Residency Advisor
Most physicians practicing telehealth right now are underestimating how fast the regulatory ground is shifting beneath their feet.
You do not need to be a health policy lawyer. But if you ignore a few specific regulatory threads, you are setting yourself up for licensing headaches, billing audits, or ethical messes that will land on your desk, not the compliance department’s.
Let me break down the actual nuanced policy issues you should track. Not the generic “HIPAA and licensing” soundbites. The real friction points I see over and over when clinicians move from ad‑hoc telehealth to sustained, cross‑state, technology‑heavy virtual care.
1. Licensing Is Not “Solved” — It Is Fragmented, Political, and Moving
Physicians keep asking the wrong question: “Can I see patients in other states via telemedicine?”
The right question is: “Under which legal theory, with which exceptions, and for how long can I treat this specific patient in that specific jurisdiction?”
The core rule you cannot ignore
In the United States, the controlling principle is still:
You practice medicine where the patient is physically located at the time of the encounter.
So if you are in New York and your patient is sitting in Florida during a video visit, you are “practicing in Florida” for licensing purposes. Florida’s board can discipline you. Florida’s statutes control scope, prescribing, and supervision rules.
This sounds simple. It is not. Because the “patient location” rule collides with several moving parts:
- Interstate compacts
- State-specific telehealth exceptions
- Pandemic-era waivers (some now gone, some half‑alive, some codified)
- Corporate telehealth platforms “air‑dropping” patients into your schedule from everywhere
| Step | Description |
|---|---|
| Step 1 | Patient requests telehealth visit |
| Step 2 | Where is patient now |
| Step 3 | Check state license status |
| Step 4 | Proceed under full scope |
| Step 5 | Use limited exception |
| Step 6 | Do not provide care or redirect |
| Step 7 | Any exception |
What you actually need to track as a clinician
Interstate Medical Licensure Compact (IMLC)
This is not a national license. It is an expedited pathway to get multiple state licenses faster if your home state participates and you meet criteria (clean record, primary license in a member state, etc.).The nuance:
- It does nothing if the patient is in a non‑compact state (e.g., some high‑population states have sat out or moved slowly).
- It does not harmonize scope or telehealth rules; you still must know each state’s practice rules.
State telehealth exceptions
Some states allow limited practice without full licensure under narrow conditions, such as:- Episodic consultation with an in‑state physician
- Follow‑up for a patient who traveled for in‑person care (surgical follow‑ups, specialty consults)
- True emergencies
These exceptions are tempting shortcuts for busy physicians wanting to “just help” their patients while they travel. They are also easy to overuse. I have seen surgeons casually doing serial follow‑ups on snowbird patients under exceptions that clearly were meant for rare episodes, not ongoing chronic care.
Cross‑border telepsychiatry and “therapy tourism”
Mental health is where regulators are now sharpening their focus. Patients shop for states with looser prescribing rules, more permissive practice acts, or higher availability and then sit physically in a restrictive state during the encounter.
If you provide telepsychiatry across states, you should assume:- You will be judged by the strictest applicable rule (home state + patient state + DEA + payer policy).
- Enforcement will escalate after any high‑profile adverse event.
International telehealth
Many physicians quietly do follow‑ups for patients who return to their home country. This is a grey area minefield:- U.S. boards still consider you practicing under your U.S. license.
- The foreign country may consider you an unlicensed provider.
- Malpractice coverage often explicitly excludes foreign jurisdiction claims.
If you are doing this regularly, you either:
- Need explicit institutional policy and insurer approval, or
- Need to stop pretending it is “just a quick call.”
2. Prescribing by Telehealth: The DEA, Controlled Substances, and the Coming Snap‑Back
The biggest regulatory time bomb in telehealth right now is controlled substance prescribing.
During COVID, the Ryan Haight Act’s in‑person exam requirement for prescribing controlled substances via telemedicine was temporarily relaxed. Many virtual care companies built entire business models (ADHD meds, anxiety, insomnia, pain) on top of these flexibilities.
Those flexibilities are not permanent in the form most physicians are practicing.
| Category | Value |
|---|---|
| Non-controlled (e.g., antihypertensives) | 20 |
| Schedule IV (e.g., some sleep aids) | 40 |
| Schedule III (e.g., some pain meds) | 70 |
| Schedule II (e.g., stimulants) | 90 |
The numbers here are a rough conceptual “regulatory risk index” (0–100). Schedule II via telehealth is where the real scrutiny lives.
Key nuances you must track
In‑person exam requirements are returning in some form
The DEA has proposed rules (still evolving) that would:- Allow some limited initial prescribing via telemedicine with caps or time‑bound exceptions.
- Require an in‑person exam at some point for ongoing controlled substances, potentially via:
- The telehealth prescriber themselves, or
- A “qualifying” in‑person evaluation by another DEA-registered clinician.
As these harden into final rules, you need to know:
- Does your organization have a clear workflow to document a compliant in‑person exam?
- Are you inheriting patients who started meds under more permissive pandemic rules with no formal transition plan?
Platform‑driven prescribing pressure
If you work for a virtual ADHD, pain, weight loss, or insomnia platform, you have a specific problem: the business model often tacitly expects high prescription conversion.Policy risk red flags I have personally seen:
- Short, script‑driven visits with prechecked “symptom” boxes aligned with target meds.
- Subtle performance metrics on your dashboard: “conversion rate,” “time per visit,” “refill capture.”
- Algorithms that surface “high need” patients who, conveniently, are also high margin.
Your name, your DEA number, your license will be on that prescription. The founders will be gone long before a state AG or DEA investigator calls.
PDMP and cross‑state data gaps
Prescription Drug Monitoring Programs (PDMPs) are state-based. Many telehealth physicians casually skip PDMP checks for out-of-state patients because:- They do not have credentials in that state PDMP.
- The telehealth platform’s EHR does not integrate with that PDMP.
Reality: If anything goes wrong, “the PDMP was hard to access” will sound ridiculous in a deposition. You either:
- Get access and document checks, or
- Do not prescribe controlled substances across that border.
E-prescribing location metadata
Many eRx systems record prescriber location, IP address, and sometimes device info.
If your organization is sloppy about:- Shared logins
- Remote work across multiple states
- Using out-of-state physicians to “cover” local patients
…then PDMP + pharmacy + eRx logs can reconstruct suspicious patterns fast.
3. Privacy and Security: HIPAA Is the Floor, Not the Ceiling
Most physicians still conceptualize telehealth privacy as “Is Zoom HIPAA-compliant?”
That is about 10 percent of the real issue.
The bigger problem is the explosion of data around the visit:
- Digital intake forms
- Symptom trackers
- Remote monitoring devices
- AI scribes and transcription tools
- Messaging platforms and patient apps
And many of these are outside traditional HIPAA territory, especially direct-to-consumer apps.
What physicians consistently misunderstand
“HIPAA-exempt” does not mean ethically free‑for‑all
If an app or service is not formally a HIPAA covered entity or business associate (common with wellness apps, coaching platforms, or some DTC telehealth), your patients still think their health information is private.
The law may technically allow broad data sharing. Your ethical obligations do not.You need to ask explicitly:
- Where does this video visit happen (embedded in EHR? third-party app?).
- Where is the recording or transcript stored, and who can access it?
- Is data being used for secondary purposes (e.g., training commercial AI tools, marketing, profiling)?
If you cannot get a straight answer from your telehealth vendor, that is your answer.
AI documentation tools and “shadow records”
AI scribes that listen to visits and generate notes are exploding. Hidden risk: many of them keep separate “training data” copies of audio and transcripts, not fully controlled by your institution.Watch for:
- Vague “we may use de‑identified data to improve our services” language.
- Opt‑out mechanisms that your organization never actually configures.
- Voice data and transcripts being processed outside the country, under weaker data protection regimes.
Patient environment privacy
Technically not HIPAA, but very much your professional problem.
You have zero control over:- Who is sitting just off camera in the patient’s room.
- Whether the patient is in a car, at work, or in a shared space.
For sensitive topics—reproductive health, IPV, mental health, substance use—you should be routinely asking:
- “Who else is in the room or within earshot?”
- “Are you comfortable discussing private health information where you are right now?”
It is not perfect, but it is much better than assuming a video frame equals a private exam room.
Cross‑border data transfer rules
If your organization uses cloud services or offshores any telehealth support (transcription, IT, after‑visit summaries), you can easily trigger:- GDPR or other foreign data protection laws for EU/UK residents.
- Heightened regulatory expectations if working with U.S. federal programs (VA, DoD, etc.).
You may not be the one choosing vendors, but you are the one ethically responsible for how your patients’ data is handled. Push the question up the chain when you smell sloppiness.
4. Reimbursement, Fraud, and “Upcoding by Design”
Telehealth billing rules are one of the most quietly abused areas in modern healthcare. Not because clinicians are all crooks, but because:
- Payers change rules frequently.
- Platforms optimize visit design around maximum billable codes.
- Clinicians are nudged to document in ways that “incidentally” justify higher reimbursement.
| Scenario | Relative Audit Risk |
|---|---|
| Occasional follow-up video visits | Low |
| High-volume brief visits (DTC platform) | High |
| Incident-to telehealth billing | High |
| Telehealth plus remote monitoring stack | Moderate–High |
| Multi-state Medicaid telehealth | High |
Subtle but important issues
Time-based coding inflation
Many telehealth EHR templates default to “time spent” coding. You click a few boxes; suddenly your 9‑minute check-in is documented as a 30‑minute visit because:- Pre‑chart review time was auto-added based on EHR logins.
- Post-visit documentation time is assumed, not measured.
Auditors will not be impressed by “the system did it.” If you consistently bill high-level visits with obviously short real-time contact, you look like low-hanging fruit.
Incident-to and supervision rules in telehealth
For Medicare and many commercial plans, incident-to billing (APC providing care under a physician’s supervision, billed under the physician’s NPI) has:- Physical location requirements, and
- Specific supervision rules (direct, general, etc.).
Telehealth scrambles this. You get odd scenarios:
- APC at home. Physician at home. Patient at home.
- Platform tries to bill under the physician’s NPI to maximize payment, claiming “general supervision.”
If you are the supervising physician in these chains, make sure:
- You know which visits are billed under your NPI.
- You actually review charts and provide meaningful oversight.
- You understand your program’s interpretation of supervision for virtual teams.
“Tech stack stacking” — RPM, CCM, telehealth all at once
Many chronic disease management programs now bill:- Remote Patient Monitoring (RPM) codes
- Chronic Care Management (CCM) codes
- Periodic telehealth visits
- Possibly device supply codes
In legitimate programs, that is fine. In sloppy or aggressive programs, patients:
- Barely understand what they consented to.
- Rarely interact meaningfully with clinicians.
- Generate a lot of billed hours with minimal clinical value.
If you are signing off on these services, ask:
- “Would I be comfortable explaining this pattern under oath?”
- “Is the time documented actually spent on this patient?”
- “Is there clear benefit beyond billing opportunity?”
State Medicaid and telehealth
Medicaid is state-specific. Requirements differ on:- Eligible originating sites
- Covered modalities (audio-only vs audio-video)
- Provider types
Some telehealth companies treat Medicaid as a monolith. Then physicians discover retroactive denials and overpayment letters years later. If a big part of your panel is Medicaid, you cannot ignore state-by-state nuance.
5. Standard of Care, Liability, and the Illusion of “Quick Visits”
The law is simple here, even if people try to complicate it:
Telemedicine is held to the same standard of care as in‑person care.
Not a telehealth standard. The same standard.
If you could not ethically or legally manage something with an in‑person 10‑minute visit and no exam, you cannot safely claim telehealth makes it fine.
| Category | Value |
|---|---|
| Minor acute (URI, rash) | 80 |
| Chronic disease follow-up | 85 |
| New serious symptoms | 30 |
| Complex mental health | 50 |
| High-risk OB concerns | 20 |
Interpretation: Rough estimate of appropriateness (0–100) for primarily telehealth-based management from a risk perspective. Too many telehealth programs behave as if every bar is at 90+.
Situations that routinely go wrong
“Telehealth-first” for new serious complaints
Chest pain. Severe abdominal pain. Neurologic deficits. OB red flags.
The ethical approach:- Use telehealth for triage.
- Move to in-person or ED immediately when red flags appear even on the phone.
The risky behavior I see:
- Trying to manage borderline concerning symptoms with “watchful waiting” over video because the patient prefers convenience or the platform discourages referrals.
Relying on patient self-exam beyond what is reasonable
Getting patients to press on their abdomen, shine a flashlight in their throat, or move a swollen joint can be helpful. But there is a line.If your differential includes conditions where a real physical exam would change management in a non-trivial percentage of cases, then choosing telehealth alone can be negligent.
Inadequate safety net instructions
Many telehealth notes have generic after-visit summaries. They do not:- Spell out specific red-flag symptoms.
- Give clear thresholds for ED vs clinic vs phone.
- Document that these were explained and understood.
In telehealth, your “safety net” is more important, not less. You do not have the luxury of “come back to the clinic tomorrow and we will recheck.”
Malpractice coverage gaps
You need to explicitly confirm:- Are telemedicine services covered under your policy?
- Are all states you practice in covered?
- Are you covered if you are employed as an independent contractor on a telehealth platform?
I have seen physicians assume their day-job malpractice extends to moonlighting telehealth gigs. It often does not.
6. Equity, Access, and the Ethics of Who Gets What Kind of Visit
Telehealth can improve access. It can also quietly amplify inequities if you are not paying attention.
Think of three layers:
- Who can access telehealth at all (connectivity, devices, language).
- Who is offered telehealth versus in-person for the same clinical issues.
- Whose data and outcomes are being used to design future care models.
The patterns that should bother you
Digital divide by age, income, and language
Video visits skew toward:- Younger, more educated, higher-income patients.
- English speakers with better digital literacy.
Everyone else gets:
- Phone calls, or
- Nothing, or
- Repeated rescheduling due to tech failure.
Ethically, you should be asking your clinic or system:
- Are we systematically tracking who is unable to use video?
- Do we offer device support, tech help, or alternative workflows?
- Are certain populations being defaulted to lower‑quality modalities?
Telehealth used as a second-class option for marginalized groups
In some safety-net systems, I have seen this pattern:- Commercially insured patients get easier access to in-person specialist slots.
- Medicaid/uninsured patients are more often routed to telehealth-only clinics.
On paper, everyone has “access.” In practice, one group has a narrower diagnostic and therapeutic toolkit.
Algorithmic bias in telehealth triage and remote monitoring
When telehealth platforms use automated triage bots or risk scores, those algorithms reflect biased training data:- Under-recognition of pain and mental health in certain racial groups.
- Misinterpretation of vital signs when devices were never validated in darker skin tones.
- Overreliance on prior utilization as a proxy for need (which penalizes under-served groups).
As a physician, you cannot audit algorithms yourself. But you can push:
- “Show me performance by race, language, insurance type, and age.”
- “Are we adjusting workflows where disparities are obvious?”
Cross-border reproductive and gender-affirming care
Some states are criminalizing or restricting abortion and gender-affirming care, including telehealth-based models. If you provide these services:- You must understand your own state’s shield laws (if any).
- You must understand extraterritorial enforcement attempts (states trying to reach across borders to criminalize care).
- You must be crystal clear with patients about what can and cannot safely be documented or done when they are physically in hostile jurisdictions.
This is not theoretical. We already have attorneys coaching clinicians to:
- Avoid certain phrases in notes.
- Limit cross-state telehealth when states explicitly target such care.
7. Practical Ways to Stay Ahead Without Becoming a Lawyer
You cannot track every regulation. You do not need to. But there are a few high-yield habits that keep you ahead of most of the risk while aligning with sound ethics.
| Step | Description |
|---|---|
| Step 1 | Identify telehealth use cases |
| Step 2 | Map states and payers |
| Step 3 | Clarify prescribing and supervision rules |
| Step 4 | Review privacy and vendor contracts |
| Step 5 | Set personal red lines |
| Step 6 | Periodic policy check-in |
Focus on these concrete actions:
Know your map
Keep a simple list: which states you are licensed in, which payers you bill, and which services (e.g., controlled substances, telepsych, RPM) you provide in each.Ask your compliance or legal team targeted questions
Instead of, “Is our telehealth compliant?”, ask:- “Can I prescribe Schedule II meds to out-of-state patients, and what are the rules?”
- “How are we documenting in-person exams for controlled substances?”
- “Which vendors have access to audio/video from visits, and how do they use it?”
Set personal ethical red lines
Examples:- “I will not prescribe new controlled substances to patients in states where I am not licensed, no matter what the platform suggests.”
- “I will not rely solely on telehealth for high-risk OB or new severe neurologic symptoms.”
- “I will not work for platforms that pay me per prescription or per ‘conversion.’”
Do a twice‑yearly telehealth policy check-in
Take 1–2 hours, twice a year:- Glance at summaries from AMA, specialty societies, or your board.
- Review any updated institutional policies.
- Adjust your practice where needed.
Document your reasoning when you are near the line
If you decide not to prescribe, not to manage via telehealth, or to send someone to the ED, write a short, explicit sentence:- “Telehealth limitations preclude adequate neuro exam; advised ED evaluation.”
- “Out-of-state location and prescribing rules limit ongoing controlled substance management; discussed plan and local referral.”
That one line often makes the difference between “looked careless” and “used appropriate clinical judgment under constraints.”
FAQ (Exactly 5 Questions)
1. Do I really need a license in every state where my telehealth patients are located?
In almost all U.S. jurisdictions, yes. You practice where the patient is located. Interstate compacts only simplify getting additional licenses; they do not replace them. Limited exceptions (consultation, follow-up, emergency) are narrow and not designed for ongoing care. If you are regularly treating patients in another state, you should assume you need a license there unless your legal team has confirmed a specific statutory exception.
2. Can I keep prescribing stimulants or other controlled substances via telehealth indefinitely if I started during the COVID waivers?
No. The temporary flexibilities are being scaled back, and the DEA’s final rules will require some form of in‑person evaluation for ongoing controlled substance prescribing. If you are continuing long-term stimulant, benzodiazepine, or opioid management purely via telehealth with no in‑person exam in the chain, you are sitting on a regulatory and liability risk. You should work with your organization to transition those patients into compliant workflows.
3. Are audio-only (telephone) visits still acceptable telehealth in the eyes of regulators and payers?
Sometimes. Medicare and many Medicaid programs continue to cover some audio-only services, especially for behavioral health and when patients lack video capability. Commercial payers vary. Ethically, audio-only may be appropriate for certain follow-ups and counseling, but not for conditions where a visual or physical assessment would materially change care. You should know your payer’s rules and also document why audio-only was clinically reasonable or necessary.
4. How worried should I be about using AI scribes or transcription tools in telehealth?
You should be curious and mildly skeptical. AI scribes can reduce documentation burden, but you must know where the audio and text go, how long they are stored, and whether they are used to train commercial models. Ideally, your organization has a business associate agreement and clear data-use limitations with the vendor. If you are using consumer-grade tools with no formal protections, you are exposing patient information and yourself to unnecessary risk.
5. What is my ethical obligation when telehealth is clearly inferior to in-person care, but the patient insists on virtual visits only?
Your obligation is to practice within the standard of care, not within the bounds of patient convenience. You can and should explain why telehealth is insufficient for a given problem and offer reasonable alternatives (in-person visit, ED, local referral). If a patient refuses and there is no safe telehealth pathway, you should decline to provide substandard care and document the discussion. Clinician duty to provide competent care outweighs patient preference for convenience.
Three things to remember:
- Telehealth does not change the standard of care; it just changes how easy it is to drift below it.
- Licensing, prescribing, privacy, and reimbursement rules are shifting targets, but a few disciplined habits keep you out of obvious trouble.
- If a telehealth workflow feels ethically off—rushed visits, scripted prescribing, opaque data use—it probably is. Stop, question, and, if needed, walk away.
