Telehealth Platform Compliance: Ryan Haight Act and State Licensing Architecture

Telehealth platform compliance is a multi-layered problem that combines federal law, DEA regulation, and 50 independent state licensing regimes. The platforms that built large controlled substance prescribing businesses during the COVID-19 public health emergency operated under temporary DEA flexibilities that have since expired or been extended under increasingly constrained terms. The compliance architecture required to operate a telehealth prescribing platform in 2025 is substantially different from what was required in 2020, and many platforms have not yet completed the transition.

The Ryan Haight Act: Federal Framework for Telemedicine Prescribing

The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 generally prohibits practitioners from prescribing controlled substances by means of the internet — including through telemedicine — without an in-person medical evaluation of the patient. The practical effect is that controlled substances cannot be prescribed at an initial telehealth encounter unless the patient has previously had an in-person evaluation by a practitioner with a DEA registration.

The Act created seven exceptions to the in-person requirement. The most relevant for telehealth platforms are: telemedicine visits at a DEA-registered hospital or clinic, telemedicine visits where the prescribing practitioner is treating a patient at a DEA-registered practice in the same state, public health emergency declarations, and the special registration exception — which allows DEA to create a special registration category for practitioners who meet specified criteria. DEA proposed rules for the special registration pathway in 2023. As of 2025, the implementation remains incomplete, creating significant uncertainty for platforms that planned their compliance architecture around it.

COVID-19 Waivers and the Post-PHE Landscape

During the COVID-19 public health emergency, DEA issued blanket exceptions to the Ryan Haight in-person evaluation requirement, allowing practitioners to prescribe controlled substances to new telehealth patients without a prior in-person evaluation. Several major telehealth platforms built substantial business lines on this flexibility, including Schedule II through V prescribing for ADHD medications, buprenorphine for opioid use disorder, and anxiolytics.

The COVID-19 PHE ended in May 2023. The current regulatory posture — extensions, proposed rules, and partial implementation of the special registration pathway — creates a compliance environment where platforms must track active DEA notices and adjust prescribing workflows as the regulatory situation evolves.

Platforms that cannot prescribe Schedule II through IV controlled substances via telemedicine under post-PHE rules must implement patient referral workflows that route patients requiring those medications to in-person evaluation. The technical implementation — identifying when a prescription triggers the in-person requirement, routing the patient to the appropriate referral pathway, and documenting the referral decision — is a compliance engineering problem.

State Medical Licensing: The 50-Jurisdiction Problem

A physician licensed in New York cannot legally practise medicine on a patient located in California without a California medical licence. The patient's location at the time of the telemedicine encounter determines which state's licensing law applies. The platform must track the licence status of every practitioner in every state where they are permitted to see patients, and enforce the geographic restriction in the patient-practitioner matching logic.

The Interstate Medical Licensure Compact provides a streamlined multistate licensing pathway for physicians, but it is not a single licence — it is a compact that allows physicians to obtain licences in participating states through an expedited process. Real-time patient location verification is a compliance requirement, not just a user experience feature. Patients who travel across state lines during an existing care relationship create a specific compliance scenario that must be handled through the platform's session initiation workflow.

Prescribing Platform Architecture: Compliance Controls

A telehealth prescribing platform's compliance architecture must enforce at minimum: practitioner DEA registration validity verification before any controlled substance prescription, practitioner state licence verification for the patient's location at session initiation, Ryan Haight in-person evaluation history verification before controlled substance prescribing, and state-specific prescribing restrictions more limiting than the federal baseline.

These controls must be implemented at the platform layer, not as documentation requirements for practitioners. A practitioner who incorrectly attests that they have met an in-person evaluation requirement does not relieve the platform of liability for enabling a prescribing violation. Platform liability for telemedicine prescribing violations has been tested in federal enforcement actions, and the outcome has consistently been that platforms are responsible for the verification infrastructure that their practitioners rely on.

The Algorithm Approach: Telehealth Compliance Architecture

The Algorithm designs telehealth prescribing platform compliance architectures with licensing enforcement, DEA verification, and Ryan Haight controls implemented as system constraints rather than policy attestations. We build real-time practitioner credential verification integrations with state licensing boards and DEA systems, enforce geographic prescribing restrictions at session initiation, and implement prescribing history checks for controlled substance encounter workflows. Our regulatory team maintains current tracking of DEA telemedicine rules and state-level prescribing restrictions, ensuring the compliance architecture reflects the current legal environment.