Telehealth and Regulatory Compliance

May 15, 2026

Healthcare is the most highly regulated industry, and while telehealth offers flexibility that traditional healthcare settings do not, regulatory compliance offers no such flexibility. All healthcare providers must comply with every applicable regulation unless an exception applies. Compliance can be tricky for any provider, but it is especially tricky for telehealth providers, because telehealth services cross geographic boundaries and involve both federal and state regulations, and violations can have serious ramifications. Below are a few regulatory compliance considerations for telehealth providers.

Prescribing Restrictions

Prescribing non-controlled medications is generally permitted via telehealth if the provider complies with state law, establishes a valid provider-patient relationship, and documents medical necessity. Compliance becomes more crucial, however, when it comes to prescribing controlled substances. The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 requires an in-person medical evaluation before a clinician can prescribe controlled substances via telemedicine, with only narrow statutory exceptions for the “practice of telemedicine.” During the COVID-19 public health emergency, DEA-registered clinicians were allowed to prescribe Schedule II–V medications via telemedicine without first conducting an in-person medical evaluation. The COVID-era framework has been extended to continue these temporary flexibilities, and the provisions remain in place through December 31, 2026. It is important, however, to keep an eye on any future changes.

HIPAA and Telehealth

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of patients’ health information. Telehealth providers must follow the same HIPAA rules as in-person healthcare providers to protect patient privacy and keep medical information secure. Because telehealth involves sharing sensitive health data over the internet, providers need to take extra steps to prevent unauthorized access, breaches, or accidental disclosure.

HIPAA compliance in telehealth mainly focuses on protecting electronic protected health information (ePHI). This includes any video calls, messages, medical records, or prescriptions shared through digital platforms. Providers are required to use secure systems and follow strict privacy and security standards when communicating with patients.

Corporate Practice of Medicine

Telehealth services are often delivered through partnerships between healthcare providers and technology companies, but these arrangements can create legal risks under the Corporate Practice of Medicine (CPM) doctrine. The CPM doctrine is a set of state laws that generally prohibit non-physicians or non-clinical businesses from owning, controlling, or directing medical practices or influencing clinical decision-making. It is designed to ensure that only licensed medical professionals make patient care decisions. Risks arise when a technology company exerts control over clinical judgment, when payment structures involve fee-splitting with non-clinical entities, or when non-physicians effectively own or operate medical practices in states that restrict such arrangements. Additional concerns include marketing or referral arrangements that resemble patient brokering.

Billing and Reimbursement Compliance

Telehealth reimbursement varies widely across payers, with Medicare, Medicaid, and private insurers each applying different rules for eligible services, originating sites, documentation standards, and delivery modalities. This creates compliance challenges for providers, who must carefully follow payer-specific billing requirements to ensure proper payment. Common reimbursement pitfalls include incorrectly billing telehealth codes, failing to apply required modifiers, or submitting claims for audio-only visits when video is required. Providers may also mistakenly bill telehealth for services not covered under a specific payer’s policy or fail to accurately document time-based services, which can lead to claim denials or audits. In addition, some payers require real-time video interaction for reimbursement, while others allow limited audio-only services under specific conditions. These complexities increase the risk of fraud and abuse allegations: because telehealth billing rules are often intricate, rapidly changing, and inconsistently enforced across payers, even unintentional errors, such as incorrect coding, missing documentation, or billing for services that do not meet coverage criteria, can be interpreted as false claims. Federal agencies, including the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG), have increased oversight of telehealth due to its rapid expansion and higher potential for misuse.

Reducing Compliance Risk

While it can be tricky for telehealth providers to comply with healthcare regulations, there are some steps that providers can take to reduce risk:

Audit billing and coding: Routinely review claims for correct telehealth modifiers, place-of-service codes, and medical necessity documentation.

Create clear telehealth policies: Maintain written procedures for emergencies, prescribing rules, and cross-state care to reduce legal exposure.

Document thoroughly: Record consent, patient identity verification, treatment decisions, and follow-up instructions clearly in every visit.

Implement strong data security: Use encryption, multi-factor authentication, and strict access controls to protect patient information.

Use compliant platforms: Only rely on HIPAA-compliant telehealth software with signed Business Associate Agreements (BAAs).

Provide regular staff training: Ongoing education on privacy rules, billing standards, and telehealth protocols helps prevent violations.

An experienced healthcare regulation attorney can identify potential risks and noncompliance and recommend policies and procedures for telehealth providers to implement.

What’s On The Horizon For Telehealth Regulations

Perhaps the most complex aspect of regulatory compliance for telehealth providers is that the regulations have not stayed the same. During the COVID-19 public health emergency, many restrictions were temporarily waived, allowing providers to treat patients across state lines, prescribe controlled substances more freely, and use consumer-friendly communication platforms. As those emergency waivers expired, regulators began replacing temporary flexibility with more permanent rules. Providers must now operate in a “hybrid” regulatory environment, where some telehealth accommodations remain while others have tightened. The result is a compliance landscape in which providers must continually monitor ongoing changes.

Reach Out to an Experienced Telehealth Healthcare Law Attorney

While telehealth offers major benefits for patients and providers, it also entails complex legal requirements that must be carefully followed. Telehealth regulations are evolving quickly, which creates compliance risks for providers who do not keep up with new federal, state, and payer rules. Telehealth providers who build strong compliance processes can grow their telehealth services with far less risk. An experienced healthcare law attorney who understands telehealth can help providers implement these processes and ensure strong compliance. Contact us today to discuss.

We Look Forward to Working With You