HealthLens — Devpost Submission


Inspiration

Most of us, at some point in life, have sat in a doctor's office holding a printed lab report — rows of numbers, cryptic abbreviations, reference ranges — and felt completely lost. The doctor has three minutes. You nod. You say "okay." And then you go home and Google it, which somehow leaves you more anxious than before.

That moment stuck with us. Healthcare literacy shouldn't depend on how medically educated you are, how much time your doctor has, or whether you can afford a second opinion. Millions of people receive lab results every day and have no real way to understand what those results mean for their lives.

We built HealthLens because that gap — between a number on a page and actually understanding your own body — is a problem AI can solve today, right now, for everyone.


What it does

HealthLens is an AI-powered lab report interpreter that turns confusing medical data into plain-English understanding in seconds.

You paste your report text or upload a photo of it (JPEG, PNG, WebP, or PDF), and HealthLens gives you:

  • A plain-English summary of your overall results — what's going on in your body, simply put
  • Flagged values — every result marked as normal, high, or low with a visual gauge
  • Risk summaries across four body systems — Cardiovascular, Metabolic, Immune, and Endocrine
  • 5 ready-to-ask doctor questions generated specifically from your findings, so you walk into your next appointment prepared
  • Follow-up chat — a multi-turn AI conversation where you can ask anything about your specific results
  • Trend comparison — paste two reports from different dates and see exactly what improved, declined, or stayed stable over time

Everything is processed in memory and immediately discarded. No health data is ever stored on our servers.


How we built it

Frontend — React 18 + Vite + Tailwind CSS + Radix UI. We prioritized clean, accessible UI (WCAG 2.1 AA) so the app feels trustworthy and calm — important when people are reading health information.

Backend — Node.js + Express 4 + TypeScript. Structured with separate route, controller, middleware, and service layers for maintainability.

AI — DigitalOcean Gradient™ AI Serverless Inference at inference.do-ai.run/v1 using the Llama 3 70B model via the OpenAI-compatible SDK. We make three distinct AI calls: analyzeReport for the full structured breakdown, chatFollowUp for the multi-turn conversation, and compareTrends for the two-report comparison. The AI is prompted to respond only in structured JSON, which we parse and render as rich UI components.

Image processing — sharp resizes, normalises, and strips all EXIF metadata from uploaded images before they reach the AI — a HIPAA privacy requirement.

Auth — Ed25519 asymmetric JWT via the jose library. No shared secrets. Tokens are signed with a private key and verified with a public key.
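The property this design relies on, shown as an added example rather than HealthLens' own code: it uses Node's built-in crypto module instead of jose, with a constructed key pair, a minimal claim set and an assumed compact header.payload.signature layout. The signer needs the private key; anything that only verifies holds the public key and could not mint a token even if fully compromised.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

interface Claims { sub: string; exp: number; } // exp in seconds since the epoch

const b64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data) : data).toString('base64url');

function decodePart(part: string): unknown {
  try { return JSON.parse(Buffer.from(part, 'base64url').toString('utf8')); }
  catch { return undefined; }
}

// Sign: header and claims as base64url JSON, EdDSA over "header.payload".
function signToken(claims: Claims, privateKey: KeyObject): string {
  const header = b64url(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const signingInput = header + '.' + payload;
  // Ed25519 hashes internally, so the digest algorithm argument is null.
  const sig = sign(null, Buffer.from(signingInput), privateKey);
  return signingInput + '.' + b64url(sig);
}

// Verify with the public key only: pin the algorithm, check the signature, then expiry.
function verifyToken(token: string, publicKey: KeyObject, nowMs: number = Date.now()): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = decodePart(h) as { alg?: unknown } | undefined;
  if (header?.alg !== 'EdDSA') return null; // reject any other alg, including "none"
  const ok = verify(null, Buffer.from(h + '.' + p), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) return null;
  const claims = decodePart(p) as Partial<Claims> | undefined;
  if (typeof claims?.sub !== 'string' || typeof claims.exp !== 'number') return null;
  if (claims.exp * 1000 <= nowMs) return null; // expired
  return { sub: claims.sub, exp: claims.exp };
}

// Constructed key pair for the demo; in deployment only the API holds the private key.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
```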

Security — Helmet security headers, per-route rate limiting via express-rate-limit, and input validation with express-validator.

Deployment — DigitalOcean App Platform with the API as a service and the frontend as a static site, configured via .do/app.yaml.


Challenges we ran into

Getting structured JSON reliably from the model. The analysis feature depends entirely on the AI returning a specific JSON schema — findings, flags, gauge values, risk levels. Early on, the model would occasionally wrap the response in markdown code fences or add a preamble sentence, breaking our parser. We solved this with strict system prompt instructions, a temperature: 0.1 setting for determinism, and a cleaning step that strips any markdown before parsing.
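The cleaning-and-parsing step described above, as an added example and not the project's own code: it strips markdown fences and any preamble around the outermost object, then validates every field before the result can reach the UI. The field names (summary, findings, flag, gauge) and the 0..1 gauge range are assumptions standing in for the app's real schema.

```typescript
type Flag = 'normal' | 'high' | 'low';

interface Finding {
  name: string;  // analyte, e.g. "LDL"
  value: number;
  flag: Flag;
  gauge: number; // assumed 0..1 position for the visual gauge
}

interface Analysis { summary: string; findings: Finding[]; }

const FENCE = '\u0060\u0060\u0060'; // three backticks, the markdown code-fence marker

// Strip code fences (with or without a "json" tag) and any text outside the outermost object.
function cleanModelJson(raw: string): string {
  const text = raw.replace(new RegExp(FENCE + '(?:json)?', 'gi'), '');
  const start = text.indexOf('{');
  const end = text.lastIndexOf('}');
  if (start === -1 || end < start) throw new Error('model reply contains no JSON object');
  return text.slice(start, end + 1);
}

const FLAGS: ReadonlySet<string> = new Set(['normal', 'high', 'low']);

// Parse, then validate every field before it can drive the UI: wrong types,
// unknown flags or out-of-range gauges are rejected rather than rendered.
function parseAnalysis(raw: string): Analysis {
  const data: unknown = JSON.parse(cleanModelJson(raw));
  if (typeof data !== 'object' || data === null) throw new Error('reply is not an object');
  const obj = data as Record<string, unknown>;
  if (typeof obj.summary !== 'string') throw new Error('summary must be a string');
  if (!Array.isArray(obj.findings)) throw new Error('findings must be an array');
  const findings: Finding[] = obj.findings.map((f: unknown, i: number): Finding => {
    const x = (typeof f === 'object' && f !== null ? f : {}) as Record<string, unknown>;
    if (typeof x.name !== 'string' || typeof x.value !== 'number' ||
        typeof x.flag !== 'string' || !FLAGS.has(x.flag) ||
        typeof x.gauge !== 'number' || x.gauge < 0 || x.gauge > 1) {
      throw new Error('finding ' + i + ' does not match the schema');
    }
    return { name: x.name, value: x.value, flag: x.flag as Flag, gauge: x.gauge };
  });
  return { summary: obj.summary, findings };
}

// Constructed sample reproducing the failure mode: a preamble sentence plus code fences.
const SAMPLE_REPLY =
  'Here is the analysis:\n' + FENCE + 'json\n' +
  '{"summary":"Mostly normal; LDL is elevated.","findings":[' +
  '{"name":"LDL","value":162,"flag":"high","gauge":0.9}]}\n' + FENCE;
```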

HIPAA-aware file handling. We wanted to support image uploads without ever writing PHI to disk. Getting multer's memoryStorage, sharp's in-memory pipeline, and EXIF stripping to work together cleanly, while keeping the buffer small enough to send to the AI, took several iterations.

Balancing rate limits. Different endpoints have very different usage patterns — someone might send 30 chat messages in a session but should only run 10 full analyses per hour. Setting limits that protect the API without frustrating real users required thinking carefully about each route independently.


Accomplishments that we're proud of

Zero PHI at rest — by design, not policy. It would have been easy to save reports to a database "just in case." We made the deliberate architectural choice to never write health data anywhere — multer memory storage, in-memory sharp pipeline, no logging of request bodies. The privacy protection is structural, not just a checkbox.

A UI that feels calm and trustworthy. Health information is emotional. We spent real time on the visual design — the gauge bars, the colour-coded flags, the risk summary cards — so that the results feel reassuring and clear rather than clinical and alarming.

Three genuinely useful AI features, not one. Most hackathon AI apps do one thing with the model. HealthLens does three distinct things — analyze, chat, and compare — each with its own prompt strategy and UI, all integrated into a coherent product flow.

Production-grade security on a hackathon timeline. Ed25519 JWTs, Helmet headers, per-route rate limits, EXIF stripping, input validation — we shipped every layer of security a real-world health app would need.


What we learned

Privacy and UX are not opposites. We expected that doing things the "right" privacy way — no storage, no logging, memory-only processing — would mean sacrificing features. It didn't. The session-based history, the in-memory chat context, the transient file pipeline — all of it works smoothly for the user while keeping zero PHI on disk.

Rate limiting needs to be per-feature, not just global. A single global rate limit is blunt and frustrating. Per-route limits that match actual usage patterns — tight for auth, generous for chat, strict for heavy AI calls — make the app both safer and more usable.
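The per-route idea from the challenges section and this lesson, as an added example that is not HealthLens' code (the app uses express-rate-limit): a fixed-window limiter keyed by route and client, so one client's chat traffic never consumes its analysis budget. The route paths, the budgets and the fallback ceiling are illustrative assumptions; the clock is injectable so the window rollover can be tested offline.

```typescript
interface Policy { max: number; windowMs: number; }

// Illustrative budgets: tight for auth, generous for chat, strict for heavy AI calls.
const POLICIES: Record<string, Policy> = {
  '/api/auth/login': { max: 5, windowMs: 15 * 60_000 },
  '/api/chat': { max: 60, windowMs: 15 * 60_000 },
  '/api/analyze': { max: 10, windowMs: 60 * 60_000 },
};
// Routes without an explicit policy still get a ceiling rather than none at all.
const DEFAULT_POLICY: Policy = { max: 100, windowMs: 15 * 60_000 };

interface Decision { allowed: boolean; remaining: number; retryAfterMs: number; }

class RouteRateLimiter {
  private readonly policies: Record<string, Policy>;
  private readonly now: () => number;
  // Keyed by route + client so budgets are independent per feature and per caller.
  private readonly windows = new Map<string, { start: number; count: number }>();

  constructor(policies: Record<string, Policy>, now: () => number = Date.now) {
    this.policies = policies;
    this.now = now;
  }

  check(route: string, client: string): Decision {
    const policy = this.policies[route] ?? DEFAULT_POLICY;
    const key = route + '|' + client;
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= policy.windowMs) { // window expired: start a fresh one
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= policy.max) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + policy.windowMs - t };
    }
    w.count += 1;
    return { allowed: true, remaining: policy.max - w.count, retryAfterMs: 0 };
  }
}
```

The retryAfterMs value is what a middleware would surface as a Retry-After header alongside the 429.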


What's next for HealthLens

Multi-language support. Lab reports and patients exist in every language. The AI can already reason in multiple languages — we want to add a language selector so non-English speakers get results in their native tongue.

reCAPTCHA v3 in a monorepo. Loading the reCAPTCHA script once, making it available across two different form pages, and failing gracefully when the site key isn't set in local dev — without polluting global state — led us to build the clean useRecaptcha hook.
