
Key takeaways
• HIPAA-compliant video is now an architecture problem, not a vendor problem. The December 2024 HHS NPRM makes E2EE, MFA, asset inventory, monthly vulnerability scans, and immutable audit logs mandatory across telehealth stacks — and shifts liability onto whoever controls the deployment.
• Buy first, build second — unless three conditions hold. Use Doxy.me, Zoom for Healthcare, or Microsoft Teams for Healthcare while you have fewer than 50 providers, only one EHR, and no clinical workflow that vendors refuse to ship. The day any of those flips, custom build wins on TCO and margin.
• EHR integration is where the budget goes. A clean WebRTC core is $40–90K with agent engineering. Integrating Epic, Cerner/Oracle Health, or Meditech adds $50–150K per EHR — and the failure modes (rate limits, MRN collisions, audit-log mismatches) cost more than the build.
• Five pitfalls wreck most custom builds. TURN servers outside a BAA scope, PHI in Datadog/New Relic, recording without two-party consent UI, custom E2EE without independent crypto audit, and treating Zoom SDK BAA as cover for your own wrapper code.
• Fora Soft ships HIPAA-grade video on agent-engineering speed. Our 21-year video specialty (LiveKit, mediasoup, WebRTC, SIP, FHIR) plus Claude/Codex-assisted delivery cuts MVP to 3–5 months and $40–90K, mid-tier with AI scribing to $150–280K.
Why Fora Soft wrote this playbook
Fora Soft has been building real-time video products since 2005. Across 625+ shipped products we have run WebRTC at hospital scale, integrated with Epic and Cerner from the SMART-on-FHIR side, and shipped HIPAA-aware infrastructure on AWS, GCP, and Hetzner. We have seen a hospital IT director sign a $300K Zoom for Healthcare contract because a junior PM did not realise the BAA only covers the Zoom client — not the custom branding wrapper their team had bolted around it. We have also seen a four-clinic mental-health network ship a custom HIPAA video platform in 14 weeks for under $80K because the scope was honest.
This playbook is the document we wish those teams had on day one. It is opinionated, it names vendors, and it gives real 2026 numbers. Where we link to a Fora Soft case or service it is because that example actually moves the decision — not because we wanted a backlink. Read it, decide build vs buy on the same page, and if the answer is build, book a 30-minute scoping call with our team.
If you want our wider thinking on healthcare software, start with the healthcare software compliance and security playbook and the HIPAA-compliant video platform deep dive. Both are written by the same engineering team that delivers production work for healthcare and medtech clients.
Stuck between Zoom-for-Healthcare and a custom build?
Tell us your provider count, EHR list, and clinical workflow gaps — we’ll give you a 60-minute build-vs-buy verdict with cost ranges, no slide deck.
Healthcare video conferencing in 2026 — market snapshot
The post-COVID plateau is over. Telehealth is now a permanent service line for almost every US health system, with the global telemedicine market sitting in the $80–100B range in 2025 and analyst consensus pointing at $220–240B by 2032 (15–19% CAGR). Roughly 38–48% of US health systems classify telehealth as a material revenue line, not a pandemic stopgap. In Europe, the European Health Data Space (EHDS) regulation is forcing every clinical platform to expose patient data via FHIR R4 export, which collapses the difference between “your video tool” and “your interoperability surface”.
The buyer’s job in 2026 is no longer “pick a Zoom alternative”. It is to design a healthcare video conferencing platform that survives a 2026 HHS audit, plugs into at least one EHR without breaking it, supports ambient AI scribing without leaking PHI, and costs less than the revenue it unlocks. The rest of this playbook walks the four decisions that actually move that calculation.
What good healthcare video conferencing looks like
A platform a CTO can defend in 2026 hits all of the following, regardless of build or buy:
- End-to-end encryption on the media path (SRTP + DTLS) and at-rest (AES-256 with KMS-managed keys, separate per tenant).
- BAA-covered across every component: SFU, TURN, recording storage, observability, identity provider, AI scribing, translation.
- MFA enforced for clinicians, admins, and any API integration. WebAuthn or TOTP — never SMS-only.
- Immutable audit logs in append-only storage (S3 Object Lock, GCS Bucket Lock) with 7-year retention.
- Two-party consent UI for any recording or AI processing, with state-aware logic and a per-call consent receipt.
- EHR launch from a clinician’s context — SMART on FHIR launch from Epic / Cerner / Athena, no copy-paste of patient IDs.
- P95 connect time below 5 seconds, MOS > 4.0, call drop rate < 1%. Anything worse and clinicians abandon the platform inside a month.
- Documented incident-response plan: who is paged, who notifies HHS within 60 days if a breach affects more than 500 records.
HIPAA in 2026 — what the December 2024 NPRM actually changes
The Notice of Proposed Rulemaking issued by HHS in December 2024 is the biggest update to the HIPAA Security Rule since 2013. Five things move from “recommended” to “required”, and they reshape what a healthcare video stack must do.
1. End-to-end encryption is no longer optional. Every transmission of ePHI must be cryptographically protected end-to-end, with key management documented. SRTP + DTLS for media, TLS 1.3 for signalling, AES-256 for storage. Plain HTTP between microservices — even inside a VPC — fails audit.
2. MFA is mandatory for all administrative and API access. Clinicians, admins, and any service-to-service integration that touches PHI need a second factor. Time-limited tokens (OAuth 2.0 with short-lived JWTs) for inter-service traffic. SMS OTP no longer counts on its own.
3. Continuous asset inventory and BAA verification. The NPRM requires automated discovery of every third-party SDK, library, and cloud service handling PHI, with a verified BAA for each. The classic failure: a developer adds Sentry for error reporting and accidentally ships PHI in stack traces.
4. Monthly vulnerability scanning with a 48-hour critical-CVE SLA. Customer-facing systems must be scanned at least monthly. Critical CVEs (CVSS ≥ 9.0) must be patched or compensating-controlled within 48 hours. Snyk, Dependabot, AWS Inspector all qualify if logs are retained.
5. Immutable audit logs with forensic-grade timestamps. Append-only storage. Minimum 90 days online, 7 years archived. Datadog and Splunk are fine when a BAA covers them — but the default Datadog plan does not include one. CloudTrail with S3 Object Lock is the default-safe choice on AWS.
Why this matters financially: HIPAA penalties are tiered. Tier 4 (willful neglect, uncorrected) caps at $1.5M per category per year — and a 50,000-patient breach triggers reporting to HHS, the press, and individual patient notice. The compliance investment that looks expensive at $40–80K reads cheap once you put it next to that.
For non-US deployments, GDPR Article 32, the EU AI Act’s “high-risk” classification of clinical-decision-support video, and EHDS-mandated FHIR R4 export add roughly 20–40% to infrastructure cost. The standard answer is to keep EU patient data in EU regions (AWS Frankfurt, GCP Belgium, Hetzner Falkenstein) with separate KMS keys.
Build vs buy — the four conditions that flip the answer
Buying is the right default. A custom build is the right answer only if at least three of the following hold:
1. Provider count above 50, growing. At ~50 providers Zoom for Healthcare and AmWell already cost more per year than the running cost of a self-hosted LiveKit cluster on a Hetzner AX-line server pair. Above 100 providers the gap is decisive.
2. Two or more EHRs, or a non-mainstream EHR. Vendors integrate cleanly with Epic and Cerner. Athena is patchy. Meditech, NextGen, and regional EHRs are usually a no. If you live across two or more EHRs, vendor licensing for each integration eats the savings of buy.
3. A clinical workflow vendors will not ship. Ambient AI scribing tied to a custom oncology template; multi-party consent for telepsychiatry with a parent in a different state; AR overlays on dermatology video. Any of these and your buy options collapse to two or three platforms with painful customisation costs.
4. The product is the platform. If you are a digital-health startup whose pitch is the video experience, you cannot rent it. Investors discount your moat to zero. Build is the only path.
Reach for buy when: you have fewer than 50 providers, one EHR, no clinical workflow vendors refuse to ship, and the platform is not your differentiation. Doxy.me or Zoom for Healthcare will get you to a $5–10M ARR ceiling without engineering risk.
Reach for build when: three of the four conditions above hold — provider count, multiple EHRs, vendor-blocked workflow, or platform-as-product. Below that threshold, build is engineering vanity.
Vendor comparison matrix — the seven options buyers actually shortlist
All pricing is 2026 published list. EHR support means “launches from clinician context”, not “has a Zapier connector”.
| Platform | BAA | Per provider / month | E2EE | EHR launch | Best for |
|---|---|---|---|---|---|
| Doxy.me | Yes | $60–300 | No | Limited (Zapier) | Solo & small clinics, no AI |
| Zoom for Healthcare | Yes | $180–600 | Optional add-on | Epic, Cerner | Mid-market, low engineering |
| MS Teams Healthcare | Yes | $18–50 (bundled) | Yes (Premium) | Native (M365) | Existing M365 health systems |
| AmWell | Yes | $500–2000 | Yes | Epic, Cerner, Athena, Meditech | Enterprise health systems |
| Mend | Yes | $200–400 | Yes | Cerner, Meditech | AI scribing, mid clinics |
| eVisit | Yes | $150–400 | Partial | Epic, Cerner, Athena | RPM & chronic care programs |
| Custom (Fora Soft) | Your responsibility | $40–700K build, then ops | Yes (architected-in) | Any (FHIR R4 / SMART) | Multi-EHR, custom workflows, platform-as-product |
Reference architecture for a HIPAA-grade video stack
A 2026 healthcare video conferencing stack has six layers. Each one has a default-safe choice and one or two valid alternatives.
Media plane — SFU + TURN
LiveKit (Apache 2.0) is the default. Self-hosted on AWS EC2 or Hetzner AX-line, BAA-covered on AWS, around $15K/year of ops cost for ~500 concurrent providers. mediasoup is the lower-level alternative when you need bespoke media routing — pick it for AR overlays, multi-stream specialist workflows, or sub-100ms feedback. Janus is the lightweight option for clinic-edge deployments. We have shipped all three; for guidance see our LiveKit AI agents guide and the Agora.io alternative architecture comparison.
Signalling and SIP
WebSocket signalling on TLS 1.3, with JWT-based room tokens issued from your auth service. SIP trunking via Asterisk or Kamailio for legacy phone bridging is unavoidable in hospital environments — we cover the integration patterns in our OpenAI Realtime API + WebRTC + SIP integration article.
Identity, MFA, and authorisation
Okta or Auth0 with BAA addendum, WebAuthn or TOTP, SCIM provisioning from the hospital’s Active Directory. Service-to-service auth uses short-lived JWTs (15-minute TTL) signed by AWS KMS. Never SMS OTP alone — SIM-swap attacks are now a documented HIPAA breach vector.
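The two token flows above (JWT room tokens from the auth service, short-lived JWTs between services) share the same verification discipline: pin the algorithm, check the signature with a constant-time compare, then check audience, scope and expiry. The block below is an added example written for this playbook, not Fora Soft code. It mints and verifies an HS256 room token with the 15-minute TTL the architecture calls for; the `DEMO_SECRET` is a constructed HMAC key standing in for the AWS KMS signer, and only `_sign()` would change in a KMS-backed deployment. The claim names (`room`, `aud`) and the `auth-service` issuer are assumptions for the example.

```python
"""Short-lived HS256 room tokens for WebRTC signalling (added example).

The article signs tokens with AWS KMS; a constructed HMAC secret stands in
here so the block runs offline. Only _sign() would change for KMS.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed, not a real key
ROOM_TOKEN_TTL = 15 * 60                               # 15-minute TTL, per the article
AUDIENCE = "signalling"                                # the service that must accept the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    # HS256 for the demo; a KMS-backed deployment would call kms:Sign here.
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def _encode_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_room_token(clinician_id: str, room_id: str, now: int,
                     secret: bytes = DEMO_SECRET, ttl: int = ROOM_TOKEN_TTL) -> str:
    """Mint a JWT admitting one clinician to one room for at most `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "auth-service", "aud": AUDIENCE, "sub": clinician_id,
               "room": room_id, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode_segment(header)}.{_encode_segment(payload)}".encode("ascii")
    return f"{signing_input.decode('ascii')}.{_b64url(_sign(signing_input, secret))}"


def verify_room_token(token: str, room_id: str, now: int,
                      secret: bytes = DEMO_SECRET) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and for this room; else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's own header choose the verifier.
    if header.get("alg") != "HS256":
        return None
    expected = _sign(f"{head_b64}.{body_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, signature):
        return None
    # Signature is good; now check the token is for this audience and this room.
    if payload.get("aud") != AUDIENCE or payload.get("room") != room_id:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_room_token("clin-42", "room-7", now)
    print(verify_room_token(token, "room-7", now + 600))   # claims dict
    print(verify_room_token(token, "room-7", now + 900))   # None: expired
```

The signalling server verifies before it admits the WebSocket to a room, and the same checks apply to inter-service tokens with a different `aud`. Binding the token to a single room is what stops a leaked token being replayed against another patient's session during its lifetime.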
Data layer
AWS RDS PostgreSQL with KMS-managed encryption is the default. Tokenise every PHI field; store mapping in a separate vault schema. Recordings go to S3 with Object Lock for immutability + KMS keys per tenant. For non-US deployments, GCP Cloud SQL or Hetzner-hosted Postgres works — just keep KMS keys in-region.
Observability without leaking PHI
CloudTrail for AWS API actions, CloudWatch with PHI-stripping log filters, and Sentry only when configured to drop request bodies. Datadog and New Relic are usable only if you negotiate a BAA addendum — the default contracts do not cover PHI. The classic mistake: a stack-trace exception that includes the patient’s last name in the SQL.
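"PHI-stripping log filters at source" is easy to say and easy to get wrong: the filter has to sit at the handler, so it covers records from every logger in the process, and it has to scrub exception tracebacks as well as the message, because the SQL-with-a-last-name case above usually arrives inside an exception. The block below is an added example for this playbook, not Fora Soft code; the regexes are constructed illustrations of a few identifier shapes, not a complete PHI taxonomy, and the sample log lines are constructed.

```python
"""PHI-scrubbing logging filter attached at the handler (added example).

Every record is rewritten before any sink (CloudWatch agent, Sentry, a
vendor log shipper) formats it. Patterns are constructed illustrations.
"""
import logging
import re
from typing import List, Tuple

# (pattern, replacement) pairs; order matters only where patterns overlap.
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[:=\s]*\d{6,10}\b", re.IGNORECASE), "MRN=[REDACTED]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DOB]"),
    (re.compile(r"last_name\s*=\s*'[^']*'", re.IGNORECASE), "last_name='[REDACTED]'"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]


def scrub(text: str) -> str:
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PHIScrubFilter(logging.Filter):
    """Rewrites the record in place; attach to handlers, not loggers, so
    records propagated from child loggers are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args first so PHI passed as an argument is scrubbed as well.
        record.msg = scrub(record.getMessage())
        record.args = ()
        # Tracebacks carry the exception text (often the failing SQL); scrub
        # them now and cache the result so the formatter does not re-render.
        if record.exc_info and not record.exc_text:
            record.exc_text = scrub(logging.Formatter().formatException(record.exc_info))
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory; stands in for a real sink."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "telehealth.demo") -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIScrubFilter())
    logger.addHandler(handler)
    return logger, handler


def demo_log_lines() -> List[str]:
    """Constructed log events of the kind the article warns about."""
    logger, handler = build_logger()
    logger.error("DB error for patient MRN 123456789, query: "
                 "SELECT * FROM patients WHERE last_name='Smith'")
    logger.info("consent receipt emailed to %s", "jane.doe@example.org")
    try:
        raise ValueError("duplicate SSN 123-45-6789 for DOB 04/12/1981")
    except ValueError:
        logger.exception("insert failed")
    return handler.lines


if __name__ == "__main__":
    for line in demo_log_lines():
        print(line)
```

Treat the regex filter as a backstop, not the control: the primary control is the tokenised data layer described below, which keeps raw PHI out of application code paths in the first place. The filter also does nothing for logs that bypass Python `logging` (a database driver's own stderr output, for example), so those sinks need the same treatment or a BAA.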
AI services — scribing, translation, decision support
Abridge, Suki, or Microsoft DAX Copilot for scribing — all carry HIPAA BAAs in 2026. AWS Transcribe Medical or Google Healthcare Natural Language API for in-house alternatives. Real-time interpretation routes through Google Cloud Translation + Speech-to-Text under Workspace BAA, or Amazon Translate + Transcribe. For clinical decision support, integrate with a CDS Hooks server and route advisory calls through your CDR — do not surface raw model output to clinicians without a human-in-the-loop check.
Need a second opinion on your reference architecture?
Send us your stack diagram. We’ll mark it up against our HIPAA architecture playbook and tell you exactly which boxes fail an audit — in writing, in 48 hours.
EHR integration — FHIR R4, SMART on FHIR, and where it goes wrong
EHR integration is where most healthcare video budgets actually go. The video core is solved. The integration is not.
SMART on FHIR launch is the modern pattern: Epic, Cerner / Oracle Health, and Athenahealth all support a clinician launching your video app from inside the EHR with a JWT carrying patient context. Integration cost runs $50–180K per EHR depending on the certification process. Epic is the most expensive ($80–150K) because of EMP development requirements. Athenahealth is the cheapest ($50–80K) because the API is genuinely API-first. Meditech is the most painful ($120–200K) because parts of the surface are still HL7 v2.
FHIR R4 write-back — pushing the encounter summary, clinical note, or visit metadata back into the chart — is the second integration pillar. Conformance testing per EHR is $5–20K. Without it, your video calls live in a silo and clinicians stop using the system.
Where it goes wrong: Epic’s 30 TPS API rate limit at peak hours, MRN collisions when integrating two EHRs that issue overlapping numeric IDs, and audit-log mismatches where the EHR’s “who viewed this chart” report does not match your video platform’s. Plan for a four-week post-launch hardening period on every EHR connection.
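The rate-limit failure mode is worth seeing in code, because the obvious fix (a token bucket with a 30-token burst) can still emit 60 calls inside one second and trip a per-second limit. The block below is an added example for this playbook, not Fora Soft's integration code. It paces outbound calls so no two are closer than 1/30 s, retries on 429 through the same pacer, and contrasts that with firing a burst unpaced. `EPIC_TPS` uses the 30 TPS figure cited above; the simulated endpoint is a constructed stand-in that rejects a call when 30 already fall in the trailing one-second window, which is an assumption about limit semantics, not a description of Epic's real behaviour. Time is modelled with `Fraction` so the schedule is exact; production code would use `time.monotonic()` and sleep until the reserved slot.

```python
"""Pacing queue plus 429 retry for an EHR API call budget (added example).

EPIC_TPS is the figure the article cites. SimulatedEhrEndpoint is a
constructed model of a trailing-window limit, not the vendor's real API.
"""
from collections import deque
from fractions import Fraction
from typing import Deque, List, Tuple

EPIC_TPS = 30
MAX_ATTEMPTS = 5


class Pacer:
    """Hands out send times spaced at least 1/tps apart (no burst)."""

    def __init__(self, tps: int) -> None:
        self.interval = Fraction(1, tps)
        self.next_slot = Fraction(0)

    def reserve(self, arrival: Fraction) -> Fraction:
        send_at = max(arrival, self.next_slot)
        self.next_slot = send_at + self.interval
        return send_at


class SimulatedEhrEndpoint:
    """Constructed stand-in: 429 when `limit` calls already sit in the trailing second."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.window: Deque[Fraction] = deque()
        self.rejections = 0

    def call(self, at: Fraction) -> Tuple[int, Fraction]:
        """Return (status, retry_after_seconds)."""
        while self.window and at - self.window[0] >= 1:
            self.window.popleft()
        if len(self.window) >= self.limit:
            self.rejections += 1
            # Retry-After: when the oldest call in the window ages out.
            return 429, Fraction(1) - (at - self.window[0])
        self.window.append(at)
        return 200, Fraction(0)


def call_with_retry(endpoint: SimulatedEhrEndpoint, pacer: Pacer,
                    arrival: Fraction) -> Tuple[int, Fraction]:
    """Send one call through the pacer; on 429 honour Retry-After and re-queue."""
    send_at = pacer.reserve(arrival)
    for _ in range(MAX_ATTEMPTS):
        status, retry_after = endpoint.call(send_at)
        if status != 429:
            return status, send_at
        # Re-entering the pacer stops retries bunching up into a second burst.
        send_at = pacer.reserve(send_at + retry_after)
    return 429, send_at


def drain_paced(n: int, tps: int = EPIC_TPS) -> List[Tuple[int, Fraction]]:
    """n requests all arriving at t=0, sent through the pacer."""
    endpoint, pacer = SimulatedEhrEndpoint(tps), Pacer(tps)
    return [call_with_retry(endpoint, pacer, Fraction(0)) for _ in range(n)]


def drain_naive(n: int, tps: int = EPIC_TPS) -> int:
    """n requests fired at t=0 with no pacing; returns how many got 429."""
    endpoint = SimulatedEhrEndpoint(tps)
    for _ in range(n):
        endpoint.call(Fraction(0))
    return endpoint.rejections


if __name__ == "__main__":
    paced = drain_paced(100)
    print("paced: last call at", float(paced[-1][1]), "s; 429s:", sum(s == 429 for s, _ in paced))
    print("naive: 429s:", drain_naive(100))
```

In a real deployment the pacer is shared across every worker that talks to that EHR (a single queue, not one per process), otherwise three replicas each believe they own the whole 30 TPS budget. Budget the four-week hardening period above partly for discovering which window semantics the vendor actually enforces.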
Cost model — honest 2026 numbers with agent-engineering speed
Fora Soft uses Claude- and Codex-assisted “agent engineering” across delivery, which trims roughly 25–35% off boilerplate-heavy work (test scaffolding, FHIR mapping code, audit-log instrumentation, Terraform). The numbers below assume that advantage; they are conservative, not aggressive.
MVP — 3–5 specialties, 1 EHR, no AI
Build: $40–90K. Team: 1 architect (0.5 FTE), 2–3 engineers (1.5 FTE), 1 QA (0.5 FTE). Timeline: 3–5 months. Deliverables: WebRTC SFU + TURN, MFA + Okta, Postgres + KMS, S3 audit logs, 1 EHR SMART-on-FHIR launch, basic clinician dashboard. Year-1 ops: $10–20K/month.
Mid — multi-specialty, 1–2 EHRs, AI scribing
Build: $150–280K. Team adds clinical advisor (0.3 FTE), more QA, extra integration engineer for the second EHR. Timeline: 6–9 months. Deliverables: full multi-specialty UI, 2 EHRs, AI clinical-note generation (Abridge or Suki integration, or in-house Whisper + LLM if data residency demands it), HIPAA audit program. Year-1 ops: $20–35K/month.
Enterprise — multi-tenant, 3+ EHRs, full clinical AI
Build: $350–700K. Team: architect lead, 6–8 engineers, 2 QA, dedicated compliance officer, clinical advisor. Timeline: 12–18 months. Deliverables: multi-tenant SaaS, 3+ EHR integrations, AI scribing + decision-support, SOC 2 audit, dedicated incident-response team. Year-1 ops: $40–80K/month. EHR integration costs ($200–600K) are tracked separately and depend on which combination you pick.
Cost reality check: these numbers exclude marketing, sales, ongoing R&D, and any FDA pathway if you claim diagnostic features. They also exclude breach-remediation reserves — a single Tier 4 HIPAA penalty plus notification cost can run higher than the entire enterprise build. Budget compliance investment as insurance, not overhead.
Mini case — a four-clinic mental-health network ships in 14 weeks
A four-location behavioural-health group with 22 clinicians came to Fora Soft after 14 months of Zoom for Healthcare. The contract was $400/provider/month, ambient AI scribing was a separate Abridge license at $300/provider/month, and intake forms still lived in PDF. They wanted one platform: video, intake, and scribing, all under one HIPAA umbrella.
We scoped 14 weeks: a LiveKit-based SFU on AWS, Auth0 with BAA addendum and WebAuthn, Postgres with KMS-managed keys, S3 + Object Lock for recordings, SMART-on-FHIR launch from Athenahealth, and Whisper + a fine-tuned 8B model for ambient scribing kept entirely in-VPC. Three engineers, one QA, an architect at 0.4 FTE, and a clinical advisor (board-certified psychiatrist) at 0.2 FTE. Total build: $76K.
Outcome at six months: scribing accuracy 89% on discharge summaries (Abridge benchmark was 91% — close enough at 1/4 the running cost), call drop rate 0.4%, P95 connect time 3.6 seconds, MOS 4.3. Annualised licensing saving vs the previous Zoom + Abridge combination: ~$184K. Build paid back in five months. Want a similar 14-week scope for your group?
A decision framework — pick a path in five questions
Q1. How many providers will you have in 24 months? Below 50 → buy. 50–150 → buy now, plan a build for month 18. Above 150 → build.
Q2. How many EHRs do you live across? One mainstream EHR (Epic, Cerner) → vendor integrations are fine. Two or more, or any non-mainstream EHR → build.
Q3. Is there a clinical workflow no vendor will ship? If yes — ambient scribing on a custom oncology template, AR overlays for dermatology, multi-state telepsychiatry consent — you cannot rent it.
Q4. Is the platform your differentiation? If your investor pitch leans on the video experience itself, build. If video is plumbing for a different product, buy.
Q5. Can you carry $40K/month of ops indefinitely? If the answer is “not yet”, the right move is buy first, build later. We have helped clients sequence both phases without throwing the first effort away.
Five pitfalls that wreck custom healthcare video builds
1. TURN servers outside your BAA scope. Spinning up TURN on a cheap consumer cloud or a personal AWS account that is not enrolled in the BAA. Media still flows through it; the BAA does not retroactively cover it. Fix: every component touching media or signalling lives inside a BAA-enrolled account, period.
2. PHI leaking into Datadog, New Relic, or Sentry. A stack trace including a SQL query with the patient’s last name; a feature flag exception logging the encounter ID. Fix: PHI-stripping log filters at source; BAA addendum on every observability tool that holds PHI; CloudTrail + S3 Object Lock as the default-safe alternative.
3. Recording without explicit two-party consent UI. Many states (California, Florida, Pennsylvania, others) require all-party consent. A blanket “by joining you consent” banner is not enough for a recorded clinical session. Fix: state-aware pre-call consent modal with an immutable consent receipt stored alongside the recording.
4. Treating Zoom SDK BAA as cover for your own wrapper. Zoom’s BAA covers the Zoom client. Your custom-branded React app embedding Zoom SDK is your responsibility — auth, logging, key management, every byte of your code. Fix: separate security review of your wrapper before launch; clear documentation of which surfaces are covered by Zoom and which are yours.
5. Custom E2EE without an independent crypto audit. Implementing your own AES wrapper, deriving keys with sketchy entropy, or assuming TLS + KMS equals end-to-end. Fix: use battle-tested protocols (Signal Protocol, SRTP + DTLS, MLS for group calls); commission an external crypto audit ($15–40K) before launch. Never roll your own.
KPIs that tell you the platform is actually working
Clinical KPIs. No-show rate down 15–25% vs in-person baseline. Average handle time 18–25 minutes for follow-ups. Referral completion within 48 hours above 70%. AI-scribe note acceptance by clinicians above 80% before edit (the only metric that matters for ROI on AI scribing).
Business KPIs. Telehealth share of new bookings 30–50% within 12 months. Revenue per visit at parity with in-person (telehealth must not silently leak 20–30% revenue through coding mismatches). Conversion rate from offered visit to completed visit above 85%.
Reliability KPIs. Call drop rate below 1% (target 0.5%). MOS above 4.0. P95 connect time below 5 seconds. Audit-log completeness 100% — an empty hour in the audit log is a failed audit, every time. We cover the measurement methodology in detail in our WebRTC stream-quality testing playbook.
AI features — where they pay off and where they leak PHI
Ambient clinical scribing is the highest-ROI AI feature in 2026 healthcare video. Abridge benchmarks at 85–92% accuracy on discharge summaries; Suki at 88–95%; Microsoft DAX Copilot integrated with Teams Premium. Custom Whisper-Large + a fine-tuned 8B model lands at 70–85% but cuts running cost to roughly $50–150/provider/month. Pick custom only if data residency demands it; pick Abridge or Suki by default.
Real-time interpretation for limited-English-proficiency patients drops average handle time by 12–18% in our deployments. Google Cloud Translation + Speech-to-Text covers 200+ languages under Workspace BAA, 2-second median latency. For high-stakes clinical content (oncology, behavioural health), route through a licensed-interpreter API like Interpretation.com at $2–5/minute — faithfulness still matters more than speed in those moments.
Clinical decision support integrated through CDS Hooks — drug interaction alerts, contraindication flags, risk calculator overlays — pays off only when a clinician-in-the-loop check is mandatory. Ship advisory only; never autonomous. Our AI call assistants API guide covers the integration patterns; the same architecture applies to clinical surfaces with stricter consent and logging.
The leak vector to watch: any AI feature that calls a third-party API needs a BAA. OpenAI offers HIPAA BAAs via Enterprise; Anthropic via Claude for Business; Google via Workspace; AWS Bedrock via the master AWS BAA. The default API endpoints do NOT cover PHI — this is the single most common 2026 audit finding.
The compliance program around the platform
A compliant stack with no compliance program still fails an audit. The minimum viable program for a 2026 healthcare video platform:
- Designated Privacy Officer and Security Officer — named individuals, not job titles.
- Written policies: access control, incident response, breach notification, BYOD, vendor management, log retention.
- Annual workforce training — HIPAA basics for engineers, advanced phishing for clinical-facing staff.
- Quarterly access review — who still has admin? Who left the company and still has SSO?
- Annual risk assessment with documented remediation plan.
- Tabletop incident-response exercise at least annually — the only way to know whether your 60-day notification clock will actually start on time.
Most digital-health startups underestimate this. Plan ~$40–80K/year for the program once you exceed 1,000 patient records under management. SOC 2 Type II adds another $25–60K and is increasingly demanded by hospital procurement — if you are selling enterprise, get on it inside year one.
When NOT to build a custom healthcare video platform
There are scenarios where a custom build is the wrong move, and we will say so on the first call. Skip the build if any of these are true:
- You are pre-product-market-fit. Use Doxy.me or Zoom until you understand the workflow that actually retains patients. Building too early means rebuilding when the workflow finally lands.
- You have under 20 providers and a single mainstream EHR. Vendor licensing is cheaper than the smallest sustainable engineering team.
- You cannot fund 18 months of running cost. Custom builds need ops budget for years two and three, not just delivery. If runway is tight, buy.
- You have no in-house clinical voice. Without a clinician on the team, you will ship a product clinicians refuse to use. Hire or contract one before kickoff.
- The procurement decision is “Microsoft everything”. If your hospital is M365-locked, Teams Healthcare bundled at $18–50/user is unbeatable on TCO. Build only the bits Teams cannot do.
A pragmatic sequencing — buy first, build second
For most growing health systems and digital-health startups, the right play is sequenced. Year 1 on Doxy.me or Zoom for Healthcare to learn the clinical workflow. Year 2 on a custom MVP that owns the differentiated workflow (intake, scribing, multi-EHR launch) while still using vendor video for the long tail. Year 3 onwards on the full custom platform.
This sequencing avoids the two failure modes we see most: building too early on assumptions that clinicians later overturn, and over-paying licensing for years because nobody scoped the build phase honestly. We help clients run both phases without writing off the Year 1 investment — the workflow learnings translate directly into the build scope.
If you want a deeper read on the build-vs-buy framing across video products generally, our build-vs-buy video platform analysis applies the same trade-offs to non-healthcare verticals; the healthcare-specific overlay is the compliance mass and the EHR integration block, both covered above.
Ready to scope a HIPAA-grade video build?
Bring a provider count, an EHR list, and the clinical workflow that vendors keep refusing to ship. We’ll come back with a 14–18-week plan and a fixed cost band.
FAQ
Is Zoom HIPAA-compliant out of the box?
No. Standard Zoom is not HIPAA-compliant. You need Zoom for Healthcare with a signed BAA. The BAA only covers Zoom’s own infrastructure — any custom wrapper, embedded SDK app, or external recording bucket you build around it is your responsibility under your own BAA scope.
How much does a custom HIPAA-compliant video platform really cost in 2026?
An MVP with one EHR and no AI lands $40–90K with agent-engineering speed. Mid-tier with multi-specialty support, 1–2 EHRs, and AI scribing is $150–280K. Enterprise multi-tenant with 3+ EHRs and full clinical AI runs $350–700K, plus EHR integration costs of $50–200K per EHR depending on the system. Year-1 ops adds another $10–80K/month depending on tier.
Which WebRTC SFU should I pick for a healthcare deployment?
LiveKit is the default for 2026 — mature, Apache 2.0-licensed, BAA-friendly when self-hosted on AWS, and well-documented. Pick mediasoup if you need fine-grained media routing (AR overlays, sub-100ms specialist workflows). Pick Janus only for lightweight clinic-edge deployments. Avoid commercial PaaS SFUs like Agora unless you have a clear path to a BAA at the contract level.
Do I need end-to-end encryption (E2EE) for HIPAA?
Yes — the December 2024 HHS NPRM moves E2EE from a recommendation to a requirement. SRTP + DTLS for media is now the floor. For group calls, MLS (Messaging Layer Security) is the emerging standard. TLS-only between client and SFU no longer counts on its own.
How long does Epic integration take, and why is it so expensive?
Allow 4–6 months and $80–150K. The cost is partly the EMP (Epic-managed program) certification process, partly the testing labour, and partly Epic’s 30 TPS API rate limit which forces careful retry/queue design. Athenahealth ($50–80K, 2–3 months) and Cerner / Oracle Health ($60–120K, 3–5 months) are usually faster.
Can I use OpenAI Whisper or GPT for clinical scribing?
Yes, but only under an OpenAI Enterprise BAA — the default OpenAI API endpoints are NOT HIPAA-covered. The same goes for Anthropic Claude (BAA via Claude for Business), Google Gemini (BAA via Workspace), and AWS Bedrock (covered by the master AWS BAA). For purely in-VPC deployments, self-hosted Whisper-Large plus a fine-tuned open-weight model lands you under your own BAA scope at the cost of accuracy.
What does GDPR add for a US healthcare platform serving EU patients?
An EU-region deployment with separate KMS keys, a Data Processing Agreement with every subprocessor, and Standard Contractual Clauses for any data transfers back to the US. The EU AI Act classifies clinical-decision-support video as high-risk; expect transparency labelling and bias-testing documentation. EHDS adds FHIR R4 export. Total infrastructure cost uplift is roughly 20–40% over a US-only deployment.
How do you handle multi-state telehealth licensure inside the platform?
Licensure rules sit outside the platform — they govern who can practise where — but the platform must enforce them. Practical pattern: store per-clinician state license validity, validate at the moment of scheduling against the patient’s state of residence, and refuse to start a call when the license is invalid. We log every decision in the audit trail so the medical board questions answer themselves.
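The pattern in that answer, together with the immutable audit-log requirement from the NPRM section (append-only storage, every decision recorded), fits in one block. What follows is an added example for this playbook, not Fora Soft code. It stores per-clinician state licences with validity windows, checks them against the patient's state at a named decision point (scheduling or call start), and writes each verdict to a hash-chained audit trail whose `verify()` detects any edited or dropped record. The licence data, clinician IDs and dates are constructed sample values; the chain makes tampering detectable, while the storage-level immutability the article describes (S3 Object Lock) remains a separate control.

```python
"""State-licence enforcement with a hash-chained audit trail (added example).

Licence records and dates are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class StateLicense:
    clinician_id: str
    state: str          # two-letter state code
    valid_from: date
    valid_to: date


class AuditTrail:
    """Append-only list where each record commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[Dict] = []

    @staticmethod
    def _digest(record: Dict) -> str:
        return hashlib.sha256(
            json.dumps(record, sort_keys=True, default=str).encode("utf-8")).hexdigest()

    def append(self, event: Dict) -> Dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = dict(event, seq=len(self.records), prev_hash=prev)
        body["hash"] = self._digest(body)   # digest covers seq, prev_hash and the event
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """True only if every record is intact and the chain is unbroken."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or rec.get("prev_hash") != prev:
                return False
            unsigned = {k: v for k, v in rec.items() if k != "hash"}
            if self._digest(unsigned) != rec.get("hash"):
                return False
            prev = rec["hash"]
        return True


def licence_covers(licences: Iterable[StateLicense], clinician_id: str,
                   state: str, on: date) -> bool:
    return any(lic.clinician_id == clinician_id and lic.state == state
               and lic.valid_from <= on <= lic.valid_to for lic in licences)


def authorize_visit(licences: Iterable[StateLicense], clinician_id: str,
                    patient_state: str, on: date, decision_point: str,
                    audit: AuditTrail) -> bool:
    """Run at scheduling and again at call start; every verdict is audited."""
    allowed = licence_covers(licences, clinician_id, patient_state, on)
    audit.append({
        "event": "licensure_check",
        "decision_point": decision_point,       # "schedule" or "call_start"
        "clinician_id": clinician_id,
        "patient_state": patient_state,
        "on": on.isoformat(),
        "allowed": allowed,
        "reason": "valid licence in patient state" if allowed
                  else "no valid licence in patient state",
    })
    return allowed


def demo() -> Tuple[Dict[str, bool], AuditTrail]:
    """Constructed scenario: one clinician, a current CA licence and an expired NY one."""
    licences = [
        StateLicense("clin-42", "CA", date(2025, 1, 1), date(2026, 12, 31)),
        StateLicense("clin-42", "NY", date(2023, 1, 1), date(2024, 12, 31)),
    ]
    audit = AuditTrail()
    visit_date = date(2026, 3, 1)
    results = {state: authorize_visit(licences, "clin-42", state, visit_date, "schedule", audit)
               for state in ("CA", "NY", "TX")}
    return results, audit


if __name__ == "__main__":
    verdicts, trail = demo()
    print(verdicts)                      # {'CA': True, 'NY': False, 'TX': False}
    print("audit chain intact:", trail.verify())
```

Checking at call start as well as at scheduling matters because a licence can lapse between the two, and because the patient may join from a different state than the one on file; the audit record carries the state actually used for the decision so that a later board question can be answered from the trail alone.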
What to read next
Compliance
HIPAA-Compliant Video Platform Development
The deeper compliance-first deep dive: encryption, BAAs, audit logs, and incident response.
Healthcare Software
Healthcare Software Compliance & Security Challenges
The wider compliance-and-security playbook for healthcare product teams.
Architecture
Build & Deploy LiveKit AI Voice Agents
The reference architecture we lean on most for HIPAA-grade real-time stacks.
Build vs Buy
Build vs Buy: Switching From SDK to Custom Video Platform
Generalised build-vs-buy framework that pairs well with this healthcare overlay.
Quality
How to Test WebRTC Stream Quality
getStats, MOS, p95 connect-time methodology — the KPIs cited above, in measurable form.
Ready to ship healthcare video that survives a 2026 audit?
Healthcare video conferencing software in 2026 is not a Zoom-vs-Teams pick. It is a four-decision puzzle: comply with the 2024 HHS NPRM, choose buy or build against four hard conditions, get the EHR integration right, and run a real compliance program around the platform. Get those four right and you ship something that earns clinical adoption, withstands an HHS audit, and pays back inside a year.
Fora Soft has been doing this since 2005. Whether you are at the “buy first, learn fast” stage or already scoped for a $300K custom build, the cheapest hour you will ever spend on this decision is the first call with a team that has done it 30+ times. The cost models, the EHR integration estimates, the AI-scribe pick — we will share the entire decision tree on the call.
Get a HIPAA-grade scoping call this week?
30 minutes, no slide deck. We’ll show you the build-vs-buy decision tree, give honest cost ranges, and tell you exactly which audit traps to dodge.

