Healthcare IT, HIPAA, Regulatory Updates ClearPath Compliance

Telehealth in 2025: Navigating the New Regulatory Landscape

As telehealth becomes a permanent part of healthcare in 2025, new federal and state regulations are reshaping how providers deliver virtual care. From reinstated geographic restrictions to expanded audio-only coverage, understanding the evolving rules is essential to stay compliant and avoid costly penalties. ClearPath Compliance breaks down what every practice must know to navigate this complex landscape confidently.

By Drew Duffy | ClearPath Compliance

Introduction

Telehealth has evolved from a temporary solution during the COVID-19 pandemic to a permanent fixture in modern healthcare delivery. As we move further into 2025, healthcare providers must adapt to a rapidly changing regulatory environment to ensure compliance and continue delivering quality care.

1. Reinstatement of Pre-Pandemic Restrictions

The Centers for Medicare & Medicaid Services (CMS) has begun reinstating certain telehealth policies that were relaxed during the public health emergency. These changes include:

  • Geographic Restrictions: Telehealth services are now limited to rural areas and specific healthcare settings.

  • Eligible Providers: Only certain healthcare professionals are authorized to offer telehealth services.

  • In-Person Visit Requirements: Some services now require an in-person visit within a specified timeframe.

These reinstatements aim to balance the convenience of telehealth with the need for in-person evaluations in certain situations.

2. Expansion of Telehealth Services

Despite the reinstatement of some restrictions, there have been notable expansions in telehealth services:

  • Coverage for Additional Services: Medicare now covers a broader range of telehealth services, including physical therapy and occupational therapy.

  • Audio-Only Telehealth: CMS has permanently expanded the definition of "interactive telecommunications system" to include two-way, real-time audio-only communication, allowing providers to offer services to patients who may not have access to video technology.

These expansions aim to increase access to care, particularly for patients in underserved areas.

3. Interstate Licensure Compacts

To address the challenges of providing telehealth across state lines, several licensure compacts have been established:

  • Interstate Medical Licensure Compact (IMLC): Allows physicians to practice in multiple states with a single license.

  • Nurse Licensure Compact (NLC): Permits nurses to practice in member states without obtaining additional licenses.

These compacts facilitate the delivery of telehealth services across state lines, improving access to care for patients in various regions.

4. Enhanced HIPAA Compliance Requirements

The U.S. Department of Health and Human Services (HHS) has proposed new regulations to enhance cybersecurity protections for electronic protected health information (ePHI) under HIPAA. Key proposed changes include:

  • Mandatory Annual Technical Inventories: Healthcare providers must conduct annual inventories of their technical systems.

  • Enhanced Vendor Oversight: Business associates must notify entities within 24 hours of activating a contingency plan.

  • Mandatory Multi-Factor Authentication (MFA): Providers must implement MFA for accessing ePHI.

  • Encryption Standards: All ePHI must be encrypted both at rest and in transit.

These proposed changes aim to strengthen security controls and reduce breach risks, ensuring greater protection of ePHI.

5. State-Specific Regulations

In addition to federal regulations, healthcare providers must navigate state-specific laws that govern telehealth practices. These laws can vary significantly and may include:

  • Consent Requirements: Some states require explicit patient consent for telehealth services.

  • Prescribing Regulations: Certain states have specific rules regarding the prescription of medications via telehealth.

  • Record-Keeping Mandates: States may impose additional documentation requirements for telehealth encounters.

It's essential for providers to familiarize themselves with the telehealth regulations in each state where they practice to ensure compliance.

Conclusion

The telehealth landscape in 2025 presents both opportunities and challenges for healthcare providers. By staying informed about the latest regulatory changes and implementing robust compliance strategies, providers can continue to offer high-quality care while mitigating legal and financial risks.

At ClearPath Compliance, we specialize in helping healthcare organizations navigate the complexities of telehealth regulations. Contact us today to learn how we can support your compliance efforts.


The Hidden Threat in 2025: Why Third-Party Vendor Risk Could Be Your Practice’s Compliance Time Bomb

As healthcare regulations tighten in 2025, one of the biggest compliance threats isn’t coming from inside your practice — it’s coming from your vendors. From billing firms to IT providers, third-party partners can quietly expose your organization to HIPAA violations, financial penalties, or worse. In this essential guide, ClearPath Compliance breaks down the rising federal scrutiny on business associates, the most overlooked risks in small practices, and what every provider must do to stay protected.

By Drew Duffy | ClearPath Compliance Founder/CEO

The Quiet Compliance Killer

In the complex world of healthcare regulation, the most dangerous threats often come from the least obvious places. While most practices focus heavily on HIPAA training, audit prep, and coding accuracy, many overlook a crucial blind spot: third-party vendor risk.

From your billing company to your IT provider to the cloud service that stores patient documents — these “behind-the-scenes” vendors could be exposing your practice to regulatory violations, data breaches, or even federal penalties.

And in 2025, the stakes have never been higher.

A Regulatory Crackdown on Vendor Oversight

Over the past 18 months, regulators at the Office for Civil Rights (OCR), Centers for Medicare & Medicaid Services (CMS), and even the Federal Trade Commission (FTC) have sharpened their focus on third-party vendors in healthcare. This is largely in response to several high-profile data breaches — including Change Healthcare’s February 2024 ransomware attack, which exposed sensitive health information tied to nearly 1 in 3 Americans [1].

In a 2024 statement, OCR Director Melanie Fontes Rainer said:

"Covered entities cannot outsource accountability. Business associates must be monitored, audited, and held to the same privacy and security standards as internal staff." [2]

Translation: You’re responsible for your vendors. And in 2025, regulators are coming to verify that you know it.

Real-World Risks for Small Practices

Let’s break this down with examples that directly impact smaller providers and clinics:

| Vendor Type | Compliance Risk |
|---|---|
| IT & Cloud Storage | Poorly secured servers can lead to HIPAA breaches or data loss |
| Billing & RCM Firms | Improper coding, unverified licenses, or kickback exposure under the Stark and Anti-Kickback laws |
| Telehealth Platforms | Unvetted APIs or third-party data analytics without BAAs |
| Marketing Vendors | Sharing patient data for testimonials or ad targeting = HIPAA violation |
| Credentialing Services | Falsified documents or inconsistent monitoring can expose you to liability |

The No-Surprises Act Connection

The No Surprises Act also makes vendors a potential source of legal exposure — especially in how they manage cost estimates, out-of-network data, or coordination with insurance carriers. If your outsourced vendors don’t comply with federal guidelines for transparency, your name ends up on the penalty notice.

What You Should Be Doing Right Now

Here's what ClearPath Compliance recommends all healthcare providers implement immediately:

1. Review All Business Associate Agreements (BAAs)

  • Ensure each is current, signed, and explicitly defines security expectations.

  • Include a right to audit clause whenever possible.

2. Vet Vendors Like You’d Vet an Employee

  • Check licensing, insurance, references, and data protection practices.

  • Use a standardized vendor risk checklist — we can provide one.

3. Audit Your Critical Vendors Annually

  • Especially for billing, IT, and cloud storage partners.

  • Document everything — OCR considers written records essential.

4. Limit Data Access

  • Follow the “minimum necessary” rule with vendors just as you would internally.

  • Use role-based access and data encryption wherever possible.

5. Train Your Staff

  • Staff should know how to spot a suspicious vendor request or data access pattern.

  • Ensure everyone understands the importance of vendor security awareness.

Closing Thought

You may trust your vendors — but that won’t protect you if something goes wrong.

In 2025, federal agencies are making it crystal clear: outsourced does not mean off the hook. The healthcare organizations that stay ahead are the ones who treat vendor risk with the same urgency as HIPAA compliance or audit readiness.

At ClearPath Compliance, we help clinics like yours identify hidden risks, tighten policies, and build a defensible posture against government scrutiny. Don’t let a trusted partner become your weakest link.

📚 Sources:

  1. HHS Statement on Change Healthcare Cyberattack

  2. OCR Director Remarks on Business Associate Oversight

  3. FTC Health Breach Notification Rule Update

© ClearPath Compliance 2025
Need help reviewing your vendor risk? Call us at 1-888-996-8376 or Contact Us for a free consultation.


Under the Microscope: Looming Medicare & Medicaid Overhauls That Could Shake Your Practice to Its Core

As April 2025 ushers in sweeping Medicare fee‑schedule rewrites and controversial Medicaid data‐sharing pacts, independent practices face a looming ‘winners and losers’ divide—where delayed action could mean lost revenue, compliance nightmares, and patient trust on the line. Ready to turn regulatory upheaval into your competitive edge? Discover how ClearPath Compliance’s Integrated Response Framework keeps your practice protected, profitable, and poised for growth.

July 17, 2025


In April 2025, Washington unveiled a flurry of Medicare and Medicaid policy shifts that—while touted as cost‑containment and quality‑of‑care measures—carry the potential to undercut patient access and saddle providers with new layers of risk. From radical payment‑model rewrites to unprecedented data‑sharing pacts, these changes demand immediate attention. Without a proactive strategy, healthcare organizations could find themselves scrambling to stay compliant—or worse, fighting for their financial survival.

1. Medicare’s Double‑Edged Payment Proposals

On July 15, 2025, CMS floated a rule that would boost physician fees by up to 3.8% in 2026—but only for those in certain alternative payment models. Others would see a smaller 3.3% increase, effectively rewarding large, value‑based systems over small or independent practices. More ominously, on July 16, 2025, CMS proposed an $8.1 billion increase in hospital outpatient payments while simultaneously slashing reimbursement for high‑cost services like chemotherapy, in a push toward “site‑neutral payments” that pay the same whether care is delivered in a hospital or a private office.

These shifts are far from benign:

  • Winners & Losers: Practices unable to join advanced payment models risk seeing their Medicare revenue fall further behind peers.

  • Operational Overhaul: Changing reimbursement indices and billing codes will strain EHR and billing teams, raising denials and compliance flags.

  • Patient Impact: Site‑neutral cuts may force hospitals to shift oncology and other specialty services back to outpatient clinics ill‑equipped to handle complex cases.

2. Medicaid on the Chopping Block—and Under ICE Surveillance

While providers grapple with Medicare’s mixed bag, Medicaid now faces two parallel storms: massive federal spending cuts and a controversial data‑sharing deal. In April 2025, the U.S. House budget resolution set the stage for $880 billion in Medicaid cuts over the next decade, a move that experts warn could strip coverage from millions and destabilize safety‑net hospitals.

At the same time, this July, CMS quietly agreed to grant ICE access to 79 million Medicaid records, including names, Social Security numbers, and addresses—ostensibly to detect fraud, but decried by advocates as a “privacy betrayal” that could deter vulnerable populations from seeking care.

The combined effect is terrifying:

  • Coverage Cliff: State agencies, facing leaner federal dollars, may tighten eligibility, increase premiums, or slash optional benefits like dental and vision.

  • Trust Erosion: Families who fear deportation could avoid necessary treatments, fueling public‑health crises and uncompensated‑care burdens.

  • Compliance Minefield: Healthcare entities must navigate conflicting obligations—protect patient privacy under HIPAA while honoring a federal subpoena to hand over data.

3. Why You Can’t Afford to Wait

These policy changes aren’t distant threats—they’re unfolding now. Practices that delay will face:

  • Revenue Shock: Misaligned billing workflows and missed opportunities to qualify for advanced payment models.

  • Legal Exposure: Privacy lapses or flawed consent processes could trigger hefty civil penalties.

  • Operational Chaos: Untrained staff and outdated policies will struggle under shifting audit criteria and enforcement priorities.

4. ClearPath Compliance: Your Strategic Shield

At ClearPath Compliance, we’ve distilled our decades of healthcare regulatory expertise into an Integrated Response Framework designed to neutralize these threats and bolster your competitive edge:

  1. Advanced Revenue Optimization

    • Analyze your current Medicare billing mix and identify high‑yield alternative payment models you qualify for.

    • Remap EHR coding workflows to preempt denials under new site‑neutral and fee‑schedule rules.

  2. Medicaid Program Resilience

    • Conduct state‑by‑state impact assessments to forecast coverage changes and adapt enrollment strategies.

    • Develop patient‑centric consent protocols and vendor agreements that safeguard privacy—even when federal data‑requests arrive.

  3. Regulatory & Audit Readiness

    • Revise privacy policies and train staff on handling ICE subpoenas without violating HIPAA.

    • Perform mock audits for both Medicare and Medicaid regulations, ensuring your documentation survives heightened scrutiny.

  4. Advocacy & Stakeholder Engagement

    • Craft white‑papers and testimony to influence state budget committees on Medicaid funding decisions.

    • Facilitate community outreach programs that reassure patients and preserve trust in your practice.

Don’t get blindsided by the next wave of policy mandates. Call ClearPath Compliance at 1‑888‑996‑8376 or visit clearpathcompliance.com to schedule your free 30‑minute strategic consultation. Together, we’ll transform regulatory upheaval into an opportunity for growth and reinforce your status as a trusted healthcare leader.

Drew Duffy, MHA, FACHE


Stark Law Changes in 2025: What Every Healthcare Provider Needs to Know

Under the 2024 Stark Law updates, CMS has rewritten the playbook on self‑referrals—expanding value‑based exceptions, redefining ‘commercial reasonableness,’ and tightening the rules around indirect compensation. Solo practitioners, multi‑specialty groups, and concierge clinics alike must act now or risk steep penalties. Discover what these pivotal changes mean for your practice and how to safeguard compliance with ClearPath Compliance’s expert roadmap.

By A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance

What Is the Stark Law?

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring Medicare patients to entities they have a financial relationship with—unless an exception applies. Its core goal is to prevent conflicts of interest that could drive up healthcare costs or compromise care.

What Changed in 2024?

In April 2024, the Centers for Medicare & Medicaid Services (CMS) implemented key updates to the Stark Law under the CY2024 Medicare Physician Fee Schedule Final Rule. These changes reflect CMS’s continuing efforts to modernize healthcare regulation under value-based care models.

1. Expanded Flexibility for Value-Based Arrangements

CMS has broadened exceptions for:

  • Shared savings programs

  • Coordinated care models

  • Health tech-enabled partnerships

Implication:
Physician practices and clinics entering into care coordination or quality improvement programs now have more legal protection when financial relationships are involved — as long as they’re structured properly.

Tip: If you're participating in an ACO or using digital tools for shared care, this rule may now protect you more than it did in 2023.

2. Clarification on "Commercial Reasonableness"

CMS clarified what counts as commercially reasonable — a core requirement for many Stark Law exceptions. The 2024 definition now explicitly allows arrangements that result in losses, as long as they still make sense from a business and care perspective.

Implication:
Medical groups no longer need to worry that unprofitable arrangements automatically violate Stark Law — as long as they have a logical, documented purpose (e.g., expanding access in rural areas).

Tip: Keep a clear justification in writing for any agreements that don’t look profitable on paper.

3. Tighter Language Around Indirect Compensation

New guidance narrows down the criteria for what qualifies as indirect compensation—meaning more arrangements may now fall under the Stark Law than before.

Implication:
Organizations that work with management companies, staffing agencies, or other third-party vendors must re-evaluate their indirect relationships. Many arrangements that flew under the radar now require a formal review.

Tip: If you contract out billing, staffing, or tech services, revisit those agreements now.

Why This Matters to Small Clinics and Independent Providers

You might think Stark Law is only for hospitals or large systems — but it absolutely affects:

  • Solo practitioners

  • Multi-specialty groups

  • Concierge practices

  • Clinics participating in Medicare

Failure to comply can mean:

  • Civil penalties up to $15,000 per service

  • Exclusion from federal programs

  • Reputational harm

How to Stay Compliant in 2024

  • Review your contracts (especially tech, staffing, or shared-revenue agreements)

  • Document your commercial reasoning

  • Know your value-based care exceptions

  • Consult a compliance specialist (like ClearPath Compliance) if you’re unsure


🧠 Final Thought

Regulations are evolving. So should your compliance strategy.
If you're unsure how these changes impact your practice, ClearPath Compliance is here to help.

Written by A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance.
