Building HIPAA-Compliant Zoom-based Telemedicine Software

Guide to Developing a Secure and Reliable Telemedicine App

Telehealth projects may seem an expensive addition to overall digital platforms in healthcare, because there are a lot of restrictions and regulations that imply costly custom development. Although it’s partially true, in some cases we can embrace integration with 3rd party services to implement central functionality like video conferencing. In this article, we’ll discuss our own experience with integrating and testing Zoom for telemedicine purposes. All the information is based on our experience building a Zoom-based telehealth platform called Groupwell.

Telemedicine Software Basics

If you are already familiar with traditional components of telehealth applications, you can skip this part. 

Otherwise, let’s start with the fact that unlike other video conferencing software for personal use, telemedicine apps often require integration with Electronic Health Record (EHR) systems to store patient medical records. An EHR allows healthcare providers to handle document workflows safely, and processes patient data across various databases and user interfaces. 

The telemedicine component on its own provides the service of video conferencing for appointments, scheduling, administration, etc. This means that data transferred through this channel is also subject to HIPAA compliance, which sets standards for data storage and transmission across healthcare applications.

Telehealth applications can be used in a range of different cases, and depending on the specific application, will vary in overall architecture and the number of necessary features.

  • Conventional healthcare: primary care providers use telemedicine software to issue pharmacy prescriptions, form treatment plans, provide drug information, or consultation to their patients.
  • Critical remote care: some patients require permanent or continued remote supervision, with their state monitored through wearables connected to the application. In this case, video conferencing supplements the monitoring data. 
  • Mental health: personal and group therapy, screening, and medication consultation and prescription. 

Telemedicine supplements or replaces in-person care in many domains beyond the ones listed here. One more important thing to mention is that all data transferred from telemedicine software to an EHR, or back, may require implementation of data security standards. HL7 and FHIR are the most common healthcare standards established to control electronic data management and its exchange between the software applications used by healthcare organizations.

Must-Have and Nice-to-Have Telemedicine App Features

Video conferencing tools are a central element of any telemedicine application. This allows healthcare providers to communicate in real-time with their patients to provide high quality care. 

The ideal video conferencing solution involves giving patients access to appointments, optional anonymous sessions, patient data protection, file exchanges, and more. There are other features that are helpful for telemedicine apps, such as: 

  • Patient profile management: allowing users to update personal information for providers.
  • Doctor catalogue: browsing and selecting available doctors to contact and receive care from.
  • Appointment management: schedule, reschedule, cancel, or confirm appointments online.
  • Electronic health record (EHR) system integration: allows doctors to access and update medical data from labs, pharmacies, or other providers. 
  • Electronic prescription services: a feature that doctors can use to prescribe medications electronically after video consultations. 
  • Payment gateway: enables patients to pay for telemedicine services online. 

In some specific scenarios, such as mental health platforms or rehabilitation practices, integration with an EHR system isn’t required, because some healthcare organizations operate outside those medical requirements and may not be bound by their rules for digital data storage. This doesn’t mean HIPAA compliance can be ignored, since we are still working with the patient’s private data.

Telehealth App Development Peculiarities 

There are three ways to build a telemedicine application with the features that providers need: custom development, integration with existing services, or some combination of the two. 

Custom-built telehealth solutions are required when there is a need for branded software, high requirements for data protection, or limited access to the healthcare provider’s EHR data. Additionally, there may be governmental limitations on integrating third-party instruments that are not verified as HIPAA compliant, since data transmission through them would be compromised.

Integration with existing platforms that provide video conferencing capabilities is a much more affordable option, since the timeline and scope of development can be reduced to focusing on backend infrastructure and frontend features. However, the end product in either case must be reliable, stable, and meet the requirements of data privacy standards. 

The Cost of Telehealth App Development 

As a separate point of discussion, you might wonder what the rough cost estimates are for this type of project. As with any software development project, the cost and budget will differ from product to product. However, based on our experience communicating with clients and estimating development scope and budget, we can provide an approximate cost for telehealth implementation.

Given that development faces significant regulations and privacy concerns, telemedicine projects often require a custom approach to modules like scheduling, patient information, and the administration panel, because functional requirements differ significantly between products. This places telehealth projects in the 1,500-2,000 hour category of development timeline. Budget-wise, it will depend on developer rates, resource allocation between the client and vendor teams, the involvement of QA, PM, BA, etc. 

QA is one of the major areas where time is needed for these types of projects, since we generally need to implement testing from the beginning of the project to ensure there are no breaches or data leaks in the data pipeline. So now, let’s discuss how a telemedicine application can be centered around Zoom as a video conferencing tool. 

Case Study: Building A Zoom-Based Telehealth App 

In a project for one of our clients, we built a telemedicine platform called GroupWell. This app allows healthcare professionals to provide mental health treatment online. This application integrates with Zoom to provide a stable connection, along with data privacy for doctors and patients. The MobiDev team was involved in the development process, implementing measurement, monitoring, and analytical systems for the platform. 

To reduce the timeline and scope of the project, our team also made use of open-source tools like Zoom, calendar solutions and libraries for other functionality, along with UI/UX design. With that in mind, let’s talk in more detail about the Zoom integration and testing procedure done by MobiDev.

Why Did We Choose Zoom?

Zoom is a proven and reliable platform for video conferencing. Since Zoom is very popular, many users are also very familiar with it. This makes it easier to use for both providers and patients.

Zoom is also convenient to integrate with other software. In fact, Zoom provides documentation on integrating the platform with telemedicine products. Of the two methods available, the Meeting SDK and the Video SDK, we chose the Meeting SDK for the following reasons: 

  • Meeting SDK has more flexible design features
  • Custom UI and component view settings
  • Easier integration
  • Session duration customization 

Since flexibility and configuration were our main project needs, Zoom Meeting SDK was chosen thanks to its administration schema and existing API. 

Zoom-Based Telemedicine App Testing Process Challenges

Once we started with testing procedures, we needed to cover a range of basic things like cross-browser testing, the flow of creating and joining meetings, checking user roles, audio/video quality, and the interface. However, there are a number of pitfalls that QA engineers can face throughout this process. Here is our list of things you should check when testing your application with Zoom in mind:

  • Meeting Attendance Tracking: if your project is intended to charge attendees for meetings, their attendance needs to be tracked so that payment can be processed correctly. 
  • Session duration customization: pay attention to what you have set to happen when a meeting reaches its maximum duration. You can also determine what will happen if a user joins a meeting early. 
  • Privacy: test thoroughly to make sure that nobody can interrupt or join sessions without being invited. Confidentiality in calls is essential for HIPAA-compliant applications. 
  • Network conditions: pay attention to the user experience of the application under varying network quality, and look beyond raw network speed at client-side behavior, for example, a user who accidentally leaves a call or reconnects using another device. 
  • License limit: the number of host licenses that Zoom provides is finite. This will vary depending on the subscription. 

Unexpected errors are possible even in sandbox testing. Developers need to expect errors and handle problematic behavior with error codes that are communicated from Zoom to the user. For example, if the user has reached the maximum number of host licenses, it can cause problems with the software. Displaying an error message and preventing hosts from getting more than one license is a great way to improve the quality of your product. 

QA Solutions for Improving Telehealth Software

With all of this in mind, let’s discuss some solutions that can improve the robustness of application features and the security of the end product. 

  • Tracking Meeting Attendance:

Tracking meeting attendance has a few important elements that need special attention. These are:

  • Which client joined which host. The client is charged for that session, and the attendance record and payment are credited to that host. 
  • Duration of a call is sufficient evidence for attendance. For example, if a user joins a meeting and then leaves immediately, backend rules can understand that this may not be considered proper attendance. 

As a result, QA engineers should check for the uniqueness of the client link. They should also check to make sure that metadata from Zoom meetings arrives at the payment system properly. Once received, it’s important to ensure that this includes the correct host and client IDs. The settings for this metadata should be configured by developers. QA should also have access to the admin accounts needed to inspect this information. 

  • Session Duration:

To best measure how long the meeting lasts, there are a few elements that engineers need to examine. For example: 

  • A user joins before, during, and after the meeting. 
  • A user rejoins and how this influences a meeting’s attendance. 
  • Waiting room availability. Time-out errors can occur if there is no proper setting for a waiting room for early arrival users. This type of error can confuse users.
  • Call duration in testing can be reduced to 5-10 minutes to test payment systems to charge clients for the duration of a meeting. This will reduce testing times. 

Tracking meeting attendance and session duration checks can be combined for cross-platform testing. Proper testing should use unique browser sessions for every user. 
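As an added example (not code from the GroupWell project or from Zoom), here is how the attendance and session-duration checks above can be enforced server-side in Python: a Zoom webhook receiver that verifies the HMAC signature and request timestamp before anything reaches billing, and a ledger that turns participant joined/left events into billable minutes, clipped to the scheduled window (time before the scheduled start or after its end is not billed) and merged across reconnects so a second device does not double-charge. The secret, event payloads and registrant ids are constructed; the `x-zm-signature` scheme follows Zoom's webhook documentation, while the payload field names (`registrant_id`, `user_id`, `join_time`, `leave_time`) are assumptions about the event shape to confirm against the current API reference.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed secret; a deployment loads the Zoom app's Secret Token from a secrets store.
# Header names and signing scheme follow Zoom's webhook docs; payload field names are assumed.
WEBHOOK_SECRET = "constructed-secret-token"
MAX_SKEW_SECONDS = 300

def zoom_signature(secret: str, timestamp: str, raw_body: str) -> str:
    """HMAC-SHA256 over "v0:<timestamp>:<raw body>", sent by Zoom as "v0=<hex>" in x-zm-signature."""
    digest = hmac.new(secret.encode(), f"v0:{timestamp}:{raw_body}".encode(), hashlib.sha256)
    return "v0=" + digest.hexdigest()

def verify_webhook(secret: str, headers: dict, raw_body: str, now: datetime) -> dict:
    """Reject forged (bad HMAC) or replayed (stale timestamp) events before billing logic runs."""
    ts = headers["x-zm-request-timestamp"]
    if abs(now.timestamp() - int(ts)) > MAX_SKEW_SECONDS:
        raise PermissionError("webhook timestamp outside tolerance")
    if not hmac.compare_digest(zoom_signature(secret, ts, raw_body), headers["x-zm-signature"]):
        raise PermissionError("webhook signature mismatch")
    return json.loads(raw_body)

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def merge_intervals(intervals: list) -> list:
    """Merge overlapping [start, end) pairs: a rejoin from a second device must not be billed twice."""
    merged: list = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return merged

class AttendanceLedger:
    """sessions[meeting id][registrant id][connection id] = [join, leave or None]."""

    def __init__(self, secret: str, min_billable: timedelta = timedelta(minutes=5)):
        self.secret, self.min_billable, self.sessions = secret, min_billable, {}

    def ingest(self, headers: dict, raw_body: str, now: datetime) -> None:
        event = verify_webhook(self.secret, headers, raw_body, now)
        obj = event["payload"]["object"]
        p = obj["participant"]
        # Assumption: each client gets a unique registration link, so registrant_id identifies
        # the platform client; user_id is Zoom's per-connection id and changes on every rejoin.
        conns = self.sessions.setdefault(str(obj["id"]), {}).setdefault(p["registrant_id"], {})
        if event["event"] == "meeting.participant_joined":
            conns[p["user_id"]] = [_ts(p["join_time"]), None]
        elif event["event"] == "meeting.participant_left" and p["user_id"] in conns:
            conns[p["user_id"]][1] = _ts(p["leave_time"])

    def report(self, meeting_id: str, start: datetime, end: datetime, now: datetime) -> dict:
        """Billable minutes per client inside the scheduled window; open connections close at `now`."""
        out = {}
        for registrant, conns in self.sessions.get(meeting_id, {}).items():
            clipped = []
            for join, leave in conns.values():
                s, e = max(join, start), min(leave or now, end)
                if e > s:
                    clipped.append([s, e])
            total = sum((e - s for s, e in merge_intervals(clipped)), timedelta())
            out[registrant] = {"minutes": total.total_seconds() / 60, "attended": total >= self.min_billable}
        return out

def _event(name: str, registrant: str, conn: str, **times) -> str:
    """Constructed webhook body in the assumed Zoom event shape, for meeting id 123."""
    participant = {"registrant_id": registrant, "user_id": conn, "user_name": "redacted", **times}
    return json.dumps({"event": name, "payload": {"object": {"id": 123, "participant": participant}}})

def _signed_headers(body: str, now: datetime) -> dict:
    ts = str(int(now.timestamp()))
    return {"x-zm-request-timestamp": ts, "x-zm-signature": zoom_signature(WEBHOOK_SECRET, ts, body)}

def demo() -> dict:
    """Constructed events for a session scheduled 10:00-11:00 UTC on 2024-03-01."""
    now = datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc)
    ledger = AttendanceLedger(WEBHOOK_SECRET)
    for body in [
        _event("meeting.participant_joined", "reg-A", "c1", join_time="2024-03-01T09:55:00Z"),  # early join
        _event("meeting.participant_joined", "reg-B", "c3", join_time="2024-03-01T10:05:00Z"),
        _event("meeting.participant_left", "reg-B", "c3", leave_time="2024-03-01T10:06:00Z"),   # left at once
        _event("meeting.participant_joined", "reg-A", "c2", join_time="2024-03-01T10:28:00Z"),  # second device
        _event("meeting.participant_left", "reg-A", "c2", leave_time="2024-03-01T10:30:00Z"),
        _event("meeting.participant_left", "reg-A", "c1", leave_time="2024-03-01T10:45:00Z"),
    ]:
        ledger.ingest(_signed_headers(body, now), body, now)
    return ledger.report("123", now - timedelta(hours=1), now, now)

def demo_tampered() -> bool:
    """True when a body altered after signing is rejected and never reaches billing."""
    now = datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc)
    body = _event("meeting.participant_joined", "reg-A", "c1", join_time="2024-03-01T10:00:00Z")
    try:
        AttendanceLedger(WEBHOOK_SECRET).ingest(_signed_headers(body, now), body.replace("reg-A", "reg-Z"), now)
    except PermissionError:
        return True
    return False
```

QA can drive the same code with short sessions and a reduced `min_billable`, as the list above suggests. `demo()` reports 45 billable minutes for the client who joined early and reconnected from a second device, and flags the one-minute join as not attended; `demo_tampered()` shows that a payload altered after signing is rejected before it can influence a charge.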

  • Network Conditions:

When a meeting host’s connection times out, the host role will transfer to someone else in the meeting. In some cases, users who try to reconnect to the meeting with the same link may be placed in an entirely new meeting room. Both of these cases can be tested by changing the settings for the waiting room and for joining before the host.

  • License Limit:

Applications that use Zoom integration should ensure that licenses for hosts are provided and removed as needed if their quantity is limited. For example, if a user account is deleted from the platform, the license should be released. This will reduce the number of unused licenses with a chosen subscription plan. 
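An added example, not the project's code, of the license bookkeeping described here and of the error handling mentioned in the testing section above: a small Python pool that hands a host at most one license, raises a specific error when the subscription's capacity is exhausted so the product can show a clear message instead of a generic SDK failure, and releases the license from the account-deletion flow. `FakeZoomUsers` stands in for the Zoom Users API call that changes a user's type (1 = Basic, 2 = Licensed, as I understand Zoom's documentation); that mapping, the capacity and the ids are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Zoom user types as I understand the Users API docs: 1 = Basic, 2 = Licensed. A user's type
# is changed by updating that user; FakeZoomUsers is an offline stand-in for that call.
BASIC, LICENSED = 1, 2

class NoLicenseAvailable(RuntimeError):
    """Raised when every host license on the subscription is in use, so the product can show
    a specific message rather than failing later at meeting creation."""

@dataclass
class FakeZoomUsers:
    types: dict = field(default_factory=dict)   # zoom user id -> user type

    def set_type(self, zoom_user_id: str, user_type: int) -> None:
        self.types[zoom_user_id] = user_type

@dataclass
class LicensePool:
    api: FakeZoomUsers
    capacity: int
    assigned: dict = field(default_factory=dict)   # platform host id -> zoom user id

    def ensure_licensed(self, host_id: str, zoom_user_id: str) -> str:
        """Give a host a license exactly once; repeated calls for the same host are no-ops."""
        if host_id in self.assigned:
            return self.assigned[host_id]
        if len(self.assigned) >= self.capacity:
            raise NoLicenseAvailable(f"all {self.capacity} host licenses are in use")
        self.api.set_type(zoom_user_id, LICENSED)
        self.assigned[host_id] = zoom_user_id
        return zoom_user_id

    def release(self, host_id: str) -> bool:
        """Downgrade the Zoom user and free the slot; safe to call for hosts without a license."""
        zoom_user_id = self.assigned.pop(host_id, None)
        if zoom_user_id is None:
            return False
        self.api.set_type(zoom_user_id, BASIC)
        return True

    def on_account_deleted(self, host_id: str) -> bool:
        """Hook for the platform's account-deletion flow so deleted hosts never keep a license."""
        return self.release(host_id)

    def in_use(self) -> int:
        return len(self.assigned)

def demo() -> dict:
    """Walk a constructed pool of two licenses through assignment, exhaustion and release."""
    api = FakeZoomUsers()
    pool = LicensePool(api, capacity=2)
    pool.ensure_licensed("host-a", "zoom-a")
    pool.ensure_licensed("host-a", "zoom-a")      # second call must not consume another slot
    pool.ensure_licensed("host-b", "zoom-b")
    try:
        pool.ensure_licensed("host-c", "zoom-c")
        third_rejected = False
    except NoLicenseAvailable:
        third_rejected = True
    pool.on_account_deleted("host-a")             # deleting the account releases zoom-a
    pool.ensure_licensed("host-c", "zoom-c")      # now succeeds
    return {"third_rejected": third_rejected, "in_use": pool.in_use(),
            "zoom_a_type": api.types["zoom-a"], "zoom_c_type": api.types["zoom-c"]}
```

The pool is the single place where the platform's view of licenses is kept consistent with Zoom's; wiring `on_account_deleted` into user deletion is what keeps unused licenses from accumulating on the subscription.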

Ensuring HIPAA Compliance and Data Security

In the healthcare industry, HIPAA compliance is essential for healthcare data privacy. This entails setting up data transport and storage encryption, identity and access management, data integrity, and data disposal protocols. In our example, our client’s team handled the compliance implementation, while we provided technical recommendations. You can read more about HIPAA requirements in our dedicated article that describes how MobiDev accomplished healthcare regulatory compliance in different projects.

Once it’s time to check your project’s privacy settings, the requirements must be clarified with your team. These specific settings may depend on the goal of your project. Some important points to keep in mind: 

  • User privacy: What data or data pairs must be kept confidential? QA must check to make sure that no sensitive user data is shared with Zoom. If shared, it must be encrypted so that the data cannot be transmitted in its original form. 
  • Link availability: Make sure that meeting invite links cannot be used by unregistered users. Also, ensure that the links cannot be accessed after the meeting ends. 
  • Zoom invites: If you don’t want strangers to join your platform meetings for free, ensure that this feature is turned off. 
  • Meeting recording: since meetings in healthcare contexts can contain sensitive information, ensure that this feature is disabled. 
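As an added illustration, not the project's own code, the four points above expressed as checks that a QA engineer, or a pre-flight hook in the backend, can run over the meeting settings object before a meeting is created: a baseline that disables join-before-host and recording and requires the waiting room, authentication and approved registration; a scan of the meeting topic for patient identifiers, since the topic is visible to Zoom and appears in invites; and a platform-side gate that only serves the join link to registered users inside the session window. The setting keys are those of Zoom's create-meeting API as I understand it and should be confirmed against the current reference; the weak configuration, the pseudonymous topic and the patient identifiers are constructed.

```python
from datetime import datetime, timedelta, timezone

# Keys are those of the "settings" object in Zoom's create-meeting API as I understand them;
# treat them as assumptions and confirm against the current API reference.
HIPAA_BASELINE = {
    "join_before_host": False,       # nobody enters the room before the provider
    "waiting_room": True,            # the provider admits each participant explicitly
    "auto_recording": "none",        # no local or cloud recording of sessions
    "meeting_authentication": True,  # only signed-in accounts can join
    "approval_type": 1,              # registration required and approved manually
}

def check_meeting_settings(settings: dict) -> list:
    """One message per setting that deviates from the baseline; a missing key counts as a deviation."""
    return [f"{key}={settings.get(key)!r}, expected {wanted!r}"
            for key, wanted in HIPAA_BASELINE.items() if settings.get(key) != wanted]

def harden(settings: dict) -> dict:
    """Overlay the baseline on a settings object; unrelated keys pass through unchanged."""
    return {**settings, **HIPAA_BASELINE}

def check_topic(topic: str, patient_identifiers: list) -> list:
    """Return the identifiers (name, record number, ...) that leak into the visible meeting topic."""
    lowered = topic.lower()
    return [ident for ident in patient_identifiers if ident.lower() in lowered]

def join_link_allowed(registered: bool, start: datetime, end: datetime, now: datetime,
                      early_grace: timedelta = timedelta(minutes=10)) -> bool:
    """Platform-side gate in front of the Zoom link: registered users only, from `early_grace`
    before the scheduled start until the scheduled end, so the link is dead once the meeting is over."""
    return registered and (start - early_grace) <= now <= end

def demo() -> dict:
    """Constructed weak configuration beside its hardened form, plus link-window checks."""
    weak = {"topic": "Therapy session - Jane Doe", "join_before_host": True,
            "waiting_room": False, "auto_recording": "cloud", "approval_type": 2}
    fixed = harden({**weak, "topic": "Session #4821"})   # pseudonymous topic, constructed
    identifiers = ["Jane Doe", "MRN-0042"]               # constructed patient identifiers
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    t1 = t0 + timedelta(hours=1)
    return {
        "weak_violations": len(check_meeting_settings(weak)),
        "fixed_violations": len(check_meeting_settings(fixed)),
        "weak_topic_leaks": check_topic(weak["topic"], identifiers),
        "fixed_topic_leaks": check_topic(fixed["topic"], identifiers),
        "early_ok": join_link_allowed(True, t0, t1, t0 - timedelta(minutes=5)),
        "after_end": join_link_allowed(True, t0, t1, t1 + timedelta(minutes=1)),
        "unregistered": join_link_allowed(False, t0, t1, t0),
    }
```

`check_meeting_settings` is the kind of check that belongs in the meeting-creation code path rather than only in a manual test plan, so a configuration regression is caught before a real session is scheduled; `join_link_allowed` covers link availability after the meeting ends, which Zoom's own settings do not enforce for the platform's URLs.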

Our experience developing a Zoom-integrated telemedicine application, GroupWell, has helped us understand many of these needs much more closely. QA is essential for developing telemedicine solutions. Secure storage of sensitive patient information is critical, so thorough testing is needed to ensure that this process works right every time. 

This started out as a small, demo project that blossomed into a full-scale application due to the dedication, commitment, and teamwork from MobiDev. The team is smart, capable, and very strong communicators. They find a way around every technical challenge we face. I don’t think of them as outsourced, but instead as my team.

Denise Shiffman

Founder and CEO at GroupWell

To Sum Up

Integration with 3rd party services is an accessible way to develop telehealth applications, as it offers a faster route to market with fewer development resources. Budget-wise, it is also more beneficial, since video conferencing providers such as Zoom ensure data integrity for healthcare projects. 

This makes Zoom a suitable groundwork for adding new features and customizing other components. MobiDev provides consultancy and development services for telehealth solutions based on explicit expertise in medical applications, integrations with EHR systems and processing protected health information within healthcare platforms.
