If you practice telehealth across state lines, the compliance landscape has already changed around you. Here's what happened — and what's still coming.
Most telehealth providers handle location compliance the same way: ask the patient where they are, jot it in the notes, move on. It worked well enough for a while. No one was fined for it. No one lost their license over it.
That era is ending — not because of one dramatic event, but because four separate forces converged at the same time, and most providers haven't caught up.
The COVID-era flexibilities that allowed many providers to practice across state lines without full licensure have spent the past two years expiring, being reinstated, expiring again, and being extended. Key Medicare flexibilities lapsed on September 30, 2025. A spending bill restored them through January 30, 2026. The Consolidated Appropriations Act, 2026, then extended core flexibilities through December 31, 2027.
On its face, that sounds like good news. But the compliance risk isn't gone — it's changed shape.
First, the extensions are not universal. Physical therapists, occupational therapists, speech-language pathologists, and audiologists lost Medicare telehealth coverage starting January 31, 2026. Providers in those categories who assumed the extensions would cover them as before are now potentially practicing without reimbursement authorization and possibly without licensure coverage — without realizing it.
Second, the cycle of near-misses has trained providers to believe that Congress will always come through. That assumption has no foundation. Each extension is negotiated separately, attached to must-pass funding bills, and subject to political uncertainty. Providers who have structured their practices around the assumption that flexibilities are permanent have created structural compliance risk.
Third, the extensions don't eliminate the core obligation: knowing which state your patient is physically located in, and being authorized to practice there. That requirement exists under state licensing law regardless of whether Medicare flexibilities are in effect. The waivers affect reimbursement. They don't create a license.
Some malpractice carriers have begun flagging that they would struggle to defend a claim if the provider had inadequate documentation of the patient's geographic location at the time of the session. This isn't a coverage mandate yet, but it's the early signal that precedes one.
The standard professional liability policy covers services rendered "within the scope of licensure." If you deliver care to a patient in a state where you're not properly licensed, your insurer has grounds to deny the claim entirely — leaving you personally liable for the full amount.
When insurers start requiring location documentation as a coverage condition — the way they already require informed consent documentation — providers who can't produce it will face a very different conversation with their carrier. Several major carriers have already added explicit telehealth endorsements and exclusions to their standard policy language.
Where your patient is located now affects more than just licensing. Washington's My Health My Data Act prohibits geofencing around health facilities and tightly regulates consumer health data not covered by HIPAA. California AB 352 restricts out-of-state disclosures for sensitive services including reproductive care, contraception, and gender-affirming care.
These laws mean that a patient's physical location at the time of a session determines not just whether you're licensed to treat them, but which data handling rules apply, which consent requirements you must meet, and which disclosure restrictions govern the encounter. Location verification is becoming multi-purpose compliance infrastructure, not just a licensing checkbox.
More states are moving in this direction. At least 19 states have enacted or substantially advanced consumer health data privacy legislation modeled on Washington's law.
The Office of Inspector General's work plan has explicitly included telehealth compliance as a priority audit area for multiple consecutive years, and the enforcement numbers have followed. In June 2025, the DOJ announced the largest healthcare fraud takedown in U.S. history: 324 defendants charged in connection with over $14.6 billion in alleged fraud, with telehealth schemes as a significant component. This followed the 2024 action that charged 193 defendants with $2.75 billion in intended losses.
The November 2025 conviction of Done Global's CEO and clinical president — in the DOJ's first criminal drug distribution prosecution arising directly from a telehealth company's prescribing model — marked a clear shift in how federal prosecutors view telemedicine-enabled violations. The legal infrastructure for telehealth enforcement now exists, is funded, and is producing results.
When auditors start pulling session records and asking "how did you verify the patient's location?", the providers who can produce a timestamped, independent verification record will fare very differently from those who say "I asked them."
None of these forces are theoretical. The waiver cliff has already happened — twice. Insurers are already updating their coverage language. State privacy laws are already in effect. The 2025 DOJ enforcement action is already on the books.
The providers who have documentation infrastructure in place before enforcement ramps up will be the ones who navigate it smoothly. The ones still relying on verbal confirmation and chart notes will be the ones scrambling to catch up.
This is why the standard for compliance documentation is moving beyond simple timestamped records. The question an auditor will ask isn't just "did you verify?" but "can you prove the record hasn't been altered since the session?" Cryptographically signed compliance packets — where every determination is digitally signed at the moment of care and independently verifiable by any third party — represent the emerging standard. Combined with real-time screening against the OIG's List of Excluded Individuals and hash-chained audit logs that make tampering mathematically detectable, this is what defensible compliance infrastructure looks like in the current enforcement environment.
The question isn't whether location compliance will matter. It's whether you'll be ready when someone comes asking.