Residency Advisor
The biggest threat to your telemedicine startup is not competition. It is preventable compliance failure.
You can be brilliant clinically and still blow up your company with one sloppy workflow, one unchecked checkbox in your EHR, or one “we’ll fix that later” attitude toward regulations. I have seen telehealth ventures stall fundraising, lose payer contracts, and eat six‑figure legal bills because the founder assumed “our vendor handles that.”
If you are a physician CEO scaling telemedicine, you need a blunt, operational checklist. Not theory. Not vague “ensure compliance” language. Concrete items you can assign, verify, and audit.
This is that checklist.
1. Build a Real Compliance Backbone Before You Scale
If you scale without a compliance backbone, you are just scaling your risk.
1.1 Appoint Someone Who Wakes Up Worried About Compliance
You need a named owner. Not “everyone owns compliance.” That means no one does.
At minimum:
- A Compliance Officer (can be part‑time at the beginning, but not imaginary)
- Direct reporting line to you as CEO or to the board
- Written responsibilities and authority to say “no” to product and operations
If you are bootstrapped:
- This might be you for 3–6 months.
- But then you must hand it off and stay out of the weeds.
Checklist:
- Compliance Officer named in org chart
- Role description documented and shared
- Monthly compliance review meeting on the calendar
1.2 Create a Basic Compliance Program Document
Not a 90‑page law firm memo. A lean, working document that covers:
- Mission and scope of your compliance program
- High‑risk domains (licensure, prescribing, privacy, billing, etc.)
- How issues are reported and handled
- How you train clinicians and staff
You can expand later. What matters now is clarity and ownership.
2. Licensure, Location, and the “Where Is the Patient?” Rule
Most telemedicine problems begin with one mistake: misunderstanding “place of service.”
The rule: Clinically and legally, the encounter happens where the patient is located at the time of the visit.
Everything flows from that.
| Category | Value |
|---|---|
| Licensure | 90 |
| Prescribing | 80 |
| Privacy | 70 |
| Billing | 60 |
| Corporate Practice | 75 |
2.1 Map Every State You Touch
You cannot scale safely if you do not know exactly where your patients are, state by state.
Operational requirements:
- Platform must capture and lock the patient’s location at each visit
- You must be able to report visits per state on demand
- You must know which clinicians hold which state licenses
Create a simple licensure matrix:
| State | Active MD/DO Licenses | Midlevel Licenses (NP/PA) | Gaps (Need Coverage) |
|---|---|---|---|
| CA | 4 | 2 | None |
| TX | 3 | 1 | NP needed |
| FL | 2 | 0 | PA + NP needed |
Checklist:
- Patient location captured and verified at every visit
- Dashboard of visits per state and per clinician
- Licensure matrix updated monthly
2.2 Respect State Licensure and Compacts
You already know: you generally must be licensed where the patient is. Where founder‑clinicians get burned is in the “exceptions” and sloppy assumptions.
You need clear rules for:
- Interstate Medical Licensure Compact (IMLC) – useful, but not universal
- Nurse Licensure Compact (NLC) – applies to nursing practice, not prescribing across all scenarios
- State telehealth registration schemes vs. full licensure
- States that heavily restrict telemedicine for certain services (e.g., mental health, abortion, controlled substances)
Action steps:
- Pick your initial core states (where you will scale first).
- For each core state, obtain:
- Full license
- Summary sheet of telehealth‑specific rules
- Lock your scheduling rules:
- Only clinicians licensed in State X can see patients located in State X.
No exceptions. No manual overrides.
3. Prescribing and Controlled Substances: Where People Lose Licenses
Prescribing via telemedicine is where regulators sharpen their knives, especially for controlled substances.
3.1 Know the Ryan Haight Framework and Its Updates
Historically, the Ryan Haight Act required an in‑person evaluation before prescribing most controlled substances, with a few narrow exceptions.
During COVID, temporary flexibilities were introduced. They are evolving. Many founders are still operating like it is 2021. That is how you end up in an OIG report.
You need:
- A state‑by‑state and federal prescribing rules summary
- A documented rule: which classes of medications you will not prescribe via telemedicine
- A process for in‑person referrals when needed
Checklist:
- DEA policies and state rules reviewed with counsel in the last 6 months
- Written policy on telemedicine prescribing of controlled substances
- Clear patient messaging on what will / will not be prescribed
3.2 Hard‑Code Prescribing Rules into Your EHR/Platform
Do not rely on clinicians to remember every state nuance. You will lose that bet.
Your system must:
- Block controlled substances when:
- The patient is in a state where your model does not meet legal thresholds
- The prescriber is not properly licensed / registered
- Provide alerts for:
- Duplicate therapy
- Early refills
- PDMP (Prescription Drug Monitoring Program) checks where required
If your vendor says, “We do not support that level of state‑based logic,” then you have the wrong vendor for scaling.
4. Corporate Practice of Medicine and Entity Structure
This is where non‑physician founders get into trouble. Physician CEOs sometimes assume this does not apply to them. It does.
Some states have corporate practice of medicine (CPOM) prohibitions. They restrict who can own and control a medical practice.
4.1 Use the PC–MSO Model Where Needed
In CPOM states, the typical compliant structure is:
A Physician Professional Corporation (PC) that:
- Employs clinicians
- Holds clinical risk
- Makes medical decisions
A Management Services Organization (MSO) that:
- Provides non‑clinical services (admin, tech, billing, marketing)
- Holds the brand and non‑clinical assets
- Is often the “startup entity” investors fund
Revenue flows:
- Payer or patient pays the PC for medical services
- PC pays the MSO under a management services agreement (MSA)
You need:
- State‑specific analysis of where CPOM applies
- Proper ownership of PCs (often must be physician‑owned)
- Real, arms‑length MSAs (not fake contracts drawn up in a weekend)
Checklist:
- CPOM analysis completed for each state where you operate
- PC–MSO structure implemented where required
- MSAs and related agreements reviewed by healthcare counsel
5. HIPAA, Security, and Vendor Contracts: No, Zoom Alone Is Not Enough
You already know you need HIPAA compliance. The failure mode I see is not obvious breaches. It is sloppy vendor management.
5.1 Business Associate Agreements (BAAs) for Everyone Touching PHI
If a vendor can see, store, or process PHI, you either:
- Have a signed BAA with them, or
- You do not use them. Full stop.
This includes:
- Video platform
- EHR
- Cloud hosting provider
- Analytics tools
- Support / ticketing tools, if they see PHI
- SMS vendors if you send identifiable health information
Checklist:
- Vendor inventory with PHI exposure mapped
- Signed BAAs for each PHI‑exposed vendor
- Vendor risk ranking (high / medium / low)
5.2 Encrypt Everything and Lock Down Access
Minimum bar for scaling:
Encryption:
- Data at rest and in transit
Access controls:
- Unique logins (no shared accounts, ever)
- Role‑based access (nurses do not see everything physicians do)
- Multi‑factor authentication for any system with PHI
Audit:
- Access logs for EHR and core systems
- Regular review (quarterly at least) of who has access to what
- Procedure for rapid deprovisioning when staff leave
If your engineering lead pushes back on these, you have a culture problem, not a tech problem.
6. Clinical Protocols and Standard of Care at Scale
You are still practicing medicine. Standard of care does not disappear because the visit is virtual.
Where telemedicine ventures fail is inconsistent quality, especially during fast hiring and rapid growth.
6.1 Define What You Will Treat and What You Will Not
Your scope must be crystal‑clear. Not in your head. Written. Operationalized.
Examples:
Tele‑urgent care:
- Will treat: minor infections, simple rashes, medication refills (within reason)
- Will not treat: chest pain, severe abdominal pain, neurological deficits
Tele‑psychiatry:
- Will treat: mild to moderate depression/anxiety, ADHD (within rules), maintenance of stable patients
- Will not treat: acute psychosis, active suicidal intent without local backup
Each condition category should have:
- Inclusion criteria
- Exclusion criteria (red flags)
- Required documentation elements
- Required follow‑up timing
6.2 Hard‑Wire Clinical Decision Support
This is where your telemedicine platform becomes more than video chat.
Examples to implement:
Intake questionnaires that:
- Route high‑risk symptoms to urgent or emergency care
- Prevent scheduling with telemedicine when in‑person is required
Visit templates that:
- Prompt clinicians to document key elements (e.g., tele‑neuro “limited exam” specifics)
Order sets and prescribing templates that:
- Enforce your formulary and duration limits
- Flag dangerous combinations
Checklist:
- Condition‑level protocols documented and version‑controlled
- Intake flows aligned with protocols
- Templates and decision support built into your EHR or platform
7. Billing, Coding, and Payers: Where Startups Quietly Bleed Out
If you bill incorrectly at scale, you will either:
- Leave millions on the table, or
- Owe millions back after an audit.
7.1 Decide Your Payment Model Early
You have three basic revenue models:
- Cash‑pay / employer‑pay only
- Traditional fee‑for‑service insurance billing
- Value‑based contracts / capitated or hybrid arrangements
Each has its own compliance headaches. Many telehealth startups get into trouble by mixing them without clear rules.
Be explicit:
- Will you bill insurance directly?
- Will you send patients “superbills” for out‑of‑network reimbursement?
- Will employers pay a per‑member‑per‑month fee that requires reported utilization data (which must be accurate)?
7.2 Telehealth Coding Rules Are Not Optional
You need:
Clear policies on:
- Place of Service (POS) codes for telehealth vs. in‑person
- Modifier use (e.g., 95, GT) as payers require
- Audio‑only vs. audio‑video coding
- Time‑based vs. MDM‑based coding for virtual visits
A billing team that:
- Has telehealth‑specific training
- Has payer‑specific grids for your top 10 plans
| Visit Type | POS | Modifier | Notes |
|---|---|---|---|
| Video visit | 02 | 95 | Standard telehealth |
| Audio-only visit | 10 | FQ | Check payer policy |
| Remote check-in | 11 | None | Code G2012 where allowed |
Checklist:
- Telehealth coding policies documented and updated quarterly
- Top 10 payer rules documented in a quick‑reference grid
- Random monthly chart–claim audits conducted
8. Multi‑State Operations: Standardization Without Violating State Rules
Once you cross above 5–8 states, complexity explodes. You cannot run 20 different playbooks. You also cannot pretend every state is the same.
8.1 Build a “National Standard” with State Overlays
Your structure should look like this:
National baseline policies for:
- Documentation standards
- Minimum clinical workflows
- Core privacy and security rules
- Baseline telehealth visit type definitions
State overlays that:
- Modify the baseline only where required
- Are clearly visible in your policy repository (e.g., CA override, TX override)
- Are explained succinctly for clinicians working in that state
This avoids 50 entirely different SOPs and also avoids illegal one‑size‑fits‑all.
8.2 Create a State Compliance Playbook
For each state where you operate, you should be able to answer, in one or two pages:
- Licensure requirements and any telehealth registration options
- Specific consent requirements (some states require explicit telehealth consent, even documented verbatim)
- Prescribing rules, especially for controlled substances and tele‑psychiatry
- Parity laws for coverage and reimbursement
- Any telepresenter or site requirements (for certain services)
Store these in a shared, searchable repository. Not in someone’s email or a random Google Doc.
9. Quality, Audits, and “Prove It” Readiness
A compliance program that lives on paper is useless when a regulator, payer, or large employer asks: “Show me.”
9.1 Set Up a Real Telehealth QA Program
This does not need to be heavy bureaucracy. But it must be real.
Core elements:
Chart review:
- Random selection of visits per clinician per month
- Standard checklist: history, exam appropriate to virtual, assessment, plan, documentation of telehealth modality and consent
Outcome tracking:
- Return visits within 72 hours for the same complaint
- ED/hospitalization within 7 days after visit, where you can get that data
- Patient complaints and escalations
Feedback loop:
- Individual feedback to clinicians
- Pattern recognition (e.g., overprescribing antibiotics, poor documentation)
- Targeted training and, when needed, corrective action plans
9.2 Be “Audit Ready” at All Times
Assume three events will happen:
- A payer will conduct a claims audit.
- A large employer client will request a quality / utilization review.
- A state board or regulator will investigate a complaint.
You should be able to, within days:
- Pull complete encounter data per clinician, per state, per time period
- Show proof of:
- Consent
- Licensure
- Prescribing decision logic
- Documentation templates and policies in effect at that time
- Provide evidence of QA reviews and corrective actions where issues were found
If your data model or EHR setup cannot support this, fix that now. Not when the subpoena arrives.
10. Training, Culture, and the “We Do Not Wing It Here” Rule
You can write perfect policies and still fail if no one follows them.
10.1 Train Like You Mean It
Every clinician and staff member should complete:
Onboarding training:
- Core telehealth model
- State variability concept
- How your protocols work in the platform
- Prescribing and documentation rules
Annual refreshers:
- Updates on legal/regulatory changes
- Lessons learned from QA and audits
- Real cases where things went wrong (de‑identified)
No “click‑through” training with a quiz you could pass blindfolded. Make it meaningful and tracked.
Checklist:
- Onboarding training curriculum documented
- Completion tracked in an HR or LMS system
- Annual refreshers scheduled and content updated
10.2 Build a Speak‑Up Culture
You want clinicians and staff to raise their hand early when something feels off.
Operational moves:
- Anonymous reporting channel (even for a small team)
- Explicit “no retaliation” policy
- Regular messaging from you: patient safety and compliance > productivity metrics
- Examples where you have changed a process because a frontline person spoke up
If your productivity targets make clinicians feel punished for declining high‑risk telehealth encounters, you are building your own future headline.
11. A Practical Compliance Checklist Summary
Use this as an operational run‑through. Print it. Assign owners. Put dates next to each item.
Governance & Ownership
- Compliance Officer appointed with defined authority
- Basic compliance program document created
- Monthly compliance review cadence set
Licensure & Location
- Patient location captured and locked each visit
- Licensure matrix per state and clinician maintained
- Scheduling rules tied to licensure implemented
Prescribing
- Tele‑prescribing policy (including controlled substances) documented
- State and federal rules reviewed with counsel in last 6–12 months
- EHR hard‑stops for inappropriate prescribing configured
Corporate Structure
- CPOM analysis completed for all active states
- PC–MSO or equivalent structures implemented where needed
- MSAs and clinical autonomy protections documented
HIPAA & Security
- Vendor PHI inventory created
- BAAs signed for all PHI‑touching vendors
- Encryption, RBAC, MFA implemented for all PHI systems
- Access logs and deprovisioning processes in place
Clinical Protocols
- List of conditions you will / will not treat via telehealth
- Protocols with inclusion/exclusion criteria documented
- Intake flows and templates aligned with protocols
Billing & Coding
- Revenue model(s) clearly defined and documented
- Telehealth‑specific coding policies (POS, modifiers) written
- Payer‑specific rules for top plans documented
- Routine chart–claim audits running
Multi‑State Operations
- National baseline policies written
- State overlays and state playbooks for active states created
- Repository for state rules shared and maintained
Quality & Audits
- Telehealth QA program with regular chart reviews running
- Outcome metrics defined and tracked
- “Audit ready” data structure confirmed and tested
Training & Culture
- Onboarding telehealth compliance training in place
- Annual refresher scheduled and tracked
- Anonymous reporting and non‑retaliation policy active
| Task | Details |
|---|---|
| Foundation: Appoint Compliance Officer | a1, 2026-01-10, 14d |
| Foundation: Map Licensure and States | a2, after a1, 21d |
| Clinical & Legal: Draft Protocols and Prescribing Policies | b1, after a1, 30d |
| Clinical & Legal: CPOM and Entity Structure Review | b2, after a1, 30d |
| Systems: Configure EHR Rules and Templates | c1, after b1, 30d |
| Systems: Implement Security and BAAs | c2, after a2, 30d |
| Operations: Launch QA Program and Training | d1, after c1, 30d |
Here is your next step, not theoretical, but concrete:
Within the next 24 hours, sit down with your operations or legal lead and fill out the compliance checklist summary section above, honestly, with three colors—green (done and verified), yellow (in progress or partial), red (not started). Then pick the single highest‑risk red item and assign an owner, a deadline, and a calendar check‑in this week to move it to yellow.
Do that, and you are no longer “hoping” your telemedicine company is compliant. You are running it like a real physician CEO.
