While informed consent in healthcare is usually associated with invasive or experimental procedures, some states and payers have made it a requirement for telehealth due to privacy and security concerns. Here are answers to frequently asked questions about informed consent for telehealth:

Is Informed Consent Required for Telehealth?

  • State Requirements: Many states mandate informed consent for telehealth, either within their Medicaid programs or via laws governing health professionals.  Some states specify elements that must be included in the consent process.
    • Check State Requirements.  To confirm your state's requirements, click here and then:
      • Select your state from the State dropdown box at the top of the webpage then:
      • Click on Medicaid and select "Consent Requirements" for Medicaid-specific requirements
      • Click on Professional Requirements and select
        "Consent Requirements" to view requirements from the professional licensing board.
  • Medicare: Medicare does not require consent for general telehealth visits.  However, it does require consent for Communication Technology Based Services (e.g., virtual check-in, remote patient monitoring) that are not classified as telehealth.

While consent may not always be required, obtaining it is a recommended best practice for clarity and compliance.

What Should Be Included in Telehealth Consent?  Informed consent for telehealth typically explains what telehealth involves, outlines expectations, highlights benefits and potential risks, and details how risks are managed. The Federation of State Medical Boards, in their policy on The Appropriate Use of Telemedicine Technologies in the Practice of Medicine recommends including the following:

  • Patient and Provider Identification:  Include the patient's identity and location and the provider's identity, credentials and state of practice.
  • Primary Care Physician: Document the primary care physician's details, if available.
  • Permitted Activities:  Specificy what types of services (e.g., prescriptions, patient education) can be done via telehealth.
  • Suitability for Telehealth:  State that the provider will determine, in accordance with laws, if a condition is appropriate for telehealth.
  • Privacy and Security Measures: Describe any security protocols used (e.g., data encryption, password protection) and potential privacy risks.  HIPAA does not require education on these risks, but it is best practice to inform patients.
  • Hold Harmless Clause:  Include a clause absolving liability for informtion lost due to technical failures.
  • Consent to Share Information. Obtain express patient consent before sharing identifiable information with third parties, following state and federal regulations.

For non-physicians, check your profession's guidance for any specific consent requirements.

How Often and In What Format Should Consent be Gathered?  

  • Written or Verbal Consent:  Check state and Medicaid requirements to see if written consent is required; most allow verbal consent.
  • Consent Frequency: Most states do not require consent before each visit and many are not explicit about frequency of consent.  Annual consent is typically recommended.
  • Consent Protocol and Documentation:  It is recommended that you have a written process (by whom, when/frequency) and protocol (script for initial consent and for annual) developed that is considered standard operating procedure.  Date the protocol and include a revision date each time it is revised.  We recommend reviewing annually and revising as needed.  Once that is in place, you just need to document in the medical record that your consent process/protocol (include the version date) was used and that the patient provided consent.  Click HERE to learn more about best practices for documentation.

Do I Need a Separate Consent if My Telehealth Workflow Includes the Use of Text Messaging for Things Like Appointment Reminders?  The short answer is "Maybe".  Text messaging is easy and quick for most people, but providers need to be careful about HIPAA.

  • If you use a secure platform (software or EMR based) where you have a Business Associates Agreement that requires the patient to log-in with a password, then the patient is providing defacto consent simply by logging in.  Click HERE to learn more about HIPAA and Telehealth.
  • If you are using one-way only text-based communication through unsecured channels, and you (the provider) do not send any messages with PHI, then you only need the patient to consent to receive messages by text (e.g., appointment reminders).  That consent should include:
    • An explanation of the purpose of the text message communications
    • Assurance that no PHI will be involved in those communications
    • A caution that for some patients (depending on their cellular service provider) those communications may incur a fee.
    • Assurance that they may withdraw their consent at any time, and an explanation for how to do that (in most cases, they would just reply "STOP")

If you are using two-way text-based communication through unsecured channels (any situation where the patient can reply by text), no matter how careful you (the provider) are in not including PHI; the patient could reply with PHI.  In those cases, you should obtain patient consent for text messaging communications and address privacy and security concerns associated with transmitting sensitive health information through unsecured channels.  The consent should include:

  • An explanation of the purpose of text messaging communications.
  • The types of information that may be transmitted and any limitations or exclusions.  
  • Inform patients about the benefits and risks of text messaging communications, dissuading patients from using text messaging to communicate PHI.  However, if they chose to do so, they are acknowledging they understand the risks.
  • Provide assurance that they may withdraw consent for text messaging communications at any time and a clear explatation for how to revoke consent.

Resources