In health care, prior informed consent has typically been reserved for invasive or experimental procedures/treatments. Due to concerns about privacy & security, some states & payers have made informed consent a requirement for telehealth. Here you will find the answers to some of our most frequently asked questions about informed consent.

Is informed consent for telehealth required?  Many states either require informed consent within their Medicaid program or in their statute or rules regulating health professionals. Some states define very specific required elements within the consent process. To find out if and what your state requires in terms of consent, click here and then follow the instructions below:

  • Select your state of interest from the State dropdown box at the top of the webpage.
  • Now click on the Medicaid box and select "Consent Requirements" to see if there are any specific requirements by the funder.
  • Finally, click on Professional Requirements and click on "Consent Requirements" to see if there are any specific requirements by the professional licensing board.

Medicare does not require that informed consent be obtained from a patient prior to a telehealth visit, but Medicare reimburses for a set of Communication Technology Based Services (formerly known as Virtual Communications Services) that they do not consider as "telehealth".  These include things like remote evaluation/virtual check-in and remote physiological/remote patient monitoring.  For these services, there is an informed consent requirement.

We believe it's good practice to get consent, whether it is required or not.

What goes into telehealth consent?  In telehealth, informed consent is used to explain what telehealth is, what they can expect from a telehealth visit, lay out the potential benefits and possible risks associated with a telehealth visit, and explain any measures being taken to manage such risks. 

The Federation of State Medical Boards has established a policy for The Appropriate Use of Telemedicine Technologies in the Practice of Medicine. This document was designed for State licensing boards. In this document, they recommend as a baseline, including the following terms:

    • Identification of the patient, and the patient's location
    • Identification of the physician, the physician’s credentials, and the physician’s state or territory of practice
    • Identification of the patient’s primary care physician, if available
    • Types of transmissions permitted using telemedicine technologies (e.g. prescription refills, patient education, etc.)
    • The patient agrees that the physician determines, in conjunction with applicable laws, whether or not the condition being diagnosed and/or treated is appropriate for a telemedicine encounter
    • Details on security measures taken with the use of telemedicine technologies, such as encrypting data, enabling password protection of data files, or utilizing other reliable authentication techniques, as well as potential risks to privacy notwithstanding such measures (note that HIPAA Rules do not require covered health care providers to education patients about these risks, but it is a best practice!)
    • Hold harmless clause for information lost due to technical failures
    • Requirement for express patient consent to forward patient-identifiable information to a third party, if consistent with state and federal law.

If you are not a physician, your particular profession (or professional organization) may have guidance about consent and recommended elements of consent as well.

How often do I need to obtain consent and does it need to be written consent?  Requirements may vary by State. Unless your State and/or State Medicaid program explicitly requires the consent form to be signed (most places do not), it may be done verbally.  Unless your State and/or State Medicaid program specifically requires you to obtain consent before every visit (most places do not or are not explicit about frequency), it may be done once (or preferably once a year).  It is recommended that you have a written process (by whom and when) and protocol (with script) developed that is considered standard operating procedure.  Make sure you date the protocol and include a revision date each time it is revised.  Once that is in place, in most cases, you just need to document in the medical record that your consent process/protocol (include the version date) was used and that the patient provided consent.