Telehealth Across State Lines: What Digital Health Founders Need to Know Before Expanding
Expanding your telehealth platform across state lines triggers licensing, privacy, and prescribing obligations in every state where your patients are located. This guide maps the federal framework, state licensing compacts, state privacy laws, and DEA controlled substance rules.
The Patchwork Problem
The rule that catches most telehealth founders off guard is deceptively simple: medical practice is legally deemed to occur where the patient is physically located, not where the provider sits. A physician licensed only in Texas is practicing medicine without a license the moment a California patient logs in — regardless of where the platform is incorporated, where the servers live, or where the doctor happens to be sitting. For founders building multi-state telehealth platforms, that single rule multiplies into dozens of simultaneous compliance obligations the moment you expand beyond your home state.
That obligation doesn't fall only on physicians. Nurses, psychologists, and advanced practice providers each operate under separate state-by-state licensing frameworks, meaning a platform that employs multiple provider types faces several parallel licensing regimes running simultaneously. Adding a new state to your coverage map is not a product decision — it's a legal event for every licensed practitioner type on your platform.
The regulatory environment compounding this challenge is far from settled. Medicare telehealth flexibilities that became standard operating procedure during the pandemic have been reverting and re-extending in waves — most recently, Congress intervened again after flexibilities began rolling back toward pre-pandemic restrictions in October 2025. Founders who built compliance programs around emergency-era rules are finding the ground still shifting beneath them.
Federal Framework — What Washington Covers (and What It Doesn't)
Federal law sets a baseline every telehealth platform must clear — but it leaves two of the biggest compliance burdens entirely to the states. Understanding where federal authority ends is as important as understanding where it begins.
The most significant federal rule for prescribing platforms is the Ryan Haight Online Pharmacy Consumer Protection Act (21 U.S.C. § 829(e)), which prohibits prescribing controlled substances via telemedicine without a prior in-person medical evaluation. That prohibition is a hard floor — no state can lower it. For platforms operating in behavioral health, pain management, or psychiatry, Ryan Haight is a foundational constraint on your clinical model. COVID-era DEA flexibilities suspended the in-person requirement, and those waivers were extended through January 2026 while permanent rules are finalized. The DEA has also proposed a special registration framework that would create new prescribing pathways without requiring an in-person visit, but that framework has not been finalized and cannot be relied on for current compliance planning.
HIPAA operates on the same floor-setting logic. It establishes minimum standards for how covered entities and their business associates handle protected health information — and under 45 C.F.R. § 160.203, it preempts state law only when state law is less protective. When a state has stricter health data rules — tighter breach notification windows, narrower consent exceptions, special protections for reproductive or mental health data — those state rules survive and stack on top of HIPAA. HIPAA compliance alone does not mean privacy compliance in every state where your platform operates.
What federal law does not touch at all is state medical licensing. Neither Ryan Haight nor HIPAA preempts, replaces, or simplifies the requirement that a clinician hold an active license in the state where the patient receives care. That requirement is governed entirely at the state level, and it's where multi-state expansion gets operationally complex — which is where the next section picks up.
State Medical Licensing — Compacts and the Non-Compact Gap
Multi-state licensing compacts are the closest thing to a fast lane in telehealth expansion — but they are not all built the same, and none of them removes the underlying state licensing obligation entirely. The Interstate Medical Licensure Compact (IMLC) now covers 44 jurisdictions — 42 states plus the District of Columbia and Guam — making it the dominant pathway for physicians seeking to practice across state lines. What it actually does, though, is streamline the application process: each compact state still issues its own license, sets its own standards, and retains full authority over practice within its borders. Physicians using the IMLC are not operating under a single federal credential; they are applying to multiple states simultaneously through a coordinated system.
Other clinician types have compacts that work differently — and in some cases, more favorably. The Psychology Interjurisdictional Compact (PSYPACT), now covering approximately 43 jurisdictions, grants a true "authority to practice" across member states — a meaningfully stronger right than the IMLC's license-per-state model. Nurses fare even better: the Nurse Licensure Compact (NLC), covering 43 jurisdictions, issues a single multi-state license valid simultaneously in all member states. For platform operators who employ or contract with multiple practitioner types, this creates a compliance footprint that varies by profession even within the same state — a physician and a nurse on the same call with the same patient may be operating under completely different licensing frameworks.
The more immediate operational problem is the non-compact gap. California, New York, and Florida are not IMLC members for physicians. Providers who want to see patients in those states must go through standard individual state licensing processes, which routinely take three to six months and require extensive documentation. Founders who build an expansion roadmap without accounting for that lead time discover the hard way that you cannot flip on a new state overnight. Therapists, social workers, and counselors face a parallel problem: their professional licensing boards participate in separate compacts with different membership maps, so the compact coverage a platform has for physicians tells you nothing about coverage for behavioral health providers.
State Privacy Laws Beyond HIPAA
Clearing HIPAA is not the finish line for privacy compliance — it's the floor. Federal law explicitly allows states to impose stricter health privacy protections, and those state laws survive and must be followed alongside HIPAA wherever they provide greater rights to patients. For a telehealth platform expanding across state lines, that means the privacy rules governing your platform are set by whichever state imposes the highest standard on the data you collect — not by the federal baseline you already meet.
Washington's My Health My Data Act, effective March 2024, is one of the most aggressive examples. It applies to any entity that conducts business in Washington or that targets Washington residents — meaning a telehealth platform headquartered in Texas that serves Washington patients is squarely within its reach. The Act requires explicit consent before collecting or sharing consumer health data. Critically, it does not fully exempt HIPAA-covered entities: Protected Health Information handled under a covered HIPAA transaction is carved out, but data collected outside that transaction — app usage patterns, symptom tracker inputs, scheduling metadata — remains subject to the Act's requirements.
California takes a different angle on mental health specifically. The state expanded its Confidentiality of Medical Information Act to classify any business offering a "mental health digital service" as a provider of health care for purposes of the law — subjecting those platforms to CMIA's stricter consent and disclosure standards even when they fall outside HIPAA's covered-entity definition entirely. A mental health telehealth app that structured itself to avoid HIPAA coverage is not structuring itself out of California's reach.
The practical question founders should ask when mapping an expansion isn't only "which states require a medical license?" — it's "which states do our patients come from, and what does each of those states require us to do with their data?" Those states' laws apply to you regardless of where your servers are or where your company is incorporated. Before signing the first patient in a new state, a state-by-state privacy gap analysis should already be complete.
Prescribing Across State Lines — Controlled Substances and the DEA
The COVID-era telehealth flexibilities that let practitioners prescribe controlled substances without a prior in-person visit are still in force — but only through a temporary extension. Once those extensions expire, the Ryan Haight Online Pharmacy Consumer Protection Act (21 U.S.C. § 829(e)) reasserts its default rule: a practitioner must conduct at least one in-person evaluation before prescribing any controlled substance via telemedicine. Founders building prescribing workflows today should treat the current flexibility as borrowed time, not a permanent baseline.
The DEA has published proposed rules creating a tiered special registration framework for telemedicine prescribing — including a general registration pathway for Schedule III–V non-narcotic controlled substances and an advanced pathway for specialist prescribers that would cover Schedule II substances under a volumetric cap. These proposed rules were open for public comment in early 2025 and have not been finalized as of mid-2026. Do not build compliance infrastructure around proposed rules that may be modified or withdrawn before finalization.
Even within the proposed TPCS framework, the multi-state registration burden does not disappear. Practitioners must hold a DEA registration in each state where they write controlled substance prescriptions, plus separate state-level controlled substance authority where required. TPCS enrollment is a federal overlay — it does not replace or consolidate state registrations. For a platform operating in ten states with fifteen prescribers, that registration matrix is a significant operational overhead that needs to be tracked, renewed, and audited on an ongoing basis.
Building a Multi-State Compliance Framework
Multi-state telehealth compliance is not a problem you solve once at launch. It is an operational function that runs in parallel with your business. The good news: it is manageable when you treat it as a structured process rather than a scattered checklist. The five steps below give founders a concrete starting point.
- Map your provider-patient footprint. For every provider type on your platform — physicians, nurses, psychologists, therapists — identify which states they are currently licensed in and which states your patients are located in. The mismatches between the two (for example, a California-licensed physician treating a Texas patient) are your compliance exposure map. Every subsequent decision flows from this matrix.
- Run a compact eligibility audit. Once you know which states are in scope, check whether each provider type has a multi-state compact pathway for those states. Physicians can use the Interstate Medical Licensure Compact; nurses fall under the Nurse Licensure Compact. Not every discipline has a compact, and not every state has joined. Document the gaps — those are the providers who need individual state licenses.
- Build in lead time for non-compact states. Individual state medical licenses can take three to six months to obtain. If you plan to serve patients in a state with no compact coverage, start that licensing process at least a quarter before your intended launch date. Missing this window is one of the most common — and most avoidable — expansion mistakes.
- Run a state privacy law gap analysis. HIPAA sets the floor, but several states have raised it substantially. Washington's My Health My Data Act and California's Confidentiality of Medical Information Act impose requirements that go well beyond federal law. For each state you enter, cross-reference your data practices against those state-specific rules — consent mechanisms, data minimization obligations, and breach notification timelines included.
- Set up a compliance calendar, not just a launch checklist. State licenses expire. Compact membership changes. DEA rules get finalized. A compliance calendar tracks renewal deadlines, flags regulatory changes in active states, and keeps your platform from drifting into exposure after launch. A single lapsed license or missing DEA registration can expose the platform itself to regulatory action — not just the individual clinician whose credential slipped.
The stakes are real. Regulatory risk in telehealth does not stop at the provider level — platforms that facilitate unlicensed practice or unauthorized prescribing face their own enforcement exposure. Getting this right from the start costs far less than correcting it under pressure.