
Telemedicine Best Practices: Compliance and Security

By: MyAdvice at MagMutual

Telemedicine has evolved from its pandemic-era role to become a standard part of care delivery. As federal and state regulators revisit the temporary waivers that expanded access during the COVID-19 public health emergency, physicians must remain vigilant about changing rules. Heightened HIPAA oversight and increased scrutiny of documentation standards mean that telehealth regulations are becoming more complex. Key legal and regulatory exposures in telemedicine include licensing, remote prescribing, HIPAA compliance and cybersecurity.

This article addresses the legal, privacy and security requirements for telemedicine and the actions organizations must take to meet them.

New Norms and Evolving Expectations 

Telehealth adoption surged during the COVID-19 public health emergency (PHE) and remains a significant component of healthcare. As of 2022, over 74% of physicians worked in practices offering telehealth. Today, hybrid and virtual-first care models are becoming more common, supported by improved integration with electronic health records (EHRs) and greater access to real-time patient data via remote monitoring. These advancements help improve care continuity and mitigate physician shortages. 

However, as telemedicine use increases, so do cybersecurity concerns. In 2024, legislators proposed changes to HIPAA to enhance security, which could impact telemedicine programs. Reimbursement policies and regulatory standards also remain inconsistent. While most payers reimburse for telemedicine, payment parity is not guaranteed, and flexibilities for audio-only visits and relaxed geographic restrictions may not be permanent. As policies evolve, physicians must stay current on federal and state regulations to avoid compliance risks. The following best practices are rooted in guidance from the Federation of State Medical Boards (FSMB), the AMA and other leading authorities.

Understand Licensure Requirements 

While many states issued temporary telemedicine waivers during the PHE, most have since expired. Through January 2026, Medicare beneficiaries can receive telehealth services anywhere in the U.S. Starting January 31, 2026, except for behavioral health services, beneficiaries will generally need to be in a medical facility and in a rural area to receive Medicare telehealth services. 

Typically, physicians must be licensed in the state where the patient is physically located. This determines which state’s medical board has jurisdiction. Physicians must comply with each state’s permanent licensing rules. Some states offer a telemedicine-specific registration, while over 40 states participate in the Interstate Medical Licensure Compact (IMLC), which expedites licensure in member states. 

For updates, the FSMB compiled a list of states that have relaxed or waived certain licensure requirements. 

Stay on Top of Remote Prescribing Rules

Before prescribing, physicians must establish a valid physician-patient relationship and conduct a thorough evaluation. This can be done via a real-time encounter or a combination of synchronous and asynchronous technologies. 

With controlled substances, regulations generally require a separate Drug Enforcement Administration (DEA) registration in the state where the patient is located. The DEA extended temporary waivers to the Ryan Haight Act through December 31, 2025, allowing remote prescribing of certain controlled substances. While a rule posted on the Office of Management and Budget (OMB) registry signals that the DEA may pursue an additional extension, those flexibilities remain time limited.

In 2025, the DEA finalized rules expanding access to buprenorphine via telemedicine, including prescribing without a prior in-person evaluation, while delaying implementation until the end of the year. As a result, the temporary telehealth flexibilities in place during 2025 are expiring, and providers should prepare for a more permanent regulatory framework. In parallel, the DEA has proposed, but not yet finalized, a special registration pathway that would allow certain providers to prescribe controlled substances via telemedicine without an in-person visit. As these changes take effect, close attention to updated federal and state requirements will be essential.

Maintain Comprehensive Telehealth Records 

Telemedicine medical records must meet the same standards as those for in-person care. This includes thorough documentation of all communications, evaluations, prescriptions and instructions. Records should note the patient’s location and the modality used, and they should be stored in a transferable format that meets retention requirements. Insufficient detail on patient-reported symptoms, and encounters cut short by connectivity issues, are common gaps that weaken documentation.

Choose HIPAA-Compliant Partners 

All telemedicine services must now fully comply with HIPAA. This requires ensuring that both your organization and any vendors meet the requirements for protecting electronic protected health information (ePHI). Select a platform that offers robust, built-in privacy protections and is willing to sign a business associate agreement (BAA). Do not rely on vague claims of compliance; request detailed documentation of the vendor’s privacy and security practices.

Implement Privacy and Security Safeguards 

Protecting patient privacy is a core component of telemedicine best practices. The federal government is intensifying its oversight of telehealth security. The Office for Civil Rights (OCR) has proposed updates to the HIPAA Security Rule, which include new requirements for encryption of ePHI, use of multi-factor authentication and formal compliance audits. 

Key recommendations for telemedicine privacy include: 

  • Verifying who is present during each visit.
  • Using unique user IDs, password-protected platforms and automatic logoffs.
  • Encrypting all transmitted health data.
  • Clearly disclosing patient rights related to health data access and use.

Telemedicine Resources   

To assist with telemedicine compliance, consider the following:

  • American Hospital Association – Telemedicine Waivers
  • American Telemedicine Association
  • Center for Connected Health Policy
  • Centers for Medicare & Medicaid Services
  • HHS – HIPAA & Telehealth Guidance
  • The National Consortium of Telehealth Resource Centers


Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.