Skip to main content

Medplum Monthly Update - February 2026

· 11 min read
Reshma Khilnani
Reshma Khilnani
Medplum Core Team

February was a productive month for Medplum. We shipped four releases — v5.0.14, v5.0.15, v5.1.0, and v5.1.1, including a minor version bump reflecting the depth of new capabilities — with over 130 commits from 25+ contributors. The biggest themes this month were WebSocket subscription stability and performance improvements, AI-powered provider experiences, scheduling refinements, and revenue cycle tooling — all advancing our 2026 roadmap priorities.

Features

Provider App: AI-Powered Spaces and Chat

David Yanez David Yanez

The Provider app's Spaces experience gained significant AI capabilities this month, advancing our AI roadmap initiative:

  • LLM components and visualization preview in Spaces — AI-generated structured components and previews now render inside the chat interface, enabling richer, more interactive AI responses
  • Attachment support in chat — Providers can now send and receive file attachments within the base chat component
  • Updated AI models — The provider app is configured with the latest available language models
  • ThreadInbox as a reusable React component — Moved to the @medplum/react package, making inbox functionality available to any Medplum-powered application
  • Navbar alerts and countsProvider app navigation links now support badge icons and resource counts for at-a-glance workflow status

The Foomedical demo — a sample patient-facing experience — was also updated to showcase the latest chat experience.

AWS Lambda Streaming for Bots

David Yanez David Yanez

Bots deployed on AWS Lambda can now stream responses back to callers in real time. This unlocks Server-Sent Events-style streaming from Lambda-hosted bots — a foundational capability for building AI scribes, copilots, and other latency-sensitive applications. This directly supports the AI roadmap initiative.

WebSocket Subscriptions: Scale and Observability

Derrick Farris Derrick Farris

February saw a major investment in WebSocket subscriptions, improving performance, reliability, and operational visibility at scale — directly advancing the Enterprise Scale & Infrastructure roadmap priority:

  • Per-user WebSocket subscription limits — Prevents runaway connections from any single user from destabilizing the platform
  • Super admin dashboard for subscription stats — Real-time visibility into active WebSocket subscriptions, connection counts, and resource utilization across the entire platform (super admin guide)
  • Admin operation to clear all WebSocket subscriptions — Administrative control for operations teams managing large deployments
  • Multiple performance improvements — Subscription criteria is now only evaluated when criteria match, access policy decisions are cached in the hot evaluation loop, active subscription lists are partitioned by resource type, Redis key deletion is non-blocking, and a new efficient event payload format reduces latency and CPU load at high subscription volumes

Scheduling Enhancements

Noah Silas Noah Silas

Building on January's $find and $book foundation, scheduling received several refinements this month:

  • Customizable appointment creation before $book — Developers can now inject custom fields and logic into the appointment object before the booking operation executes, enabling clinic-specific workflows
  • _count parameter for $find — Limits the number of available slots returned, improving efficiency for high-volume scheduling queries
  • Adding a visit now creates a busy slot — The Provider calendar correctly blocks time when a visit is added, ensuring accurate availability display
  • Improved UTC/local day discrepancy handling — Scheduling operations behave correctly when the server's UTC time and the local calendar day differ

Revenue Cycle: Claim Submission and Eligibility

David Yanez David Yanez

Advancing the Revenue Cycle & Billing roadmap initiative:

  • Claim submission to Candid — A proof-of-concept integration for submitting claims directly to Candid Health, enabling automated professional billing workflows from within the Provider app (billing overview)
  • CoverageEligibilityRequest in $extract — The SDC $extract operation now uses the standard CoverageEligibilityRequest resource for insurance eligibility checks, aligning with the FHIR specification

Pharmacy Components

Oleg Rocklin Oleg Rocklin

New React components for patient preferred pharmacy selection are now available in @medplum/react. This supports e-prescribing workflows and the ePrescribe integration roadmap initiative.

Multiple Redis Support

Matt Long Matt Long

Medplum server now supports multiple Redis instances, enabling more flexible infrastructure topologies including Redis Cluster deployments and failover configurations. This is an important step for enterprise-scale deployments that require high availability for caching and pub/sub. (self-hosting guide)

Instance-Level Custom FHIR Operations

Rahul Agarwal Rahul Agarwal

Developers can now define custom FHIR operations at the instance level with resource input — enabling more granular, resource-specific API extensions. Combined with updated bot operation documentation, this gives builders more control over custom workflow APIs. For self-hosters, this is particularly valuable: you can expose clinic- or organization-specific operations directly on your FHIR server without forking Medplum, keeping your customizations cleanly separated from the core platform.

Security and Authentication

  • Public PGP key published — Medplum now has a published security PGP key for responsible disclosure, listed on the security page (Cody Ebberson)
  • Sub claim fallback in external auth — Improved compatibility with external OIDC providers that use non-standard subject claim formats (Rahul Agarwal)
  • In-memory rate limit tracking for high-volume abuse — Heavily rate-limited users are now tracked in memory for faster enforcement (Matt Willer)
  • Access policy search permission explicitly checked — Tightened enforcement of access control on search operations (Matt Willer)

Developer Experience

  • Members tab in project admin — Users and Patients are now combined into a single Members tab on the project admin page for a cleaner project management experience (Maddy Li)
  • SMART app launch with patient identifier — SMART app launch URLs now support patient identifiers, improving interoperability with EHR launch contexts (Maddy Li)
  • Token :text modifier in SearchControl — The SearchControl component now supports the token text modifier for more flexible searches (Cody Ebberson)
  • Hidden field support in forms — Form components now support hidden fields for passing context without user input (Maddy Li)
  • Membership label filtering in profile chooser — The profile selection form can now filter memberships by label, contributed by jeffrey-peterson-vanna
  • Operation to refresh reference display strings — A new operation allows refreshing cached display strings on resource references, keeping display data current after resource updates (Matt Willer)
  • Native bcrypt for improved authentication performance — Switched from the pure-JavaScript bcryptjs library to native bcrypt bindings, significantly improving password hashing throughput (Cody Ebberson)
  • Configurable CDS services URL — The Clinical Decision Support (CDS) Hooks service URL is now configurable, enabling integration with custom CDS endpoints. CDS Hooks support is part of Medplum's HTI-4 compliance initiative, which covers payer interoperability requirements ahead of the January 2027 enforcement date. (Cody Ebberson)

Documentation

February's documentation work was substantial, with a major restoration of SDK docs and expanded coverage of operations, subscriptions, and integrations.

Operations and API

Darren Eam Darren Eam

Subscriptions

Provider and Clinical

  • DoseSpot notifications — Updated documentation for DoseSpot notification handling (David Yanez)
  • Patient login and launch URI clarification — Improved docs for patient-facing login flows and SMART launch URIs, contributed by Mallikharjuna Mulpuri
  • Allergy representation — Clarified allergy status and AllergyIntolerance formatting in the representing allergies guide, contributed by Aaron Hong
  • CareTeam tenancy patterns — Clarified per-patient CareTeam cardinality and multi-tenancy patterns (Rahul Agarwal)

Infrastructure and Security

Blog

  • Identity Management: A Practical Guide — New blog post by Everett Williams on managing digital identities in healthcare applications (read the post)
  • Medplum Secures Healthcare Platform on Docker Hardened Images — Published on the Docker blog, this post by Cody Ebberson and Docker's Ajeet Singh Raina covers how Medplum uses Docker Hardened Images to reduce CVE noise, meet HIPAA and SOC 2 requirements, and minimize container security configuration burden

Bug Fixes

Clinical Data

  • Fixed handling of nullFlavor values in CCDA-to-FHIR conversion, improving interoperability with C-CDA documents that contain null-flavored data elements (contributed by Amanda McGivern)
  • Fixed handling of terminology designations without a language code

Scheduling

  • Fixed scheduling operations during UTC/local day boundary discrepancies

Server and Authentication

  • Fixed project-scoped users being properly removed when their project membership is deleted
  • Fixed a string equality check error in the token endpoint

Infrastructure

  • Fixed the CDK deployment option for retaining RDS instances on stack deletion
  • Fixed basic auth behavior for inactive project memberships
  • Reverted an overly strict date validation change that caused regressions

Releases

Looking Ahead

February's investments in WebSocket subscription performance and Lambda streaming set the stage for more capable real-time and AI-powered workflows in Q1. The scheduling enhancements continue to push toward a full self-scheduling experience, and the Candid claim submission proof-of-concept marks meaningful progress on revenue cycle automation.

Join us on Discord to share feedback or follow along on GitHub.