When an insurer audits a telehealth claim, they ask one question: can you prove the provider was licensed in the patient's state at the time of service? Here's what that process looks like — and what separates the providers who pass from those who don't.
Most providers have never been through a telehealth compliance audit. But the mechanics are straightforward. An insurer pulls session records and asks a single question: was the provider properly licensed in the patient's state at the time of service?
The answer needs to be provable. Not asserted. Not reconstructed from memory. Not inferred from a chart note saying "patient confirmed in-state." Provable in a way that an external auditor — someone with no stake in your answer — can independently verify.
This is where most providers discover a gap between what they think they documented and what actually stands up to scrutiny.
An audit examines a specific checklist. If you understand what's on it, you understand what needs to be in place before an auditor ever arrives at your door.
Was the provider licensed in the patient's state? This seems basic, but it's not. A provider can be licensed in 15 states. If a patient takes a session from a state where the provider isn't licensed, the session is non-compliant — full stop. The auditor will cross-reference the provider's NPI against state licensing board databases for the state where the patient was located.
Was the provider's license active at the time of service? A license can be current on the day the session happened but have been suspended or expired the day before. Auditors run date-specific checks against state licensing boards to confirm the license was in good standing at the moment of care.
Was the provider a member of an applicable interstate compact? IMLC (physical therapy, occupational therapy) and PSYPACT (psychology) allow providers to practice across state lines under specific conditions. Membership status matters, and so does whether the session falls within the compact's allowable scope. An auditor will verify compact membership and confirm the session type is covered.
Was the provider excluded from federal healthcare programs? The Office of Inspector General maintains the HHS Exclusion List — 8,375+ excluded providers as of 2026. If a provider is on that list, they cannot bill Medicare, Medicaid, or other federal programs, period. An auditor runs the provider's NPI against the exclusion list and flags any match immediately.
Is there documentation of patient location verification? Auditors want proof that location was actually checked. A chart note from the session isn't proof — it's a claim made by the provider. Independent verification (GPS, IP address analysis, third-party confirmation) carries weight that a provider's own notation doesn't.
When was the documentation created? This is the question that trips up most providers. Was the compliance determination created at the time of service, in real time? Or was it reconstructed later, when the audit request came in? The timestamp matters enormously. Documentation created after an audit is requested is viewed with suspicion. Documentation created at the moment of care, before any regulatory pressure, is treated as reliable.
Most providers can answer "yes" to the first few questions. The problem is proving it.
A typical scenario: A provider's chart note says "Patient confirmed location: Connecticut." This is documentation. But whose documentation? The provider's own documentation. An auditor reads this and notes that the provider is making a claim about what the patient said, but there's no independent record of the patient confirming anything. The patient could have been confused. The provider could have misunderstood. There's no timestamp showing when this notation was added. It could have been written in real time, or it could have been added three months later when the audit question came in.
This isn't about bad faith. It's about the standard of evidence. Self-generated documentation and independently verified records are treated very differently in a compliance audit. Auditors understand that when someone's being questioned, they're incentivized to reconstruct a favorable narrative. That's why independent verification carries weight that self-attestation doesn't.
The consequence is subtle but critical: if your documentation hinges entirely on your own chart notes, an auditor has grounds to question it. You've created what's called "single-source verification": you're the only person saying location was checked. An auditor wants to see records where someone other than the provider has made an independent determination.
Audit-grade documentation has three properties that transform how auditors treat it: it's timely, it's independently verifiable, and it's tamper-proof.
Timely: The compliance determination is generated at the moment of care, during the session or immediately after — before any question is raised, before any audit request arrives. This eliminates the suspicion that documentation was reconstructed to respond to scrutiny.
Independently verifiable: The record includes elements that someone outside the provider's organization can confirm. An OIG exclusion check run against the federal HHS exclusion list isn't the provider's opinion — it's a yes-or-no fact that can be re-checked against the same authoritative source. A license status check can be verified against state licensing databases. Location verification with cryptographic proof can be checked against a public key, without needing access to the provider's systems.
Tamper-proof: The documentation is cryptographically signed so that any alteration since creation is immediately detectable. If an auditor verifies the signature, they know the record hasn't been modified since it was created. For organizations managing multiple providers across multiple sessions, hash-chained audit logs make it impossible to remove, alter, or reorder records without breaking the mathematical chain linking them. If even one byte changes, the entire chain breaks. An auditor can audit the audit trail itself.
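To make the hash-chained audit log described above concrete, here is an added example (not code from this article or any product it describes). It shows how a verifier detects an altered, removed, or reordered record, and why the newest hash must also be held or signed outside the log store. SHA-256, the record fields, the placeholder NPI, and all function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash used for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]  # new head; publish or sign this outside the log store

def verify(log, anchored_head=None):
    """Walk the chain and return (ok, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, f"entry {i}: link broken (removed or reordered)"
        if entry_hash(entry["prev"], entry["record"]) != entry["hash"]:
            return False, f"entry {i}: record altered"
        prev = entry["hash"]
    # Without an externally held head, dropping the newest entries (or
    # recomputing the whole chain) leaves a chain that is still self-consistent.
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored value"
    return True, "ok"

def build_sample_log():
    # Constructed sample sessions; the NPI is a placeholder, not a real provider.
    log, head = [], GENESIS
    for n, state in enumerate(["CT", "NY", "CT", "MA"], start=1):
        head = append(log, {
            "session_id": f"S-{n:04d}",
            "provider_npi": "0000000000",
            "patient_state": state,
            "license_active": True,
            "oig_excluded": False,
            "created_at": f"2026-01-0{n}T15:00:00Z",
        })
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify(log, head))
    log[1]["record"]["patient_state"] = "CT"  # after-the-fact edit
    print(verify(log, head))
```

The anchored head stands in for the signed or independently held value an auditor would check; the chain alone only proves internal consistency.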
This is what separates documentation that an auditor views with skepticism from documentation that an auditor accepts as conclusive. When a compliance packet exists with cryptographic proof of integrity, with each element independently verifiable against authoritative sources, with a timestamp proving it was created in real time — that's documentation that passes audit scrutiny.
And critically, all of this needs to happen fast. Not days later. Not during billing reconciliation. During the session, in under 2 seconds, automatically.
For compliance officers and organizations managing multiple providers: insurers are increasingly demanding portfolio-level visibility into compliance status. They want to see, in real time, that every provider is properly licensed, every session is documented, and every OIG check has been performed.
This shifts the compliance model from reactive to proactive. Reactive compliance means scrambling to produce records after an audit request arrives. You're searching through charts, pulling together notes, trying to reconstruct what happened weeks or months ago. Proactive compliance means the records exist, are verified, and are ready before anyone asks for them.
A dashboard showing real-time compliance status across all providers and sessions does several things:
It surfaces non-compliance before it becomes a liability. If a provider's license is about to expire, the dashboard flags it. If a provider is working in a state outside their compact coverage, the system alerts you. If an OIG exclusion occurs, you know immediately.
It prepares your response to audits. When an insurer requests records for a specific session, you can immediately drill into that session's signed compliance packet, pull the cryptographic signature, and hand the auditor a complete, verifiable record. You're not reconstructing. You're not searching. The documentation exists and is ready.
It demonstrates institutional control to auditors. When an insurer sees that you have systematic, automated compliance checking for every session, with independently verifiable documentation for every provider, the audit process moves from suspicion ("Can you prove this?") to confirmation ("Yes, here's your proof").
The financial and regulatory consequences of failing a compliance audit are substantial and extend well beyond the specific audited claim.
These aren't hypothetical scenarios. They're what insurers do when compliance documentation fails to hold up to scrutiny.
The providers who pass audits without issue are rarely the ones scrambling to produce documentation after the fact. They're the ones whose documentation was created automatically, at the moment of care, with cryptographic proof that it hasn't been changed since.
Their compliance packet includes:
When an auditor requests this, they get a complete, verifiable record. They can check the signature themselves using a public key. They can re-run the OIG exclusion check against the federal database and confirm the result matches the packet's documentation. They can see that the record was created at the moment of service, not reconstructed later.
The audit moves quickly. The documentation passes. The risk is managed.
Telehealth audit activity is increasing. The OIG's work plan has prioritized telehealth compliance for multiple consecutive years. Federal enforcement actions are hitting record levels. State boards are getting more aggressive. Malpractice insurers are adding telehealth-specific endorsements that explicitly address location verification.
Most providers still haven't been audited. That doesn't mean audits aren't coming. It means we're still in a period where compliance failures are common but detection is incomplete. That window is closing.
The time to have documentation in place is now, before an auditor ever asks for it. Not because you're afraid of being caught, but because when documentation matters this much, it's simply what responsible practice looks like.