HIPAA-compliant telemedicine with AI clinical documentation
A US healthcare group needed a telemedicine platform across 3 states — video consultations, EHR integration, prescription management, insurance billing, and AI documentation to reduce physician admin time. We delivered HIPAA-compliant infrastructure with AI SOAP-note generation that cut documentation time by 45%.
The challenge
A US healthcare group serving three states needed a telemedicine platform built around physician workflow, not against it. Their requirements:
- Video consultations with the latency and reliability of a real clinical tool
- Epic EHR integration — patient lookup, problem list, medication reconciliation, encounter posting
- Prescription management with state-by-state e-prescribe rules
- Insurance billing that handles eligibility checks, claim generation, and denials
- AI-assisted documentation — physicians were losing 2–3 hours / day on SOAP notes alone
- HIPAA-compliant infrastructure that would pass audit on the first try, not the third
Existing telemedicine platforms covered video adequately and everything else thinly.
What we built
A telemedicine platform with AI clinical documentation as a core surface:
- Twilio-powered video with low-latency ICE/TURN configuration tuned for clinical use
- Epic EHR integration via the FHIR R4 API — patient context loaded into the encounter view, encounters posted back on visit close
- AI SOAP note generation from real-time consultation transcripts using OpenAI Whisper + GPT-4o, with mandatory physician review before EHR posting
- E-prescribing integrated with Surescripts, state-aware rule engine for controlled substances
- Insurance billing with eligibility check on patient join, automated claim generation post-visit
- Audit logging of every PHI access with actor, timestamp, and scope — required for HIPAA
The AI documentation alone cut physician documentation time by 45%.
Architecture
A React + Node.js platform on a HIPAA-compliant AWS account, audited for SOC 2 readiness:
- Frontend: React with a dedicated provider console and patient portal, end-to-end encryption for messaging
- Backend: Node.js services in a HIPAA-eligible AWS configuration (BAA in place across S3, RDS, Lambda)
- Video: Twilio Programmable Video with TURN failover; video streams never touch our infrastructure
- AI/ML: OpenAI Whisper for transcription, GPT-4o for SOAP-note generation; both running through a PHI-aware proxy that strips identifiers before egress and re-inserts them on response
- EHR: Epic FHIR R4 client with token vault and deterministic backoff
- Audit: Append-only audit log in DynamoDB with cryptographic chain, queryable by patient + actor + date
Outcomes
- 45% reduction in physician documentation time
- 5,000+ teleconsults / month sustained from launch
- Epic EHR integrated for patient lookup, problem list, and encounter posting
- 3 US states covered with state-aware e-prescribe rules
- 180ms average call latency across all sessions
- HIPAA audit passed on first attempt, with no remediation findings
- Zero PHI incidents to date
Why it worked
Three deliberate calls:
- Mandatory human review on AI output. The AI generates the SOAP note; the physician edits, approves, and posts. We never auto-post AI-generated PHI to the EHR. That call closed every clinical-safety conversation in under a minute.
- Strip-then-process for AI. No PHI ever leaves the HIPAA-eligible boundary in raw form. The proxy strips identifiers, sends de-identified text to the model, and re-inserts identifiers on the response. The auditor verified this flow on the first walk-through.
- Epic integration was a foundation, not a feature. The encounter context is the EHR, not our database. Our system holds session state and AI artifacts; the canonical record stays in Epic. That clarity made the integration small, the audit short, and the physician adoption fast.
The platform is now expanding into specialty practices on the same architecture.