July 13, 2026
11 min read
By Albert Wong, PhD · Clinical Psychologist
You finished a session twenty minutes ago. Your client is doing meaningful work. The therapeutic relationship is strong. But instead of sitting with that, you are staring at a blank note wondering: did I document her location? Was it Colorado or Connecticut this week? And which modifier does Blue Cross want again? Over 60% of psychologists now provide telehealth services, according to the APA. Most of them were never trained in the documentation minefield that comes with it.
Here is the hard truth. Telehealth documentation has to meet every requirement that in-person notes do, and then some. Where was the client sitting? Was your platform actually HIPAA compliant, or just "probably fine"? Did the client sign a telehealth-specific consent, or did you assume the general one covered it? These are not trivial details. They are the details that surface during audits, trigger claim denials, and show up in malpractice depositions. The stakes are real, and pretending otherwise does not make them smaller.
So let us walk through this together. Every telehealth documentation requirement, from federal and state regulations to the exact elements that belong in every progress note. Whether you are just starting with virtual sessions or you have been doing this for years and quietly hoping your notes are good enough, this guide will help you close the gaps and sleep a little better.
Nobody went to grad school dreaming about regulatory patchwork. But here you are. Telehealth rules live at both the federal and state level, and the two layers do not always agree. At the federal level, HIPAA sets the floor: your telehealth platform must use end-to-end encryption, enforce access controls, and have a signed Business Associate Agreement (BAA). That part is relatively straightforward. The next part is not.
State-level requirements are where things get messy. Every state writes its own telehealth rules covering licensure, informed consent, prescribing, and documentation standards. And here is the part that catches people: the state that governs your session is determined by where your client is sitting, not where your office is. Your client on vacation in Arizona? You are now subject to Arizona's rules. That is how it works, whether you knew it or not.
HIPAA Privacy and Security Rules
Every telehealth platform must use encryption, secure data storage, and access controls. FaceTime, standard Zoom, Google Meet out of the box — none of them are HIPAA compliant without specific configurations or signed BAAs. "But everyone uses it" is not a defense.
42 CFR Part 2 (Substance Use Disorder Records)
Working with clients who have substance use disorders? An extra layer of federal confidentiality protection applies to those telehealth records. These restrictions go beyond standard HIPAA requirements and limit how information can be shared or disclosed.
Ryan Haight Act
Primarily relevant to prescribers, but worth knowing. This act governs when controlled substances can be prescribed via telehealth. The pandemic-era flexibilities around in-person evaluation requirements have been extended, but they could change again. Stay current.
Medicare and Medicaid Telehealth Policies
Medicare and Medicaid each have their own telehealth coverage rules around eligible services, originating sites, and documentation. These policies shift regularly. What was true six months ago may not be true today. Check before you bill.
Almost every state requires a separate informed consent specifically for telehealth, above and beyond your standard treatment consent. This must be in the client's record before you start delivering services remotely. Many states demand written consent. Some will accept verbal consent if you document it clearly in the clinical record. "Clearly" is doing a lot of work in that sentence. Be specific.
Think of telehealth consent as an ongoing conversation, not a one-time checkbox you click and forget. Technology changes. Regulations shift. Your practice evolves. Revisiting consent with your clients is not just a compliance exercise. It is an act of respect for the relationship.
You already know how to write a progress note. You have done it thousands of times. But telehealth adds a second layer of required data points that most clinicians were never taught. Miss any of them and you have a compliance gap waiting to surface in an audit, an insurance review, or — worst case — a legal proceeding.
Client Location (State) at Time of Service
Write down the city and state where your client is physically sitting during the session. Not where they usually are. Where they are right now. This determines which state's laws govern the encounter and whether your license covers you. Ask every single session. Yes, even your Tuesday regulars. People travel. People move. People forget to tell you.
Provider Location
Document where you are too. Some states and insurers require it, and it matters for determining which regulations apply. Are you in your licensed office? Your home office? A hotel room at a conference? Note it. If your location changes, your compliance obligations might change with it.
Platform Used and Its HIPAA Compliance
Name the platform. "Video call" is not good enough. Write "HIPAA-compliant Zoom for Healthcare with signed BAA" or "Doxy.me with end-to-end encryption." Be specific. This is how you demonstrate that you did your homework on telehealth compliance and chose a platform that actually protects your clients.
Informed Consent for Telehealth
Reference your client's telehealth-specific consent and include the date it was signed or verbally obtained. If you updated consent during the session — say you switched platforms or discussed a new privacy consideration — document exactly what changed and that the client acknowledged it.
Technology Issues Encountered During Session
The screen froze. The audio cut out for two minutes. You reconnected and kept going. But did you write it down? Document every disruption: what happened, how long it lasted, how you handled it ("Reconnected after 3-minute interruption; session extended by 5 minutes"), and whether it affected the clinical quality of the encounter.
Verification of Client Identity
Note how you confirmed your client's identity at the start of the session. For someone you have been seeing for months, visual confirmation via video is typically sufficient. For a new client you have never met in person, you may need to verify a photo ID on camera. Document the method you used.
Emergency Contact and Local Resources
This one keeps therapists up at night, and it should. If your client is in crisis during a telehealth session and you do not know where they are or what local resources exist there, you cannot help them in the way they need. Confirm their emergency contact and local crisis resources — hospital, crisis line — for wherever they are right now. Not where they were last week.
A strong telehealth consent form is not just a legal shield. It is a conversation starter. It tells your client: I take this seriously enough to be transparent about how it works, what could go wrong, and what we will do about it. Make it a standalone document, separate from your general treatment consent. Give it the weight it deserves.
Description of telehealth services
Tell them what telehealth actually means in your practice. Video? Phone? Secure messaging? How is it different from sitting across from you in a room? Use plain language, not jargon.
Benefits and risks of telehealth
Be honest about both sides. The convenience is real. So are the risks: technology failures, losing nonverbal cues to a pixelated screen, and the fact that someone might overhear the session from their client's end.
Privacy and confidentiality safeguards
Explain the encryption and security features of your platform. Mention your BAA. Then tell them what they can do on their end — find a private room, use headphones, close the door. Privacy is a shared responsibility.
Technology requirements and backup plan
What device do they need? What internet speed? And when the connection inevitably drops, what happens next? Spell it out: "If video fails, I will call your phone number on file within 5 minutes." Remove the ambiguity before it becomes anxiety.
Emergency procedures
What happens if there is a clinical emergency and your client is 500 miles away? Outline how local crisis resources will be contacted. Your client needs to know the plan exists before they need it.
Client rights
They can change their mind. Anytime. Include their right to withdraw telehealth consent and request in-person sessions instead. If you use any recording features, include their right to refuse. Autonomy is not optional.
Fees and insurance coverage
Be upfront about money. Are telehealth sessions billed at the same rate as in-person? Are there differences in insurance coverage they should know about? Surprises on a bill erode trust faster than almost anything else.
"I understand that telehealth means receiving mental health services through live audio, video, or other electronic communication. I understand there are risks, including the possibility that technology may fail during a session, that my personal information could be disrupted or distorted by technical problems, and that my therapist may not be able to provide the same quality of care remotely as in person. I know I can withdraw my consent to telehealth at any time without losing my right to future care. I have been told which telehealth platform is being used, how it protects my information, and what I should do to ensure privacy on my end during sessions. I confirm that I will be located in a state where my therapist is licensed at the time of each session and will let my therapist know if my location changes."
Most of what you already document stays the same. Presenting problem. Observations. Interventions. Response. Plan. That does not change just because there is a screen between you. But telehealth adds requirements on top of all that, and the differences matter more than they might seem at first glance.
| Documentation Element | In-Person | Telehealth |
|---|---|---|
Client Location | Implied — your office address | Must document city and state every session |
Provider Location | Implied — your office address | Must document; you might not be at your office |
Service Delivery Method | Rarely noted | Must specify: video, phone, or hybrid |
Technology Platform | N/A | Name the platform and confirm HIPAA compliance |
Informed Consent | General treatment consent | Separate telehealth-specific consent required |
Technical Disruptions | N/A | Document any connectivity, audio, or video issues |
Identity Verification | You see them walk in | Document how you verified identity on screen |
Emergency Resources | Local to your office area | Must match client's current physical location |
Environment Assessment | You observe it in your office | Note client's apparent privacy and setting appropriateness |
Billing Codes | Standard CPT codes, POS 11 | May require modifier 95 or GT; POS 10 (telehealth in home) |
Let us talk about money, because this is where mistakes get expensive. Telehealth billing demands the right modifier codes, the right place of service codes, and attention to each payer's specific rules. Get any of it wrong and you face claim denials, delayed reimbursement, or — in the worst case — allegations of fraud. None of these are abstract risks. They happen to real therapists every week.
POS 10 — Telehealth Provided in Patient's Home
Your client is on their couch, in their bedroom, at their kitchen table. They are home. This is the POS code you will use most often for outpatient telehealth therapy.
POS 02 — Telehealth Provided Other Than in Patient's Home
Your client is at work, at school, in a parked car in a parking lot. Anywhere that is not their home. This is the code for that.
POS 11 — Office (In-Person)
This is for in-person sessions at your physical office. Do not use it for telehealth. This single mistake is one of the most common billing errors in virtual care.
On top of the right POS code, most payers want a specific modifier appended to your CPT code that signals "this was telehealth." Here is what you need to know.
| Modifier | Description | When to Use |
|---|---|---|
95 | Live audio/video telehealth — synchronous, real-time | Most commercial payers; the default for live video sessions |
GT | Interactive audio and video telecommunications | Some Medicaid plans and legacy payer systems — always verify |
FQ | Audio-only telehealth service | Phone-only sessions where permitted by payer and state law |
93 | Synchronous telephone or audio-only service | Some Medicare and commercial plans for audio-only encounters |
Good clinicians make these mistakes. Experienced ones. The kind who care deeply about their work. It happens because telehealth documentation requires a different muscle than in-person notes, and most of us are still building it. Here are the errors that show up most often.
Failing to Document Client Location
The number one mistake. The one that shows up in almost every audit finding. Client location determines which laws apply and whether you are even licensed to treat them. Write down the city and state at every session, not just intake. A client who quietly moved to a new state three months ago is a licensure problem you did not see coming.
Missing or Incomplete Telehealth Consent
Your general consent form does not cover telehealth. It just does not. Telehealth consent needs to address technology risks, privacy limitations in the client's environment, emergency procedures when you are not in the same zip code, and their right to choose in-person care instead. Review it annually. Re-sign when things change.
Not Documenting Technology Issues
The video freezes. You reconnect. You keep going. You never write it down. This is more common than anyone admits, and it is a problem. Technology disruptions affect clinical quality, session duration, and they become relevant in audits and malpractice reviews. Write down what happened, how long it lasted, and what you did about it.
Using Non-Compliant Platforms Without Documentation
Your usual platform crashes five minutes before a session. You switch to something else to avoid canceling. It happens. But if that backup platform is not fully HIPAA compliant, you need to document why you used it, what platform you switched to, and that the client verbally consented to proceed with reduced privacy protections. This should be rare, not routine.
Incorrect Billing Codes or Modifiers
POS 11 instead of POS 10. Missing the modifier 95. These are small errors that lead to claim denials or, in the worst case, allegations of fraudulent billing. Match your codes to how the service was actually delivered. Every time. No shortcuts.
Neglecting to Update Emergency Plans
Your office emergency plan means nothing when your client is 200 miles away. If they are in crisis and you do not know their current address or the nearest ER, you cannot help them fast enough. This is not hypothetical. Confirm their location and local emergency resources at every session. The time you need this information is the time you cannot afford to be searching for it.
"I remember thinking telehealth would simplify everything. No commute, no waiting room, just me and my clients. Nobody told me about the documentation. I had to teach myself an entirely new compliance layer — client locations, platform verification, telehealth consent separate from my general consent. My advice? Treat telehealth documentation as harder than in-person, not easier. Because it is."– Licensed clinical social worker, telehealth practice
You became a therapist to help people, not to spend your evenings deciphering modifier codes. The documentation burden of telehealth is real, and it sits on top of everything else you already carry. Practice Harbor was built to take that weight off your shoulders by weaving telehealth-specific documentation into the natural flow of your session.
Built-In HIPAA-Compliant Video
Run your telehealth sessions right inside Practice Harbor. No juggling third-party platforms, no hunting down BAAs, no wondering whether your video tool is actually compliant. One platform, end-to-end encrypted, with a signed BAA already in place.
AI-Powered Session Notes
With client consent, our AI listens to your session and drafts a progress note while you focus on what matters — being present with your client. You review it, adjust what needs adjusting, and finalize in minutes. Not 30 minutes. Not an hour. Minutes.
Documentation That Fits Your Workflow
Whether you prefer SOAP, DAP, BIRP, or another format, your notes are structured the way you need them. The AI drafts follow your preferred template, so you are not reformatting every note to match your clinical style.
Telehealth is not going anywhere. Neither are the documentation requirements. If anything, they are getting tighter and the enforcement is getting more serious. The therapists who will be fine are the ones who stop treating telehealth documentation as an afterthought and start treating it as a core clinical skill. Location. Platform. Consent. Disruptions. Billing codes. Every session. No exceptions.
Here is the good news. Once you build these habits, they become automatic. The key is having something — a checklist, a template, a platform like Practice Harbor — that prompts you for the right information at the right moment so you never have to rely on memory alone. The goal is not perfection. The goal is a consistent, reliable process that protects your clients, your license, and the practice you have worked so hard to build.
Start today. Pull up your last five telehealth notes and check them against this guide. Look for the gaps. Update your consent forms. Double-check your billing codes. Build a process for capturing location and technology details at every session. It will take an afternoon. It will save you from something much worse later. Your future self will be grateful you did this now.
Practice Harbor handles the HIPAA-compliant video and the AI-powered documentation — so you can be fully present with your clients instead of mentally drafting notes during session. Audio is deleted after processing. No data is used for AI training. One platform, one BAA, one less thing to worry about.
Categories: Telehealth, Compliance, Documentation
Back to Blog