Medplum Monthly Update - May 2026
May was a heavy month for Medplum, with 100+ commits from 20+ contributors and four patch releases — v5.1.10 through v5.1.13. Scheduling was the headline: the full appointment operation suite — $find, $hold, $book, $confirm, and $cancel — landed in Alpha. The Provider App also gained medication ordering components, order set import, and operation-based claim submission. On the enterprise side, new data warehouse export features were enabled, and the platform team shipped passwordless magic-link login, AWS GuardDuty malware protection, and a round of OAuth2 spec-compliance fixes. All of this continues to drive forward our 2026 roadmap priorities.
Features
Scheduling
May completed the core scheduling operation suite that the scheduling roadmap has been building toward. Each step of the booking lifecycle now has a dedicated, spec-aligned FHIR operation:
- Appointment/$find multi-schedule search — Search for open slots across multiple schedules in a single request, the foundation for self-scheduling across providers and locations
- $hold operation — Temporarily reserve a slot while a patient completes booking, preventing double-booking during checkout
- $book for proposed appointments — $book now accepts a proposed appointment as input, with test coverage for the patient self-booking path
- $confirm operation — New Appointment/:id/$confirm operation to confirm a held or proposed appointment
- $cancel operation — New scheduling cancel operation with improved error-path handling throughout the booking flow
- Appointment-based Provider flow — The Provider scheduling calendar now uses the Appointment-based flow, reveals more slots in the schedule page, and is gated behind a scheduling feature flag for controlled rollout
- Self-scheduling reference flow — Foomedical, a sample patient-facing experience, now uses Appointment/$find + $hold to demonstrate the end-to-end patient booking pattern
Provider App: Medication Ordering and Prescribing
Medication ordering moved into the Provider App this month:
- Meds ordering components — New React and Provider App components for ordering medications, bringing prescribing into the standard clinical workflow
- Batched pharmacy/org searches — Preferred pharmacies and organizations are now fetched with batched searches during prescribing for faster load times
- Resilient draft handling — Draft MedicationRequest resources are soft-deleted when an order-medication step fails, keeping the chart clean after errors
Provider App: Order Sets and Billing
- Order set import — An order set bundle and import button were added to the Provider App, with a sync bot trigger that runs automatically after an example order set is imported
- Operation-based claim submission — Claim submission now uses a server-side FHIR operation instead of a bot, simplifying the billing integration and reducing moving parts
- Self-pay coverage filtering — Self-pay coverage is now filtered out of the visit eligibility check and removed from the PatientSummary insurance display, so eligibility reflects only billable payers (Insurance Eligibility Checks)
- ClinicalImpression in the timeline — Clinical impressions now appear in the patient timeline (Maddy Li)
- Cancel Visit — A "Cancel Visit" button and a fixed "Details" link tab round out the encounter workflow (Noah Silas)
- Configurable onboarding — The Provider App "Get Started" screen can now be hidden via a project setting (Ian Plunkett)
AI: Real-Time Clinical Documentation
AI work this month focused on real-time clinical documentation inside Spaces, the AI-powered chat workspace in the Provider App, as part of the AI roadmap:
- Real-time speech-to-text — Live speech-to-text in the Provider App for AI-assisted clinical documentation, backed by updates to the $ai-realtime operation
- Markdown responses in Spaces — Spaces now renders markdown in AI responses for clearer, better-formatted output
- Whisper hook in react-hooks — The Whisper transcription hook moved into the @medplum/react-hooks package so it can be reused across applications
Enterprise: Data Warehouse Export
A major Enterprise Scale feature landed: Medplum can now export directly from PostgreSQL into Apache Parquet and Apache Iceberg tables on S3 Tables. This gives data teams an efficient, columnar path into modern lakehouse analytics without standing up a separate ETL pipeline. A new startDate parameter lets exports run incrementally. This is new functionality related to Medplum Enterprise.
Platform, Security, and Infrastructure
- Passwordless magic-link login — New OAuth2 pre-authorized code flow enables magic-link sign-in, with the pre-authorized code lifetime extended to 7 days for email-based flows
- Unified external authentication — Consolidated the external identity-provider paths into a single unified external auth flow, including Google Cloud Identity Platform userinfo support
- AWS GuardDuty Malware Protection — Added support for AWS GuardDuty Malware Protection on uploaded files, with graceful handling of images quarantined by the scanner
- HTTPS-only subscription URLs — Rest-hook Subscription URLs now require HTTPS by default, and a server option can require a verified email address before login
- OAuth2 spec-compliance fixes — A batch of OAuth2 token endpoint corrections including offline_access handling when refresh_token is in grant_types, www-authenticate: bearer responses, and enforcing login membership before scope
- log-streaming project feature — A new log-streaming project feature plus a Project.features search parameter for managing it
- Bot Lambda lifecycle management — Medplum now prunes old bot Lambda versions, deletes the Lambda when a bot is deleted, and removes stale versions, keeping cloud deployments tidy and within service limits
- Agent/$stats operation — New operation to retrieve statistics for a deployed Agent, Medplum's on-premise connectivity service for legacy healthcare systems
- User/$rescope operation — New operation to change a user's project scope without re-issuing credentials
- Rate-limit reliability — Optimized Redis key access for rate limiting, exposed the RateLimit header for CORS, and improved WebSocket subscription error messages
- Rate-limit administration — A new project rate-limits operation, an admin API endpoint for rate-limit utilization status, an active-consumer index, and a Rate Limits tab on the admin page give operators full visibility into rate limiting
- NPI Lookup example bot — A new example bot for NPI lookups using the NPPES API
- Range search — FHIR search now supports range queries with correct overlap and boundary handling
- Patient scope hardening — Patient-scoped tokens are now restricted to their context Patient compartment, and chained search and _include types are validated for safety
- Vendored JSON Patch — The JSON Patch library is now vendored, and FHIR quota-limit computation was unified into a single helper
- Larger payload handling — Oversized request bodies are transformed into a clean HTTP 413 response
- Transaction reliability — Serialized transaction state transitions and more consistent repository connection-state tracking improve site reliability under load
- Project.link search parameter — New search parameter for navigating linked projects
Documentation
May's documentation work spanned self-hosting, compliance, integrations, and the Provider App.
Self-hosting and reliability
- Install on DigitalOcean — New guide for self-hosting Medplum on DigitalOcean
- Uptime and reliability — New documentation covering Medplum's uptime and site reliability practices
- VM context bot security note — Added a security note for VM context bots in production
Compliance and scale
- Electronic prior authorization testing — Testing documentation for electronic prior authorization, part of the HTI-4 compliance initiative ahead of the January 2027 enforcement date (Cody Ebberson)
- Async batch processing — New documentation for asynchronous batch processing, with a note on how FHIR quotas apply (Finn Bergquist, Andy Stoneman)
Integrations
- Health Gorilla sync-back resources — Documentation for resources synced back from Health Gorilla (Maddy Li)
- Self-service prescriber enrollment bot — Documented the self-service prescriber enrollment bot (Ian Plunkett)
Provider App and platform
- Spaces feature documentation — Added Spaces feature documentation for the Provider App, including a walkthrough video (Everett Williams)
- Charting documentation restructure — Restructured the charting documentation with additional decision-guide content (Everett Williams)
- Project vs. server-scoped users and direct external auth — Clarified user scoping and external auth setup (Finn Bergquist)
- Rate limits operation — Documented the new rate-limits operation, plus a clarification on bots with ProjectMembership (Maddy Li)
- Trust center links — Updated compliance links to point to the Medplum Trust Center (Reshma Khilnani)
Testing infrastructure
A broad effort migrated many internal packages — including hl7, fhir-router, generator, create-medplum, cdk, ccda, mock, and definitions — from Jest to Vitest for faster, more consistent test runs across the monorepo.
Bug Fixes
AWS and CDK
- Fixed handling of complex server configuration, and corrected CDK to send the prefix instead of the bucket name (contributed by Jim Fiorato)
Authentication
- Serialized cross-tab token refresh using the Web Locks API to prevent race conditions across browser tabs (contributed by Dillon Streator)
- Fixed the RECAPTCHA_SITE_KEY always reverting to the default value (contributed by Meade)
- Added defaultProjectFeatures to the config object keys set (contributed by Nate Watkins)
FHIR and Agent
- Fixed indexing of fragment CodeSystem resources in the coding table (contributed by Jeffry Looijestijn)
- The Agent now returns an explicit error when an upgrade artifact is missing (contributed by Agustin Bereciartua Castillo)
- Display of onBehalfOf was added to History, Timeline, and Blame views (contributed by Alex Lin)
Releases
Looking Ahead
May brought the scheduling operation suite to completion — $find, $hold, $book, $confirm, and $cancel now cover the full booking lifecycle — and moved the Provider App onto an Appointment-based flow with medication ordering and order set import. Passwordless magic-link login and GuardDuty malware protection strengthen the platform's security posture.
Join us on Discord to share feedback or follow along on GitHub.
