Mental Health App Backend

Mental health apps deal with some of the most sensitive personal data a patient generates. The backend has to make access decisions narrow, recover gracefully from a forgotten password, support a coach or clinician relationship without overexposing the patient, and handle crisis flags with care.

What you can build

  • Sensitive data stays inside a narrow access scope

    Patient-only by default. Coach and clinician access is granted explicitly per relationship and recorded in the audit log.

  • Standard FHIR shape for assessments and journaling

    QuestionnaireResponse for PHQ-9, GAD-7, and similar; Observation for derived scores; Communication for chat messages.

  • Crisis flags drive Subscriptions

    Severe responses trigger Subscriptions that page the on-call clinician. The escalation is auditable from start to finish.

What you get out of the box

  • Patient ownership of data

    With Fire Arrow: PatientCompartment validator scopes access to the owning patient by default.
    Building it yourself: Per-endpoint authorization aligned with the data model.

  • Coach-patient relationship

    With Fire Arrow: CareTeam or RelatedPerson resource with the coach assigned; coach role scopes by CareTeam membership.
    Building it yourself: Custom assignment table joined to every coach query.

  • Crisis handling

    With Fire Arrow: Subscription on QuestionnaireResponse with FHIRPath criteria for severe scores; emits notification to on-call clinician.
    Building it yourself: Custom rule engine over the response store with its own notification path.

  • Sensitive-field redaction

    With Fire Arrow: Property filters strip identifying fields for analytics roles; coach role sees only fields the consent permits.
    Building it yourself: Field-level filtering applied per role per endpoint.

Who this is for

Mental health product teams designing the backend for therapy apps, mood tracking, sleep support, or coach-mediated programs, and clinical leads evaluating the data model.

Clinical applicability

A guided CBT app pairs each patient with a coach for the first eight weeks. The patient writes journal entries, completes weekly PHQ-9 assessments, and chats with the coach. Coaches see only the patients on their roster; clinicians review escalations.

Why the access model matters more here

Most healthcare apps balance access against utility; mental health apps tend to require narrower defaults. A breach of mental health data is harder to recover from than a breach of routine clinical data, which makes the deny-by-default access posture more important and the access-boundary discipline more valuable.

Fire Arrow's deny-by-default rule chain enforces this directly. The patient owns the data; access by anyone else is a deliberate grant tied to a specific role and a specific relationship, recorded in the audit log.

Coach-vs-clinician roles

Coaches and clinicians need different roles. A coach typically sees adherence, mood scores, and chat history but not raw journal text. A clinician reviewing an escalation sees more, including journal entries relevant to the crisis flag.

Both roles use the same data; the difference is in property filters and which resource types are in scope. The coach role has stricter filters; the clinician role has broader filters scoped by the active escalation.
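The role split above, worked through in code. This is an added example, not Fire Arrow's code or rule chain: it models the PatientCompartment check, the CareTeam roster check for coaches, the "active escalation" gate for clinicians, and per-role property filters as plain Python dicts. Assumptions not taken from the page: journal entries are modeled as DocumentReference, an active escalation is represented by the patient's reference in an open_escalations set, and the sample resources and identifiers are constructed.

```python
"""Role-scoped read of one patient's mental-health data (added example, not Fire Arrow code).

Assumptions not taken from the page: journal entries are modeled as DocumentReference,
a clinician's "active escalation" is represented by the patient's reference in an
open_escalations set, and policies are plain dicts rather than the product's rule chain.
"""
from copy import deepcopy

PATIENT = "Patient/p-001"

# Constructed sample data: one CareTeam roster and four resources in the patient's compartment.
CARE_TEAMS = [{
    "resourceType": "CareTeam", "id": "ct-1", "subject": {"reference": PATIENT},
    "participant": [{"member": {"reference": "Practitioner/coach-7"}}],
}]
RESOURCES = [
    {"resourceType": "QuestionnaireResponse", "id": "qr-1", "status": "completed",
     "subject": {"reference": PATIENT}, "authored": "2024-03-01",
     "questionnaire": "Questionnaire/phq9",
     "item": [{"linkId": "phq9-1", "answer": [{"valueInteger": 3}]}]},
    {"resourceType": "Observation", "id": "obs-1", "status": "final",
     "subject": {"reference": PATIENT}, "code": {"text": "PHQ-9 total"}, "valueInteger": 21},
    {"resourceType": "Communication", "id": "comm-1", "status": "completed",
     "subject": {"reference": PATIENT}, "sent": "2024-03-01T10:00:00Z",
     "payload": [{"contentString": "Checking in before our session"}]},
    {"resourceType": "DocumentReference", "id": "doc-1", "status": "current",
     "subject": {"reference": PATIENT}, "date": "2024-03-01",
     "description": "Journal entry", "content": [{"attachment": {"contentType": "text/plain"}}]},
]

# Per-role field allowlists. A resource type missing from a role's map is out of scope
# for that role; a field missing from the list is stripped. The patient role is unfiltered.
ROLE_FIELDS = {
    "coach": {
        "Observation": {"id", "status", "subject", "code", "valueInteger"},
        "Communication": {"id", "status", "subject", "sent", "payload"},
        # The coach sees that an assessment was completed, not the item-level answers.
        "QuestionnaireResponse": {"id", "status", "subject", "authored", "questionnaire"},
    },
    "clinician": {
        "Observation": {"id", "status", "subject", "code", "valueInteger"},
        "Communication": {"id", "status", "subject", "sent", "payload"},
        "QuestionnaireResponse": {"id", "status", "subject", "authored", "questionnaire", "item"},
        "DocumentReference": {"id", "status", "subject", "date", "description", "content"},
    },
}


def in_compartment(resource, patient_ref):
    """PatientCompartment check: the resource's subject must be the requested patient."""
    return resource.get("subject", {}).get("reference") == patient_ref


def coach_on_roster(coach_ref, patient_ref, care_teams):
    """Coach access is a CareTeam membership for this specific patient."""
    return any(
        team.get("subject", {}).get("reference") == patient_ref
        and any(p.get("member", {}).get("reference") == coach_ref
                for p in team.get("participant", []))
        for team in care_teams
    )


def relationship_allows(actor, role, patient_ref, care_teams, open_escalations):
    """Deny by default: only these three relationships grant any access at all."""
    if role == "patient":
        return actor == patient_ref
    if role == "coach":
        return coach_on_roster(actor, patient_ref, care_teams)
    if role == "clinician":
        return patient_ref in open_escalations
    return False


def filter_fields(resource, allowed):
    """Property filter: keep only the allowlisted fields (resourceType is always kept)."""
    kept = {k: deepcopy(v) for k, v in resource.items() if k in allowed}
    kept["resourceType"] = resource["resourceType"]
    return kept


def read_patient_data(actor, role, patient_ref, resources, care_teams, open_escalations, audit):
    """Return the resources `actor` may see for `patient_ref`, appending the decision to `audit`."""
    allowed = relationship_allows(actor, role, patient_ref, care_teams, open_escalations)
    audit.append({"actor": actor, "role": role, "patient": patient_ref,
                  "decision": "allow" if allowed else "deny"})
    if not allowed:
        return []
    out = []
    for r in resources:
        if not in_compartment(r, patient_ref):
            continue
        if role == "patient":
            out.append(deepcopy(r))
            continue
        allowed_fields = ROLE_FIELDS[role].get(r["resourceType"])
        if allowed_fields is not None:       # type absent from the role's map: out of scope
            out.append(filter_fields(r, allowed_fields))
    return out
```

The relationship check runs before any resource is touched, so a coach who is not on the roster and a clinician with no open escalation get an empty result and a "deny" audit entry, whatever the property filters would have allowed.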

Crisis-flag flow

A PHQ-9 response above a configured score triggers a Subscription. The Subscription handler creates a Task for the on-call clinician and sends a notification through the configured channel. The clinician reviews the response, contacts the patient if appropriate, and records the outcome.

Every step is recorded: the response that triggered it, the Subscription that matched, the Task that was created, the clinician who viewed the response, and the action that was taken. A retrospective review of an escalation is a search, not an investigation.
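The crisis-flag flow end to end, as an added example that is not Fire Arrow's code: a PHQ-9 QuestionnaireResponse is scored into a derived Observation, a Subscription is evaluated, a Task for the on-call clinician is opened and a notification queued, the clinician's view and outcome move the Task through its states, and the retrospective review is a single search over the audit trail. Assumptions not taken from the page: the threshold value (20), the Task code text, the audit event names, and a Python predicate standing in for the Subscription's FHIRPath criteria; all identifiers and responses are constructed.

```python
"""Crisis-flag flow from PHQ-9 response to closed escalation (added example, not Fire Arrow code).

Assumptions not taken from the page: the severe threshold value, the Task code text, the
audit event names, and a Python predicate standing in for the Subscription's FHIRPath criteria.
"""
import itertools

PHQ9_SEVERE_THRESHOLD = 20  # constructed deployment setting; the page only says "configured score"
ON_CALL = "Practitioner/oncall-1"


def phq9_total(response):
    """Sum the integer answers of a PHQ-9 QuestionnaireResponse (nine items scored 0..3)."""
    return sum(ans["valueInteger"]
               for item in response.get("item", [])
               for ans in item.get("answer", []) if "valueInteger" in ans)


def severe_phq9(response):
    """Predicate standing in for the Subscription's FHIRPath criteria."""
    return (response.get("questionnaire") == "Questionnaire/phq9"
            and phq9_total(response) >= PHQ9_SEVERE_THRESHOLD)


# One Subscription: the resource type it watches, its criteria, and the notification channel.
SUBSCRIPTIONS = [{"id": "sub-crisis", "resource": "QuestionnaireResponse",
                  "criteria": severe_phq9, "channel": "queue:oncall"}]


class EscalationService:
    def __init__(self, on_call=ON_CALL):
        self.on_call = on_call
        self.tasks = {}    # Task.id -> Task resource
        self.queue = []    # outbound notifications (a real deployment uses a queue or webhook)
        self.audit = []    # append-only event trail
        self._ids = itertools.count(1)

    def _record(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def receive(self, response):
        """Store the derived score, evaluate Subscriptions, and open a Task for each match."""
        score = phq9_total(response)
        observation = {"resourceType": "Observation", "status": "final",
                       "subject": response["subject"], "code": {"text": "PHQ-9 total"},
                       "valueInteger": score,
                       "derivedFrom": [{"reference": f"QuestionnaireResponse/{response['id']}"}]}
        self._record("response.received", response=response["id"], score=score)
        tasks = []
        for sub in SUBSCRIPTIONS:
            if sub["resource"] != response["resourceType"] or not sub["criteria"](response):
                continue
            self._record("subscription.matched", subscription=sub["id"], response=response["id"])
            task = {"resourceType": "Task", "id": f"task-{next(self._ids)}",
                    "status": "requested", "intent": "order",
                    "code": {"text": "crisis-escalation"},
                    "for": response["subject"],
                    "focus": {"reference": f"QuestionnaireResponse/{response['id']}"},
                    "owner": {"reference": self.on_call}}
            self.tasks[task["id"]] = task
            self.queue.append({"channel": sub["channel"], "to": self.on_call, "task": task["id"]})
            self._record("task.created", task=task["id"], response=response["id"], owner=self.on_call)
            tasks.append(task)
        return observation, tasks

    def clinician_viewed(self, clinician, task_id):
        """The clinician opens the triggering response; the Task moves to in-progress."""
        task = self.tasks[task_id]
        task["status"] = "in-progress"
        self._record("response.viewed", task=task_id, actor=clinician)

    def record_outcome(self, clinician, task_id, outcome):
        """The clinician records what was done; the Task is completed with the outcome as output."""
        task = self.tasks[task_id]
        task["status"] = "completed"
        task["output"] = [{"type": {"text": "outcome"}, "valueString": outcome}]
        self._record("task.completed", task=task_id, actor=clinician, outcome=outcome)

    def trail(self, task_id):
        """Retrospective review: every audit event touching this escalation, in order."""
        response_id = self.tasks[task_id]["focus"]["reference"].split("/", 1)[1]
        return [e for e in self.audit
                if e.get("task") == task_id or e.get("response") == response_id]


def phq9_response(response_id, patient_ref, answers):
    """Build a constructed PHQ-9 QuestionnaireResponse from nine 0..3 answers."""
    return {"resourceType": "QuestionnaireResponse", "id": response_id, "status": "completed",
            "questionnaire": "Questionnaire/phq9", "subject": {"reference": patient_ref},
            "item": [{"linkId": f"phq9-{i}", "answer": [{"valueInteger": a}]}
                     for i, a in enumerate(answers, 1)]}
```

Because every event carries either the Task id or the response id, trail() recovers the whole chain (received, matched, created, viewed, completed) with one filter; a response below the threshold leaves only a "response.received" event and opens nothing.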

FAQ

How do I handle account recovery without exposing data?

Account recovery is an identity-layer concern handled by the OAuth/OIDC provider. Fire Arrow does not see the recovery flow; what it sees is a re-authenticated identity that resolves to the same Patient. Defense-in-depth (account verification, support-side identity confirmation) sits in the recovery flow itself.

Can the coach see the patient's raw journal?

Only if the patient's consent and the coach's role permit it. The default coach role does not include raw journal access; specific products configure this based on their clinical model and consent design.

What about minors and parental access?

Parental or guardian access is modeled through RelatedPerson with a defined relationship. Rules can permit or deny RelatedPerson access to specific resource types based on the patient's age and the deployment's policy.

How do crisis escalations work in practice?

Subscription criteria run server-side; the matching response triggers a notification to the on-call clinician through a queue or webhook channel. The escalation lifecycle is tracked as a Task with documented state transitions.