Building a HIPAA-Compliant Telehealth Platform from Scratch

Building a telehealth platform is challenging enough, but add HIPAA compliance into the mix and you're dealing with a whole new level of complexity. At Contour Health, we built our platform from the ground up with security and compliance at its core.

The Architecture Challenge

When we started building our telehealth platform, we had three non-negotiable requirements:

  1. End-to-end encryption for all patient data
  2. Real-time video consultations with minimal latency
  3. Complete audit trails for compliance

Our tech stack evolved through several iterations before we landed on:

  • Backend: Python/FastAPI for its async capabilities
  • Database: PostgreSQL with row-level security
  • Video: WebRTC with Jitsi for self-hosted control
  • Infrastructure: GKE with dedicated HIPAA-compliant nodes

HIPAA Compliance: More Than Just Encryption

Many developers think HIPAA compliance is just about encrypting data. It's actually about much more, starting with accountability: a complete audit trail of who accessed what, and when. That is why audit trails were one of our non-negotiable requirements. For example, our audit logging middleware:

# Example: Audit logging middleware
import json
import time
from datetime import datetime, timezone

from fastapi import FastAPI, Request

app = FastAPI()


class AuditLogger:
    """Minimal append-only sink; production uses durable, access-controlled storage."""

    async def log(self, entry: dict) -> None:
        with open("audit.log", "a") as fh:
            fh.write(json.dumps(entry, default=str) + "\n")


audit_logger = AuditLogger()


@app.middleware("http")
async def audit_log_middleware(request: Request, call_next):
    start_time = time.time()

    # Log the access attempt. X-User-ID must be set by the authentication
    # layer and stripped from incoming client requests, or the audit trail
    # can be forged by anyone who sends the header themselves.
    audit_entry = {
        "timestamp": datetime.now(timezone.utc),
        "user_id": request.headers.get("X-User-ID"),
        "resource": request.url.path,
        "method": request.method,
        "ip_address": request.client.host if request.client else None,
    }

    response = await call_next(request)

    audit_entry["response_code"] = response.status_code
    audit_entry["duration_ms"] = (time.time() - start_time) * 1000

    # Store in audit log
    await audit_logger.log(audit_entry)

    return response
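The audit_logger the middleware awaits only appends records; for HIPAA audit controls the log also has to be tamper-evident, so a record cannot be quietly edited or removed after the fact. The following is an added example, not Contour Health's code: a hash-chained audit log in plain Python whose verify() reports the first record whose content or position no longer matches the chain. The ChainedAuditLog name and the expected_head anchoring parameter are my own.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first record


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes identically
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


class ChainedAuditLog:
    """Append-only audit log: each record commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, entry: dict) -> str:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = {"entry": dict(entry), "prev_hash": prev_hash,
                  "hash": _digest(prev_hash, entry)}
        self.records.append(record)
        return record["hash"]

    async def log(self, entry: dict) -> str:
        # Same call shape the middleware uses: await audit_logger.log(entry)
        return self.append(entry)

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, index of the first bad record). A changed entry, a changed
        prev_hash, or a record removed from the middle breaks the chain. Removing
        the newest records is only caught when the latest hash was anchored
        somewhere else (a separate store, a daily signed digest) and is passed
        in as expected_head."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["entry"]):
                return False, i
            prev_hash = rec["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self.records)
        return True, None
```

Entries use the same fields the middleware builds (user_id, resource, method, response_code); the chain makes no attempt to hide them, since an audit log must stay readable to the people who review it.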

Real-Time Video at Scale

The biggest technical challenge was implementing reliable video consultations. We needed to support:

  • Multiple participants (patient, doctor, interpreter)
  • Screen sharing for reviewing test results
  • Recording capabilities for quality assurance

After evaluating various solutions, we chose to self-host Jitsi Meet:

// Video room initialization. Assumes external_api.js from our self-hosted
// Jitsi domain is already loaded on the page, which defines JitsiMeetExternalAPI.
const JITSI_DOMAIN = "meet.example.com" // placeholder: our own Jitsi domain

const initializeVideoRoom = (consultationId, parentNode) => {
  const options = {
    // The room name must be an unguessable token: a predictable
    // consultation ID would let anyone who can guess it join the call
    roomName: consultationId,
    parentNode,
    configOverwrite: {
      startWithAudioMuted: true,
      startWithVideoMuted: false,
      enableWelcomePage: false,
      prejoinPageEnabled: false,
      // HIPAA-specific settings
      // Safe to silence only because room names are random tokens (see above)
      enableInsecureRoomNameWarning: false,
      disableThirdPartyRequests: true,
      // Disable all analytics
      analytics: {
        disabled: true,
        googleAnalytics: { disabled: true },
      },
    },
  }

  // JitsiMeetExternalAPI is a constructor taking (domain, options), not an async function
  return new JitsiMeetExternalAPI(JITSI_DOMAIN, options)
}

Lessons Learned

  1. Start with compliance: It's much harder to retrofit security than to build it in from day one
  2. Invest in monitoring: We use Datadog for real-time monitoring with PII redaction
  3. Plan for scale: Our architecture supports 10,000+ concurrent video sessions
  4. Documentation is critical: Every API endpoint, every data flow must be documented

What's Next

We're now working on integrating AI-powered features while maintaining HIPAA compliance. This includes:

  • Automated appointment scheduling with NLP
  • Real-time transcription with medical terminology recognition
  • Predictive analytics for patient no-shows

Building healthcare technology is complex, but the impact on patients' lives makes every challenge worth it. If you're building in healthcare, remember: compliance isn't a feature, it's a foundation.