After reviewing provider forums, professional guidance, and a 2024 federal court filing, a clear pattern emerges: most providers fall into one of four camps when it comes to verifying patient location. Only one of them is sustainable.
Telehealth location compliance sounds simple: before each session, verify that your patient is physically located in a state where you're authorized to practice. Document it. Move on.
In practice, providers have developed very different approaches to this requirement — and most of them don't hold up under scrutiny.
This is the largest group. Many solo practitioners and small group practices simply don't know that location verification is required on a per-session basis. The common misconceptions are understandable: the patient's address on file is sufficient, being licensed in the patient's "home state" covers every session, or interstate compacts eliminate the need for location checks entirely.
None of these are correct. A patient's home address tells you where they live, not where they are right now. Interstate compacts still require knowing which state the patient is in — the compact determines whether you're covered in that state, but only if you actually check. And licensure in a patient's home state doesn't help when that patient is sitting in their sister's living room in a different state for Thanksgiving.
Why it doesn't work: Ignorance isn't a defense. Professional guidance is clear on this point — multiple malpractice insurers have published advisories stating that it is the provider's responsibility to verify patient location at every session. Not knowing the rule doesn't protect you if the rule is enforced.
The good news: This group is the most receptive to solutions once they understand the risk. There's no ideological resistance — just a knowledge gap.
Some providers understand the compliance requirement but feel the burden is unmanageable, especially those practicing across five or more states. Their workaround: ask the patient verbally at the start of each session, make a note in the chart, and hope for the best.
These providers will often admit — privately, in forums and peer groups — that their documentation wouldn't survive a serious audit. They know that "patient stated she is in Connecticut" written in their own clinical notes is them corroborating themselves, not independent verification.
Why it doesn't work: Verbal confirmation creates no independent documentation. If you're audited, you have your own notes attesting to a fact that only you witnessed. That's the compliance equivalent of grading your own homework. It's also vulnerable to honest patient error — patients don't always realize they need to tell you they crossed a state line for the weekend.
What makes this group important: They're actively looking for a better solution. They understand the problem and would adopt automation if it existed and didn't add friction to their sessions.
A smaller but notable group deliberately avoids asking about patient location. Their logic: if they don't know the patient is in a non-compliant state, they can claim ignorance.
This isn't just an individual provider behavior. A 2024 federal lawsuit — Illinois Nurses Association v. Rosenblatt et al. (N.D. Ill., No. 1:24-cv-12379) — revealed that a major hospital system's internal guidance stated there was no requirement for nurses to ask patients for their physical location during certain telehealth interactions. The nurses' union challenged this posture, arguing it put nurses at personal legal risk by requiring them to provide telehealth services to patients in states where they weren't licensed, without ever establishing which state the patient was in.
The case illuminated something important: some healthcare organizations have formalized a de facto "don't ask" approach to location compliance — not out of ignorance, but as a deliberate operational choice to avoid triggering obligations they'd rather not meet.
Why it doesn't work: This is the riskiest approach of all. Professional guidance uniformly states that ignorance of patient location is not a defense — the responsibility to verify falls on the provider regardless of whether they asked. And if it ever comes to light that a provider or organization deliberately avoided checking, that transforms a compliance gap into something that looks much more like willful non-compliance. Auditors and licensing boards treat those very differently.
The fourth approach — and the only sustainable one — uses technology to verify the patient's physical location independently, check it against the provider's licensure and compact coverage, screen against federal exclusion lists, and produce a cryptographically signed compliance packet that any third party can verify independently.
This means the provider doesn't rely on the patient's self-report, doesn't create their own documentation of a fact only they witnessed, and has an independent audit trail where every record is mathematically linked to the one before it — making it impossible to alter, remove, or reorder entries without detection. The compliance packet is signed with an Ed25519 digital signature, and anyone — an insurer, an auditor, a licensing board — can verify it using a public key without needing access to the provider's systems.
Why it works: It satisfies the compliance requirement, creates documentation that holds up under audit, screens every encounter against the HHS Office of Inspector General's exclusion list in real time, and runs in the background without disrupting the clinical encounter. When an insurer asks "how did you verify compliance?", the answer isn't "I asked the patient" — it's a signed, independently verifiable record that proves exactly what was checked, when, and what the result was.
There's a reason approaches 1 through 3 are so common: both providers and patients have incentives to look the other way.
Providers don't want to discover that a session is non-compliant — because then they face a choice between canceling the session (losing revenue, disappointing a patient) or proceeding with documented knowledge that they're out of compliance. Patients, meanwhile, sometimes actively want to disguise their location. In online forums, patients ask questions about using VPNs to hide their location during telehealth visits so they can continue seeing a provider they trust in another state.
When both sides prefer not to look too closely, the compliance gap grows invisibly. That's precisely why it's so dangerous: the violations accumulate without anyone noticing, until an audit, a malpractice claim, or an insurer review brings them to light all at once.
The providers relying on approaches 1 through 3 aren't bad practitioners. Most of them are doing their best with the tools and information available to them. But the compliance landscape is shifting: the DOJ's 2025 national healthcare fraud takedown — the largest in U.S. history — charged 324 defendants in connection with $14.6 billion in alleged fraud, with telehealth schemes as a significant component. The OIG has flagged telehealth compliance for priority auditing. Malpractice carriers are updating their coverage language. States are tightening enforcement.
The window for getting ahead of these changes is still open. But the providers who will navigate this transition most smoothly are the ones who move to independent, documented location verification before anyone comes asking for it — not after.