Privacy-preserving Telemedicine Sample App
Open-source on-prem telemedicine sample app. On-device video segmentation and blur before transmission. HIPAA, GDPR, and EHDS-aware reference architecture.

This is an open-source, on-prem telemedicine sample app with privacy by design built in. The video stream is segmented and selectively blurred (face, background, or both) on the patient's device, before it leaves the phone. The server never sees an unblurred frame. Life Value publishes and maintains it as a reference architecture for HIPAA, GDPR, and EHDS-aware telemedicine. The source repository is on GitHub at github.com/LifeValue/privacy-preserving-telemedicine.
This is a sample app, not a production telemedicine product. It demonstrates the architecture end to end. A production deployment requires your own threat model, clinical-grade SLAs, audit logging, and a HIPAA / GDPR / MDR programme.
The problem
Most telemedicine apps transmit unblurred video over the wire and rely on TLS plus server-side policy for privacy. That model is fragile. Every server in the path, the SFU, the recording server, the analytics tap, the cloud provider, the CDN, is a potential leak vector. A misconfigured S3 bucket has put unblurred patient video on the public internet more than once in the last five years.
On-device segmentation and blur, applied before transmission, is the architecturally honest pattern. The server only ever receives the privacy-preserved stream. The patient's face, the patient's home, the children behind the patient, none of it ever leaves the device unblurred. The blur is structural, not policy-dependent.
What the sample app demonstrates
- On-device face and background segmentation using MediaPipe Selfie Segmentation (Google) on Android and Apple Vision Person Segmentation on iOS, with platform-appropriate fallbacks.
- Real-time blur applied to the segmented region. Background blur for the typical use case, full-face blur for the privacy-extreme mode.
- Optional voice-only mode. Blur everything and transmit voice plus a static avatar, for therapy and counselling sessions where visual privacy is mandatory.
- WebRTC transport for the resulting privacy-preserved stream, with sample server setup using LiveKit (or a similar SFU you choose).
- On-prem deployment documentation. The sample server runs on a single VM or a Kubernetes cluster you control. No third-party SFU required.
- Threat model documentation. What the architecture protects against, and what it does not.
The five blur modes
| Mode | What is blurred | Use case |
|---|---|---|
| Background only | Everything behind the patient | Standard telehealth consultation, patient visible to the clinician |
| Face only | Patient's face. Background visible. | Demonstrating injury, wound, or posture without identifying the patient |
| Background plus face | Both | Anonymous consultation, mental-health screening, sensitive scenarios |
| Voice-only | All video | Therapy and counselling where visual privacy is mandatory |
| Private-parts-only blur | Genitals, breasts, and other private regions auto-detected | Dermatology, OBGYN, and urology consultations. Keeps the clinically relevant area visible while masking the rest. |
Architectural pattern
The data flow is intentionally one-directional in terms of privacy. Original video on the patient's device, on-device segmentation model, blur, encoded H.264 or VP9 stream, WebRTC transport, SFU you control, clinician's device. The original unblurred frame never crosses the device boundary. If the server is compromised, an attacker sees the same privacy-preserved frames the clinician sees, not the raw video.
Why on-prem matters
An on-prem SFU keeps the privacy-preserved video inside your network perimeter. A SaaS SFU (Twilio Video, Daily.co, Zoom SDK) still receives your stream. Even though it is privacy-preserved, your data-processing agreement becomes simpler if you do not need a SaaS BAA at all. For healthcare in Germany under §75c SGB V, Italy's Garante framework, or stricter US health-system contracts, on-prem may be required.
Stack and requirements
| Languages | Dart (Flutter front-end), Swift and Kotlin (platform-specific ML), Go or Node (sample server) |
|---|---|
| ML models | MediaPipe Selfie Segmentation (Android), Apple Vision Person Segmentation (iOS), with auto-fallback per device capability |
| Real-time transport | WebRTC via flutter_webrtc |
| Sample SFU | LiveKit (open-source, on-prem-deployable). Alternatives documented: Janus, Mediasoup, Pion. |
| Distribution | github.com/LifeValue/privacy-preserving-telemedicine |
| Licence | MIT |
Compliance posture
| HIPAA Security Rule §164.312(e)(1). Transmission security. | Stronger than the standard requires. The transmitted frames are already privacy-preserved by structure. |
|---|---|
| HIPAA §164.308(a)(1). Risk analysis. | Sample documents include a threat-model walkthrough you can adapt to your own risk assessment. |
| GDPR Article 25. Privacy by design. | Explicit reference architecture. The blur is the data-minimisation default, not a policy add-on. |
| GDPR Article 32. Security of processing. | Encryption in transit plus privacy-preserving encoding before transmission. |
| EHDS. Cross-border telemedicine. | The sample server can run inside a single EU jurisdiction, addressing data-residency concerns for cross-border telemedicine programmes. |
| Note | This is a sample app, not a production-ready product. It demonstrates the architecture. A production deployment needs your own threat model, BAA and DPA chain, penetration testing, audit logging, and the rest of the standard healthcare-security programme. |
Frequently asked questions
Is this a production telemedicine product?
No. This is a reference architecture and sample app. It demonstrates the on-device blur pattern from the device camera through to the clinician's screen. A production deployment requires your own threat model, your own clinical-grade SLAs, your own audit logging, and a HIPAA, GDPR, or MDR programme. Life Value can build the production version with you under a delivery engagement, but the sample app is for evaluation and learning.
Does the blur work in real time?
Yes. MediaPipe Selfie Segmentation runs at 30 frames per second or higher on mid-tier 2023 phones (Pixel 6, iPhone 12, Samsung A53). Older devices fall back to a lower-resolution segmentation that maintains 24 frames per second. The sample app benchmarks per-device performance and adjusts.
How accurate is the segmentation?
Mature for human-versus-background segmentation. The public models reach 95 percent or higher IoU on standard test sets. Body-region segmentation (private-parts mode) is less mature and ships as an experimental mode in the sample app, with explicit documentation that production deployments need their own validation against the specific clinical workflow.
Can I deploy this on my own server?
Yes. The sample SFU is LiveKit, which runs on a single VM or a Kubernetes cluster you control. Setup instructions are in the GitHub repository. Total infrastructure cost for a small pilot is roughly EUR 30 to 50 per month at standard cloud rates.
Does this work with my existing EHR?
The sample app is transport-agnostic on the EHR side. The telemedicine session itself does not touch the EHR. Pre-session and post-session note-taking, scheduling, and clinical documentation are separate concerns that integrate with your EHR through SMART on FHIR or an HL7 v2 channel.
What about recording?
The sample app does not record. Recording introduces a whole new compliance surface. Patient consent, retention policy, encryption at rest, e-discovery, breach scope. If you need recording, build it as a separate engagement. Do not bolt it onto the sample app.
Why we built it
Telemedicine has been the standard mode of follow-up consultation since 2020. The architectural defaults around privacy have not caught up. Most apps still transmit identifying video to a SaaS SFU and trust the SaaS provider's security posture. That trust model is fragile and increasingly unacceptable for sensitive consultations. Mental health, OBGYN, dermatology, paediatric. Life Value open-sourced the alternative pattern. Anyone can fork it and ship a serious telemedicine app with privacy as the structural default.
Get the sample app and deployment guide
Submit your name and email through the form at the bottom of this page. Life Value will send you the GitHub repository (Flutter app plus sample server config), the on-prem deployment guide PDF, the threat-model walkthrough, and a short demo video showing the blur modes in action. The repository is also public at github.com/LifeValue/privacy-preserving-telemedicine.
Last reviewed: 30 May 2026.
Resources built for healthcare innovators
From deep-dive research to practical frameworks, explore a growing collection of resources that empower healthcare leaders to make informed decisions.



.webp)
.webp)
.webp)
.webp)









