Telehealth Compliance Policy
Effective Date: February 2026
Document Version: 1.0
This Telehealth Compliance Policy (“Policy”) establishes the regulatory requirements, consent procedures, technical safeguards, and operational standards governing telehealth services delivered through the Rymeda platform operated by Rymeda, Inc. (“Rymeda,” “we,” “us”).
1. Regulatory Framework
Telehealth services on the Rymeda platform are subject to the following regulatory requirements:
| Regulation | Scope | Key Requirements |
|---|---|---|
| HIPAA Security Rule | 45 CFR §164.312 | ePHI transmitted during telehealth must be encrypted in transit (TLS 1.3), with access controls, audit logging, and integrity controls |
| CA BPC §2290.5 | California telehealth consent | Written informed consent required before telehealth consultation, including limitations of telehealth and right to in-person visit |
| CA HSC §1374.13 | Reimbursement parity | Telehealth services reimbursed at same rate as equivalent in-person services |
| CA Penal Code §632 | Recording consent | Two-party consent required before recording any telehealth session. Criminal penalties for non-compliance |
| Ryan Haight Act | 21 USC §829(e) | Prescribing controlled substances via telehealth requires at least one in-person medical evaluation, subject to applicable exemptions |
| State Licensure | Multi-state requirements | Providers must hold active licensure in the state where the patient is located at the time of the telehealth encounter |
2. Technical Platform
Rymeda’s telehealth functionality is powered by 100ms, a HIPAA-eligible video infrastructure provider.
- Video Infrastructure: 100ms provides real-time video, audio, and session management with end-to-end encryption
- Session Types: Appointments are classified as `telehealth` type with duration tracking (default 30 minutes) and provider availability scheduling
- Host Controls: Providers (session hosts) can mute participants and remove users from sessions for safety and moderation
- Access Control: Telehealth sessions require verified provider status. Host verification is enforced before session creation
- Audit Trail: All session operations (creation, join, leave, mute, remove, recording start/stop) are logged in the audit system
3. Informed Consent
Per California BPC §2290.5 and equivalent state requirements, the following disclosures are provided and acknowledged before any telehealth session:
- The nature and limitations of telehealth services compared to in-person care
- The patient’s right to refuse telehealth and request an in-person visit
- That all applicable confidentiality protections apply to telehealth encounters
- Potential risks including technology failures, interruptions, and limitations of remote examination
- How the patient’s data will be stored, encrypted, and protected
- The provider’s licensure status and the state(s) in which they are licensed
- Separate recording consent if voice or video recording will occur (§632)
- AI processing consent if the encounter will be transcribed or analyzed by AI (AB 3030)
Consent is captured electronically, timestamped, and linked to the specific appointment record. Patients may withdraw consent at any time.
4. Provider Requirements
- Licensure: Providers must hold an active, unrestricted license in the state where the patient is physically located during the telehealth encounter
- NPI Verification: Provider NPI numbers are validated against the CMS NPPES Registry. Only verified providers (`verification_status: verified`) can conduct telehealth sessions
- Scope of Practice: Telehealth encounters must fall within the provider’s scope of practice and licensure
- Clinical Documentation: Telehealth encounters must be documented in the clinical record to the same standard as in-person visits, including SOAP notes
- Emergency Protocols: Providers must have a plan for managing emergencies, including obtaining the patient’s physical location and directing to local emergency services when necessary
- Prescribing: Controlled substance prescriptions via telehealth must comply with the Ryan Haight Act and applicable state prescribing regulations
5. Recording & AI Processing
Telehealth sessions may be recorded or transcribed for clinical documentation purposes, subject to the following requirements:
- Separate Consent: Recording consent is separate from telehealth consent and must be obtained from all parties before recording begins (CA Penal Code §632)
- Encrypted Storage: Recordings stored in Amazon S3 with AES-256 SSE-KMS encryption and per-tenant encryption keys
- AI Transcription: If the session is transcribed by AI (OpenAI Whisper, Zero Data Retention), additional consent is obtained per AB 3030 disclosure requirements
- No Training Use: Telehealth recordings and transcriptions are never used for AI model training without explicit, separate patient authorization per 45 CFR §164.508(c)
- Retention: Recordings follow the same 7-year retention schedule as clinical records. See Data Retention & Destruction Policy
6. Technical Safeguards
| Safeguard | Implementation | HIPAA Reference |
|---|---|---|
| Encryption in Transit | TLS 1.3 for all video, audio, and data streams. End-to-end encryption via 100ms infrastructure | §164.312(e)(1) |
| Access Control | Authenticated session access. Only the scheduled provider and patient (plus authorized care team) can join the session | §164.312(a)(1) |
| Audit Logging | Session creation, join/leave events, recording events, and moderation actions logged with timestamps, user IDs, and IP addresses | §164.312(b) |
| Session Integrity | Host controls (mute, remove) prevent unauthorized participation. Sessions linked to verified appointments | §164.312(c)(1) |
| BAA Coverage | 100ms operates under a Business Associate Agreement (BAA) for HIPAA compliance | §164.308(b)(1) |
7. Billing & Reimbursement
- Telehealth appointments are tracked with `appointment_type: "telehealth"` for accurate billing classification
- Invoice line items support telehealth-specific CPT codes with reimbursement parity per CA HSC §1374.13
- Insurance claims include telehealth modifier codes and place-of-service indicators
- The billing system distinguishes between telehealth and in-person encounters for reporting and compliance
Contact
Legal Team