This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.
Why this matters
If you are a founder or product lead planning a telemedicine product, "telemedicine app" is not a product definition — it is four different products wearing the same name. Each shape has a different buyer, a different payment flow, a different compliance center of gravity, and a different engineering priority list, so a pitch deck that mixes them gets mis-priced and mis-built. Investors and hospital procurement teams classify you in the first five minutes; you should classify yourself first. This article gives you the four-shape map, what each shape demands from architecture and compliance, and a worksheet to scope your own product. It builds on the vocabulary article and why telemedicine video is harder than a normal video call.
The four shapes, in one view
A telemedicine product is defined less by its features than by its answer to one question: who pays, and for whom? Four stable answers have emerged in the US market, and almost every product you can name is one of them — or a deliberate hybrid.
Direct-to-consumer (DTC): the patient pays the platform directly — a subscription, a per-visit fee, or a bundled medication price. Hims & Hers, Ro, and the virtual urgent-care arms of retail brands work this way. Even health systems now run DTC offers: Rush University System for Health sells a $19-per-month (or $189-per-year) virtual-care membership with 24/7 urgent care [9].
B2B2C: a business buys access on behalf of its population — an employer for its employees, a health plan for its members. The patient often pays little or nothing per visit; the platform is paid per covered member. Teladoc Health's Integrated Care segment is the reference case: roughly 102 million US members had access to one or more of its services as of December 31, 2025, sold almost entirely through employers and insurers [8].
Hospital / health system: the platform extends an existing provider organization. The health system is the buyer, its clinicians deliver the care, and the video visit must live inside the system's EHR workflow. This is now table stakes: about 87% of US hospitals offered some form of telemedicine in 2024, up from 72.6% in 2018 [10]. Epic, the dominant US hospital EHR vendor, even ships a native video-visit capability built on Twilio's programmable-video service, so "telehealth" increasingly means a button inside the chart, not a separate app [11].
Specialty: the platform is built around one clinical domain — mental health, dermatology, chronic-care management, physical therapy — and its workflow follows that domain's clinical and regulatory logic. Specialty platforms can sell DTC, B2B2C, or to systems; what defines them is the depth of the clinical model, not the sales channel. Mental and behavioral health is the anchor example: it holds the highest telehealth utilization of any specialty, around 28.2% of visits as of December 2025 [12].
Figure 1. The four product shapes. The defining question is not the feature list — it is who pays, and for whom.
A useful test: describe your product in one sentence that names the payer. "Patients pay us $39 per visit" is DTC. "Employers pay us per employee per month" is B2B2C. "The hospital licenses our platform for its own clinicians" is hospital. "We treat one condition end-to-end" is specialty, and the same sentence then needs a second clause naming the channel.
DTC: the consumer product that happens to be healthcare
A DTC telemedicine platform is, commercially, a consumer subscription business. Hims & Hers — the largest pure-play example — expected $2.3–2.4 billion in 2025 revenue from more than 2 million subscribers, with over 90% of revenue recurring [13]. The product loop is conversion-driven: a visitor lands from an ad, completes an intake form, is connected to a clinician, and leaves with a treatment plan — often a recurring medication shipment.
That commercial logic dictates the engineering priorities. The funnel must convert, so onboarding is measured in seconds and drop-off is tracked per screen. The visit itself is often asynchronous (a questionnaire reviewed by a clinician) with video reserved for cases that need it — which is why DTC urgent care leans on queue management and fast triage rather than scheduled appointments. Identity is consumer-grade at signup but must still satisfy clinical requirements before prescribing; roles, identity, and consent covers that ladder.
Two structural facts about DTC catch teams by surprise.
First, the legal structure is usually two companies, not one. Most US states prohibit corporations from employing physicians to practice medicine — the corporate-practice-of-medicine (CPOM) doctrine. DTC platforms therefore typically run a "friendly PC" / management-services-organization (MSO) structure: physicians own a professional corporation (PC) that delivers care; the platform company acts as the MSO that provides technology, marketing, and administration under a management agreement [6]. Regulators in strong-CPOM states such as California, Texas, and New York increasingly examine whether the MSO functionally controls clinical decisions — protocols, visit frequency, prescription criteria [6]. For a product team this is not legal trivia: it means the clinical workflow engine and the consumer app may answer to two different masters, and feature decisions that touch clinical judgment belong to the PC's medical leadership.
Second, "cash-pay" does not mean "rule-free." A provider organization becomes a HIPAA covered entity when it conducts standard healthcare transactions electronically — billing insurers being the classic trigger (45 CFR §160.103) [2]. A purely cash-pay operation can sit outside HIPAA — and still be regulated: the Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318, amended 2024) covers health apps and personal-health-record vendors outside HIPAA, and the FTC has used its general deception authority against telehealth sellers — it finalized an order against weight-loss telehealth marketer NextMed in December 2025 [3][4]. The FDA, for its part, sent more than 100 warning letters to telehealth and compounding sellers over compounded GLP-1 marketing claims in 2025, and 30 more on March 3, 2026 [5]. DTC's compliance center of gravity is consumer-protection and advertising law as much as HIPAA — a different posture than any other shape. In practice most DTC platforms bill at least some insurance or run pharmacy transactions that put them inside HIPAA anyway; the safe engineering assumption is to build to HIPAA's technical-safeguard bar from day one.
B2B2C: selling to the payer, serving the member
In the B2B2C shape, the platform's customer is an employer, a health plan, or a benefits aggregator — and the patient is a member whose access is a negotiated benefit. The commercial unit is the covered life. Pricing is typically a per-employee-per-month (PEPM) fee, often with a per-visit fee on top; published employer-telehealth pricing runs from under $1 to roughly $15 PEPM depending on scope, with per-consult fees in the $40–75 range [14].
Walk through the arithmetic once, because it explains everything about how these products are built. Take a 10,000-employee customer at $3 PEPM:
- Platform revenue: 10,000 × $3 × 12 = $360,000 per year, paid regardless of use.
- If 6% of employees use the service once that year, that is 600 visits — the access fee alone works out to $360,000 ÷ 600 = $600 per visit.
- If utilization doubles to 12%, the per-visit economics halve to $300 — and the buyer's benefits team suddenly sees the line item as money well spent.
That is why B2B2C platforms obsess over utilization: registration campaigns, reminder flows, integrations into the employer's benefits portal, and quarterly reporting that proves engagement to the buyer. The engineering priorities follow: eligibility files (ingesting and reconciling the employer's roster, often a nightly flat file), single sign-on from benefits portals, multi-tenant configuration per client, and reporting pipelines that aggregate utilization without exposing any individual's care. The clinical network is usually national from day one, which makes cross-state licensing an operational system, not a formality — the Interstate Medical Licensure Compact, which expedites multi-state physician licensure, now counts 43 member states plus Washington DC and Guam [7].
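One way to build the buyer-facing utilization report described above so that it cannot single out an individual's care, shown as an added example that is not code from the article or from any platform it names. The tenant names, visit categories, and the minimum cell size of 11 are assumptions made for illustration.

```python
# Assumption: cells with fewer distinct members than this are withheld. The
# threshold is a policy choice for this example, not a value from the article.
MIN_CELL = 11


def sample_visits():
    """Constructed sample rows: (tenant_id, member_id, visit_category)."""
    rows = [("acme", f"a{i}", "urgent_care") for i in range(40)]
    rows += [("acme", f"a{i}", "dermatology") for i in range(40, 55)]
    rows += [("acme", f"a{i}", "behavioral_health") for i in range(55, 58)]
    rows += [("globex", f"g{i}", "urgent_care") for i in range(5)]
    return rows


def utilization_report(visits, eligible_counts, min_cell=MIN_CELL):
    """Build per-tenant utilization with small-cell suppression.

    eligible_counts maps tenant_id -> covered members from the eligibility
    file. Member IDs are used only for distinct counts and are never returned.
    """
    report = {}
    for tenant, eligible in eligible_counts.items():
        members_by_cat = {}
        for row_tenant, member, category in visits:
            if row_tenant == tenant:  # one tenant's rows per report, never mixed
                members_by_cat.setdefault(category, set()).add(member)
        cells = {cat: len(members) for cat, members in members_by_cat.items()}
        total_users = len(set().union(*members_by_cat.values()))

        if eligible <= 0 or total_users < min_cell:
            # Too few users: publish neither a count, a rate, nor a breakdown.
            report[tenant] = {"eligible": eligible, "users": None,
                              "rate_pct": None, "by_category": {}}
            continue

        hidden = {cat for cat, n in cells.items() if n < min_cell}
        if len(hidden) == 1 and len(cells) > 1:
            # Complementary suppression: with the total published, one hidden
            # cell can be recovered by subtraction, so hide the next-smallest.
            visible = sorted((n, cat) for cat, n in cells.items()
                             if cat not in hidden)
            hidden.add(visible[0][1])

        report[tenant] = {
            "eligible": eligible,
            "users": total_users,
            "rate_pct": round(100 * total_users / eligible, 1),
            "by_category": {cat: (None if cat in hidden else n)
                            for cat, n in sorted(cells.items())},
        }
    return report


if __name__ == "__main__":
    eligible = {"acme": 1000, "globex": 200}
    for tenant, row in utilization_report(sample_visits(), eligible).items():
        print(tenant, row)
```

In the constructed data the three behavioral-health users are withheld, and the dermatology cell is withheld with them so the hidden figure cannot be derived from the published total.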
Compliance-wise, the B2B2C platform almost always operates as a business associate of the plan (and as, or on behalf of, a provider organization for the care itself). The contract that lets a vendor handle patient data on a covered entity's behalf — the Business Associate Agreement (BAA) — is the commercial gate: no signed BAA, no deal. The platform in turn needs BAAs with every subcontractor that touches protected health information (PHI) — cloud, video infrastructure, transcription. The BAA article maps that chain. Procurement here also brings security questionnaires, SOC 2 reports, and penetration-test attestations — a sales cycle measured in months, not clicks.
Hospital and health system: the platform that lives inside the EHR
When the buyer is a hospital or health system, the product stops being a destination and becomes a capability inside an existing clinical operation. The clinicians are the system's own; the schedule is the system's master schedule; the documentation must land in the system's EHR. The integration article on Epic, Oracle Health, and athenahealth goes deep; the headline here is that the EHR is the center of gravity, and the video layer is judged by how invisibly it embeds — launch from the chart, write-back of visit notes, status events into the schedule. Epic's own native video offering exists precisely because systems want zero-friction launch from the workflow [11].
The patient-facing surface is usually the system's existing portal (Epic's MyChart being the canonical example), which constrains your UX freedom but solves enrollment: the health system already knows the patient. Identity is enterprise-grade on the clinician side — SSO against the hospital's identity provider, role-based access mapped to clinical roles — and audit expectations are the strictest of any shape, because the platform inherits the hospital's HIPAA compliance program and its auditors.
Two regulatory notes are specific to this shape. First, reimbursement matters more than anywhere else: hospital telehealth visits are largely billed to Medicare, Medicaid, and commercial insurance, so the product must capture whatever the billing rules require — and those rules carry expiry dates. Most pandemic-era Medicare telehealth flexibilities currently run through December 31, 2027, with behavioral telehealth in the home permanent [1]. Reimbursement and the rules that shape the product unpacks this. Second, accessibility is law, not polish, for the public-sector slice of this market: hospitals run by state and local governments fall under the Americans with Disabilities Act (ADA) Title II web-accessibility rule, which sets WCAG 2.1 Level AA as the standard; the Department of Justice's April 2026 interim final rule extended the compliance dates to April 26, 2027 for entities serving populations of 50,000 or more, and April 26, 2028 for smaller ones [15]. Private hospitals face equivalent pressure through Section 504 and Title III case law. Build to WCAG 2.1 AA regardless of buyer — the accessibility article explains how.
The trade for all this constraint is durability: hospital contracts are slow to win (12–18-month sales cycles are normal) and slow to lose, and visit volumes ride an institution's full patient panel rather than an ad budget.
Specialty: the clinical model is the product
A specialty platform wraps the whole product around one clinical domain. The defining investment is not the video call — it is the domain's workflow, measurement, and safety model. Four examples show the range:
Mental and behavioral health is the largest specialty vertical, with telehealth utilization around 28.2% of visits — triple the next specialty [12]. Its product logic: recurring scheduled sessions (not one-off urgent visits), therapist-patient matching and continuity, outcome instruments such as PHQ-9 administered between sessions, and crisis-escalation paths. Its regulatory logic is heavier than generic care in three specific places: substance-use-disorder treatment records carry their own confidentiality regulation, 42 CFR Part 2, whose 2024 overhaul reached its compliance deadline on February 16, 2026 — with HIPAA-level penalties now attached [16]; remote prescribing of controlled substances (ADHD stimulants, buprenorphine) sits under the Ryan Haight Act's in-person-exam baseline, currently bridged by DEA telemedicine flexibilities that run through December 31, 2026 [17]; and state two-party consent rules complicate any session recording. The mental-health playbook covers the full build.
Dermatology and wound care are visually diagnosed, so the architecture tilts asynchronous: store-and-forward photo capture with quality enforcement (lighting, focus, scale reference), dermatoscope-attachment support, and image-retention policies. Video is a fallback, not the core transaction — a reminder that "telemedicine" does not always mean "video call," as the modality article explains.
Chronic-care management and remote patient monitoring (RPM) invert the visit model: the product's heartbeat is a stream of device readings — glucose, blood pressure, weight — with clinical review by exception, billed under specific CMS care-management codes. The engineering center is device ingestion, anomaly flagging, and care-team task queues; the video visit is an escalation step.
Physical therapy and rehabilitation need the video call itself to do clinical work: movement assessment benefits from good framing, sometimes pose estimation, and exercise-program players with adherence tracking sit beside the call.
The compliance lesson of the specialty shape: the rulebook is condition-specific. A generic HIPAA program is the floor; Part 2, DEA prescribing rules, FDA device boundaries for diagnostic claims, and specialty billing codes arrive with the vertical. That is also why specialty platforms are hard to clone sideways — the moat is the encoded clinical model.
Figure 2. Follow the money, then follow the PHI. Each shape draws the payment arrow and the BAA chain differently.
The same product, four different builds
Here is the landscape compressed into one table. The rows are the decisions your architecture team will actually face.
| Dimension | DTC | B2B2C | Hospital / system | Specialty |
|---|---|---|---|---|
| Who pays | The patient (subscription / per visit) | Employer or health plan (PEPM + per visit) | The institution (license / per seat) | Follows the channel it sells through |
| The real customer | The consumer | HR / benefits / plan product teams | CIO, CMIO, service-line leaders | Patients or payers in one vertical |
| Sales cycle | Minutes (ad → signup) | Months (RFP, security review) | 12–18 months (procurement, IT governance) | Varies with channel |
| Typical visit pattern | On-demand urgent / async intake | Scheduled + on-demand mix | Scheduled, inside the master schedule | Domain-specific (sessions, photo review, RPM stream) |
| Identity pattern | Consumer signup → clinical-grade before prescribing | Eligibility file + SSO from benefits portal | Enterprise SSO, portal-bound patient identity | Channel-dependent + clinical instruments |
| EHR integration | Minimal; own record, often FHIR export later | Moderate; data exchange with plan/PBM | Deep: launch, write-back, scheduling events | Deep within its domain (devices, registries) |
| Compliance center of gravity | FTC / advertising / CPOM; HIPAA once billing or pharmacy enters | HIPAA business-associate posture; SOC 2; eligibility data | Full HIPAA program inherited from the system; reimbursement rules; ADA Title II if public | Condition-specific: 42 CFR Part 2, DEA, FDA boundaries |
| Who signs the BAA | Platform's PC ↔ MSO ↔ vendors | Platform ↔ plan/employer's plan entity; platform ↔ subcontractors | Vendor ↔ health system | Per channel, plus domain data partners |
| Video architecture priority | Queue throughput, mobile-first, fast join | Multi-tenant config, reporting, national network | EHR-embedded launch, enterprise reliability | Domain features in-call (pose, images, devices) |
| Revenue risk | Churn, ad costs, regulator action | Utilization too low at renewal | Implementation overruns, slow expansion | Reimbursement changes in the vertical |
The table is descriptive, not aspirational: a DTC team that builds hospital-grade EHR integration on day one has burned its runway on the wrong shape, and a hospital vendor with consumer-grade audit logging will fail procurement.
Hybrids: where the lines blur — carefully
Real companies cross shapes deliberately. Health systems launch DTC memberships (the Rush example above) to capture patients outside their walls [9]. DTC platforms add employer channels once their unit economics stabilize, becoming B2B2C sellers of the same clinical network. Specialty platforms graduate from DTC into payer contracts — the standard growth path in mental health. And B2B2C incumbents acquire specialty depth to defend renewals.
Hybridization is a sequencing decision, not a launch decision. Each added shape brings its own buyer, integration set, and compliance posture — roughly additively. The practical guidance: pick one primary shape for launch, and architect so the second shape is an addition, not a rewrite. Concretely, that means keeping eligibility/tenancy concerns out of the clinical core (so an employer channel can bolt on), exposing your record as FHIR resources from early on (so a hospital integration is an interface, not a migration — see HL7, FHIR, and the EHR integration reality), and treating the video layer as a service with its own boundary (so in-call specialty features can evolve independently — see choosing the video layer).
Common mistake: building the wrong shape's compliance program. The classic version: a cash-pay DTC team reads that HIPAA "doesn't apply to them," ships consumer-grade analytics with PHI in event payloads, then lands its first employer contract — which arrives with a BAA, a security questionnaire, and an audit right. Retrofitting a business-associate posture (BAA-covered infrastructure, audit logging, minimum-necessary access) into a shipped consumer app costs multiples of building it in. The inverse mistake is just as expensive: a two-person specialty startup building hospital-grade Epic integration before any hospital has agreed to buy. Match the compliance and integration build to the shape you are actually selling this year — and keep PHI out of your analytics stack in every shape (the analytics article shows how).
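A default-deny filter is one way to keep PHI out of analytics event payloads while still tracking funnel drop-off per screen. This is an added example, not code from the article or its linked analytics piece; the event names, property names, allowed values, and the HMAC key are hypothetical.

```python
import hashlib
import hmac

# Assumption: hypothetical event schema. Each event name maps to the only
# properties allowed to leave the app, with the exact type each must have.
ALLOWED_EVENTS = {
    "intake_step_viewed": {"step_index": int, "platform": str},
    "visit_join_clicked": {"platform": str, "wait_bucket": str},
    "checkout_completed": {"plan_tier": str},
}
# Closed vocabularies for string properties, so free text cannot ride along.
ALLOWED_VALUES = {
    "platform": {"ios", "android", "web"},
    "wait_bucket": {"<1m", "1-5m", ">5m"},
    "plan_tier": {"monthly", "annual"},
}


def pseudonymous_id(user_id, key):
    """Keyed hash so the analytics stack never receives the account ID.

    This is a pseudonym, not de-identification: anyone holding the key can
    recompute it, so the key stays outside the analytics environment.
    """
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def sanitize_event(name, user_id, props, key):
    """Return (event, dropped_keys); event is None when the name is unknown."""
    schema = ALLOWED_EVENTS.get(name)
    if schema is None:
        return None, sorted(props)  # unknown event: send nothing at all
    clean, dropped = {}, []
    for prop, value in props.items():
        expected = schema.get(prop)
        # type() rather than isinstance() so that bool is not accepted as int.
        ok = expected is not None and type(value) is expected
        if ok and expected is str:
            ok = value in ALLOWED_VALUES.get(prop, set())
        if ok:
            clean[prop] = value
        else:
            dropped.append(prop)  # log the key name only, never the value
    event = {"event": name, "uid": pseudonymous_id(user_id, key), "props": clean}
    return event, sorted(dropped)


def sample_event():
    """Constructed payload of the kind a consumer-grade SDK call might carry."""
    return {
        "step_index": 3,
        "platform": "ios",
        "medication": "constructed-drug-name",
        "symptom_text": "constructed free-text answer",
        "email": "patient@example.com",
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; load from a secret store
    print(sanitize_event("intake_step_viewed", "user-1001", sample_event(), demo_key))
```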
Figure 3. The compliance stack by shape. Every shape carries a baseline; each adds its own layers — with dates that move.
Which shape are you building? A 60-second self-classification
Answer four questions in order; the figure below turns them into a decision path.
- Does an institution's clinical staff deliver the care? If yes — you are building the hospital/system shape; the EHR is your center of gravity.
- Does a business buy access for a population? If yes — B2B2C; eligibility, SSO, utilization reporting, and a business-associate compliance posture lead.
- Is the product organized around one condition or discipline? If yes — specialty; budget for the domain's own rulebook (Part 2, DEA, devices) before features.
- Otherwise — you are DTC; conversion economics, CPOM structure, and consumer-protection law lead, with HIPAA's technical bar built in from the start.
Run the test annually: shapes drift as channels are added, and the compliance program must drift with them.
Figure 4. Four questions classify the product. The shape then sets the architecture and the rulebook.
To make the classification stick, we have packaged the four-question test, the per-shape priority lists, and the BAA-chain map into a one-page worksheet: download the product-shape scoping worksheet. Fill it in before your next architecture or fundraising conversation.
Where Fora Soft fits in
Fora Soft has built telemedicine and healthcare video products since 2005, alongside video conferencing, streaming, OTT, surveillance, e-learning, and AR/VR platforms — 239+ shipped projects. Our clients usually arrive as one of two shapes: specialty founders (mental health, chronic care, rehabilitation) who need a compliant clinical workflow and a reliable video layer built to HIPAA's technical-safeguard bar, and B2B2C or hospital-facing teams who need the eligibility, SSO, and EHR-integration plumbing done right the first time. We start every engagement by fixing the shape — payer, BAA chain, integration load — because that decision prices everything downstream. The video engineering itself draws on the same WebRTC stack we document across this Learn hub.
What to read next
- Synchronous, asynchronous, and remote patient monitoring — the modality taxonomy underneath every shape.
- The anatomy of a telemedicine platform, end to end — the component map each shape re-weights.
- The telemedicine cost model — what each shape costs to build and run.
References
1. HHS — Telehealth policy updates, Telehealth.HHS.gov, last updated 2026-02-05, https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates — Medicare telehealth flexibilities extended through 2027-12-31; permanent behavioral-health provisions. Tier 1.
2. 45 CFR §160.103 — definitions of covered entity, business associate, protected health information (HIPAA Administrative Simplification), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103 — accessed 2026-06-11. Tier 1. Provider covered-entity status turns on conducting standard transactions electronically.
3. FTC — Health Breach Notification Rule, 16 CFR Part 318 (final rule amendments effective 2024-07-29), https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule and https://www.federalregister.gov/documents/2024/05/30/2024-10855/health-breach-notification-rule — accessed 2026-06-11. Tier 1. Covers health apps and PHR vendors outside HIPAA.
4. FTC — FTC Approves Final Order against Telehealth Provider NextMed…, press release, 2025-12, https://www.ftc.gov/news-events/news/press-releases/2025/12/ftc-approves-final-order-against-telehealth-provider-nextmed-over-charges-it-used-deceptive — accessed 2026-06-11. Tier 1. Deceptive-advertising enforcement against a DTC telehealth seller.
5. FDA enforcement on compounded GLP-1 telehealth marketing — 100+ warning letters in 2025 and 30 additional letters 2026-03-03; summarized in Holland & Knight, FDA, HHS Taking Action Against Telehealth's Compounded Drug Advertising (2025-09), https://www.hklaw.com/en/insights/publications/2025/09/fda-hhs-taking-action-against-telehealths-compounded-drug-advertising and Foley & Lardner, GLP-1 Compliance: FDA Targets Telehealth Marketing in 30 New Warning Letters (2026-03), https://www.foley.com/p/102mmr0/glp1-compliance-fda-targets-telehealth-marketing-in-30-new-warning-letters/ — accessed 2026-06-11. Tier 4 summaries of Tier 1 agency actions.
6. Epstein Becker Green — Corporate Practice of Medicine: The Unseen Hurdle in Telehealth, https://www.healthlawadvisor.com/corporate-practice-of-medicine-the-unseen-hurdle-in-telehealth; Dickinson Wright — Telehealth's Weight-Loss Boom and the Corporate Practice of Medicine (2025), https://www.dickinson-wright.com/news-alerts/blog-dolson-telehealths-weight-loss-boom — accessed 2026-06-11. Tier 4 (health-law analysis). Friendly-PC/MSO structure; CPOM scrutiny in CA, TX, NY.
7. Interstate Medical Licensure Compact Commission — https://imlcc.com/ — accessed 2026-06-11. Tier 1 (the compact's own membership data). 43 member states plus Washington DC and Guam, 2026.
8. Teladoc Health — Q4/FY 2025 results (Form 8-K, 2025-12-31 period), https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001477449 — approximately 102 million US Integrated Care members as of 2025-12-31; B2B distribution through employers and health plans. Tier 4 (company filing — authoritative for its own metrics).
9. AHA Market Scan — 4 Digital Health Projects Transforming Care Delivery (2026-04-07), https://www.aha.org/aha-center-health-innovation-market-scan/2026-04-07-4-digital-health-projects-transforming-care-delivery — Rush Connect+ DTC membership at $19/month or $189/year. Tier 5.
10. AHA — hospital telemedicine adoption: ~87% of US hospitals offered telemedicine services in 2024, up from 72.6% in 2018; AHA Telehealth Fact Sheet (2025-02-07), https://www.aha.org/fact-sheets/2025-02-07-fact-sheet-telehealth — accessed 2026-06-11. Tier 5 (institutional survey).
11. Becker's Hospital Review — Epic launches new native telehealth offering, https://www.beckershospitalreview.com/ehrs/epic-launches-new-native-telehealth-offering/; Healthcare IT News — Epic launches new telehealth service with Twilio, https://www.healthcareitnews.com/news/epic-launches-new-telehealth-service-twilio — accessed 2026-06-11. Tier 5 (trade press on first-party product).
12. AHA Market Scan — 5 Key Telehealth Insights (2026-03-10), https://www.aha.org/aha-center-health-innovation-market-scan/2026-03-10-5-key-telehealth-insights — telehealth utilization by specialty: mental health ~28.2% (Dec 2025), endocrinology 11.4%, obstetrics 9.4% (Epic Research data). Tier 5.
13. Hims & Hers — FY2025 guidance of $2.3–2.4B revenue, 2M+ subscribers, >90% recurring revenue; company reporting summarized in RS Capital, A Deep Dive on Hims & Hers and FinancialContent (2026-03-18), https://rscapital.substack.com/p/a-deep-dive-on-hims-and-hers-hims — accessed 2026-06-11. Tier 5 (analyst summaries of company figures).
14. First Stop Health — What is the Cost of Telemedicine?, https://blog.firststophealth.com/business-blog/what-is-the-cost-of-telemedicine; Benefit Providers — Telehealth Pricing, https://www.benefitproviders.com/telehealth-pricing/ — accessed 2026-06-11. Tier 6 (vendor pricing pages; ranges only). PEPM $0.15–$15; consult fees $40–75.
15. DOJ — Extension of Compliance Dates… Accessibility of Web Information and Services of State and Local Government Entities, Interim Final Rule, Federal Register, 2026-04-20, https://www.federalregister.gov/documents/2026/04/20/2026-07663/extension-of-compliance-dates-for-nondiscrimination-on-the-basis-of-disability-accessibility-of-web — ADA Title II web/mobile accessibility (WCAG 2.1 AA): compliance 2027-04-26 (population ≥ 50,000) and 2028-04-26 (< 50,000 and special districts). Tier 1.
16. HHS — Fact Sheet: 42 CFR Part 2 Final Rule (2024-02-08), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html — compliance date 2026-02-16; HIPAA-aligned penalties; OCR Part 2 enforcement program announced 2026-02-13. Tier 1.
17. DEA & HHS — Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications, Federal Register, 2025-12-31, https://www.federalregister.gov/documents/2025/12/31/2025-24123/fourth-temporary-extension-of-covid-19-telemedicine-flexibilities-for-prescription-of-controlled — flexibilities effective through 2026-12-31; Ryan Haight Act (21 U.S.C. §829(e)) in-person-exam baseline. Tier 1.
Where lower-tier sources disagreed with rule text, the rule text won: vendor explainers that equate "cash-pay" with "unregulated" are contradicted by the FTC's HBNR scope and enforcement record [3][4]; listicles that still cite the original April 2026 ADA Title II deadline are superseded by the DOJ's April 2026 extension [15]; and pricing claims from vendor pages are presented as ranges, not market facts [14].


