Industry · Medical supplies (B2B + B2C)

Magento for medical supplies: HCPCS, EDI, HIPAA, and prior auth, wired in

Medical supplies are uniquely brutal to e-commerce platforms. 20k+ SKUs with HCPCS coding. EDI 850/855/856 to McKesson, Cardinal, Medline. HIPAA + 21 CFR Part 820 compliance from day one. Prior-auth that pauses checkout until the payer approves. Recall workflows that find every affected lot before the FDA does. Magento + Hyvä handles all of it — built for DME suppliers, hospital procurement teams, and Medicare direct-ship at the same time.

  • HCPCS-keyed catalog with Medicare B-code billing handoff to Brightree / CareCloud / NikoHealth
  • McKesson, Cardinal Health, Medline drop-ship via native EDI 850/855/856/810
  • Prior-auth checkout that pauses, requests payer auth, resumes when approved
Adobe-Certified Magento + Hyvä developer · B2B medical builds shipped across 4 regions
Why Magento for medical supplies

Four numbers that matter on every medical-supplies store I ship

SKU count, compliance posture, DME-billing depth, and B2B-B2C split. Get these four right and the rest of the medical-tech stack falls into place. Get them wrong and you spend the quarter firefighting denied claims and FDA letters.

  • 20k+ SKUs · DME catalog scale handled

    Medical supply catalogs run 20,000–200,000 SKUs once you factor in size variants for wound dressings, ostomy pouch flange sizes, mobility-aid configurations, and CPAP mask interfaces. Magento EAV + configurable products carry this load without the per-SKU fees that drown McKesson Connect or Shopify Plus at scale.

  • HIPAA + 820 · Compliance posture, day 1

    Encryption at rest, audit log on every order row, BAA-ready hosting (AWS HIPAA-eligible, Cloudways Pro+ with BAA, or Magento Commerce Cloud Pro). 21 CFR Part 820 quality-system hooks for design controls, CAPA, and complaint handling. Built-in — not a $40k consulting bolt-on.

  • DME billing · HCPCS-native checkout

    HCPCS code stored as a product attribute, Medicare B-code billing handoff to Brightree, CareCloud, NikoHealth, Bonafide, or TIMS via webhook. Prior-auth status tracked as an order state. Reimbursement reconciliation report runs nightly. No more spreadsheet exports.

  • B2B + B2C · 200-bed hospital and home patient, one store

    Hospital procurement portal (PO-based, Net-60, contract pricing, GPO tier discounts) and Medicare beneficiary direct-ship (insurance card capture, prior-auth gate, copay collection) run on the same Magento instance with separate catalogs and customer-group-aware checkout.

What gets built

Six medical-specific capabilities, wired into the same Magento instance

Not a generic Magento build. These six are the load-bearing pieces every medical-supplies merchant needs — HCPCS, distributor EDI, HIPAA, prior auth, recall, B2B + B2C — with the integration patterns I use across hospital procurement portals and Medicare direct-ship stores.

  • HCPCS code library + DME billing handoff

    HCPCS code (E0143 walker, A4253 test strips, K0001 manual wheelchair, etc.) stored as an indexed Magento product attribute. At checkout the order writes a billing-handoff payload to Brightree, CareCloud, NikoHealth, Bonafide, or TIMS via REST/webhook with HCPCS, modifier (NU / RR / KH), units, and patient/insurance context. Medicare B-code routing logic handled in Magento; claim adjudication lives in the DME billing system. One source of order truth, one source of claim truth, reconciled nightly.

  • EDI 850/855/856 to McKesson, Cardinal, Medline

    Native EDI 850 (PO out), 855 (PO ack in), 856 (ASN in), and 810 (invoice in) handlers for McKesson Connect, Cardinal Health, Medline, Henry Schein Medical, and AvaCare Medical drop-ship. Built on Magento order observers + an EDI translator layer (we use TrueCommerce, SPS Commerce, or DiCentral, or roll a custom AS2 + X12 stack for high-volume merchants). Cuts manual PO entry from 4–6 hours/day to zero and surfaces backorder ETA at the cart line item.

  • HIPAA-grade order data layer

    Encryption at rest (AES-256 on the order + customer tables), audit log on every PHI read/write, BAA-ready hosting partners (AWS HIPAA-eligible, Cloudways Pro+ with BAA, Magento Commerce Cloud Pro), customer-data auto-purge on a per-state retention timer (CA 7yr, TX 7yr, FL 5yr, NY 6yr), session timeouts at 15min, MFA on admin, role-based access on PHI columns. Quarterly mock audit ships with the retainer. Same Magento, with the gates wired correctly.

  • Prior-authorization checkout block

    When a SKU requires prior auth (CPAP, power wheelchair, lymphedema pump, etc.) the checkout pauses at place-order, writes a pending state, ships a payer-auth request to the carrier (Medicare DME MAC, Aetna, UnitedHealthcare, Anthem, BCBS, Humana), and notifies the patient + ordering clinician via email/SMS. Auth approved → order resumes and fulfills. Denied → order voids cleanly with a customer-service handoff. No more “charged-but-can’t-bill-Medicare” reversal headaches.

  • Recall workflow + FDA reporting

    Lot number + UDI captured on every fulfilled order. When a recall hits (Class I/II/III FDA recall or vendor field-action notice) the workflow filters affected lots, pulls the customer + clinician contact list, fires templated email/SMS/letter outreach, generates the FDA MedWatch 3500A reporting bundle, and tracks customer response (returned / destroyed / no response) for the audit trail. Mock-recall drill quarterly to keep the muscle memory.

  • B2B + B2C on one Magento store

    Hospital procurement portal (PO-based ordering, Net-60 terms, GPO contract pricing through Vizient, Premier, HealthTrust, requisition lists, multi-step approval) AND Medicare beneficiary direct-ship (insurance card capture, prior-auth gate, copay collection, signature-on-delivery for Schedule items) share the same SKU pool, same admin, same WMS. Customer-group-aware visibility + checkout. On Adobe Commerce: native B2B Companies. On Open Source: customer-group price rules + extensions like Aheadworks B2B Suite.

The build process

Five steps from audit to compliant, billing-integrated store

Audit → plan → build → deploy → stabilise. Tuned for medical’s regulatory cadence: every cutover includes an EDI 856 sandbox test, an FDA mock-recall drill, and a HIPAA pen-test on the staging mirror. Optional ongoing retainer covers quarterly mock audits + payer-matrix updates.

  1. Audit

    SKU inventory + HCPCS coverage gap report, payer mix (% Medicare, % Medicaid, % commercial, % cash), current DME billing software (Brightree / CareCloud / NikoHealth / Bonafide / TIMS / spreadsheet), distributor relationships (McKesson / Cardinal / Medline contracts), HIPAA + 21 CFR Part 820 posture, prior-auth volume + denial rate. 1 week, written gap report.

    Baseline + gaps
  2. Plan

    Catalog architecture (HCPCS-keyed taxonomy, configurable SKUs for size/flange/fit variants), HIPAA + 21 CFR Part 820 scope (BAA partners, encryption boundaries, audit-log retention, training plan), DSCSA serialization plan (lot + UDI per SKU per shipment), distributor EDI sequencing (which one first by GMV), prior-auth payer matrix. Written spec + Gantt.

    Locked scope
  3. Build

    Catalog import with HCPCS mapping, 1 distributor EDI (850/855/856/810), DME billing connector to your existing system, prior-auth checkout block, recall workflow, B2B + B2C customer-group setup, Hyvä storefront. 6–14 weeks depending on scope. Test fixtures for every payer path. Sandbox EDI testing with the distributor before production cutover.

    Build + UAT
  4. Deploy

    Blue-green cutover with EDI 856 test order through the distributor sandbox first, FDA mock-recall drill on a synthetic lot, HIPAA pen-test on the staging mirror, prior-auth flow tested on 3 payer paths (Medicare DME MAC, BCBS, UHC). DNS / TTL prep. War room for the first 48 hours. Audit log baseline captured.

    Live + verified
  5. Stabilise

    Monthly DSCSA lot-level reconciliation, quarterly mock HIPAA + 21 CFR Part 820 audit, payer reimbursement reporting (denial rate, days-to-pay, average reimbursement per HCPCS), recall-drill rehearsal, EDI exception monitoring. Optional ongoing retainer ($2k–$6k/mo) for compliance ops + payer-matrix updates as carrier rules change.

    Optimised + iterating
Engagement shapes + pricing

Three ways to start — fixed-fee audit, fixed-fee build, or enterprise scope

All three are fixed-fee. Hours math is on every card — $25/hr, divided cleanly. No hourly surprises, no scope drift mid-project. Pick the one that fits where you are, or email me for a custom quote.

  • Start here

    Audit

    $499

    Fixed-fee · 5 business days · ~20h @ $25/hr

    • SKU inventory import + HCPCS coverage gap report
    • Payer mix analysis (Medicare / Medicaid / commercial / cash)
    • Current DME billing system fit + integration scope
    • HIPAA + 21 CFR Part 820 gap report (written)
    • Distributor EDI readiness (McKesson / Cardinal / Medline)
    • Prior-auth volume + denial-rate baseline
    • Written platform-fit recommendation within 5 days
  • Enterprise scope

    Custom enterprise

    Custom

    Quote in 24h · multi-week engagement

    • Multi-distributor EDI (McKesson + Cardinal + Medline + Henry Schein)
    • Full HIPAA + 21 CFR Part 820 implementation + quarterly mock audit
    • 50+ insurer prior-auth matrix with payer-specific workflows
    • DSCSA full serialization + UDI labeling
    • FDA MedWatch 3500A recall reporting bundle
    • GPO contract pricing (Vizient, Premier, HealthTrust)
    • Multi-region (US FDA + EU CE-mark MDR 2017/745 + AU TGA)
Free medical-supplies consultation

Book a free 30-min medical-supplies Magento consultation

Tell me your SKU count, payer mix, current DME billing system, and distributor relationships. I’ll send a written platform-fit recommendation within 24 hours and include a 30-min calendar link if a call would help. No upsell.


Past clients say

Reviews from B2B + B2C merchants I’ve shipped Magento for

Public reviews on Upwork — clickable on each card. Same person, same rate card, same playbook for every merchant.

Kishan did great job - everything as expected! I would definitely recommend

Jan Mucic, CEO

Kishan was a pleasure to work with! He is highly skilled, professional, and delivered outstanding results on time. His expertise and attention to detail made a significant impact on our project. Communication was seamless, and he went above and beyond to ensure everything met...

Murali, Alrium

Fantastic person, very knowledgeable, honest and reliable. Sorted out my issue within an hour! I cannot wait for the next project to work with Kishan

Steve Zed

Brilliant freelancer. He is the best Magento 2 freelancer I have ever worked with. So good and

Peter Stewart, CEO, No79 Design

Kishan is a very competent and reliable Magento developer. He was able to handle every task I gave him quickly and efficiently and his communication was top-notch. I look forward to continuing to work with

Philip Johnston, Newthink

Kishan was a huge help on my Magento project. Five stars all the

Lauren Osterstock

Shipping medical-supplies stores across

  • United States
  • United Kingdom
  • Canada
  • Australia
  • Ireland
  • New Zealand
  • South Africa
  • India
FAQ

Twelve questions medical-supplies ecom leaders actually ask

Magento vs McKesson Connect vs Cardinal Direct vs Shopify Plus for medical supplies?

Honest cut, medical-specific:

  • McKesson Connect / Cardinal Direct are vendor portals, not e-commerce platforms. Great if you want to resell their SKUs without holding inventory, terrible if you want your own brand identity, your own SEO, or to drop-ship from a second distributor. You don’t own the customer.
  • Shopify Plus handles a clean B2C Medicare direct-ship catalog under ~5,000 SKUs reasonably well. Falls apart on three medical-specific things: HCPCS-as-attribute indexing, prior-auth checkout flow (you’d need a $20k+ custom app), and EDI 850/855/856 to McKesson (Shopify EDI apps exist but are fragile).
  • Magento + Hyvä handles 20,000+ SKUs cleanly, has native EDI integration paths via TrueCommerce / SPS Commerce, supports HCPCS as a first-class product attribute, can pause checkout for prior auth via order-state machine, and lets you ship B2B hospital procurement + B2C Medicare direct-ship from the same store with separate catalogs.

Most DME merchants above $2M GMV land on Magento. Below $1M, Shopify Plus + a few apps is fine. Above $10M, especially with multi-distributor EDI + GPO contracts, Magento (or Adobe Commerce + B2B Companies) is the only real answer.

HCPCS code library + DME billing handoff — how does Magento integrate with Brightree, CareCloud, NikoHealth, Bonafide?

HCPCS code (E0143 standard walker, A4253 blood glucose test strips, K0001 manual wheelchair, E0601 CPAP, etc.) is stored as an indexed Magento product attribute. Modifiers (NU new, RR rental, KH initial month, KI second/third month, KJ months 4–13) are stored on the order line item, not the product.

At order placement, an observer fires a webhook to your DME billing system with a normalized payload: {patient_id, payer_id, hcpcs, modifier, units, dos, charge, dx_codes[]}. Each system has its own API:

  • Brightree (the market leader) — REST API + bulk SFTP fallback. Native order-import endpoint. ~$3k/mo for the platform + integration build is ~$4k–$8k.
  • CareCloud / NikoHealth — REST APIs, well-documented, ~$2k–$5k integration build.
  • Bonafide — popular with mid-size DME suppliers. REST API.
  • TIMS Software — older, SOAP-based but stable. Integration ~$6k–$10k due to the legacy protocol.

Claim adjudication, payer-specific edits, and ERA posting all live in the DME billing system — Magento doesn’t do claims. Magento is the order-of-record; the DME billing system is the claim-of-record. Reconciled nightly via a status-back webhook so the Magento order shows “billed,” “paid,” or “denied” with the EOB attached.

Insurance prior-authorization — how does the checkout that pauses, requests payer auth, and resumes actually work?

The pattern is an order-state machine, not a checkout hack.

SKUs that require prior auth are flagged with a product attribute (requires_prior_auth = 1) and tagged with the payer-matrix segment (Medicare DME MAC Jurisdiction A/B/C/D, Medicaid by state, commercial by payer ID). At checkout, if any cart line item has the flag and the customer’s insurance is in the matrix:

  • Place order → order created in state pending_prior_auth, payment authorized but not captured, inventory reserved.
  • Prior-auth request fires → via your clearinghouse (Availity, Change Healthcare, Waystar) using X12 278 transactions, or via the payer’s portal API (UHC PreCheck, Aetna eviCore, Anthem AIM, BCBS ProPAT).
  • Patient + clinician notified via email/SMS with the auth-request number and expected turnaround (typical: 3–15 business days depending on payer + service code).
  • Auth approved → order auto-transitions to ready_to_fulfill, payment captures, EDI 850 fires to distributor.
  • Auth denied → order auto-cancels, payment auth releases, customer-service handoff with the denial reason + appeal path.

The hardest part isn’t the code — it’s the payer matrix. Each payer has different prior-auth rules per HCPCS code, and the rules change quarterly. We refresh the matrix via the clearinghouse and Optum’s payer-policy library; the retainer covers this.
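The state machine described above, as an added example in plain Python (not Magento code and not this project's implementation). The state names come from the answer; the event fields, the `canceled` state name, and the replay and mismatch handling are assumptions chosen to show why payer callbacks should be applied through an explicit transition table.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING_PRIOR_AUTH = "pending_prior_auth"   # name from the page
    READY_TO_FULFILL = "ready_to_fulfill"       # name from the page
    CANCELED = "canceled"                       # assumed name for the auto-cancel state


class Payment(Enum):
    AUTHORIZED = "authorized"   # authorized but not captured
    CAPTURED = "captured"
    RELEASED = "released"


# The only legal moves. Anything not listed here is refused, so a late or
# conflicting payer callback cannot capture payment twice or revive a
# canceled order.
TRANSITIONS = {
    (State.PENDING_PRIOR_AUTH, "approved"): (State.READY_TO_FULFILL, Payment.CAPTURED),
    (State.PENDING_PRIOR_AUTH, "denied"): (State.CANCELED, Payment.RELEASED),
}


class TransitionError(Exception):
    """Raised when a payer decision may not be applied to the order."""


@dataclass
class Order:
    order_id: str
    auth_request_id: str
    state: State = State.PENDING_PRIOR_AUTH
    payment: Payment = Payment.AUTHORIZED
    inventory_reserved: bool = True
    edi_850_sent: bool = False
    seen_events: set = field(default_factory=set)
    history: list = field(default_factory=list)


def apply_payer_decision(order, event):
    """Apply one payer callback. Returns False for a replayed event.

    `event` is a hypothetical normalized callback:
    {"event_id": ..., "auth_request_id": ..., "decision": "approved" | "denied"}
    """
    # Clearinghouses retry deliveries; a replay must be a no-op.
    if event["event_id"] in order.seen_events:
        return False
    # A decision for a different auth request must never move this order.
    if event["auth_request_id"] != order.auth_request_id:
        raise TransitionError("decision does not match this order's auth request")
    key = (order.state, event["decision"])
    if key not in TRANSITIONS:
        raise TransitionError(
            f"{event['decision']!r} not allowed from state {order.state.value}")
    new_state, new_payment = TRANSITIONS[key]
    order.history.append((order.state.value, new_state.value, event["event_id"]))
    order.state, order.payment = new_state, new_payment
    if new_state is State.READY_TO_FULFILL:
        order.edi_850_sent = True          # stand-in for emitting the EDI 850
    else:
        order.inventory_reserved = False   # denial releases the reservation
    order.seen_events.add(event["event_id"])
    return True
```
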

HIPAA-grade order layer — what’s actually required (encryption, BAA, audit log, purge policy)?

HIPAA isn’t a checkbox; it’s a posture. The non-negotiables for a Magento medical-supplies store:

  • Encryption at rest — AES-256 on the customer + order + sales tables (specifically the columns holding PHI: patient name, DOB, SSN/MBI, insurance ID, diagnosis codes). Magento supports column-level encryption via the encryption interface; we extend it to PHI columns.
  • Encryption in transit — TLS 1.2+ everywhere, HSTS on. No surprise.
  • BAA-ready hosting — AWS HIPAA-eligible services (RDS, EC2, S3, CloudFront) under a signed BAA, Cloudways Pro+ tier with BAA, or Magento Commerce Cloud Pro. Most shared hosts (Bluehost, SiteGround, etc.) will not sign a BAA — not an option.
  • Audit log — every PHI read/write logged with user, IP, action, before/after, timestamp. Magento has a basic admin action log; we extend it to capture API access + customer-account access.
  • Customer-data auto-purge — per-state retention timers. CA 7yr, TX 7yr, FL 5yr, NY 6yr (per state DME regulations). Cron-driven purge on inactive accounts past the timer.
  • Access controls — MFA on all admin accounts, role-based PHI access, 15-min session timeouts on admin, IP allowlisting on the admin panel.
  • Breach response plan — written, tested, ready to fire within 60 days of detection (HIPAA breach-notification rule).

This is built into the platform from day one, not bolted on after launch. Migrating an existing Magento store to HIPAA posture mid-life is roughly 2x the cost of building it right the first time.
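The retention purge and audit-log items above, as an added example in plain Python (not Magento code and not this project's implementation). The retention years and the audit fields come from the list; the account layout, field names, holding unknown states for review, and logging field names instead of PHI values are assumptions.

```python
from datetime import date, datetime, timezone

# Retention timers as stated on the page.
RETENTION_YEARS = {"CA": 7, "TX": 7, "FL": 5, "NY": 6}
# Hypothetical column names for the PHI the page lists.
PHI_FIELDS = ("patient_name", "dob", "mbi", "insurance_id", "dx_codes")


def add_years(d, years):
    """Same calendar day `years` later; 29 Feb rolls to 1 Mar in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def purge_decision(account, today):
    years = RETENTION_YEARS.get(account["state"])
    if years is None:
        # Assumption: no timer on file means a human decides, never the cron job.
        return "hold_unknown_state"
    # Purge only when strictly past the timer.
    if today > add_years(account["last_activity"], years):
        return "purge"
    return "retain"


def run_purge(accounts, today, actor, ip, now=None):
    """Clear PHI on expired accounts. Returns (audit_entries, review_ids)."""
    now = now or datetime.now(timezone.utc)
    audit, review = [], []
    for acct in accounts:
        decision = purge_decision(acct, today)
        if decision == "hold_unknown_state":
            review.append(acct["id"])
            continue
        if decision != "purge":
            continue
        cleared = [f for f in PHI_FIELDS if acct.get(f) is not None]
        for f in cleared:
            acct[f] = None
        # Audit fields from the page: user, IP, action, before/after, timestamp.
        # Assumption: before/after record which fields changed, not their
        # values, so the audit log does not become a second copy of the PHI.
        audit.append({
            "user": actor,
            "ip": ip,
            "action": "phi_purge",
            "account_id": acct["id"],
            "before": {f: "present" for f in cleared},
            "after": {f: "purged" for f in cleared},
            "timestamp": now.isoformat(),
        })
    return audit, review


def sample_accounts():
    """Constructed sample data, not real records."""
    def acct(i, state, last):
        return {"id": i, "state": state, "last_activity": last,
                "patient_name": "Pat Example", "dob": "1950-01-01",
                "mbi": "CONSTRUCTED-MBI", "insurance_id": "INS-0001",
                "dx_codes": ["G47.33"]}
    return [
        acct("A1", "CA", date(2018, 5, 31)),   # 7 years elapsed: purge
        acct("A2", "FL", date(2020, 6, 1)),    # expires today: retain
        acct("A3", "NY", date(2016, 2, 29)),   # leap-day start: purge
        acct("A4", "WA", date(2010, 1, 1)),    # no timer listed: review
        acct("A5", "TX", date(2019, 1, 15)),   # inside the timer: retain
    ]


if __name__ == "__main__":
    entries, held = run_purge(sample_accounts(), date(2025, 6, 1),
                              actor="cron:phi-purge", ip="127.0.0.1")
    print([e["account_id"] for e in entries], held)
```
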

EDI 850/855/856 with McKesson, Cardinal Health, Medline — what do we build vs what does the vendor ship?

Each distributor handles EDI slightly differently. What we build per merchant:

  • Magento side — order observer that emits EDI 850 (PO) on order place, ingests EDI 855 (PO acknowledgment) to update cart-line backorder ETA, ingests EDI 856 (ASN advance ship notice) to update fulfillment status + tracking, ingests EDI 810 (invoice) for AP reconciliation. Plus exception monitoring: if an 855 doesn’t arrive within SLA, alert + retry.
  • Translator layer — we use TrueCommerce, SPS Commerce, or DiCentral as the X12 translator between Magento JSON and X12 EDI. Cost: ~$300–$1,500/mo depending on transaction volume. For very high-volume merchants (10k+ orders/mo) we roll a custom AS2 + X12 stack and skip the SaaS translator (saves ~$15k/yr at scale).
  • Distributor side — McKesson has their SupplyManager EDI program (well-documented, friendly). Cardinal has Cardinal Health Direct EDI (good docs, longer onboarding). Medline has Medline EDI (decent docs, requires their compliance review).

Typical timeline: 4–8 weeks per distributor including their sandbox certification. The first distributor takes longest because we’re building the translator pipeline; subsequent distributors take 2–3 weeks each. Henry Schein Medical and AvaCare Medical follow the same pattern.

DSCSA + FDA UDI — what does Magento need to store per SKU and per lot, and how does the recall drill work?

The DSCSA (Drug Supply Chain Security Act, now fully enforced since November 2024) plus FDA UDI (Unique Device Identification, 21 CFR 830) require traceability from manufacturer to dispensing endpoint.

Per SKU, Magento stores:

  • UDI-DI (Device Identifier, the static product identifier) — product attribute.
  • GMDN code (Global Medical Device Nomenclature) — for FDA Class I/II/III + EU MDR classification.
  • Manufacturer name + FDA registration number — product attribute.
  • Predicate device (510(k)) reference if applicable — product attribute.

Per shipped order line, Magento stores:

  • UDI-PI (Production Identifier: lot/batch, serial, expiry date, manufacture date) — captured at WMS scan, written back to the order line via webhook.
  • NDC (National Drug Code) if pharma-adjacent — per-shipment.
  • Transaction Information (TI), Transaction History (TH), Transaction Statement (TS) — DSCSA-required, stored in the order-comments + a dedicated dscsa_chain_of_custody table.

Recall drill workflow: on a Class I recall (most severe), the workflow filters orders by affected UDI-DI + lot number range, pulls every customer + ordering clinician, fires templated email/SMS/letter outreach within 24 hours, generates the FDA MedWatch 3500A reporting bundle (CSV + PDF cover letter), and tracks customer response status (returned / destroyed / no response) for the audit log. We rehearse quarterly on a synthetic lot.

B2B (hospital procurement) vs B2C (Medicare patients direct-ship) on one Magento store — feasible?

Yes, and it’s the right architecture for most medical-supplies merchants serving both channels.

B2B side (hospitals, surgery centers, urgent-care chains, LTC): PO-based ordering, Net-60 terms, GPO contract pricing via Vizient, Premier, HealthTrust, multi-step approval (requisitioner → supervisor → procurement), requisition lists for buyer reps, tier-priced catalogs (some SKUs hidden from non-contract customers), line-sheet PDF export, EDI 850 in from hospital procurement systems (Workday, Oracle, SAP Ariba) → Magento order → EDI 850 out to distributor.

B2C side (Medicare beneficiaries, home-care patients, cash-pay consumers): insurance card capture (front + back, OCR’d), prior-auth gate (above), copay collection at checkout via card-on-file, signature-on-delivery for Schedule items, automated refill subscriptions for CPAP masks / diabetes test strips / ostomy pouches via a Magento subscription extension or Recharge.

Shared infrastructure: same SKU pool with shared inventory, same admin, same WMS, same DME billing system handoff. Customer-group-aware visibility (B2B sees contract pricing + hidden SKUs, B2C sees retail price + Medicare-eligible flag). Customer-group-aware checkout (Net-60 + PO for B2B, card-only with insurance gate for B2C).

On Adobe Commerce: native B2B Companies module. On Open Source: customer-group price rules + extensions like Aheadworks B2B Suite, Amasty Company Accounts, or Magenest B2B.

Mobility aids + DME white-glove delivery — partner carriers and scheduling?

Power wheelchairs, hospital beds, lift chairs, oxygen concentrators don’t go FedEx Home Delivery — they need white-glove (assembly, fitting, in-home delivery, removal of old equipment). The carrier ecosystem is small but mature:

  • XPO Last Mile — dominant in US white-glove for medical. Native API for scheduling, delivery windows, in-home setup, debris removal. Magento integrates via REST.
  • Pilot Freight Services (now Maersk) — strong in the East Coast, good API, well-priced.
  • AGS (Ameriship Logistics) — medical-specialty white-glove. Higher cost, better fitting expertise (especially CPAP + lift chair setup).
  • Local DME couriers — many merchants run a local fleet for same-region delivery (under 200 miles) and use XPO for further routes. Magento source-selection algorithm routes to the cheapest fit-for-purpose option.

Scheduling flow: at checkout, the customer picks a delivery window (2-hour slots, 5–14 days out depending on inventory + carrier). Magento writes the slot to the order, fires a booking API call to the carrier, captures a confirmation number, sends the customer a calendar invite. If the slot needs to reschedule (carrier-side delay), the carrier’s webhook updates the order and notifies the customer.

Fitting + setup capture: white-glove carriers ship back a fitting confirmation (signature, photos of the setup, customer satisfaction note) via webhook. This is critical for Medicare compliance — without proof of delivery + fitting, the claim can be denied.

CPAP and respiratory subscriptions (mask replacement schedule, RX validation) — how does the workflow run?

CPAP supplies (masks, cushions, headgear, hoses, filters) are the highest-LTV medical-supplies category because Medicare and most commercial payers reimburse on a fixed replacement schedule:

  • Nasal cushion: 2/month
  • Full-face cushion: 1/month
  • Mask frame: 1/quarter
  • Headgear: 1/6 months
  • Hose: 1/quarter
  • Disposable filters: 2/month; non-disposable: 1/6 months

The Magento subscription workflow stores the schedule per customer per SKU, fires an auto-order on the eligible date, validates that the RX is still current (CPAP requires a valid prescription with diagnosis E66.2 or G47.33), checks in-person follow-up compliance per Medicare (90-day adherence requirement for new CPAP users), and routes the order through the standard prior-auth + EDI flow.

RX validation: RX captured as a customer-account document (PDF/JPG, encrypted at rest), expiry tracked, auto-prompt to customer to upload renewal 30 days before expiry. If RX expires, subscription pauses and customer-service is notified to follow up with the prescriber.

Adherence tracking (optional): for new CPAP users on Medicare, we integrate with ResMed myAir or Philips DreamMapper to pull modem-reported adherence data (90-day rule: 4+ hours/night for 70% of nights). Magento subscription auto-cancels if adherence fails the rule — required for Medicare reimbursement.

Subscription LTV on CPAP averages $1,800–$3,200/yr per beneficiary. The retention work is the platform job, not a sales-team job.

Multi-region — US FDA vs EU CE-mark MDR 2017/745 vs AU TGA. How does the multi-store work?

Three distinct regulatory regimes, three distinct catalogs, one Magento.

US FDA (21 CFR Part 820 quality system, FDA registration + 510(k) for Class II devices): products tagged with FDA registration number, 510(k) reference, Class I/II/III, predicate device. US store view in USD, ships with US HCPCS coding + DME billing handoff.

EU CE-mark under MDR 2017/745 (in force since May 2021, MDR transition extended to 2027/2028 for some classes): products tagged with CE certificate number, Notified Body ID (e.g. NB 0123 for TÜV SÜD), EUDAMED registration number, Basic UDI-DI. Different product attribute set than US. EU store view per locale (DE, FR, NL, IT) in EUR with VAT-included prices. EU customers see CE-marked SKUs only; FDA-only SKUs are hidden via attribute-driven catalog rules.

AU TGA (Therapeutic Goods Administration, ARTG listing required): products tagged with ARTG ID, sponsor name (the AU-registered entity). AU store view in AUD with GST. Most US-class-II devices need separate TGA conformity assessment.

Magento architecture: one product master, multiple website + store-view scopes. Each region’s catalog is filtered by attribute (fda_listed = 1, ce_marked = 1, artg_listed = 1) so a SKU shows up only in the regions where it’s legally sellable. Multi-source inventory (MSI) per warehouse: US warehouse for US store, EU warehouse for EU store, etc. Customer geo-routes via Cloudflare to the right store-view.

Shopify Markets handles the price-display side but cannot cleanly hide a SKU from one market based on regulatory class — Magento can.

Cost + timeline + your credentials (Adobe-Certified, B2B medical builds shipped)?

Realistic ranges for a US DME merchant at $1M–$10M GMV:

  • Audit (5 days): $499 fixed-fee. SKU inventory import + HCPCS gap report + payer-mix analysis + HIPAA + 21 CFR Part 820 posture review + distributor EDI readiness. Written gap report.
  • Build (6 weeks): $4,999 fixed-fee. Catalog with HCPCS mapping, 1 distributor EDI (pick McKesson, Cardinal, or Medline), prior-auth checkout for the top 5 payers, DME billing handoff to your existing system, HIPAA order layer, Hyvä storefront.
  • Custom enterprise: $40k–$200k+ depending on scope. Adds: multi-distributor EDI (+$8k–$15k per distributor), full HIPAA + 21 CFR Part 820 with quarterly mock audit (+$15k–$30k), 50+ insurer prior-auth matrix (+$20k–$40k), DSCSA full serialization (+$10k–$20k), multi-region with EU MDR + AU TGA (+$25k–$60k), GPO contract pricing (Vizient + Premier + HealthTrust, +$8k–$15k).
  • Ongoing: $2k–$6k/mo retainer for compliance ops, payer-matrix updates (payer rules change quarterly), recall-drill rehearsal, EDI exception monitoring.
  • Hosting: $600–$2,500/mo on BAA-signed hosting (AWS HIPAA-eligible, Cloudways Pro+, Magento Commerce Cloud Pro).

Credentials: Adobe-Certified Magento + Hyvä developer, 8+ years on Magento, shipped B2B medical-supplies builds for DME suppliers and hospital procurement portals across the US, UK, AU, and IN. HIPAA + 21 CFR Part 820 + DSCSA familiarity. Direct integrations done with McKesson Connect, Cardinal Health Direct, Medline, Henry Schein, Brightree, CareCloud, and NikoHealth. Free 30-min consult if a written platform-fit recommendation would help.

Edge cases: single-clinic supplier vs 200-bed hospital procurement portal — how does the same Magento serve both?

Same Magento, different sub-stacks lit up.

Single-clinic supplier (1–5 employees, <500 SKUs, <$500k GMV): Magento Open Source + Hyvä, single store-view, no B2B layer, basic HIPAA posture (encryption + BAA hosting + audit log), one distributor EDI (usually McKesson SupplyManager), DME billing handoff to whatever single system the clinic runs (often Bonafide or a spreadsheet). Total build: $5k–$15k. Ongoing: $400–$1,500/mo. The decision that matters most: don’t buy McKesson Connect’s reseller portal, because you lose customer ownership and SEO.

Mid-size DME ($2M–$10M GMV, 5,000–50,000 SKUs): Magento Open Source + Hyvä, B2B + B2C with customer-group catalogs, 1–2 distributor EDIs, full prior-auth checkout, 21 CFR Part 820 lite (design controls + CAPA + complaint handling), Brightree or CareCloud handoff, GPO membership if applicable. Total build: $25k–$70k. Ongoing: $2k–$4k/mo. This is the sweet spot for most clients I work with.

200-bed hospital procurement portal (B2B-only, contract pricing, Vizient/Premier/HealthTrust GPO): Adobe Commerce + B2B Companies module (worth the $30k+/yr Adobe Commerce license at this scale for the native multi-step approvals + requisition lists), 3–5 distributor EDIs in parallel (McKesson + Cardinal + Medline + Henry Schein + maybe AvaCare), full 21 CFR Part 820 + HIPAA + DSCSA, recall workflow with FDA MedWatch reporting, integration with the hospital’s procurement system (Workday, Oracle, SAP Ariba) via EDI 850 inbound. Total build: $80k–$300k. Ongoing: $5k–$12k/mo.

Architecture scales linearly; the difference is which modules you light up, not which platform you’re on.