Specialty Compliance

Telehealth Compliance Post-PHE: Where the Rules Landed in 2026

7 min read · Last reviewed May 23, 2026

Telehealth compliance post-PHE is governed by four overlapping authorities: the CMS Medicare telehealth framework at 42 CFR § 410.78, the DEA's Ryan Haight Act framework at 21 CFR § 1306.04 and the active telemedicine flexibility extensions, the ONC interoperability and certification standards, and state telehealth practice and consent statutes. Most practices comply with one and miss the other three.

What the rules actually require for a telehealth program

The PHE expired on May 11, 2023. The flexibilities did not all expire on the same date. The post-PHE landscape sorts into four buckets, and a telehealth program needs a defensible position in each.

Medicare coverage. 42 CFR § 410.78 defines telehealth services, originating sites, and the modality (synchronous audio-video). Geographic and originating-site restrictions were waived during the PHE and extended through statutory language tied to subsequent Consolidated Appropriations Acts. As of 2026, behavioral and mental telehealth is permanently expanded (no geographic restriction; patient's home an eligible originating site); most other Medicare telehealth flexibilities run under congressional extensions through December 31, 2027 per HHS-published guidance, and absent further legislation revert to the pre-PHE framework after that date. The current Medicare Telehealth Services List, updated annually, controls which CPT/HCPCS codes are billable.

Controlled-substance telemedicine. The Ryan Haight Online Pharmacy Consumer Protection Act, codified at 21 USC § 829(e), requires an in-person medical evaluation before a controlled substance can be prescribed via the internet, with seven enumerated exceptions including the practice-of-telemedicine exception. DEA and HHS announced the fourth temporary extension on January 2, 2026, running the pandemic-era telemedicine flexibility from January 1 through December 31, 2026 (see the DEA Diversion Control rule page). The DEA's proposed Special Registration for Telemedicine framework is the long-term solution. Verify current status at DEA Diversion Control before relying on telemedicine controlled-substance prescribing.

HIPAA and platform. The OCR Notification of Enforcement Discretion permitting non-public-facing consumer video applications (FaceTime, Skype, etc.) during the PHE was rescinded effective August 9, 2023. Practices must use HIPAA-compliant platforms with executed BAAs, end-to-end encryption, and audit logging. The underlying Privacy and Security Rules at 45 CFR Parts 160 and 164 apply identically to telehealth and in-person encounters.

State practice and consent. Telehealth is practiced where the patient sits. Provider licensure, scope of practice, consent requirements, and prescribing rules follow the patient's location, not the provider's. State telehealth statutes added since 2020 add specific consent, modality, and documentation requirements that federal law does not preempt.

The documents you must maintain

A telehealth program audit binder should produce:

  • Active state medical license for every provider in every state where patients are seen
  • IMLC, PSYPACT, NLC, or comparable compact registrations where used
  • DEA registration matched to a practice location for any controlled-substance prescribing
  • HIPAA-compliant platform vendor BAA, with end-to-end encryption confirmation
  • Telehealth informed-consent document, signed at the first telehealth encounter and re-affirmed at the practice-defined interval (annually is typical)
  • Identity and location verification documentation in every telehealth encounter
  • Emergency protocol per patient location (nearest ED, emergency contact, escalation path)
  • Modality documentation in the encounter note (synchronous AV vs. audio-only)
  • State-specific telehealth consent forms where state law requires a separate written acknowledgement (California Business and Professions Code § 2290.5, Texas Occupations Code § 111.002)
  • Billing documentation matched to the encounter modality, with the correct POS (02 or 10) and modifier (95 or 93)

How telehealth audits actually work

The auditing entities in telehealth fall into three buckets:

  1. OIG and CMS program-integrity reviews. The OIG Work Plan has called out telehealth billing patterns repeatedly since 2022. OIG audits sample telehealth claims for documentation matching the billed code, modality matching the place-of-service, and patient location matching state-licensure requirements.
  1. DEA inspections of controlled-substance telemedicine. When a telemedicine controlled-substance prescription is filled by a pharmacy that questions it, the chain often ends at the prescriber's DEA registration. Inspectors will ask for the telemedicine flexibility documentation (which extension, which patient encounter), the patient identity and location verification, and the clinical rationale supporting the 21 CFR § 1306.04 legitimate-medical-purpose finding.
  1. State medical board complaints. Patient complaints about telehealth care almost always go to the state board where the patient sits. The board will ask for the consent documentation, identity verification, and proof of state licensure or compact registration.

What we have seen drive telehealth enforcement, in order:

  • Provider not licensed in the patient's state at the time of service. This is often discovered only after a complaint.
  • Place-of-service mismatch on the claim — billing POS 02 for a patient who was actually at home (POS 10 since the 2024 update).
  • Modifier 95 used on an audio-only encounter without the modifier-93 designation where audio-only is permitted.
  • Telehealth consent documented once at intake and never refreshed, even after the practice's own policy required annual re-consent.
  • Controlled-substance prescription issued under a telemedicine flexibility that expired before the encounter.

Common gaps unique to telehealth

The gaps we see most often:

  • Multi-state expansion without a credentialing matrix tracking license status per provider per state
  • BAA on file with the platform vendor but expired or superseded by a vendor reorganization
  • Encryption confirmed at platform signup but not re-verified after a major platform release
  • Emergency protocol stale or generic, not tied to the patient's actual location
  • Audio-only encounters billed without documentation of why audio-only was appropriate (patient lack of camera, technical failure)
  • Notes that do not document the modality (a chart note that reads identically to an in-person encounter, with no notation that this was video)
  • Vendor changes (platform switches, scheduling-tool changes) without a BAA refresh

Maintenance cadence

  • At every telehealth encounter: Verify provider licensure in patient's state, verify patient identity and physical location, document modality, document consent at first encounter or per the practice's reaffirmation interval.
  • Monthly: Sample telehealth claims for POS and modifier accuracy. Review denials for telehealth-specific patterns.
  • Quarterly: Re-verify BAA status for the telehealth platform vendor and any ancillary vendors (scheduling, document signing, payment processing) that touch PHI.
  • Annually: Review the CMS Medicare Telehealth Services List for changes; update the practice's billable-telehealth-codes list. Refresh state telehealth statute review for each state the practice serves.
  • At every DEA extension expiration: Re-confirm the practice's reliance on the current DEA telemedicine flexibility. Schedule the review to expire 60 days before the flexibility expires, so the practice has time to adjust.

State preemption to watch

Telehealth state rules are the wildest carve-out in U.S. healthcare regulation. The biggest divergences in 2026:

  • California: Business and Professions Code § 2290.5 requires verbal or written informed consent for telehealth, documented in the chart. Under Cal. Health & Safety Code § 11165.4, CURES PDMP query is required at the first prescription of any Schedule II–IV controlled substance and at least every six months thereafter for ongoing therapy. Mandatory e-prescribing for all controlled substances.
  • Texas: Occupations Code § 111 governs telemedicine practice; the Texas Medical Board rules at 22 TAC Chapter 174 add documentation and prescribing-by-modality requirements. Defined practitioner-patient-relationship requirements separate from federal Ryan Haight.
  • Florida: Telehealth providers must register with the Florida Department of Health if located outside Florida and serving Florida patients (the Out-of-State Telehealth Provider Registration). E-FORCSE PDMP query at first controlled-substance prescription.
  • New York: I-STOP query at every controlled-substance prescription regardless of modality. EPCS mandatory.
  • Massachusetts and the New England states: Generally aligned with the Interstate Medical Licensure Compact; consent rules vary by board.

A telehealth program serving more than three states without a state-by-state policy matrix is a documentation gap waiting to surface in audit.

How d3rx fits

The d3rx compliance binder produces a telehealth section that names the platform BAA, the state-by-state license tracker, the telehealth informed-consent template, the encounter documentation template (identity, location, modality), and the emergency-protocol-per-location framework. Each element is sourced to the underlying federal or state statute. See the compliance binder overview for the broader binder structure.

D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversTelehealth Compliance Post-PHE: Where the Rules Landed in 2026. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Can I prescribe Schedule II controlled substances via telehealth in 2026?

Only under the conditions of the DEA/HHS fourth temporary extension of pandemic-era telemedicine flexibilities, announced January 2, 2026 and running January 1 through December 31, 2026, or under the eventual special-registration framework once it goes final. The default rule under [21 CFR § 1306.04](https://www.ecfr.gov/current/title-21/chapter-II/part-1306/section-1306.04) and the Ryan Haight Act requires an in-person evaluation before a Schedule II prescription. The fourth extension remains the operative authority for telemedicine-only prescribing windows; verify current status at [DEA Diversion Control](https://www.deadiversion.usdoj.gov/) before relying on it.

Did Medicare permanently extend the pandemic telehealth flexibilities?

Partially. Behavioral and mental telehealth has permanent no-geographic-restriction treatment (originating-site rules waived, patient's home as eligible site). For most other Medicare telehealth services, recent legislation extends the geographic and originating-site flexibilities through December 31, 2027 per HHS-published guidance; absent further congressional action those services revert to the pre-PHE framework after that date. Track the [HHS Medicare telehealth policies page](https://telehealth.hhs.gov/providers/billing-and-reimbursement/medicare-payment-policies) and the [CMS Medicare telehealth page](https://www.cms.gov/medicare/coverage/telehealth) for the current state and the published list of covered telehealth services.

Do I need a separate state license for every state where a telehealth patient sits?

Generally yes. Telehealth practice is regulated at the state of the patient's physical location at the time of service. Most states require full licensure; the Interstate Medical Licensure Compact (IMLC) and the PSYPACT and NLC compacts streamline multi-state licensure for participating providers. A few states have telehealth-specific licenses or registration pathways. Confirm before scheduling the first encounter, not after.

Is a HIPAA-compliant video platform enough?

It is the floor, not the ceiling. The platform vendor must have a current BAA, end-to-end encryption, and audit logging. The practice still owes consent, identity verification, location verification, encounter documentation, and state-specific elements (e.g., the California informed-consent requirement at the first telehealth visit). The Notification of Enforcement Discretion that allowed non-public-facing consumer video during the PHE was rescinded; HIPAA-compliant platforms are now required.

How do I bill telehealth for Medicare in 2026?

The 2026 framework uses POS 10 (telehealth provided in patient's home) and POS 02 (telehealth provided other than in patient's home) under the CMS POS coding guidance. Modifier 95 (synchronous audiovisual) applies to most telehealth services. Modifier 93 (audio-only) applies where audio-only is permitted. Confirm payment status on the CMS-published Medicare Telehealth Services List for the current year.

What is the audit-only telehealth flexibility, and is it still in effect?

Medicare permanently allows audio-only behavioral health under [42 CFR § 410.78](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-410/subpart-B/section-410.78). For other services, the audio-only flexibility has been extended through statutory language tied to the broader telehealth extensions; confirm the current status on the CMS telehealth page before billing audio-only for non-behavioral services.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 42 CFR § 410.78https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-410/subpart-B/section-410.78
  2. 21 CFR § 1306.04https://www.ecfr.gov/current/title-21/chapter-II/part-1306/section-1306.04
  3. DEA Diversion Controlhttps://www.deadiversion.usdoj.gov/
  4. Special Registration for Telemedicinehttps://www.federalregister.gov/agencies/drug-enforcement-administration
  5. 45 CFR Parts 160 and 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C
  6. OIG Work Planhttps://oig.hhs.gov/reports-and-publications/workplan/
  7. Business and Professions Code § 2290.5https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=2290.5
  8. Cal. Health & Safety Code § 11165.4https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=11165.4
  9. Occupations Code § 111https://statutes.capitol.texas.gov/Docs/OC/htm/OC.111.htm
  10. Out-of-State Telehealth Provider Registrationhttps://flhealthsource.gov/telehealth/

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides