Telehealth Regulatory Framework in the United States
The regulatory framework governing telehealth in the United States spans federal statutes, agency rulemaking, state licensing boards, and payer-specific coverage policies — creating a layered compliance environment that affects every encounter delivered outside a traditional in-person clinical setting. This page maps the authoritative sources, structural mechanics, classification distinctions, and contested boundaries within that framework. Understanding the architecture matters because a single telehealth encounter may simultaneously implicate CMS billing rules, DEA prescribing authority, state medical practice acts, and HIPAA privacy requirements.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
The Health Resources and Services Administration (HRSA) defines telehealth broadly as the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health, and health administration. That definition is deliberately technology-neutral and covers synchronous video visits, asynchronous store-and-forward transmission, and remote patient monitoring under a single umbrella.
Federal law has approached telehealth through targeted amendments rather than a single unified statute. Title XVIII of the Social Security Act (42 U.S.C. § 1395m(m)) establishes the conditions under which Medicare reimburses telehealth services, including originating site restrictions and eligible service categories. The Telehealth Modernization Act and pandemic-era waivers embedded in the Consolidated Appropriations Act of 2023 extended flexibilities originally authorized under the COVID-19 public health emergency, though those extensions carry defined expiration windows. The scope of regulatory authority therefore depends on the payer, the service modality, and the physical location of both patient and clinician at the time of the encounter.
State scope-of-practice laws add a second jurisdictional layer. All 50 states and the District of Columbia maintain independent medical practice acts that define which services constitute the practice of medicine and where that practice is deemed to occur — questions that become non-trivial when a clinician is licensed in one state and a patient sits in another.
Core mechanics or structure
The regulatory structure operates across four distinct but overlapping axes:
1. Licensure and practice authority. A clinician must hold a valid, unrestricted license in the state where the patient is physically located at the time of service (not where the clinician practices). The Interstate Medical Licensure Compact (IMLC), administered by the Interstate Medical Licensure Compact Commission, streamlines multi-state licensure for physicians but does not override individual state medical board requirements. As of 2024, 39 states, the District of Columbia, and Guam participate in the IMLC (IMLC Commission).
2. Prescribing authority. Controlled substance prescribing via telehealth is governed by the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (21 U.S.C. § 829), which requires at least one prior in-person evaluation before a practitioner may prescribe Schedule II–V substances via the internet absent a DEA-registered telemedicine registration. The DEA proposed telemedicine prescribing rules in 2023 that would create a special registration pathway — those rules remained in proposed rulemaking as of the date of the most recent Federal Register publication. Non-controlled prescribing follows state pharmacy and medical board rules.
3. Reimbursement and coverage. Medicare telehealth coverage and billing is governed by CMS under 42 C.F.R. § 410.78, which specifies eligible originating sites, distant site providers, and covered service types. Medicaid coverage varies by state: all 50 states cover at least some form of telehealth under Medicaid, but the specific modalities, provider types, and reimbursement rates differ. Private insurance parity laws in 43 states (as documented by the National Conference of State Legislatures as of 2023) require insurers to cover telehealth services when equivalent in-person services are covered, though payment parity — equal reimbursement rates — is required in fewer states.
4. Privacy and security. HIPAA's Privacy Rule (45 C.F.R. Parts 160 and 164) and Security Rule apply to telehealth encounters when a covered entity or business associate transmits protected health information electronically. The HHS Office for Civil Rights (OCR) enforces these requirements and has issued specific guidance on the use of audio-only telehealth and the permissibility of various communication technologies.
Causal relationships or drivers
The current regulatory complexity traces to three structural causes.
Federalism and dual sovereignty. Health care regulation in the United States is not preempted by a single federal authority. States retain police power over health professions licensing, and Congress has consistently legislated telehealth through the Medicare program — a payer-specific mechanism — rather than through a general federal practice standard. This architectural choice ensures that federal telehealth rules bind Medicare-participating providers and beneficiaries but leave Medicaid and commercial market rules to state legislatures and insurance commissioners.
Payer-driven policy cycles. CMS waivers during the COVID-19 public health emergency (declared under Section 1135 of the Social Security Act) temporarily suspended originating site requirements and allowed audio-only services, creating a temporary regulatory environment that dramatically expanded utilization. Congressional action was subsequently required to extend those flexibilities, illustrating how reimbursement policy — not clinical evidence — drives the pace of regulatory change.
Technology neutrality vs. technology specificity. Regulators have generally avoided prescribing specific platforms, defaulting to outcome-based standards (e.g., requiring "real-time audio and video" without mandating encryption protocols). This creates interpretive gaps that individual state boards fill inconsistently, producing what the American Telemedicine Association (ATA) has documented as a fragmented patchwork of state telehealth policies.
Classification boundaries
Regulatory treatment differs materially by service modality. Synchronous and asynchronous telehealth carry distinct reimbursement and documentation rules. The three primary modalities under federal and most state frameworks are:
- Synchronous (real-time interactive) telehealth: Two-way audio-visual communication between patient and provider. Medicare covers this under 42 C.F.R. § 410.78 with specific HCPCS/CPT codes.
- Store-and-forward (asynchronous) telehealth: Transmission of recorded health information (images, data, video clips) for review by a distant provider. Medicare covers store-and-forward only in federal telemedicine demonstration programs in Alaska and Hawaii under current statute.
- Remote patient monitoring (RPM): Collection and transmission of physiologic data from a patient's location to a clinician. CMS reimburses RPM under CPT codes 99453, 99454, 99457, and 99458, with documented requirements for device setup, data collection thresholds (at least 16 days of data per 30-day period), and clinical review.
Telehealth platform types and technologies further affect compliance obligations, particularly regarding HIPAA-compliant data transmission and the distinction between consumer applications and certified health IT.
Tradeoffs and tensions
Interstate licensure expansion vs. state sovereignty. Compact participation streamlines licensure but does not eliminate state-level disciplinary authority. States retain the right to enforce their own standards of care, and compact membership does not create uniform liability exposure or prescribing authority.
Flexiblity for access vs. fraud prevention. CMS has raised compliance concerns about telehealth fraud. The HHS Office of Inspector General (OIG) identified telehealth as a high-risk area in its 2023 Work Plan, noting cases in which fraudulent billing for telehealth services occurred at scale during the public health emergency. Tighter audit requirements reduce fraud but also increase administrative burden for legitimate providers.
Audio-only inclusion vs. clinical adequacy. Allowing audio-only encounters expands access for patients without broadband or devices capable of video, particularly among rural populations and older adults. However, clinical organizations including the American College of Physicians have noted that audio-only encounters may be inadequate for visual assessment-dependent diagnoses, creating a tension between equity and clinical standards.
Prescribing liberalization vs. controlled substance diversion. The Ryan Haight Act's in-person evaluation requirement was designed to prevent diversion of controlled substances. Relaxing that requirement to improve access to mental health and substance use disorder treatment carries documented diversion risks, as reflected in DEA's proposed special registration framework rather than blanket elimination of in-person requirements.
Common misconceptions
Misconception: A single federal telehealth license exists. No such license exists. Licensure remains state-specific. The IMLC expedites the process of obtaining multiple state licenses but does not constitute a federal override of state medical boards.
Misconception: HIPAA prohibits audio-only telehealth. HIPAA does not categorically prohibit audio-only encounters. HHS OCR guidance issued in 2022 clarified that audio-only telehealth can be HIPAA-compliant when appropriate safeguards — including patient verification and minimum necessary disclosure standards — are in place.
Misconception: Telehealth parity laws require equal reimbursement rates. Coverage parity (requiring insurance coverage for telehealth services) and payment parity (requiring equal reimbursement rates to in-person services) are legally distinct. The majority of state parity laws mandate coverage parity; payment parity laws are present in fewer states (the National Conference of State Legislatures tracks this distinction at ncsl.org).
Misconception: Pandemic waivers made all telehealth flexibilities permanent. The Consolidated Appropriations Act of 2023 extended specific Medicare telehealth flexibilities through December 31, 2024. Congress must act affirmatively to make any extension or modification permanent — automatic permanence did not occur. The Social Security Fairness Act of 2023, enacted on January 5, 2025, addressed Social Security benefit provisions but did not itself extend or modify Medicare telehealth flexibilities; telehealth extension remains subject to separate congressional action.
Checklist or steps (non-advisory)
The following outlines the regulatory compliance touchpoints typically associated with establishing a telehealth encounter, structured as a reference sequence rather than professional guidance.
- Confirm patient physical location at time of service — determines which state's practice act governs.
- Verify clinician licensure in patient's state — check state medical board registry; confirm IMLC participation status if applicable.
- Identify payer type — Medicare, Medicaid, commercial insurance, or self-pay; each carries distinct coverage and billing rules.
- Determine service modality — synchronous video, audio-only, asynchronous, or RPM; confirm payer coverage for that modality.
- Apply correct billing codes — reference CMS HCPCS/CPT code list for Medicare; confirm place-of-service code (02 for telehealth other than home; 10 for patient home as of CY2023).
- Obtain informed consent — state-specific telehealth consent requirements vary; confirm whether the state requires written or documented verbal consent. See telehealth informed consent standards.
- Confirm HIPAA-compliant technology — verify the platform meets the Security Rule's technical safeguard standards (45 C.F.R. § 164.312).
- Document encounter per applicable standard of care — documentation requirements do not differ from in-person encounters under CMS guidelines.
- Apply prescribing rules if applicable — verify Ryan Haight compliance for controlled substances; check state prescription drug monitoring program (PDMP) requirements.
- Retain records per state statute — state medical records retention laws apply regardless of service modality.
Reference table or matrix
| Regulatory Domain | Primary Authority | Governing Instrument | Scope |
|---|---|---|---|
| Medicare telehealth reimbursement | CMS (HHS) | 42 C.F.R. § 410.78; Social Security Act § 1834(m) | Medicare beneficiaries and participating providers |
| Medicaid telehealth coverage | CMS + State Medicaid Agencies | State plan amendments; 42 C.F.R. Part 440 | Medicaid beneficiaries; varies by state |
| Clinician licensure | State Medical Boards | State Medical Practice Acts | All providers treating patients in that state |
| Interstate licensure compact | IMLC Commission | Interstate Medical Licensure Compact (statutory) | Physicians in 39 states + DC + Guam (2024) |
| Controlled substance prescribing | DEA (DOJ) | Ryan Haight Act; 21 U.S.C. § 829 | All practitioners prescribing controlled substances |
| Privacy and data security | HHS OCR | HIPAA Privacy Rule (45 C.F.R. Part 164); Security Rule | Covered entities and business associates |
| Fraud and abuse | HHS OIG; DOJ | Anti-Kickback Statute; False Claims Act | Medicare and Medicaid participants |
| Commercial insurance parity | State Insurance Commissioners | State telehealth parity statutes | Commercial plan enrollees in parity states |
| Informed consent | State Medical/Telemedicine Boards | State telehealth consent statutes | All telehealth practitioners in that state |
| Prescribing non-controlled substances | State Pharmacy Boards | State pharmacy and prescribing acts | All practitioners with prescribing authority |
| Social Security benefit provisions | SSA (HHS) | Social Security Fairness Act of 2023 (enacted January 5, 2025) | Social Security beneficiaries affected by WEP and GPO provisions; does not directly govern telehealth reimbursement |
For detailed billing code reference, the American Medical Association CPT code set and the CMS telehealth services list are the primary authoritative sources. State-level variation is tracked by the Center for Connected Health Policy (CCHP), which publishes a 50-state telehealth policy report updated biannually.
References
- Health Resources and Services Administration (HRSA) — Telehealth
- Centers for Medicare & Medicaid Services (CMS) — Telehealth Services
- CMS — Telehealth Codes List
- 42 C.F.R. § 410.78 — Telehealth Services (Electronic Code of Federal Regulations)
- HHS Office for Civil Rights — HIPAA for Professionals
- HHS Office of Inspector General (OIG) — Work Plan
- Drug Enforcement Administration (DEA) — Telemedicine
- Interstate Medical Licensure Compact Commission (IMLCC)
- National Conference of State Legislatures (NCSL) — Telehealth Payment Parity
- Center for Connected Health Policy (CCHP) — State Telehealth Laws and Reimbursement Policies
- American Telemedicine Association (ATA)
- American Medical Association — CPT Codes
- Ryan Haight Online Pharmacy Consumer Protection Act — 21 U.S.C. § 829
- Social Security Fairness Act of 2023 — enacted January 5, 2025