"title": {
"type": "String",
"required": true
},
"description": {
"type": "String",
"required": false
},
"tags": {
"type": "Array",
"required": false
},
"uploadedAt": {
"type": "Date",
"required": true
},
"isShared": {
"type": "Boolean",
"required": true
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "Allergy",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"profile": {
"type": "Pointer",
"required": true,
"targetClass": "Profile"
},
"substance": {
"type": "String",
"required": true
},
"severity": {
"type": "String",
"required": true
},
"reaction": {
"type": "String",
"required": true
},
"notes": {
"type": "String",
"required": false
},
"recordedAt": {
"type": "Date",
"required": true
},
"isActive": {
"type": "Boolean",
"required": true
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "Vaccination",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"profile": {
"type": "Pointer",
"required": true,
"targetClass": "Profile"
},
"vaccineName": {
"type": "String",
"required": true
},
"dateAdministered": {
"type": "Date",
"required": true
},
"dose": {
"type": "String",
"required": false
},
"lotNumber": {
"type": "String",
"required": false
},
"provider": {
"type": "String",
"required": false
},
"nextDoseDate": {
"type": "Date",
"required": false
},
"proofDocument": {
"type": "Pointer",
"required": false,
"targetClass": "MedicalDocument"
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "SharedAccess",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"profile": {
"type": "Pointer",
"required": true,
"targetClass": "Profile"
},
"grantee": {
"type": "Pointer",
"required": true,
"targetClass": "_User"
},
"accessLevel": {
"type": "String",
"required": true
},
"scope": {
"type": "Array",
"required": false
},
"expiresAt": {
"type": "Date",
"required": false
},
"createdBy": {
"type": "Pointer",
"required": true,
"targetClass": "_User"
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "EmergencyContact",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"profile": {
"type": "Pointer",
"required": true,
"targetClass": "Profile"
},
"name": {
"type": "String",
"required": true
},
"relationship": {
"type": "String",
"required": true
},
"phone": {
"type": "String",
"required": true
},
"notes": {
"type": "String",
"required": false
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
},
{
"className": "AuditLog",
"fields": {
"objectId": {
"type": "String",
"required": false
},
"actor": {
"type": "Pointer",
"required": true,
"targetClass": "_User"
},
"entityType": {
"type": "String",
"required": true
},
"entityId": {
"type": "String",
"required": true
},
"action": {
"type": "String",
"required": true
},
"summary": {
"type": "String",
"required": true
},
"metadata": {
"type": "Object",
"required": false
},
"createdAt": {
"type": "Date",
"required": false
},
"updatedAt": {
"type": "Date",
"required": false
}
}
}
]
}Build with AI Agent
Use the Back4app AI Agent to generate a real Personal Health Record app from this template, including frontend, backend, auth, and consent workflows.
Create a Personal Health Record (PHR) backend on Back4app with this exact schema and behavior. Schema: 1. HealthDocument: owner (Pointer to User, required), title (String, required), file (File, required), tags (Array, optional), version (Number, default 1), createdAt, updatedAt (system). 2. Allergy: owner (Pointer to User, required), substance (String, required), reaction (String, optional), severity (String: mild, moderate, severe, required), onsetDate (Date, optional). 3. Immunization: owner (Pointer to User, required), vaccineName (String, required), administeredAt (Date, required), lotNumber (String, optional), provider (Pointer to Provider, optional). 4. Medication: owner (Pointer to User, required), name (String, required), dose (String, optional), frequency (String, optional), instructions (String, optional), active (Boolean, default true). 5. LabResult: owner (Pointer to User, required), testName (String, required), value (Number or String), units (String, optional), referenceRange (String, optional), date (Date, required), attachment (Pointer to HealthDocument, optional). 6. Provider: name (String, required), systemId (String, optional), contact (Object, optional). 7. Consent: owner (Pointer to User, required), provider (Pointer to Provider, required), scope (Array of Strings: [documents, allergies, immunizations, medications, labs]), expiresAt (Date, optional), grantedBy (Pointer to User or system). 8. AuditLog: actor (Pointer to User, required), action (String, required), entityType (String, required), entityId (String, required), payload (Object, optional); createdAt, updatedAt (system). Security: - Use ACL/CLP so only owners and consented providers access records. Cloud Code validates Consent before allowing provider read/download. AuditLog entries are append-only for standard users. Auth: - Sign-up, login, logout for user accounts. Support provider accounts with limited privileges. Behavior: - Authenticate, list user records, upload HealthDocument, create structured Allergy/Immunization/Medication/LabResult entries, create Consent to share selected records with a Provider, and write AuditLog entries for critical events. Deliver: - Back4app app with schema, ACLs, CLPs; frontend for secure document vault, allergy and immunization timelines, medication lists, lab result views, provider consent flows, and audit history.
Press the button below to open the Agent with this template prompt pre-filled.
This is the base prompt without a technology suffix. You can adapt the generated frontend stack afterward.
API Playground
Try REST and GraphQL endpoints against the PHR schema. Responses use mock data and do not require a Back4app account.
Uses the same schema as this template.
Choose Your Technology
Expand each card for integration steps, state patterns, data model examples, and offline notes.
Flutter PHR Backend
React PHR Backend
React Native PHR Backend
Next.js PHR Backend
JavaScript PHR Backend
Android PHR Backend
iOS PHR Backend
Vue PHR Backend
Angular PHR Backend
GraphQL PHR Backend
REST API PHR Backend
PHP PHR Backend
.NET PHR Backend
What You Get with Every Technology
Every stack uses the same PHR backend schema and API contracts.
Unified personal health record data structure
A pre-built schema for medical documents and records.
Secure sharing for personal health record
Easily share health information with providers while ensuring privacy.
Comprehensive audit logs for personal health record
Track all access and changes to sensitive health data.
REST/GraphQL APIs for personal health record
Flexible API access to integrate with various frontends seamlessly.
Real-time updates for personal health record
Instant notifications on changes to health records and status.
Extensibility for personal health record
Easily add custom features and modules to fit specific needs.
Personal Health Record Framework Comparison
Compare setup speed, SDK style, and AI support across all supported technologies.
| Framework | Setup Time | Personal Health Record Benefit | SDK Type | AI Support |
|---|---|---|---|---|
| Under 5 minutes | Single codebase for personal health record on mobile and web. | Typed SDK | Full | |
| ~3–7 min | Fast web dashboard for personal health record. | Typed SDK | Full | |
| Rapid (5 min) setup | Cross-platform mobile app for personal health record. | Typed SDK | Full | |
| ~5 min | Server-rendered web app for personal health record. | Typed SDK | Full | |
| ~3 min | Lightweight web integration for personal health record. | Typed SDK | Full | |
| Under 5 minutes | Native Android app for personal health record. | Typed SDK | Full | |
| ~3–7 min | Native iOS app for personal health record. | Typed SDK | Full | |
| Rapid (5 min) setup | Reactive web UI for personal health record. | Typed SDK | Full | |
| ~5 min | Enterprise web app for personal health record. | Typed SDK | Full | |
| Quick (2 min) setup | Flexible GraphQL API for personal health record. | GraphQL API | Full | |
| ~2 min | REST API integration for personal health record. | REST API | Full | |
| Under 5 min | Server-side PHP backend for personal health record. | REST API | Full | |
| Rapid (5 min) setup | .NET backend for personal health record. | Typed SDK | Full |
Setup time reflects expected duration from project bootstrap to first document upload and consent flow using this template schema.
Frequently Asked Questions
Common questions about building a Personal Health Record backend with this template.
Ready to Build Your Personal Health Record App?
Start your Personal Health Record project in minutes. No credit card required.