Key takeaways
• Telehealth in 2026 is post-COVID stabilised. Reimbursement parity in most US states; Epic and Cerner integration patterns mature; AI scribe normalised; FHIR R5 the data standard. The early-2020s scramble is over — the platforms that survived are now in “build to scale” mode.
• HIPAA + SOC 2 Type 2 are contract-table-stakes. Hospital systems and payers will not sign without them. Architect compliance from day 1; retrofit costs 3×. See our companion HIPAA + SOC 2 deep-dive.
• FHIR R5 + SMART-on-FHIR is the EHR integration default. Epic AppOrchard, Cerner Code, Athena Marketplace all support it. DIRECT messaging for cross-organisation referrals. Skipping FHIR makes you uncompetitive at enterprise sales.
• MVP ships in 5–7 months. Discovery (4 weeks) + patient portal (10) + clinician portal (8) + video consult (6) + scheduling/billing (6) + HIPAA controls (parallel) = ~28 person-weeks of senior eng. With Agent Engineering and CirrusMED pattern reuse we typically deliver toward the lower end.
• AI scribe is the killer 2026 feature. Ambient documentation that drafts SOAP notes from the consult automatically. Reduces clinician documentation time 50–70 %; massive adoption-driver in 2025–2026.
Why Fora Soft wrote this playbook
Fora Soft has shipped 15+ telehealth and medical-translation projects since 2005. CirrusMED (HIPAA-compliant US telehealth, audit-ready in 9 months), TransLinguist (NHS UK medical interpretation), Hospital Phone Interpreter, plus several NDA telemental-health and chronic-care platforms.
Through 2024–2026 we have audited four telehealth platforms in due diligence and built three from scratch. The patterns in this guide come from those engagements, plus the public references — ONC SMART-on-FHIR specs, Epic AppOrchard, the 2024 HIPAA Security Rule update, US state reimbursement law.
If you are a telehealth founder raising Series A, a hospital system COO building patient portals, or an insurance product lead adding video consults, this guide gives you the architecture, the EHR integration reality, the MVP cost model and the build-vs-buy framework.
Need a telehealth architecture review?
Send us your spec, target patient volume and EHR integration needs. We will return a one-page reference architecture in 48 hours, free.
The 2026 telehealth landscape
Reimbursement parity. 47 US states have video-visit reimbursement parity with in-person visits as of 2026; the remaining 3 are partial. CMS extended pandemic-era flexibilities through 2027 for Medicare. The reimbursement question is settled in the US for general practice; specialty (psychiatry, behavioural health, chronic care) is treated favourably.
EHR integration normalised. Epic AppOrchard and Cerner Code Marketplace mature with hundreds of integrated apps. SMART-on-FHIR is the auth + EHR-launch pattern. ONC’s 2024 information-blocking rule + USCDI v3 force EHRs to expose patient data via FHIR R4 / R5.
HIPAA Security Rule 2024 update enforced in 2026. Encryption-at-rest, MFA and asset inventory moved from “addressable” to “required.” Vulnerability scanning and patch management mandatory on a defined schedule. Your 2022 telehealth posture needs a refresh.
AI scribe is mainstream. Abridge raised $300M in 2024; Suki, Nuance DAX, Augmedix all in production at hospital systems. Patient consent and PHI handling are the open challenges.
Twilio Programmable Video sunset (Dec 2024). Many telehealth platforms had to migrate. The 2026 video-stack default is Daily.co (BAA on Scale tier), Vonage, LiveKit OSS self-hosted, or self-hosted mediasoup. See our build vs buy SDK guide.
Reference architecture for a modern telemedicine platform
Figure 1. Modern telemedicine platform — portals, identity, services, video, EHR integration, encrypted storage, audit, BAA umbrella.
FHIR R5 / HL7 / SMART-on-FHIR integrations
FHIR (Fast Healthcare Interoperability Resources). The data standard for exchanging healthcare information. R5 is the 2026 default; R4 is still widely deployed. Resources include Patient, Encounter, Observation, Condition, MedicationRequest, AllergyIntolerance, DocumentReference. Your platform reads and writes these against the EHR.
HL7 v2. The legacy standard. Many EHRs still use v2 messages for ADT (admit/discharge/transfer), ORM (orders), ORU (results), SIU (scheduling). You will integrate via HL7 v2 even when FHIR is available, because billing and lab feeds often go through v2 first.
SMART-on-FHIR. Auth + launch pattern. Your app launches inside the EHR’s patient context, gets an OAuth 2.0 token scoped to that patient’s data, reads/writes via FHIR. Epic AppOrchard, Cerner Code, Athena Marketplace, Allscripts Developer Programme all use this pattern.
DIRECT messaging. The encrypted email standard for cross-organisation healthcare communication. Used for referrals, care summaries, lab orders. Required for Meaningful Use compliance.
EHR-specific tooling. Epic provides Hyperdrive Web Services (Caboodle, Reporting Workbench, Bridges interfaces). Cerner provides Millennium FHIR. Athena provides athenahealth Marketplace API. Each has nuances; FHIR R5 is the closest thing to a common denominator.
Video stack — SFU, BAA-covered SDKs, recording
The 2026 video-stack options for HIPAA telehealth:
Daily.co (BAA on Scale tier). Strong telehealth focus, clean API, good React/iOS/Android SDKs. Pricing $0.004–$0.008/min for HD video. Best when time-to-market matters and your volume is <100k mins/mo.
Vonage Video API (BAA inclusive). Established BAA, ex-TokBox lineage. $0.00395/min including HD. Good for traditional telehealth deployments.
LiveKit OSS self-hosted. Same SDK as LiveKit Cloud, runs in your VPC. No BAA negotiation needed since you own the deployment. Best at >100k mins/mo or strict data residency.
Self-hosted mediasoup. Battle-tested SFU, full control, smaller operational footprint than LiveKit. Best when you need bespoke transport behaviour.
Twilio Programmable Video. Sunset Dec 2024. Migrate.
Recording. All recording is PHI — encrypted at rest with customer-managed KMS keys, 6-year retention minimum, audit log on every access. Recording infrastructure is often more complex than the live consult itself.
Patient portal vs clinician portal — different NFRs
Patient portal. High volume, low session frequency, mobile-first, public-internet, low tolerance for friction. NFRs: <3 s page load on 4G, single-tap join consult, MFA via SMS or app, accessibility WCAG 2.2 AA, offline gracefully (poor coverage scenarios).
Clinician portal. Lower volume, longer sessions, desktop-first, often inside EHR via SMART launch, high tolerance for clinical-density UI. NFRs: rapid switching between patients, sub-second EHR data fetch, integrated SOAP-note editor, AI scribe, prescription routing.
Admin portal (often forgotten). Practice management, scheduling templates, provider credentialing, billing reports. Lower volume but operationally critical — without it, the practice cannot run.
AI scribe and ambient documentation
AI scribe is the killer 2026 feature for clinician adoption. The pattern: ambient audio capture during the consult; speech-to-text via HIPAA-eligible STT; LLM drafts SOAP note, problem list, billing codes; clinician reviews and signs. Reduces documentation time 50–70 %.
Vendors. Abridge ($300M raised), Suki, Nuance DAX (now part of Microsoft), Augmedix. Or build custom on Azure OpenAI text endpoints (HIPAA-eligible) + Azure Speech / AWS Transcribe Medical / Google Cloud STT (all BAA-eligible). Note OpenAI Realtime audio modality is NOT yet HIPAA-covered — see our OpenAI Realtime guide.
Patient consent. Recording consent disclosure required at consult start. Pattern: explicit on-screen disclosure + audible announcement + recorded patient acknowledgment.
PHI handling. Audio capture contains PHI by definition. Storage, transcription, summarisation all happen inside the BAA boundary. Logs and AI prompts are PHI-adjacent — redact before any external service touches them.
Reimbursement and billing integration
CPT codes for telehealth. 99201–99205 (new patient), 99211–99215 (established patient) with modifier 95 (synchronous via interactive audio + video). 99441–99443 for telephone-only. State-specific variations apply.
Eligibility checks. Real-time insurance eligibility verification before the consult — via Change Healthcare, Availity or vendor-specific clearinghouses. Failed eligibility = patient self-pay or rescheduling.
Claims submission. Most platforms hand off to an existing PMS (NextGen, AdvancedMD, Athena) for claims. Direct claims submission via 837P (Professional) or Change Healthcare APIs is possible but rare for first-MVP scope.
Self-pay flow. Stripe / Square / vendor-specific. Patient pays at booking; refund flow on cancellation. Surprisingly common for cash-pay specialty practices (mental health, dermatology).
MVP cost & timeline — 4 phases
| Phase | Weeks | Deliverables | Person-weeks |
|---|---|---|---|
| Discovery | 1–4 | Architecture, NFR spec, EHR integration design, HIPAA gap assessment | 8 |
| Patient portal | 5–14 | Web + iOS + Android · booking + consult + records | 22 |
| Clinician portal + EHR | 8–16 | Web · consult · SOAP · FHIR R5 read/write · SMART launch | 14 |
| Video + scheduling + billing | 10–20 | SFU integration · recording · reminders · PMS handoff | 21 |
| + HIPAA controls (parallel) | All | Encryption + KMS + audit log + MFA + BAAs signed | 6 |
| Total | ~24 | ~71 person-weeks ≈ 5–7 calendar months with team of 4 |
At a typical mid-tier blended rate, this lands roughly $250–$420k. With our Agent Engineering pattern reuse from CirrusMED, we typically deliver toward the lower end. AI scribe adds roughly 10 person-weeks if shipped in the MVP; usually deferred to v2.
Building a telemedicine platform in 2026?
Send us your spec and target patient volume. We will return a one-page architecture, MVP cost forecast and 24-week plan in 48 hours, free.
Vendor build vs buy
BAA-covered SDKs (Daily, Vonage). Fastest time-to-market. Pre-built consent flows, recording, transcription. Per-minute pricing scales linearly. Best when scope is well-defined and below 100k mins/mo.
Full-stack telehealth platforms (eVisit, Doxy.me, Mend). Cheapest path for a small practice that just needs to start consulting. White-label-ish; no real differentiation. Wrong if you are building a product.
Custom on top of LiveKit OSS / mediasoup. Full control. Best for vertical-specific workflows (telemental health, chronic care, specialty practice with unique consult flow), enterprise contracts that demand customer-managed keys, or volumes >100k mins/mo where SDK fees dominate.
Hybrid. Custom UI + EHR integration on top of a BAA-covered SDK. Common for Series-A telehealth startups: ship fast on Daily.co, migrate to self-hosted at scale.
Mini case — CirrusMED audit-ready in 9 months
A US telehealth client (NDA, architecture similar to CirrusMED) approached us in early 2025 with a working MVP, two enterprise hospital systems in pilot, and SOC 2 + HIPAA contract requirements.
The 9-month plan. Months 1–3: replatformed the SFU from Twilio Programmable Video (sunset) to self-hosted mediasoup in their AWS VPC; customer-managed KMS keys; MFA via Auth0; audit log to dedicated CloudWatch with 6-year retention. Added FHIR R5 read/write against the pilot Epic instance via SMART-on-FHIR. Months 4–6: Drata integration for SOC 2 evidence collection; Compliancy Group HIPAA risk assessment; two pentest cycles; internal policy library. Months 7–9: SOC 2 Type 1 audit with Schellman; HIPAA self-attestation; cutover and go-live.
Outcome. Audit-ready in month 9 (target was 12). SOC 2 Type 2 attestation in month 15. Two pilot hospital systems converted to multi-year contracts based on the report. Book a 30-min call for a similar plan.
A decision framework — pick stack in five questions
Q1. Who is the buyer — consumer, practice, or hospital system? Consumer: lighter compliance, fast UI. Practice: PMS integration mandatory. Hospital system: full FHIR + SMART-on-FHIR + SOC 2 + HIPAA + multi-year contracts.
Q2. EHR integration depth? No EHR: faster MVP, narrower addressable market. Read-only: SMART-on-FHIR launch + read patient context. Read/write: full integration, longer build, larger market.
Q3. Volume profile in 12 months? <100k mins/mo: BAA-covered SDK. 100k–1M: hybrid. >1M: self-hosted SFU.
Q4. Specialty or general practice? Specialty (mental health, derm, chronic care) often needs vertical workflow customisation; general practice closer to off-the-shelf.
Q5. AI scribe in MVP or v2? v2 is more common — defer until core consult flow is validated. MVP-inclusive only if AI scribe is the key differentiator.
Pitfalls to avoid
1. Skipping HIPAA design from day 1. Retrofitting compliance costs 3×. Architect encryption, MFA, audit log, BAA chain into the very first commit.
2. Using OpenAI Realtime for AI scribe without a chained pipeline. The Realtime audio modality is NOT covered under BAA in 2026. Use chained STT (Azure Speech / AWS Transcribe Medical) + text LLM (Azure OpenAI) + TTS for HIPAA-eligible flow.
3. Ignoring 2024 Security Rule update. Encryption-at-rest, MFA, asset inventory all moved from “addressable” to required. Vulnerability management on a defined cadence is mandatory. Update your 2022 posture before next audit.
4. Building scheduling from scratch. Calendly, Calendly Health, NexHealth, Mend — mature scheduling APIs exist. Build only when your scheduling has unique constraints (provider templates, multi-location routing, insurance pre-auth).
5. Forgetting accessibility. WCAG 2.2 AA at minimum. Healthcare patients skew older; accessibility is not optional. Section 508 compliance for any US federal sales.
KPIs to measure
Quality KPIs. p95 video-consult connection time (<2.5 s). Glass-to-glass latency (<1 s). EHR query response (<500 ms). Audit log delivery 100 %.
Business KPIs. Consult completion rate (target: >95 %). Patient no-show rate (target: <15 %). Clinician adoption of AI scribe (target: >70 % within 90 days). Average reimbursement-to-payment cycle (target: <30 days).
Reliability KPIs. 99.95 % availability during clinician hours; 99.9 % off-hours. Recording integrity (target: 100 % successful capture, 0 loss).
FAQ
How long does it take to integrate with Epic?
Epic AppOrchard listing: 6–12 months from first application to live in customer Epic instance. SMART-on-FHIR integration with a single Epic site (without AppOrchard listing): 2–3 months. Most startups do single-site SMART integration first, AppOrchard listing later.
Daily.co or Vonage for HIPAA video?
Both sign BAAs and are widely used in telehealth. Daily.co has cleaner developer experience and stronger telehealth focus; Vonage has longer track record from TokBox lineage. Pricing comparable. We default to Daily.co for new builds; Vonage if your team has existing TokBox/Vonage code.
Can I use OpenAI Realtime for AI scribe?
As of 2026, the OpenAI Realtime API audio modality is NOT covered under BAA — do not use for PHI. Use a chained pipeline: HIPAA-eligible STT (Azure Speech, AWS Transcribe Medical) + Azure OpenAI text endpoints (BAA-eligible) + TTS. See our OpenAI Realtime guide.
What about FHIR R4 vs R5?
R5 is the 2026 default for new builds. R4 is widely deployed and many EHRs still expose only R4. Build for R5 with R4 fallback — the differences are mostly resource-level additions, not breaking changes. The transition is gradual; expect to support both for several years.
How does telehealth reimbursement work post-COVID?
CMS extended Medicare flexibilities through 2027. 47 of 50 US states have payer parity for synchronous video. CPT 99201–99215 with modifier 95 are the workhorses. State-by-state variations apply — consult an RCM expert when scoping insurance flow.
DIY EHR integration vs hire a specialist?
SMART-on-FHIR auth + basic FHIR read/write: doable in-house with strong dev team. Epic AppOrchard certification, Cerner Code Marketplace listing, edge cases on legacy EHRs (eClinicalWorks, NextGen): specialist help saves 2–4 months. Redox / Particle Health / Health Gorilla offer EHR-integration-as-a-service for non-FHIR-mature EHRs.
Should I build for iOS, Android, or web first?
Patient portal: web mobile-first usually wins (no app-store friction). iOS second if your demographic skews iPhone. Android third unless you serve specific markets. Clinician portal: web only. Practice management: web only. Build the full mobile app once you validate web mobile usage.
What is SMART-on-FHIR launch?
An OAuth 2.0 + OpenID Connect pattern that lets your app launch inside the EHR’s patient context. Clinician clicks a button in Epic; your app opens in an iframe or new window with a token scoped to the current patient’s data. The 2026 standard pattern for telehealth EHR integration.
What to Read Next
Compliance
HIPAA + SOC 2 Deep-Dive
Compliance architecture for telehealth in detail.
Voice AI
OpenAI Realtime: HIPAA Catch
Why audio modality is not BAA-covered.
Architecture
Build vs Buy Video SDK
Daily/Vonage/LiveKit OSS comparison.
NFR
NFR Checklist
Telehealth NFR worked example.
Estimation
CTO’s Estimation Guide
Project estimation framework with telehealth example.
Ready to ship a 2026-grade telemedicine platform?
Post-COVID telehealth has stabilised. Reimbursement parity in 47 US states; FHIR R5 + SMART-on-FHIR mature; AI scribe normalised; HIPAA Security Rule 2024 update enforced. The architecture pattern is well understood: portals + identity + services + video + EHR integration + encrypted storage + audit, all under a BAA umbrella.
MVP ships in 5–7 months at $250–$420k. AI scribe is v2 unless it is your differentiator. EHR integration depth determines addressable market — SMART-on-FHIR is the entry bar; AppOrchard listing is the enterprise unlock.
Want a 24-week telehealth shipping plan?
Send us your spec and target market. We will return architecture, EHR plan, and cost forecast in 48 hours, free.
.avif)
Comments