The temporary enforcement discretion that the HHS Office for Civil Rights issued on 17 March 2020 — allowing clinicians to use consumer video tools like FaceTime and Skype during the COVID-19 public health emergency — expired on 11 August 2023 after a 90-day transition. That date matters for supply chain reasons. It ended the period during which telehealth could be provided on tooling outside the usual HIPAA framework and returned the industry to the normal rule: any third-party software that transmits, stores, or processes electronic protected health information requires a business associate agreement and the underlying diligence that HIPAA's Privacy, Security, and Breach Notification rules require.
The telemedicine platforms that had scaled rapidly during the emergency were suddenly subject to the same scrutiny their in-person counterparts had lived with for two decades, but with a technology stack that was fundamentally different. Video SDKs from Zoom, Agora, Twilio, and Daily.co. Transcription services from AWS Transcribe Medical, Nuance, and Suki. Scheduling integrations with Google Calendar and Outlook. Mobile framework dependencies — React Native, Flutter, native iOS and Android — each bringing thousands of transitive packages into the critical path of a clinical encounter.
What telehealth software actually looks like
A telemedicine encounter is not a single application. It is a pipeline:
The patient opens a mobile app or web client. That client was built in React Native or Flutter with dependencies from npm or pub.dev. It calls into a video SDK that handles media negotiation and encryption.
The clinician opens a clinical workflow — often embedded in or alongside an EHR — that connects to the same video session. The clinician's view typically includes patient history retrieved from the EHR, scheduling data from a practice management system, and insurance eligibility from a clearinghouse.
The session itself streams audio and video. Many platforms now also stream the audio to a transcription service that generates a draft clinical note using a large language model fine-tuned on medical dialogue. That transcription pipeline is one of the newest additions to the stack and one of the least well-governed.
After the visit, documentation flows back into the EHR, billing codes are generated, and prescriptions are routed through ePrescribing networks like Surescripts.
Every stage of that pipeline has upstream software suppliers. A typical telehealth vendor has between 400 and 1,200 direct third-party dependencies in a production build, and the transitive graph stretches into the tens of thousands.
HIPAA, the Security Rule, and third-party software
The HIPAA Security Rule at 45 CFR §164.308(b) requires covered entities to obtain satisfactory assurances that business associates will safeguard ePHI, and §164.314(a) specifies that business associate contracts must establish permitted uses and require the business associate to implement administrative, physical, and technical safeguards. In practice, this has meant a BAA with every vendor who touches ePHI — Zoom Healthcare, Twilio, Nuance — and a SOC 2 report or HITRUST certification from those vendors.
The HHS OCR Notice of Proposed Rulemaking published 27 December 2024 would, if finalized, substantially expand the specificity of those obligations. The proposed rule would require written risk analyses that cover the full technology asset inventory, documented and enforced patching cadences, and specific attention to the supply chain dimension of vendor risk. OCR's resolution agreements through 2023 and 2024 — including the $4.75 million Montefiore Medical Center settlement in February 2024 — have increasingly cited inadequate vendor oversight as a contributing factor.
The SDK dependency problem
Video SDKs are the single most important supply chain component in a telemedicine platform, and they are also the most opaque. When Agora's React Native SDK updates, a typical telehealth vendor's application inherits whatever changes Agora has made to its underlying native libraries on iOS and Android. Those native libraries depend on the platform's WebRTC stack, which depends on a long list of media codecs and cryptographic primitives.
CVE-2023-7024, the WebRTC heap buffer overflow Google disclosed on 20 December 2023 and patched in Chrome 120.0.6099.129, affected every telehealth application that relied on Chromium-based WebRTC. Most vendors patched within days. Some did not realize they were affected for weeks because their SBOM did not resolve the WebRTC version actually compiled into their native SDK.
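The failure mode described above, an SBOM that lists the native video SDK but never resolves the WebRTC build compiled into it, is something a platform team can check for mechanically. The following is an added example, not code from the page's author or from any SDK vendor. It parses a constructed CycloneDX-style SBOM, walks the dependency graph transitively from the application root (the graph the earlier section says reaches into the tens of thousands in practice), and reports every reachable WebRTC component as patched, vulnerable, or unresolved. All component names, bom-refs and version strings are placeholders, and the "patched" baseline is an assumed value supplied by the caller rather than a real WebRTC fix version; mapping a native SDK's bundled WebRTC milestone to the relevant Chrome release is something the vendor has to provide.

```python
"""Walk a telehealth client's transitive dependency graph from a CycloneDX-style
SBOM and check whether the WebRTC build inside the native video SDK is resolved
and patched.

Added example (not the page's or any vendor's code). The SBOM is constructed;
all names, refs and versions are placeholders.
"""
import json
from collections import deque

# Constructed SBOM: the mobile app depends on a JS video SDK wrapper, which
# wraps a native SDK, which bundles a WebRTC build per platform. The Android
# WebRTC entry has an empty version, which is exactly the "SBOM did not resolve
# the WebRTC version" situation. 'old-codec' is present but not reachable.
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "telehealth-mobile", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "sdk-js", "name": "example-video-sdk-react-native", "version": "4.1.0"},
        {"bom-ref": "sdk-native", "name": "example-video-sdk-native", "version": "4.1.0"},
        {"bom-ref": "webrtc-ios", "name": "webrtc-m119", "version": "119.0.6045.0"},
        {"bom-ref": "webrtc-android", "name": "webrtc", "version": ""},
        {"bom-ref": "sched", "name": "calendar-client", "version": "2.0.0"},
        {"bom-ref": "unused", "name": "old-codec", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["sdk-js", "sched"]},
        {"ref": "sdk-js", "dependsOn": ["sdk-native"]},
        {"ref": "sdk-native", "dependsOn": ["webrtc-ios", "webrtc-android"]},
        {"ref": "sched", "dependsOn": []},
    ],
})


def parse_sbom(text):
    """Return (root_ref, components_by_ref, edges) from a CycloneDX JSON document."""
    doc = json.loads(text)
    comps = {c["bom-ref"]: c for c in doc["components"]}
    root = doc["metadata"]["component"]
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    return root["bom-ref"], comps, edges


def transitive_closure(root, edges):
    """Breadth-first walk over the dependency graph; returns the set of reachable refs."""
    seen, queue = {root}, deque([root])
    while queue:
        ref = queue.popleft()
        for dep in edges.get(ref, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def version_tuple(version):
    """Dotted numeric version -> tuple for ordering; non-numeric parts are skipped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def audit_webrtc(sbom_text, patched_version):
    """Classify every reachable WebRTC component as patched / vulnerable / unresolved.

    patched_version is an assumed baseline chosen by the caller (placeholder here).
    """
    root, comps, edges = parse_sbom(sbom_text)
    reachable = transitive_closure(root, edges)
    findings = []
    for ref in reachable:
        component = comps[ref]
        if "webrtc" not in component["name"].lower():
            continue
        version = component.get("version") or ""
        if not version:
            findings.append((ref, "unresolved"))   # SBOM never pinned the build
        elif version_tuple(version) < version_tuple(patched_version):
            findings.append((ref, "vulnerable"))
        else:
            findings.append((ref, "patched"))
    return {"total": len(comps), "reachable": len(reachable), "findings": sorted(findings)}


if __name__ == "__main__":
    # "120.0.0" is a constructed placeholder baseline, not a real fix version.
    print(audit_webrtc(CONSTRUCTED_SBOM, "120.0.0"))
```

An "unresolved" finding is the one to treat as a process defect rather than a vulnerability: it means the build pipeline cannot answer whether the platform was affected by a WebRTC advisory at all, which is the situation the text describes for vendors that took weeks to realize they were exposed.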
Transcription and the LLM supply chain
The rapid adoption of AI-generated clinical notes in telehealth — Nuance DAX, Abridge, Suki, Augmedix, and a growing list of newer entrants — has added a new layer to the supply chain that HIPAA's drafters did not contemplate. The audio of a clinical encounter is now routinely transmitted to a transcription service that passes it through a speech-to-text model and then to a large language model that generates structured documentation.
The BAA with the transcription vendor is the obvious control. Less obvious is the question of what the vendor's own supply chain looks like. Does the transcription vendor host the model in its own VPC? Does it use a third-party inference API like Anthropic or OpenAI? If it uses a third party, is there a BAA in place between the transcription vendor and the model provider? The answer varies, and in 2024 the industry began to take the question seriously enough that several large health systems started requiring sub-processor disclosure as part of BAA renewal.
The mobile application angle
Mobile telehealth clients have all the ordinary supply chain risks of any mobile application plus the specific risk that they are handling ePHI on an unmanaged device. React Native's ecosystem has had its share of malicious packages — Phylum and Socket both published IOCs for compromised npm packages targeting React Native developers during 2024 — and a telehealth platform whose mobile build pipeline is compromised could ship a tampered client to thousands of patients.
The controls that matter here are code signing, reproducible builds, and a policy that any new dependency in the mobile build requires human review. Several telehealth vendors have also moved to strict allowlists for native modules, treating each native binary as a supply chain artifact that must be independently verified.
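A build gate that enforces the two policies just described, human review for any new dependency and an allowlist of independently verified native modules, can be small. The following is an added example, not code from the page's author or from any telehealth vendor. It diffs the previous and current dependency manifests, blocks the build if a newly added package has no recorded review approval, and checks each native binary in the build against an allowlist of SHA-256 digests so that a module that is missing from the allowlist or whose bytes have changed fails the gate. The manifests, module contents and package names are constructed placeholders.

```python
"""Mobile build gate: new dependencies need human review, native modules must
match an allowlist of verified digests.

Added example (not the page's or any vendor's code). All manifests, module
bytes and names below are constructed placeholders.
"""
import hashlib

# Constructed dependency manifests for the previous and current build
# (package name -> pinned version), standing in for a lockfile.
PREVIOUS_DEPS = {
    "react-native": "0.74.1",
    "example-video-sdk-react-native": "4.1.0",
    "example-string-util": "1.0.0",
}
CURRENT_DEPS = {
    "react-native": "0.74.1",
    "example-video-sdk-react-native": "4.1.1",   # version bump, allowed
    "example-string-util": "1.0.0",
    "example-analytics-helper": "0.0.3",          # brand new, needs review
}

# Constructed native module contents; in a real build these are the .so /
# .framework bytes pulled from the SDK package.
NATIVE_MODULES = {
    "libexamplevideo.so": b"constructed native module bytes v4.1.1",
    "libtelemetry.so": b"constructed module nobody approved",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Allowlist: native binary name -> digest recorded when the module was reviewed.
NATIVE_ALLOWLIST = {
    "libexamplevideo.so": sha256_hex(b"constructed native module bytes v4.1.1"),
}


def diff_dependencies(previous, current):
    """Return (added, version_changes, removed) between two manifests."""
    added = {name: ver for name, ver in current.items() if name not in previous}
    changed = {name: (previous[name], ver) for name, ver in current.items()
               if name in previous and previous[name] != ver}
    removed = sorted(name for name in previous if name not in current)
    return added, changed, removed


def verify_native_modules(modules, allowlist):
    """Every native binary must be on the allowlist with a matching digest."""
    problems = []
    for name, data in modules.items():
        if name not in allowlist:
            problems.append((name, "not on allowlist"))
        elif sha256_hex(data) != allowlist[name]:
            problems.append((name, "digest mismatch"))
    return sorted(problems)


def build_gate(previous, current, modules, allowlist, approved_new):
    """Decide whether the build may ship. approved_new is the set of newly added
    package names whose human review has been recorded as complete."""
    added, changed, removed = diff_dependencies(previous, current)
    unreviewed = sorted(name for name in added if name not in approved_new)
    native_problems = verify_native_modules(modules, allowlist)
    return {
        "allow": not unreviewed and not native_problems,
        "unreviewed_new": unreviewed,
        "version_changes": changed,
        "removed": removed,
        "native_problems": native_problems,
    }


if __name__ == "__main__":
    print(build_gate(PREVIOUS_DEPS, CURRENT_DEPS, NATIVE_MODULES, NATIVE_ALLOWLIST, set()))
```

Version bumps of already-approved packages are reported but not blocked here; a stricter variant would re-run review when a major version changes. The digest comparison is what turns "native module" into a supply chain artifact in its own right: a module with the right file name but different bytes is rejected even if the package manager reported no change.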
What a compliance walkthrough looks like
A well-run telemedicine supply chain compliance program, circa late 2024, has the following in place. A maintained SBOM for the server-side platform, the web client, the iOS client, and the Android client, refreshed on every build. A vendor list that identifies every third party who touches ePHI, with BAAs in place and SOC 2 or HITRUST evidence on file. A vulnerability management cadence that patches critical issues in the customer-facing components within days and lower-severity issues on a published schedule. A risk analysis, updated at least annually, that explicitly addresses the supply chain dimension — video SDKs, transcription pipelines, mobile frameworks, EHR integrations.
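Two parts of the program above lend themselves to an automated check: the vendor list (every party that touches ePHI has a BAA and evidence on file, including the sub-processors raised in the transcription section) and the vulnerability management cadence (critical issues closed within days, lower severities on a published schedule). The following is an added example, not code from the page's author or from any vendor. It walks a constructed vendor register, following declared sub-processors recursively and flagging any party that touches ePHI without a BAA or evidence, or that a vendor names but the register does not know, and then evaluates a constructed list of open and closed findings against an assumed SLA table. The vendor names, the SLA day counts and the VULN-PLACEHOLDER identifiers are all placeholders.

```python
"""Compliance checks over a vendor register (BAA and evidence coverage through
sub-processors) and a vulnerability backlog (patch SLA by severity).

Added example (not the page's or any vendor's code). Vendor names, SLA values
and finding identifiers are constructed placeholders.
"""
from datetime import date

# Constructed vendor register. 'baa' means a BAA covering this party is on
# file; 'subprocessors' are the parties the vendor disclosed at BAA renewal.
VENDORS = {
    "video-sdk-vendor":     {"touches_ephi": True,  "baa": True,  "evidence": ["SOC 2"],
                             "subprocessors": ["cloud-host-a"]},
    "transcription-vendor": {"touches_ephi": True,  "baa": True,  "evidence": ["HITRUST"],
                             "subprocessors": ["llm-inference-api", "unknown-storage"]},
    "llm-inference-api":    {"touches_ephi": True,  "baa": False, "evidence": [],
                             "subprocessors": []},
    "cloud-host-a":         {"touches_ephi": True,  "baa": True,  "evidence": ["SOC 2"],
                             "subprocessors": []},
    "calendar-vendor":      {"touches_ephi": False, "baa": False, "evidence": [],
                             "subprocessors": []},
}

# Assumed published patch schedule: maximum days from disclosure to fix.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed findings; ids are placeholders, not real CVEs.
VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "component": "webrtc", "severity": "critical",
     "disclosed": date(2024, 11, 1), "fixed": date(2024, 11, 4)},
    {"id": "VULN-PLACEHOLDER-2", "component": "calendar-client", "severity": "high",
     "disclosed": date(2024, 10, 1), "fixed": None},
    {"id": "VULN-PLACEHOLDER-3", "component": "old-codec", "severity": "medium",
     "disclosed": date(2024, 11, 20), "fixed": None},
]


def vendor_gaps(vendors):
    """Walk every vendor and its disclosed sub-processors; return sorted gaps."""
    gaps = set()

    def walk(name, path):
        entry = vendors.get(name)
        if entry is None:
            gaps.add((name, "undisclosed: not in register"))
            return
        if entry["touches_ephi"]:
            if not entry["baa"]:
                gaps.add((name, "no BAA"))
            if not entry["evidence"]:
                gaps.add((name, "no SOC 2/HITRUST evidence"))
        for sub in entry["subprocessors"]:
            if sub not in path:            # guard against circular disclosures
                walk(sub, path + [name])

    for vendor in vendors:
        walk(vendor, [])
    return sorted(gaps)


def sla_breaches(vulns, sla_days, today):
    """Findings fixed after their SLA, or still open past it as of 'today'."""
    breaches = []
    for v in vulns:
        end = v["fixed"] or today
        if (end - v["disclosed"]).days > sla_days[v["severity"]]:
            breaches.append((v["id"], "fixed late" if v["fixed"] else "open past SLA"))
    return breaches


def compliance_report(vendors, vulns, today):
    return {"vendor_gaps": vendor_gaps(vendors),
            "sla_breaches": sla_breaches(vulns, SLA_DAYS, today)}


if __name__ == "__main__":
    print(compliance_report(VENDORS, VULNS, date(2024, 12, 1)))
```

The recursive walk is the point of the sub-processor requirement: a transcription vendor with a BAA and HITRUST evidence still leaves a gap if the inference API it discloses has no BAA of its own, and a sub-processor the vendor names but the register has never assessed shows up as "undisclosed" rather than silently passing.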
How Safeguard Helps
Safeguard provides the technology asset inventory and SBOM coverage that the updated HIPAA Security Rule NPRM will require, with reachability analysis that isolates the CVEs actually exercised by your telehealth application code — distinguishing, for example, a WebRTC vulnerability that is called on every video session from one that exists in an unused codec path. Griffin AI monitors your video SDK, transcription vendor, and mobile dependency graph for newly disclosed issues and surfaces the affected code paths in minutes. Our TPRM module captures BAAs, SOC 2 reports, and sub-processor disclosures from Zoom Healthcare, Nuance, Twilio, and the rest of your telehealth vendor list in a single compliance workspace. Policy gates prevent a build from shipping to patients' phones if it would regress the supply chain posture documented in your OCR risk analysis.