How Much Does It Cost to Build a Patient Portal in 2026?

Patient portals are no longer a nice-to-have. They are a federal requirement and a revenue driver. Here is what it actually costs to build one, from a basic MVP to a fully integrated platform.

Nate Laquis

Founder & CEO

Why Patient Portals Are Worth the Investment

The 21st Century Cures Act and ONC's information blocking rules made patient portals a regulatory requirement for any healthcare organization participating in Medicare or Medicaid. If your patients cannot access their health records electronically, you are out of compliance. But beyond the regulatory stick, there is a significant carrot: patient portals reduce call center volume by 20 to 40%, decrease no-show rates through automated reminders, and improve HEDIS quality scores that directly affect reimbursement.

Most EHR vendors ship a built-in portal. Epic's MyChart, Cerner's HealtheLife (now Oracle Health Portal), and Athenahealth's Patient Portal all exist. So why would anyone build a custom one? Because the out-of-the-box experience is terrible. Patients hate them. The UIs look like they were designed in 2009 (many were), navigation is confusing, mobile experiences are an afterthought, and customization is nearly impossible. Health systems with the budget to differentiate on patient experience are increasingly building custom portals that sit on top of their EHR's FHIR APIs.

The patient portal development cost ranges from $50,000 for a bare-bones MVP to over $500,000 for a fully integrated, multi-facility platform with telehealth, bill pay, and real-time EHR synchronization. Where you land on that spectrum depends on your feature scope, your EHR environment, your compliance posture, and whether you build in-house, hire an agency, or go offshore.

Feature Tiers and What Each One Costs

Patient portals come in three practical tiers. Each one builds on the last, and skipping tiers usually means rework later. Here is what to expect at each level.

Basic Portal MVP: $50K to $120K

  • Patient authentication: Secure login with email/password and MFA. Budget $5K to $10K using Auth0 or AWS Cognito with HIPAA-eligible configuration.
  • Appointment scheduling: View upcoming appointments, request new ones, receive confirmation and reminder notifications. Budget $10K to $20K.
  • Secure messaging: HIPAA-compliant messaging between patients and care teams. No SMS relay for PHI. Budget $8K to $15K.
  • Lab results viewing: Read-only access to lab results pulled from the EHR via FHIR R4 APIs. Budget $10K to $20K.
  • Profile management: Demographics, insurance info, pharmacy preferences. Budget $5K to $10K.
  • Responsive web app: Single platform, mobile-friendly but not a native app. Budget $12K to $25K for frontend development.

Timeline: 3 to 5 months. This tier works for small to mid-size practices that want to replace their EHR vendor's default portal with something patients will actually use. You are reading data from the EHR but not writing much back, which keeps integration complexity manageable.

Mid-Range Portal: $120K to $280K

  • Everything in Basic, plus:
  • Online bill pay: Integration with payment processors (Stripe, PaySimple) and practice management billing systems. Patients see outstanding balances, make payments, set up payment plans. Budget $15K to $30K.
  • Prescription management: View active prescriptions, request refills, e-prescribing integration via Surescripts. Budget $15K to $25K.
  • Document upload and forms: Patients upload insurance cards, complete intake forms, sign consent documents electronically before appointments. Budget $10K to $20K.
  • Telehealth integration: Embedded video visits using Twilio Video, Vonage, or Zoom for Healthcare SDK. Budget $20K to $40K.
  • Native mobile apps: iOS and Android apps using React Native or Flutter. Budget $25K to $50K on top of web costs.
  • Push notifications: Appointment reminders, lab results ready, message alerts. Budget $5K to $10K.

Timeline: 5 to 9 months. This is the sweet spot for multi-provider practices and small health systems. The bill pay integration alone often pays for the portal through improved collections rates. If you need a deeper look at what goes into the clinical side, read our guide on building a healthcare app.

Enterprise Portal: $280K to $500K+

  • Everything in Mid-Range, plus:
  • Bidirectional EHR integration: Write-back capabilities for scheduling, check-in, consent, and clinical data. Budget $40K to $80K depending on EHR vendor.
  • Multi-facility support: Role-based access across departments, locations, and provider groups. Budget $20K to $35K.
  • Health education content engine: Condition-specific educational materials surfaced based on patient diagnoses. Budget $15K to $25K.
  • Care plan tracking: Post-discharge instructions, medication adherence tracking, symptom check-ins. Budget $20K to $35K.
  • Analytics dashboard: Admin-facing metrics on portal adoption, feature usage, patient satisfaction, and operational impact. Budget $15K to $30K.
  • Accessibility compliance: WCAG 2.1 AA, Section 508, multi-language support. Budget $15K to $25K.

Timeline: 9 to 14 months. This is what large health systems and hospital networks build when they want full control over the patient experience. The bidirectional EHR integration is the big cost driver here, and it varies enormously depending on your EHR vendor's API maturity.

EHR Integration: The Biggest Variable in Your Budget

EHR integration is where patient portal budgets go sideways. The technical difficulty and cost depend almost entirely on which EHR system your organization runs. Here is a realistic breakdown by vendor.

Epic (FHIR R4 + Open.Epic APIs)

Epic is the gold standard for API maturity. Their Open.Epic platform provides well-documented FHIR R4 endpoints for patient data, scheduling, clinical documents, and more. Read access is straightforward. Write-back (scheduling, check-in, questionnaire responses) requires App Orchard registration, Epic's security review, and often a dedicated Epic analyst on the hospital side. Budget $30K to $60K for integration development and $5K to $15K annually for API licensing and maintenance. Timeline: 6 to 10 weeks for read-only, 12 to 20 weeks for bidirectional.

Oracle Health (formerly Cerner)

Oracle Health provides Millennium FHIR APIs through their CODE Console developer portal. The API surface is broad but documentation quality is inconsistent, and some endpoints still use proprietary formats alongside FHIR. Write-back capabilities are more limited than Epic's. Budget $35K to $70K for integration. Oracle's licensing model for API access can add $10K to $25K annually depending on transaction volume.

Athenahealth

Athenahealth's More Disruption Please (MDP) API program is developer-friendly for a cloud-based EHR. RESTful APIs cover scheduling, clinical data, billing, and patient communication. The advantage is that Athenahealth handles hosting and updates, so you are integrating with a single cloud endpoint rather than an on-premise instance. Budget $20K to $45K for integration. API access is generally included in the Athenahealth subscription.

MEDITECH, NextGen, eClinicalWorks, and Others

This is where costs climb. MEDITECH Expanse has improved its API story significantly, but older MEDITECH versions (Client/Server, Magic) require HL7v2 interfaces or custom middleware. NextGen offers APIs but with tighter rate limits. eClinicalWorks has had compliance issues (they paid $155 million in a False Claims Act settlement related to data blocking) and their integration quality reflects that history. For these EHRs, budget $40K to $90K for integration and expect longer timelines (16 to 24 weeks).

Multi-EHR Environments

If your health system runs multiple EHRs across facilities (common after mergers and acquisitions), you need an integration engine like Rhapsody, Mirth Connect (NextGen Connect), or Redox as a middleware layer. Redox is particularly popular for patient portal projects because it normalizes data from multiple EHRs into a single API. Redox pricing starts around $1,000/month and scales with transaction volume. Budget an additional $20K to $40K for middleware setup and configuration.

HIPAA Compliance Costs for Patient Portals

Every patient portal handles Protected Health Information, which means HIPAA compliance is not optional. The compliance burden adds 15 to 30% to your total development cost, but cutting corners here exposes you to fines that start at $100 per violation and scale to $1.5 million per category per year. For a detailed breakdown of what compliance costs across the board, see our HIPAA compliance costs guide.

Infrastructure Security: $600 to $2,500/month

Your portal needs HIPAA-eligible cloud services. On AWS, that means running in a VPC with private subnets, using RDS with encryption at rest (AES-256) and in transit (TLS 1.2+), enabling CloudTrail for API audit logging, and retaining logs for six years. You also need KMS for key management, WAF to filter web traffic in front of the application, and GuardDuty for threat detection. Google Cloud and Azure have equivalent HIPAA-eligible service configurations.

Alternatively, platforms like Aptible ($500 to $2,999/month) handle HIPAA infrastructure out of the box. For teams without dedicated DevOps engineers, Aptible or similar managed platforms save $30K to $60K in initial setup costs.

Security Engineering: $25K to $60K

This line item covers role-based access control, session management with automatic timeouts, audit trail implementation (every PHI access must be logged with who, what, when, and from where), encryption at every layer, and secure API authentication. You also need automatic de-identification for any analytics or reporting pipelines that aggregate patient data.
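The sketch below is an added example, not code from the original article. It shows how three of these controls fit together in one PHI access path: a role check, an idle session timeout, and an audit record written for every attempt, denials included. The role names, permission strings, 15-minute timeout, and sample addresses are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Assumed role-to-permission map (hypothetical roles and permission names).
ROLE_PERMISSIONS = {
    "patient": {"lab_results:read", "messages:read"},
    "nurse": {"lab_results:read", "messages:read", "messages:write"},
    "front_desk": {"appointments:read", "appointments:write"},
}
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value


@dataclass
class Session:
    user_id: str
    role: str
    source_ip: str
    patient_scope: set  # patient IDs this user is allowed to act on
    last_seen: float


@dataclass
class PhiGateway:
    audit_log: list = field(default_factory=list)

    def access(self, session, action, patient_id, now=None):
        now = time.time() if now is None else now
        expired = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        if expired:
            outcome = "denied:session_expired"
        elif action not in ROLE_PERMISSIONS.get(session.role, set()):
            outcome = "denied:role"
        elif patient_id not in session.patient_scope:
            outcome = "denied:patient_scope"
        else:
            outcome = "allowed"
        if not expired:
            session.last_seen = now  # activity on a live session resets the idle timer
        # Log every attempt (who, what, when, from where). Identifiers only,
        # never the PHI payload itself.
        self.audit_log.append({
            "who": session.user_id, "role": session.role,
            "what": action, "patient_id": patient_id,
            "when": now, "where": session.source_ip, "outcome": outcome,
        })
        return outcome == "allowed"


def demo():
    gw = PhiGateway()
    t0 = 1_700_000_000.0  # constructed timestamp
    patient = Session("p1", "patient", "203.0.113.10", {"p1"}, t0)
    desk = Session("u7", "front_desk", "10.0.0.5", {"p1", "p2"}, t0)
    nurse = Session("u3", "nurse", "10.0.0.8", {"p1", "p2"}, t0)
    results = [
        gw.access(patient, "lab_results:read", "p1", now=t0 + 60),     # own record
        gw.access(patient, "lab_results:read", "p2", now=t0 + 120),    # someone else's
        gw.access(desk, "lab_results:read", "p1", now=t0 + 60),        # role lacks it
        gw.access(nurse, "lab_results:read", "p2", now=t0 + 16 * 60),  # idle too long
    ]
    return results, gw.audit_log
```

Denied attempts are often the entries a reviewer needs most, which is why the log write sits outside the authorization branches.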

Penetration Testing and Security Audits: $10K to $30K

Before launch, you need a third-party penetration test from a firm experienced with healthcare applications. Companies like Coalfire, Protiviti, or healthcare-focused boutiques charge $10K to $30K depending on scope. Plan for annual re-testing.

Business Associate Agreements

Every vendor touching PHI needs a signed BAA. AWS, Google Cloud, Twilio, and Stripe all offer BAAs (some at no extra cost, some requiring enterprise plans). Having a healthcare attorney review critical BAAs costs $2,000 to $5,000 per agreement. Budget $5K to $15K total for legal review of your vendor agreements.

Risk Assessment and Documentation: $8K to $20K

HIPAA requires a formal risk assessment before you go live. This includes documenting all systems that touch PHI, identifying vulnerabilities, and creating remediation plans. You also need a privacy officer designation, workforce training program, incident response plan, and breach notification procedures. You can do this in-house, but most organizations hire a HIPAA consultant ($150 to $300/hour) to ensure nothing is missed.

Development Approach: Agency vs. In-House vs. Offshore

How you build your patient portal affects both cost and risk. Each approach has real tradeoffs, and the "right" answer depends on your organization's technical maturity, timeline pressure, and tolerance for ongoing vendor relationships.

U.S.-Based Development Agency: $150K to $500K+

A specialized healthcare development agency brings HIPAA experience, EHR integration knowledge, and a team that has built portals before. You are paying $150 to $250 per hour for senior engineers who understand HL7 FHIR, know the quirks of Epic's API authentication flow, and have dealt with the operational realities of healthcare IT departments.

The advantages are significant: faster time to market (agencies have reusable components for auth, messaging, and scheduling), fewer compliance mistakes, and a team that can navigate EHR vendor relationships. The downside is cost. A full-featured portal from a top-tier U.S. agency runs $250K to $500K. That said, the total cost of ownership is often lower because you avoid expensive rework caused by HIPAA oversights or botched EHR integrations.

Look for agencies with published healthcare case studies, SOC 2 Type II certification, and experience with your specific EHR vendor. Ask for references from healthcare clients, not just general software references.

In-House Development Team: $200K to $600K+ (Year One)

Building in-house gives you the most control but requires the largest upfront investment. You need a minimum team of two to three senior full-stack engineers ($130K to $180K salary each), a DevOps/infrastructure engineer with HIPAA experience ($140K to $190K), a UX designer, and a project manager. Fully loaded costs (salary, benefits, equipment, office) run $200K to $350K per engineer per year.

The hidden cost is recruiting time. Healthcare-experienced engineers are scarce. Plan 3 to 6 months to build a team, which means your project timeline extends significantly. The advantage is that you own the team, the codebase, and the institutional knowledge long-term. For large health systems that plan to iterate on their portal for years, this often makes sense despite the higher first-year cost.

Offshore Development: $40K to $150K

Offshore teams in Eastern Europe ($40 to $80/hour), India ($25 to $50/hour), or Latin America ($35 to $70/hour) can reduce your development budget by 50 to 70%. But healthcare software carries risks that general SaaS does not.

HIPAA compliance requires that developers handling PHI, even in test environments, operate under compliant agreements. Your offshore vendor needs a BAA, their development environments must meet HIPAA security standards, and you need to verify their security practices independently. Many offshore firms claim HIPAA experience but have only superficial knowledge of the requirements.

The model that works best: use an offshore team for frontend development and UI components (no PHI access needed), while keeping backend development, EHR integration, and security architecture with a U.S.-based team or agency. This hybrid approach typically costs $100K to $250K and balances cost savings with compliance safety.

Ongoing Maintenance, Hosting, and Hidden Costs

Your patient portal budget does not end at launch. Ongoing costs are 15 to 25% of the initial build cost annually. Here is what to plan for.

Cloud Hosting and Infrastructure: $1,500 to $8,000/month

A HIPAA-compliant production environment with proper redundancy, backup, and monitoring runs $1,500 to $4,000/month for a small to mid-size portal. Enterprise portals handling 50,000+ active patients with high availability requirements push to $5,000 to $8,000/month. These numbers assume AWS or GCP. Managed HIPAA platforms like Aptible simplify operations but cost more per unit of compute.

EHR API Costs: $5K to $50K/year

Some EHR vendors charge for API access, and pricing models vary. Epic does not charge per-call fees for standard FHIR access, but requires App Orchard membership ($0 for open APIs, variable for premium endpoints). Oracle Health API fees depend on your contract and transaction volume. Third-party integration platforms like Redox charge $12K to $60K/year based on data volume and number of connected EHR instances.

Security Monitoring and Compliance: $2K to $8K/month

Continuous security monitoring, log analysis, vulnerability scanning, and annual penetration testing are not optional for healthcare applications. Tools like Datadog ($15 to $27 per host per month), Vanta ($6K to $20K/year for compliance automation), or Drata add up. Include the annual HIPAA risk assessment ($8K to $20K) and any gap remediation work.

Feature Updates and Bug Fixes: $5K to $20K/month

Patients will find bugs. Providers will request features. EHR vendors will deprecate API endpoints and release new versions. You need a development team (even a small one) continuously maintaining the portal. If you built with an agency, negotiate a retainer ($5K to $15K/month) for ongoing support. If you built in-house, at least one full-time engineer should be dedicated to the portal.

Third-Party Service Costs

  • Twilio (SMS/telehealth): $500 to $3,000/month depending on volume
  • Stripe (payment processing): 2.9% + $0.30 per transaction, plus Stripe's healthcare compliance requirements
  • SendGrid/Postmark (transactional email): $50 to $300/month
  • Auth0 (authentication): Free tier covers up to 7,500 active users, then $23/month per 1,000 users on the B2C plan

Total ongoing cost for a mid-range patient portal: $8K to $25K/month, or roughly $100K to $300K/year. This is the number that surprises most organizations. The portal is not a one-time purchase. It is a product that requires continuous investment.

Timeline, Risks, and How to Start

Realistic timelines for patient portal development, assuming you have already selected your EHR integration approach and assembled your team:

  • Basic MVP: 3 to 5 months (read-only EHR access, scheduling, messaging)
  • Mid-Range Portal: 5 to 9 months (bill pay, telehealth, native mobile, prescription management)
  • Enterprise Portal: 9 to 14 months (bidirectional EHR, multi-facility, care plans, analytics)

Add 4 to 8 weeks for EHR vendor security review and API credentialing. This step catches teams off guard because it happens after development is "done" but before you can connect to production EHR data. Epic's security review, for example, involves code scanning, a detailed questionnaire, and sometimes a video walkthrough with their team.

Common Risks That Blow Budgets

EHR integration scope creep. You plan for FHIR R4 read access. Then a stakeholder requests appointment write-back. Then someone needs real-time ADT feeds for bed management. Each addition is $15K to $40K in unplanned integration work. Lock your EHR integration scope early and treat additions as separate project phases.

Underestimating HIPAA. Teams that have built SaaS products but not healthcare products routinely underestimate HIPAA compliance costs. The technical requirements (encryption, audit logging, access controls) are manageable, but the administrative requirements (risk assessments, policies, training, BAAs) take real time and money.

Ignoring accessibility. Healthcare organizations receiving federal funds must comply with Section 508 and ADA requirements. Retrofitting accessibility into an existing portal is 2 to 3x more expensive than building it in from the start. Budget $15K to $25K for WCAG 2.1 AA compliance and test with actual screen readers.

Provider adoption. You can build the best patient portal in the world, but if your providers do not respond to secure messages and your front desk does not promote it, patients will not use it. Budget for change management, staff training, and at least 3 months of adoption monitoring after launch.

Where to Start

If you are evaluating whether to build a custom patient portal, start by documenting three things. First, what your current portal (if any) does not do that patients and staff need. Second, which EHR system you run and what API access you already have. Third, your realistic budget range, including at least 18 months of ongoing costs.

Then get specific about your feature priorities. You do not need every feature at launch. A phased approach (MVP in 4 months, then iterative releases) reduces risk and lets you validate assumptions with real patients before committing to the full scope.

We build HIPAA-compliant patient portals and healthcare platforms for health systems, digital health startups, and clinical organizations. If you want a realistic cost estimate based on your EHR environment and feature requirements, book a free strategy call and we will scope it together.
