Telehealth Consent Form

A Telehealth Consent Form in the United States records a party's informed permission for a specified act, authorising it to proceed.

The legal framework governing telehealth consent in the United States is a patchwork of state statutes, state medical board regulations, and federal requirements for Medicare and Medicaid reimbursement. California Business & Professions Code § 2290.5 requires healthcare providers to obtain verbal or written informed consent from patients before providing telehealth services and to document that consent in the patient's medical record. Texas Occupations Code § 111.005 requires written telehealth consent before the initiation of a telehealth service. New York's telehealth statute (Public Health Law § 2999-cc) requires patient consent and prohibits telehealth providers from providing services that are not clinically appropriate for telehealth delivery. These state requirements operate independently of any federal consent requirements.

HIPAA's Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C) apply to telehealth services provided by covered entities and their business associates. Under the Privacy Rule, protected health information (PHI) transmitted during a telehealth encounter — including audio, video, diagnostic images, and clinical notes — must be protected with administrative, physical, and technical safeguards consistent with the applicable standard for the sensitivity of the information. The Security Rule requires covered entities to implement specific technical safeguards for electronic PHI (ePHI), including access controls, encryption, transmission security, and audit controls. Business Associate Agreements (BAAs) under 45 CFR § 164.504(e) must be executed with all telehealth platform vendors that have access to ePHI.

During the COVID-19 Public Health Emergency declared under 42 U.S.C. § 247d, HHS's Office for Civil Rights issued an enforcement discretion notice permitting covered healthcare providers to use non-HIPAA-compliant consumer video communication products (FaceTime, Zoom for Healthcare) for telehealth without penalty. That enforcement discretion ended on May 11, 2023, and telehealth providers must now use HIPAA-compliant platforms with executed BAAs for all telehealth visits. Telehealth consent forms executed during the Public Health Emergency should be updated to reflect current platform compliance status.

The Drug Enforcement Administration (DEA) regulations at 21 CFR § 1306.03 and the Ryan Haight Online Pharmacy Consumer Protection Act (21 U.S.C. § 829(e)) require that controlled substances (Schedule II-V drugs) generally not be prescribed via telehealth without a prior in-person examination, subject to limited exceptions. Temporary DEA waivers issued during the COVID-19 pandemic are being phased out under proposed permanent rules in 2024. Telehealth consent forms for providers who prescribe controlled substances should disclose these limitations.

A Telehealth Consent Form is needed before every initial telehealth encounter and, per the requirements of most state telehealth consent statutes, should be refreshed or reconfirmed for patients whose consent was obtained more than a specified period ago.

Primary care and urgent care telehealth visits for common acute conditions — upper respiratory infections, urinary tract infections, minor rashes, anxiety, and medication refills — represent the highest volume of telehealth encounters in the US. Platforms including Teladoc Health, MDLive, Amwell, and health system-affiliated telehealth programs serving patients in California, New York, Texas, and Florida must obtain consent compliant with each state's specific requirements before connecting patients with providers.

Behavioral health telehealth — including outpatient psychotherapy, psychiatric medication management, and addiction counseling — expanded dramatically during the COVID-19 pandemic and has maintained elevated utilization. Behavioral health telehealth consent forms must address specific limitations of remote assessment for acute psychiatric presentations, the emergency referral protocol when a patient expresses suicidal or homicidal ideation, and the provider's obligations under state mandatory reporting laws (duty to warn under Tarasoff v. Regents of the University of California, 17 Cal.3d 425 (1976)) when a patient presents a credible threat to an identifiable third party.

Remote patient monitoring (RPM) — continuous or periodic collection of physiological data (blood pressure, glucose, weight, SpO2) from patients in their home settings using connected medical devices — requires both a telehealth consent form and a separate RPM consent addressing data collection frequency, clinical review protocols, and alert thresholds. CMS reimburses RPM services under CPT codes 99453, 99454, 99457, and 99458 when documented consent is obtained.

Cross-state telehealth practice — where a provider licensed in one state provides services to a patient located in another state — requires the provider to be licensed in the patient's location state or to qualify for an interstate compact exemption. The Interstate Medical Licensure Compact (IMLC), administered by the Interstate Medical Licensure Compact Commission (IMLCC), provides expedited licensure for qualifying physicians in member states. The telehealth consent form should disclose the provider's state license(s) and confirm the patient's physical location at the time of the visit.

School-based telehealth programs that deliver services to students through school health offices require consent forms that comply with both HIPAA and FERPA (the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g), and must address parental consent requirements for minor students consistent with applicable state minor consent statutes.

A complete US Telehealth Consent Form addresses the following essential elements required by state telehealth consent statutes, HIPAA, professional licensing standards, and CMS reimbursement documentation requirements.

The telehealth definition and technology description section explains what telehealth means in the context of the provider's practice — whether the services are delivered through live video (synchronous), store-and-forward image transmission (asynchronous), telephone-only, remote patient monitoring, or a combination — and identifies the technology platform to be used. The consent form should disclose the name of the telehealth platform or application (e.g., Zoom for Healthcare, Doxy.me, Epic MyChart, Teladoc) and confirm that it is HIPAA-compliant with an executed Business Associate Agreement.

The benefits of telehealth section describes the advantages of telehealth relevant to the patient — access to care without travel, reduced wait times, continuity of care — without overstating the clinical capability of telehealth services or making promises about availability or response times.

The limitations and risks of telehealth section is among the most legally important disclosures in the consent form. Required disclosures include: the inability to conduct a physical examination, which may limit the accuracy of diagnosis or require referral for in-person evaluation; potential for technology failures — poor internet connectivity, audio/video interruptions, or platform outages — that may delay or interrupt care; the possibility that the provider may determine the patient's condition is not suitable for telehealth management and refer to in-person care; limitations on prescribing controlled substances without a prior in-person examination; and the risk that confidentiality could be compromised if the patient is in a non-private location or uses an unsecured internet connection during the session.

The HIPAA privacy and security disclosure section explains how the patient's PHI will be transmitted, stored, and protected during the telehealth encounter. The disclosure should identify the telehealth platform's security measures (encryption in transit and at rest, access controls, BAA), the categories of information that may be shared (video image, voice, clinical notes, diagnostic results), and any limitations on the provider's ability to control the security of the patient's home technology environment.

The emergency protocols section discloses the provider's procedures for responding to medical emergencies arising during a telehealth visit. The section must require the patient to disclose their physical location at the start of each visit (address where they are physically located, not their mailing address) so that emergency services (911) can be dispatched if needed. The section should also state that in a medical emergency, the patient should immediately hang up the telehealth call and call 911 or proceed to the nearest emergency department.

The provider licensure and location section discloses the provider's state license number(s), the state(s) in which the provider is licensed to practice, and the requirement that the patient be physically located in a state where the provider is licensed at the time of the encounter. This disclosure is necessary to comply with state telehealth statutes and to protect the provider from practicing medicine without a license in an unlicensed state.

The consent confirmation and electronic signature section records the patient's agreement to the terms of the telehealth consent, the date of consent, and either the patient's electronic signature (using a compliant electronic signature method under the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq.) or verbal consent acknowledgment documented by the provider. The consent should be stored in the patient's medical record as required by applicable state medical records retention statutes.