A straightforward walkthrough of what happens when TeleVerify runs a compliance check—from patient location verification to cryptographically signed audit packets.
TeleVerify is a telehealth compliance platform that runs a multi-step verification at the moment of every patient encounter. This post walks through exactly what happens during that check—from the patient's location verification to the signed compliance packet that comes out the other end. No marketing language, just the actual flow.
When a telehealth session starts (via the Zoom sidebar integration or direct platform access), the patient confirms their physical location. TeleVerify verifies this using GPS-based geolocation, cross-referenced against IP data. The system detects VPN and proxy connections and flags them—because a patient using a VPN could mask their true location, which defeats the purpose of location-based compliance.
The verified location is then resolved to a state code. This becomes the jurisdiction for all downstream checks.
With the patient's state confirmed, TeleVerify checks whether the provider holds an active license in that state. This pulls from the provider's credential record, which includes all state licenses, their status, and expiration dates. A single denied match here would normally stop the flow—but interstate compacts can change that outcome.
If the provider doesn't hold a direct license in the patient's state, TeleVerify checks whether an interstate compact covers them. The major compacts each have different member states and eligibility rules:
TeleVerify knows which compacts the provider belongs to and which states each compact covers. It determines whether compact privilege applies to this specific encounter in seconds.
Before the compliance determination is finalized, the provider's NPI is checked against the HHS Office of Inspector General's List of Excluded Individuals/Entities (LEIE). This is the federal sanctions list—providers on it are barred from participating in federal healthcare programs.
TeleVerify maintains a local copy of the LEIE containing 8,375+ excluded provider NPIs, refreshed daily from HHS. If the provider is on the list, the determination is automatically NON_COMPLIANT with a sanctions block, regardless of licensure status.
All four checks converge into a single compliance determination. The result is one of three states:
Each determination includes specific reasons and flags. This entire process happens in under 2 seconds.
This is where TeleVerify goes beyond a simple pass/fail check. The entire compliance determination—every field, every data source, every timestamp—is assembled into a canonical packet and digitally signed using Ed25519 cryptography. The signature mathematically proves that the packet hasn't been altered since it was created.
The signing key rotates quarterly, and old packets remain verifiable against the key that signed them. This means a compliance check from six months ago can still be independently verified, creating an immutable record.
Anyone can verify a TeleVerify compliance packet. The public verification key is available at a public API endpoint. TeleVerify publishes working verification code in JavaScript, Python, and curl+openssl. An insurer doesn't need to trust TeleVerify—they can verify the signature themselves, confirm the packet is unaltered, and know exactly what was checked at the moment of care. This is the same standard used in financial transaction systems and legal document authentication.
The compliance packet isn't proprietary. The signature proves the data hasn't been tampered with, but you're not locked into accepting our word for it. You can verify independently.
Every compliance check is recorded in a hash-chained audit log. Each record's hash incorporates the previous record's hash, creating a mathematical chain. Altering, removing, or reordering any record breaks the chain—and an integrity check instantly detects it. This means the audit trail itself is tamper-evident, not just the individual packets.
In a regulatory audit or dispute, you have proof not just that compliance was checked, but that the entire record of checks hasn't been manipulated.
For solo providers: Every session produces proof that compliance was verified, automatically, without disrupting the clinical encounter. You're protected by cryptographic evidence, not just documentation.
For organizations: The insurer dashboard provides portfolio-wide compliance visibility with drill-down into any session's signed packet. You can show payers, attorneys, and regulators exactly what was verified and when.