This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

If you are a founder or product lead scoping a teledermatology, digital wound-care, or teleophthalmology product, you are entering the one corner of telemedicine where a blurry, badly lit, or mis-stored image is not a usability complaint — it is a missed melanoma, an untracked wound, or an undetected case of blindness-causing eye disease. These verticals also contain the clearest example in all of healthcare of when an artificial-intelligence feature becomes a regulated medical device, which is the difference between a six-week build and a multi-year clearance program. This article gives a non-technical product owner the vocabulary to make build-versus-buy decisions, talk to engineers and auditors, and avoid the four mistakes that sink these products: under-spec'd capture, an unprotected image store, the wrong billing code, and an accidental medical device.

Three specialties, one defining trait

Dermatology (skin), wound care, and ophthalmology (eyes) share a property that sets them apart from a routine video visit for a cold: the diagnostic information lives in an image, not in a conversation. A general telemedicine call can tolerate a slightly soft video feed because the doctor is mostly listening. A teledermatology consult cannot, because the doctor is counting the asymmetry, border, and color of a mole that may or may not be cancer.

That single trait cascades into every product decision. It raises the bar on the camera and the lighting. It pushes most of the work into asynchronous "store-and-forward" mode rather than live video. It pulls in image-storage and interoperability standards that a chat-and-video product never touches. And it draws a bright regulatory line the moment you let software interpret the picture instead of merely showing it.

[Table: dermatology, wound care, and ophthalmology by modality, diagnostic element, capture device, and regulatory flag.]
Figure 1. The three visual specialties at a glance. The common thread: something in the frame must be diagnostic-grade, and that requirement drives the rest of the build.

Before going further, two plain-language definitions. Store-and-forward — also called asynchronous telemedicine — means the patient or a local clinician captures images (and a short history) at one time, and a specialist reviews them later, with no live call. Think of it as certified mail for medical photos rather than a phone conversation. Synchronous care is the live video visit you already picture. These three specialties lean heavily on store-and-forward, and the rules for it differ from live video — a distinction we cover in depth in synchronous, asynchronous, and remote patient monitoring.

Image quality is a compliance artifact, not a UX nicety

In these verticals, "make the photo look nice" is the wrong framing. The right framing is: the capture must be good enough for a specialist or an algorithm to make a clinical decision, and that threshold is published.

For skin, the American Academy of Dermatology's teledermatology standards recommend a camera with a minimum resolution of 800 × 600 pixels for both store-and-forward and live-interactive use, and for live use a connection faster than 384 kilobits per second. The same standards require that the platform itself be HIPAA-compliant and, for store-and-forward, use 128-bit encryption with authentication. These are not aspirations; they are the floor a board-certified dermatologist expects before reading your images.

Resolution alone is not enough. The International Skin Imaging Collaboration (ISIC) — which maintains the largest public archive of quality-controlled skin images, over 1.2 million of them — defines acquisition standards that explicitly include pose, orientation, lighting, magnification, and "size and color calibration markers." In plain terms: a ruler and a color reference in the frame, and consistent lighting, so that two photos of the same wound taken three weeks apart can actually be compared. A skin image without a known scale and a known color is a pretty picture, not a measurement.

Wound care makes this concrete. A clinician tracking a pressure ulcer needs length, width, depth, total area, and the color breakdown of the tissue, measured the same way every visit. Vendors in this space — Net Health's Tissue Analytics, Swift Medical's Skin & Wound — build smartphone capture with machine-vision measurement precisely because eyeballing a wound from a casual photo is not reproducible. Tissue Analytics reports under 5% measurement error against a physical ruler (a vendor claim, worth independent validation), and it has an FDA Breakthrough Device designation for its AI measurement, which tells you the agency considers automated wound measurement a device-adjacent function, not a cosmetic feature.

Ophthalmology is the strictest of the three. The flagship use case is diabetic retinopathy screening — checking the back of the eye for the damage diabetes causes, a leading cause of blindness that is preventable if caught early. The FDA-cleared autonomous systems are validated only with specific retinal cameras: the IDx-DR system (now branded LumineticsCore) was cleared with the Topcon NW400, and Eyenuk's EyeArt with the Canon CR-2 AF and CR-2 Plus AF. The lesson for builders is uncomfortable but important: when an algorithm is involved, the camera is not a swappable accessory. The hardware and the software are cleared together, as one system.

For the live-video side of these specialties — when a dermatologist does want a real-time look — the quality bar is higher than for a routine consult, and we cover how to budget for it in latency and quality: the clinical "good enough" bar.

The regulatory tripwire: display versus diagnose

This is the most important paragraph in the article, so we will define every term before using it.

Software as a Medical Device (SaMD) is software that performs a medical function on its own, without being part of a physical device. The FDA regulates it. Medical Device Data Systems (MDDS) are, roughly, software that only transfers, stores, converts, or displays medical data — including medical images — without analyzing them. Since the 21st Century Cures Act of 2016 (Section 3060), pure MDDS functions are not regulated as devices. The line between the two is the line between a product you can ship this quarter and a product that needs FDA authorization first.

Here is the rule of thumb. If your software moves, stores, or shows a dermatology photo or a retinal scan to a human who makes the call, you are most likely in non-device territory. The moment your software interprets the image and outputs a diagnostic or screening result, you have probably built a regulated medical device.

[Decision tree: transmitting or displaying images is non-device MDDS; interpreting or diagnosing is a regulated FDA device.]
Figure 2. The tripwire. "Display and transmit" stays out of device regulation; "interpret and diagnose" crosses into it. Autonomous retinal-screening AI is the canonical example of the far side.

The cleanest example in medicine is autonomous diabetic-retinopathy AI. In April 2018, IDx-DR became the first medical device the FDA ever authorized through its De Novo pathway for an autonomous AI diagnosis — authorization number DEN180001, which created a new device regulation, 21 CFR 886.1100, for "retinal diagnostic software." The FDA's own description is the device-defining sentence: it is "the first device authorized for marketing that provides a screening decision without the need for a clinician to also interpret the image or results." In its pivotal study of 900 patients with diabetes across 10 primary-care sites, it correctly flagged more-than-mild retinopathy 87.4% of the time and correctly cleared healthy eyes 89.5% of the time.

A second system, Eyenuk's EyeArt, was cleared via the 510(k) pathway (clearance K200667) in August 2020, the first autonomous AI cleared to detect both more-than-mild and vision-threatening retinopathy in one test, reporting 96% sensitivity and 88% specificity for the former. By 2024 the FDA had cleared the first fully autonomous system for a handheld, portable camera. The pattern across all of them is identical: because the software returns a screening decision a clinician does not re-read, it is a device, full stop.

What pushes software across the line is not just "it uses AI." The FDA's Clinical Decision Support guidance, finalized on September 28, 2022, leans on two ideas: automation bias — people's tendency to over-trust a confident machine — and time-critical decisions. Software that hands a clinician a specific diagnostic directive they are expected to act on, without being able to independently review the reasoning, looks like a device. Software that surfaces information for a clinician who still does the interpreting can stay a non-device. We unpack this boundary for AI features generally in the compliance and safety layer for clinical AI, and the model-engineering side lives in the AI section's fine-tuning a vision model on a clinical domain.

The store-and-forward pipeline, and where PHI lives

Because so much of this care is asynchronous, your architecture is really an image pipeline: capture, upload, store, review, report. Every hop carries Protected Health Information (PHI) — any health data tied to an identifiable person — and a medical image is unusually identifying. A face, a distinctive tattoo, an iris pattern, and the metadata embedded in the file (the EXIF block that records the phone model, the timestamp, and often GPS coordinates) can each identify the patient on their own.

[Diagram: store-and-forward flow of capture, encrypted upload, image store, reviewer or autonomous AI, and report to EHR, inside a HIPAA boundary.]
Figure 3. The store-and-forward pipeline as a compliance boundary. Every component that can see the image needs a signed BAA, and every hop crossing the boundary is encrypted.

Three rules govern this pipeline, and all three trace back to the HIPAA Security Rule and Privacy Rule.

First, encryption. Under 45 CFR 164.312(a)(2)(iv), encrypting electronic PHI is an "addressable" specification — which sounds optional but is not. Addressable means you either implement it or document a defensible reason you did something equally protective; for images sitting in cloud storage, there is no defensible reason not to encrypt. Stored images must be encrypted at rest, and uploads must be encrypted in transit. We cover the mechanics in encryption in transit, at rest, and end-to-end.

Second, the Business Associate Agreement, or BAA — the signed contract that lets an outside vendor handle patient data, the equivalent of the promise a contractor signs before getting a key to the building. Every component that can see the image needs one: the cloud image store, the AI vendor that reads retinas, the EHR you push the report into. Encryption and a BAA are separate requirements — encrypted-but-un-BAA'd is still a violation. This is the foundation laid out in HIPAA for telemedicine product teams.

Third, de-identification is harder than it looks for images. HIPAA's de-identification standard, 45 CFR 164.514, offers two methods: an expert statistical determination, or the "Safe Harbor" method of stripping 18 specified identifiers. Both assume you can remove identifiers from a record. But a clinical photograph of a face, or a retinal scan that captures a uniquely patterned iris, is the identifier — you cannot strip it without destroying the clinical content, and Safe Harbor explicitly names "full-face photographs and any comparable images." So "we will just anonymize the images for analytics" is usually wishful thinking. Treat clinical images as identifiable by default; we go deeper in de-identification and analytics on health data.

A note on interoperability: ophthalmology imaging is natively stored in DICOM (the NEMA PS3 standard that radiology has used for decades), and dermatology is migrating toward it — DICOM Working Group 19 develops the supplements for dermoscopy and total-body photography. If your product needs to exchange images with hospital systems, plan for DICOM, not just JPEGs in a bucket.

Common mistake: the un-BAA'd image bucket and the accidental device

The two failures we see most often in this space sit at opposite ends of the pipeline. At the storage end: a team stands up a slick capture app, then dumps high-resolution clinical photos — faces and all — into a general-purpose cloud bucket or a consumer photo SDK with no signed BAA, often with EXIF GPS still embedded. That is unencrypted-or-uncovered PHI, and it is the most common HIPAA breach pattern in imaging. At the analysis end: a team adds a "helpful" feature that scores a mole's risk or auto-measures a wound and shows the patient a result, not realizing they have just built an unauthorized diagnostic device. Both mistakes are cheap to avoid at design time and ruinous to fix after launch.
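An intake check for the EXIF and capture-resolution points above, added here as an example (it is not Fora Soft's code): it walks a JPEG's segments to flag an embedded GPS pointer and a frame below the 800 × 600 floor, then removes EXIF before the file reaches the image store. The function names and the constructed sample file are assumptions for illustration.

```python
import struct

MIN_LONG, MIN_SHORT = 800, 600   # AAD floor; assumes portrait 600x800 also passes
GPS_IFD_TAG = 0x8825             # EXIF IFD0 tag that points at the GPS block

def _segments(jpeg):
    """Yield (marker, start, end) for each segment; the scan runs to EOF."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos] != 0xFF or length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("malformed segment header")
        if marker == 0xDA:           # start of scan: image data follows
            yield marker, pos, len(jpeg)
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _has_gps(tiff):
    """True if the TIFF/EXIF IFD0 carries a pointer to a GPS sub-IFD."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(e + "I", tiff[4:8])
    # An out-of-range IFD offset pads to an entry count of zero.
    (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\x00"))
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]
    return any(struct.unpack(e + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 11, 12))

def inspect(jpeg):
    """Report dimensions, EXIF/GPS presence, and the resolution floor."""
    info = {"width": None, "height": None, "exif": False, "gps": False}
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            info["exif"] = True
            info["gps"] = info["gps"] or _has_gps(body[6:])
        elif 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            info["height"], info["width"] = struct.unpack(">HH", body[1:5])
    dims = sorted(d for d in (info["width"], info["height"]) if d)
    info["meets_floor"] = (len(dims) == 2 and dims[0] >= MIN_SHORT
                           and dims[1] >= MIN_LONG)
    return info

def strip_metadata(jpeg):
    """Drop APP1 (EXIF/XMP) and COM segments; keep ICC and pixel data."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if marker not in (0xE1, 0xFE):
            out += jpeg[start:end]
    return bytes(out)

def sample_jpeg(width, height):
    """Constructed header skeleton (not a viewable photo) with a GPS pointer."""
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    tiff = (b"MM\x00\x2a" + struct.pack(">IH", 8, 1)
            + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + bytes(10))
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xC0, sof)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9")
```

Stripping EXIF also discards the orientation tag, so apply any rotation to the pixels before this step.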

Reimbursement: who interprets decides the code

For these specialties, billing is unusually tied to the architecture, because the code you can bill depends on who or what does the interpreting — the same question that sets your regulatory class.

[Diagram: who interprets sets the code: staff 92227, physician 92228, autonomous AI 92229, plus e-visit and remote-evaluation codes.]
Figure 4. In retinal imaging, the interpreter determines the code. The autonomous-AI code, 92229, exists precisely because a machine — not a clinician — reads the image.

Retinal imaging shows the logic cleanly. There are three sibling CPT codes. Code 92227 covers remote imaging where staff (not a physician) review and report. Code 92228 covers remote imaging with physician review. And code 92229 — created for 2021 — covers "point-of-care automated analysis," meaning the autonomous algorithm interprets the image and issues the report with no physician reading it. The Centers for Medicare and Medicaid Services (CMS) set a national Medicare payment rate for 92229 in the Calendar Year 2022 Physician Fee Schedule, which means the U.S. payer system formally recognized autonomous AI as a billable diagnostic act. Who interprets sets both the device classification and the billing code — the single most useful unifying idea in this whole article.

Store-and-forward reimbursement has a more cautious history. Medicare historically paid for asynchronous store-and-forward only inside Alaska and Hawaii federal demonstration programs, pushing dermatology and other image-based specialties to lean on e-visit codes (99421 through 99423, for asynchronous patient-initiated digital evaluations) and the remote image-evaluation code G2010. The CY 2026 Physician Fee Schedule (CMS-1832-F, published November 2025) continued to streamline the telehealth list and set the originating-site facility fee at $31.85. Reimbursement rules are jurisdictional and change yearly, so confirm the current state of store-and-forward parity for your payers and states; the structural picture is in reimbursement rules that shape the product.

Here is the arithmetic that makes the screening case work despite modest per-read payment. Diabetic retinopathy screening exists because roughly half of people with diabetes skip their annual eye exam, and diabetic patients outnumber U.S. ophthalmologists by on the order of 1,600 to 1. If a primary-care clinic screens 1,000 diabetic patients a year with an autonomous system at a Medicare rate near $45 per read, that is about 1,000 × $45 = $45,000 in screening revenue the clinic could not previously capture, plus the downstream value of catching disease early — without adding an ophthalmologist to the staff. The unit economics, not the novelty, are why this category exists.

Where Fora Soft fits in

Fora Soft has built real-time video, streaming, and AI-enabled media products since 2005, including telemedicine platforms, and these visual specialties sit squarely where our experience concentrates: high-fidelity capture and streaming, an encrypted media pipeline, and the compliance boundary around it. The requirement comes first — diagnostic-grade images inside a HIPAA boundary, with a clear line between displaying an image and interpreting it — and the capability follows: standards-based capture, BAA-covered storage, DICOM exchange where the hospital needs it, and AI features wired so that a regulated-device decision is made deliberately, not by accident. We build the pipeline; the clinical interpretation and any FDA pathway stay with you and your regulatory advisors.

References

  1. American Academy of Dermatology, "Teledermatology Standards" (doc 21-762-DC) — minimum 800×600 capture resolution, 128-bit encryption for store-and-forward, HIPAA-compliant platform, board-certified reader. Tier 5. https://assets.ctfassets.net/1ny4yoiyrqia/595kopCF5lW6B72fXh06Bj/685491f27cb07488b2e54c347e28bacb/AAD-Teledermatology-Standards.pdf
  2. U.S. FDA, De Novo classification DEN180001 (IDx-DR), granted 2018-04-11; created 21 CFR 886.1100, product code PIB. Tier 1. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpmn/denovo.cfm?id=DEN180001
  3. U.S. FDA, "FDA permits marketing of artificial intelligence-based device to detect certain diabetes-related eye problems," 2018-04-11 — "screening decision without the need for a clinician to also interpret"; 87.4% sensitivity / 89.5% specificity; 900 patients, 10 sites. Tier 1/2. https://www.fda.gov/news-events/press-announcements/fda-permits-marketing-artificial-intelligence-based-device-detect-certain-diabetes-related-eye
  4. eCFR, 21 CFR 886.1100 — Retinal diagnostic software device, Class II special controls. Tier 1. https://www.ecfr.gov/current/title-21/section-886.1100
  5. eCFR, 45 CFR 164.312 — Technical safeguards; (a)(2)(iv) encryption/decryption (addressable). Tier 1. https://www.ecfr.gov/current/title-45/section-164.312
  6. eCFR, 45 CFR 164.514 — De-identification standard; Safe Harbor names full-face photographs and comparable images. Tier 1. https://www.ecfr.gov/current/title-45/section-164.514
  7. U.S. FDA, Clinical Decision Support Software — Final Guidance, issued 2022-09-28 (automation bias; non-device CDS criteria). Tier 2. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
  8. U.S. FDA, Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices guidance — MDDS / image storage and display are non-device functions (21st Century Cures Act §3060, 2016). Tier 2. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/medical-device-data-systems-medical-image-storage-devices-and-medical-image-communications-devices
  9. Eyenuk, "EyeArt FDA Clearance" — 510(k) K200667, 2020-08-05; mtmDR 96% sensitivity / 88% specificity; cleared with Canon CR-2 AF / CR-2 Plus AF. Tier 4 (K-number citable in FDA 510(k) database). https://www.eyenuk.com/us-en/articles/news/eyenuk-announces-eyeart-fda-clearance/
  10. International Skin Imaging Collaboration (ISIC) Archive — 1.2M+ images; Technique Working Group acquisition standards (lighting, size and color calibration markers); DICOM Working Group. Tier 5. https://www.isic-archive.com/
  11. CMS, "Calendar Year 2026 Medicare Physician Fee Schedule Final Rule (CMS-1832-F)" — telehealth list streamlining; originating-site facility fee $31.85. Tier 2. https://www.cms.gov/newsroom/fact-sheets/calendar-year-cy-2026-medicare-physician-fee-schedule-final-rule-cms-1832-f
  12. DICOM Standards Committee / NEMA, Working Group 19 (Dermatologic Standards) — visible-light dermatology supplements (dermoscopy, total-body photography). Tier 1. https://www.dicomstandard.org/activity/wgs/wg-19
  13. AAPC, CPT 92229 — point-of-care automated analysis and report; distinct from 92227 (staff) and 92228 (physician). Tier 6 (AMA CPT is the primary owner). https://www.aapc.com/codes/cpt-codes/92229
  14. Net Health, "Tissue Analytics granted FDA Breakthrough Device status," 2022 — AI wound measurement; vendor-reported <5% error vs ruler. Tier 4. https://www.prnewswire.com/news-releases/net-healths-tissue-analytics-for-wound-care-granted-breakthrough-device-status-by-fda-301560059.html
  15. JMIR Dermatology, store-and-forward vs face-to-face teledermatology concordance review (≈79–94% by condition). Tier 5. https://derma.jmir.org/2022/3/e37517

Where sources disagreed, the official rule or FDA order governed: the device classifications and CFR text (refs 2–8) override any vendor or coding-site paraphrase (refs 9, 13, 14). The autonomous-AI sensitivity/specificity figures come from FDA-order and pivotal-trial sources, not marketing pages.