
How to Build a Telemedicine App: Architecture, Compliance, and Cost

By Riya Thambiraj, 14 min read

What Matters

  • HIPAA-compliant video calls require end-to-end encryption and a signed Business Associate Agreement - consumer tools like Zoom are not compliant by default
  • EHR integration (Epic, Cerner, or Athenahealth) adds $30,000-$60,000 to build cost and 2-4 months to timeline
  • Multi-state licensing validation is the most overlooked compliance requirement - each state has different telehealth prescribing rules
  • Asynchronous care (messaging and photo review) is cheaper to build than live video and works for 60-70% of primary care use cases
  • Prescription routing to a pharmacy network adds significant scope but is required for any prescribing platform

Most software is forgiving. You ship, you iterate, you fix bugs in production. Telemedicine is not forgiving.

A HIPAA breach costs $100-$50,000 per record, per violation. A prescribing error has human consequences that no post-incident review can undo. And a video call that drops at the moment a doctor is explaining a diagnosis doesn't get a second chance.

This guide is the architecture and compliance playbook we use when building telehealth platforms. No hand-waving. No "consult a lawyer" deflections. The real decisions and the real tradeoffs.

What Telemedicine Apps Actually Do

Before the architecture, let's agree on scope. "Telemedicine app" covers a wide range:

  • Direct-to-consumer telehealth (Teladoc model): Patients pay per visit, see any available provider
  • Practice extension (your doctor's office, but remote): Existing patients see their own providers via video
  • Specialty-specific platforms (mental health, dermatology, chronic disease management): Condition-focused with async care models
  • B2B employer health (Hims & Hers model): Employers pay, employees get access
  • Remote patient monitoring (Livongo model): Continuous data collection plus periodic provider review

Each has different requirements. A direct-to-consumer platform needs a provider marketplace. A practice extension needs deep EHR integration. A specialty mental health platform needs note templates tuned to psychiatric workflows.

Define which category you're building before you touch an API.

Core Technical Architecture

Patient-Facing Features

Registration and onboarding - Collect insurance information, medical history, state of residence (for licensing validation), and consent forms. The consent layer matters: HIPAA requires documented informed consent for telehealth in many states. Build this with e-signature capture (HelloSign or DocuSign, both sign BAAs).

Appointment scheduling - Choose between on-demand (next available provider) and scheduled (pick a time). On-demand is better for urgent care and mental health crisis. Scheduled works for chronic disease management and established patient relationships. Most platforms offer both.

Video visits - See the SDK comparison below. The core requirements: provider and patient video/audio with screen share capability, visit recording (optional, with consent), chat messaging during call, and document sharing.

Async care - Text and photo-based consultations where patients submit a complaint with photos and providers respond within hours. Async is the right model for dermatology, prescription refills, and many primary care encounters. It costs less to build than live video and handles 60-70% of typical primary care volume.

Medical records access - Patients need to view their visit summaries, prescriptions, and lab results. Build this as a document viewer with controlled access - not a full PHR unless that's your core product.

Provider-Facing Features

Provider dashboard - Queue management, patient records, note-taking interface, prescription writing, and referral management. This is the most complex part of the build. Budget 30-40% of total engineering time here.

Visit documentation - SOAP notes (Subjective, Objective, Assessment, Plan) with templates for your specialty. Pre-built templates save provider time and improve documentation quality. Budget $15,000-$25,000 for a solid templating system.

Availability management - Providers set their schedules, buffer times, and appointment types. Integrate with their calendar (Google Calendar or iCal) if you're building a practice extension.

Prescribing workflow - Provider writes prescription, system validates controlled substance rules for the patient's state, routes to pharmacy. See the e-prescribing section below.

Admin and Operations

Practice management - For multi-provider platforms, you need group management, role assignment, and billing oversight.

Insurance and billing - The hardest part of telemedicine. Insurance reimbursement for telehealth varies by state, payer, and service type. The technical implementation (EDI 837 claim files, ERA remittance parsing) is genuinely complex. Most early-stage platforms use a billing clearinghouse like Waystar or Availity to abstract this. Budget $25,000-$40,000 for basic insurance billing integration.

Analytics and reporting - Visit volume, provider utilization, completion rates, patient satisfaction. Standard reporting, $10,000-$15,000.

Where telemedicine budgets expand

  • Base scope: $80K-$150K (basic telemedicine MVP) - Video visits, patient registration, scheduling, provider workflow, and HIPAA-ready storage are the minimum production surface.
  • EHR integration: +$30K-$60K - Epic, Cerner, or Athenahealth adds both cost and timeline because each deployment needs mapping, auth, and workflow testing.
  • Insurance billing: +$25K-$40K - Claims, remittance handling, and payer workflow logic are usually the most underestimated operational build item.
  • E-prescribing: +$20K-$30K - Prescription routing, state-specific validation, and controlled-substance workflows add a separate compliance track.
  • Licensing validation: +$15K-$25K - Multi-state provider verification is where many teams get caught flat-footed after launch.

HIPAA overhead is not a line item you can trim later. Vendor BAAs, audit logging, security review, and access controls change the architecture from day one.

HIPAA Compliance: The Non-Negotiable Layer

HIPAA is not a checkbox. It is a design philosophy. Every architectural decision gets run through the same question: does this put Protected Health Information (PHI) at risk?

What Counts as PHI

Name, date of birth, address, phone number, email, SSN, medical record number, health plan ID, account numbers, biometric identifiers (fingerprints, retinal scans), full-face photos, IP addresses in certain contexts, and any other identifier that could connect a health condition to a specific person.

Most of your app's data is PHI. Design accordingly.

Technical Safeguards Required

Encryption at rest and in transit - All PHI stored in your database must be encrypted. All data in transit must use TLS 1.2 or higher. This is table stakes - any serious cloud provider gives you this with minimal configuration. The risk is in the gaps: log files, backups, error messages that might include PHI.

Access controls - Role-based permissions (providers see their patients, admins see all, patients see only their own data). Session timeout after 15-30 minutes of inactivity. Multi-factor authentication for providers.

Audit logs - Every access, modification, and deletion of PHI must be logged with timestamp, user ID, and action. Logs must be retained for 6 years and protected from modification. AWS CloudTrail plus a structured logging system handles this well.
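"Protected from modification" is the part teams usually hand-wave. As an added example (not from the original article or any vendor SDK), this Python audit trail records the timestamp, user ID, action and resource for each PHI event and chains entries with SHA-256 so that any later edit, deletion or reordering is detectable; the resource identifiers in the comments are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first entry

ACTIONS = ("view", "create", "update", "delete", "export")


class AuditLog:
    """Append-only trail of PHI access. Each entry's SHA-256 covers the
    previous entry's hash plus its own canonical JSON, so editing, deleting
    or reordering any stored entry breaks verification from that point on.
    In production, write entries to write-once storage and publish the head
    hash somewhere the app cannot overwrite, so a compromised host cannot
    quietly rebuild the whole chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, fields):
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def record(self, user_id, action, resource, ts=None):
        """Append one PHI event (who, what, which record, when); return its hash."""
        if action not in ACTIONS:
            raise ValueError(f"unknown audit action: {action}")
        fields = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "action": action,
            "resource": resource,  # e.g. "patient/P-1001/visit/V-7" (constructed id)
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(fields, hash=self._digest(prev, fields))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first entry
        whose hash no longer matches its content and predecessor."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(prev, fields) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1
```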

Business Associate Agreements (BAAs) - Every vendor that touches PHI must sign a BAA. This includes your cloud provider (AWS, Google Cloud, Azure all offer BAAs), your video SDK provider, your payment processor, your analytics platform, and your support ticketing system. If a vendor won't sign a BAA, you cannot use them for anything touching PHI.

Risk assessment - HIPAA requires a documented security risk analysis covering threats, vulnerabilities, and mitigations. This is a real document, not a template exercise. Budget $5,000-$15,000 for a security firm to conduct this if you don't have internal expertise.

The BAA Checklist

Before you select any vendor, confirm they will sign a BAA:

  • Video SDK: Daily.co (yes), Twilio (yes), Vonage (yes), Zoom Healthcare (yes, standard Zoom no)
  • Cloud: AWS (yes), GCP (yes), Azure (yes), generic hosting (probably not)
  • Analytics: Segment HIPAA plan (yes), standard Mixpanel (no), Amplitude Healthcare tier (yes)
  • Payment: Stripe (yes, but PHI must not touch their servers), Braintree (yes)
  • Support: Zendesk for Healthcare (yes), standard Zendesk (no)

Using non-BAA vendors for PHI-adjacent workflows is the most common HIPAA gap in early-stage telehealth startups.

Choosing Your Video Infrastructure

The practical video SDK choice

All three options can work. The right call depends on whether you need speed, deep control, or low per-minute cost at scale.

  • Daily.co - $0.01-$0.04 / participant minute. Fastest path to a working telemedicine visit flow. The API is cleaner and the implementation burden is lower. Best for: teams shipping an MVP quickly without custom network-routing requirements. Watch for: you get less infrastructure-level control than Twilio, so it is not the best fit for highly custom multi-party workflows.
  • Twilio Video - $0.004 / participant minute. More flexible for recording, composition, and complex call experiences, but the engineering surface is meaningfully larger. Best for: complex provider workflows such as group therapy, consultations with observers, or heavier customization. Watch for: the setup is more exacting and HIPAA-safe deployment depends on getting the full configuration right.
  • Amazon Chime SDK - $0.0017 / attendee minute. Cheapest at high volume and attractive if your stack already lives inside AWS. Best for: teams already committed to AWS that care about infrastructure leverage and scale economics. Watch for: developer experience is rougher than Daily or Twilio, so the lower runtime cost can be offset by build complexity.

Option 1: Daily.co

Cost: $0.01-$0.04/participant minute. $99/month minimum.

Why it works: Simplest API in the space. Their HIPAA-compliant plan includes BAA signing. SDK is well-documented. Custom UI is straightforward.

Limitation: Less control over infrastructure than Twilio. Network routing is managed, not configurable.

Best for: Teams that want to move fast and don't need custom video network routing.

Option 2: Twilio Video

Cost: $0.004/participant minute (Group Rooms). More complex pricing for large deployments.

Why it works: More control over recording, composition, and network topology. Strong documentation and community.

Limitation: More engineering effort to get right. HIPAA compliance requires a specific setup and signed BAA.

Best for: Teams building complex multi-participant workflows (group therapy, case conferences).

Option 3: Amazon Chime SDK

Cost: $0.0017/attendee minute. Cheapest at scale.

Why it works: Native integration with AWS infrastructure. Strong if you're already deep in the AWS ecosystem.

Limitation: More complex setup. Documentation is solid but the SDK is less developer-friendly than Daily or Twilio.

Best for: Platforms expecting very high call volume where per-minute costs matter significantly.

EHR Integration: Do You Need It Day One?

Honest answer: probably not.

EHR integration (Epic, Cerner, Athenahealth) is the single biggest scope addition you can make. It costs $30,000-$60,000 in development, adds 2-4 months to your timeline, and requires extensive testing with each health system's specific configuration.

You need EHR integration when:

  • You're selling to hospitals or health systems that require it for their workflows
  • Your clinical protocols depend on accessing a patient's medication history or problem list in real time
  • You're applying for reimbursement under value-based care programs that require claims data reconciliation

You don't need it when:

  • You're building a direct-to-consumer platform with no existing patient relationships
  • Your providers use your platform as a standalone practice
  • Your focus is async care where real-time EHR data is not part of the workflow

Most telemedicine startups launch without EHR integration and add it in year two when they start selling to health systems.

E-Prescribing: The Details Nobody Talks About

If providers on your platform prescribe medications, you need a certified e-prescribing integration. "Certified" means DEA EPCS (Electronic Prescribing for Controlled Substances) compliant for Schedule II-V drugs, and compliant with state prescribing laws.

The integration requires:

  • A prescribing network partner (Surescripts is the dominant network)
  • State-by-state controlled substance validation (each state has different rules for telemedicine prescribing)
  • Two-factor authentication for providers when prescribing controlled substances
  • Prescription routing to patient's preferred pharmacy

DrFirst is the most common middleware layer for teams that don't want to build directly on Surescripts. Their API is documented and they handle the network complexity. Expect $20,000-$30,000 in development plus $2,000-$4,000/month in licensing.

State Licensing Validation

This is the most overlooked compliance requirement in telemedicine.

Providers must be licensed in the patient's state at the time of service. Not their home state. Not the state where they practice in-person. The patient's state.

Your platform must:

  1. Capture patient state at registration
  2. Validate each provider's license status in that state before allowing a visit
  3. Block visits where the provider is not licensed (or show only providers who are)

The technical implementation requires a licensing database - either built internally or sourced from a provider like Nursys (nursing), Federation of State Medical Boards (physicians), or a licensing verification service like Modio or Medallion.

Budget $15,000-$25,000 for a solid licensing validation system. Build it wrong and you're liable for unlicensed medical practice.
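The three steps above as a gate the scheduler and booking flow can share, added here as an example that is not code from the original article. It assumes license records have already been pulled from a verification source (Nursys, FSMB, Modio or Medallion), and it fails closed on anything expired, suspended, missing in the patient's state, or verified too long ago; the roster and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class License:
    state: str         # issuing state, two-letter code
    status: str        # as reported by the verification source
    expires: date
    verified_on: date  # when the board/verification service last confirmed it

@dataclass(frozen=True)
class Provider:
    provider_id: str
    home_state: str    # recorded, but deliberately not used in the decision
    licenses: tuple

def licensed_in(provider, patient_state, on_date, max_age=timedelta(days=30)):
    """True only if the provider holds an active, unexpired license in the
    PATIENT's state and that status was verified within max_age. Anything
    missing, expired, suspended or stale fails closed."""
    patient_state = patient_state.strip().upper()
    for lic in provider.licenses:
        if lic.state.upper() != patient_state:
            continue
        if lic.status != "active" or lic.expires < on_date:
            continue
        if on_date - lic.verified_on > max_age:
            continue  # stale: re-verify before relying on it
        return True
    return False

def authorize_visit(provider, patient_state, on_date):
    """Gate for the booking step: (allowed, reason)."""
    if licensed_in(provider, patient_state, on_date):
        return True, "licensed"
    return False, f"{provider.provider_id} not licensed in {patient_state.upper()} on {on_date}"

def eligible_providers(providers, patient_state, on_date):
    """The 'show only providers who are licensed' variant for the scheduler."""
    return [p.provider_id for p in providers if licensed_in(p, patient_state, on_date)]

# Constructed sample roster; real data would come from the verification source.
TODAY = date(2025, 6, 1)
ROSTER = (
    Provider("dr-a", "NY", (
        License("NY", "active", date(2026, 12, 31), date(2025, 5, 20)),
        License("NJ", "active", date(2024, 12, 31), date(2025, 5, 20)),  # expired
    )),
    Provider("dr-b", "CA", (
        License("CA", "active", date(2027, 3, 31), date(2025, 5, 25)),
        License("TX", "active", date(2027, 3, 31), date(2025, 1, 10)),   # stale check
        License("NJ", "suspended", date(2026, 6, 30), date(2025, 5, 30)),
    )),
)
```

Note that dr-a's home state never enters the decision: a New York provider seeing a New Jersey patient is blocked unless the New Jersey license is active and current.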

Build Plan: 12-Week MVP

Here is the sequenced build for a basic telemedicine MVP:

The 12-week MVP sequence

This is the order that keeps teams out of the common trap: building a pretty visit flow before the compliance and provider foundations exist.

  1. Weeks 1-3: Foundation (security first) - Infrastructure, encryption, auth, provider onboarding, and the PHI-safe data model.
  2. Weeks 4-6: Core visit flow (patient + provider journey) - Scheduling, video, basic provider dashboard, and SOAP-note capture.
  3. Weeks 7-9: Compliance + clinical (risk control) - Licensing validation, consent capture, audit logging, and provider availability controls.
  4. Weeks 10-12: Launch prep (operational hardening) - Records view, notifications, admin tooling, penetration test, and final BAA verification.

This gets you to a working telehealth platform in 12 weeks. Not feature-complete. Working. From here, you add EHR integration, insurance billing, and e-prescribing as separate phases.

The Mistakes Teams Make

Using non-BAA tools because they're faster. Teams under pressure grab Calendly for scheduling or standard Zoom for video calls. Both are HIPAA violations waiting to happen. The fix takes a sprint. The breach investigation takes months.

Building the provider experience last. Provider dashboards are where visits actually happen. Underinvesting here means providers have a terrible experience and the platform fails not from patient adoption but from provider attrition.

Skipping state licensing validation. It seems like a detail until your first out-of-state visit triggers a licensing board complaint.

Assuming async care is simpler than video. Async care has its own compliance requirements (documented response time SLAs, escalation protocols, coverage for when a provider is unavailable). It's a different product, not a simpler one.

Under-specifying the note-taking system. Generic text fields for clinical notes create liability. Build structured note templates with the clinical team from day one.

What to Build vs. What to Buy

Feature                  | Build? | Buy from
Video infrastructure     | No     | Daily.co, Twilio, Chime
Scheduling engine        | Maybe  | Calendly BAA plan, Acuity
E-prescribing            | No     | DrFirst, Surescripts partner
Insurance billing        | No     | Waystar, Availity
Provider credentialing   | No     | Modio, Medallion
Patient portal           | Build  | -
Provider dashboard       | Build  | -
Clinical note templates  | Build  | -
Licensing validation     | Build  | Nursys API + custom logic

The principle: build what differentiates your clinical workflow. Buy infrastructure and compliance tools where established vendors have regulatory relationships that would take you years to build.

That's how you ship a production-grade telemedicine platform in 12 weeks instead of 18 months.

Frequently asked questions

A basic telemedicine MVP with video calls, patient registration, scheduling, and HIPAA-compliant storage costs $80,000-$150,000. A full platform with EHR integration, prescription routing, multi-specialty workflows, and insurance billing costs $200,000-$500,000. Timeline is 4-8 months depending on scope.
