What Medical Directors Need to Understand About the Role, the Rules, and the Risk
The medical director role has expanded significantly over the past several years. Telehealth growth, the rise of cash-pay clinics, med spas, IV therapy centers, weight management practices, and wellness companies have created demand for physicians willing to serve as medical directors, often remotely, for $500 to $2,000 per month.
Many physicians accept these roles with limited understanding of what the position actually requires. They may not have been given clear guidance, and most do not have a compliance team, a quality management department, or billing oversight staff behind them -- the infrastructure that traditionally exists in larger health systems to catch errors, flag issues, and support compliant operations.
The result is a growing number of physicians who hold the title of medical director but are not performing the oversight functions the role requires. In some cases, this leads to federal fraud investigations and large settlements. But in the majority of cases, the issues are more ordinary: a clinic's marketing makes claims the medical director has never reviewed, a medical assistant is explaining prescriptions to patients without realizing that crosses a legal line, a billing vendor is submitting codes the physician has never audited, or the business entity itself is structured in a way that creates corporate practice of medicine exposure.
This article is intended as a practical reference. It covers what the medical director role actually involves, the regulatory framework that governs it, recent enforcement trends, common gaps in oversight, and a set of questions physicians can use to evaluate whether their current arrangement meets the standard.
What the Medical Director Role Actually Is
A medical director is a licensed physician who is responsible for the clinical governance of a healthcare operation that functions under their license. The specifics vary by state, practice type, and payer environment, but the core responsibilities are consistent across nearly all settings.
The OIG has outlined that a medical director role should be supported by: actively overseeing clinical care in the facility, leading the medical staff to meet the standard of care, ensuring proper training, education, and oversight for physicians, nurses, and other staff members, and identifying and addressing quality problems (HCH Lawyers, Nov. 2024, citing OIG guidance). These are not optional add-ons to a contract. They are the baseline expectation.
Clinical Oversight
The medical director is responsible for ensuring that the clinical services being offered meet the applicable standard of care. This includes reviewing and approving treatment protocols and standing orders, establishing which services are within the scope of practice for each staff member, setting chart review cadence and conducting those reviews, overseeing informed consent processes, and managing adverse event response. In a large health system, these functions are supported by a quality management team, a compliance department, medical staff committees, and credentialing offices. In a small virtual clinic or med spa, the medical director is often the only person performing these functions, or at minimum, the only person accountable for them.
Staff and Delegation
One of the most common areas where medical directors run into compliance issues is delegation -- specifically, not understanding the boundaries of what each staff member can and cannot do under state law. Every state defines the scope of practice differently for NPs, PAs, RNs, MAs, and aestheticians. The medical director needs to know these rules for the state where the clinic operates (not the state where the director is licensed, if different).
For example, in most states a medical assistant cannot independently explain a prescription, discuss side effects, or counsel a patient on medication use. That is considered practicing medicine or pharmacy without a license. But in a small clinic without compliance training, it can happen routinely, and the medical director may never know unless they have a system in place to monitor what is actually occurring in patient interactions.
The ProAssurance risk management library includes a case study of a dermatologist who served as medical director of a med spa and was named in a lawsuit after a patient was injured during laser hair removal performed by an aesthetician (ProAssurance, Oct. 2025). The physician had no training in the procedure, had not reviewed treatment protocols, and had never seen the patient. Defense experts noted the physician could not meaningfully supervise a procedure they had no competency in. The case took nearly two years to resolve.
Business Entity and Corporate Practice
The medical director should understand how the business is structured. In corporate practice of medicine (CPOM) states like California, Texas, and New York, a non-physician entity cannot own or control a medical practice. The typical workaround is a Management Services Organization (MSO) model, where a professional corporation (PC) owned by a physician contracts with an MSO for administrative services.
But the MSO model only works if the medical director retains actual clinical authority. California's SB 351, effective January 2026, codifies this: if an MSO dictates patient volume, billing codes, or clinical staffing based on profit motives, the arrangement is a CPOM violation and both the medical director and MSO leadership can be penalized (Qualiphy, Dec. 2025, summarizing CA SB 351). The ByrdAdatto law firm published a case study in which a physician asked to serve as a medical director received a "General Partnership Agreement" instead of a medical director agreement, which would have exposed the physician to unlimited personal liability for all business debts (ByrdAdatto, Mar. 2025).
Billing and Reimbursement
This is an area many virtual medical directors overlook entirely. The clinic may be billing Medicare, Medicaid, commercial insurance, or operating on a cash-pay basis. Each of these environments has different compliance requirements:
Medicare and Medicaid: Federal and state fraud statutes apply, including the Anti-Kickback Statute, the Stark Law, and the False Claims Act. Billing must be supported by medical necessity documentation. The medical director should understand what codes are being submitted, by whom, and whether the documentation supports them.
Commercial insurance: Payer contracts typically incorporate similar medical necessity and documentation standards. Improper billing can result in audits, recoupment, and exclusion from networks.
Cash pay: While cash-pay practices avoid some payer-related regulations, they are still subject to state practice acts, CPOM rules, informed consent requirements, scope of practice limits, and advertising regulations. Cash pay does not exempt a practice from clinical compliance.
The medical director does not need to personally audit every claim, but they should know who the billing vendor is, what services are being billed, what codes are being used, and whether there is any system in place to flag discrepancies. In a health system, a revenue cycle management team handles this. In a standalone virtual clinic, the medical director may be the last line of oversight.
Marketing Review
Many clinics, particularly in the aesthetics and wellness space, use aggressive marketing. The medical director should be reviewing marketing materials, website content, and social media posts for claims that are clinically inaccurate, that promise outcomes the evidence does not support, or that use titles or credentials in a misleading way. Regulators in several states have begun using automated tools to identify social media posts where staff use prohibited titles like "Medical Aesthetician" or where a clinic implies physician involvement that does not actually exist (DocuHealth, Mar. 2026).
The Systems Gap: Virtual Oversight Without Infrastructure
In a traditional health system, the medical director role exists within a broader compliance infrastructure. There is typically a compliance officer, a quality management committee, a credentialing department, a billing and coding team, legal counsel, and established policies for incident reporting, chart review, peer review, and corrective action. These systems are not optional. They exist because the complexity of healthcare operations requires multiple layers of oversight to catch errors, flag risks, and maintain compliance.
When a physician agrees to serve as virtual medical director of a small clinic -- an IV therapy practice, a weight loss telehealth company, a med spa network -- that infrastructure usually does not exist. The physician is stepping into a role that, in a health system, would be supported by an entire department. But in this context, they are often the only person with any compliance responsibility at all.
This does not mean the role is impossible. But it does mean the physician needs to build or require the basic systems that make oversight functional:
A documented chart review process with a set cadence (weekly, biweekly, monthly) and written findings.
Standing orders and protocols that are specific to the services being offered, reviewed and updated regularly, and signed by the medical director.
A credentialing and competency verification process for every clinical staff member, including documentation of training, licensure, and scope of practice.
An adverse event and incident reporting system so the medical director is notified when something goes wrong, including when s licensed provider has any licensing issues.
A communication log documenting consultations, availability, and clinical decisions -- timestamped and linked to the director's NPI.
A billing review process even if it is a quarterly audit of a sample of claims, to confirm that what is being billed matches what is being documented and performed.
A marketing review process to ensure the clinic's public-facing materials are accurate and compliant.
These are the same functions that exist in any accredited healthcare organization. The format may be different in a small practice, but the substance is the same. CMS, state boards, and the OIG do not reduce the standard of oversight simply because the practice is small or the director is remote.
Virtual Supervision: The 2026 Regulatory Framework
CMS permanently adopted virtual direct supervision in the 2026 Medicare Physician Fee Schedule (MPFS), effective January 1, 2026 (MSN Healthcare Solutions, Dec. 2025; National Law Review, Jul. 2025). This means physicians can meet the "immediate availability" requirement for incident-to services and many diagnostic tests through real-time, two-way audio-video communication.
Several key requirements apply:
Audio-video is required. Audio-only communication (phone calls) does not satisfy the direct supervision standard and will trigger full recoupment of incident-to billings.
Global surgical packages are excluded. Procedures with 10-day or 90-day global indicators still require physical on-site presence.
On-site clinical staff must be present. The clinic must have appropriately trained staff physically on-site to handle emergencies, even when the supervising physician is remote.
Documentation of the supervision method is required for Medicare reimbursement. The supervising physician's availability and any interventions must be recorded (Tether Supervision, Dec. 2025, citing CMS final rule).
The permanence of virtual direct supervision is a positive development for telehealth. But it also means the standards are no longer provisional. They are codified, and non-compliance carries defined consequences.
For medical directors overseeing virtual or hybrid clinics, the critical point is that "virtual" does not mean "less." The same oversight obligations apply. The physician still needs to review charts, approve protocols, verify staff competency, and be reachable for clinical questions. The medium has changed; the standard has not.
What Goes Wrong: The Spectrum of Compliance Failures
It is important to understand that compliance failures exist on a spectrum. At the extreme end, there are cases involving deliberate fraud, schemes to bill for services never rendered, and kickback arrangements disguised as medical director fees. Those cases generate headlines and large settlements.
But the majority of compliance issues that medical directors encounter are not fraud. They are operational gaps that stem from a lack of systems, a lack of guidance, and a lack of understanding of what the role requires. The purpose of oversight is not to catch criminals. It is to catch errors, flag areas where the practice may be out of compliance, identify ways to adjust, and make sure the operation is running correctly.
Everyday Compliance Gaps
The following are examples of compliance issues that can arise in clinics where the medical director is not actively engaged in oversight. None of these require bad intent. They are the kinds of things that happen when there is no system in place to prevent them:
A medical assistant begins explaining prescriptions to patients -- discussing dosing, side effects, or how to take a medication. In most states, this is outside an MA's scope of practice and constitutes practicing medicine or pharmacy without a license. The MA may not realize this. Without training and monitoring, the medical director may never know it is happening.
The clinic adds a new service line (GLP-1 prescribing, peptide therapy, exosome treatments) without updating standing orders or protocols, and without the medical director reviewing whether the new service falls within the scope of the clinic's license, staff credentials, and applicable state regulations.
Marketing materials on the clinic's website or social media make outcome claims that are not supported by evidence, use before-and-after photos without proper consent documentation, or imply a level of physician involvement that does not reflect reality.
The billing vendor submits codes that do not match the documentation in the chart, or bills at a level of complexity that is not supported by the encounter note. Over time, this creates audit exposure that the medical director may not discover until a payer or regulator requests records.
Informed consent forms are outdated, incomplete, or not being used consistently. The clinic may be performing procedures without documenting that the patient was informed of risks, alternatives, and expected outcomes.
Staff credentials are not verified at hire or renewal. A provider's license may have lapsed, or their scope of practice may not cover the services they are performing. The medical or clinic director is responsible for all staff hiring which typically is reviewing these credentials before an official contract can be issued.
The practice has no incident reporting process. When an adverse event occurs, there is no defined protocol for how it is documented, who is notified, or how it is resolved. The medical director may not learn about the event at all.
Each of these is a correctable issue. The purpose of medical director oversight is to identify these gaps and address them before they become regulatory problems, malpractice claims, or patient safety events.
When It Escalates: Enforcement Cases
At the far end of the spectrum, oversight failures become enforcement actions. The following are recent cases that illustrate the consequences when medical director arrangements lack substance:
TelevisitMD (Florida, March 2026). The owner of a Fort Lauderdale telemedicine company pleaded guilty to a $46.2 million Medicare fraud scheme involving unnecessary braces and genetic tests. The DOJ found that physicians were paid to sign orders without conducting real examinations and without genuine medical relationships with patients (DOJ, Mar. 27, 2026).
Traditions Health (Oklahoma/Texas, January 2026). Traditions Health agreed to pay $34 million to resolve False Claims Act allegations that it billed Medicare for unnecessary home health services and paid physician-medical directors for patient referrals in violation of the Anti-Kickback Statute and Stark Law (DOJ, Jan. 22, 2026).
Healthicity "Deeper Than the Headlines" (January 2026). A New York hospital system paid over $4 million to an oncology practice through medical director agreements. The government alleged the payments violated the Anti-Kickback Statute. The core issue was not the contracts but the absence of documentation that any services were performed. No time records. No oversight logs. Settlement: $616,000 (Healthicity, Jan. 5, 2026).
Little River Healthcare (Texas, October 2024). The DOJ settled for $5.3 million with the CEO of a Rockdale, Texas hospital over allegations that a physician was paid $2,000 per month as a medical director when no genuine services were rendered (HCH Lawyers, Nov. 2024, citing DOJ).
Texas Medical Board -- Dr. Luis Silva (June 2024). The TMB disciplined Dr. Silva after a patient died under care, finding he failed to adequately supervise midlevel providers. He was ordered to complete CME in supervision and placed under monitoring (TMB, Jun. 21, 2024).
North Carolina Medical Board Advisory (August 2024). The NCMB published a case study involving a physician who became medical director of an NP-run med spa for $2,000/month, was never on-site, and did not know which clinicians he was supervising. The Board characterized this as a "straw practice" and warned it constitutes aiding unlicensed practice (JD Supra / Smith Anderson, Aug. 2024).
New York Med Spa Inspections (2025-2026). The NYC Council and state agencies inspected 223 med spas and cited 87 for probable illegal medical practice. Violations included unlicensed procedures, absent medical oversight, unhygienic conditions, and missing liability insurance. Statewide, the Department of State inspected additional facilities and issued fines, suspensions, and revocations (NYC Council, Dec. 2025; NY Dept. of State, Jan. 2026).
Ohio Clinic Closures (2026). Ohio closed over 30 clinics for violations including supervision failures, improper drug handling, documentation gaps, and sourcing issues (Portrait Care, Mar. 2026).
These cases represent the extreme outcomes. But the oversight gaps that led to them are the same kinds of gaps that exist in arrangements where no fraud is intended -- where the physician simply did not have systems in place to monitor what was happening.
Self-Assessment: Questions Every Medical Director Should Ask
The following questions are intended as a practical self-audit. If a medical director cannot answer these questions clearly, that does not necessarily mean the arrangement is unlawful. It means there are gaps that need to be addressed.
CLINICAL OVERSIGHT
Do I know every service the clinic is currently offering to patients?
Have I reviewed and signed the standing orders and clinical protocols for each of those services?
Do I have a defined chart review schedule, and am I documenting the results of each review?
If a patient had an adverse event today, would I be notified? Is there a written process for that?
Am I clinically competent to supervise every service being offered under my license?
STAFF AND DELEGATION
Do I know every provider and staff member practicing under my license?
Have I verified their credentials, licensure status, and scope of practice?
Do I know whether any non-clinical staff (MAs, front desk, health coaches) are performing tasks outside their scope, such as explaining prescriptions, making clinical recommendations, or adjusting treatment plans?
Do I have input into hiring and firing decisions for clinical staff?
Are delegation agreements, collaborative practice agreements, or supervision agreements in place as required by state law?
BUSINESS AND COMPLIANCE
Do I know how the business entity is structured? Is it a PC, PLLC, LLC, or general partnership?
In a CPOM state, does the structure comply with corporate practice rules?
If there is an MSO, does my agreement give me clinical authority, or does the MSO control patient volume, staffing, or treatment decisions?
Is my compensation a fixed fair market value amount, or is it tied to referrals, patient volume, or revenue?
Do I have a written, signed medical director agreement that defines my specific duties?
BILLING AND REIMBURSEMENT
Do I know whether the clinic bills Medicare, Medicaid, commercial insurance, or operates on a cash-pay basis?
Do I know who the billing vendor is?
Have I ever reviewed a sample of claims to verify that what is being billed matches what is being documented and performed?
If the clinic bills federal programs, am I aware of the Anti-Kickback Statute, Stark Law, and False Claims Act requirements that apply to my arrangement?
Is there any process in place to audit billing accuracy, even on a periodic basis?
MARKETING AND PATIENT-FACING MATERIALS
Have I reviewed the clinic's website, social media, and advertising materials?
Are the claims being made about services, outcomes, or provider credentials accurate?
Does the marketing imply a level of physician involvement that does not reflect reality?
Are before-and-after photos being used with proper consent documentation?
INSURANCE AND RISK
Does my malpractice insurance cover medical director duties, or only direct patient care?
Have I confirmed this with my carrier in writing?
Does my agreement include indemnification provisions that I understand and have reviewed with an attorney?
Can I terminate the agreement if I discover compliance issues?
The Right Framework: Just Oversee
The purpose of medical director oversight is not to catch people committing fraud. In the vast majority of practices, the people involved are trying to operate correctly. They may not know the rules. They may not have been trained. They may not have a compliance background. That is exactly why the medical director role exists -- to provide the clinical and regulatory guidance that ensures the practice stays within bounds.
In a health system, compliance is a team function. There are compliance officers whose job is to monitor regulatory changes, conduct internal audits, train staff, and manage corrective actions. There are quality management teams that track outcomes, review incidents, and implement improvements. There are billing and coding departments that audit claims before submission. There are credentialing teams that verify every provider's license and qualifications.
A physician serving as medical director of a small or virtual practice does not need to replicate all of this alone. But they do need to ensure that the basic functions are being performed by someone, and that they have visibility into the results. If the practice cannot or will not put these systems in place, that is important information for the physician to have before agreeing to the role.
Its recommended that organizations always include the compliance officer in physician arrangement discussions, hold physicians accountable for their documented expectations, and ensure that medical directorships are substantive, well-defined, and compliant with applicable laws. These are practices that scale down to any size operation.
Recent Regulatory Developments (2025-2026)
CMS 2026 Medicare Physician Fee Schedule: Virtual direct supervision made permanent for incident-to services and diagnostic tests effective January 1, 2026. Audio-only does not qualify. Global surgical packages require on-site presence (MSN Healthcare Solutions, Dec. 2025).
California SB 351 (effective January 2026): Codifies that MSOs cannot interfere with clinical judgment. If an MSO controls clinical decisions based on profit motives, both the medical director and MSO leadership face personal liability for CPOM violations (Qualiphy, Dec. 2025).
California AB 1501 (effective 2026): Expands the PA-to-physician supervision ratio to 8:1, but each supervising physician must still fulfill specific oversight obligations including documentation of supervisory activities (MIEC, 2026).
New York Med Spa Enforcement (2025-2026): NYC Council and state agencies inspected 223 med spas, cited 87 for violations. Statewide, the Department of State issued fines, suspensions, and revocations (NYC Council, Dec. 2025; NY Dept. of State, Jan. 2026).
Ohio Clinic Closures (2026): Over 30 clinics closed for supervision, drug handling, documentation, and sourcing violations (Portrait Care, Mar. 2026).
Texas Medical Board Rule 169 (2025-2026 updates): Requires med spas to display the delegating physician's name and license number and maintain written, signed, site-specific delegation orders with version history (DocuHealth, Mar. 2026).
DOJ Operation Protect the Public (June 2025): 324 defendants charged in the largest healthcare fraud takedown in history, covering $14.6 billion in alleged fraud (DOJ, Jun. 2025).
References and Resources
The following sources are cited in this article or provide additional detail on the topics discussed.
Enforcement and Case Law
"Medical Directorships Under Increased Scrutiny for Stark Law, AKS Compliance" -- HCH Lawyers (November 2024). https://www.hchlawyers.com/blog/2024/november/medical-directorships-under-increased-scrutiny-f/
"Deeper Than the Headlines: When Medical Director Agreements Become Compliance Risks" -- Healthicity (January 2026). https://www.healthicity.com/blog/deeper-than-the-headlines-when-medical-director-agreements-become-compliance-risks
"Telemedicine Company Owner Pleads Guilty to $46M Medicare Fraud Scheme" -- DOJ (March 2026). https://www.justice.gov/opa/pr/telemedicine-company-owner-pleads-guilty-46m-medicare-fraud-scheme
"Traditions Health Agrees to Pay $34M to Resolve False Claims Act Liability" -- DOJ (January 2026). https://www.justice.gov/opa/pr/traditions-health-agrees-pay-34m-resolve-false-claims-act-liability-relating-home-health
"Attorney General Jeff Jackson Announces $8.8 Million Health Care Fraud Settlement" -- NC DOJ (January 2026). https://ncdoj.gov/attorney-general-jeff-jackson-announces-8-8-million-health-care-fraud-settlement/
"National Health Care Fraud Takedown Results in 324 Defendants Charged" -- DOJ (June 2025). https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-324-defendants-charged-connection-over-146
"NC Medical Board Links Physician Supervision to Corporate Practice of Medicine" -- Smith Anderson / JD Supra (August 2024). https://www.jdsupra.com/legalnews/north-carolina-medical-board-links-8774730/
"TMB Disciplines 27 Physicians at June Meeting" -- Texas Medical Board (June 2024). http://www.tmb.state.tx.us/about-us/newsroom/tmb-disciplines-27-physicians-at-june-meeting-adopts-rule-changes
"NYC Council Investigation of Med Spa Service Providers" -- NYC Council / OID (December 2025). https://council.nyc.gov/press/2025/12/11/3027/
"NY Department of State Issues Warning After Med Spa Investigations" -- NY Dept. of State (January 2026). https://dos.ny.gov/news/new-york-department-state-issues-warning-consumers-after-investigations-med-spa-service
Regulatory and Compliance Guidance
"Virtual Oversight, Real Impacts: Incident-To and Beyond in CMS's CY 2026 PFS" -- National Law Review (July 2025). https://natlawreview.com/article/virtual-oversight-real-impacts-incident-and-beyond-cmss-cy-2026-pfs-proposed-rule
"CMS Makes Virtual Direct Supervision Permanent Effective January 1, 2026" -- Tether Supervision (December 2025). https://www.tethersupervision.com/blog/cms-makes-virtual-direct-supervision-permanent-effective-january-1-2026
"2026 New Law Alert: California (AB 1501 PA Supervision Ratio)" -- MIEC (2026). https://www.miec.com/knowledge-library/2026-new-law-alert-california/
"Med Spa Regulation News for 2026: Important Updates by State" -- Portrait Care (March 2026). https://www.portraitcare.com/post/med-spa-regulation-news-for-2026-important-updates-by-state
"Medical Directorships: Compliance Best Practices" -- Ovation Healthcare (December 2025). https://ovationhc.com/medical-directorships-compliance-best-practices/
"Florida Medical Director Requirements for Medspas" -- Medical Director Co. (November 2025). https://www.medicaldirectorco.com/florida-medical-director-requirements-for-medspas-2025-compliance-checklist/
Practical Guidance and Case Studies
"Understanding the Risks Associated with Medical Directorships" -- ProAssurance (October 2025). https://riskmanagement.proassurance.com/article-library/understanding-the-risks-associated-with-medical-directorships
"When Medical Directors Become Liability Risks" -- DocuHealth (March 2026). https://docuhealth.com/when-medical-directors-become-liability-risks/
"Remote Medical Director Models: Risks and Limits" -- DocuHealth (March 2026). https://docuhealth.com/remote-medical-director-models-risks-and-limits/
"Case Study: Medical Director Agreement vs. the MSO Model" -- ByrdAdatto (March 2025). https://byrdadatto.com/banter/case-study-medical-director-agreement-vs-mso-model/
"Making Sure a Medical Directorship Is Not a Kickback" -- Massachusetts Bar Association (March-April 2025). https://www.massbar.org/publications/section-review/section-review-article/section-review-2025-march-april-2025/making-sure-a-medical-directorship-is-not-a-kickback
"So, You've Been Asked to be a Medical Director?" -- Cooperative of American Physicians (2021 (updated)). https://www.capphysicians.com/articles/so-youve-been-asked-be-medical-director
"How Medical Director Agreements Enhance Compliance and Reduce Risk" -- ProMed Preferred (November 2025). https://www.promedpreferred.com/how-medical-director-agreements-enhance-compliance-and-reduce-risk/
"Before You Sign -- Minimizing Medical Director Liability Exposure" -- Kerr Russell (July 2025). https://www.kerr-russell.com/before-you-sign-minimizing-medical-director-liability-exposure/
"Physician Contract Red Flags You Should Never Ignore" -- Review Physician Contracts (February 2026). https://reviewphysiciancontracts.com/physician-contract-red-flags-you-should-never-ignore/
This article is intended for informational and educational purposes. It does not constitute legal, medical or tax advice. Physicians should consult a healthcare attorney for guidance on their specific arrangements and state requirements.
