Why Telemedicine Platforms Are a $380B Opportunity
Telemedicine is no longer an emergency measure. It is how modern healthcare gets delivered. Patients expect to book a video visit as easily as they schedule a rideshare, and payers are reimbursing virtual visits at parity with in-person encounters across most specialties. The global telehealth market grew 25% year-over-year in 2026 and analysts project it will reach $380 billion by 2030.
The opportunity is massive, but the bar is high. Patients and providers will not tolerate laggy video, clunky scheduling, or disconnected clinical workflows. A telemedicine platform that cannot pull a patient's medication list from their EHR or send a prescription directly to their pharmacy is a toy, not a tool. You need real-time video, deep EHR integration, e-prescribing, and compliance baked into every layer.
The platforms winning in this space share a few traits. They reduce provider documentation burden by pulling and pushing data to the EHR automatically. They handle the full patient journey from scheduling through billing in a single interface. They work across devices without requiring app downloads. And they satisfy compliance requirements without making the user experience feel like a government form.
If you are building a telemedicine platform in 2026, you are competing against established players like Teladoc, Amwell, and Doxy.me, plus dozens of niche platforms in behavioral health, dermatology, and chronic care management. Your competitive advantage comes from workflow specificity, superior provider experience, or targeting an underserved specialty. Generic "video call with a doctor" products are commoditized. The money is in vertical solutions that solve real clinical workflow problems.
Video Infrastructure: WebRTC, HIPAA BAAs, and Recording
Video is the core of your telemedicine platform, and getting it wrong means choppy calls, dropped connections, and providers abandoning your product after the first week. You have three paths for video infrastructure, each with different tradeoffs in cost, control, and compliance.
Option 1: Managed CPaaS providers. Twilio Video, Daily.co, Vonage, and Amazon Chime SDK all offer WebRTC-based video APIs with HIPAA BAA availability. Twilio Video costs roughly $0.004 per participant per minute for group rooms. Daily.co charges $0.04 per participant minute at their scale plan. Both sign BAAs without negotiation on their healthcare-tier plans. These providers handle TURN servers, network traversal, quality adaptation, and global infrastructure. You integrate their SDK, customize the UI, and focus on your clinical workflows.
Option 2: Open-source with LiveKit or Jitsi. LiveKit is a modern, performant open-source WebRTC SFU (Selective Forwarding Unit) built in Go. You deploy it on your own infrastructure, which gives you complete control over data residency and eliminates per-minute costs. The tradeoff is operational complexity. You need to manage TURN servers, handle scaling, configure STUN/TURN for restrictive firewalls, and monitor call quality metrics yourself. Monthly infrastructure costs for a LiveKit deployment handling 500 concurrent sessions run approximately $3,000 to $6,000 on AWS.
Option 3: Hybrid approach. Use a managed provider for the media layer but handle signaling, room management, and recording on your own backend. This gives you flexibility to switch providers or add custom features (AI transcription, clinical note generation) without rebuilding the entire video stack.
Regardless of which path you choose, these requirements are non-negotiable for healthcare video:
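- End-to-end encryption or encryption in transit: All media streams must use SRTP (Secure Real-time Transport Protocol). Most WebRTC implementations handle this by default, but verify that it is enforced and cannot be negotiated away. SRTP that terminates at an SFU or a managed provider is encryption in transit, not end-to-end: the media server handles the decrypted streams.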
- BAA with your video provider: If any vendor touches PHI (which includes video/audio of patient encounters), you need a signed Business Associate Agreement. No exceptions.
- Recording storage in compliant infrastructure: If you record visits, those recordings are PHI. Store them in an encrypted S3 bucket (AES-256, SSE-KMS) with access logging enabled. Set retention policies aligned with state medical record requirements, which range from 7 to 10 years depending on jurisdiction.
- Fallback to audio-only: Patients in rural areas with poor bandwidth need to still complete their visit. Your platform must gracefully degrade to audio when video quality drops below usable thresholds.
- Network quality indicators: Providers need to see connection quality in real time so they can ask a patient to switch to audio or move to a stronger signal before the call drops.
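One way to check that SRTP is enforced rather than optional is to inspect the SDP your signaling layer relays. This is an added example, not code from any provider's SDK; the function name and the SDP samples are constructed for illustration.

```python
# Added example: flag SDP media sections that do not negotiate DTLS-SRTP.
# Names are hypothetical; the SDP samples below are constructed.

# Transport profiles meaning "SRTP keyed via DTLS" (RFC 5764) or a DTLS data channel (RFC 8841).
DTLS_SRTP_PROTOS = {"UDP/TLS/RTP/SAVPF", "UDP/TLS/RTP/SAVP"}
DTLS_DATA_PROTOS = {"UDP/DTLS/SCTP", "TCP/DTLS/SCTP"}

FAKE_FP = "sha-256 " + ":".join(["AB"] * 32)  # constructed placeholder fingerprint

SECURE_SDP = "\r\n".join([
    "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
    "a=fingerprint:" + FAKE_FP,               # session-level: covers every m-section
    "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass",
    "m=video 9 UDP/TLS/RTP/SAVPF 96", "a=setup:actpass",
])

WEAK_SDP = "\r\n".join([
    "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
    "m=audio 49170 RTP/AVP 0",                # plain RTP, no encryption at all
    "m=video 49172 RTP/SAVP 96",              # SRTP, but keyed in the clear via SDES
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
])


def audit_sdp(sdp: str) -> list[str]:
    """Return findings; an empty list means every media section uses DTLS-SRTP."""
    findings: list[str] = []
    session_fingerprint = False
    sections: list[dict] = []
    current = None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt...>; pad so a malformed line is still flagged
            kind, _port, proto = (line[2:].split() + ["?", "?", "?"])[:3]
            current = {"kind": kind, "proto": proto, "fingerprint": False, "sdes": False}
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current["fingerprint"] = True
        elif line.startswith("a=crypto:") and current is not None:
            current["sdes"] = True
    if not sections:
        findings.append("no media sections found")
    for i, s in enumerate(sections):
        label = f"m-section {i} ({s['kind']})"
        allowed = DTLS_SRTP_PROTOS if s["kind"] in ("audio", "video") else DTLS_DATA_PROTOS
        if s["proto"] not in allowed:
            findings.append(f"{label}: transport {s['proto']} is not a DTLS profile")
        if not (s["fingerprint"] or session_fingerprint):
            findings.append(f"{label}: no DTLS certificate fingerprint")
        if s["sdes"]:
            findings.append(f"{label}: SDES a=crypto key exchange offered")
    return findings


if __name__ == "__main__":
    for name, sdp in (("secure", SECURE_SDP), ("weak", WEAK_SDP)):
        print(name, audit_sdp(sdp) or "OK")
```

Running this against offers and answers captured in a staging environment shows whether a client or SDK setting has allowed a non-DTLS transport.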
For the frontend, use the provider's JavaScript SDK (or React SDK for Twilio/Daily) and build a custom UI that fits your clinical workflow. The default video UI from these providers is designed for generic meetings, not healthcare encounters. You want the patient chart, visit notes, and prescription pad accessible alongside the video feed, not hidden behind tab switches.
EHR Integration: HL7 FHIR, Epic, Cerner, and SMART on FHIR
A telemedicine platform without EHR integration is a standalone video tool. Providers will not adopt it because it creates double documentation. They finish a video visit, then have to manually re-enter everything into Epic or Cerner. That workflow kills adoption within weeks.
The modern standard for EHR integration is HL7 FHIR (Fast Healthcare Interoperability Resources). FHIR uses RESTful APIs with JSON payloads, which makes it dramatically easier to work with than the older HL7 v2 pipe-delimited messages or CDA XML documents. Most major EHRs now expose FHIR R4 endpoints, though coverage varies wildly by resource type.
Epic integration requires joining the Epic App Orchard (now called the Epic App Market). You build a SMART on FHIR app that can be launched from within the Epic EHR or from your platform using Epic's OAuth2 flow. Epic exposes Patient, Encounter, Condition, MedicationRequest, Observation, and other FHIR resources. Getting approved for App Market takes 3 to 6 months and requires a security review, but once approved, any Epic customer can enable your integration. Epic covers roughly 35% of the US hospital market.
Oracle Health (formerly Cerner) also supports SMART on FHIR and has a developer portal with sandbox environments. Their FHIR coverage is comparable to Epic's, and they cover another 25% of the hospital market. Budget 2 to 4 months for their review process.
Athenahealth offers a well-documented REST API (not strictly FHIR but FHIR-aligned) through their developer program. They dominate the ambulatory/outpatient clinic space. Their API allows reading and writing clinical data, scheduling, and billing information.
Here is what you should pull from the EHR before a telemedicine visit starts:
- Patient demographics: Name, DOB, preferred pharmacy, insurance information
- Active medication list: So the provider can review and prescribe safely
- Problem list and conditions: Active diagnoses for clinical context
- Allergies: Critical for prescribing workflows
- Recent lab results: Relevant vitals and test results from the past 90 days
- Upcoming orders: Pending referrals or tests the provider should know about
After the visit, you push back:
- Visit encounter note: Structured or unstructured clinical documentation
- New prescriptions: Written through your e-prescribing module
- Updated problem list: Any new diagnoses added during the encounter
- Orders: Lab orders, imaging referrals, specialist referrals
- Billing codes: CPT and ICD-10 codes for the encounter
The biggest technical challenge is handling the OAuth2 flow across different EHR vendors. Each has slightly different token refresh behavior, scope requirements, and patient-matching logic. Build an abstraction layer that normalizes these differences so your application code does not need vendor-specific branches everywhere. Use a middleware service that maps vendor-specific FHIR quirks to a canonical internal data model.
For detailed guidance on clinical data architecture, see our guide on healthcare app development.
E-Prescribing and Surescripts Integration
E-prescribing is what transforms a telemedicine platform from "video chat with a doctor" into a complete clinical encounter. If a provider diagnoses a UTI over video but the patient has to call the office to get the prescription sent to their pharmacy, you have failed at the core value proposition. The prescription should arrive at CVS before the video call even ends.
Surescripts is the national health information network that routes electronic prescriptions between prescribers and pharmacies. They process over 2 billion transactions per year and connect to virtually every retail pharmacy in the United States. Integrating with Surescripts is not optional if you want a real telemedicine platform. It is table stakes.
There are two paths to Surescripts connectivity:
Direct certification: You apply to become a Surescripts-certified solution. This involves a lengthy certification process (6 to 12 months), security audits, and ongoing compliance requirements. You get direct access to their network for routing NewRx, RxRenewal, RxChangeRequest, and CancelRx messages. This path makes sense if e-prescribing is core to your product differentiation and you want full control.
Through a certified intermediary: Companies like DoseSpot, RxNT, and iPrescribe offer embeddable e-prescribing modules that are already Surescripts-certified. DoseSpot, for example, provides an iframe-based widget and REST API that handles the entire prescribing workflow: medication search, drug-drug interaction checking, formulary lookup, pharmacy selection, and electronic transmission. Pricing typically runs $1 to $3 per prescription routed. For most telemedicine startups, this path gets you to market 9 months faster.
EPCS (Electronic Prescribing of Controlled Substances) adds another layer of complexity. DEA regulations require two-factor authentication for every controlled substance prescription, identity proofing of the prescriber, and audit trails that meet specific DEA requirements. Your EPCS solution needs third-party identity verification (companies like Exostar or IdenTrust provide this) and a compliant two-factor workflow. DoseSpot and similar intermediaries handle EPCS compliance as part of their platform, which is a significant reason to use them rather than building direct.
Key requirements for your prescribing module:
- Drug database: Use FDB (First Databank) or Medi-Span for comprehensive drug information, dosing guidance, and interaction checking
- Formulary checking: Query the patient's insurance formulary to show tier status and suggest therapeutic alternatives before the provider writes a non-covered medication
- Allergy cross-referencing: Automatically flag prescriptions that conflict with documented allergies
- State prescription drug monitoring program (PDMP) integration: Many states now require PDMP checks before prescribing controlled substances. Integrate with platforms like Bamboo Health (formerly Appriss) to pull PDMP data into your workflow
- Pharmacy directory: Let patients search for pharmacies by location, with real-time availability data
State licensing creates another challenge. A provider licensed in California can only prescribe to patients located in California during the visit (with some interstate compact exceptions). Your platform needs to verify both the provider's active license state and the patient's physical location at the time of the encounter. Build location verification into your intake flow.
Patient Flow: Scheduling Through Billing
The patient journey through a telemedicine visit has distinct phases, and each one needs careful UX design. Drop-off rates are highest during scheduling and intake. If those steps feel bureaucratic or confusing, patients will abandon and call the office instead, which defeats the entire purpose.
Scheduling. Offer real-time provider availability synced with the EHR calendar. Patients should see open slots, filter by provider specialty, and book in under 60 seconds. Support same-day urgent appointments (a major advantage over in-person care). Send SMS and email confirmations with a one-click link to join the visit. Reminder notifications at 24 hours and 15 minutes before the appointment reduce no-show rates by 30% to 40%.
Pre-visit intake. Before the appointment, collect chief complaint, relevant symptoms, current medications (pre-populated from EHR if available), pharmacy preference, and insurance verification. Run real-time eligibility checks through your clearinghouse (Availity, Change Healthcare, or Waystar) so you know coverage status before the visit starts. This prevents the painful scenario of completing a visit only to discover the patient's plan does not cover telehealth for that service type.
Virtual waiting room. When the patient clicks their appointment link, they land in a waiting room. This screen should show their position in queue, estimated wait time, a connection quality test, and camera/microphone permissions check. Providers see a queue of waiting patients with chief complaint summaries and can admit them in order or triage based on urgency.
The video encounter. During the visit, the provider sees a split view: video feed on one side, clinical workspace on the other. The workspace includes the patient chart (pulled from EHR), a documentation panel for visit notes, a prescribing module, and an orders panel. AI-assisted documentation can transcribe the conversation in real time and generate a draft SOAP note that the provider reviews and signs. This cuts documentation time from 8 minutes per visit to under 2 minutes.
Post-visit summary. After the encounter ends, the patient immediately receives a visit summary including diagnosis, treatment plan, prescriptions sent, follow-up instructions, and any lab or imaging orders. Push this to the patient portal and send via secure email. The provider's note simultaneously syncs back to the EHR.
Billing and claims. Automatically generate a superbill with CPT codes (99211-99215 for established patient E/M, with telehealth modifier 95 or place of service 02), ICD-10 diagnosis codes, and the appropriate telehealth originating site information. Submit claims electronically through your clearinghouse. For patient responsibility (copays, coinsurance), collect payment via Stripe with a stored card on file and send an itemized receipt.
HIPAA Compliance and Security Architecture
Every component in your telemedicine stack touches protected health information. Video recordings, chat messages, clinical notes, prescriptions, scheduling data, even IP addresses when combined with appointment times can constitute PHI. Your security architecture must treat the entire system as a HIPAA-regulated environment.
Encryption requirements: All data at rest must be encrypted with AES-256. All data in transit must use TLS 1.2 or higher. Database encryption should use transparent data encryption (TDE) or application-level encryption for sensitive fields. S3 buckets holding recordings or documents need SSE-KMS with customer-managed keys so you can audit and rotate keys on your own schedule.
Access controls: Implement role-based access control (RBAC) with the principle of minimum necessary access. Providers see only their own patients. Staff see only patients at their practice location. Administrators have elevated privileges but every action is logged. Use OAuth2 with short-lived access tokens (15-minute expiry) and refresh tokens stored in httpOnly cookies. Session timeout after 15 minutes of inactivity is a HIPAA best practice.
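The access rules above can be expressed as a single default-deny decision function. This is an added example, not code from any particular platform; the class names, role strings, and sample identifiers are assumptions made for illustration.

```python
# Added example: minimum-necessary access decision with token and idle limits.
# All names and sample values are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCESS_TOKEN_TTL = timedelta(minutes=15)   # short-lived access token
IDLE_TIMEOUT = timedelta(minutes=15)       # inactivity limit
SAMPLE_NOW = datetime(2026, 1, 5, 15, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str                  # "provider", "staff" or "admin"
    practice_id: str
    token_issued_at: datetime  # reset each time the access token is refreshed
    last_activity: datetime    # reset only by real user activity


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    practice_id: str
    treating_provider_ids: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str            # write this to the audit log for allow and deny alike
    elevated: bool = False  # True marks administrator access for closer review


def authorize(session: Session, record: PatientRecord, now: datetime) -> Decision:
    # Freshness checks come first so a stale session never reaches the role logic.
    if now - session.token_issued_at >= ACCESS_TOKEN_TTL:
        return Decision(False, "access_token_expired")
    if now - session.last_activity >= IDLE_TIMEOUT:
        return Decision(False, "session_idle_timeout")
    if session.role == "provider":
        if session.user_id in record.treating_provider_ids:
            return Decision(True, "treating_provider")
        return Decision(False, "not_own_patient")
    if session.role == "staff":
        if session.practice_id == record.practice_id:
            return Decision(True, "same_practice_location")
        return Decision(False, "other_practice_location")
    if session.role == "admin":
        return Decision(True, "admin_elevated", elevated=True)
    return Decision(False, "unknown_role")  # default deny


def sample_session(user_id, role, practice_id, issued_min=1, idle_min=1) -> Session:
    """Build a constructed session relative to SAMPLE_NOW."""
    return Session(user_id, role, practice_id,
                   SAMPLE_NOW - timedelta(minutes=issued_min),
                   SAMPLE_NOW - timedelta(minutes=idle_min))


SAMPLE_RECORD = PatientRecord("patient-1", "clinic-a", frozenset({"dr-1"}))

if __name__ == "__main__":
    for s in (sample_session("dr-1", "provider", "clinic-a"),
              sample_session("dr-2", "provider", "clinic-a"),
              sample_session("dr-1", "provider", "clinic-a", issued_min=2, idle_min=20)):
        print(s.user_id, authorize(s, SAMPLE_RECORD, SAMPLE_NOW))
```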
Audit logging: HIPAA requires you to track every access to PHI. Log who accessed what data, when, from which IP, and what action they took (view, create, update, delete). Store audit logs in a tamper-proof system separate from your application database. AWS CloudTrail plus a dedicated audit log table in a write-once storage configuration works well. Retain logs for a minimum of 6 years (HIPAA retention requirement).
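The audit fields listed above can be stored as a hash chain so that edits and deletions are detectable. This is an added example, not code from any particular platform; the names and sample events are constructed, and it assumes the latest hash is anchored in write-once storage, since an unkeyed chain can be recomputed by anyone who can rewrite the whole log.

```python
# Added example: hash-chained audit log with tamper and truncation detection.
# Names and sample events are hypothetical.
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                                  # prev-hash of the first entry
ACTIONS = {"view", "create", "update", "delete"}
FIELDS = ("actor", "action", "resource", "ip", "at")


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to every entry before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def head(self) -> str:
        """Latest hash; anchor this value outside the application database."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def record(self, actor, action, resource, ip, at=None) -> dict:
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        at = at or datetime.now(timezone.utc)
        body = {"actor": actor, "action": action, "resource": resource,
                "ip": ip, "at": at.isoformat()}
        prev = self.head()
        entry = dict(body, prev=prev, hash=entry_hash(prev, body))
        self.entries.append(entry)
        return entry


def verify_chain(entries, anchored_head=None):
    """Return the index of the first bad entry, len(entries) if the log was
    truncated relative to anchored_head, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e.get(k) for k in FIELDS}
        if e.get("prev") != prev or not hmac.compare_digest(
                str(e.get("hash", "")), entry_hash(prev, body)):
            return i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(entries)
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample events; identifiers and addresses are made up."""
    log = AuditLog()
    at = datetime(2026, 1, 5, 14, 0, tzinfo=timezone.utc)
    log.record("dr.lee", "view", "Patient/123", "203.0.113.10", at)
    log.record("dr.lee", "create", "MedicationRequest/77", "203.0.113.10", at)
    log.record("admin.kim", "view", "Patient/123", "198.51.100.4", at)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries, log.head()))
    print("truncated:", verify_chain(log.entries[:2], log.head()))
```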
BAA management: You need signed BAAs with every vendor that processes PHI. This includes your cloud provider (AWS, GCP, Azure), video provider (Twilio, Daily), database hosting (if managed), email/SMS provider (SendGrid, Twilio), error monitoring (Datadog, Sentry with PHI scrubbing), and analytics platform. Maintain a BAA registry document that tracks every vendor, agreement date, and renewal terms. Review annually.
Infrastructure hardening: Deploy in a dedicated VPC with private subnets for databases and application servers. Use WAF (Web Application Firewall) rules to block common attacks. Implement network segmentation so your video infrastructure cannot directly access your prescription database. Run regular penetration tests (at least annually) and vulnerability scans (weekly). Use a secrets manager (AWS Secrets Manager or HashiCorp Vault) for all credentials. Never store secrets in environment variables on disk or in code repositories.
Incident response: Have a documented incident response plan that covers breach detection, containment, assessment, notification (within HIPAA's 60-day window), and remediation. Run tabletop exercises quarterly. Designate a HIPAA Security Officer and Privacy Officer, even if that is the same person at a startup stage.
For a full breakdown of what compliance costs look like at each stage, see our analysis of HIPAA compliance costs.
Tech Stack and Architecture Decisions
Your technology choices need to balance developer velocity, long-term maintainability, compliance requirements, and real-time performance. Here is the stack we recommend for a production telemedicine platform in 2026:
Frontend: Next.js 14+ with TypeScript. Server-side rendering gives you fast initial page loads (critical for patients on mobile networks). The App Router handles complex layouts where you need the video feed persistent while navigating between chart tabs. TypeScript catches data contract mismatches between your frontend and FHIR API responses at compile time rather than in production.
Backend: Node.js (NestJS) or Python (FastAPI). NestJS gives you a structured, modular architecture with dependency injection, which keeps a complex healthcare backend organized as it grows to 50+ endpoints. FastAPI is the better choice if your team has Python expertise or you plan heavy ML/AI integration (clinical note generation, symptom analysis). Both support async operations well, which matters for EHR API calls that can take 2 to 5 seconds to resolve.
Database: PostgreSQL 16 with row-level security. PostgreSQL's row-level security policies enforce data isolation at the database layer. A provider's query cannot return another provider's patient records, regardless of application bugs, as long as the application connects as an ordinary role that does not own the tables. Table owners bypass policies unless the table is set to FORCE ROW LEVEL SECURITY, and superusers and roles with BYPASSRLS always bypass them. Use JSONB columns for FHIR resource storage so you can query structured clinical data without a rigid schema that breaks every time a FHIR profile changes. Add pgcrypto for field-level encryption of the most sensitive data (SSN, certain clinical notes).
Real-time layer: Redis Pub/Sub or WebSockets via Socket.io. The waiting room, queue updates, in-visit chat, and provider availability indicators all need real-time push. Redis handles pub/sub at scale with minimal latency. For the WebSocket connections themselves, Socket.io with sticky sessions behind an ALB works reliably at moderate scale (up to 10,000 concurrent connections per node).
File storage: AWS S3 with server-side encryption. Visit recordings, uploaded documents (insurance cards, lab reports), and signed consent forms go in S3 with SSE-KMS encryption, versioning enabled, and lifecycle policies for retention compliance. Use pre-signed URLs with 5-minute expiry for downloads so files are never publicly accessible.
Video: Daily.co or Twilio Video SDK. Both offer React SDKs, HIPAA BAAs, recording to cloud storage, and solid documentation. Daily.co has a simpler API surface. Twilio has broader communication features (SMS reminders, voice fallback) in the same platform.
E-prescribing: DoseSpot API. Already Surescripts-certified, handles EPCS, includes drug interaction databases, and provides an embeddable UI component. $1.50 per routed prescription at typical volume.
Infrastructure: AWS (preferred for healthcare). Use ECS Fargate or EKS for container orchestration, RDS for managed PostgreSQL, ElastiCache for Redis, CloudFront for static assets, and CloudWatch plus Datadog for monitoring. Deploy in us-east-1 and us-west-2 for redundancy. AWS signs BAAs and offers a dedicated HIPAA-eligible services list that covers over 100 services.
CI/CD: GitHub Actions with infrastructure as code (Terraform). Automate deployments with mandatory security scanning (Snyk, Trivy for container images) in the pipeline. No deployment goes to production without passing SAST, dependency vulnerability checks, and HIPAA configuration validation.
Costs, Timeline, and Getting Started
Building a telemedicine platform with video visits, EHR integration, and e-prescribing is a significant investment. Here are realistic numbers based on platforms we have helped build:
MVP (3 to 5 months, $150K to $250K): Core video visits with one EHR integration (typically Epic or Athenahealth), basic scheduling, patient intake, e-prescribing through DoseSpot, HIPAA-compliant infrastructure, and mobile-responsive web app. This gets you to market with a functional product that providers can actually use for patient care.
Full platform (8 to 14 months, $300K to $400K): Multiple EHR integrations, AI-assisted documentation, multi-provider practice management, insurance eligibility verification, claims submission, patient portal with async messaging, mobile native apps (iOS/Android), analytics dashboard, and advanced compliance features (audit reports, automated risk assessments).
Ongoing operational costs ($5K to $15K per month): This covers cloud infrastructure ($2K to $5K depending on visit volume), video API usage ($1K to $4K at 2,000 to 5,000 visits per month), e-prescribing transaction fees ($500 to $1,500), EHR API subscription fees ($500 to $2,000), monitoring and security tools ($500 to $1,000), and compliance maintenance ($500 to $1,000 for ongoing pen testing, policy updates, training).
The biggest cost variables are EHR integration depth and the number of EHR vendors you support. Each new EHR integration adds $30K to $60K in development and 2 to 4 months of certification time. Start with the EHR your initial customers use, then expand based on demand.
Where teams get stuck:
- Underestimating EHR certification timelines. Epic App Market review alone takes 3 to 6 months. Build this into your go-to-market plan from day one.
- Skipping compliance from the start. Retrofitting HIPAA compliance into an existing codebase costs 3x more than building it in from the beginning. Encryption, audit logging, and access controls need to be in your first sprint, not your last.
- Building video infrastructure in-house. Unless you have dedicated WebRTC engineers, use a managed provider. The edge cases in real-time video (NAT traversal, codec negotiation, bandwidth adaptation) will consume months of engineering time that should go toward clinical workflows.
- Ignoring state licensing complexity. Telehealth licensing varies by state, and interstate compacts only cover certain professions. Your platform needs provider license verification and patient location checks built into the encounter flow.
The fastest path to a production telemedicine platform is pairing a team that understands healthcare compliance with modern development practices. You need engineers who have implemented FHIR integrations before, know the gotchas of Surescripts certification, and can architect for HIPAA from the first commit.
If you are planning a telemedicine platform and want to validate your architecture, scope the build accurately, or accelerate development with a team that has shipped healthcare products before, book a free strategy call and we will walk through your requirements together.