Telehealth MVP: HIPAA-Ready Architecture Shipped in 6 Weeks

A digital health start-up had secured pilot agreements with two GP clinics and a small specialist network, contingent on demonstrating a working, secure telehealth product. Their existing prototype was a proof-of-concept with no security controls, no PHI boundary definition, and no audit logging — unsuitable for clinical use.

Key Pressures:

• Time constraint: Pilot launch window was fixed at 6 weeks; missing it would lose both clinic relationships
• Compliance unknown: Founding team had no experience with HIPAA or NHS Digital security standards; did not know what "HIPAA-ready" required in practice
• Data sensitivity: Platform would handle appointment records, video sessions, prescriptions, and patient identifiers — all constituting PHI
• Budget ceiling: Pre-seed stage meant infrastructure and third-party service costs had to be kept minimal without compromising compliance
• No internal engineering team: The founding team were clinicians and a product manager — all engineering would be contracted

The client needed a deployable telehealth MVP that satisfied the following constraints:

• HIPAA Security Rule compliance for all PHI at rest and in transit
• Secure video consultation with no third-party video provider receiving unencrypted patient data
• Appointment scheduling integrated with GP clinic calendar systems
• Patient records — basic encounter notes, prescription records, and visit history accessible by treating clinicians only
• Audit logging for all PHI access, sufficient to satisfy a basic compliance review
• Clinician and patient roles with appropriate access boundaries
• Business Associate Agreements (BAAs) in place with all infrastructure providers before go-live
• Documented security controls to share with clinic compliance reviewers

The technical challenge was designing a system that met HIPAA's Security Rule requirements without overbuilding — the client needed a compliant MVP, not an enterprise EHR.

PHI Boundary Mapping:

The first task was defining exactly which data was PHI and which systems would touch it. This produced a clear boundary: the core API, the database, and video session metadata were in scope. Static assets, the public marketing site, and the analytics layer were outside the boundary.

Video Architecture:

Free-tier video APIs (Twilio Video, Agora) required sending session metadata to third-party servers, creating BAA complexity and data sovereignty questions. The decision was to use WebRTC peer-to-peer sessions via a self-hosted TURN/STUN server (coturn on a private EC2 instance), keeping all session routing infrastructure within the client's AWS environment and under their BAA with AWS.

Compliance Without Overhead:

HIPAA does not require a specific technology stack, but it does require documented controls. The team had to design technical controls and produce documentation simultaneously — system design became dual-purpose: functional architecture and compliance evidence.

We delivered the platform in three parallel workstreams across 6 weeks:

Workstream 1: PHI Infrastructure (Weeks 1-2)

• Provisioned an AWS environment with a signed BAA, using AWS GovCloud-equivalent services in the EU (AWS Ireland with healthcare-appropriate service selection)
• All PHI stored in RDS PostgreSQL with AES-256 encryption at rest using customer-managed KMS keys
• VPC with private subnets for all PHI-handling services; no public database endpoints
• S3 buckets for document storage with Server-Side Encryption (SSE-KMS) and Block Public Access enabled at account level
• CloudTrail enabled across all regions for management plane audit logging
• All service-to-service communication over TLS 1.2+ within the VPC

Workstream 2: Application Build (Weeks 2-5)

• Patient and clinician authentication via Auth0 with MFA enforced for all clinician accounts, MFA strongly encouraged for patients
• Role-based access control: patients access only their own records; clinicians access only records of patients with active or past appointments with that clinician
• Appointment scheduling with iCal-based calendar sync for clinic integration
• Secure messaging thread per patient-clinician pair, stored encrypted with per-thread keys
• WebRTC video via coturn self-hosted TURN server; session tokens generated server-side and expired after appointment window
• Encounter note and prescription record management with field-level validation and version history
• Complete audit log on all PHI access: user, record, action, timestamp, IP — stored in CloudWatch Logs with a 7-year retention policy and no-delete protection

Workstream 3: Compliance Documentation (Weeks 4-6)

• Risk assessment document mapping threats, likelihood, and mitigations
• System security plan describing all controls by HIPAA Security Rule requirement
• BAA templates for clinic partners
• Incident response runbook
• Sanity-check review with a HIPAA compliance consultant in Week 6 before go-live