Konstantin Kalinin
Konstantin Kalinin
Head of Content
September 9, 2020

COVID-19 really hit the healthcare system under the belt. Did you find yourself scrambling for a HIPAA compliant solution when that happened, too, trying to quickly onboard your patients and continue helping them?

doctor from mobile app with recommendations

Then you know that having your own HIPAA compliant video conferencing and messaging solution sets your business up for success in the long run.

Table of Contents:

  1. HIPAA and Co
  2. White-Label vs. Custom
  3. Features to Look Out for in HIPAA Compliant Messaging
  4. Features to Look Out for in HIPAA Compliant Audio and Video Calling
  5. HIPAA Compliance in Messaging & Calling SDKs
  6. Nuances of Choosing a HIPAA compliant Conferencing SDK
  7. Top 3 HIPAA Secure Video Conferencing and Messaging APIs
  8. Our Experience with HIPAA compliant development

HIPAA and Co

I’m pretty sure you’re familiar with the terms, but let’s get them out of the way asap.

HIPAA is a public law that enforces the following rules on healthcare providers:

These rules set the security and privacy guidelines for handling PHI.

PHI is protected health information — virtually any patient information, such as demographics, medical history, lab results, insurance, etc.

BA is a business associate, a technology partner helping you set up a HIPAA compliant video calling and messaging SDK. And BAA is a business associate agreement that you and your partner need to sign before developing or integrating a telemedicine service.

Now, when creating HIPAA compliant platforms, you’d often look to quickly integrate with external softwares that enable functionalities like video calling, instant messaging, and more. This is where SDKs and APIs come in.

You might want to know the difference between SDK and API. Well, the former is like a code plugin that developers download and merge with custom code to produce your app.

HIPAA compliant messaging using software development kit graphic

And an API is a set of commands that developers need to know to make your app work with different standalone services. An example of such a command could be, “Sync this message across all the devices with this account.

The bottom line is SDKs and APIs are tools that help developers build your app faster.

White-Label vs. Custom Secure HIPAA Compliant Video Conferencing and Messaging

Today, when it comes to HIPAA compliant platforms, you can go two ways. One is developing your own custom solution, and the other is white-labeling a telemedicine product. With white-label teleconferencing, you are likely to face:

  • Higher licensing costs in the long run
  • Standard telemedicine features
  • Lack of flexibility to adapt to your processes

In other words, it will be you who will be adapting, not the solution. Consequently, many healthcare companies decide to go the custom route. Having a custom telehealth platform gives them all the freedom over features, branding, and full compatibility with internal workflows.

new rapid prototyping ebook

However, as it turns out, app development costs for custom-developed telemedicine platforms are higher than for a white-label solution. So what’s the way out?

Well, you can choose a video conferencing SDK that complies with the HIPAA rules and plugs into your existing healthcare system. This helps you reach the market faster on tangible budget, without the dependency on adapting to a white-label solution.

building teleconferencing features with SDK and API

But how do you decide on what call/messaging SDK to choose with so many variants available? We suggest you do so by reviewing their available feature sets, pricing, support, and integration simplicity. Let’s skim through features first.

Features to Look Out for in HIPAA Compliant Messaging

Whether you’re a patient, doctor, or quite honestly just someone that has a smartphone, it’s unlikely that you go about your day  without iMessage, WhatsApp, Hangouts, and other messengers. So, it’s no surprise that as a doctor or medical practitioner you’re looking for more or less the same functionality in a medical chat. Plus, the enhanced security measures that the HIPAA guidelines command.

topflight agora partnership


Still, you should double-check if all advertised functionality of a given SDK actually meets the HIPAA requirements. For instance, Twilio lists chatbot integrations as not yet HIPAA compliant. With that in mind, let’s review some of the features a decent HIPAA compliant messaging API should include.


Of course, push and in-app notifications are a critical feature for any messaging app. It’s important to note, though, that for healthcare chats, we can’t send any PHI in notifications. So, a pop-up banner can say things like “You’ve got a new message from Dr. M.,” but no details must be included.

recommend HIPAA compliant video calling and messaging SDK

One-on-one and group chats

Doctors and patients should be able to chat one-on-one, but then for doctor-doctor communication, inviting a colleague on a call may turn out quite useful. I know Dr. House would love the feature.

Editing and deleting messages

This option is another self-evident part of our messengers today, but it can get complicated if you think of it. Do you let a doctor and patient delete any message at all or just the most recent one? Do you reflect that in the chat history (more on this below)? Do you notify the user if the message has been updated? You’ll run into many nuances like these.

Fortunately, if you decide to go with some HIPAA compliant chat SDK — the answer will be, “Whatever the SDK/API provides.” Because if you add too much custom code around the tool, you’ll have a hard time supporting the app going forward.

User online status

The green and grey dots indicating whether users are online or not. By the way, would you allow an invisible status for doctors who are online but want the privilege of showing as offline to patients?

Delivery/read receipts and typing indication

Pretty self-explanatory and mostly nice-to-have features.

sendbird typing notification

Sending images and videos

Being able to share CT scans and MRIs, physiotherapy videos, and other imagery/videos with peers and patients can go a long way.

Messages sync

Since patients likely rotate between several devices throughout the day, it’s a good practice to let them continue the conversation from where they left off on any device. In addition, messages should be automatically sent and delivered even if there’s no connection: from the cache when their phones get connected again.

User roles and permissions

This option probably makes sense for group chats in a clinical environment, so that, let’s say, medical assistants couldn’t accidentally delete discussions where they participate.

Chat history

Messages should be stored safely on a server so that authorized users can easily access them from any device.

Advanced Features

Some progressive messaging SDKs offer add-on options like showing how many users have read your message in a group chat, integrations with external chatbots and messengers, keyword filtering, etc.

audio video calling Twilio SDK

Features to Look Out for in HIPAA Compliant Audio and Video Calling

Now let’s see what you can get in terms of video calls with a HIPAA compliant SDK for your mobile or web healthcare application development. You may think that video calls are pretty straightforward, and they really are, but there are always nuances.

One-on-one and group video calls

It’s safe to say that after years of calling on FaceTime, Skype, and other apps, we all know what a video call should look like:

  • Picture-in-picture video feed
  • Mute/unmute
  • Camera rotation
  • Stickers and reactions

Integration with chat

You’d think that HIPAA compliant teleconferencing SDKs would come bundled with the chat out-of-the-box, but that’s not always the case. Some companies focus exclusively on HIPAA compliant chats, and others — on video or audio calls.

Screen sharing and recording

Screen recording can be used by patients as a fallback option they can refer to, but ideally, doctors keep control over this feature, providing patients with a clip, .e.g, demonstrating an exercise when needed.

Customization and integration

As extra functionality, your solution may need to integrate with other APIs, such as enabling relaxing music background while on the call. And customization may come handy when you operate out of the home office and need to set a proper background.

HIPAA compliant voice and video calling and messaging SDK Sendbird admin area

Call dashboard for admins

Accessing calls and gathering respective analytics in an admin interface is essential to improving internal clinical workflows.

HIPAA Compliance in Messaging & Calling SDKs

You must be thinking, “Ok, you threw at me a bunch of features. But what about HIPAA? Tell me more about HIPAA in terms of how it applies to damn SDKs, APIs, or what have you.”

Well, when vendors say they are HIPAA compliant, it means they are doing everything possible to protect your and your patients’ data. These include:

  • Data encryption
  • Multi-factor authentication
  • Expiration of idle sessions
  • Secure TLS/SSL protocols for data transmit
  • User access rights management
  • Removing PHI from all publicly accessible interfaces

That’s sort of a bare minimum. There are more technical things app developers need to consider on the server-side as well. Get in touch if you’d like to learn more.

Nuances of Choosing a HIPAA Compliant Conferencing SDK

After shortlisting a couple of variants that have desired HIPAA-eligible features, you need to start looking deeper. You’d have to assess these audio and video calling / messaging APIs from these perspectives:

  • Usage of an API with their SDK for messaging, audio calls, and video calls. Do they support all of these?
  • Do they have a plug-and-play UI kit if you don’t want to spend time designing a custom UI/UX?
  • Do they provide licensing or self-hosting options?

How do I make my app HIPAA compliant banner

Beyond that, you should be looking at things like:


Is call quality good enough? How many people can join a call before its quality starts to degrade? How does the SDK handle switching from different types of internet connection?


How quickly can you scale this solution?

Multi-device and platform support

Does the SDK you consider work on web browsers and mobile phones/tablets? Does it also support Linux?

Programming language support

Do they offer the SDK in Swift, Java, React Native, JavaScript, Flutter, and other programming languages that your app developers use to spend less time on integration?

Best HIPAA compliant Video Conferencing and Messaging APIs

There are quite a few video and audio conferencing and messaging APIs available when custom developing your mobile app, but the top three that immediately come to mind include Twilio, Sendbird, and Agora. Worth a look, what do you think?


Twilio messaging video calling SDK HIPAA

Headquarters: San Francisco, California.

Notable features: “Message consumption horizon” visualizes how many participants have read your message. User roles and permissions for group chats. HIPAA compliant SMS messaging.

SDK flavors: JavaScript / Android / iOS.

NB: the in-app messaging component is not HIPAA-eligible yet, out-of-the-box.

Advantages: Robust platform covering all major communication channels, including SIP.


sendbird logo

Headquarters: San Mateo, California.

Notable features: Allows to automatically translate messages into 50+ languages.

SDK flavors: JavaScript / Android / iOS / .Net / Unity

NB: Compliance with HIPAA, HITECH, BAA, ISO27001, EU-US Privacy Shield, GDPR.

Advantages: Offers a UI kit. Signs BAA for chat and video. Probably the best HIPAA compliant text messaging.


Agora Inc Logo

Headquarters: Santa Clara, California.

Notable features: ultra-low latency (~400ms) and resilience to packet loss (up to 70%), which translates to super smooth, stutter-free video calling.

SDK flavors: JavaScript / Android / iOS / Unity / Electron / Windows

NB: Real-time messaging is in beta.

Advantages: super smooth audio and video conferencing.

Our Experience

We’ve built custom HIPAA compliant chats and integrated off-the-shelf HIPAA compliant video chats and HIPAA compliant instant messaging at Topflight.

As a matter of fact, we’ve been recently investigating different options for our telemedicine product and have stumbled upon attractive alternatives. Besides decent competitors (such as QuickBlox) who outrun the well-established trio with aggressive pricing, there are also promising variants that focus solely on chat or video calling APIs.

quickblox screenshot

For instance, you could go with PubNub for HIPAA compliant secure messaging and Vonage’s HIPAA compliant video chat API, or find other options based on your telemedicine solution’s requirements.

Let’s Talk

Take marketing copy on these SDK sites with a grain of salt. Even though it looks as easy as updating your phone’s OS, implementing a HIPAA compliant messaging system or a video calling SDK can be challenging. Often, even a senior developer may stumble once or twice when starting to implement a new SDK. If you’ve been in a similar situation, or have questions around cost or how long it will take to develop your app, or need help with choosing a HIPAA compliant conferencing API for your app, get in touch. Also, check out article on how to develop a HIPAA compliant app.


  1. A Guide to Building a Doctor’s Appointment Application
  2. How to Develop a Healthcare Application
  3. How to Create a Telehealth Application
  4. Healthcare Mobile App Design Guide
  5. How to Start a Healthcare Startup
  6. Medical Website Development Guide
  7. How to Build a Video Chat Application



How do I know if a chat or calling SDK agrees with the HIPAA rules?

See if the company that offers it is willing to sign a BAA with you.

How much am I saving by going with an off-the-shelf variant?

At least $100,000 in pure development costs.

Since many of these SDKs come for iOS and Android, does it mean developers can copy-paste code into my app and be done?

Someday, coding will be precisely that, but for now, developers working on integrations still need to tweak quite a few things around to make an SDK work with your telemedicine app.

I’ve chosen a HIPAA approved video conferencing SDK and the company that offers it provides both SDK and API. Which one do I need again?

Both. SDK – to plug into your app – and API to teach your app how to “speak” with the cloud. Remember, everything digital lives on servers these days.

Konstantin Kalinin

Head of Content
Konstantin has worked with mobile apps since 2005 (pre-iPhone era). Helping startups and Fortune 100 companies deliver innovative apps while wearing multiple hats (consultant, delivery director, mobile agency owner, and app analyst), Konstantin has developed a deep appreciation of mobile and web technologies. He’s happy to share his knowledge with Topflight partners.
Learn how to build winning apps.

Privacy Policy: We hate spam and promise to keep your email address safe

Copy link