Build a HIPAA-Compliant Telemedicine App in 2026
An engineering blueprint for video, clinical workflow, ePrescribing, and the architecture that ships without an OCR settlement
Covers: BAA-eligible video stack · Cross-state licensure gating · EPCS-ready prescribing
By Garvita Amin · Healthcare Technology Experts
May 14, 2026 · 14 min read
Telemedicine looks deceptively simple from the outside — a Zoom call, a chart entry, a prescription. The compliance underneath is dense. Every session crosses HIPAA, state telehealth laws, DEA prescribing rules, and a tangle of vendor BAAs. The teams that ship telemedicine cleanly design the pipeline around those constraints on day one; the teams that don't end up with an OCR settlement, a state board complaint, or a paused DEA registration. This guide is the engineering version: which video stack actually qualifies, how to gate cross-state licensure, what EPCS requires, and the architecture that holds up under audit.
What a HIPAA-Compliant Telemedicine App Actually Has to Do
HIPAA is the floor, not the ceiling. A telemedicine app sits at the intersection of three regulatory regimes, and you need all three working before you can take a paying patient. The Security Rule governs the technical safeguards on PHI in transit and at rest. State telehealth laws govern who can practice, how recordings are handled, and how parity with in-person care works. The Drug Enforcement Administration governs the prescribing pathway whenever a controlled substance is on the table.
The good news: most of the heavy lifting is shared with any HIPAA-compliant healthcare app. If you have the foundations from our HIPAA-compliant healthcare app guide, you already have most of what telemedicine needs. The telemedicine-specific work is in three places: the live media pipeline (video, audio, chat), the licensure gate that decides whether this clinician can see this patient right now, and the prescribing workflow.
HIPAA-compliant telemedicine is a stack of three pipelines layered together: media (live video + audio + chat), workflow (intake → consult → notes → prescribe → bill), and identity (clinician licensure + patient identity + DEA registration). Each pipeline has its own BAA and audit story.
The 2026 lay of the land
Pandemic-era flexibilities for telehealth prescribing of controlled substances were extended again by the DEA in late 2024, and the special-registration framework that followed is stricter for Schedule II than for Schedule III–V. On the HIPAA side, the Security Rule NPRM that HHS published in January 2025 proposes to make encryption and MFA required rather than addressable; both hit telemedicine harder than other modalities because of the volume of media and identity flows. Whatever the final rule says on the day you launch, plan for the stricter version; it is not going back.
The Four Data Flows You Must Encrypt
Every telemedicine session moves PHI through four distinct channels. Treat each one as its own at-rest + in-transit story; the encryption details for each are covered in our HIPAA PHI encryption guide.
Video stream. Patient and clinician faces, environment, body language. Media is encrypted on the wire with DTLS-SRTP (WebRTC) or the vendor's TLS. Be precise about what that covers: in a direct peer-to-peer call it is end to end, but as soon as an SFU or a recording service sits in the path, that server decrypts and re-encrypts every frame, so it is inside your PHI perimeter and needs a BAA; true end-to-end media encryption through a server needs an extra layer such as insertable streams / SFrame. Recordings at rest are AES-256.
Audio stream. Same channel as video for most stacks. Watch for separate dial-in fallbacks: a PSTN leg is unencrypted on the carrier network and the carrier is typically not under BAA, so a dial-in option quietly moves the audio outside your compliant perimeter.
Chat. In-session messaging, file share, screen share annotations. TLS 1.3 in transit, AES-256 at rest, audit log per message.
Clinical records. Notes, vitals, attachments, follow-up plans. Standard PHI-at-rest controls plus column-level encryption for high-sensitivity fields.
Common Trap — "The video vendor handles encryption"
Vendor encryption protects the wire. It does not handle your recording storage, your transcript pipeline, your chat archive, or the metadata you log around the session. Each of those is a separate PHI store that needs its own encryption + access control + audit log story.
Picking a Video Stack That Qualifies
The video layer is the most expensive thing to swap later. Pick on three axes: BAA coverage and scope, control you need over media routing, and the recording / transcription story. The shortlist:
| Stack | BAA | Best For | Watch Out For |
|---|---|---|---|
| Zoom for Healthcare | Yes | Fastest time-to-market | Consumer Zoom tiers do not qualify |
| Twilio Programmable Video | Yes | Embedded SDK, custom UX | Recording storage is a separate config |
| Daily.co | Yes (Scale tier) | Modern WebRTC API, low latency | BAA on Scale tier only |
| Doxy.me | Yes | Browser-only, no install | Limited SDK customization |
| Vonage Video API | Yes | Enterprise scale + recordings | Heavier integration |
| Self-hosted WebRTC (Pion, mediasoup) | You are the vendor; BAA with your cloud provider | Full control, EU residency | You own all controls + audit |
| Consumer Zoom / Google Meet / FaceTime | No | — | No BAA; never for PHI |
Self-hosting WebRTC sidesteps the per-minute video vendor cost and gives you the region-pinning that some EU customers require, at the cost of owning the entire compliance perimeter yourself. TURN servers, signaling, the SFU, recording storage, transcoding and observability each need BAA-eligible infrastructure and their own audit log. Note the asymmetry: a TURN relay only forwards SRTP ciphertext, while an SFU or recorder holds the media keys and sees plaintext frames, so those hosts get the strictest access controls and the most careful logging.
Recording Capability ≠ Permission to Record
Most BAA-covered video vendors can record. That does not give you legal cover to record. State law on recording consent is separate and stricter than HIPAA — covered in §5 below.
The Clinical Workflow, End to End
A telemedicine session looks like one event from the outside. Inside, it is six or seven discrete steps, each of which produces or consumes PHI and each of which needs its own integrity story.
Key numbers: 6+ clinical workflow steps per session · 6 years minimum audit retention · 11 two-party-consent US states
1. Patient intake and identity verification
Identity is the foundation of everything else. Verify name, date of birth, insurance, and state of physical location at intake, and re-capture the state of location at every session start; that field is what your licensure gate runs against. For ePrescribing-enabled accounts, intake is also where you collect the identity proofing data the DEA will eventually want.
2. Pre-consult: queue, vitals, symptom intake
If your app collects vitals (BP cuff, pulse ox, glucose meter) or a symptom questionnaire, that data is PHI from the second it leaves the patient's device. Encrypt it in transit, store it in the same PHI-eligible database as the rest of the chart, and log every read.
3. Live consult: video + chat + screen share
The encrypted media stream from §3 is only part of this step. The clinician also wants to pull up the chart, share a screen, drop links in chat, and possibly invite a translator or a family member. Each entrant is a session participant who needs audit-logged access; each shared artifact is a PHI exposure decision.
4. Clinical notes (manual or AI scribe)
Notes are PHI. AI scribes — Abridge, DAX, Suki, or in-house — are increasingly the default. The rules for AI scribes in healthcare are the same as for any AI feature on PHI: BAA-covered model, zero-retention configured, encryption end-to-end, audit log per call. Our HIPAA Compliant AI guide covers the whole stack.
5. ePrescribing
Standard ePrescribing for non-controlled substances integrates with Surescripts or a similar network. Controlled substances (Schedule II–V) require EPCS — an entirely separate pathway with identity proofing, two-factor signing, and DEA registration. See §6.
6. Billing and coding
Use the correct telehealth CPT modifiers (typically –95 or –GT depending on payer). Billing data combined with diagnosis codes is PHI. Most payment processors are PCI-scope only; a billing pipeline that also touches diagnosis codes needs a BAA with whoever sees that data — including your accounting system.
7. Post-consult follow-up
Care plan delivery, lab orders, follow-up scheduling, secure messaging. Every channel is a PHI flow, and secure messaging is where the record most often goes missing: a patient believes a message reached their clinician, and nothing on either side can prove it. Your secure-messaging archive must satisfy the same retention and access controls as the chart itself; audit logging patterns are in our HIPAA audit logging deep dive.
The Cross-State Licensure Problem (And the Recording Consent Trap)
The single biggest difference between telemedicine and in-person care is jurisdictional: the clinician must be licensed in the state where the patient is physically located at the moment of the visit. That state can change between visits, and patients travel. A licensure check at signup is not enough; you need a check at session start.
Building the licensure gate
At session start, capture the patient's current state (geolocation with consent, or self-report at minimum), and gate the consult: if the clinician is not licensed there, route to a clinician who is, or decline the visit with a clear message. Maintain a database of which clinicians are licensed in which states, with expiration tracking, and fail closed when the state of location is missing or a license has lapsed. The Interstate Medical Licensure Compact (IMLC) covers 40+ states and gives clinicians an expedited path to full licenses in member states; it is not a single multistate license, so you still hold and verify a license per state and check its status each session.
Two-party consent for recording
HIPAA does not require consent for recording, but state recording and wiretap statutes do, and eleven US states are commonly listed as all-party (two-party) consent jurisdictions: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington. The count and membership vary by source because some statutes treat in-person, telephone and electronic conversations differently, so have counsel confirm the list you ship. In those states, both patient and clinician must explicitly agree before recording starts. If either party is in a two-party state, apply the two-party rule to the whole session.
Practically: capture consent in the intake flow, re-confirm at session start, default the recording switch to OFF, and never permit a clinician to enable it unilaterally.
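The two session-start decisions above, the licensure gate and the recording-consent rule, as one added example. This is not code from the original article: the clinician roster, license dates and the `max_verification_age_days` freshness rule are constructed assumptions, and `ALL_PARTY_CONSENT_STATES` simply mirrors the list given in this section, which your counsel must confirm. The gate fails closed on an unknown state of location, an expired license, or a license whose primary-source verification is stale, and the recording rule never lets a clinician enable recording alone.

```python
"""Session-start policy gate: licensure check plus recording-consent check.

Added example; not code from the original article. The clinician roster,
license dates and state list below are constructed sample data, and the
all-party-consent list mirrors the article's list, which must be confirmed
with counsel before use.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable, Optional

# Article's list of two-party (all-party) consent states; confirm with counsel.
ALL_PARTY_CONSENT_STATES = frozenset(
    {"CA", "CT", "FL", "IL", "MD", "MA", "MT", "NH", "OR", "PA", "WA"}
)


@dataclass(frozen=True)
class License:
    clinician_id: str
    state: str
    expires: date
    verified_on: date  # last primary-source check (state board / IMLC lookup)


class Decision(Enum):
    ALLOW = "allow"      # this clinician may see this patient now
    ROUTE = "route"      # hand off to a clinician licensed in the patient's state
    DECLINE = "decline"  # nobody on the roster is licensed there, or state unknown


@dataclass(frozen=True)
class GateResult:
    decision: Decision
    clinician_id: Optional[str]
    reason: str


class LicensureGate:
    """Evaluates clinician-state licensure at every session start, failing closed."""

    def __init__(self, licenses: Iterable[License], max_verification_age_days: int = 30):
        self._licenses = list(licenses)
        self._max_age = max_verification_age_days

    def _valid(self, lic: License, today: date) -> bool:
        # Expired licenses and stale primary-source verifications both fail closed.
        return lic.expires >= today and (today - lic.verified_on).days <= self._max_age

    def licensed_in(self, clinician_id: str, state: str, today: date) -> bool:
        return any(
            lic.clinician_id == clinician_id and lic.state == state and self._valid(lic, today)
            for lic in self._licenses
        )

    def evaluate(self, clinician_id: str, patient_state: str, today: date) -> GateResult:
        if not patient_state:
            # No state of location means no basis for a licensure check: decline.
            return GateResult(Decision.DECLINE, None, "patient state of location unknown")
        if self.licensed_in(clinician_id, patient_state, today):
            return GateResult(Decision.ALLOW, clinician_id, f"licensed in {patient_state}")
        alternates = sorted({
            lic.clinician_id for lic in self._licenses
            if lic.state == patient_state and self._valid(lic, today)
        })
        if alternates:
            return GateResult(Decision.ROUTE, alternates[0],
                              f"{clinician_id} not licensed in {patient_state}; routed")
        return GateResult(Decision.DECLINE, None, f"no clinician licensed in {patient_state}")


def recording_allowed(patient_state: str, clinician_state: str,
                      patient_consent: bool, clinician_consent: bool) -> bool:
    """Recording defaults to OFF. If either party is in an all-party-consent state,
    both must have affirmatively consented in this session. Elsewhere the patient
    must still opt in, so a clinician can never enable recording unilaterally."""
    strict = (patient_state in ALL_PARTY_CONSENT_STATES
              or clinician_state in ALL_PARTY_CONSENT_STATES)
    if strict:
        return patient_consent and clinician_consent
    return patient_consent


# Constructed sample roster: dr_c's CA license has lapsed and dr_d's WA license
# was last verified too long ago, so both must fail the gate.
TODAY = date(2026, 5, 14)
SAMPLE_LICENSES = [
    License("dr_a", "OR", date(2027, 6, 30), date(2026, 5, 1)),
    License("dr_b", "CA", date(2027, 6, 30), date(2026, 5, 1)),
    License("dr_c", "CA", date(2026, 1, 31), date(2026, 5, 1)),
    License("dr_d", "WA", date(2027, 6, 30), date(2026, 1, 1)),
]
GATE = LicensureGate(SAMPLE_LICENSES)

if __name__ == "__main__":
    for clinician, state in [("dr_a", "OR"), ("dr_a", "CA"), ("dr_a", "WA"), ("dr_a", "")]:
        print(clinician, state or "<unknown>", GATE.evaluate(clinician, state, TODAY))
    print("record CA/OR, both consent:", recording_allowed("CA", "OR", True, True))
    print("record CA/OR, patient only:", recording_allowed("CA", "OR", True, False))
```

Run it and `dr_a` seeing a patient in Oregon is allowed, a patient in California is routed to `dr_b` (not to `dr_c`, whose license expired), a patient in Washington is declined because `dr_d`'s verification is stale, and a missing state is declined outright. Keep this a service with a versioned license table rather than a helper buried in the session code; the same `evaluate` call belongs in front of every prescription, not just session start.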
Geolocation is PHI Too
If you store the patient's captured geolocation alongside their identity, that is PHI. Encrypt it, audit access to it, retain it under the same rules as the rest of the chart.
ePrescribing and EPCS (The DEA Side of the House)
Non-controlled prescriptions over telemedicine are easy: integrate Surescripts, use NCPDP SCRIPT, and route the prescription to the patient's pharmacy of choice. Controlled substances are a separate world.
EPCS — what the DEA actually requires
For Schedule II–V prescriptions, 21 CFR Part 1311 requires: identity proofing of the prescriber (the rule text cites NIST SP 800-63 Assurance Level 3, which current guidance maps to IAL2), two-factor authentication at the moment of signing using two of the three factor types, one of them a hard token separate from the signing computer or a biometric, an audit trail of every prescription, and an EPCS application that has passed the third-party audit or certification the rule requires. The prescriber must also hold a DEA registration, but that registration does not stand in for the application's audit or certification. The pandemic-era flexibility that allowed telemedicine prescribing of controlled substances without an in-person visit was extended again in late 2024, but the underlying EPCS technical requirements never went away; they just lived behind the visit requirement.
In-person visit requirements (current status)
As of 2026, the DEA Special Registration for telemedicine permits limited telehealth prescribing of Schedule III–V substances without an in-person visit, with stricter conditions for Schedule II. The exact rule has changed three times in three years; build your workflow with a feature-flag-style policy layer so you can adjust the in-person requirement per substance, per state, and per regulatory update without redeploying core code.
Out-of-scope is fine; in-scope is mandatory
If your app does not prescribe controlled substances, you do not need EPCS. The moment a clinician on your platform wants to prescribe a single Schedule IV anxiolytic, the whole EPCS apparatus has to be in place. Plan that boundary deliberately.
Integrations: EHR, Payments, Scheduling, E-Signature
Telemedicine apps rarely live in isolation. Each external system you connect to is a BAA decision and a PHI flow.
| System | PHI Touches | BAA Needed | Notes |
|---|---|---|---|
| EHR (Epic, Cerner, athena) | Always | Yes | Use FHIR R4; Bulk FHIR for sync |
| Surescripts (ePrescribing) | Always | Yes | EPCS for controlled |
| Payment processor | Maybe (claim line items) | If claim data flows | Stripe BAA on enterprise (confirm in writing); isolate claim data |
| Scheduling (Calendly etc.) | Maybe (visit reason) | If visit reason is PHI | Most consumer schedulers do not BAA |
| E-signature (DocuSign, HelloSign) | Usually | Yes, if documents carry PHI | Enterprise tier only |
| Identity verification (ID.me, Persona) | Always | Yes | Required for EPCS IAL2 |
| Observability (Datadog, Sentry) | If logs include PHI | Yes, unless redacted at source | Enterprise tier; redact at source |
The compliance baseline is always the same shape: every vendor whose systems touch PHI must sign a BAA, and you need to be able to map every PHI flow on a whiteboard. The mechanics of vendor BAAs are covered in our BAA vs HIPAA explainer.
The Telemedicine Launch Checklist
Walk this before your first paying patient. Every line maps to a control an OCR or state-board investigator will ask about.
BAA signed with the video vendor, the EHR, the AI scribe, the e-signature provider, and observability
Video, audio, chat, and clinical records all encrypted in transit (TLS 1.2+) and at rest (AES-256)
Recording defaults to OFF; explicit two-party consent captured per session in applicable states
Licensure database with expiration tracking; clinician-state gate runs at session start
Patient state-of-location captured at session start; routing logic to a licensed clinician or polite decline
Identity proofing for clinicians (NIST IAL2) if EPCS is in scope
EPCS workflow with prescriber DEA registration, an audited or certified EPCS application, two-factor signing, and a prescription audit trail (if prescribing controlled substances)
Audit log per session: start/end, participants, devices, IPs, recording flag, EHR sync events
Telehealth-eligible CPT modifiers in billing; BAA with anything that sees claim-plus-diagnosis pairs
Risk analysis updated to cover video, ePrescribing, and cross-state operations
Incident response plan covers recording leak, vendor breach, dropped session mid-emergency
Patient-facing notices: telehealth informed consent, recording consent, emergency-care limitations
Mistakes That Get Telemedicine Startups in Trouble
Mistake 1: Using consumer Zoom "just for demos"
A demo with a real patient is not a demo. OCR's pandemic-era enforcement discretion that tolerated FaceTime and consumer Zoom for telehealth ended in 2023, so a clinician who uses those tools to "quickly see" a patient who couldn't join the official app has sent PHI to a vendor with no BAA, which is a reportable breach. Block consumer tools on managed devices (MDM and network policy), make the official path the easiest one, or accept the breach.
Mistake 2: No state-of-location field at session start
You licensed the clinician for the state the patient lives in. The patient is calling from a hotel in another state on a business trip. Without an at-session location check, the clinician has just practiced medicine in a state where they hold no license, and state boards have taken action on exactly these facts.
Mistake 3: Recording without explicit two-party consent
Even if your TOS includes a recording clause, two-party-consent states want explicit, in-session, affirmative consent. A pre-checked TOS checkbox is not affirmative consent in California or Massachusetts.
Mistake 4: Letting AI scribe transcripts leak to non-BAA logs
The transcript pipeline is just another AI feature on PHI. If the transcript model's error logs ship to a non-BAA observability tool, the observability tool is now PHI infrastructure. Redact at source or use a BAA-covered observability tier.
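"Redact at source" for the observability row in the integrations table and for this mistake, as an added example that is not code from the original article. It is a `logging.Filter` that sits on the handler shipping to a non-BAA tool: structured fields pass through an allowlist (anything unknown is assumed to be PHI), patient and clinician identifiers are replaced by a keyed pseudonym so incidents can still be correlated, and free-text messages get a regex backstop for the obvious shapes. The allowlist, the pseudonymization key, the patterns and the sample scribe error record are all constructed assumptions; tune them to your schema.

```python
"""Redact-at-source log filter for records that leave the BAA boundary.

Added example; not code from the original article. The field allowlist, the
pseudonymization key, the regex backstops and the sample scribe error record are
all constructed assumptions; tune them to your own schema.
"""
import hashlib
import hmac
import logging
import re
from typing import Dict, Tuple

# Assumption: KMS-held in production; constructed for the demo. Rotating it
# breaks cross-period correlation, which is usually the intent.
PSEUDONYM_KEY = b"demo-pseudonym-key-not-for-production"

# Allowlist, not denylist: only fields known to carry no PHI pass through as-is.
ALLOWED_FIELDS = frozenset({"event", "session_id", "status", "latency_ms", "model"})
# Identifiers we still want to correlate on, but never in the clear.
PSEUDONYMIZED_FIELDS = frozenset({"patient_id", "clinician_id"})

# Backstop patterns for free-text messages; deliberately broad (all ISO dates, for DOBs).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # SSN-shaped
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),           # ISO date (DOB)
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),     # phone number
    re.compile(r"\bMRN[:=]?\s*\w+", re.IGNORECASE),  # medical record number
]
REDACTED = "[REDACTED]"


def pseudonymize(value) -> str:
    """Keyed hash so one patient correlates across records without exposing the ID."""
    return hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def scrub_fields(fields: Dict[str, object]) -> Dict[str, object]:
    out = {}
    for key, value in fields.items():
        if key in ALLOWED_FIELDS:
            out[key] = value
        elif key in PSEUDONYMIZED_FIELDS:
            out[key] = pseudonymize(value)
        else:
            out[key] = REDACTED  # unknown field: assume PHI (transcript, dob, notes...)
    return out


def scrub_text(message: str) -> str:
    for pattern in FREE_TEXT_PATTERNS:
        message = pattern.sub(REDACTED, message)
    return message


class PHIScrubFilter(logging.Filter):
    """Attach to the handler that ships to a non-BAA observability tool."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args first so interpolated PHI cannot bypass the text scrub.
        record.msg = scrub_text(record.getMessage())
        record.args = ()
        if hasattr(record, "fields"):
            record.fields = scrub_fields(record.fields)
        return True


def scrub_record(message: str, args: tuple,
                 fields: Dict[str, object]) -> Tuple[str, Dict[str, object]]:
    """Run one record through the filter and return what would reach the sink."""
    record = logging.LogRecord("scribe", logging.ERROR, "scribe.py", 0, message, args, None)
    record.fields = fields
    PHIScrubFilter().filter(record)
    return record.getMessage(), record.fields


# Constructed sample: an AI-scribe failure that a naive logger would ship verbatim.
SAMPLE_MESSAGE = "transcription failed for MRN %s (DOB %s), callback %s"
SAMPLE_ARGS = ("A1B2C3", "1980-02-01", "555-123-4567")
SAMPLE_FIELDS = {
    "event": "scribe_transcribe_failed",
    "session_id": "sess-0001",
    "patient_id": "pt_42",
    "model": "scribe-v3",
    "latency_ms": 4120,
    "transcript": "Patient reports chest pain since Tuesday...",
    "dob": "1980-02-01",
}


def scrub_sample() -> Tuple[str, Dict[str, object]]:
    return scrub_record(SAMPLE_MESSAGE, SAMPLE_ARGS, SAMPLE_FIELDS)


if __name__ == "__main__":
    msg, fields = scrub_sample()
    print(msg)
    print(fields)
```

The regexes are a backstop, not the control: the control is that the transcript, the DOB and any other unlisted field never reach the record as plaintext, which the allowlist enforces without knowing what PHI looks like. The filter also renders `%`-style arguments before scrubbing, because PHI passed as a log argument would otherwise be interpolated after the message had been checked.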
Mistake 5: Treating EPCS as a feature flag
EPCS is not an SDK; it is a full identity-proofed workflow with DEA registration. Adding a controlled-substance dropdown to your prescriber form without the EPCS apparatus exposes the clinician to a DEA violation and your platform to a federal enforcement action.
Mistake 6: Forgetting that telemedicine sometimes meets emergencies
Patients show up via telemedicine with mental health crises, chest pain, and overdoses. Document the protocol for handing off to 911 in the patient's current state, capture the location at session start so dispatch knows where to send help, and log every escalation. Liability and HIPAA both want this paper trail.
How to Actually Ship a HIPAA-Compliant Telemedicine App
Pick the video stack early; lock the BAA before any code
Switching video vendors after launch is the most expensive refactor in this space. Pick early, sign the BAA, and confirm exactly which endpoints and recording configurations the BAA covers.
Design the clinical workflow before the UI
Map the six or seven workflow steps. Identify the PHI store at each step. Sketch the audit log fields per step. Only then design screens.
Build the licensure gate as a first-class service
Not a util function. A service with a versioned database of clinician-state pairs and expiration. Run it on every session start and every prescription.
Wire identity verification on day one
Even before EPCS becomes a feature, you want NIST IAL2 identity proofing for clinicians. Adding it later is a forced migration; adding it now is a one-week task.
Decide ePrescribing scope explicitly
If you will never prescribe controlled substances, document that decision and design your prescriber UI to make it impossible. If you might, scope EPCS into the launch plan from week one.
Wire audit logging into every transition
Session start, session end, participant joined, screen shared, recording toggled, chart pulled, prescription signed, billing submitted. Every transition logged with user, time, IP, device. Retained six years.
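The per-transition audit log from this step and the launch checklist, written as an added example that is not code from the original article. Each event carries user, time, IP and device, and each entry's tag is an HMAC over the previous entry's tag plus the canonical JSON of its own payload, so an edited, deleted or reordered entry fails verification. The event names, the HMAC key and the sample session are constructed assumptions; in production the key lives in a KMS or HSM the application cannot read back, and entries go to append-only storage.

```python
"""Tamper-evident, per-session audit chain for telemedicine workflow transitions.

Added example; not code from the original article. Event names, the HMAC key
and the sample session are constructed. In production the key comes from a
KMS/HSM that the application cannot read back, and entries go to append-only
storage. The chain detects edits, deletions and reordering, not a truncated tail,
so also checkpoint the latest tag somewhere the application cannot overwrite.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumption: a KMS-held key in production; constructed for this demo.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS_TAG = "0" * 64


class AuditChain:
    """Each entry's tag is an HMAC over the previous tag plus the canonical JSON
    of its payload, so changing, removing or reordering any entry breaks verify()."""

    def __init__(self, session_id: str, key: bytes = AUDIT_KEY):
        self.session_id = session_id
        self._key = key
        self.events = []

    @staticmethod
    def _canonical(payload: dict) -> bytes:
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, payload: dict, prev_tag: str) -> str:
        return hmac.new(self._key, prev_tag.encode() + self._canonical(payload),
                        hashlib.sha256).hexdigest()

    def record(self, event: str, actor: str, ip: str, device: str,
               ts: Optional[datetime] = None, **details) -> dict:
        payload = {
            "seq": len(self.events),
            "session_id": self.session_id,
            "event": event,
            "actor": actor,
            "ip": ip,
            "device": device,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "details": details,
        }
        prev = self.events[-1]["tag"] if self.events else GENESIS_TAG
        entry = {"payload": payload, "prev": prev, "tag": self._tag(payload, prev)}
        self.events.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS_TAG
        for i, entry in enumerate(self.events):
            if entry["prev"] != prev or entry["payload"]["seq"] != i:
                return False, i
            if not hmac.compare_digest(entry["tag"], self._tag(entry["payload"], prev)):
                return False, i
            prev = entry["tag"]
        return True, None


def build_sample_session() -> AuditChain:
    """Constructed session covering the transitions the article lists."""
    t0 = datetime(2026, 5, 14, 15, 0, tzinfo=timezone.utc)
    chain = AuditChain("sess-0001")
    dr = ("dr_a", "203.0.113.10", "clinic-laptop-7")
    pt = ("pt_42", "198.51.100.23", "ios-17")
    chain.record("session_start", *dr, ts=t0, patient_state="OR", recording=False)
    chain.record("participant_joined", *pt, ts=t0, role="patient")
    chain.record("recording_toggled", *dr, ts=t0, recording=True,
                 patient_consent=True, clinician_consent=True)
    chain.record("chart_pulled", *dr, ts=t0, resource="Patient/42")
    chain.record("prescription_signed", *dr, ts=t0, rx_id="rx-9", controlled=False)
    chain.record("session_end", *dr, ts=t0, duration_s=1260)
    return chain


def tamper_recording_flag(chain: AuditChain) -> Tuple[bool, Optional[int]]:
    """Edit the recording event on a copy (e.g. to hide that recording happened)."""
    forged = copy.deepcopy(chain)
    forged.events[2]["payload"]["details"]["recording"] = False
    return forged.verify()


def drop_chart_pull(chain: AuditChain) -> Tuple[bool, Optional[int]]:
    """Delete the chart_pulled entry on a copy; the next entry no longer links."""
    forged = copy.deepcopy(chain)
    del forged.events[3]
    return forged.verify()


if __name__ == "__main__":
    session = build_sample_session()
    print("intact:", session.verify())
    print("recording flag edited:", tamper_recording_flag(session))
    print("chart pull deleted:", drop_chart_pull(session))
```

The chain proves integrity of what is in it, which is the property an investigator asks about after a recording leak; it does not by itself prove completeness, since someone with write access could drop the newest entries and the remaining prefix still verifies. Anchor the latest tag periodically in a store the application cannot rewrite (an object-lock bucket, a separate account, a WORM log sink) and retain both for the six-year window.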
Simulate cross-state and emergency scenarios in staging
Run synthetic patient drills: patient in CA seeing clinician licensed in OR, patient in a two-party state, patient with a chest-pain emergency mid-session. Your app should produce graceful, audit-logged outcomes for each.
Update risk analysis and incident response before launch
The artifact OCR will request first is your written risk analysis (§ 164.308(a)(1)(ii)(A)). Telemedicine adds video pipelines, cross-state operations, and recording controls that need to be named in that document.
Frequently Asked Questions
Is Zoom HIPAA-compliant for telemedicine?
Zoom is HIPAA-eligible only on a tier where Zoom signs a BAA with you (Zoom for Healthcare, or Zoom Workplace with the BAA add-on). Standard, Pro, Business and consumer tiers without a BAA are not, and sending PHI over them is a HIPAA violation regardless of how good the encryption is: the gap is the missing business associate agreement, not the cipher.
Do I need a BAA with Stripe for telemedicine billing?
Only if PHI flows through Stripe. Card data alone is PCI scope, not PHI. If your payment flow ever sends diagnosis codes, visit notes, or links a charge to a specific clinical encounter Stripe can see, you need a BAA; Stripe offers one on its enterprise tier, so get it in writing before any claim data flows, and until then keep the encounter-to-charge mapping on your side of the boundary.
Can I record telemedicine sessions for clinical reference?
Yes, but state recording-consent rules are stricter than HIPAA. Eleven US states are two-party consent jurisdictions — both patient and clinician must explicitly agree before any recording starts. Store recordings with the same encryption and audit controls as any other PHI.
What is required to prescribe controlled substances via telemedicine in 2026?
You need an EPCS (Electronic Prescribing of Controlled Substances) workflow that meets 21 CFR Part 1311: prescriber identity proofing (NIST SP 800-63 IAL2 equivalent), two-factor signing at the moment of prescription, a complete audit trail, a prescriber who holds a DEA registration, and an EPCS application that has passed the required third-party audit or certification. Pandemic-era flexibility around the in-person visit requirement has been extended but is stricter for Schedule II; confirm current DEA guidance before launching.
Does telemedicine require state-by-state licensure?
Yes by default. The clinician must be licensed in the state where the patient is physically located at the time of the visit. The Interstate Medical Licensure Compact (IMLC) simplifies licensure across 40+ states but does not eliminate the per-session check.
Is WebRTC HIPAA-compliant out of the box?
WebRTC encrypts media on the wire with DTLS-SRTP by default, and in a direct peer-to-peer call that is end to end. Most telemedicine stacks route media through an SFU or a recorder, which decrypts and re-encrypts each stream, so the media server is a PHI system that needs the same controls and BAA as everything else; true end-to-end encryption through a server needs an additional layer such as insertable streams / SFrame. Either way, wire encryption is only part of HIPAA: you still need audit logs, access controls, BAAs with your TURN/STUN, signaling and media-server providers, and infrastructure that satisfies the rest of the Security Rule. WebRTC is a building block; HIPAA telemedicine is the system around it.
What happens if a telemedicine session drops mid-emergency?
Document a written protocol that covers dropped-session handoff to 911 dispatch in the patient's current state. Capture the patient's location at session start so dispatch knows where to send help. Log every escalation. Liability and HIPAA both expect this paper trail.
Can I serve international patients?
HIPAA travels with the covered entity, not the patient. If a US clinician sees a patient abroad, HIPAA still applies to the PHI you create. If a non-US clinician sees a non-US patient on your platform, HIPAA may not apply but GDPR likely does — see our GDPR-for-US-healthcare guide for the dual-regime architecture.
Launch a HIPAA-compliant telemedicine app without rebuilding the compliance stack
VertiComply generates telemedicine app code with BAA-eligible video, licensure gating, audit logging, and HIPAA-grade encryption wired in by default — so your team spends its time on the clinical workflow, not the regulatory plumbing.
BAA on day one. Licensure gating built in. Audit logs you can hand to OCR.
In This Guide
01 What it takes to be compliant
02 The four encrypted data flows
03 Picking a video stack
04 The clinical workflow
05 Licensure + recording consent
06 ePrescribing and EPCS
07 EHR, payments, e-sig
08 The launch checklist
09 Mistakes to avoid
10 How to actually ship it
11 FAQ
Related Articles
Continue reading about healthcare compliance and telemedicine
How to Build a HIPAA-Compliant Healthcare App Without Code in 2026: the complete 2026 guide to building HIPAA-compliant healthcare apps without code. Covers compliance rules, no-code platforms, what to look for, real costs, common mistakes, and a step-by-step practical sequence for US healthcare startups.
BAA vs HIPAA: Know the Difference (2026 Guide): BAA vs HIPAA explained in plain English. What each one actually is, why they are not the same thing, who needs a BAA, when it is required, and what happens if you skip it.
GDPR for US Healthcare Apps: When It Applies & What to Do: does GDPR apply to your US healthcare app? Yes, if you have even one EU user. Learn when GDPR triggers, how it overlaps with HIPAA, the 8 requirements that differ, and how to build compliant apps without doubling your work.