Building HIPAA-Compliant Telehealth Platforms in India
If you're building telehealth from India to serve US patients or providers, HIPAA isn't optional and isn't decoration; it's a real architectural constraint that shapes every layer. Here's what actually works.
Key takeaways
- HIPAA applies if you handle PHI (Protected Health Information) for US covered entities.
- Architecture must support: encryption at rest and in transit, access controls, audit logging, data integrity, BAAs with every vendor.
- AWS and GCP have HIPAA-eligible services and will sign BAAs. Use them.
- Data residency: HIPAA doesn't require US-only storage, but contracts often do.
- Video calling, file storage, and messaging each have HIPAA implications.
Why this matters
US healthcare won't buy from a vendor without HIPAA-ready infrastructure. Indian telehealth startups going global hit this gate immediately. Building it in is a 2-3 month engineering project; retrofitting is much longer.
The technical requirements
Encryption at rest
All PHI encrypted at rest. Use AWS S3 with KMS, RDS with encryption, EBS encrypted. Document key management policy.
Encryption in transit
TLS 1.2+ everywhere. No HTTP. Mutual TLS for service-to-service where possible.
Access controls
Role-based access. MFA for all admin and provider users. Just-in-time access for engineers needing prod data (rare, audited).
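As an added example (not code from the original article), here is a small policy evaluator that encodes the three rules above: role-based permissions, mandatory MFA for provider and admin sessions, and time-boxed, ticket-bound just-in-time grants for engineers who otherwise have no standing access to PHI. The role names, permission strings, and grant shape are assumptions for illustration; a real deployment would source these from the identity provider and record every decision in the audit log.

```python
# Added example: RBAC + MFA + just-in-time access evaluator (illustrative, not a real product's code).
import time
from dataclasses import dataclass, field

# Role -> standing permissions. Constructed for this example.
ROLE_PERMISSIONS = {
    "patient": {"phi:read"},               # further restricted to the patient's own records
    "provider": {"phi:read", "phi:write"},
    "admin": {"phi:read", "phi:write", "user:manage"},
    "engineer": set(),                     # no standing PHI access; only via a JIT grant
}

# Roles that must have completed MFA before any PHI action is allowed.
MFA_REQUIRED_ROLES = {"provider", "admin"}


@dataclass
class JitGrant:
    """Time-boxed production access tied to a ticket, so every grant is attributable."""
    permission: str
    ticket: str
    expires_at: float  # Unix timestamp


@dataclass
class Session:
    user_id: str
    role: str
    mfa_verified: bool
    jit_grants: list = field(default_factory=list)


def authorize(session, permission, resource_owner=None, now=None):
    """Return (allowed, reason) for a permission request on a resource.

    resource_owner is the user id the PHI belongs to; patients may only act on their own.
    """
    now = time.time() if now is None else now
    role = session.role
    if role not in ROLE_PERMISSIONS:
        return False, "unknown role"
    if role in MFA_REQUIRED_ROLES and not session.mfa_verified:
        return False, "mfa required"
    if role == "patient" and resource_owner != session.user_id:
        return False, "patients may only access their own records"
    if permission in ROLE_PERMISSIONS[role]:
        return True, "role permission"
    # No standing permission: fall back to an unexpired JIT grant, which always requires MFA.
    if session.mfa_verified:
        for grant in session.jit_grants:
            if grant.permission == permission and grant.expires_at > now:
                return True, "jit grant " + grant.ticket
    return False, "no permission"
```

The reason string is meant to be written to the audit log alongside the decision, so that a quarterly access review can see not just who read PHI but under which grant.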
Audit logging
Every access to PHI logged. Immutable storage. Retention typically 6 years.
Data integrity
PHI cannot be modified or deleted without trace. Soft deletes with audit, never hard deletes on PHI.
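The audit-logging and data-integrity requirements above fit together naturally, so here is one added example (not from the original article) that covers both: a hash-chained, append-only audit log where editing or dropping an entry breaks the chain, and a PHI record store that audits every read, keeps prior versions on update, and supports soft delete only. The in-memory list stands in for write-once storage; the record and entry shapes are assumptions for illustration.

```python
# Added example: tamper-evident audit log plus soft-delete-only PHI store (illustrative).
import hashlib
import json
import time


class AuditLog:
    """Append-only, hash-chained log of every access to PHI.

    Each entry commits to the previous entry's hash, so deleting, reordering or
    editing an entry is detectable. Production would ship entries to immutable
    storage; the in-memory list here stands in for that.
    """

    def __init__(self):
        self._entries = []

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, record_id, ts=None):
        prev_hash = self._entries[-1]["hash"] if self._entries else "0" * 64
        entry = {
            "seq": len(self._entries),
            "ts": time.time() if ts is None else ts,
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
        prev = "0" * 64
        for i, e in enumerate(self._entries):
            if e["prev_hash"] != prev or e["hash"] != self._hash(e):
                return i
            prev = e["hash"]
        return -1

    def entries(self):
        return [dict(e) for e in self._entries]


class PhiStore:
    """PHI records are never hard-deleted; every read, write and delete is audited."""

    def __init__(self, audit):
        self._audit = audit
        self._records = {}

    def put(self, actor, record_id, data):
        existing = self._records.get(record_id)
        if existing and existing["deleted_at"] is not None:
            raise ValueError("record is soft-deleted; restore before modifying")
        # Keep prior versions so every modification leaves a trace.
        versions = (existing["versions"] + [existing["data"]]) if existing else []
        self._records[record_id] = {"data": dict(data), "versions": versions, "deleted_at": None}
        self._audit.append(actor, "update" if existing else "create", record_id)

    def get(self, actor, record_id):
        rec = self._records.get(record_id)
        if rec is None or rec["deleted_at"] is not None:
            self._audit.append(actor, "read_denied", record_id)
            return None
        self._audit.append(actor, "read", record_id)
        return dict(rec["data"])

    def soft_delete(self, actor, record_id, ts=None):
        rec = self._records[record_id]
        rec["deleted_at"] = time.time() if ts is None else ts
        self._audit.append(actor, "soft_delete", record_id)

    def is_deleted(self, record_id):
        return self._records[record_id]["deleted_at"] is not None

    def history(self, record_id):
        """All versions of a record, oldest first, including the current one."""
        rec = self._records[record_id]
        return rec["versions"] + [rec["data"]]
```

Note that there is deliberately no hard-delete method: a retention job that must purge PHI after the legal period should be a separate, audited process rather than an ordinary API call.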
BAA chains
Every vendor that touches PHI signs a Business Associate Agreement (BAA). AWS, GCP, SendGrid, Twilio Programmable Video, Sentry, etc. all must have a BAA with you.
Authentication
OAuth 2.0 + OIDC. Use a HIPAA-aware identity provider (Okta, Auth0 with HIPAA tier) or self-host with strong controls.
Architecture patterns
Data residency
Some US customers contractually require US-only data residency. Use AWS us-east-1 or us-west-2; replicate within US.
Video calls
Twilio Programmable Video with their HIPAA-eligible tier. Or WebRTC with self-hosted TURN servers. Never store recordings without explicit consent.
Messaging
In-app messaging only. No SMS/email of PHI (unless via HIPAA-eligible provider with BAA, like Twilio Programmable Messaging with their healthcare tier).
Mobile
App store assets must not show PHI. Push notifications must not include PHI in body. Authentication required for app open.
Common pitfalls
Logging PHI accidentally. Application logs that include patient identifiers are HIPAA violations. Mask or tokenize PHI before logging.
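One way to enforce "mask or tokenize before logging" at the framework level, as an added example that is not from the original article: a `logging.Filter` that rewrites every message and its arguments before any handler sees them. Direct identifiers (SSN, email, phone, dates) are masked outright; medical record numbers are replaced with a keyed hash so that lines about the same patient remain correlatable without exposing the MRN. The MRN format, the regex set and the tokenization key are assumptions for illustration.

```python
# Added example: PHI-redacting logging filter (illustrative, not a real product's code).
import hashlib
import hmac
import logging
import re

# Constructed key for the example; in production it comes from a secrets manager.
TOKEN_KEY = b"example-only-tokenization-key"

# Identifiers that must never reach application logs. Order matters: SSN runs before
# the phone pattern so that a 3-2-4 digit group is not mislabelled.
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),  # dates of birth and service
]
# Assumed MRN shape for this example; adapt to the EHR's real format.
MRN_PATTERN = re.compile(r"\bMRN[- ]?(\d{6,10})\b")


def tokenize(identifier):
    """Stable keyed hash of an identifier: correlatable across log lines, not reversible."""
    digest = hmac.new(TOKEN_KEY, identifier.encode(), hashlib.sha256).hexdigest()
    return "mrn_" + digest[:12]


def redact(text):
    """Tokenize MRNs and mask direct identifiers in a single log message."""
    text = MRN_PATTERN.sub(lambda m: tokenize(m.group(1)), text)
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_message(msg, args):
    """Redact both the format string and its arguments, since PHI usually arrives via args."""
    msg = redact(str(msg))
    if isinstance(args, dict):
        args = {k: redact(str(v)) for k, v in args.items()}
    elif args:
        args = tuple(redact(str(a)) for a in args)
    return msg, args


class PhiRedactingFilter(logging.Filter):
    """Attach to a logger so redaction happens before formatting and before any handler."""

    def filter(self, record):
        record.msg, record.args = redact_message(record.msg, record.args)
        return True


def make_logger(name="telehealth"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.addFilter(PhiRedactingFilter())
    return logger
```

Attach the filter to the root logger of the service so that third-party libraries inheriting it are covered too, and pair it with a detection rule that alerts when a raw SSN or email pattern still appears in shipped logs; regex redaction is a safety net, not a substitute for keeping identifiers out of log calls.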
Backups outside scope. Backups are PHI too. Encrypt; document retention; include in BAAs.
Test environments with real PHI. Don't. Anonymize before copying production data anywhere.
Forgetting employee offboarding. Revoke access immediately on departure. Audit quarterly.
What we recommend
Treat HIPAA as a 90-day engineering project. Weeks 1-2: BAAs with all vendors. Weeks 3-6: encryption, logging, IAM. Weeks 7-10: PHI handling audit and remediation. Weeks 11-12: third-party HIPAA assessment. Then operate the controls, for SOC 2-style continuous compliance.
FAQs
Are we automatically HIPAA-compliant on AWS HIPAA-eligible services? No. The services are eligible, but you must configure them correctly and sign the BAA. Configuration is where most violations happen.
Do we need a HIPAA audit? No formal HIPAA audit certification exists, but a third-party HIPAA gap assessment is standard for vendor due diligence.
What about HITRUST? Stricter framework; some US healthcare customers require it. Build HIPAA first; HITRUST after.
