The Regulatory Squeeze: DOJ, DEA, and FDA Intensify Scrutiny on Telehealth, Medspas, and Digital Health
Regulatory Roundup, March 5, 2026


Federal and state regulators are tightening their grip on telehealth and digital health, with a renewed focus on prescribing practices, financial arrangements, and AI integration. This surge in enforcement signals a critical juncture for providers and businesses navigating the evolving compliance landscape.


The rapid expansion of telehealth and digital health services has been a transformative force in healthcare, democratizing access and fostering innovation. However, this growth has also brought unprecedented scrutiny from federal and state regulators. Recent intelligence from the Department of Justice (DOJ), Drug Enforcement Administration (DEA), Office of Inspector General (OIG), and the Food and Drug Administration (FDA), alongside numerous state boards, reveals a concerted effort to ensure that innovation does not outpace compliance. The message is clear: the regulatory grace period is over, and a robust, proactive approach to compliance is no longer optional—it's a fundamental requirement for survival and growth.

This digest synthesizes the most critical trends emerging from recent enforcement actions and guidance, offering a roadmap for telehealth founders, medspa owners, practice groups, and investors to navigate this increasingly complex environment.

Theme 1: The Federal Hammer Falls – Intensified Enforcement on Prescribing and Financial Relationships

Recent actions from the DOJ, DEA, and OIG demonstrate a significant escalation in enforcement, particularly targeting telehealth's unique vulnerabilities. This isn't just about bad actors; it's about systemic risks within the digital health ecosystem.

Controlled Substances: The Post-PHE Reckoning

The expiration of the COVID-19 Public Health Emergency (PHE) waivers has fundamentally reshaped the landscape for controlled substance prescribing via telehealth. The DEA's intensified enforcement against telehealth companies for controlled substance violations and prescription drug diversion underscores a zero-tolerance policy for practices that bypass the spirit of the Ryan Haight Act. This means:

  • In-Person Exam Mandate: The default rule requiring an in-person medical evaluation for Schedule II-V controlled substances is back in full force, with only narrow exceptions. While the DEA has proposed new permanent rules, the current environment demands strict adherence to existing regulations. Businesses relying on purely virtual models for initial controlled substance prescriptions are operating at extreme risk.
  • Legitimate Medical Purpose: The DEA emphasizes that prescriptions must serve a legitimate medical purpose in the usual course of professional practice. This requires robust patient assessment, identity verification, and comprehensive documentation. Companies with 'pill mill' characteristics, meaning high-volume, rapid-fire prescribing with minimal patient interaction, are prime targets.
  • Organizational Accountability: Enforcement extends beyond individual prescribers to the entire telehealth organization. Companies are expected to implement stringent internal controls, training, and auditing mechanisms to prevent diversion. This includes monitoring prescribing patterns and ensuring compliance with 'bona fide' patient-prescriber relationship requirements.

Actionable Insight: Telehealth platforms, mental health providers, and pain management clinics must immediately audit their controlled substance prescribing protocols. This may necessitate integrating in-person components, partnering with local providers, or significantly enhancing virtual evaluation standards. For medspas and dental practices that occasionally prescribe controlled substances (e.g., for anxiety or post-procedure pain), vigilance is equally critical. Ensure every controlled substance prescription, even for a short course, is preceded by a compliant medical evaluation.

Stark Law and Anti-Kickback Scrutiny in Digital Health

The DOJ's intensified Stark Law scrutiny on telehealth physician self-referral arrangements signals a critical shift. Historically focused on traditional practices, enforcement now clearly extends to the digital realm. The core principle remains: financial relationships that could improperly influence referrals for Designated Health Services (DHS) are prohibited unless they fit squarely within a Stark Law exception.

  • Broad Scope: This applies to any arrangement where a physician (or their immediate family) has a financial relationship with an entity providing DHS (e.g., lab testing, imaging, durable medical equipment) and refers patients to that entity. This includes common telehealth integrations like affiliated labs or diagnostic services.
  • Indirect Compensation: Regulators are vigilant about arrangements that might appear benign but could be construed as indirect compensation or disguised referrals, such as volume-based compensation for telehealth providers who refer to an affiliated lab.

Actionable Insight: All healthcare businesses, especially telehealth brands, medspas, and practices with ancillary services, must thoroughly re-evaluate all physician compensation models, joint ventures, and referral agreements. Proactive legal review of all financial relationships, particularly those involving physicians and entities providing DHS, is essential to mitigate significant regulatory risk.

Theme 2: The Patchwork of State Regulations – Licensure, CPOM, and Telehealth Parity

While federal agencies focus on fraud and abuse, state medical boards and legislatures continue to define the parameters of telehealth practice, creating a complex, state-specific compliance matrix.

Multi-State Licensure and Practice Standards

The challenge of navigating multi-state telehealth hormone optimization exemplifies the broader issue: medical licensure and the practice of medicine are regulated at the state level. A provider must be licensed in every state where their patient is located at the time of service delivery.

  • Valid Patient-Provider Relationship: States have varying definitions of what constitutes a 'valid patient-provider relationship' via telehealth, ranging from requiring initial in-person exams to synchronous audio-visual encounters. Missouri's specific requirements for establishing a valid relationship are a case in point, necessitating robust, interactive audio-visual encounters for prescribing.
  • Scope of Practice and Supervision: State boards, like the Indiana Medical Board, are emphasizing compliance with professional practice standards, appropriate supervision, and adherence to scope of practice, especially in medspas. Vermont's evolving rules for PAs and NPs highlight the divergence: NPs may have full practice authority, while PAs still require collaborative agreements, impacting supervision models for telehealth and medspas.

Actionable Insight: Businesses expanding across state lines must implement robust systems for verifying patient location and provider licensure. A 'one-size-fits-all' approach is insufficient. Develop dynamic compliance protocols that adapt to each state's specific regulations, including those for establishing a patient-provider relationship, prescribing, and supervision. For medspas, ensure medical directors are licensed in every state of operation and actively engaged in oversight, aligning with state-specific delegation rules.

Corporate Practice of Medicine (CPOM) – A Persistent Hurdle

CPOM doctrines, like those in Nebraska, continue to shape business structures, prohibiting unlicensed entities from employing physicians or controlling medical decision-making. This is particularly relevant for telehealth and medspas.

  • MSO Models: The Management Services Organization (MSO) model remains the primary compliant structure. The MSO provides administrative services, while the professional entity (owned by licensed professionals) delivers clinical care. The key is to ensure the MSO does not exert control over clinical decisions or engage in prohibited fee-splitting.
  • Medspa Scrutiny: Medspas, combining medical procedures with aesthetic services, face intense scrutiny. Medical procedures must be performed under the supervision and direction of a licensed physician, and the clinical entity must comply with CPOM. Non-physician ownership of the clinical side is generally prohibited.

Actionable Insight: Any healthcare business, especially those with non-clinician founders or investors, must carefully structure their operations to comply with CPOM laws in every state they operate. Legal counsel specializing in healthcare MSO structures is indispensable to avoid severe penalties, including license revocation and criminal charges for illegal corporate practice.

Telehealth Parity and Payer Compliance

State-specific telehealth parity laws significantly impact coverage and reimbursement. These laws vary widely, dictating whether health plans must cover telehealth services at the same rate and to the same extent as in-person services.

  • Payer-Specific Policies: Beyond state laws, telehealth billing and coding compliance requires meticulous adherence to payer-specific policies, proper CPT/HCPCS coding, and transparent financial practices. Inadequate documentation is a primary driver of audit findings and recoupments.
  • Self-Pay Transparency: Even self-pay models carry obligations for transparent pricing and adherence to consumer protection laws.

Actionable Insight: Proactively verify patient eligibility, benefits, and payer-specific telehealth coverage policies. Implement robust systems for tracking diverse state parity laws and payer rules. Invest in ongoing staff training and regular internal audits of billing practices to mitigate fraud, waste, and abuse risks.

Theme 3: The Digital Frontier – FDA Oversight of AI and Diagnostics

The integration of advanced technology, from at-home diagnostics to AI-powered clinical decision support, is under increasing FDA scrutiny, balancing innovation with patient safety.

At-Home Diagnostics: Verification is Key

The FDA's oversight of at-home diagnostic testing kits means that any kit used in telehealth models must be FDA-authorized, properly labeled, and used within its intended scope. Utilizing unauthorized or misbranded kits, even inadvertently, exposes practices to enforcement actions.

Actionable Insight: Conduct thorough due diligence on any diagnostic kit recommended or distributed. Verify FDA authorization status, understand intended use and limitations, and ensure all labeling and promotional materials are accurate. Providers must ensure results are interpreted by qualified personnel and integrated into a comprehensive care plan, aligning with both federal device regulations and state practice standards.

AI-Powered Clinical Decision Support: Navigating the Regulatory Gray Area

The FDA's evolving oversight of AI-powered Clinical Decision Support (CDS) software and the regulatory and liability landscape for AI-assisted CDS highlight a critical distinction: is your AI tool a regulated medical device or unregulated health software? The key lies in its intended use and the level of clinical judgment it replaces or augments.

  • Medical Device vs. Health Software: If an AI algorithm provides a definitive diagnosis without substantial human clinician review, or dictates a treatment protocol that could cause harm, it's more likely a regulated medical device. Tools that merely provide information for a clinician to consider are generally not.
  • Liability and Professional Judgment: The liability for adverse outcomes from AI recommendations ultimately rests with the supervising licensed professional. AI is a tool to augment, not supersede, professional expertise.
  • Data Privacy: AI tools process vast amounts of sensitive patient data, making HIPAA and state privacy law adherence paramount. Ensure AI vendors have appropriate data security measures and BAAs are in place.

Actionable Insight: Telehealth platforms, medspas, dental practices, and chiropractic offices leveraging AI must establish robust internal processes for evaluating new AI/ML tools. Conduct vendor due diligence, understand the regulatory status (FDA clearance if applicable), and implement clear policies for AI usage, staff training, and documentation of independent clinical review of AI-generated insights. Prioritize data security and privacy in all AI integrations.

Pharmaceutical Advertising in the Digital Age

The FDA's clarification on direct-to-consumer telehealth pharmaceutical advertising requirements is a crucial reminder for any business marketing prescription drugs or services that lead to prescriptions. The principles of 'fair balance,' risk disclosure, and substantiation of claims apply rigorously to digital promotions.

Actionable Insight: Ensure all promotional materials maintain a 'fair balance' between benefits and risks, prominently displaying safety information. All claims must be truthful, non-misleading, and substantiated by evidence. Rigorous internal review processes are essential to prevent unsubstantiated claims or misleading portrayals, especially for services promoting conditions treated by specific prescription drugs.

What This Means For Your Practice

The current regulatory environment demands a proactive and integrated approach to compliance. The days of viewing compliance as a separate, reactive function are over. It must be woven into the very fabric of your business strategy and operations.

  • Invest in Robust Compliance Programs: The OIG's emphasis on compliance program guidance is a direct call to action. This includes written policies, designated compliance personnel, ongoing training, regular auditing, and clear enforcement mechanisms. For multi-state operators, this means a dynamic program that adapts to a patchwork of federal and state laws.
  • Prioritize Legal Counsel: Engage experienced healthcare regulatory counsel early and often. The complexity of these regulations is such that attempting to navigate them without expert guidance is a significant risk.
  • Due Diligence is Non-Negotiable: Whether evaluating a new diagnostic kit, an AI tool, a potential MSO partner, or a multi-state expansion, thorough due diligence on regulatory compliance is paramount.
  • Culture of Compliance: Foster a culture where compliance is everyone's responsibility, from the front-line provider to the executive suite. Encourage reporting of concerns and demonstrate leadership's commitment to ethical practices.

The regulatory landscape for telehealth, medspas, and digital health is not merely evolving; it is maturing rapidly. Those who proactively embrace stringent compliance measures will not only mitigate risk but also build a foundation of trust and integrity that will be essential for long-term success in the digital healthcare era. Ignoring these signals is an invitation for severe penalties, reputational damage, and ultimately, operational failure. TrueEval stands ready to partner with you in building and maintaining this critical compliance infrastructure.
