Cross-State Telehealth and the AI Receptionist: HIPAA Meets State License Law

A federally compliant AI receptionist booking a California patient with a clinician licensed only in Texas is a HIPAA non-issue and a California Medical Board problem. The 2026 stack must handle both.

What the law actually says

flowchart LR
  Voice[Voice call] --> Redact[PII / PHI redaction]
  Redact --> LLM[LLM with BAA]
  LLM --> Resp[Response]
  Resp --> Sanitize[Remove non-needed PHI]
  Sanitize --> Caller[Caller]
  Resp --> AuditDB[(Audit DB)]

HIPAA at 45 CFR 160.203 establishes federal preemption only when state law is contrary to and less stringent than the Privacy Rule. State laws that are more protective of the patient — and most state telehealth licensing laws are — survive untouched. State medical, dental, nursing, psychology, and behavioral health boards each define telehealth as the practice of medicine occurring at the location of the patient at the time of the encounter. That means a clinician must be licensed in the state where the patient is physically located when the visit happens — not where the clinic is incorporated.

In 2025 and into 2026, states have layered new mechanisms onto this baseline. The Interstate Medical Licensure Compact (IMLC), the Psychology Interjurisdictional Compact (PSYPACT), the Counseling Compact, and the Audiology and Speech-Language Pathology Compact all shorten the path to multi-state practice. Colorado (Senate Bill 24-168), California (Senate Bill 1192), and a growing list of states have enacted out-of-state telehealth registration regimes that allow non-licensed providers to deliver telehealth under specific conditions and registration.

The Drug Enforcement Administration (DEA) Special Registration for Telemedicine, repeatedly delayed through 2025 and 2026, also intersects whenever a controlled substance prescription is in play.

What this means for AI voice and chat agents

An AI receptionist is not practicing medicine — but it is the gatekeeper that decides which clinician sees which patient. If the agent books a Texas-licensed therapist with a patient on a Colorado phone number, it has just helped create the conditions for a Colorado Mental Health Board complaint. The compliance burden falls on the practice, not on the AI vendor, but the vendor's design directly determines whether the practice can defend itself.

The minimum viable design is patient-state detection at intake (phone area code is a first signal but not authoritative — ANI manipulation and forwarding break it), clinician-licensure mapping in a structured table, real-time match logic before the booking is offered, and a written record of which licensure check fired and why. For multi-state groups, the agent must also surface state-specific Notices of Privacy Practices and consent flows — California's CMIA, New York's SHIELD Act, Texas HB 300, and Washington's My Health My Data Act each impose disclosures that go beyond HIPAA.

How CallSphere implements

CallSphere's Healthcare Voice Agent does state-aware routing as a first-class feature. The intake flow asks for patient ZIP code or address, validates the state, and consults a clinician licensure table inside our healthcare_voice PostgreSQL database. Each clinician row carries an array of state licenses, compact memberships (IMLC, PSYPACT, Counseling Compact), and DEA telemedicine status. Before any appointment is offered, the agent runs a license-state match. Mismatches are routed to a human or to the next licensed clinician — never silently booked. Across 50+ businesses on the platform, this logic has prevented hundreds of non-licensed bookings. Our behavioral-health LP at /lp/behavioral-health ships with PSYPACT logic on by default. State-specific notices and consent capture are part of the post-call analytics record alongside sentiment (–1.0 to +1.0), lead score (0–100), and the AI summary. Multi-state groups should review /industries/healthcare and /industries/behavioral-health, and start with a 14-day trial.

Compliance and build checklist

1. Capture patient state at first intake — ZIP or address, never just area code.
2. Maintain a clinician-licensure table with state arrays and compact memberships.
3. Block bookings where the clinician is not licensed in the patient's state at appointment time.
4. Track PSYPACT, IMLC, Counseling Compact, ASLP-IC, NLC, and PT Compact status per clinician.
5. For controlled-substance workflows, route only to clinicians with current DEA telemedicine authority.
6. Surface state-specific NPPs (CMIA in CA, SHIELD in NY, HB 300 in TX, MHMDA in WA).
7. Log every license-state check and outcome for audit — minimum 6 years.
8. Reconfirm licensure data quarterly — boards revoke and lapse silently.
9. For Medicaid bookings, layer state Medicaid telehealth eligibility on top of licensure.
10. For minors, layer state-specific minor-consent rules on top of HIPAA (covered separately).

FAQ

Does HIPAA preempt state telehealth licensing? No. HIPAA preempts only state laws that are less stringent than the Privacy Rule. State licensing laws are about the practice of medicine, not privacy, so they sit alongside HIPAA — not under it.

Is the patient's location or the clinician's location what counts? The patient's physical location at the time of the encounter. Every state medical board has confirmed this since the 2020 emergency declarations expired.

What about PSYPACT and IMLC? Compacts shortcut multi-state licensure for participating clinicians. The agent must check membership and active status, not just registration.

Does the AI vendor need state licenses too? No. The AI is not practicing medicine. But the vendor's product must give the practice the tools to comply.

What about the DEA Special Registration for Telemedicine? Delayed multiple times through 2026. Until it lands, controlled-substance prescribing across state lines uses the in-person and Ryan Haight Act exceptions.

Sources

• 45 CFR 160.203, Preemption: https://www.ecfr.gov/current/title-45/section-160.203
• HHS Telehealth — Licensing Across State Lines: https://telehealth.hhs.gov/licensure/licensing-across-state-lines
• Federation of State Medical Boards — IMLC: https://www.fsmb.org/advocacy/interstate-licensing/
• PSYPACT Commission: https://psypact.gov/
• CCHP State Telehealth Laws Report (Fall 2025): https://www.cchpca.org/resources/state-telehealth-laws-and-reimbursement-policies-report-fall-2025/