Federal Telehealth Policy and Regulation in the United States

Federal telehealth policy sits at the intersection of Medicare statute, Drug Enforcement Administration authority, HIPAA privacy rules, and broadband infrastructure law — a collision of agencies that rarely share a conference room. This page maps the major federal frameworks that govern how telehealth services are delivered, billed, and regulated across the United States, with particular focus on the authorities that shape day-to-day clinical practice. Understanding where these rules come from — and where they are still being actively contested — is essential for anyone navigating the landscape.

Definition and scope

Federal telehealth regulation does not emerge from a single statute. It is assembled from at least 4 distinct legal regimes: the Social Security Act (which governs Medicare and Medicaid), the Controlled Substances Act (which governs prescribing), HIPAA (which governs privacy and data), and the Federal Communications Commission's broadband programs (which govern connectivity infrastructure). Each regime has its own definitions, and they do not always agree.

Medicare, for instance, defines telehealth narrowly under 42 U.S.C. § 1395m(m), tying coverage to specific originating sites, covered service types, and eligible practitioners. The Centers for Medicare & Medicaid Services (CMS) administers this definition and updates the list of covered telehealth services annually through the Physician Fee Schedule rulemaking process. The 2024 Physician Fee Schedule, for example, added and retained categories of telehealth services under temporary and permanent designations established after the COVID-19 public health emergency (CMS, CY2024 Physician Fee Schedule Final Rule).

HIPAA's definition of telehealth is functional rather than coverage-based — any electronic transmission of protected health information in a clinical context is subject to the Privacy and Security Rules (45 CFR Parts 160 and 164). The FCC, meanwhile, operates the Healthcare Connect Fund and the Connected Care Pilot Program under entirely different statutory authority, focused on infrastructure subsidy rather than clinical service delivery.

The practical scope of federal authority covers approximately 65 million Medicare beneficiaries and 94 million Medicaid and CHIP enrollees (CMS, 2023 Medicaid/CHIP enrollment data), making federal frameworks the dominant regulatory force even though licensure remains a state function.

Core mechanics or structure

The federal telehealth regulatory structure operates through four primary mechanisms: coverage policy, payment policy, prescribing rules, and privacy enforcement.

Coverage policy is set by CMS through annual rulemaking. Before a telehealth service is reimbursable under Medicare, it must appear on the Medicare Telehealth Services List. Services are designated as permanent (available indefinitely), temporary (authorized during a declared emergency), or provisional (under review for permanent addition). CMS categorizes covered services by HCPCS and CPT codes, and the distinction between "telehealth" visits and "non-face-to-face" services like remote patient monitoring carries significant billing implications — a distinction explored in detail at Telehealth Billing and Coding.

Payment policy flows from the Physician Fee Schedule and, for hospitals, the Outpatient Prospective Payment System. Medicare historically paid telehealth at facility rates rather than non-facility rates when patients were at home, a disparity that affected physician reimbursement. Pandemic-era waivers and subsequent legislation through the Consolidated Appropriations Act, 2023 extended payment parity provisions through December 31, 2024 (Pub. L. 117-328).

Prescribing rules are governed by the DEA under the Controlled Substances Act (21 U.S.C. § 802 et seq.). The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 generally requires an in-person medical evaluation before a practitioner can prescribe a controlled substance via telemedicine. The DEA proposed special registration rules for telemedicine prescribing in 2023 that would create limited exceptions — a rulemaking process that remained active as of 2024. The full prescribing framework is detailed at Telehealth Prescribing Rules.

Privacy enforcement falls to the HHS Office for Civil Rights (OCR) under HIPAA. During the public health emergency, OCR exercised enforcement discretion allowing providers to use non-HIPAA-compliant video platforms. That discretion expired May 11, 2023, restoring standard HIPAA requirements for telehealth sessions. Compliance specifics are covered at Telehealth HIPAA Compliance.

Causal relationships or drivers

The pandemic accelerated federal telehealth policy by roughly a decade in approximately 13 months. Before March 2020, Medicare telehealth coverage was tightly constrained — patients generally had to be in a rural area and physically present at a qualifying originating site such as a clinic or hospital. The CARES Act of 2020 (Pub. L. 116-136) and HHS waivers under Section 1135 of the Social Security Act stripped away originating-site restrictions, expanded eligible practitioners, and enabled audio-only services.

The underlying driver was utilization: CMS reported that Medicare telehealth visits increased from approximately 840,000 in 2019 to 52.7 million in 2020 (CMS Medicare Telehealth Trends Report). That surge generated an evidence base — and a constituency — for permanent expansion that simply had not existed before.

Broadband access emerged as a parallel driver. The FCC's Connected Care Pilot Program, authorized under the Communications Act, committed approximately $100 million to support telehealth connectivity for low-income patients and rural providers (FCC Connected Care Pilot Program). The Infrastructure Investment and Jobs Act of 2021 (Pub. L. 117-58) added $65 billion for broadband expansion, recognizing connectivity as a prerequisite for telehealth access rather than a secondary concern. Infrastructure and access challenges are examined at Telehealth Broadband and Connectivity.

Classification boundaries

Federal policy draws a precise distinction between service categories that determines both coverage and payment:

These distinctions are not academic. Billing a virtual check-in as a telehealth visit, or RPM as a face-to-face encounter, creates false claims exposure under 31 U.S.C. § 3729.

Tradeoffs and tensions

The central tension in federal telehealth policy is permanence versus proof. Congress and CMS expanded coverage dramatically under emergency authority, but converting temporary waivers into permanent policy requires either legislative action or formal rulemaking with an evidentiary record. The research base for many expanded services — audio-only visits, home-originating site coverage, mental health exceptions — is still developing, creating genuine uncertainty about long-term clinical and financial effects.

A second tension runs between fraud control and access. The Department of Justice prosecuted over $1.2 billion in telehealth-related healthcare fraud in 2022 alone (DOJ Health Care Fraud and Abuse Control Program, FY2022), most involving fraudulent orders for genetic testing, orthotic braces, or controlled substances ordered by practitioners who never interacted with patients. The policy response — tightened prescribing rules, enhanced audit triggers for high-volume telehealth billers — inevitably creates friction for legitimate providers serving underserved populations. Rural and frontier providers bear a disproportionate share of compliance overhead relative to their urban counterparts.

The DEA prescribing rulemaking illustrates this tension at its sharpest: restricting telehealth prescribing of controlled substances reduces diversion risk but imposes real barriers for patients managing opioid use disorder or ADHD in areas with no local psychiatrist. The National Alliance on Mental Illness (NAMI) and addiction medicine organizations have both filed formal comments opposing the most restrictive interpretations of the proposed rule.

Common misconceptions

Misconception: Federal law determines whether a provider can practice telehealth across state lines.
Federal law sets coverage and payment rules. Licensure — the actual legal authority to practice medicine — remains a state function. A provider licensed only in California cannot legally treat a patient located in New York via telehealth simply because Medicare pays for the service. The licensure framework is detailed at Telehealth State Laws and Licensure.

Misconception: The pandemic telehealth waivers are still in effect.
The COVID-19 public health emergency ended May 11, 2023. Some waivers converted to statutory extensions through legislation; others did not. Audio-only mental health services and home originating sites for mental health specifically were made permanent by the Consolidated Appropriations Act, 2023 for qualified practitioners — but this is a targeted exception, not a blanket continuation of all pandemic-era flexibility.

Misconception: HIPAA prohibits recording telehealth sessions.
HIPAA does not categorically prohibit recording clinical encounters. Recordings constitute protected health information and must be secured accordingly under the Security Rule, and state consent laws (not federal law) typically govern whether recordings require patient permission. The federal framework addresses storage and access, not the act of recording itself.

Misconception: All telehealth services are reimbursed at the same rate as in-person care.
Medicare payment parity — paying non-facility rates for home-originating telehealth — applied under temporary authority. The default Medicare payment model distinguishes between facility and non-facility rates, which affects physician take-home reimbursement. Parity provisions require active legislative renewal. See Telehealth Reimbursement Rates for current rate structures.

Checklist or steps (non-advisory)

The following sequence describes the standard federal compliance verification process for a healthcare organization establishing a telehealth program:

  1. Identify applicable CMS coverage categories — Confirm that each intended service type appears on the current Medicare Telehealth Services List and verify whether the designation is permanent, temporary, or provisional.
  2. Confirm CPT/HCPCS codes and Place of Service codes — Match service type to the correct billing code and POS designation (02 or 10 for telehealth; separate codes for virtual check-ins and e-visits).
  3. Review DEA registration status — Determine whether any practitioners will prescribe Schedule II–V controlled substances and assess Ryan Haight Act applicability and any applicable DEA telemedicine exceptions.
  4. Audit HIPAA technical safeguards — Confirm that the telehealth platform vendor has executed a Business Associate Agreement and that the platform meets HIPAA Security Rule standards under 45 CFR § 164.312.
  5. Verify state licensure for all patient locations — Federal coverage eligibility does not confer state practice authority. Each practitioner must hold a valid license in the state where the patient is physically located at the time of service.
  6. Review informed consent requirements — Federal law does not mandate a uniform telehealth informed consent form, but CMS conditions of participation and individual state laws may require documented consent. See Telehealth Informed Consent.
  7. Establish fraud and abuse controls — Implement documentation standards sufficient to support medical necessity claims and configure billing audits to flag outlier patterns consistent with OIG workplan priorities.
  8. Monitor rulemaking calendars — CMS publishes the proposed Physician Fee Schedule each July for comment, with final rules in November. DEA telemedicine rulemaking dockets are tracked at regulations.gov.

Reference table or matrix

Federal Authority Governing Agency Primary Statute Scope
Medicare telehealth coverage CMS Social Security Act, 42 U.S.C. § 1395m(m) Coverage, service list, payment rates
Medicaid telehealth CMS (state-administered) Social Security Act, Title XIX State flexibility within federal floor
Controlled substance prescribing DEA Controlled Substances Act, 21 U.S.C. § 802; Ryan Haight Act (2008) Telemedicine prescribing of Schedule II–V drugs
Privacy and data security HHS Office for Civil Rights HIPAA, 45 CFR Parts 160 and 164 PHI transmission, storage, access controls
Broadband infrastructure FCC Communications Act; Infrastructure Investment and Jobs Act (2021) Connectivity subsidies for rural/low-income providers
Fraud and false claims DOJ / HHS OIG False Claims Act, 31 U.S.C. § 3729 Fraudulent billing enforcement
Emergency authority HHS Secretary Social Security Act, § 1135 Waiver authority during declared public health emergencies

The National Telehealth Authority home resource provides orientation to how these federal frameworks interact with state-level rules, insurance requirements, and clinical practice standards. The post-pandemic evolution of these rules — including which waivers became permanent and which expired — is examined at Telehealth Post-Pandemic Policy Changes.

References