The Hidden Challenges of Building HIPAA-Compliant Telehealth Applications: Lessons Learned

Developing secure healthcare applications requires meticulous planning and a thorough understanding of compliance standards. Recently, I embarked on creating a telehealth Minimum Viable Product (MVP) using a seemingly promising platform, only to discover crucial compliance limitations that could have been avoided with better research.

For two months, I worked diligently to develop a HIPAA-ready telehealth solution, leveraging an innovative platform that claims to simplify the development process with AI-generated code, authentication handled by Clerk, and database management through Supabase. The platform even offers a security scan feature, adding to its appeal. Everything appeared to align with my vision of a fast, efficient build.

However, upon closer examination of the platform’s documentation, significant issues emerged. There was no Business Associate Agreement (BAA) available — not even as part of a paid plan. This absence means that, legally, the platform cannot be trusted to handle Protected Health Information (PHI) in a manner compliant with HIPAA regulations. Additionally, unless you’re on an enterprise-level plan (which often involves substantial costs), the platform’s terms suggest that user prompts and data could be used to train their AI models, raising privacy concerns with sensitive patient data.

While the combination of Clerk and Supabase could, in theory, be configured for HIPAA compliance, doing so would require manual setup, signing separate BAAs with each service, and becoming well-versed in compliance requirements — effectively demanding an overnight transformation into a compliance expert.

Unfortunately, the platform I relied on was not designed with HIPAA compliance in mind. It continued to operate outside the protected data environment, with no clear way to ensure PHI security within its ecosystem. Faced with these limitations, I had no choice but to abandon my initial approach and rebuild the application using healthcare-specific infrastructure built from the ground up.

This experience has reinforced an important lesson: rushing to prototype with tools not explicitly designed for healthcare can hinder long-term progress and pose significant legal risks. Taking the time to choose compliant solutions from the outset can ultimately lead to faster, safer deployment.

I wish I had known earlier that while this platform is excellent for rapid prototyping, it’s unsuitable for any real PHI handling. Spent a lot of time and effort in vain, and I hope my story serves as a cautionary tale for others in the healthcare tech space.

Has anyone else encountered similar challenges? Or did I overlook some critical information during my research?