TURN Servers for Telehealth

In telehealth, a failed call is a failed visit

The patient logs in at 9:00am for a scheduled video visit. Their network — a hospital corporate Wi-Fi, a clinic guest network, a rural ISP behind carrier-grade NAT — silently blocks the WebRTC media path. The provider's screen says "connecting…" forever. The visit is rebooked. Reimbursement is delayed. Patient satisfaction tanks.

A correctly configured TURN server with TCP and TLS-443 fallbacks rescues these visits at the cost of a small added relay hop. Every serious telehealth platform deploys one. The question is who pays for the bandwidth.

What ExpressTURN gives a telehealth team

• UDP, TCP, and TURN-over-TLS on 3478 / 80 / 443. The 443 TLS path traverses essentially every hospital, clinic, and corporate firewall.
• End-to-end DTLS-SRTP encryption preserved — the TURN relay only forwards opaque encrypted packets.
• 20+ global regions for low added latency.
• Premium adds shared-secret authentication so each visit gets a fresh, time-limited credential — clean rotation, no static password in your client bundle.
• $9/month for 5 TB — orders of magnitude cheaper than Twilio Network Traversal at telehealth volumes.

Privacy posture

WebRTC encrypts media end-to-end with DTLS-SRTP between the patient and provider browsers. The TURN server cannot decrypt it; it only forwards already-encrypted packets. Under HIPAA, services that act purely as a conduit for already-encrypted PHI in transit are typically not considered to handle PHI in a way that requires a Business Associate Agreement. Most telehealth architectures explicitly treat TURN providers as conduits.

We do not offer signed BAAs. If your compliance team requires one for any vendor that touches packet flow, you should self-host coturn or use a vendor that does sign BAAs. For most telehealth platforms — especially those running an SFU or browser peer-to-peer model — the conduit framing is well-established.

Drop-in browser configuration

const pc = new RTCPeerConnection({
  iceServers: [
    { urls: 'stun:stun.expressturn.com:3478' },
    {
      urls: [
        'turn:relay1.expressturn.com:3478?transport=udp',
        'turn:relay1.expressturn.com:3478?transport=tcp',
        'turns:relay1.expressturn.com:443?transport=tcp'
      ],
      username: 'YOUR_EXPRESSTURN_USERNAME',
      credential: 'YOUR_EXPRESSTURN_PASSWORD'
    }
  ],
  iceTransportPolicy: 'all'
});

Bandwidth math for telehealth

• Standard 720p video visit at 1.5 Mbps relayed: ~675 MB/hour both directions combined.
• A typical 20-minute telehealth visit relayed: ~225 MB.
• Free 1 TB plan: ~4,400 fully-relayed visits/month.
• Premium 5 TB plan: ~22,000 fully-relayed visits/month.

And only the visits where TURN is actually needed consume relay bandwidth. The rest connect directly.

FAQ

Is the media relayed through TURN encrypted?

Yes. WebRTC media is end-to-end encrypted with DTLS-SRTP between the two peers. The TURN server only relays already-encrypted packets and cannot decrypt them.

Is ExpressTURN HIPAA compliant?

TURN only relays opaque DTLS-SRTP packets and never sees PHI. Most telehealth platforms architect their stack so the TURN provider is a conduit, where a BAA is generally not required. Consult your compliance team.

Will calls connect through hospital and corporate firewalls?

Yes. The 443 TLS path traverses essentially every restrictive firewall, including hospital networks.

Why not just use Twilio's TURN service?

Twilio Network Traversal is metered at roughly $0.40/GB. A 20-minute relayed telehealth visit is ~225 MB ≈ $0.09 of Twilio bandwidth. Hit a few thousand visits and ExpressTURN's $9 flat is 90%+ cheaper.

Related: TURN for VoIP · TURN for live streaming · vs Twilio Network Traversal