Healthcare | KMP | HIPAA

Cross-Platform Telehealth App

HIPAA-compliant telehealth app built with Kotlin Multiplatform for a digital health startup. Video visits, AI symptom triage, e-prescribe, and EHR integration. 87% code sharing across iOS and Android. 10K patients onboarded in 3 months.

Key metrics:

  • 87% code sharing
  • 10K patients in 3 months
  • 4.8★ App Store rating

The Problem

A digital health startup needed to launch a telehealth platform on both iOS and Android within 4 months. Two separate native apps would require two engineering teams and double the timeline. HIPAA compliance added complexity to every feature: video encryption, data storage, audit logging, and user authentication. Competitors were 6–12 months ahead.

The Dataset

Clinical protocols from 15 medical specialties for symptom triage algorithms. FHIR R4 data models for patient records, medications, and clinical encounters. ICD-10 and CPT code mappings for billing integration. State-by-state prescribing regulations for e-prescribe compliance.

Model & Approach

  • Kotlin Multiplatform (KMP): Shared business logic layer for encryption, FHIR parsing, triage algorithms, and network communication. Native UI (SwiftUI on iOS, Jetpack Compose on Android) for platform-native look and feel.
  • AI Symptom Triage: Decision-tree augmented with NLU — patients describe symptoms in natural language, system classifies urgency and routes to appropriate care level (ER, urgent, scheduled, self-care).
  • Video Infrastructure: WebRTC with SRTP encryption, adaptive bitrate, and TURN server fallback. End-to-end encrypted video calls that comply with HIPAA transmission security requirements.
  • E-Prescribe: Surescripts integration for electronic prescribing. Drug interaction checking, formulary verification, and state-specific Schedule II–V compliance rules.

Architecture

KMP shared module (business logic + data layer) → native UI layers → API gateway (Kong) → microservices (Kotlin/Ktor) → PostgreSQL + Redis → EHR integration (FHIR R4) → Surescripts → video infrastructure (Twilio HIPAA). AWS GovCloud with full HIPAA compliance stack: encrypted RDS, encrypted S3, CloudTrail audit logging.

Deployment

Beta launch in 2 states with 500 patients and 20 providers. HIPAA penetration testing by third-party security firm. App Store and Google Play review with HIPAA documentation. Phased state-by-state rollout due to telehealth licensing requirements. Provider onboarding portal with credentialing workflow.

Results

Before (two native apps) → after (KMP):

  • Time to Market (Both Platforms): 8 months → 3.5 months
  • Engineering Workforce: 2 teams → 1 team
  • Patients (First 90 Days): 0 → 10K

ROI

56% development cost savings vs. two native apps. Estimated $800K saved in year-one engineering costs. Single codebase means bug fixes and features ship to both platforms simultaneously — 50% faster iteration cycles. Series A funded based on the platform's technical differentiation and rapid market entry.

Why It Was Hard

HIPAA compliance touched every layer of the stack. Video calls needed SRTP + DTLS encryption. Local storage required AES-256. Audit logs for every PHI access. Biometric authentication with session timeouts. Each feature took 40% longer due to security requirements.

WebRTC on KMP was uncharted territory. The shared networking layer worked for REST APIs but video required platform-specific WebRTC implementations bridged through Kotlin/Native expect/actual declarations.

What We Learned

KMP's expect/actual pattern is elegant for platform-specific features. We achieved 87% code sharing despite WebRTC, biometrics, and push notifications all requiring native implementations. The shared business logic (FHIR, triage, encryption) was the real value—that's where bugs hide.

HIPAA compliance is a feature, not a constraint. Patients chose our app over competitors specifically because of visible security features (biometric lock, encryption indicators, audit trail access). Trust is the product.

FAQ

Why KMP instead of React Native?

KMP compiles to native code—no JavaScript bridge. Native performance for video calls and encryption. Critical for HIPAA: a smaller attack surface, since there is no bridge layer or JavaScript runtime to secure.

How is video quality on poor connections?

Adaptive bitrate (1080p → 720p → 480p → audio-only). Reconnection with session persistence—dropped calls resume without re-auth.

Is the app FDA-regulated?

Designed for HIPAA. 21 CFR Part 11 (electronic records/signatures) can be added as a module for clinical trial workflows.
