The promise of expanded access and operational efficiency has fueled an unprecedented surge in multi-state healthcare operations, particularly within the telehealth and medspa sectors. Yet, beneath this exciting frontier lies a formidable regulatory challenge: the Corporate Practice of Medicine (CPOM) doctrine. For founders, operators, and compliance officers, navigating CPOM is not merely a legal formality; it is the bedrock of sustainable business. In 2025-2026, as states refine their post-PHE telehealth stances and enforcement actions intensify, understanding and meticulously structuring operations to comply with CPOM is more critical than ever.
For more on this topic, see our analysis: The CPOM Gauntlet: Navigating Corporate Practice of Medicine Across State Lines in 2025-2026.
What is the Corporate Practice of Medicine (CPOM)?
At its core, CPOM is a legal doctrine that prohibits corporations, or other non-licensed entities, from practicing medicine or employing physicians to provide medical services. The rationale behind CPOM is to safeguard the integrity of the physician-patient relationship, prevent commercial interests from influencing clinical judgment, and ensure that medical decisions are made by licensed professionals, free from corporate control. While the specifics vary wildly by state, the general principle is clear: only licensed individuals or professional entities owned by licensed individuals can practice medicine.
For more on this topic, see our analysis: The CPOM Gauntlet: Navigating Corporate Practice of Medicine Across State Lines in 2025-2026.
This doctrine impacts a broad spectrum of healthcare businesses:
- Telehealth Brands: Especially those offering direct-to-consumer (DTC) services (e.g., weight loss, sexual health, mental health, dermatology).
- Medspas: Which often integrate medical procedures (injectables, lasers) with aesthetic services.
- Dental and Chiropractic Practices: While often governed by separate boards, similar principles apply to prevent unlicensed corporate control.
- Management Services Organizations (MSOs): Entities providing administrative and non-clinical support to professional practices.
The Multi-State Conundrum: A Patchwork of Regulations
The most significant challenge for expanding healthcare businesses is the lack of a uniform federal CPOM standard. Each state interprets and enforces CPOM differently, creating a complex, often contradictory, regulatory patchwork. What is permissible in Nevada might be strictly prohibited in New York or California. This necessitates a granular, state-by-state compliance strategy.
Strict CPOM States: New York, California, Texas
States like New York, California, and Texas are renowned for their stringent CPOM enforcement. In these jurisdictions, the prohibition against corporate control over medical practice is robust, often leading to aggressive scrutiny of business models that appear to compromise physician autonomy.
- New York: As highlighted in recent intelligence, New York maintains one of the nation's strictest CPOM doctrines. It explicitly prohibits corporations from employing physicians or practicing medicine. For telehealth companies, this mandates a robust Physician-Controlled Management Services Organization (PC-MSO) structure. The professional entity (PE) must be truly physician-owned and controlled, retaining complete clinical autonomy, including hiring/firing clinical staff and setting medical policies. The MSO's role is strictly limited to non-clinical administrative support, and any perceived influence over clinical decisions can trigger severe penalties from the New York State Education Department (NYSED) Office of Professional Discipline (OPD).
- California: Similar to New York, California rigorously enforces CPOM. The Medical Board of California actively investigates arrangements where non-physician entities exert control over medical practice. This means MSOs must be carefully structured to avoid any appearance of dictating clinical protocols, influencing physician compensation based on referrals, or owning medical records. The professional corporation (PC) must be owned by licensed California physicians.
- Texas: Texas also has a strong CPOM doctrine. While MSO models are common, the agreements must clearly delineate the MSO's non-clinical role and the physician group's absolute control over medical decisions. Enforcement can be particularly keen on arrangements that resemble fee-splitting or illegal referral inducements.
Flexible CPOM States: Nevada and Others
Some states, while technically having CPOM doctrines, exhibit a more flexible enforcement posture, often accommodating well-structured MSO models.
- Nevada: Nevada maintains a CPOM doctrine but is often considered more flexible than stricter states. It generally allows MSO models for telehealth and medspa businesses, provided specific guidelines are followed to preserve physician autonomy. The key is ensuring the MSO does not control clinical decision-making, physician employment, or engage in illegal fee-splitting. Meticulously drafted MSO agreements are crucial to clearly separate administrative support from clinical authority. This flexibility, however, is not an invitation for lax compliance; it still demands careful structuring and legal counsel.
States with Exceptions or Nuances
Other states may have specific carve-outs or different interpretations. For example, some states may allow certain types of entities (e.g., hospitals, non-profits) to employ physicians, or have different rules for specific specialties (e.g., optometry, podiatry).
The PC-MSO Model: A Primary Compliance Strategy
For multi-state telehealth and medspa operations, the Physician-Controlled Management Services Organization (PC-MSO) model has emerged as the predominant strategy for CPOM compliance. This structure involves two distinct entities:
- The Professional Entity (PE) / Professional Corporation (PC): This entity is owned and controlled exclusively by licensed physicians (or other licensed professionals, depending on the service and state). It employs the clinical staff (physicians, PAs, NPs) and delivers all medical services. The PE retains full authority over clinical decisions, patient care, and professional employment.
- The Management Services Organization (MSO): This entity is typically owned by non-physicians (e.g., the telehealth brand founders, investors). It provides all non-clinical administrative, technical, and management services to the PE under a Management Services Agreement (MSA). These services can include billing, marketing, IT, real estate, equipment, human resources (for non-clinical staff), and general business support.
Key Elements of a Compliant PC-MSO Structure:
- Clinical Autonomy: The PE must retain absolute control over all medical decisions, treatment protocols, hiring/firing of clinical staff, and setting professional fees. The MSO cannot dictate patient care.
- Fair Market Value (FMV) Compensation: All financial arrangements between the MSO and PE (e.g., management fees, equipment leases) must be at fair market value and commercially reasonable. They should not be tied to patient volume or revenue in a way that could be construed as illegal fee-splitting or inducements.
- Separate Identity: The MSO and PE must operate as distinct legal entities with separate governance, bank accounts, and operational responsibilities.
- MSA Precision: The Management Services Agreement (MSA) is the critical document. It must meticulously delineate the services provided by the MSO, the fees charged, and explicitly state the PE's retained clinical control. Ambiguity here is a significant risk.
- No Control Over Medical Records: While the MSO may provide IT services for electronic health records (EHRs), the PE must ultimately control access to and ownership of patient medical records.
Beyond CPOM: Intersecting Regulatory Challenges
While CPOM is central, it doesn't exist in a vacuum. Multi-state telehealth and medspa operations must concurrently navigate other critical compliance areas:
1. State-Specific Telehealth Regulations
Each state has its own rules regarding the establishment of a patient-provider relationship, permissible modalities (audio-only vs. audio-visual), and prescribing authority. For example, sexual wellness platforms must meticulously track these variations, especially concerning controlled substances, where the DEA's Ryan Haight Act and state medical/pharmacy board rules create a complex overlay. Similarly, chiropractic telehealth has specific limitations on remote consultations vs. hands-on procedures.
2. Informed Consent
Informed consent requirements for telehealth vary significantly by state. A general consent form is insufficient. Businesses must implement dynamic consent workflows that present state-specific disclosures, covering technology limitations, data privacy, and the scope of virtual care. (As per recent intelligence, this is a critical, state-specific requirement across all 50 states and D.C.).
3. Pharmacy Compliance
For businesses that prescribe medications, pharmacy board regulations are crucial. The District of Columbia, for instance, has specific rules on telehealth prescribing, compounding, and fulfillment. This includes ensuring proper patient-provider relationships, legitimate prescriptions, and using DC-licensed pharmacies for fulfillment, especially for compounded medications.
4. Anti-Kickback Statute (AKS) and Stark Law
The DOJ's intensified enforcement against telehealth fraud and kickback schemes means that financial relationships between the MSO, PE, and any third-party vendors (e.g., labs, pharmacies, lead generators) must be scrupulously compliant with AKS and Stark Law. Any arrangement that incentivizes referrals or is not at FMV poses a significant risk. This is particularly relevant for DTC telehealth weight loss brands, where financial models can easily be misconstrued as illegal inducements.
5. Supervision and Delegation
For practices utilizing PAs and NPs, state-specific supervision and delegation requirements are paramount. The Washington State Medical Commission (WMC) and Nursing Care Quality Assurance Commission (NCQAC), for example, emphasize robust, documented processes for ongoing collaboration and oversight in telehealth and medspa settings. This impacts who can perform procedures, the level of physician involvement, and the documentation required.
6. Billing and Coding
Telehealth billing and coding compliance is a constant challenge. Providers must navigate varying commercial insurance policies, use correct CPT/HCPCS codes, modifiers (e.g., -95, -GT, -GQ, -G0), and place of service (POS) codes (02 or 10). For self-pay models, price transparency and adherence to the No Surprises Act (for good faith estimates) are critical to avoid consumer protection issues.
Practical Checklist for Multi-State CPOM Compliance
To navigate the CPOM gauntlet effectively, consider the following actionable steps:
- State-Specific Legal Counsel: Engage healthcare regulatory counsel with deep expertise in each target state's CPOM and telehealth laws. A generalist approach is insufficient.
- Robust MSO/PE Structuring: Ensure your MSO and PE agreements (especially the MSA) are meticulously drafted to clearly delineate roles, responsibilities, and financial terms, explicitly preserving PE clinical autonomy.
- Physician Ownership & Control: Verify that the PE is genuinely owned and controlled by licensed physicians in each state of operation. Avoid any arrangements that dilute this control.
- Fair Market Value (FMV) Assessments: Obtain independent FMV opinions for all services and assets exchanged between the MSO and PE to mitigate AKS and Stark Law risks.
- Clinical Protocol Development: The PE, not the MSO, must develop and approve all clinical protocols, treatment guidelines, and quality assurance programs.
- Credentialing & Licensure: Implement rigorous processes for verifying and maintaining provider licensure in every state where services are rendered, including any necessary DEA registrations.
- Dynamic Informed Consent: Develop a system for obtaining and documenting state-specific informed consent for telehealth services.
- Compliance Program: Establish a comprehensive compliance program that includes regular audits, staff training on CPOM, AKS, and state-specific regulations, and a mechanism for reporting concerns.
- Documentation Excellence: Maintain impeccable documentation of all patient encounters, clinical decisions, and business arrangements to demonstrate compliance.
- Vetting Third-Party Vendors: Scrutinize all relationships with third-party vendors (e.g., marketing agencies, lead generators, pharmacies) to ensure they do not create illegal referral or fee-splitting arrangements.
What This Means For Your Practice
For telehealth founders, medspa owners, and healthcare executives eyeing multi-state expansion, CPOM is not a barrier to entry but a fundamental design constraint. Ignoring it invites severe legal, financial, and reputational consequences, including license revocation, civil monetary penalties, and even criminal charges. The Department of Justice's intensified enforcement actions underscore that federal authorities are actively scrutinizing business models that push the boundaries of legitimate practice.
Proactive, meticulous compliance is your competitive advantage. By investing in expert legal counsel, structuring your operations with precision, and fostering a culture of regulatory adherence, you can build a scalable, resilient healthcare enterprise that thrives in the complex regulatory environment of 2025-2026 and beyond. TrueEval stands ready to help you navigate this intricate landscape, transforming regulatory challenges into strategic opportunities for growth and innovation, while always prioritizing patient safety and ethical practice.
Further Reading
- The CPOM Gauntlet: Navigating Corporate Practice of Medicine Across State Lines in 2025-2026
- The Unseen Hand: Navigating Corporate Practice of Medicine (CPOM) in a Multi-State Telehealth Landscape
- The MSO Tightrope: Navigating CPOM Compliance Across Diverse State Landscapes in 2025-2026
- Navigating the Regulatory Gauntlet: CPOM, Telehealth Prescribing, and Enforcement in 2024
