
Vibe Coding on Medplum

Everett Williams
Deployment Strategist, Medplum

More and more Medplum users are building with AI coding assistants — Cursor, Claude, Copilot, and others. We have been talking to users about what works and wrote up what we have learned in a new guide: Building on Medplum with AI Coding Assistants. This post is the short version of what is in there.

The single biggest lever we have found is this: make your AI tools learn from Medplum's open-source code and docs rather than solely from generic FHIR training data. This dramatically improves the outputs you get from any request you make.

Give your tools access to Medplum

Medplum is FHIR-native, so any LLM with baseline FHIR training has a head start. But FHIR is a standard, not an implementation, and the gap between knowing the spec and knowing how to build something real is where most AI-generated code falls apart. Medplum's open-source docs and codebase cover that gap directly: real patterns and working examples. Point the LLM there, and you get code that actually works instead of plausible-looking output that doesn't.

The simplest way to set this up, and the one we reach for first, is to clone the Medplum repo and symlink it into your project:

ln -s /absolute/path/to/medplum medplum-link

Then tell the model it can read medplum-link/. If you would rather not clone, you can give the agent docs and GitHub search instead, or connect Medplum's MCP server — the guide covers both.

Plan and prompt with Medplum as the source of truth

The setup only pays off if your prompts push the model toward it. The pattern that has worked best, in our experience, is to plan before you build: ask the model to read the relevant docs and code (or have a rule file do this for you — more on that below), explain the common design patterns and their tradeoffs, and only then implement. It is far cheaper to catch a wrong architectural turn while it is still a paragraph than after it is a few hundred lines. Where you can, point the agent at the closest existing implementation to adapt rather than asking it to start from a blank file.

Keep conversations short

One real risk: long conversations decay. An agent that started with the right context drifts as the thread grows and earlier details get summarized away — strong answers early, subtle regressions later. We have had the best luck keeping a conversation scoped to a single task, starting fresh often, and re-pointing the model at the docs at checkpoints, for instance right after it generates a resource.

Verify the output

An agent's confidence is not a measure of correctness, so build verification in. The cheapest check — and one the agent can run itself if it has terminal access — is to compile the generated code against Medplum's TypeScript types. The types are strict, so a hallucinated field on a typed FHIR resource is a compile error rather than a production surprise. Tests and linting catch more, and when you want the real thing, Medplum's server-side validation will check resources against the actual FHIR and profile definitions.

And the part we would never skip, because this is healthcare: review the output, especially the sensitive parts. LLMs make mistakes, and a wrong access policy does not throw an error — it quietly exposes data. Anything touching access control, auth scopes, or PHI deserves a careful human read before it ships.

Put it in a rule file

Everything above works better when you write it down once instead of repeating it in every prompt. A rule file — CLAUDE.md, Cursor rules, or an AGENTS.md — gets read on every turn, so it keeps the model pointed at Medplum's docs without being told, and it survives the context decay from the last section. We offer a starter rule file you can drop in and adapt; grab it from the guide.

Advanced: direct data access

Finally, an aspect that should be treated with care: giving your AI tool direct access to your Medplum data, through an API token or the MCP server. It can speed things up, but the caveats are real. If the tool can reach live PII or PHI, you must have a BAA with your LLM vendor; if you do not, scope an access policy so the token only ever reaches non-PII/PHI data.
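The review step and the scoping advice above can be backed by a small pre-flight check on the access policy you intend to attach to an agent's token. This is an added example, not code from Medplum or the guide: the field names follow Medplum's AccessPolicy resource, while the local types, the PHI_TYPES list, the read-only rule, and both sample policies are assumptions made for illustration.

```typescript
// Local stand-ins for the parts of Medplum's AccessPolicy this check reads.
interface PolicyEntry {
  resourceType: string;
  readonly?: boolean;
  criteria?: string;
  hiddenFields?: string[];
}
interface AccessPolicy {
  resourceType: 'AccessPolicy';
  name?: string;
  resource?: PolicyEntry[];
}

// Assumption: your own inventory of resource types that can hold PII/PHI.
// Constructed for this example, not exhaustive.
const PHI_TYPES = ['Patient', 'Observation', 'Condition', 'Encounter', 'DocumentReference'];

function auditAgentPolicy(policy: AccessPolicy, phiTypes: string[] = PHI_TYPES): string[] {
  const findings: string[] = [];
  for (const entry of policy.resource ?? []) {
    if (entry.resourceType === '*') {
      findings.push('"*" grants every resource type, PHI included');
    } else if (phiTypes.indexOf(entry.resourceType) !== -1) {
      // Filtering rows or hiding a few fields does not make the type PHI-free.
      const narrowed = Boolean(entry.criteria) || (entry.hiddenFields ?? []).length > 0;
      findings.push(`${entry.resourceType} can hold PHI${narrowed ? ' (narrowed, still reachable)' : ''}`);
    }
    // This example's own least-privilege rule: an agent token only needs to read.
    if (entry.readonly !== true) {
      findings.push(`${entry.resourceType} is writable`);
    }
  }
  return findings;
}

// Constructed sample policies (not from a real project).
const tooBroad: AccessPolicy = {
  resourceType: 'AccessPolicy',
  name: 'agent-dev (as generated)',
  resource: [{ resourceType: '*' }, { resourceType: 'Patient', readonly: true, hiddenFields: ['name'] }],
};
const scoped: AccessPolicy = {
  resourceType: 'AccessPolicy',
  name: 'agent-dev (scoped)',
  resource: [{ resourceType: 'Questionnaire', readonly: true }, { resourceType: 'StructureDefinition', readonly: true }],
};

console.log(auditAgentPolicy(tooBroad).join('\n'));
```

An empty result is a prompt for the human review described earlier, not a substitute for it; the check only knows the resource types you list.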


None of this is that complicated, but together it changes how much you can trust what your agent hands back. The full write-up — setup options, prompting patterns, the validation tiers, and the data-access caveats — lives in Building on Medplum with AI Coding Assistants. Give your tools the source of truth, plan before you build, verify the output, and keep a human in the loop. Then go build something, and let us know what you make.