persona-logo
Published May 07, 2026
Last updated May 07, 2026

The DEA telehealth extension: how to prepare for new patient identity verification requirements

With the DEA's fourth extension, stricter patient verification is on the horizon. Here’s how to build compliant systems before final rules take effect.
Jennifer Lowe
Jennifer Lowe
5 min
Blog image - new patient verification rules
Key takeaways
Telehealth and digital health companies will need to demonstrate that they know who their patients are and that they have systems capable of proving it. 
The proposed requirements suggest verification will need to happen at multiple points in the prescribing journey: initial onboarding, prescription requests, and refills.
Building a compliant patient verification system takes time. Companies that wait for the final rule risk running out of implementation runway.

On December 31, 2025, the DEA issued its fourth temporary extension of the COVID-era telemedicine flexibilities, keeping the current rules in place through December 31, 2026. For telehealth companies prescribing controlled substances, the extension was welcome news. 

However, one line in the announcement signals stricter patient verification requirements on the horizon: the extension provides “time to finalize and implement regulations that balance access to care with the necessary safeguards against drug diversion." 

If you’re a compliance professional in digital health, this update is perhaps one of the most closely watched regulatory issues facing your industry. It’s also one of the most uncertain. While the Special Registration rule, which would require government-issued photo ID capture and PDMP checks, has been proposed, it remains unfinalized. 

Digital health companies are caught between current flexibilities with minimal requirements versus future, potentially stricter requirements. Without clarity on the transition period or a unified federal standard for patient verification, knowing what your patient verification infrastructure will need to do is murky. But companies that wait for the final rule risk running out of implementation runway.

The path forward is clearer than it seems. In this article, we'll walk through what compliant patient identity verification looks like in practice, what audit-ready documentation systems need to include, and how to prepare for the proposed DEA requirements now.

When should telehealth companies start preparing for DEA patient verification requirements? 

Telehealth companies should begin to build defensible patient verification infrastructure now while they still have time. More pointedly, they should not wait until after the final rule is published.

While the DEA hasn't published final rules for long-term telemedicine prescribing, its proposed rule on Special Registrations for Telemedicine explicitly includes patient identity verification standards. Though most telehealth companies already verify patients at onboarding, the proposed requirements suggest verification will need to happen at multiple points in the prescribing journey: initial onboarding, prescription requests, and refills.

Building a compliant patient verification system takes time. Vendor selection involves security reviews, BAA negotiations, and often legal approval. Technical integration requires development resources, testing across your existing systems, and user-friendly workflow design. Staff training, documentation updates, and audit readiness take additional months. If you wait for the DEA to finalize its Special Registration rule before starting implementation, you may not have enough time to prepare when it takes effect.

The stakes for getting this wrong extend far beyond regulatory penalties: inadequate verification enables the exact fraud patterns that triggered the Done Global prosecution and the 2025 DOJ Takedown. Most critically, verification failures create direct patient safety risk.

The regulatory posture is clear even if the final rules aren't: companies operating in the remote prescribing space will need to demonstrate that they know who their patients are and that they have systems capable of proving it. 

How telehealth companies should implement patient verification requirements

Telehealth companies can prepare for the final DEA Special Registration rule by moving beyond one-time verification at onboarding. Here's what a compliant patient verification infrastructure needs to do: 

  1. Verify rigorously at onboarding. Collect a government-issued photo ID (driver's license, passport, state ID) from every patient during initial enrollment. Your verification system should validate the document's authenticity by checking security features, expiration status, and detecting signs of forgery, tampering, or AI-generated documents. NIST IAL2 (the federal benchmark for rigorous remote identity proofing) provides a useful standard for what telehealth companies should aim for. 

  2. Verify at multiple points in the prescribing journey. Reauthenticate patients when they request controlled substance prescriptions and at refills to prevent account sharing and takeovers. By reverifying, you can demonstrate who was actually on the call each time a prescription was issued and not just who signed up for the account.

  3. Integrate PDMP checks and document them. The proposed DEA requirements include mandatory PDMP (Prescription Drug Monitoring Program) checks to identify prescription shopping patterns across providers. Your system needs to document which state databases were queried, when, and what the results showed.

  4. Build audit-ready documentation for every verification event. For each identity verification, your system should automatically capture the method used, timestamp and encounter ID, verification outcome, patient physical location at time of encounter, and modality confirmation. If an OIG auditor requests documentation, you should be able to produce defensible records for every controlled substance prescription.

  5. Manage vendor risk as a HIPAA compliance issue. If you work with an identity verification vendor, it becomes a business associate under HIPAA. Ensure your vendor signs a BAA, encrypts data both in transit and at rest, has clear data retention and deletion policies, and can demonstrate compliance with HIPAA Security Rule requirements. 

When done well, patient identity verification can help recreate the verification steps that typically happen during an in-person visit: the provider sees the patient, the front desk checks their ID, and staff confirms they are the person on file. Patient visits have witnesses and documentation, with prescription tied to a physical interaction. 

Remote verification must replicate those safeguards digitally. Following these best practices ensures you can deliver the assurance, documentation, and audit defensibility that in-person visits naturally provide.

8 tips to improve online customer verification
Learn how to balance risk-based segmentation and verification.
Read now

Build compliant patient verification with Persona

Persona is a HIPAA-compliant identity verification platform that helps telehealth companies seamlessly verify patient identity, prevent fraud, and meet evolving regulatory requirements. Healthcare companies like K Health, Circle Medical, and Citizen Health trust us to build patient verification that scales with regulation. Gartner® has named Persona a Leader in its 2025 Magic Quadrant™ for Identity Verification. 

Persona’s all-in-one platform allows you to adapt verification to your specific use case, whether that's stricter verification for Schedule II prescriptions or state-specific documentation standards. We enable:

  • Identity proofing at onboarding. Collect and verify patient identity at the start of the patient journey with government ID verification, selfie matching, and insurance card collection and extraction via OCR. Patients can complete the process on their phone in seconds while compliance teams get a documented verification record automatically.

  • Reverification at high-risk moments. Persona allows you to build and implement risk-based verification flows that trigger at key points, such as a first controlled substance prescription, a refill request, or a request to access health records.

  • Full auditability. Every verification generates a record of what was collected, what verification methods ran, what decision was made, and when. This audit trail helps compliance teams address how a patient was verified.

  • HIPAA compliance and NIST IAL2 certification. Persona is HIPAA-compliant, offers a BAA upon request, and holds NIST IAL2 certification, which is the identity assurance standard required for high-stakes healthcare verification scenarios.

  • Flexible, configurable flows. Telehealth verification can't be one-size-fits-all. State-specific rules, substance categories, and practice types all affect what verification is appropriate. Persona's flows are configurable without requiring engineering rework each time the regulatory environment shifts.

Closing the door on diversion starts with knowing who your patient is when you’re onboarding, prescribing, and refilling. Learn how Persona can support your patient verification needs or reach out for a demo.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Jennifer Lowe
Jennifer Lowe
Jennifer Lowe is a content marketer at Persona focused on workforce identity, candidate fraud, crypto, age assurance, and telehealth. Based in Los Angeles, she enjoys exploring the local theater scene.
Continue reading