Residency Advisor
You’ve just signed your first payer contract for your virtual care startup. The deck looks slick, the product demo lands, investors are nodding, and engineering is already talking “scalability.” Then someone casually asks on a call:
“Just to confirm—your clinicians are licensed and credentialed for all the states in your coverage map, right?”
There’s a pause.
Someone says, “Yeah, we’re working on that.”
This is the moment where a lot of telehealth startups quietly start dying. Not from bad tech. Not from lack of demand. From credentialing and licensing mistakes that could have been prevented with two weeks of boring, unsexy work.
You’re post‑residency, or you’ve left a traditional job to build something better. Good. But if you underestimate the regulatory plumbing behind “seeing patients online,” you will either:
- Stall out for 12–18 months fighting fires
- Or get big enough to attract regulators and payers—then pay for your early shortcuts with audits, clawbacks, and public embarrassment
Let’s walk through the traps that sink virtual care startups and how to avoid being the next cautionary tale.
1. Treating “Telehealth” Like a Single Jurisdiction
The laziest—and most common—mistake: acting like “I’m doing telehealth” is some special zone where state rules soften and everyone just vibes.
No. Telehealth is practice of medicine. State by state. One by one. Every time.
I’ve watched founders pitch: “We’ll launch in all 50 states next quarter.” Then I ask: “How many states are your clinicians currently licensed in?” They say: “Two. But it’s telemedicine, so…”
That “so” is how you get:
- State board letters
- Emergency cease‑and‑desist orders
- Hospital partners quietly backing away
Key landmines:
Assuming your home state license covers “outbound” telehealth
If you’re sitting in New York seeing a patient in Texas, whose rules matter? Texas. The patient location is king. Almost every state treats it that way.Misreading compacts as free passes
Interstate Medical Licensure Compact (IMLC) helps. It does not magically grant you 30 licenses overnight. It just streamlines the process for eligible physicians. You still file. You still pay. You still get tracked.Ignoring allied health rules
Nurse practitioners, PAs, psychologists, PTs—each has their own state practice acts, supervisory rules, and sometimes their own compacts (like PSYPACT). Startups love to optimize physician coverage and completely forget NP/APRN rules until a board complaint shows up.
Do not plan “all 50 states” until you have:
- A prioritized state expansion roadmap
- A licensing budget and timeline that a sober compliance person has reviewed
- Clear rules per state on who can do what (MD, DO, NP, PA, etc.)
If your Gantt chart shows “national launch” before “licenses obtained,” your timeline is a fantasy document.
2. Confusing Licensing with Credentialing (They Are Not the Same)
Another classic faceplant: teams using “licensed” and “credentialed” interchangeably.
Licensing = legal permission to practice in a jurisdiction (state medical board, nursing board).
Credentialing = process by which payers, hospitals, or networks verify you’re who you say you are and approve you to bill or work there.
You can be:
- Licensed but not credentialed (most common startup failure mode)
- Credentialed at one hospital but not another
- Credentialed by one payer and totally unknown to the next
I’ve seen startups sign a contract with a major payer, then launch visits and bill for months before realizing: none of their clinicians were actually credentialed with that plan. Claims went out under the company’s NPI, or under a single “medical director’s” NPI as a workaround.
Result: massive overpayment and fraud risk. Payer audits. Recoupment. Sometimes repayment of every claim for a year.
Here’s the nasty part: payer credentialing is slow. 60–120 days is common. Longer if your paperwork is incomplete or you’re onboarding dozens of clinicians.
Build this into your operational model:
- New clinician → license check → primary source verification → application for payer credentialing → only then allowed to see covered patients for that payer.
- No exceptions because “we’re a startup” or “it’s just a pilot.”
If anyone on your team says “We’ll just bill under X while we wait,” that’s a red flag. Stop and ask your healthcare regulatory counsel if that’s legal. Often, it is not.
3. “We’ll Just Use One Medical Director’s License”
This is the shortcut I see over and over from VC‑backed telehealth darlings that grow too fast.
The scammy version looks like:
- One physician (medical director) licensed in a bunch of states
- Dozens of NPs or other clinicians “seeing” patients “under their license”
- Clinical encounters documented by non‑licensed personnel or non‑credentialed foreign doctors
- Prescriptions or attestations signed off by the medical director after the fact
Boards love these cases. Because they’re basically handing them easy enforcement victories.
You cannot “rent out” one doctor’s license to cover an army. Scope of practice, supervision, collaboration agreements—these are real legal constructs, not vibes. Each state has rules about:
- How many clinicians one supervising physician can oversee
- What tasks can be delegated
- Whether supervision must be direct, indirect, or chart review–based
- Whether virtual supervision counts
If your entire business model requires one MD “covering” 200 NPs across 18 states, that is not a scalable model. That is an enforcement time bomb.
| Category | Value |
|---|---|
| Each clinician individually licensed | 10 |
| Reasonable MD-to-NP ratios per state rules | 25 |
| One MD covering dozens of NPs | 70 |
| One MD covering 100+ clinicians across many states | 95 |
The higher the ratio and the more states involved, the more you’re begging for scrutiny.
4. Sloppy Provider Data and CAQH Neglect
This one feels boring. It will wreck you if you ignore it.
Credentialing runs on data. NPI numbers, DEA numbers, state licenses, malpractice coverage, work history, gaps in employment, hospital affiliations, board certifications. CAQH (for physicians and some other clinicians) is the single source many payers pull from.
The mistakes:
- Letting clinicians maintain their own CAQH profiles with no oversight
- Not setting reminders for license/DEA expirations
- Not tracking which payer contracts each clinician is actually approved under
- Onboarding clinicians without background checks or primary source verification
You end up with:
- Expired licenses you didn’t notice
- Wrong addresses and practice locations on file
- Payers denying claims because the provider never got fully enrolled
- Audits where your “provider roster” does not match what payers have on file
Have one person (or a small team) own this centrally. This is not something you toss to an overworked practice manager “for now.” At scale, you need:
- A master provider database
- Credentialing software or at least decent spreadsheets with real version control
- License and certification expiration tracking with alerts
If your first instinct is “we’ll fix data quality later,” you are building a credentialing swamp that will be impossible to drain once you hit 50+ clinicians.
5. Underestimating Timeline and Cost of Multi‑State Licensing
Founders love aggressive launch timelines. State boards do not care.
You’re post‑residency, you’re used to bureaucracy, but you still might be thinking like an individual physician, not like an organization trying to license 30+ people across 10–15 states at once.
Reality:
- Some states are quick (2–4 weeks)
- Some are brutally slow (4–6 months, or more if they want more information)
- Some require in‑person fingerprinting
- Some charge high fees and want primary source verification on everything
And if you have even one documentation issue—a missing transcript, an unexplained training gap, an old board complaint—your application goes into the pile that never moves.
| State | Typical Processing Time | Notes |
|---|---|---|
| Texas | 3–4 months | Intensive documentation |
| California | 3–6 months | Slow, heavy verification |
| Florida | 2–3 months | Faster if clean history |
| Colorado | 4–8 weeks | Relatively efficient |
| Washington | 2–3 months | Extra checks for telehealth |
If your pitch deck shows “Q2: launch in 20 states,” and you haven’t even started applications, investors who know this space will quietly mark you as naïve.
Do this instead:
- Pick 3–5 core states as your Phase 1 (based on demand, payer mix, and clinician availability)
- Start licensing for Phase 2 states early, understanding it’s a 6–12+ month process at scale
- Budget real money for licensing fees and legal review
Do not hinge revenue projections on “everyone being licensed by X date.” That’s a fantasy.
6. Playing Games with Where Your “Practice” Is Located
This one’s subtle and dangerous.
Many telehealth startups think: “We’ll incorporate in a friendly state, run everything from there, and treat that as our practice location.”
But states care less about your corporate registration and more about:
- Where the clinician is physically located
- Where the patient is located
- Where the clinical relationship is deemed to occur
If you have:
- A Delaware C‑corp
- Clinicians physically living in New York
- Patients in Texas, Florida, and Ohio
You do not have a “Delaware‑only” practice. You are practicing medicine (or nursing, or behavioral health) in every patient’s state. Those state boards will be your primary headache, not Delaware.
What you cannot safely do:
- Use a shell “clinic address” in one state while actively marketing and treating patients in others without the right licenses
- Pretend “it’s just asynchronous care” so state rules somehow don’t apply to you
- Assume “we aren’t prescribing controlled substances” means you can loosen everything else
If a board or AG office wants to make an example of a telemedicine company, jurisdiction games are the first thread they pull.
7. Ignoring Hospital Credentialing When You Add “Hospital‑Level” Services
A lot of virtual care companies start simple: low‑acuity urgent care, mental health follow‑ups, chronic disease management.
Then someone suggests: “Let’s do virtual hospital at home” or “Let’s partner with hospitals for ED follow‑up consults.”
Now you’ve triggered a completely different domain: hospital credentialing and privileging.
Hospitals generally require:
- Formal medical staff credentialing
- Privileges granted by their medical staff office
- Peer references, case logs, sometimes in‑person or live video interviews
- Ongoing FPPE/OPPE (focused and ongoing professional practice evaluation)
You cannot just pipe your telehealth docs into a hospital’s EMR and call it “coverage.”
If you skip this or try to “operate under the hospital’s umbrella” without formal credentialing, you’re risking:
- Violating Joint Commission or DNV standards
- Jeopardizing the hospital’s accreditation
- Exposing both you and the hospital to malpractice risk with weak oversight
Before you offer any service that sounds like “hospital‑level care,” get a list (in writing) of credentialing requirements from every participating facility. Do not assume they’ll bend the rules because “it’s innovative.”
8. Failing to Match Scope of Practice to Service Design
I’ve seen startups design a service they want (e.g., nationwide ADHD diagnosis via NPs only, no physician involvement), then only later ask, “Can we legally do that everywhere?”
You should flip that.
Scope of practice rules dictate:
- Whether NPs can practice independently
- What supervision PAs need
- Whether certain diagnoses or procedures must involve a physician
- Whether prescribing authority is limited
You can’t design a totally standardized clinical model across 50 states and then ignore that half of them restrict NP independence or PA prescribing.
| Step | Description |
|---|---|
| Step 1 | Design Clinical Service |
| Step 2 | Identify Professions Involved |
| Step 3 | Map State Scope Rules |
| Step 4 | Proceed With Uniform Protocol |
| Step 5 | Adjust Staffing or State List |
| Step 6 | Limit States or Add MD Coverage |
| Step 7 | Conflicts With Model? |
Bad pattern:
“Let’s sell the same service everywhere and handle legal later.”
Better pattern:
“Here’s our ideal model. Where is it fully legal? Where does it need modifications? Where is it simply not viable?”
If your clinical service depends heavily on NPs or PAs, and you don’t have a state‑by‑state scope map, you’re flying blind.
9. Credentialing as a One‑Time Project Instead of an Ongoing System
Founders often treat credentialing and licensing like a big checklist you power through at launch. Then you move on to “real work.”
That’s how you wake up one day with:
- Expired licenses in key states
- Lapsed malpractice for some clinicians
- Clinicians who changed their names, addresses, or board certifications and no one updated payers
- New service lines launched without adding them to existing payer contracts
Credentialing and licensing are not startup chores. They are permanent infrastructure.
You need:
- Policies and procedures for onboarding and offboarding clinicians
- Regular internal audits of license status, malpractice coverage, and payer rosters
- A clear owner for “provider lifecycle management”
If there’s no single person in your org who can, today, produce an accurate list of:
- Every clinician
- Every state license they hold with expiration dates
- Every payer they’re credentialed with
…you’re already in the danger zone.
10. Pretending Legal/Compliance Is Optional “Overhead”
Let me be blunt: if your only “compliance resource” is a generalist startup lawyer who “has a few health tech clients,” you are under‑protected.
Telehealth is one of the highest‑risk areas in healthcare law right now: cross‑state practice, prescribing, corporate practice of medicine, fee‑splitting, kickbacks, privacy, and on and on.
Common startup delusion:
“We’ll move fast now and bring in heavy compliance later, once we have traction.”
I have seen this. Over and over. “Later” usually arrives as:
- An inquiry letter from a state board or AG
- A payer post‑payment review notice
- A DEA or pharmacy board investigation for prescribing practices
At that point, you’re negotiating from a position of weakness. Your documentation is messy, your policies are back‑dated (and they can tell), and your credibility is already damaged.
You do not need a full‑time general counsel on day one. But you do need:
- A healthcare regulatory lawyer who actually lives in this world
- Someone operationally responsible (not just a lawyer) for turning legal advice into policies, workflows, and checks
If your budget reserves six figures for brand and UI/UX and almost nothing for legal/compliance, your priorities are upside down.
11. Red Flags That You’re Already in Trouble
If you’re reading this and thinking, “We’re probably fine,” pause and actually check.
Go look for these red flags in your current operation:
- Billing payers for visits where the performing provider isn’t credentialed with that payer
- Using one clinician’s NPI as a “billing shell” for work done by uncredentialed clinicians
- Clinicians seeing patients in states where they either have no license or only a pending license
- No centralized system to track license, DEA, and malpractice expirations
- Service lines that rely on NPs or PAs doing things that might exceed their scope in certain states
- No written supervision/collaboration agreements where required by law
- No regular internal audits of claims vs. credentialing records
If you find more than one, do not hand‑wave it away as “growing pains.” These are the exact issues regulators, boards, and payers nail virtual care companies for.
| Category | Value |
|---|---|
| Out-of-state practice | 80 |
| Uncredentialed billing | 65 |
| Expired licenses | 50 |
| Scope of practice violations | 45 |
| Single MD covering many NPs | 30 |
Those percentages are not from a specific dataset, but they reflect what keeps coming up in investigations and enforcement actions I’ve seen.
12. What To Put in Place So You Don’t Become a Cautionary Tale
This isn’t about perfection. It’s about being disciplined where most startups are lazy.
Minimum viable protection:
State map
Clear, written list of:- Where you’re actually live
- Which services are offered in each state
- What licenses and scopes are used in each
Provider roster
Central, accurate database of:- Every clinician
- Licenses (state, expiration)
- DEA numbers
- Payer credentialing status
Credentialing playbook
Step‑by‑step workflows for:- Onboarding (from offer letter to first patient)
- Offboarding (so terminated clinicians don’t stay active in payers/hospitals)
- Ongoing monitoring (expirations, sanctions, board actions)
Legal/compliance partner
Not just a name to put on slides. Someone who has already killed bad ideas for you. If your legal counsel has never once told you “No, you can’t do that,” you don’t have a real partner.Realistic expansion plan
Multi‑state rollout that’s built around:- Actual licensing timelines
- Credentialing lead times
- Staffing realities
If your idea of “compliance” is a one‑page policy you downloaded from a friend’s startup, you’re not ready for payer contracts or scale.
FAQ (Exactly 3 Questions)
1. Can we start seeing cash‑pay patients before all the licensing and credentialing is complete?
You cannot “cash‑pay” your way out of licensing requirements. State medical and nursing boards don’t care who pays the bill. If the patient is in their state, you need to comply with that state’s practice laws. Credentialing is different—you don’t need payer credentialing for pure cash‑pay, but you still need valid licenses, scope compliance, and malpractice coverage. If you’re seeing patients in states where your clinicians are not licensed, you’re already off the rails, regardless of payer involvement.
2. Is it ever legal to bill under one supervising physician’s NPI for work done by others?
Sometimes, but in very specific, tightly regulated contexts (for example, certain “incident to” billing under Medicare in brick‑and‑mortar practices with strict supervision rules). Virtual care complicates this significantly. Many telehealth startups wildly misapply these concepts, using one NPI as a catch‑all billing shell. That’s how you get fraud allegations and recoupments. You need payer‑specific, state‑specific guidance before doing anything like this. If your billing team can’t clearly explain the regulatory basis for your model, don’t use it.
3. We already launched and now realize some clinicians saw patients in states where they weren’t licensed. What should we do?
Do not just quietly fix it and hope no one notices. First, stop the offending practice immediately. Second, quantify scope: which clinicians, how many visits, which states, what time period. Then talk to healthcare regulatory counsel about remediation. Options might include self‑disclosure to payers, internal corrective action plans, and in some cases proactive communication with boards. Trying to bury past non‑compliance usually makes things worse when (not if) it surfaces.
Open whatever document you use for operations right now and make a simple list: every state you’re currently seeing patients in, and for each one, which clinicians are actually licensed and credentialed there. If you can’t complete that list easily—or you do and it looks ugly—that’s your signal to fix this before you scale another inch.
