While informed consent in healthcare is usually associated with invasive or experimental procedures, some states and payers have made it a requirement for telehealth due to privacy and security concerns. Here are answers to frequently asked questions about informed consent for telehealth:

Is Informed Consent Required for Telehealth?

  • State Requirements: Many states mandate informed consent for telehealth, either within their Medicaid programs or via laws governing health professionals.  Some states specify elements that must be included in the consent process.
    • Check State Requirements.  To confirm your state's requirements, click here and then:
      • Select your state from the State dropdown box at the top of the webpage then:
      • Click on Medicaid and select "Consent Requirements" for Medicaid-specific requirements
      • Click on Professional Requirements and select
        "Consent Requirements" to view requirements from the professional licensing board.
  • Medicare: Medicare does not require consent for general telehealth visits.  However, it does require consent for Communication Technology Based Services (e.g., virtual check-in, remote patient monitoring) that are not classified as telehealth.

While consent may not always be required, obtaining it is a recommended best practice for clarity and compliance.

What Should Be Included in Telehealth Consent?  Informed consent for telehealth typically explains what telehealth involves, outlines expectations, highlights benefits and potential risks, and details how risks are managed. The Federation of State Medical Boards, in their policy on The Appropriate Use of Telemedicine Technologies in the Practice of Medicine recommends including the following:

  • Patient and Provider Identification:  Include the patient's identity and location and the provider's identity, credentials and state of practice.
  • Primary Care Physician: Document the primary care physician's details, if available.
  • Permitted Activities:  Specificy what types of services (e.g., prescriptions, patient education) can be done via telehealth.
  • Suitability for Telehealth:  State that the provider will determine, in accordance with laws, if a condition is appropriate for telehealth.
  • Privacy and Security Measures: Describe any security protocols used (e.g., data encryption, password protection) and potential privacy risks.  HIPAA does not require education on these risks, but it is best practice to inform patients.
  • Hold Harmless Clause:  Include a clause absolving liability for informtion lost due to technical failures.
  • Consent to Share Information. Obtain express patient consent before sharing identifiable information with third parties, following state and federal regulations.

For non-physicians, check your profession's guidance for any specific consent requirements.

How Often and In What Format Should Consent be Gathered?  

  • Written or Verbal Consent:  Check state and Medicaid requirements to see if written consent is required; most allow verbal consent.
  • Consent Frequency: Most states do not require consent before each visit and many are not explicit about frequency of consent.  Annual consent is typically recommended.
  • Consent Protocol and Documentation:  It is recommended that you have a written process (by whom, when/frequency) and protocol (script for initial consent and for annual) developed that is considered standard operating procedure.  Date the protocol and include a revision date each time it is revised.  We recommend reviewing annually and revising as needed.  Once that is in place, you just need to document in the medical record that your consent process/protocol (include the version date) was used and that the patient provided consent.  Click HERE to learn more about best practices for documentation.

Do I Need a Separate Consent if My Telehealth Workflow Includes the Use of Text Messaging for Things Like Appointment Reminders?  The short answer is "Maybe".  Text messaging is easy and quick for most people, but providers need to be careful about HIPAA.

  • If you use a secure platform (software or EMR based) where you have a Business Associates Agreement that requires the patient to log-in with a password, then the patient is providing defacto consent simply by logging in.  Click HERE to learn more about HIPAA and Telehealth.
  • If you are using one-way only text-based communication through unsecured channels, and you (the provider) do not send any messages with PHI, then you only need the patient to consent to receive messages by text (e.g., appointment reminders).  That consent should include:
    • An explanation of the purpose of the text message communications
    • Assurance that no PHI will be involved in those communications
    • A caution that for some patients (depending on their cellular service provider) those communications may incur a fee.
    • Assurance that they may withdraw their consent at any time, and an explanation for how to do that (in most cases, they would just reply "STOP")

If you are using two-way text-based communication through unsecured channels (any situation where the patient can reply by text), no matter how careful you (the provider) are in not including PHI; the patient could reply with PHI.  In those cases, you should obtain patient consent for text messaging communications and address privacy and security concerns associated with transmitting sensitive health information through unsecured channels.  The consent should include:

  • An explanation of the purpose of text messaging communications.
  • The types of information that may be transmitted and any limitations or exclusions.  
  • Inform patients about the benefits and risks of text messaging communications, dissuading patients from using text messaging to communicate PHI.  However, if they chose to do so, they are acknowledging they understand the risks.
  • Provide assurance that they may withdraw consent for text messaging communications at any time and a clear explanation for how to revoke consent.

What kind of consent is needed if I am using AI for scribing during my telehealth visit?  Your first order of business is to make sure you have a strong Governance Structure in place for the use of AI.  The Health Care Artificial Intelligence (AI )Toolkit developed by the California TRC has a nice section on Governance.  At minimum, keep in mind the following:

  • The AI scribing industry is still relatively unregulated, and training and certification requirements may vary. It is important for healthcare providers to ensure that any AI scribe technology they use meets industry standards and safeguards patient data.
  • The Health Insurance Portability and Accountability Act (HIPAA) in the United States does not specifically require patient consent for the use of AI scribes. However, it does require healthcare providers to have contracts in place with any third-party companies involved in handling patient data, ensuring that patient information is protected. 

Once you do those things, then here are some key considerations for consenting patients when using AI for scribing:

  • Type of informed consent: You may use the same procedures you use for other services (e.g., telehealth), so whether that is written or verbal consent, you would do the same with AI scribing.
  • Information to include when having the consent conversationClearly communicate to patients that an AI scribe will be involved in their healthcare process.  
    • Explain the purpose, benefits, and potential risks of using AI scribes.
    • Provide detailed information about the AI scribe's capabilities, limitations, and potential impact on their healthcare.
    • Provide information about how the AI scribe will be used in your practice, what data will be collected, stored, used and how it will be protected (e.g., clinicians review the notes for accuracy and are required to sign off on them).
    • Inform your patient that you will keep them updated if there are any changes to how AI scribing will be used in the future.
  • Opt-out option:  Allow patients to ask questions and address any concerns they may have.   Give patients the option to decline the use of AI scribes if they are uncomfortable with it. Respect their decision and provide alternative methods for documentation if necessary.

Additional Consent Resources: