Most Telehealth Consent Forms Are a Liability Pretending to Be Compliance

If your telehealth consent is a single paragraph buried at the bottom of a general intake form, you do not have a telehealth consent. You have a paragraph. In a board complaint or a malpractice review, the difference matters a lot.

Boards, payers, and malpractice carriers have all converged on the same expectation in 2026. A patient consenting to a virtual visit must understand what is different about virtual care, what can go wrong, what their rights are, and what your practice will do in specific situations. A generic "I consent to treatment" sentence checks none of those boxes. The form most practices use is the form they downloaded once in 2020 when telehealth was an emergency stopgap. It is overdue for a real one.

The good news is that a defensible telehealth consent is short, plain, and a one-time build. You write it once, sign clients once, document it in the chart, and you're done. This guide walks through what actually needs to be in the form, the parts most templates miss, where state law adds requirements, and a plain-language template you can adapt to your practice today.

The Nine Elements Every Telehealth Consent Should Cover

These nine elements show up across state medical board guidance, AMA telehealth policy, and almost every malpractice carrier checklist. If your form covers them in plain language, you're in the safe range for almost every state and specialty.

  • What telehealth is, in one sentence. Real-time video, phone, or secure messaging used in place of an in-person visit. Patients should not have to guess what they're consenting to.
  • The benefits, briefly and honestly. Convenience, access, no travel, easier follow-up. Skip the marketing language. Two sentences is enough.
  • The risks and limits. Technology can fail. Some conditions cannot be diagnosed without a physical exam. Image quality can hide findings. Network or device problems can cut a session short. Confidentiality on the patient's end depends on where they are sitting.
  • Privacy and security. The visit uses encrypted, HIPAA-grade infrastructure. You have a Business Associate Agreement with your platform vendor. No part of the session is recorded without separate written consent.
  • How emergencies are handled. Telehealth is not for medical emergencies. In an emergency, the patient calls 911 or goes to the nearest ER. You will collect their physical location at the start of every visit so you can direct emergency services if needed.
  • Right to refuse or switch to in-person. The patient can decline telehealth at any time, end a visit at any time, or ask for an in-person appointment without penalty.
  • Billing and insurance. Telehealth visits may be billed to insurance the same way as in-person visits, and the patient may owe a copay, coinsurance, or deductible. If a payer denies the visit, the patient is responsible.
  • Provider licensure and patient location. You can only treat patients physically located in states where you are licensed. The patient agrees to tell you where they are at each visit, and to reschedule or convert to in-person if they have traveled outside a licensed state.
  • Signature, date, and the patient's printed name. Plus a witness or representative signature if the patient is a minor or has a legal guardian.

That's the whole list. One page, plain language, the patient signs once, and you have a real consent. Anything else you add is either a state-specific requirement or your own practice's policy choices. Do not pad the form with legalese. Long forms get skimmed, and a skimmed consent is barely better than no consent.

The Common Omissions That Get Practices in Trouble

The forms we see in audits and board reviews fail in the same handful of places. None of these are obscure. All of them are easy to fix in a single afternoon.

  • No mention of patient location. This is the single biggest gap. If a patient sits in a state you are not licensed in, you have practiced medicine across state lines, and the consent does not save you. The consent should explicitly say that the patient agrees to disclose location at each visit and that you reserve the right to reschedule if they are out of state.
  • No emergency protocol. "Call 911 in an emergency" is the minimum. Better forms also state that the provider will document the patient's location at the start of session for exactly this reason.
  • Recording silence. Patients increasingly assume sessions are recorded, and a quiet number of patients try to record providers without consent. Say in the form that you do not record sessions, and that the patient agrees not to record without your written permission.
  • No mention of asynchronous channels. If your practice uses SMS, secure messaging, or audio-only check-ins, the consent should name those as separate visit types with their own limits. A consent that only covers video does not cover the text exchange you had last Tuesday.
  • Bundled consent. A telehealth consent buried as paragraph fourteen of an eight-page intake packet is the worst of both worlds. Patients did not see it, did not understand it, and the form has no real defensive value. Make it a separate document, separate signature, separate date.
  • No renewal cadence. Consent is not signed once and forever. Most boards expect re-consent at least annually, or whenever your practice materially changes telehealth services (adds SMS visits, changes platforms, adds a new state).
  • No minor or guardian language. Pediatric practices, family medicine, and any practice that ever sees patients under eighteen need explicit guardian consent language and a path to document parental presence at the start of pediatric visits.

If your current form is missing more than two of these, treat the rewrite as an urgent administrative task, not a someday-project.

How State Law Changes the Picture

Telehealth consent is governed at the state level, and the rules vary more than most national templates suggest. You cannot rely on a generic form to clear every state where your patients sit. A short tour of the major patterns helps.

States that require written informed consent specifically for telehealth. California, Texas, Colorado, Connecticut, Kentucky, Maine, Maryland, Mississippi, New Hampshire, Oklahoma, and several others spell out a separate telehealth consent in statute or board rule. In these states, an in-person consent does not cover telehealth. The form must be its own document and must be signed before the first virtual visit.

States that allow verbal consent if documented. A meaningful number of states accept verbal consent provided the encounter note shows what was discussed, when, and that the patient agreed. This is convenient for established patients but creates extra documentation work and is harder to defend in a complaint. Even where verbal is allowed, a signed written consent is the stronger choice.

States with extra disclosures for specific specialties. Mental health, substance use treatment, and reproductive health typically have additional consent or disclosure requirements layered on top of general telehealth consent. If you practice in one of these areas, your form needs the general telehealth elements plus the specialty-specific disclosures.

Pediatric and minor consent. States vary on who can consent for a minor, when adolescents can consent for themselves (typically reproductive, mental health, or substance use care), and how guardian presence must be documented for a virtual visit. Build a separate minor-consent form rather than trying to patch one form for everything.

Practical rule of thumb: if you treat patients in more than one state, write a consent that meets the most demanding state's requirements and use it everywhere. It is far cheaper than maintaining a different form per state. Your malpractice carrier and your state medical board are both happy to confirm the specifics for your states in writing. Use them.

A Plain-Language Telehealth Consent Template You Can Adapt

This is a working template, not legal advice. Run it past your malpractice carrier and your state board before deploying. The structure mirrors the nine elements above, in language a patient can actually read.

Telehealth Consent for [Practice Name]

What telehealth is. Telehealth is a medical visit where you and your provider meet using secure video, phone, or text messaging instead of meeting in our office.

Benefits. Telehealth gives you access to care from your home, your work, or anywhere you have a private space and an internet or phone connection. It can save you travel time and make follow-up care easier.

Risks and limits. Technology can fail. A video call may drop, audio may cut out, or image quality may not be good enough to see a finding clearly. Some conditions need an in-person exam, lab work, or imaging that cannot be done virtually. Your provider may decide during the visit that you need to come in or go to an urgent care or ER, and will tell you if that is the case.

Privacy. Your visits use encrypted, HIPAA-grade software. We have a Business Associate Agreement with our telehealth vendor. We do not record your visits. Please join from a private space where others cannot overhear you.

Recording. We do not record video or audio of your visit. You agree not to record the visit without our written permission.

Emergencies. Telehealth is not for emergencies. If you think you are having a medical emergency, hang up and call 911 or go to the nearest emergency room. At the start of each visit, we will ask where you are physically located so we can direct emergency services to you if needed.

Your right to refuse. You can decline a telehealth visit at any time and ask for an in-person appointment instead. You can also end a telehealth visit at any time. Refusing telehealth will not affect your care or your relationship with our practice.

Billing. Telehealth visits are billed the same way as in-person visits in most cases. You may be responsible for a copay, coinsurance, or deductible. If your insurance denies the visit, you will be responsible for the cost.

Where you are. Your provider can only treat you when you are physically located in a state where they are licensed. At the start of every visit, we will ask where you are. If you are out of a licensed state, we will reschedule the visit or convert it to in-person.

Asynchronous visits. If our practice offers text message or secure messaging visits, those are separate from video visits. Text visits are for non-urgent questions only. We respond during business hours. Do not use text for emergencies.

Consent. I have read this form. I have had a chance to ask questions. I understand the benefits, risks, and limits of telehealth. I consent to receive care through telehealth from [Practice Name].

Signatures: Patient printed name, patient signature, date. For minors, add guardian printed name and guardian signature.

That's the entire form. About 400 words, one page printed, signs in two minutes. Re-sign annually or when your services change. Keep the signed copy in the patient chart and provide a copy to the patient on request.

How to Actually Get the Form Signed

The best form in the world is useless if it sits in a drawer. How you collect the signature determines whether the consent holds up in a complaint or audit. A few practical patterns work well for small practices.

  • Send it before the first visit, not during. Email or text a link to the consent form when the patient books their first telehealth visit. Ask them to sign and return it before the visit starts. This avoids the awkward five minutes of the patient reading a legal form on camera while the clock ticks.
  • Use an e-signature tool with a BAA. Free e-signature tools without a BAA are not HIPAA-grade. Use a healthcare e-signature tool, your EHR's intake module, or a HIPAA-grade form builder. The signed PDF should land in the patient chart automatically.
  • Have a paper fallback. Older patients, patients without smartphones, and patients with low digital literacy will need a paper option. Mail it in advance with a stamped return envelope, or have them sign at a one-time in-person intake if your practice supports that.
  • Confirm verbally at the start of the first visit. Even with a signed form on file, take 30 seconds at the start of the first visit to confirm: "Did you have a chance to read the telehealth consent we sent you? Do you have any questions about it?" Note the patient's response in the chart. This is the belt-and-suspenders move that makes complaints go away.
  • Re-sign annually and after major changes. Calendar an annual re-consent task. Also re-consent any time you add a new visit type (SMS, async), change platforms, or change states served.
  • Track signatures in one place. Your front desk needs a single view of which patients have a current signed consent and which do not. An expired consent list is one of the easiest pre-visit checks to automate.

Treat the consent like the safety check it is, not a hoop. When the form is sent in advance, signed with a real e-signature, confirmed at the start of session, and refreshed annually, you have a defensible workflow that takes about five minutes per patient per year.

What the Platform Should Do for You

A telehealth platform cannot write your consent form for you, but it should make the workflow around the consent easy. When you're choosing or auditing a platform, the consent-adjacent capabilities to look for are short and specific.

  • A signed BAA, in 24 hours, no haggling. Without a BAA, you cannot honestly tell a patient their visit is HIPAA-protected. Vendors that drag their feet on a BAA are showing you who they are.
  • Pre-visit intake links. The platform should let you send the consent form (and any other intake) before the visit, with the signed copy attached to the visit record. If you have to email it separately and chase the patient down, you'll skip it on busy days.
  • Visible patient location capture. Either an intake question at the start of every visit asking the patient to confirm their state and city, or a prompt to the provider to ask and document. This single field defends the cross-state licensing line.
  • Multi-channel support, with consent visibility. If your platform supports video, phone dial-in, and SMS, the consent should clearly cover all three and the system should make it easy to see which channels a patient has agreed to.
  • Audit log of who joined what visit and when. Not glamorous, very useful when a board complaint arrives 18 months later asking what happened in a specific visit.
  • No patient account required for the visit itself. Consent is signed once, in the intake flow. The visit itself should be a single-link join with no account or app required, especially for older patients and patients without smartphones. Adding friction at the visit step undoes the work the consent did.

This is exactly how we built SimplyTelehealth. A signed BAA in the first week, intake links you can send before the visit, location capture at the start of every visit, video plus phone dial-in plus SMS visits as first-class channels, full practice branding, no patient downloads or accounts, and flat $29 per month pricing for the whole practice. Get the consent right, pick a platform that respects how it gets used, and the rest of telehealth is easy.