Want to create interactive content? It’s easy in Genially!

Get started free

Governance, Oversight & Security Essentials - Caleb Leibee DO

Emily Sheehy

Created on February 22, 2026

Start designing with a free template

Discover more than 1500 professional designs like these:

Magazine dossier

Momentum: Onboarding Escape Game

Momentum: Manager Guide

Wizardry Letter

Search Bar Card

Piñata

Microlearning: When to Use Chat, Meetings or Email

Explore all templates

Transcript

Governance, Oversight & Security Essentials

Caleb Leibee DO
Emergency Medicine Physician Digital Health & Telemedicine

Start

Governance, Oversight & Security Essentials

TELEHEALTH expands access and complexity

WHY GOVERNANCE EXISTS

Care without physical proximity introduces new risksRules protect patients, clinicians, and institutionsGovernance allows innovation without compromising safety

LECTURE FRAMEWORK

Use this framework for every telehealth scenario

POLICY

LAW

Rules set by payers or organizations

What you must comply with

BEST PRACTICE

TEMPORARY

Professional judgement

Waivers, extensions, and evolving rules

  • Often where artificial intelligence and new technology live

We will apply this framework repeatedly to real cases

Governance, Oversight & Security Essentials

who the players are

KNOW THEIR ROLES

STATE AUTHORITIES
FEDERAL REGULATORS
STANDARDS & ACCREDITATION

LICENSURE & STANDARD OF CARE

Law & Enforcement

NOT LAW

  • State medical boards
  • State licensure laws
  • State privacy and consent laws
  • Department of Health and Human Services (HHS)
  • Centers for Medicare & Medicaid Services (CMS)
  • Drug Enforcement Administration (DEA)
  • Food and Drug Administration (FDA)
  • Federal Trade Commission (FTC)
  • The Joint Commission
  • National Committee for Quality Assurance (NCQA)
  • Utilization Review Accreditation Commission (URAC)
  • American Telemedicine Association (ATA)
  • Federation of State Medical Boards (FSMB)
Governance, Oversight & Security Essentials

the case: A realistic scenario

A 74-year-old man with limited mobility
  • Lives in Pennsylvania
  • Cannot easily leave home
  • Wants a video visit with his primary care physician (PCP) in New Jersey
Question

Who can legally care for him — and under what rules?

The next day:

Weeks later:

  • Develops depression
  • Wants to see his psychiatrist, who practices in New York
  • Suffers an acute stroke
  • Transported by ambulance
  • Treated by a stroke neurologist
Governance, Oversight & Security Essentials

why this case is hard

And useful

This single patient creates a collision of:
We will figure this out —

but first, we need to understand the rules and the players.

  • Interstate licensure
  • Emergency vs non-emergency telehealth
  • Primary care vs mental health
  • Controlled substance prescribing
  • Platform and data governance

Governance, Oversight & Security Essentials

FEderal Law vs State Law

Telehealth lives at the intersection of both

FEDERAL LAW GOVERNS

  • Privacy and security (Health Insurance Portability and Accountability Act — HIPAA)
  • Controlled substances (Drug Enforcement Administration — DEA)
  • Regulated medical devices and software (Food and Drug Administration — FDA)
  • Consumer health data outside HIPAA (Federal Trade Commission — FTC)

STATE LAW GOVERNS

  • Medical licensure
  • Scope of practice
  • Standard of care
  • Additional consent and privacy rules

For licensure and standard-of-care purposes:
Governance, Oversight & Security Essentials
  • Telehealth is typically treated as occurring where the patient is located
  • This determines licensure requirements

Where Telehealth Is Treated as Occurring

Example:

New Jersey physician + Pennsylvania patient → Pennsylvania authority usually required

Distorts the true relationship

There is no national telehealth license
Legal pathways include:

Governance, Oversight & Security Essentials

Full license in the patient’s state

Lawful Ways

Interstate Medical Licensure Compact

to Practice Across State Lines

Expedited licensure pathway

State-specific telehealth registration programs

Limited emergency or consult exceptions

Privacy and security are not optional
  • HIPAA applies to covered entities
  • Applies equally to in-person and telehealth care
  • Applies to video, audio-only, and asynchronous care

Governance, Oversight & Security Essentials

HIpaa is law

Important Nuance
  • Many consumer health apps are not covered by HIPAA

Distorts the true relationship

Governance, Oversight & Security Essentials

DEA & Controlled Substance Prescribing

Controlled substances are governed at the federal level

KEY PRINCIPLES:

  • The Drug Enforcement Administration (DEA) regulates prescribing
  • Federal law applies regardless of telehealth modality
  • Telehealth prescribing exceptions have been temporarily extended, not eliminated

CORE RULE TO REMEMBER

  • If you are not authorized in the patient’s state, you generally cannot prescribe controlled substances for that patient

Programs must continuously monitor DEA updates.

Governance, Oversight & Security Essentials

FDA & Telehealth Technology

KEY DISTINCTION:

When does the Food and Drug Administration (FDA) matter?

FDA clearance means a tool is approved for a specific medical use — not that every telehealth platform requires FDA oversight.

FDA regulates:

  • Medical devices
  • Certain remote patient monitoring tools
  • Some artificial intelligence diagnostic software
  • Software as a Medical Device (SaMD)

FDA does NOT regulate:

  • Routine video visit platforms
  • General teleconferencing software

FTC Health Breach Notification Rule

KEY TAKEAWAY:

Non-HIPAA tools still carry risk

HIPAA is not the only data enforcement framework.

  • Federal Trade Commission (FTC) oversight
  • Applies to many health and wellness apps
  • Requires breach notification even without HIPAA coverage

WHAT POLICY ACTUALLY IS

POLICY IS NOT LAW

Policy Includes:

  • Rules created by payers
  • Organizational standards
  • Coverage criteria
  • Operational requirements

Governance, Oversight & Security Essentials

Policy Determines:

  • How care is delivered
  • Whether care is paid for

Policy does not override licensure law

REIMBURSEMENT POLICY

HIGH LEVEL

Who Controls Payment Rules?

  • Medicare (federal policy via CMS)
  • Medicaid (state-specific policy)
  • Commercial insurers
  • Employer plans

Governance, Oversight & Security Essentials

Important Reality:

  • Some telehealth policies are permanent
  • Others remain time-limited and adjustable

Details are addressed in a separate update lecture

HEALTH SYSTEM POLICY

LOCAL RULES MATTER

Health Systems May Define:

  • Approved telehealth platforms
  • Documentation standards
  • Credentialing and privileging requirements
  • Artificial intelligence tool approval

Governance, Oversight & Security Essentials

Violating policy may not be illegal— but it can still end careers.

A Brief Timeline

2020

Governance, Oversight & Security Essentials

Broad emergency telehealth waivers

2023

covid to now:

Public Health Emergency ends

why change is constant

2024 - 2026

Gradual tightening and selective permanence

Lesson

Telehealth rules are dynamic, not static

assume change
Anything involving:

Reimbursement

Governance, Oversight & Security Essentials

Practical Takeaway

Prescribing

Modality

Patient Location

→ must be actively monitored
law and policy

Governance, Oversight & Security Essentials

rarely cover every scenario

why best

Best Practice:

practice matters

  • Protects patients
  • Protects clinicians
  • Protects institutions
  • Allows responsible innovation
not a checkbox—
a process

Governance, Oversight & Security Essentials

informed

Best Practice Includes:

of virtual exams and escalation options in the patient’s environment

  • Limits
  • Alternatives
  • Privacy risks

consent in telehealth

Artificial intelligence nuance: Transparency when AI tools are used in care or documentation.

TELEHEALTH does not lower expectations

Governance, Oversight & Security Essentials

Same professional duty

STANDARD OF CARE

Same accountability

Often lower threshold for escalation

In Some Cases, telehealth requires a higher index of caution

Governance, Oversight & Security Essentials

clinical risk management

Preventable predictable failures
Asynchronous care:

requires clear boundaries for response time and escalation.

  • Define what is inappropriate for telehealth
  • Establish escalation triggers
  • Plan for emergencies
Governance, Oversight & Security Essentials

Platform & Artificial

Intelligence Governance

Artificial Intelligence documentation tools:
Baseline expectations:
  • Is protected health information stored or reused?
  • Is data used for model training?
  • Does a clinician review outputs before they enter the medical record?
  • Encryption
  • Access controls
  • Audit logs
  • Business Associate Agreement (BAA)
Governance, Oversight & Security Essentials

security governance

clinician level

Security is a shared responsibility
Security failures

affect licensure and trust.

  • Verify patient identity and location
  • Do not use unapproved recording tools or screenshots
  • Report suspected breaches immediately

Governance, Oversight & Security Essentials

returning to the case:

Different care, different rules

We now apply the framework by type of care

Acute Stroke Care

Primary Care (PCP)

Psychiatry and mental health

Each has distinct legal and policy implications

Governance, Oversight & Security Essentials

pcp in new jersey

PRIMARY CARE TELEMEDICINE, POST-JAN 31, 2026

LAW
BEST PRACTICE
POLICY
  • For Original Medicare, most routine primary care telehealth is no longer covered from the patient’s home
  • Coverage generally reverts to rural + medical facility originating sites
  • Exceptions may exist via Medicare Advantage, Accountable Care Organizations, or
  • commercial payers
  • Patient is in Pennsylvania → PCP generally must have Pennsylvania licensure or
  • authorization
  • Licensure is determined by patient location
  • Document patient location and consent every visit
  • Telehealth for PCPs is now limited and situational
  • Use for triage, coordination, or select follow-ups
  • Establish a local in-person pathway for homebound patients
  • Clearly document limitations of virtual primary care
Governance, Oversight & Security Essentials

Stroke neurologist

ACUTE STROKE TELEMEDICINE

LAW
BEST PRACTICE
POLICY
  • Medicare continues to allow telehealth for acute stroke diagnosis, evaluation, and treatment
  • Includes emergency departments, hospitals, and mobile stroke units
  • Acute stroke care remains a specific carve-out despite broader telehealth tightening
  • Licensure still typically tracks patient location
  • Hospitals manage this via credentialing, privileging, and multi-state licensure
  • Emergency consilt exceptions may apply in limited settings
  • Pre-defined telestroke protocols
  • Clear imaging, transfer, and escalation pathways
  • Focus on time-to-treatment metrics
Governance, Oversight & Security Essentials
TEMPORARY

Psychiatrist in new york

  • DEA telemedicine prescribing flexibilities are extended through December 31, 2026
  • Permanent federal framework is still pending

MENTAL & BEHAVIORAL HEALTH TELEMEDICINE

LAW
BEST PRACTICE
POLICY
  • Medicare continues to broadly allows telehealth for mental and behavioral health
  • Services may be delivered in the patient's home
  • Audio-only may be permitted when clinically appropriate
  • Patient is in Pennsylvania -> psychiatrist generally must have Pennsylvania licensure or authorization
  • Controlled substance prescribing governed by the Drug Enforcement Administration (DEA) and state law
  • Suicide risk assessment and safety planning
  • Local emergency contacts and crisis pathways
  • Conservative prescribing with careful documentation
PRIMARY CARE
  • Most restricted post-2026
  • Limited Medicare coverage from home
  • Requires strong in-person backup

Governance, Oversight & Security Essentials

Case summary:

ACUTE STROKE
  • Protected clinical exception
  • Broad telehealth allowance remains
  • Protocol-driven emergency care

how the rules differ by type of care

MENTAL & BEHAVIORAL HEALTH
  • Most durable telehealth support
  • Home-based care remains common
  • Prescribing rules remain under active scrutiny

Bottom Line: Different care types -> different telehealth rules

Governance, Oversight & Security Essentials

staying current

Do not memorize—

your dashboard

know where to look

  • Licensure & General Rules: Telehealth.HHS.gov, Federation of State Medical Boards
  • Reimbursement Policy: Centers for Medicare & Medicaid Services updates, payer bulletins
  • Controlled Substances: Drug Enforcement Administration announcements
  • Privacy & Security: HHS Office for Civil Rights
  • Artificial Intelligence Guidance: American Telemedicine Association and specialty societies
Governance, Oversight & Security Essentials

Telehealth Governance & Regulation - References

  • American Telemedicine Association. Practice Guidelines for Telehealth. American Telemedicine Association, www.americantelemed.org/resources/practice-guidelines/.
  • Centers for Medicare & Medicaid Services. Telehealth Services. CMS, www.medicare.gov/coverage/telehealth.
  • Centers for Medicare & Medicaid Services. Telehealth Policy Updates. CMS, www.cms.gov/medicare/telehealth.
  • Epstein Becker Green. Telemental Health Laws: 2026 Overview. Epstein Becker Green, 2026, www.ebglaw.com/insights/publications/telemental-health-laws-2026-overview.
  • Federation of State Medical Boards. U.S. States and Territories Modifying Licensure Requirements for Telehealth in Response to COVID-19. FSMB, www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf.
  • Federation of State Medical Boards. Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine. FSMB, www.fsmb.org/siteassets/advocacy/policies/fsmb-telemedicine-policy.pdf.
  • Food and Drug Administration. Digital Health Policy Navigation. U.S. Food and Drug Administration, www.fda.gov/medical-devices/digital-health-center-excellence/digital-health-policy-navigation.
  • Food and Drug Administration. Software as a Medical Device (SaMD). U.S. Food and Drug Administration, www.fda.gov/medical-devices/software-medical-device-samd.
  • Health Resources and Services Administration. Telehealth Programs. U.S. Department of Health and Human Services, telehealth.hhs.gov.
  • Office for Civil Rights. HIPAA and Telehealth. U.S. Department of Health and Human Services, www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html.
  • Office for Civil Rights. Guidance on HIPAA & Audio-Only Telehealth. U.S. Department of Health and Human Services, www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html
  • Drug Enforcement Administration. Telemedicine Prescribing of Controlled Substances. U.S. Department of Justice, www.deadiversion.usdoj.gov/telemedicine.html.
  • U.S. Department of Health and Human Services. DEA and HHS Extend Telemedicine Flexibilities for Controlled Substances Through 2026. HHS Press Office, www.hhs.gov/press-room/dea-telemedicine-extension-2026.html.
  • Federal Trade Commission. Health Breach Notification Rule. Federal Trade Commission, www.ftc.gov/business-guidance/privacy-security/health-breach-notification-rule
  • The Joint Commission. Telehealth Accreditation Program. The Joint Commission, www.jointcommission.org/accreditation/telehealth.
  • National Committee for Quality Assurance. Virtual Care Accreditation. NCQA, www.ncqa.org/programs/health-care-providers-practices/virtual-care-accreditation/.
  • National Institute of Standards and Technology. An Introductory Resource Guide for Implementing the HIPAA Security Rule (SP 800-66 Rev. 2). NIST, 2024, csrc.nist.gov/publications/detail/sp/800-66/rev-2/final.
  • Health Affairs. Regulating Telemedicine: Policy, Payment, and Practice. Health Affairs, www.healthaffairs.org

Caleb Leibee DO

Emergency Medicine Physician| Digital Health & Telemedicine Sarasota, FL crleibee@me.com