The numbers are no longer theoretical

The Centers for Medicare & Medicaid Services has updated its per-violation penalty rates for telehealth compliance failures. The current enforcement range is $11,665 to $23,331 per violation. That is per session, not per complaint, not per audit. Every single non-compliant telehealth encounter is a separate assessable violation.

These are not aspirational figures buried in a Federal Register notice that nobody enforces. They are the rates that OIG and state licensing boards reference in active enforcement actions. The increase represents roughly a threefold jump from the rates that were in effect just a few years ago, and it reflects a deliberate policy decision to make telehealth compliance violations economically untenable.

The math for a typical provider

Consider a licensed therapist who sees patients across state lines. A reasonable cross-state caseload might be eight patients per week in states other than the provider's home state. That is 416 sessions per year.

At the new penalty rates, the annual risk exposure for those sessions is $4.85 million to $9.7 million. That is the theoretical maximum if every session were found non-compliant.

Of course, most providers are not 100% non-compliant. But the math is still alarming at much smaller failure rates:

  • 5% non-compliance rate (roughly 21 sessions): $242,000 to $485,000 in exposure
  • 2% non-compliance rate (roughly 8 sessions): $93,000 to $187,000 in exposure
  • A single violation: $11,665 to $23,331

These numbers exceed most providers' annual revenue. A handful of violations can exceed malpractice insurance policy limits. The penalty structure is designed to make non-compliance an existential risk, not merely an administrative inconvenience.

What constitutes a violation

The core violation is straightforward: providing telehealth services to a patient located in a state where you are not authorized to practice. Authorization means holding an active license in that state or being eligible under an applicable interstate compact.

The scenarios that create violations are often less obvious than providers expect:

  • A patient who normally lives in a state where you are licensed travels to a different state for a week. You conduct the session without confirming their current location. That is a violation.
  • A patient moves to a new state between appointments. You continue treatment without verifying whether your licensing covers the new state. That is a violation.
  • You hold licenses in 12 states. Your patient is in the 13th. The breadth of your licensing does not provide a defense for the states you do not cover.

The common thread is that compliance is determined by the patient's location at the time of the session, not by any prior assumption about where the patient usually is.

Interstate compacts help, but they do not eliminate the verification step

Interstate practice compacts (PSYPACT for psychologists, IMLC for physicians, NLC for nurses, ASWB's mobility initiative for social workers) are genuinely valuable tools. They expand the number of states where a provider is authorized to practice without requiring individual state licenses.

But compacts do not remove the need for location verification. You still need to know which state the patient is in to determine whether the compact applies. PSYPACT covers 44 states and territories, not all 50. IMLC covers 43. NLC covers 41. If your patient is in a non-member state, the compact provides no coverage.

Compacts expand your safety net. They do not eliminate the need to check whether the net extends to where your patient is sitting.

What adequate documentation looks like

Enforcement actions consistently cite inadequate documentation as an aggravating factor. "The patient told me they were in California" is not a defensible verification method in a formal proceeding. Adequate documentation for each session includes:

  • Timestamp of the location verification
  • Patient location (state, at minimum) with the method used to verify it
  • Provider license status in that state at the time of the session
  • Compact eligibility check, if applicable, confirming that both the provider and the patient's state are compact members

This documentation needs to exist for every session, not just the ones where there is a question. An auditor reviewing your records will expect to see consistent verification across your entire caseload.

Quantify your exposure

Not sure what your specific risk profile looks like? The numbers vary significantly depending on your caseload, the states you serve, and your current licensing coverage. We built a free Compliance Risk Calculator that estimates your annual exposure in about 30 seconds. It factors in your cross-state volume, compact eligibilities, and the current CMS penalty rates.

Building compliant workflows

The documentation requirements described above are not complex in isolation, but they are difficult to maintain manually across a full caseload. A provider seeing 30 patients per week needs to verify and document location, licensing, and compact eligibility 30 times per week, every week, without exception.

TeleVerify generates this documentation automatically for every telehealth session. It checks patient location against provider licensing and compact eligibility in real time, creates the audit trail, and flags sessions that require attention before they become violations. You can see how it works on our features page.

At the new penalty rates, the cost of a single missed verification exceeds a full year of compliance tooling by an order of magnitude. The economics have changed. The documentation standard has not.