In early 2025, a regional healthcare network approached us with an urgent need: their existing telehealth vendor was sunsetting its platform, and they had 90 days to replace it. The new platform needed to support 200+ concurrent video consultations, integrate with their Epic EHR system, and meet every requirement of the HIPAA Security Rule. There was no room for shortcuts on compliance.
This article is a detailed engineering walkthrough of how we designed, built, and launched that platform in 90 days. We will cover the architecture decisions, the security controls, the compliance framework, and the lessons we learned along the way. If you are building anything in healthcare technology, this guide will save you months of research.
End-to-End Encryption
Role-Based Access Control
Comprehensive Audit Logging
Multi-Factor Authentication
One of the most critical security measures is encrypting sensitive PHI fields at the application level before they reach the database. This ensures that even if the database is compromised, patient data remains protected. Here is a simplified version of our encryption service that uses AWS KMS for key management.
Building for healthcare means accepting that security is not a feature — it is the product. Every architectural decision must be evaluated through the lens of patient safety and data protection. There are no acceptable shortcuts when lives and privacy are at stake.
Building a HIPAA-compliant telehealth platform in 90 days taught us that speed and compliance are not mutually exclusive — but only if compliance is built into the process from day one, not bolted on at the end. Starting with a HIPAA-eligible infrastructure foundation (AWS services with signed BAAs) eliminated an entire category of risk. Automating compliance checks with AWS Config rules meant we caught configuration drift within minutes, not days.
If we were to do it again, we would invest more time upfront in automated integration testing for the video pipeline. WebRTC edge cases — network switching, firewall traversal, browser compatibility — consumed more QA time than anticipated. We would also implement a formal threat modeling exercise during the design phase rather than relying solely on the risk assessment. For any team embarking on a similar project, our advice is simple: treat compliance as a design constraint, not a testing phase.
Building a HIPAA-compliant telehealth platform requires encryption at rest (AES-256) and in transit (TLS 1.3) for all PHI, WebRTC with SRTP for secure real-time video, comprehensive audit logging of every PHI access, role-based access controls, and signed Business Associate Agreements with all third-party services. A well-built platform can be audit-ready within 90-120 days using a structured compliance framework.
Key Takeaways
- HIPAA compliance requires encryption at rest (AES-256) and in transit (TLS 1.3) for all PHI
- WebRTC with SRTP provides secure real-time video but requires a TURN server for NAT traversal
- Every access to PHI must be logged with user identity, timestamp, action, and data accessed
- Business Associate Agreements (BAAs) must be signed with every third-party service that handles PHI
- Automated compliance scanning with tools like AWS Config and custom Lambda rules catches drift in real time
Key Terms
- Protected Health Information (PHI)
- Any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes names, dates, medical record numbers, and any data that could identify a patient.
- Business Associate Agreement (BAA)
- A contract between a HIPAA-covered entity and a vendor (business associate) that ensures the vendor will appropriately safeguard protected health information according to HIPAA requirements.
- SRTP (Secure Real-time Transport Protocol)
- An extension of RTP (Real-time Transport Protocol) that provides encryption, message authentication, and integrity verification for audio and video streams in real-time communications.
- Audit Trail
- A chronological record that provides documentary evidence of the sequence of activities affecting a specific operation, procedure, or event related to PHI access and modification.
Summary
This tutorial-style case study walks through the architecture, security controls, and compliance framework used to build a production-ready telehealth platform in 90 days. It covers WebRTC integration for real-time video, end-to-end encryption using the Signal Protocol, comprehensive audit logging, role-based access control, and the BAA and compliance documentation required for HIPAA certification.