Telehealth has evolved from a pandemic emergency measure into a permanent fixture of healthcare delivery. In 2025, 37% of all outpatient visits included a telehealth component, and the virtual care market is projected to exceed $450 billion globally by 2028. Medicare, Medicaid, and virtually all private insurers now cover telehealth services, and most states have enacted permanent telehealth parity laws requiring equal reimbursement for virtual and in-person care.
But with permanence comes regulatory structure. The informal consent practices that were tolerated during the COVID-19 public health emergency — verbal consent over the phone, implied consent by joining a video call, or no consent at all — are no longer acceptable in most jurisdictions. States have been steadily enacting or tightening telehealth consent requirements, and healthcare organizations that haven't formalized their consent processes face both compliance risk and malpractice exposure.
This guide explains the legal requirements for telehealth informed consent, covers the specific disclosures that federal and state law mandate, addresses special situations (behavioral health, minors, cross-state practice), and provides a practical framework for implementing telehealth consent at scale without creating administrative friction for patients or providers.
Legal Framework for Telehealth Consent
Telehealth consent requirements come from multiple legal sources that practitioners must navigate simultaneously.
Federal Requirements
While there is no single federal telehealth consent statute, several federal frameworks impact consent requirements:
- CMS (Centers for Medicare & Medicaid Services): Medicare Conditions of Participation require informed consent for treatment, which extends to telehealth. CMS guidance specifies that patients must be informed that they are receiving virtual care and must consent to this modality
- HIPAA: The Privacy Rule requires covered entities to obtain consent or authorization for the use and disclosure of PHI. Telehealth introduces additional privacy considerations (recording, screen sharing, data transmission) that should be addressed in the consent
- FTC Act: The Federal Trade Commission has enforcement authority over deceptive health practices, including misrepresentations about telehealth services, technology security, and data collection practices
- Ryan Haight Act: For prescribing controlled substances via telehealth, the DEA requires an initial in-person examination unless a specific exception applies. The telehealth prescribing flexibilities introduced during COVID are being gradually narrowed.
State Requirements
Most telehealth consent requirements are imposed at the state level:
States requiring written consent before the first telehealth visit:
- California, Texas, New York, Florida, Georgia, Virginia, and many others explicitly require documented consent
- Several states accept verbal consent but require written documentation that consent was obtained
States with specific disclosure requirements:
- Many states mandate specific disclosures about the technology used, privacy risks, the limitations of telehealth compared to in-person care, the patient's right to refuse or withdraw, and the provider's licensing jurisdiction
- Some states provide model consent form language that must be included verbatim
States allowing implied consent:
- A minority of states accept participation in the telehealth visit as implied consent, though even these states typically recommend documented consent as a best practice
Medical Board Standards
State medical boards independently regulate telehealth practice standards, and many have issued telehealth-specific practice guidelines that address consent requirements, documentation standards, prescribing limitations, and technology standards. Practitioners must comply with both the state statute and their medical board's telehealth regulations.
Essential Disclosures in a Telehealth Consent Form
A comprehensive telehealth consent form should include the following categories of information and patient acknowledgments:
Nature and Scope of Telehealth Services
- Definition of telehealth: A clear explanation that services will be provided through electronic communication rather than in-person contact, and a description of the modalities used (live video, store-and-forward, remote monitoring, audio-only)
- Services offered via telehealth: Which services will be provided virtually and which may still require an in-person visit
- Provider identification: Name, credentials, and license number of the provider; the state(s) in which they are licensed
- Location requirements: Whether the patient must be physically located in a specific state during the visit (required by most state licensing laws)
Limitations and Risks
Patients must understand what telehealth cannot do:
- Diagnostic limitations: Telehealth may limit the provider's ability to perform physical examinations, diagnostic tests, or procedures. Some conditions require in-person evaluation
- Technology risks: Connection interruptions, audio/video quality issues, and the possibility that the provider may determine telehealth is not appropriate and refer the patient for in-person care
- Emergency limitations: Telehealth is not appropriate for medical emergencies. The consent should direct patients to call 911 or go to the nearest emergency room for emergencies
- Prescribing limitations: Certain medications (controlled substances, in particular) may have restrictions on telehealth prescribing
Privacy and Technology Disclosures
- Platform identification: The specific technology platform used for the visit (Zoom, Doxy.me, platform integrated with the EHR, etc.)
- Encryption: Whether the connection is encrypted end-to-end
- Recording: Whether the session may be recorded, and if so, for what purpose (documentation, quality assurance, training) and how recordings are stored and protected
- Location privacy: Reminder that the patient should conduct the visit from a private location where others cannot overhear the conversation
- Data storage: Where visit data, including recordings, images, and notes, will be stored and for how long
- Third-party access: Whether any third parties (platform vendor, IT support, interpreters) may have access to the session data
Patient Rights
- Right to refuse or withdraw: The patient may refuse telehealth at any time and request an in-person visit instead, without penalty or negative impact on their care
- Right to stop the session: Either party may end the telehealth session at any time if the connection quality is insufficient for safe care
- Right to ask questions: The patient should have the opportunity to ask questions about the telehealth process before signing consent
- Right to a copy: The patient is entitled to a copy of the signed consent form
Special Situations: Behavioral Health, Minors, and Cross-State
Behavioral Health Telehealth
Telehealth for mental health and behavioral health services involves additional consent considerations:
- Therapeutic relationship: Disclosure that establishing and maintaining a therapeutic relationship via telehealth may differ from in-person care
- Crisis protocols: Clear instructions for what the patient should do in a mental health crisis, including local crisis hotline numbers, emergency contacts, and the 988 Suicide & Crisis Lifeline
- Psychotherapy notes: If the provider maintains psychotherapy notes (as defined by HIPAA), separate disclosure about how these are handled in a telehealth context
- Substance use disorder: Additional consent requirements under 42 CFR Part 2 for telehealth substance abuse treatment
- Group therapy via telehealth: Additional privacy considerations when multiple patients participate in group sessions via video — consent should address the expectation that participants maintain confidentiality
Minors and Dependent Adults
When the patient is a minor or dependent adult:
- Parental/guardian consent: A parent or legal guardian must sign the telehealth consent for patients under 18 (with exceptions for emancipated minors and specific services where minor consent is sufficient under state law)
- Mature minor considerations: Some states have "mature minor" doctrines that allow minors above a certain age to consent to specific categories of healthcare (mental health, reproductive health, substance abuse treatment) without parental consent
- Supervision: Whether a parent or guardian should be present during the telehealth visit, or whether the clinician needs to speak with the minor privately
- Technology access: Ensuring the minor has private access to the necessary technology for the visit
Cross-State Telehealth
- Licensing compliance: The provider must be licensed in the state where the patient is physically located during the visit. The consent should verify patient location at each visit
- Interstate compacts: For physicians (IMLC), psychologists (PSYPACT), nurses (NLC), and other providers, interstate compacts allow practice across member states. The consent should note the applicable compact
- Prescribing across state lines: Prescription authority follows the patient's location state rules. The consent should address any limitations on prescribing for patients in certain states
- Choice of law: The consent may specify which state's law governs the provider-patient relationship (typically the state where the patient is located)
Building a Scalable Telehealth Consent Workflow
Healthcare organizations providing telehealth at scale need efficient consent workflows that don't create barriers to care while maintaining full compliance.
Pre-Visit Digital Consent
The most efficient model sends the consent form to the patient before the scheduled visit:
- Automated trigger: When a telehealth appointment is scheduled, the system automatically sends the consent form to the patient's email or patient portal
- Electronic signature: The patient reviews and signs the consent form from their device. The form is pre-populated with the provider's information and the appointment details
- Smart form logic: The form adapts based on the service type — behavioral health consents include additional mental health-specific disclosures; pediatric consents route to the guardian for signature
- Verification: The system confirming that consent was received and valid before the visit can proceed
- Storage: The signed consent is automatically filed in the patient's electronic health record
Consent Duration and Renewal
Practice policies vary on how often telehealth consent must be renewed:
- Per-visit consent: The most conservative approach, required in some states. Each telehealth encounter requires a new consent
- Annual consent: The patient signs once per year, covering all telehealth encounters during that period. This is the most common and practical approach for ongoing care relationships
- Standing consent: The patient signs once and consent remains valid until revoked. Less common but used by some organizations for established patients
Template Management
Organizations offering telehealth across multiple states need a template management strategy:
- Base template: A comprehensive consent form that meets the requirements of the most restrictive applicable state
- State-specific modules: Additional language or checkboxes required by specific states, added dynamically based on the patient's location
- Service-specific addenda: Additional terms for behavioral health, substance abuse, pediatrics, and other specialties with unique requirements
- Version control: Track template changes over time with clear effective dates, ensuring that the consent form used for each patient is the version that was current at the time of signing
ZiaSign for Telehealth Consent
ZiaSign supports healthcare organizations with HIPAA-compliant telehealth consent management:
- Pre-visit consent forms sent automatically when appointments are scheduled
- Electronic signature with identity verification and timestamped audit trails
- Smart templates that adapt to service type and patient location
- Secure storage integrated with document management workflows
- Annual renewal reminders and consent status tracking across patient populations
Implement telehealth consent with ZiaSign →