7 Audio-Only Telehealth Compliance Mistakes Behavioral Health Providers Are Making (And How to Fix Them Before Your Next Audit)

Audio-only telehealth isn't going anywhere. For behavioral health providers, it's often the only way to reach certain patients, those in rural areas without reliable internet, older adults uncomfortable with video technology, or clients in crisis who need immediate access to care.

But here's the problem: audio-only telehealth is a compliance minefield.

What worked during the Public Health Emergency (PHE)? That enforcement discretion is long gone. OCR isn't cutting anyone slack on HIPAA violations. Medicare is tightening up documentation requirements. State Medicaid programs have wildly different policies on what codes are billable. And if your behavioral health policies aren't updated to reflect 2026's regulatory landscape, you're walking into your next audit with a target on your back.

We've worked with dozens of behavioral health providers navigating post-PHE telehealth compliance, and we keep seeing the same mistakes pop up. The good news? They're fixable. Let's walk through the seven most common audio-only telehealth compliance gaps, and exactly how to close them before a surveyor, auditor, or payor finds them first.

Mistake #1: You're Not Verifying Patient Identity Before Audio-Only Sessions

The Problem: When you can't see the person on the other end of the line, how do you prove you're delivering care to the right patient? Many providers skip this step entirely or rely on caller ID, which isn't compliant.

Medicare, Medicaid, and most commercial payors require oral or written identity verification before delivering audio-only services. If you can't document that you verified the patient's identity, you can't bill for the service, and in an audit, it looks like you provided care to an unverified individual.

The Fix: Build identity verification into your mental health compliance workflow: ✅ Train clinicians to verbally confirm the patient's full name, date of birth, and address at the start of every audio-only session. ✅ Document the verification method in your EHR (e.g., "Patient identity verified via DOB and address confirmation"). ✅ For written verification, use secure patient portals or text-based consent forms that log patient responses.

Pro Tip: If you're using a telehealth vendor, make sure your platform auto-logs identity verification steps. It's one less thing for your clinicians to remember, and one more audit defense you have in writing.

Mistake #2: You're Skipping Active Consent for Audio-Only Delivery

The Problem: Audio-only telehealth is only compliant when the provider has video capability but the patient cannot or will not use it. If your practice doesn't have video capability at all, you're not meeting the standard.

Even if you do have video, you can't just default to audio because it's easier. You need to document that the patient actively chose audio-only, or that they lack the technology/connectivity to use video.

The Fix: Update your intake and session workflows to include: ✅ A documented offer of video telehealth at every encounter. ✅ Patient acknowledgment (in writing or verbally documented) that they were offered video and declined or were unable to access it. ✅ A checkbox or note field in your EHR template: "Patient offered video telehealth. Patient selected audio-only due to: [lack of device/connectivity issue/patient preference]."

For Medicare patients specifically: CMS requires that audio-only is only used when the beneficiary doesn't have access to two-way video technology. Document this explicitly, or you risk billing denials.

Mistake #3: You're Ignoring In-Person Visit Requirement Deadlines

The Problem: The in-person visit requirement for behavioral health telehealth services has been delayed, but it's not canceled. For most Medicare services, the deadline is January 30, 2026. For FQHCs and RHCs providing mental health services via telehealth to patients in their homes, the deadline is January 1, 2026.

Many providers assume this doesn't apply to them because they've been operating telehealth-first since the pandemic. That assumption will cost you in a Medicare audit.

The Fix: ✅ Review your patient panel now. Flag any Medicare beneficiaries who have only received telehealth services (audio or video) without an in-person visit. ✅ Schedule in-person visits before the January 2026 deadlines for applicable patients, or document why an exemption applies (e.g., patient is homebound and meets waiver criteria). ✅ Update your behavioral health policies to reflect the in-person requirement and train staff on how to track compliance.

Medicaid & Commercial Payors: These deadlines vary by state and plan. Don't assume Medicaid follows Medicare's rules, check your state's specific policies and update your compliance calendar accordingly.

Mistake #4: You Don't Have Business Associate Agreements (BAAs) With Your Telehealth Vendors

The Problem: If your telehealth platform stores call recordings, generates transcripts, or offers translation/transcription services, it's a business associate under HIPAA. That means you need a signed BAA in place, and OCR is actively enforcing this now that the PHE enforcement discretion has ended.

We've seen providers get hit with HIPAA violations not because they mishandled PHI, but because their vendor did, and there was no BAA on file to prove the vendor was held to HIPAA standards.

The Fix: ✅ Audit every telehealth vendor you use. Ask: Does this vendor access, store, or process any patient data? ✅ If the answer is yes, obtain a signed BAA. If the vendor refuses, find a new vendor. ✅ Document your BAA inventory and review it annually as part of your HIPAA compliance program.

Red Flag Alert: If you're using consumer-grade platforms (like FaceTime Audio or standard phone lines) without encryption or BAAs, you're creating a massive HIPAA liability. Switch to HIPAA-compliant platforms immediately.

Mistake #5: Your Documentation Doesn't Specify "Audio-Only Technology"

The Problem: When you bill for audio-only services, your documentation must clearly state that the encounter was conducted via audio-only technology. If your notes just say "telehealth visit" or don't specify the modality, payors can (and will) deny the claim.

This is especially critical for Medicare, which has specific billing codes for audio-only services (e.g., 99441–99443 for time-based phone codes, or behavioral health codes like 90832 when audio-only is allowed).

The Fix: ✅ Update your EHR templates to include a mandatory field: "Modality of service: [Audio-only / Video / In-person]." ✅ For time-based audio-only codes, document the exact call length (start and end times). ✅ For non-time-based behavioral health codes, you don't need to document duration, but you do need to document that the service was delivered via audio-only.

Compliance Shortcut: Create a smart phrase or macro in your EHR that auto-populates: "This session was conducted via audio-only telehealth technology per patient request/inability to access video." One click, full compliance.

Mistake #6: You're Not Addressing Patient Location and Privacy Risks

The Problem: For Medicare's audio-only behavioral health services, the patient must be located in their home during the session. If they're calling from a public place, their car, a coffee shop, their workplace break room, you're not meeting the requirement.

Even if the location technically qualifies, audio-only sessions conducted in public spaces or using speakerphones create privacy risks that must be disclosed to the patient and documented in your mental health compliance records.

The Fix: ✅ Train clinicians to verbally confirm the patient's location at the start of every audio-only session: "Are you in a private location where you feel comfortable discussing your care?" ✅ Document the patient's location in the encounter note (e.g., "Patient confirmed location: home, private room"). ✅ If the patient is in a public or semi-public space, document that you discussed privacy risks and that the patient consented to proceed.

For Medicaid & Commercial Payors: Location requirements vary. Some states allow audio-only from any location; others have "originating site" restrictions. Know your payors' rules and document accordingly.

Mistake #7: You're Using the Same Audio-Only Codes Across All Payors

The Problem: Medicare has a specific list of allowed audio-only CPT codes. Medicaid programs have different lists. Commercial payors? They're all over the map.

We've seen providers bill the same audio-only codes to Medicare, Medicaid, and United Healthcare, only to get denials from two out of three because the codes weren't on that payor's approved list.

The Fix: ✅ Create a payor-specific audio-only code matrix. List out which codes each of your major payors allows for audio-only delivery. ✅ Train your billing team to verify the payor before submitting audio-only claims. ✅ When in doubt, call the payor. Yes, it's time-consuming: but a 10-minute verification call saves you a month-long appeals process.

Real-World Example: Arkansas Medicaid allows specific audio-only codes that Medicare doesn't: and vice versa. If you're operating in multiple states or serving diverse payor mixes, this matrix isn't optional. It's survival.

How to Audit-Proof Your Audio-Only Telehealth Program in 3 Steps

Fixing these seven mistakes is critical: but behavioral health policies are only as good as your ability to operationalize them. Here's how to move from "policy on paper" to "audit-ready practice":

Step 1: Conduct an internal audit. Pull 10–15 audio-only encounter notes from the past 90 days. Check for: identity verification, active consent documentation, modality specification, patient location, and appropriate CPT codes per payor.

Step 2: Update your EHR templates and workflows. Build compliance checkpoints directly into your documentation. If your clinicians can't complete a note without verifying identity and documenting consent, they won't forget.

Step 3: Train your team: then train them again. Schedule a 30-minute training session on audio-only compliance for clinical and billing staff. Revisit this quarterly as regulations evolve.

Need help? We specialize in building audit-ready behavioral health policies that your team can actually use. From telehealth compliance reviews to EHR workflow optimization, we've got your back.

The Bottom Line: Audio-Only Compliance Isn't Optional Anymore

The days of "we'll figure it out later" are over. Auditors are looking at audio-only telehealth documentation with a magnifying glass. Payors are tightening billing requirements. And if your mental health compliance program isn't built to handle this scrutiny, you're setting yourself up for denials, recoupments, and findings.

The good news? These mistakes are fixable. With the right policies, training, and documentation workflows, your audio-only telehealth program can be both patient-centered and audit-proof.

Your move: Pick one mistake from this list and fix it this week. Then tackle the next one. Compliance doesn't happen overnight: but it does happen when you take it one step at a time.

Need a second set of eyes on your telehealth policies? That's exactly what we're here for. Let's talk. 👉 Get in touch with KBBG Systems