Complete guide to managing TeleVerify across your organization.
Log in at televerify.org/login with your admin credentials. The dashboard automatically detects your role and shows the admin view with organization-wide controls.
Admin accounts are created by your organization's designated account owner during setup. If you need access but don't have an account, contact your organization administrator.
Provider view: Individual clinicians see their own sessions, licenses, regulatory alerts, and integrations. Providers manage only their own compliance data.
Admin view: Compliance officers and operations managers see organization-wide analytics, all providers, compliance heatmaps, regulatory intelligence, and full audit controls.
Both roles log in at the same URL. The dashboard automatically shows the appropriate view based on your account role. Org admins can switch between views using the "Switch to Provider View" / "Switch to Org Admin View" link at the bottom of the sidebar.
In the admin dashboard, navigate to the Providers tab and click Add Provider. You'll be prompted to enter:
Once added, the provider receives an invitation email with a setup link. They complete their own credential verification before they can run checks.
You can add multiple providers at once by uploading a CSV with provider data. Contact support for the CSV template.
Yes. Many organizations have multiple admins to ensure compliance oversight doesn't depend on a single person. Common structures include:
TeleVerify supports multiple roles: admin (full organization control), org admin (team management plus provider functions), compliance admin (compliance queue and co-sign authority), and provider (individual clinician). Each role sees a different dashboard sidebar tailored to their responsibilities. Org admins can switch between their admin and provider views.
Phase 1: Account Setup — Your organization's account owner creates an admin login and selects an organization plan. The admin URL is configured.
Phase 2: Provider Onboarding — You add your providers to the system via the Providers tab. Providers receive invitation emails and complete their own credential verification.
Phase 3: Configuration — In the Settings tab, you configure override policies (which compliance gaps providers can override in emergencies). This is typically a 10-minute conversation with your compliance team.
Phase 4: Go-live — Providers begin running checks. You monitor the Audit Log to ensure checks are running correctly and compliance rates are where you expect them.
Most organizations are fully operational within 1–2 weeks of signing up.
Providers can only manage their own account and view their own check history. Admins have organization-wide capabilities:
Admins cannot override individual compliance checks (that's the provider's choice in their app). Admins can only control which override options are available to providers via the Settings tab.
The admin dashboard sidebar has six main sections:
1. Overview: Organization-wide compliance metrics at a glance — pass rate, compact utilization, risk exposure, non-compliant sessions, and sessions needing review. Includes recent activity feed and quick links to deeper views.
2. Providers: A list of all registered providers in your organization, showing their NPI, licensed states, total check count, and compliance rate. Click any provider to drill into their individual check history and analytics.
3. Compliance by State: A heatmap showing compliance breakdown by state. See which states have the most sessions, highest non-compliance rates, and where compact coverage is being used. Click any state to drill into its sessions.
4. Sessions: A system-wide view of every compliance check run by every provider. Filterable by provider, time range, compliance status, and state. Exportable as CSV. This is your primary tool for compliance oversight.
5. Regulatory Intelligence: Tracks regulatory changes, compact membership updates, and state law changes that affect your providers. Alerts flag changes that may require action.
6. Settings: Organizational configuration including override policies, compliance targets, and account management.
The admin Overview displays organization-wide metrics:
Use the Pass Rate as your primary audit-readiness indicator. Most organizations target 95%+ compliance rates. The Risk Exposure metric helps quantify the financial argument for compliance investment.
COMPLIANT: The provider is licensed in the patient's state through direct state licensure. No compact needed.
COMPLIANT_VIA_COMPACT: The provider is not directly licensed in that state, but is covered by an interstate compact (IMLC, PSYPACT, NLC, PT Compact, etc.) and meets all compact requirements for that specific encounter.
NON_COMPLIANT: The provider is neither directly licensed nor covered by an applicable compact. The encounter does not have a legal compliance pathway. The provider must either reschedule the patient, refer out, or document an emergency exception (if override options are enabled).
The audit log shows the actual determination in each row. Use the status filters to see breakdowns (e.g., "How many checks returned COMPLIANT_VIA_COMPACT this month?").
The dashboard updates in real-time. When a provider runs a compliance check in their app, it appears in your Audit Log within seconds. The overall compliance rate and check counts update immediately as well.
If you need historical snapshots (e.g., "what was our compliance rate on March 15?"), export the CSV and filter it locally or import it into your compliance database.
The dashboard view is fixed — all admins see the same three tabs and metrics. However, you can:
If you need custom dashboarding or deeper analytics integrations, contact support about advanced reporting options.
At the top of the Sessions page, you'll see a Provider dropdown. Click it to select a single provider, or select "All Providers" to see the entire organization's sessions.
Filtering by a specific provider is useful for:
The filter persists until you change it, so you can export the filtered log as CSV without re-filtering.
Next to the Provider dropdown, you'll see a Date Range selector with presets:
These presets are designed for quick audits. If you need a custom date range (e.g., "March 15–April 22"), export the "All Time" log and filter it locally in Excel.
Click the Export as CSV button at the top-right of the Sessions page. The system generates a CSV file containing all rows matching your current filter (provider, date range, state, and status).
The file downloads to your computer immediately. You can then open it in Excel, import it into your compliance database, or share it with external auditors.
If you export a very large log (e.g., 50,000+ checks), the file may take 10–15 seconds to generate. Be patient and don't close the page.
The CSV includes these columns:
All timestamps are in UTC. Packet hashes can be used to independently verify packet integrity.
Use the filter dropdown to select the provider involved. This narrows the log to that provider's checks only. Then scan visually or open the CSV in Excel and use Ctrl+F (Cmd+F) to search for a date, patient state, or other identifier.
If you're looking for a session from a specific patient encounter, ask the provider for the approximate time the check was run. You can then filter by date and scan the results.
You cannot search by patient name or medical record number — TeleVerify stores only state-level location data, not patient identifiers. If you need to tie a check to a specific patient encounter, cross-reference the timestamp with your EHR.
Each entry in the audit log represents a single compliance check run by a provider. The entry shows:
Click on any entry to expand it and see the full signed compliance packet. This packet contains the complete cryptographic proof and can be forwarded to insurers or regulators.
Audit records are retained indefinitely. Your organization owns all compliance data, and TeleVerify does not automatically delete records.
You can delete records only through a formal data deletion request to compliance@televerify.org (rare, and requires documentation of a data error or compliance issue). Normal compliance audits do not trigger record deletion.
Because records are hash-chained, any deletion is cryptographically detectable. This maintains audit integrity even if individual records are removed.
The audit log uses SHA-256 hash-chaining to create a tamper-proof record sequence. Each new entry contains a hash of the previous entry, creating an unbroken chain back to your organization's first-ever compliance check.
This means:
The hash chain is cryptographic proof that your audit log is complete and unaltered. This is extremely valuable in regulatory audits — it shows that your compliance data is authentic and hasn't been falsified.
You can verify the hash chain integrity yourself using TeleVerify's open-source verification tools. Export your audit log as CSV, then run the verification command (Python, JavaScript, or curl provided on the audit verification page at /website/audit.html).
The verification tool walks the chain and confirms that every record's hash links correctly to the previous one, proving the sequence is unaltered.
You don't need special tools to verify this — you can even do it in Excel by manually computing hashes, though the provided scripts are much faster.
Records cannot be modified after creation. The cryptographic signature on each packet makes tampering detectable.
Records can only be deleted by TeleVerify staff in response to a formal data deletion request, and only if there's a documented reason (e.g., a data error or patient privacy request). Standard compliance audits never trigger deletion.
When a record is deleted, the hash chain breaks, and the gap is cryptographically visible. This prevents silent deletion.
Do not attempt to delete or modify records yourself. This is not possible through the admin dashboard and would violate the integrity of your audit trail. If you need records corrected, contact support.
In the Providers tab, each provider row shows a Licensed States field listing all states where they hold active licensure (e.g., "CA, TX, FL, NY").
Click on any provider to see more details, including:
If a provider's licensed states are incorrect, contact them to update their account. They can add/remove states in their provider profile.
The Providers tab shows each provider's Compliance Rate — the percentage of their checks that returned COMPLIANT or COMPLIANT_VIA_COMPACT (as opposed to NON_COMPLIANT).
A high compliance rate (95%+) suggests the provider understands location requirements and is running checks correctly. A low rate (<80%) suggests:
Use the compliance rate to identify providers who may need training or credentialing review.
Click on a provider's name to drill into their analytics. You'll see:
This view is useful for credentialing committees, compliance reviews, and provider feedback conversations.
In the Providers tab, click the Remove button on any provider's row. You'll be asked to confirm.
Important: Removing a provider does not delete their historical compliance records. The audit log retains all checks they ran. Only their active provider account is deactivated — they can no longer run new checks.
This is the intended behavior for compliance. You need to retain providers' check history for audits, even after they leave your organization.
License expiration is not automatically detected by TeleVerify. It's the provider's responsibility to update their licensed states in their profile before their license expires.
If a provider's license expires and they continue to run checks without updating their state list:
Best practice: Set a calendar reminder to reach out to all providers 30 days before their license renewal deadlines and confirm they've updated their TeleVerify profile. This prevents expired licenses from creating compliance gaps in your audit trail.
Override settings control which compliance gaps your providers are permitted to override. When a compliance check returns NON_COMPLIANT, a provider can:
If override options are disabled, NON_COMPLIANT checks block the encounter entirely (no override option offered).
Override settings are organization-wide, configured in the Settings tab. All providers in your organization see the same override options.
This is a policy decision for your compliance team and legal counsel.
Arguments for enabling: Emergency situations exist (stroke, sepsis, etc.) where delaying care for compliance documentation is harmful. The emergency override acknowledges this reality and requires the provider to document why they proceeded. This is better than having undocumented emergencies.
Arguments for disabling: Every NON_COMPLIANT determination should trigger a reschedule or referral. Allowing overrides, even documented, creates liability exposure.
Middle ground (common): Enable the emergency override but require a detailed explanation (e.g., "patient had active chest pain, EMS already notified, continuing assessment is clinically appropriate"). Review override usage in your audit log monthly to ensure providers are using it appropriately, not as a rubber stamp.
If you enable emergency overrides, you're stating that your organization accepts the liability of allowing non-compliant encounters. Make sure your malpractice and compliance insurance policies support this decision.
This override allows providers to proceed with established patients even if compliance checking returns NON_COMPLIANT on a particular encounter (e.g., a patient temporarily in a state where the provider isn't licensed).
Arguments for enabling: Continuity of care is valuable. A patient who has been seeing a provider for 2 years and is temporarily visiting another state might reasonably continue care with their regular provider if there's follow-up documentation.
Arguments for disabling: "Established patient" has no legal weight. State licensing law applies regardless of prior relationship. The provider must be licensed in the patient's current location, period.
Real-world practice: Many organizations enable this but with high audit friction. They allow the override to document continuity-of-care situations, but flag every override for compliance review. This satisfies both liability concerns and practical care delivery.
Unlike emergency overrides, established patient overrides are commonly used (not exceptional). Monitor your audit log — if >5% of encounters are overridden, you may have an adoption issue (providers avoiding compliance checks).
When a provider overrides a NON_COMPLIANT determination, the audit log entry shows:
The compliance status stays NON_COMPLIANT — the override doesn't retroactively mark it as compliant. The override flag just indicates the provider proceeded anyway.
When you export the CSV, these override fields are included. This allows you to filter for all NON_COMPLIANT-with-override entries and audit them separately.
Not through the current dashboard interface. Settings are organization-wide — all providers see the same override options.
However, you can achieve per-provider policies through manual review:
For true role-based settings (e.g., "mid-level providers can override, physicians cannot"), contact support about custom policy configurations.
Insurers typically request one of three things:
1. Audit Log CSV: Export your full audit log (Audit Log tab → Export as CSV) and share via secure email or file transfer. The CSV contains all check records and is self-documenting.
2. Individual Compliance Packets: For specific encounters, click on the audit entry and download the signed compliance packet. This packet is independently verifiable and provides cryptographic proof of compliance for that session.
3. Portfolio-wide Compliance Summary: Your dashboard shows your overall compliance rate. You can screenshot the stats and share as a summary: "Our organization ran 18,500 checks this year with a 97.2% compliance rate."
Insurers often have data-sharing agreements that cover what format they need. Contact them directly about their preferred submission method.
A compliance packet is a complete record of a single compliance check, signed with TeleVerify's private Ed25519 key. The packet contains:
The signature mathematically proves two things: (1) TeleVerify created this packet, and (2) nothing has been altered since creation.
An insurer, auditor, or regulator can verify a TeleVerify compliance packet without accessing TeleVerify's systems. They need only:
They run the verification code and get a yes/no answer: "This packet is authentic" or "This packet is forged/altered."
This is independent verification — no account, no API key, no TeleVerify intermediary needed. It's how compliance packets become third-party evidence.
TeleVerify's public Ed25519 key is published at:
It's also embedded in the audit verification page at /website/audit.html, which provides a browser-based verification tool.
The key is immutable and versioned. Any changes are announced in advance through our blog.
Navigate to /website/audit.html. The page provides:
This page is useful to share with insurers and auditors so they can verify your compliance records independently.
Prepare these materials:
Most insurers only ask for the CSV and a summary. Provide the rest only if requested. Having these materials ready allows you to respond quickly to surprise audits.
No. Insurers cannot log into your admin dashboard. They can only access compliance records through:
This protects your organization's privacy. Insurers see only the specific compliance data you choose to share, not your provider list, settings, or other operational details.
Negligence in compliance documentation usually means "we didn't check at all" or "we checked but didn't keep records." A TeleVerify compliance packet proves the opposite:
If a NON_COMPLIANT check was overridden, the packet documents that decision too. Regulators and insurers see "you identified the non-compliance and made a deliberate choice to proceed despite it," which is far more defensible than operating without any verification.
Compliance packets are not a liability shield. But they are evidence that your organization took compliance seriously and followed a documented process. This is the foundation of a negligence defense.
The HHS Office of Inspector General publishes the List of Excluded Individuals & Entities (LEIE), containing 8,375+ NPIs of providers who have been convicted of healthcare fraud, terminated from Medicare/Medicaid, or violated other federal healthcare laws.
Why it matters: If your organization bills federal programs (Medicare, Medicaid, Veterans Affairs, TRICARE, etc.) for services provided by a provider on this list, you violate the Anti-Kickback Statute and False Claims Act. Penalties are severe: treble damages + civil penalties of $13,946–$27,894 per occurrence (2025 figures), plus possible criminal liability.
Your responsibility: You must screen all providers against LEIE before credentialing and periodically after. TeleVerify screens every provider on every check. This is automated proof that you're complying with this requirement.
TeleVerify updates the OIG exclusion list daily. The HHS publishes updates roughly weekly, and we refresh our copy the next business day. This means exclusions are current within a few days of publication.
Very recent exclusions (added within the last 48 hours) may not yet be reflected in your checks. For critical credentialing decisions, perform a manual check at https://exclusions.oig.hhs.gov/.
TeleVerify will immediately flag any checks run by that provider as NON_COMPLIANT due to exclusion status. You'll see this in the Audit Log.
Your next steps:
This is a serious compliance event. Having TeleVerify flag it automatically is better than discovering it months later during an audit. But immediate escalation and remediation are critical to minimize exposure.
Each audit log entry includes an "OIG Screening" field (or it's embedded in the compliance packet). It will show either "PASS" (provider not on list) or "EXCLUDED" (provider on list).
To verify screening is running consistently:
If you find entries without OIG Screening results, contact support.
Civil Penalties: False Claims Act violations: treble damages (3x the amount improperly billed) + civil penalties of $13,946–$27,894 per occurrence. If your organization billed $500,000 in services by an excluded provider, liability could exceed $2 million.
Program Exclusion: HHS can exclude your entire organization from federal healthcare programs, effectively ending your ability to bill Medicare/Medicaid.
Criminal Liability: Knowing violations can result in criminal prosecution of organization leadership, with fines and imprisonment.
License/Credentialing Loss: Joint Commission, state boards, and other accrediting bodies can revoke your organization's credentials if you bill with excluded providers.
The penalties for this are among the most severe in healthcare compliance. Automated screening (like TeleVerify provides) is essential — manual credentialing processes miss exclusions that have occurred since initial onboarding.
TeleVerify stores each provider's interstate compact memberships (IMLC, PSYPACT, NLC, PT Compact, etc.) in their profile. On each check, the system evaluates:
This evaluation runs automatically on every check across all providers. You don't need to manually track who's in which compacts — the system does it.
This is handled correctly by the system. Each provider's record stores their individual compact memberships. So:
When Dr. Smith checks a patient in a non-licensed state, the system checks "Is this state in IMLC?" When Dr. Jones checks the same state, the system checks "Is this state in PSYPACT?" Different results are possible and expected.
At scale with 50+ providers, each potentially in different compacts, this multi-provider compact handling is essential. TeleVerify handles it automatically.
Compact memberships change when a provider joins or withdraws from a compact. The provider is responsible for updating their profile in their own provider account.
How to monitor changes:
If a provider updates their compact membership in TeleVerify but it doesn't immediately affect their checks, there may be a sync delay. Wait a few minutes and retry.
TeleVerify categorizes compliance into three pathways:
direct_only: The provider is directly licensed in the patient's state (no compact needed). Example: Dr. Smith is licensed in California and checks a patient in California. Compliance pathway: direct_only.
compact_full: The provider is not directly licensed in the patient's state, but is fully covered by an interstate compact. Example: Dr. Smith holds an IMLC license and checks a patient in Arizona (IMLC member state where Dr. Smith doesn't hold direct licensure). Compliance pathway: compact_full.
compact_partial: This pathway is less common. It indicates the provider is covered by a compact for that state, but with restrictions or limitations (e.g., limited supervision or specific patient population). Some compacts have partial membership tiers.
In your audit log, these pathways appear in the compliance packet details. Use them to understand the legal basis for each encounter's compliance determination.
States not in any compact (rare, but examples include California, which is not part of IMLC despite being a major telehealth market) require direct state licensure. There's no compact workaround.
If a provider isn't directly licensed in a non-compact state, TeleVerify will return NON_COMPLIANT. The only options are:
Compact coverage cannot bridge the gap for non-compact states. This is a hard legal constraint, not something TeleVerify policy can soften.
About providers: NPI, name, licensed states, specialty, interstate compact memberships, credential verification timestamp.
About patients: State-level location only. No names, no medical record numbers, no diagnoses, no contact information. Just the state where the patient was located at the time of the check.
About encounters: Timestamp, provider NPI, patient state, compliance result, compact used (if applicable), OIG screening result.
Deleted data: IP addresses and GPS coordinates used for location verification are not stored long-term. They're used only to determine the state and are then discarded.
TeleVerify does not store Protected Health Information (PHI). It's designed to verify compliance with minimal data exposure.
TeleVerify does not store PHI and operates under a "data minimization" principle. Because we collect only provider NPI and patient state-level location, standard HIPAA Safe Harbor does not apply in the usual sense — there's no patient identifier to worry about.
However, state and patient location could theoretically be combined by a data broker to re-identify patients. For this reason:
A Business Associate Agreement (BAA) is available for organizations that want contractual HIPAA compliance assurances. Contact support to request one.
Yes. If your organization requires a Business Associate Agreement for HIPAA compliance, contact support@televerify.org and request a BAA. We have a standard template that can be executed within 5–10 business days.
The BAA covers:
Even without a formal BAA, your compliance records are secure and encrypted. A BAA is mainly useful if you need contractual assurances for your own compliance documentation.
In transit: All connections use HTTPS with TLS 1.3. Data moving between your browser and TeleVerify, or between your EHR and TeleVerify, is encrypted end-to-end.
At rest: Patient location data and provider information are encrypted in our PostgreSQL database using AES-256-GCM encryption. The encryption keys are managed separately from the database.
Compliance packets: Each packet is signed with Ed25519 cryptography, which is not encryption but provides tamper-proof integrity. The packet contents are not themselves encrypted (they're readable), but the signature proves they're authentic.
If you need more detailed security documentation (penetration testing reports, etc.), contact our compliance team.
Your audit log is retained indefinitely by default. Your organization owns the data and can request deletion, but standard compliance practice recommends retaining it permanently.
If you want to purge data older than a certain date (e.g., keep only 5 years), contact support. This is a custom request and requires documentation of the reason and compliance with your retention policies.
Deleting audit records breaks the hash chain and is cryptographically visible. Only delete data if you have a documented business reason and legal/compliance sign-off.
TeleVerify employees with access to production systems are limited to:
Access is logged and monitored. Customer data is never accessed for marketing, analytics, or other business purposes without explicit consent.
For detailed information about data access controls and security practices, contact support@televerify.org.
Licensed states in TeleVerify are managed by the provider themselves in their profile. You (as admin) cannot directly edit a provider's licensed states.
To fix this:
Verification: After the provider updates, check the Providers tab in your admin dashboard. Refresh the page — the updated state list should appear within a minute.
Past checks using the old (incorrect) state list are not retroactively updated. If the provider was using an incomplete state list for a month, those checks' compliance determinations remain based on the old list. Document this in your compliance records if necessary.
This likely means a provider ran a check outside of normal operations. Possible explanations:
To investigate: Click on the audit entry and examine the details. Check the timestamp — was this during normal business hours for the provider? Drill into their analytics to see if this check is an outlier or part of a pattern.
If the check seems fraudulent: Contact support immediately with the entry details.
Step 1: Verify your URL — The dashboard is at televerify.org/login. Make sure you're not on a different site or a cached page.
Step 2: Verify your credentials — Are you using the correct email and password? If you've forgotten your password, click "Forgot Password" on the login page.
Step 3: Check your account status — Your admin account may have been deactivated if your organization's subscription ended or your account was removed for security reasons. Contact your organization's account owner to verify.
Step 4: Check browser cache — Clear your browser cookies and cache, then try again. Sometimes stale session data causes login issues.
Step 5: Contact support — If none of the above work, email support@televerify.org with your email and the exact error message you're seeing. We can investigate account access issues.
In the Settings tab, you toggle "Allow Emergency Override" and "Allow Established Patient Override." If these settings don't save:
Step 1: Wait and refresh — Sometimes there's a slight delay in the UI updating. Wait 5 seconds, then refresh the page. Do the settings persist after refresh?
Step 2: Check your admin permissions — Only admins with "settings edit" permissions can modify these toggles. If you don't have permission, you'll see the toggles but they won't save. Contact your organization's primary admin to verify you have settings edit permission.
Step 3: Try a different browser — Browser extensions or cached data can interfere. Try a different browser (Firefox vs. Chrome, etc.) to see if the issue persists.
Step 4: Contact support — If none of the above work, contact support@televerify.org. We can check the server logs to see why the settings update is failing.
If a check returned a compliance status you disagree with, investigate:
Step 1: Verify the provider's licensed states — Click on the provider in the Providers tab and confirm they're listed as licensed in the patient's state. If the provider's licensed states are wrong in TeleVerify, that explains the incorrect determination. Have the provider update their profile (see "A provider says their licensed states are incorrect").
Step 2: Verify the compact membership — If the check returned NON_COMPLIANT but should have returned COMPLIANT_VIA_COMPACT, check if the provider's compact memberships are correctly registered. The provider can update these in their profile.
Step 3: Review the signed packet — Click on the audit entry to see the full compliance packet. This shows exactly which states and compacts the system checked. Is the data in the packet correct?
Step 4: Contact support — If you believe the determination is wrong despite correct provider data, contact support with the audit entry details. There may be a bug in the verification logic.
Do not assume the determination is wrong. TeleVerify uses HHS licensing databases and official compact rosters, which are authoritative. If there's a discrepancy with your internal credentialing records, your records may be outdated.
Have a question not answered here? Email our compliance support team at support@televerify.org. We typically respond within 24 hours.