Telehealth is not a trend anymore. It is a permanent channel for healthcare delivery. The market crossed $100 billion in 2025, and every health system, startup, and digital clinic is either building or buying a platform. If you are building, this guide covers what actually matters: HIPAA compliance, technical architecture, and realistic cost expectations.
Why Custom Beats Off the Shelf for Telehealth
Generic video call tools do not cut it. You need patient intake flows, provider scheduling, EHR integration, prescription workflows, and a compliance layer that touches every component. Off the shelf telehealth solutions force you into their workflow. When your clinical model does not match their assumptions, you are stuck. We have seen this pattern repeatedly in custom software versus SaaS decisions, and healthcare is where the gap is most painful.
A custom telehealth platform gives you control over the patient experience, the clinical workflow, and the data. That control is not optional when you are building a differentiated care model.
HIPAA Compliance Is Architecture, Not a Checkbox
HIPAA compliance is not something you bolt on after building. It is baked into every layer of the system. Here is what that looks like in practice:
Data at rest and in transit. Every piece of Protected Health Information (PHI) must be encrypted. AES 256 for storage, TLS 1.2+ for transit. Your database, your file storage, your backups, and your logs all need encryption. No exceptions.
Access controls. Role based access is the minimum. Providers see their patients. Admins see aggregate data. Support staff see what they need and nothing more. Every access to PHI gets logged with who, what, when, and why.
Audit trails. HIPAA requires you to track every access and modification to PHI. This means immutable audit logs, not a column called "updated_at" on your user table. We build dedicated audit tables with append only writes and separate retention policies.
Business Associate Agreements (BAAs). Every third party service that touches PHI needs a BAA. Your cloud provider, your video API, your email service, your error tracking tool. If it could see patient data, it needs a signed BAA. This eliminates a surprising number of popular developer tools.
Breach notification procedures. You need a documented plan for what happens when (not if) something goes wrong. Detection, assessment, notification to affected individuals within 60 days, and notification to HHS. Build the monitoring and alerting infrastructure to detect breaches early.
Our web application security checklist covers the general security foundations. Telehealth adds a regulatory layer on top of all of it.
Technical Architecture
A production telehealth platform has five core subsystems. Each one has to work reliably and comply with HIPAA independently.
Video and messaging infrastructure. Real time video with WebRTC, encrypted end to end. You need adaptive bitrate for patients on poor connections, screen sharing for providers reviewing imaging, and recording capabilities with encrypted storage for documentation. Build this on a HIPAA eligible video API (one that signs a BAA), not a consumer video tool.
Patient portal. Registration, intake forms, document upload, appointment scheduling, visit history, and messaging. This is the patient facing surface area. It needs to be accessible (WCAG 2.1 AA), mobile responsive, and fast on any device. Most patients will access it on their phone.
Provider dashboard. Queue management, patient charts, visit notes, e prescribe integration, and scheduling. Providers need to move fast during visits, so the interface needs to load patient context before the call starts. Pre fetch the chart, medications, allergies, and visit history.
EHR integration. HL7 FHIR is the standard. You will integrate with Epic, Cerner, or Athenahealth depending on your market. FHIR R4 APIs let you read and write patient data, but each EHR has its own quirks, rate limits, and approval processes. Budget 4 to 8 weeks just for EHR integration and certification.
Billing and insurance. Telehealth billing codes (CPT 99441 through 99443 for phone, 99201 through 99215 with modifier 95 for video) and insurance claim submission. Integration with a clearinghouse for electronic claims. This is where most teams underestimate complexity.
For a deeper look at how we approach system design at this scale, see our system architecture services.
Infrastructure Decisions
Cloud provider. AWS and Google Cloud both offer HIPAA eligible services with BAAs. Not every service within those platforms is eligible, so you need to verify each one. AWS has the broadest HIPAA eligible service list, which is why we lean toward it for healthcare projects.
Database. PostgreSQL with row level security, encrypted at rest, and connection level TLS. Separate PHI from non PHI data at the schema level so you can apply different access controls and retention policies.
Authentication. Multi factor authentication is required for providers. Patients get MFA encouraged, not forced (accessibility matters). Session management with automatic timeouts, and device trust for returning users.
Monitoring and logging. Every log that could contain PHI needs to be in a HIPAA eligible logging service. No sending patient names to a generic error tracker. Build separate logging pipelines for PHI and non PHI data from day one.
Realistic Cost Breakdown
Here is what a production telehealth platform actually costs to build:
MVP with core video visits and scheduling: $80K to $150K. This gets you video calls, basic scheduling, patient intake, provider notes, and the HIPAA compliance layer. Timeline: 12 to 16 weeks.
Full platform with EHR integration and billing: $200K to $400K. Add EHR integration, insurance billing, e prescribe, advanced scheduling with provider availability rules, and a patient mobile app. Timeline: 6 to 9 months.
Ongoing compliance and maintenance: $5K to $15K per month. Security monitoring, penetration testing, compliance audits, infrastructure management, and feature updates. HIPAA compliance is not a one time event. It requires continuous monitoring and regular risk assessments.
These numbers are for a platform built correctly from the start. We have seen teams spend more than this fixing a platform that was built without compliance in mind. Our custom software cost guide provides broader context on development pricing.
Common Mistakes We See
Treating HIPAA as a final step. Teams build the whole platform, then try to "make it HIPAA compliant." This usually means a partial rebuild. Compliance requirements affect your database schema, your hosting choices, your third party services, and your deployment pipeline. Start with compliance on day one.
Ignoring state licensing. Telehealth regulations vary by state. Some states require providers to be licensed in the patient's state, not just their own. Your platform needs location awareness and provider credential verification.
Underestimating EHR integration. Getting approved to integrate with Epic takes months. The technical work is one part. The certification, security review, and business agreements are another. Start this process early.
Building without clinical input. Engineers building telehealth platforms without clinician involvement produce tools that clinicians will not use. Include at least one practicing provider in your design process from the beginning.
Start With the Right Foundation
Telehealth is complex, but the complexity is manageable when you plan for it. The biggest risk is not technical difficulty. It is building without understanding the regulatory and clinical requirements, then discovering you need to rebuild six months in.
We build healthcare platforms with compliance baked into the architecture from day one. If you are planning a telehealth platform, tell us about your project and we will scope it properly.