Telehealth Compliance Architecture (HIPAA + State Boards + Prescribing)
The state board is the regulator with teeth in telehealth, not OCR. The architecture that survives a board complaint, not just a HIPAA audit, is built differently than most telehealth platforms ship.
Why HIPAA is the easy part of telehealth compliance When a telehealth platform engages us, the compliance brief almost always opens at HIPAA. PHI in transit and at rest. Videoconference vendor under BAA. EHR integration encrypted. Audit log retained for six years. The questions are correct, and the platform's CTO and general counsel have already answered them twice before we walked in. HIPAA is the part of telehealth compliance that is well-documented, well-understood, and well-supported by the vendor ecosystem. That is not the regulator the partners worry about for a multi-state platform. The regulator with teeth is the state medical board, the state nursing board, the state pharmacy board, the state behavioral health licensing authority. These are the bodies that issue the licenses every prescriber and clinician on the platform depends on, and the bodies that suspend, restrict, and revoke those licenses, quickly, publicly, and without the patient-by-patient deliberation an OCR investigation requires. A board complaint does not need to prove a breach. It needs to prove that a clinician practiced outside the scope of their license, prescribed in violation of the board's telehealth rules, or failed an obligation specific to remote care that does not appear anywhere in HIPAA. We have read board orders against telehealth prescribers in eleven states over the last two years. The HIPAA posture was, in every case, defensible. The clinician's license was at risk because of something else: a patient in a state where the clinician was not licensed, a controlled substance prescribed without satisfying the in-person evaluation requirement that applied to that state on that drug, a session recording made without two-party consent under that state's wiretap statute, an informed consent form that did not include language the state's telehealth rule specifically required. None of these failures show up on a HIPAA audit. All of them show up on a board complaint. The architecture that survives both regulators is not the architecture most telehealth platforms ship. Most ship the HIPAA architecture and assume the board layer is the practitioner's personal problem. That assumption is reasonable for a brick-and-mortar practice. It is unreasonable for a multi-state platform where patient location, practitioner licensure footprint, and platform routing logic together determine whether the encounter is legal. On a multi-state platform, the architecture is the practitioner's first line of defense, and if it does not enforce the board rules, the platform has delegated license risk to clinicians who do not have the data to manage it. This is a reference for building the architecture that satisfies both regulators. It walks through the licensing question, the prescribing rules post-Ryan Haight including the 2024 and 2025 DEA changes, the consent and recording rules the boards actually enforce, the architecture pattern that produces a board-defensible audit trail, the additional layer required for behavioral health under 42 CFR Part 2, and the named diagnostic the partners run inside the Pass-Your-Next-Audit line. Every regulatory assertion in this guide should be confirmed against current state board guidance with counsel before it is encoded into a platform's enforcement layer; state telehealth law moves, and the architecture that anticipates the movement is what holds up. Multi-state licensing: the practitioner question The first architectural decision for a multi-state telehealth platform is how it answers the licensing question on every encounter. The rule: a clinician must be licensed in the state where the patient is physically located at the time of the encounter, not where the clinician sits, not where the platform is incorporated, not where the patient's insurance is issued. The patient's physical location is the dispositive fact, and most state boards have been explicit that the burden of confirming it sits on the clinician. A clinician who treats a patient who turns out to be across a state line where the clinician is not licensed has practiced medicine without a license in that state, regardless of how the appointment was booked. The interstate compacts soften this in some specialties. The Interstate Medical Licensure Compact (IMLC) accelerates licensure in member states for qualifying physicians; it is not a single license, it is a faster path to multiple licenses. PSYPACT extends a true privilege-to-practice across member states for licensed psychologists doing telehealth. The Nurse Licensure Compact (NLC) extends a multistate privilege to RNs and LPN/LVNs. The Audiology and Speech-Language Pathology Compact, the Physical Therapy Compact, the Counseling Compact, and the Social Work Compact each cover their respective specialties. None of the compacts cover controlled-substance prescribing on their own; that lives separately under DEA rules. None cover every state. The compacts move, states join, states withdraw, the privilege rules change, and a platform that hard-codes the compact map is signing up to refactor the licensing layer every year. The pattern that holds up is the explicit licensure-status service. Before the connection is initiated, the platform resolves three facts: the patient's current state of physical presence (asked, attested, cross-checked against IP geolocation and the address on file), the clinician's primary licensure record, and the clinician's compact privileges or supplementary state licenses that cover the patient's state. The encounter is allowed only if the cross-product produces a positive answer. The cross-product is enforced at the platform layer, not left as a prompt to the clinician. The audit log records the resolution: which patient, which state, which clinician, which license, which compact privilege, which timestamp. The pattern matters because of how board complaints are adjudicated. When a complaint arrives, patient was in Ohio, clinician was licensed only in Pennsylvania, prescription was issued, the board does not ask the platform's CTO whether HIPAA was satisfied. It asks the clinician to produce the record showing how they confirmed the patient's state of presence at the moment of the encounter. If the platform produced that confirmation and recorded it, the clinician has a defense. If the platform asked the clinician to confirm it manually and the answer was "I assumed" or "the system let me proceed," the defense is weaker. We have seen both outcomes. The platforms that produce the record routinely retain the clinician through the complaint; the platforms that pushed the question to the clinician routinely lose the clinician. There is a secondary concern: licensure-status integration with primary-source verification. License status changes daily. A clinician clear last quarter may be on probation, restricted, or surrendered today. The platform that pulls a primary-source feed and refuses to route encounters to a clinician whose license is no longer in good standing has prevented a category of complaint the platform relying on annual credentialing has not. The licensing layer is not glamorous. It is the layer that, when wrong, ends the encounter in a board complaint the platform's HIPAA posture cannot defend against. Build it explicit, build it real-time, and record the resolution. Controlled substance prescribing post-Ryan Haight + 2025 changes The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 set the federal floor for online controlled-substance prescribing. In its original form, the rule required an in-person medical evaluation before a controlled substance could be prescribed via telemedicine, with narrowly defined exceptions. The COVID-19 public health emergency, declared in early 2020, suspended the in-person requirement under DEA's emergency telemedicine flexibilities, and a generation of telehealth platforms built their product on the assumption that the flexibilities would become permanent or be replaced by an equivalent permanent rule. The DEA's path to a permanent rule has been longer than the platforms expected. The first proposed permanent rule, published in early 2023, would have re-imposed an in-person requirement for most controlled substances and was withdrawn after public-comment volume exceeded thirty-eight thousand responses. The DEA extended the COVID-era flexibilities through a series of temporary rules, through 2023, through 2024, and into 2025, while developing a successor framework. The 2025 framework introduced a special-registration pathway for telemedicine prescribers, alongside narrower carve-outs for specific drug categories and treatment contexts. Which flexibilities apply to which drug schedules, prescribers, and patient circumstances has changed multiple times, and any platform encoding the rule into its enforcement layer should reconfirm the current DEA position with counsel before deployment. The guidance below is the architectural pattern, not a current-state regulatory summary. The pattern is straightforward. Every controlled-substance prescription written through the platform must produce a record that demonstrates, at minimum: the prescriber's DEA registration in good standing, the prescriber's state controlled-substance authority in the patient's state of physical presence, the basis for the encounter under the telemedicine rule that applies on the date of the prescription (in-person prior exam by this prescriber, in-person prior exam by a referring prescriber, special-registration eligibility, emergency exception, applicable carve-out), the patient's identity verification, and the PDMP query conducted before issuing the prescription. The platform records each as structured data, not free text, so a board or DEA investigator can be answered with a query rather than a clinician's recollection. Special handling applies to two categories that boards and DEA scrutinize most aggressively. The first is buprenorphine for opioid-use-disorder treatment. The X-waiver was eliminated by the Mainstreaming Addiction Treatment Act, but state-by-state rules on buprenorphine telehealth prescribing remain heterogeneous, and several state boards have brought actions against telehealth prescribers who satisfied federal rules but violated state-specific telehealth-MAT requirements. A platform serving buprenorphine prescribing should encode the state-by-state ruleset and refuse encounters the cross-product does not support, including consent-form, follow-up-cadence, and care-coordination requirements specific to MAT telehealth. The second category is Schedule II stimulants, particularly for ADHD, where multiple boards have brought enforcement actions against telehealth platforms whose prescribing patterns the boards interpreted as inconsistent with the standard of care. Schedule II controlled-substance telehealth requires the most rigorous architectural enforcement, identity verification at the encounter, PDMP query recorded at the encounter, frequency and quantity within standard-of-care guardrails, and explicit clinical documentation distinguishing initial diagnosis from continuation prescribing. The audit-trail expectation, as we have seen it cited in board orders, is that the platform produces on demand a per-prescription evidence pack: the encounter note, the licensure resolution from section 2, the controlled-substance authority resolution, the PDMP query result, the identity-verification step, the prescriber's clinical reasoning recorded contemporaneously, and the patient's consent acknowledgment. Platforms that produce the evidence pack survive the investigation. Platforms that produce the prescription record but cannot connect it to the licensure, the PDMP, the identity check, and the consent typically settle. For platforms operating across the DEA controlled-substances boundary, the per-prescription evidence pack is the first artifact the partners ask to see in the diagnostic. State telehealth-specific consent and recording rules HIPAA's notice of privacy practices is necessary. It is not the consent form a state board will ask for after a complaint. Most states have adopted telehealth-specific informed-consent rules that require the form to address topics HIPAA does not: that the encounter is being conducted via telehealth rather than in person, the patient's right to decline telehealth in favor of an in-person visit, the limits of telehealth for the patient's specific condition, the technology being used, the alternative if the technology fails, the licensure footprint of the clinician, and in some states the specific risks of telehealth the patient is acknowledging. The exact list varies by state; some boards have a one-paragraph requirement, others a multi-page model form, and a handful permit verbal consent recorded in the chart while most require written acknowledgment. The architectural implication is that the consent form is not a one-size-fits-all PDF. The form rendered must vary based on the patient's state of presence and the clinician's specialty, and the platform must record both which version the patient acknowledged and the timestamp. Versioning matters: when a state updates its telehealth consent requirement, every encounter conducted under the prior version must remain attached to the prior version's text. Platforms that overwrite the consent form with the latest version lose the ability to demonstrate, at audit, that the consent obtained at the time of a 2023 encounter was current as of 2023. Recording rules are the second consent layer and sit at the intersection of state wiretap law and state telehealth rules. Wiretap statutes split into one-party-consent and two-party-consent (sometimes called all-party-consent) jurisdictions. In a one-party state, the clinician's consent is sufficient. In a two-party state, every participant must consent. Approximately a dozen states fall on the two-party side, and the line shifts. A platform that records every encounter for quality, training, or evidence purposes must obtain consent from the patient on every encounter where any party may be in a two-party state, the cleanest architecture is to obtain consent from every patient regardless. The consent capture must be specific to recording; buried in the general telehealth consent is not, in several state interpretations, sufficient. Beyond wiretap, several state boards have specific positions on whether and how clinical encounters may be recorded, retained, used for training, or disclosed. Some prohibit recording absent clinical justification; others require it; most are silent and wiretap rules govern by default. The architecture should support per-state, per-specialty recording defaults, and the audit log should record the decision, the consent capture, the retention period, and access controls on the recorded artifact. The third consent layer is waiting-room privacy. State boards have, in several recent enforcement actions, treated the telehealth waiting-room equivalent as part of the encounter, whoever can see or hear the patient before the clinician joins counts as a participant in the patient's care. Multi-patient virtual waiting rooms have produced complaints. Receptionist or technician access to pre-encounter video has produced complaints. The architecture should default to one-patient-per-room, no-cross-patient-visibility, and recorded access logs for any non-clinician who entered the encounter space. These are not HIPAA controls; they are board-of-medicine controls dressed in technology requirements, and the platform that does not enforce them at the architecture layer is asking each clinician to enforce them by hand. The architecture that proves compliance to a state board A board complaint produces an evidence request that looks different from an OCR data request. OCR asks for policies, procedures, and audit log entries relevant to a specific patient or workforce member. A board asks for the encounter, the licensure resolution, the consent record, the recording (if any), the prescription record (if any), the identity verification, the clinical note, the timestamps, the technology stack the encounter ran on, and the chain of custody for each artifact. The board asks the clinician to produce this; the clinician asks the platform; the platform either produces it within the response window or the clinician's defense weakens. The architecture that produces the evidence pack on demand is built around five integrations most telehealth platforms either skip or under-implement. We list them in the order the board reads them. Practitioner-license-status integration. The platform queries primary-source verification on a defined cadence (daily for active providers, with an event-driven re-query on every routing decision) and stores the result with timestamp and source. When a complaint arrives, the platform produces the licensure status as it existed on the date and time of the encounter, not as it exists today. License status histories are the artifact, not snapshots. Most platforms that built credentialing as an annual workflow cannot produce a daily history; that is a refactor before the complaint arrives, not after. Patient-state-of-presence integration. The platform captures the patient's state of physical presence at the start of every encounter, both as patient attestation and as a corroborating signal (IP geolocation, device location with consent, address on file). The capture is recorded with the encounter, and the resolution to "this clinician is authorized to treat in this state" is the explicit output that determines whether the encounter proceeds. State-of-residence (the address on file) is a different question from state-of-presence (where the patient is sitting right now); the board asks the latter. Consent-record retention and versioning. Every consent form ever rendered to a patient is retained, with the version, the patient's acknowledgment, the timestamp, and the encounter to which it is attached. Versioning is load-bearing. A consent form from 2024 must remain accessible exactly as the patient saw it in 2024, even after the platform updates the form for 2025. Recording-policy enforcement. Whether an encounter is recorded is a function of the patient's state, the clinician's specialty, the platform's policy, and the patient's consent. The platform records the policy decision, the consent capture, the recording itself (or its explicit absence), the retention period, the access events, and the disposition. Recording without consent in a two-party state, or recording without the platform's policy supporting it, is the kind of finding a board converts directly into a sanction. Prescription evidence pack. Per section 3, every controlled-substance prescription is bound to the licensure resolution, the controlled-substance-authority resolution, the PDMP query, the identity verification, the clinical reasoning, and the consent. The pack is generated at the time of the prescription, not assembled after the fact, because the audit-trail integrity of an after-the-fact assembly is exactly what a board investigator probes. The five integrations together produce the evidence pack the board asks for, and they reduce variance in clinician documentation. Clinicians do not need to remember the rule; the platform enforces it and records the enforcement. The clinicians document the clinical reasoning. The platform documents the regulatory compliance. The audit trail is the union of the two, and the board reads the union. This separation of concerns is the pattern the partners codify in the healthcare and behavioral-health reference engagements. Behavioral health telehealth and 42 CFR Part 2 Substance use disorder treatment records are governed by 42 CFR Part 2 in addition to HIPAA, and the Part 2 rule is meaningfully more restrictive than HIPAA on consent for disclosure. Part 2 was significantly amended by the 2024 final rule that aligned aspects of consent, breach notification, and patient rights with HIPAA, but the core distinction, that information identifying a patient as an SUD patient at a Part 2 program requires patient consent for disclosure beyond the boundaries permitted under the rule, remains in force. For behavioral health platforms that include SUD treatment, the Part 2 layer sits on top of the HIPAA layer, the licensing layer, and the consent layer described above. The architectural difference is not subtle. The platform must distinguish, at the data layer, between records subject to Part 2 and records that are not. A combined behavioral-health-and-primary-care platform cannot simply apply the same access controls to both populations; Part 2 records require an additional consent capture before they can be disclosed to a downstream entity that HIPAA permitted-disclosure rules would otherwise allow. Care coordination, claims submissions, EHR integrations, and some quality-reporting flows must be evaluated against the Part 2 consent rule and either gated by patient consent or segmented from the disclosure path entirely. The 2024 Part 2 amendments harmonized several rules with HIPAA, including a single consent for future uses and disclosures within certain treatment, payment, and operations purposes, alignment of breach-notification rules, and alignment of accounting-of-disclosures expectations. The single-consent option is operationally cleaner, but the consent must still be documented, version-controlled, and revocable, and the revocation must propagate to every downstream system that received data under the original consent. Platforms that implemented Part 2 consent before the 2024 rule and have not refactored typically have one of two failure modes: still requiring multiple consents the rule no longer requires, or operating under the single-consent model without the revocation-propagation infrastructure the rule still requires. The most common architectural shortfall, in our reading of remediation files, is data-layer commingling. The underlying database does not distinguish Part 2 data from non-Part-2 data, the application layer applies the controls in code, and an integration written six months later for an unrelated feature bypasses those controls. The fix is at the data layer: Part 2 data is segmented physically (separate schemas, separate stores, or row-level enforcement) so that a downstream service that does not know to ask cannot reach it. Application-layer enforcement is fragile by definition; data-layer enforcement is durable. The other common shortfall is in the recording layer from section 4. SUD telehealth encounters that are recorded carry the recording into Part 2 scope. The recording is itself a Part 2 record; its access controls, retention, and disclosure consent must be Part 2 compliant. Platforms that built the recording layer for general behavioral health and added SUD-specific handling later frequently discovered the recording infrastructure was a Part 2 disclosure path they had not consented for. The remediations are expensive, and the patient-notification obligations under the harmonized breach-notification rule are real. A behavioral health platform that includes SUD treatment is solving for five overlapping rule sets, HIPAA, licensing, consent and recording, controlled-substance prescribing where MAT is in scope, and 42 CFR Part 2, none of which is satisfied by the others. The architecture that supports the union is built once, intentionally, and audited against each rule set separately. Where the Diagnostic fits When a multi-state telehealth platform engages us inside the Pass-Your-Next-Audit line, the named methodology is the Telehealth Compliance Diagnostic. Same shape as the partners' other diagnostics: a fixed-scope, fixed-price written assessment that produces a report the platform's CIO, CCO, or general counsel can hand to the board, the auditor, or the next state board investigator. It is not implementation. The partners offer the productized vCISO retainer as a separate engagement for platforms that want ongoing oversight, but the Diagnostic stands alone. The Diagnostic walks the platform's architecture against five rule layers, HIPAA, multi-state licensing, controlled-substance prescribing where applicable, consent and recording, and 42 CFR Part 2 where applicable, and produces a control matrix mapping each rule to the architecture component that satisfies it (or the gap that does not). The output is the prioritized remediation list, the evidence-pack readiness assessment per encounter type, and the partner-reviewed Multi-State Compliance Map for the platform's specific licensure footprint. The Diagnostic typically runs three to four weeks; the timeline is longer than HIPAA-only diagnostics because the state-by-state cross-walk requires partner-and-counsel review per state in scope. Three actions a telehealth CIO or CCO can take this month, regardless of whether the platform engages us: 1. Inventory the licensure-resolution path on the highest-volume encounter type. Document, end-to-end, how the platform answers the question "is this clinician licensed in this patient's state of physical presence right now" before the encounter is initiated. Most platforms cannot produce this document in a single afternoon. Where the document is incomplete, fill the gap before the next encounter routes through it. 2. Pull the per-prescription evidence pack on a recent controlled-substance prescription. Ask the platform to produce, for one specific recent controlled-substance prescription, the licensure resolution, the controlled-substance-authority resolution, the PDMP query, the identity verification, the clinical reasoning, and the consent, connected, with timestamps, in a single artifact. If the platform cannot, that is the architecture gap that fails a board investigation. 3. Confirm the consent-form versioning and the recording-consent capture for every state in the platform's footprint. The consent forms rendered to patients vary by state; the versions in production today must match the current rule in each state, and the historical versions must be preserved with the encounters they were attached to. Recording consent must be specific to recording, not buried in general telehealth consent, in every two-party state the platform routes encounters into. Three actions, one quarter, no engagement required. If the inventory or the evidence pack or the consent-versioning surfaces gaps the platform cannot close internally, or if the multi-state cross-walk itself is the work, that is where the Diagnostic comes in. The paired artifact, the Telehealth Multi-State Compliance Map, is the partner-reviewed starting cross-walk we use on every Diagnostic engagement; it is not a substitute for counsel review per state, and the partners maintain it the same way they maintain the HIPAA framework reference, quarterly, against the current rule, as the rule moves. HIPAA is the easy part. The state board is the regulator with teeth. The architecture that survives both is built once, intentionally, and audited against each rule set separately, not bolted on after the first complaint arrives.