Specialty Practices Built Telehealth Fast. Compliance Did Not Keep Up.
When specialty practices launched telehealth programs during the pandemic, speed mattered more than regulatory precision. CMS temporarily relaxed dozens of rules, and providers focused on getting patients connected. That approach made sense in 2020. In 2026, it creates compliance exposure.
The temporary flexibilities are gone or narrowed. The enforcement environment has returned to normal. And specialty practices that have not audited their telehealth programs against current regulations are operating on assumptions that may no longer be valid.
Here are the five compliance blind spots we see most frequently.
Blind Spot 1: The In-Person Visit Requirement for Mental Health
CMS requires that patients receiving Medicare telehealth mental health services have an in-person visit within six months of the initial telehealth encounter and at least annually thereafter. Psychiatry, psychology, and behavioral health practices that built fully virtual models during the pandemic must now ensure patients are seen face-to-face on the required schedule.
The exception process is narrow. A provider can waive the in-person requirement for a particular patient if they document that the in-person visit is not clinically warranted or the patient is unable to travel. But this exception must be documented in the medical record for each instance. Blanket waivers do not satisfy the requirement.
Practices without a tracking system for in-person visit compliance are at significant audit risk.
Blind Spot 2: Modifier Usage Errors
Telehealth claims require specific modifiers that indicate the service was delivered remotely. Modifier 95 (synchronous telemedicine) and modifier GT (via interactive audio and video) have different applications depending on the payer. Medicare currently uses modifier 95 for real-time audio-video telehealth.
Place of Service (POS) codes add another layer. POS 02 (telehealth provided other than in the patient’s home) and POS 10 (telehealth provided in the patient’s home) must be applied correctly. Using the wrong POS code changes the reimbursement rate and can trigger audit flags.
Many specialty practices are still using pandemic-era modifier and POS code combinations that no longer align with current CMS guidance. A billing audit focused specifically on telehealth modifier accuracy should be a priority.
Blind Spot 3: State Licensure for Cross-Border Telehealth
During the public health emergency (PHE), many states temporarily waived the requirement that telehealth providers hold a license in the state where the patient is located. Those waivers have largely expired. Specialty practices seeing patients across state lines via telehealth must verify that the rendering provider holds an active license in the patient’s state.
Interstate medical licensure compacts help for some specialties and some states, but coverage is not universal. Practices operating across multiple states need a licensure tracking system that flags when providers are seeing patients in states where they lack credentials.
The compliance risk here is not just billing. Practicing medicine without a valid state license is a regulatory violation that can result in disciplinary action, fines, and exclusion from federal programs.
Blind Spot 4: HIPAA Platform Compliance
The HIPAA enforcement discretion that allowed providers to use consumer-grade platforms like FaceTime and standard Zoom during the PHE ended in 2023. Every telehealth encounter must now take place on a HIPAA-compliant platform with a signed Business Associate Agreement (BAA) between the practice and the technology vendor.
Some specialty practices still have clinicians using non-compliant platforms, particularly for ad hoc patient communications or follow-up check-ins that do not feel like formal telehealth encounters but technically qualify as protected health information exchanges.
Audit your platform usage across every provider and every clinical workflow. If PHI is being transmitted, the platform must be HIPAA-compliant. No exceptions.
Blind Spot 5: Informed Consent Documentation
Most states require documented informed consent before delivering telehealth services. The specific requirements vary: some states require written consent, others accept verbal consent with documentation in the medical record, and some require consent to be renewed annually.
Many practices obtained consent during initial pandemic-era telehealth visits and have not updated or renewed it since. If your state requires annual renewal and your consent forms are three years old, you have a documentation gap that creates liability.
Build telehealth consent into your standard patient intake workflow and renewal process. Document the consent method, date, and any patient questions in the medical record.
These five blind spots are fixable. The practices that audit proactively will avoid the fate of the practices that wait for an audit notification to discover the problems.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Nexwell Health Partners provides management services, telehealth solutions, and compliance support for safety-net hospitals, FQHCs, and specialty practices. Contact us to schedule a consultation.