A HIPAA-compliant telehealth MVP in 8 weeks
Secure video, scheduling, messaging, and Stripe payments — with Epic (FHIR) integration — shipped by one technical lead in eight weeks. You keep the source code. No lock-in.
The 8-week plan
Compliance is built first, not bolted on. Every feature lands on an encrypted, audited, access-controlled data layer.
Foundation, auth, and the compliant data layer
- Postgres schema with encryption-at-rest and row-level security so a clinician sees only their patients
- Audit log table recording every PHI read and write, shipped before any feature
- Role-based auth (patient / clinician / admin) on every API route
- Hosting under a BAA-eligible deployment (AWS or Azure), with secrets kept in the managed environment, never in code
Secure video and scheduling
- HIPAA-eligible video via a BAA-backed provider (Twilio Video, Daily, or Amazon Chime SDK) — no PHI in the signaling layer
- Appointment scheduling with availability, time zones, reminders, and reschedule/cancel flows
- Waiting-room and consent capture before the call connects
Messaging and payments
- Secure patient–clinician messaging with attachments, stored under the same encrypted, audited schema
- Stripe payments — copays, self-pay visits, and saved cards via Stripe Customer + PaymentIntents
- Stripe webhooks reconciled against your own ledger so billing state never depends on a third party
Epic (FHIR) integration, hardening, and handoff
- Epic integration over FHIR R4 (SMART on FHIR / App Orchard) — pull demographics and appointments, write encounters back
- End-to-end test pass, access review, and a security walkthrough of the audit trail
- Source code handed to you in your own repo, deploy keys in your accounts — full ownership, no lock-in
The four modules
Secure video
BAA-backed real-time video (Twilio Video, Daily, or Amazon Chime SDK). The platform never stores media on infrastructure outside the BAA, and PHI never travels through the signaling metadata.
Scheduling
Clinician availability, patient booking, automated reminders, reschedule and cancel — with consent capture gating the visit.
Messaging
Asynchronous patient–clinician threads with attachments, written to the same encrypted, row-level-secured, audited store as everything else.
Payments
Stripe for copays and self-pay. Customers, PaymentIntents, and webhooks reconciled against your own ledger so you are never guessing at billing state.
You keep the source code
Code ships to your repository, infrastructure runs in your cloud accounts, and there is no proprietary runtime to license from us. NDA-first on every engagement, and the whole build is backed by a 100% satisfaction guarantee. When you are ready to bring the team in-house, the codebase is built to hand off cleanly.
Frequently asked
Can you really ship a HIPAA-compliant telehealth MVP in 8 weeks?
Yes, for an MVP scoped to four modules (secure video, scheduling, messaging, and payments) with one Epic (FHIR) integration. Wolrix has shipped a telemedicine platform in 8 weeks before. HIPAA itself is a covered-entity certification, not a software stamp; what we deliver is a HIPAA-aware build (encrypted schemas, audit logs, row-level security, human-in-the-loop on PHI, BAA-eligible hosting) that your organization then certifies and signs BAAs against.
Which video provider do you use, and is it HIPAA-eligible?
We use a provider that will sign a Business Associate Agreement — typically Twilio Video, Daily, or Amazon Chime SDK. The choice depends on your scale and whether you need recording. None of these put PHI in the signaling layer, and recordings (if any) are stored under your BAA.
How does the Epic integration work?
Over FHIR R4 using SMART on FHIR / Epic App Orchard. For an MVP we typically read patient demographics and appointments and write encounter or note resources back. Deeper bidirectional sync is a fast-follow once the MVP is live.
How are payments handled?
Stripe — Customers and PaymentIntents for copays and self-pay visits, with webhooks reconciled against your own database so billing state is authoritative on your side, not Stripe’s. Insurance claims are out of scope for an 8-week MVP and added later if needed.
Do we keep the source code, or is there lock-in?
You keep everything. Code ships to your own repository, infrastructure runs in your cloud accounts, and there is no proprietary runtime you have to license from us. NDA-first on every engagement. If you want to take the team in-house later, the codebase is built to be handed off.
Fixed price or time-and-materials?
Either. An 8-week MVP at fixed scope is a good fit for a fixed price; teams that expect scope to move during the build prefer time-and-materials with a weekly cap. We back the work with a 100% satisfaction guarantee.