California Telehealth Regulations: 2026 Compliance Guide for Providers
Key Compliance Requirements
- Licensure and standard of care: Treat the patient as if seen in person. If the patient is in California at the time of care, you must be authorized to practice in California and follow the California Business and Professions Code and board rules.
- Patient consent before care: Inform patients that telehealth will be used, obtain verbal or written consent, and document it once before services begin. For Medi-Cal, include DHCS’ model consent elements and obtain separate consent for audio-only services.
- Privacy and security: Comply with the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), and—when applicable—42 CFR Part 2 for substance use disorder records. Use only platforms and vendors covered by Business Associate Agreements (BAAs).
- Prescribing safeguards: Use electronic prescribing (eRx) for almost all prescriptions. For controlled substance teleprescribing, comply with federal rules in effect through December 31, 2026, and California’s CURES checks before prescribing Schedule II–V drugs.
- Documentation essentials: Record the modality (video, audio-only, store-and-forward, remote patient monitoring), patient and provider locations, participants, consent, clinical appropriateness, and—if audio-only—why video was unavailable or declined.
- Billing accuracy: Bill the same CPT/HCPCS codes as in-person when clinically appropriate; apply payer-required modifiers and place-of-service (POS) codes; and follow Medi-Cal Telehealth Policies from the California Department of Health Care Services (DHCS).
Relevant Regulations and Statutes
Core California statutes
- California Business and Professions Code § 2290.5 (telehealth): Defines telehealth, requires patient consent before telehealth, and affirms that all confidentiality and professional standards apply.
- Electronic prescribing mandate (BPC § 688): Requires electronic transmission of most prescriptions, including controlled substances, with limited exceptions for emergencies and outages.
- Confidentiality of Medical Information Act (CMIA) (Civil Code § 56 et seq.): Adds California-specific privacy, authorization, and breach obligations in addition to HIPAA.
- Prescription Drug Monitoring Program (CURES) (Health & Safety Code §§ 11165.1, 11165.4): Mandates prescriber registration and timely CURES consultation before and during ongoing controlled-substance therapy.
- Medi-Cal telehealth coverage (Welf. & Inst. Code § 14132.72 and related provisions): No in‑person prerequisite for services clinically appropriate via telehealth; payment and documentation governed by DHCS manuals and guidance.
- Commercial plan parity (Insurance Code §§ 10123.855, 10123.85): Requires coverage on the same basis and to the same extent as in‑person services and prohibits plans from limiting coverage to select third‑party telehealth vendors.
Federal frameworks
- HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164): Require risk analysis, administrative/physical/technical safeguards, minimum necessary, BAAs, and timely breach notices.
- 42 CFR Part 2 (SUD confidentiality): Aligns more closely with HIPAA in 2024; compliance is required in 2026 for consent, redisclosure limits, and accounting of disclosures when handling Part 2 records.
- Controlled Substance Teleprescribing: Federal telemedicine flexibilities continue through December 31, 2026; prescribers must still meet legitimate‑purpose, identity, eRx/EPCS, and state PDMP/CURES requirements.
Technology and Security Standards
Platform selection and vendor management
- Choose technologies that support end‑to‑end encryption, access controls, audit logging, and role‑based permissions. Execute BAAs with conferencing, messaging, RPM, and eRx vendors.
- Disable recording by default; if recording is clinically necessary, document the purpose, retain securely, and limit access.
Security program essentials (HIPAA Security Rule)
- Administrative safeguards: Perform and update a security risk analysis, implement risk management, workforce training, incident response, and vendor oversight.
- Physical safeguards: Secure facilities, workstations, and portable media. Maintain device and media controls for storage, reuse, and disposal.
- Technical safeguards: Enforce unique user IDs, strong authentication (preferably MFA), automatic logoff, encryption in transit and at rest, and integrity controls.
Clinical workflow and identity verification
- Verify patient identity at each visit; confirm the patient’s current physical location for emergency response and licensure compliance.
- For EPCS, follow DEA identity‑proofing and two‑factor authentication requirements; retain audit trails.
Breach readiness
- Maintain written incident response and breach notification procedures that satisfy HIPAA timelines and California’s breach rules (including patient and, when required, Attorney General notifications).
Patient Consent and Privacy Rules
Telehealth consent form essentials
- Baseline consent (BPC § 2290.5): Tell the patient telehealth will be used; obtain and document verbal or written consent before care.
- Medi-Cal additions (SB 184/DHCS): Communicate the right to in‑person services, voluntariness and revocation, transportation availability for in‑person care, and any modality‑specific limitations/risks; obtain separate consent for audio‑only services.
- Language access and minors: Provide consent in a language the patient understands; apply California minor‑consent and “sensitive services” rules where applicable.
Privacy layering: HIPAA, CMIA, and Part 2
- HIPAA sets national privacy/security baselines; CMIA may impose stricter authorization and breach timelines for California patients.
- Substance use disorder records (42 CFR Part 2) require explicit consent for most disclosures and careful redisclosure controls, even within otherwise HIPAA‑compliant systems.
Billing and Reimbursement Guidelines
Medi-Cal (DHCS) telehealth billing
- Code selection: Bill the same CPT/HCPCS code you would use in person when telehealth is clinically appropriate and code requirements are met.
- POS and modifiers: Use POS 02 for telehealth. Apply modifier 95 for synchronous audio‑video and modifier GQ for asynchronous store‑and‑forward when required by DHCS guidance.
- Originating site fees: Eligible originating sites may bill Q3014 once per patient per day. Transmission fees may apply for certain synchronous interactions; check the current DHCS manual. FQHCs/RHCs generally cannot bill Q3014 or transmission fees but are paid their PPS rate when telehealth services qualify.
- Audio‑only: Covered when clinically appropriate and when documentation supports patient request or lack of video access; restrictions apply for establishing new patients (with limited exceptions for sensitive services).
- Remote patient monitoring (RPM): Medi-Cal covers RPM when program and code requirements are met; follow the DHCS manuals for covered codes, frequency limits, and device criteria.
Medicare and commercial payers (California context)
- Medicare: Many telehealth flexibilities are extended through December 31, 2027; typical billing uses standard CPT/HCPCS plus POS 10 (patient at home) or POS 02 and modifier 95 for video; select services may use modifier 93 for audio‑only when allowed.
- Commercial parity: California Insurance Code requires coverage on the same basis and to the same extent as in‑person care; apply plan‑specific POS/modifier rules and avoid limiting coverage to select corporate telehealth vendors.
2026 Regulatory Updates and Changes
- Controlled Substance Teleprescribing: Federal agencies extended COVID‑era telemedicine flexibilities for prescribing controlled medications through December 31, 2026. You must still use EPCS where required, verify identity, and complete CURES checks under California law.
- HIPAA/Part 2 alignment: Notice of Privacy Practices updates and key 42 CFR Part 2 changes are in effect in 2026. Update policies, NPPs, consent workflows, and redisclosure controls to reflect the new standards.
- California BPC § 2290.5 refresh: The telehealth statute remains the cornerstone for consent and definitions, with amendments effective January 1, 2026, clarifying terms and reinforcing consent and confidentiality obligations.
- Board‑level updates: Several California boards continue refining telehealth practice standards in 2026; verify discipline‑specific rules (e.g., psychology, behavioral health) for supervision, documentation, and out‑of‑state/temporary practice nuances.
- Medicare horizon: Separate from state rules, Medicare telehealth flexibilities now run through December 31, 2027—useful for California providers billing Medicare alongside Medi-Cal and commercial payers.
Conclusion
To stay compliant in 2026, anchor your program to California’s consent rule (BPC § 2290.5), DHCS’ Medi-Cal Telehealth Policies, HIPAA/CMIA privacy and security controls, and CURES/eRx prescribing mandates. Layer in federal 2026 updates (controlled‑substance teleprescribing and HIPAA/Part 2 changes), apply correct POS/modifiers, and keep discipline‑specific board rules current. Doing so positions your organization to deliver safe, lawful, and fully reimbursable telehealth care across California.
FAQs
What are the patient consent requirements for telehealth in California?
Before delivering care via telehealth, you must inform the patient that telehealth will be used, obtain verbal or written consent, and document it in the record. For Medi-Cal, incorporate DHCS’ model elements (right to in‑person services; voluntariness and revocation; transportation availability; modality risks) and obtain separate consent if you use audio‑only. A single, well‑crafted Telehealth Consent Form can satisfy both the California Business and Professions Code and Medi-Cal requirements.
How does HIPAA compliance affect telehealth technology use?
HIPAA requires you to perform a security risk analysis; implement administrative, physical, and technical safeguards; and sign BAAs with vendors that create, receive, maintain, or transmit PHI. Use encrypted platforms, strong access controls (preferably MFA), audit logs, and minimum necessary data flows. If your services involve substance use disorder records, apply 42 CFR Part 2’s consent and redisclosure limits in addition to HIPAA. California’s CMIA adds state‑specific privacy and breach duties that run in parallel with HIPAA.
What billing codes are accepted for telehealth services in California?
Use the same CPT/HCPCS codes you would for in‑person care when the service is clinically appropriate for telehealth. For Medi-Cal, report POS 02 and add modifier 95 for live audio‑video or GQ for asynchronous store‑and‑forward when required; eligible originating sites may bill Q3014. FQHCs/RHCs are generally paid their PPS rate when telehealth encounters qualify and typically cannot bill Q3014. Medicare and some commercial plans also use POS 10 (home) and may require modifier 93 for audio‑only services—always confirm the payer’s current policy.
Are there new telehealth mandates effective in 2026?
Yes. Federal telemedicine flexibilities for prescribing controlled substances remain in effect through December 31, 2026. HIPAA/Part 2 alignment and Notice of Privacy Practices updates apply in 2026, requiring policy and form revisions. California’s telehealth statute (BPC § 2290.5) continues to govern consent and definitions, with 2026 amendments in force, and DHCS’ Medi-Cal Telehealth Policies remain the operative billing and coverage framework for Medi-Cal providers.