Telehealth informed consent in California: SB 801, CCR §1815.5, and what each license type needs
Telehealth went from a niche modality to about half of all California therapy sessions in five years. The disclosure requirements went from "general" to "very specific" — and most clinicians using inherited or out-of-state templates are missing pieces they don't know exist.
This post walks through the three regulatory layers that govern telehealth informed consent for California-licensed therapists, the BBS-specific language that applies to MFTs, LCSWs, LPCCs, and LEPs, and the specific content that has to appear before a client's first session.
It's an operational guide, not legal advice. If you're staring at a draft consent and trying to decide whether it's adequate, you'll want a California-practice attorney's eyes on it before you put it in use.
The three layers of requirement (you have to satisfy all of them)
California telehealth informed consent is governed by three stacked layers. Most templates address one or two and quietly miss the third.
Layer 1 — Federal baseline
HIPAA Privacy Rule + cross-state considerations
45 CFR §164.520 · Federal HIPAA Notice of Privacy Practices
HIPAA doesn't have a telehealth-specific informed-consent requirement, but its Notice of Privacy Practices rules apply equally to telehealth as in-person care. The NPP needs to disclose telehealth-related transmission risks and the platforms you use. If you serve clients across state lines, additional federal considerations apply (interstate practice, the absence of HIPAA's "treatment relationship" carveout for some telehealth use cases).
Layer 2 — California general telehealth statute
Business and Professions Code §2290.5
BPC §2290.5 · General California telehealth informed consent
This is the foundational California telehealth statute that applies to all licensed healthcare providers — physicians, psychologists, BBS-licensed clinicians, dentists, etc. It requires verbal informed consent before each telehealth encounter (documented in the medical record) and explicit disclosure of the modality, the limitations, the alternatives, and the patient's right to refuse telehealth and request in-person care.
Most clinicians satisfy BPC §2290.5 with a written informed-consent form signed at intake, plus a verbal confirmation at the start of each session (often a one-liner: "We're meeting by video today; you can switch to in-person anytime. Any questions about that?").
Layer 3 — BBS-specific (applies to MFT/LCSW/LPCC/LEP)
CCR Title 16 §1815.5
CCR Title 16 §1815.5 · BBS-specific telehealth notice for licensed behavioral health clinicians
This is the layer that catches clinicians off guard. The Board of Behavioral Sciences promulgated additional, more specific requirements for the four BBS license types. Inherited templates from psychologists (who report to a different board) or from out-of-state clinicians won't have this layer. SimplePractice's national templates didn't have it for a long time; some still don't.
What §1815.5 adds beyond BPC §2290.5: required content on confirming client identity at the start of each session, required content on the clinician's verification of being in California (the practitioner must be physically located in California while providing telehealth services, with limited exceptions), and required content on protocols for clinical emergencies that arise during a telehealth session.
What the written disclosure must contain
Combining all three layers, your telehealth informed consent document needs to address the following at minimum:
- Nature of telehealth. What it is (real-time video/audio), what platform you use (and that it's HIPAA-compliant — Zoom for Healthcare, Doxy.me, SimplePractice's built-in tool, etc.), how it differs from in-person therapy.
- Verification of clinician location. A statement that you (the clinician) are physically located in California while providing the session, and the address where you typically practice.
- Client identity confirmation protocol. How you'll verify the client's identity at the start of each session (typically: visual confirmation + a confidential phrase or session-opening protocol).
- Limitations of telehealth. Technology can fail. Transmission can be delayed or interrupted. Some clinical situations are not appropriate for telehealth (active crisis, dissociative states, certain trauma work). Some assessments require in-person observation.
- Risks specific to telehealth. Privacy risks (someone in earshot), technology risks (recordings stored on platforms, transcripts if you use any), the fact that telehealth records are subject to the same privacy laws as in-person records (CMIA + HIPAA).
- Alternatives to telehealth. The client's right to in-person sessions, to phone-only sessions, to switch modality at any time, to withdraw consent for telehealth without affecting their right to in-person care.
- Emergency protocols. What you'll do if a clinical emergency arises during a telehealth session — this is the §1815.5-specific requirement. Includes: collecting an emergency contact at intake, collecting the client's current physical location at the start of every session (so you can dispatch local emergency services if needed), knowing the local emergency resources at the client's location, and having a plan for what you'll do if the session is disconnected during a crisis moment.
- Cross-jurisdictional clarification. If you only practice with California-located clients, state that explicitly. If you ever serve clients who travel out of state, state your policies on that (most clinicians don't continue telehealth across state lines; the rules vary by state and most clinicians are only licensed in California).
- Right to withdraw consent. The client can withdraw consent for telehealth at any time without consequence to their right to receive in-person care.
- Signature and date. Both the client's signature and yours, dated. Best practice is to obtain this before the first telehealth session, not after.
License-type variations
The BBS regulates four license types and the telehealth disclosure language varies slightly across them. The variations are in the BBS notice block (required by SB 801 / BPC §§4980.55, 4996.21, 4999.66) and in what scope-of-practice language appears in your consent. The §1815.5 requirements apply equally across all four.
| License | What changes in the consent |
|---|---|
| LMFT | BBS notice block uses "marriage and family therapists" language. Scope-of-practice section references BPC §4980 et seq. |
| LCSW | BBS notice block uses "licensed clinical social workers." Scope of practice references BPC §4996 et seq. |
| LPCC | BBS notice block uses "licensed professional clinical counselors." Scope references BPC §4999 et seq. |
| LEP | BBS notice block uses "licensed educational psychologists." Scope of practice is narrower than the other three (educational and counseling settings, not full clinical scope) — your telehealth consent should reflect that narrower scope. |
If you hold multiple licenses (some clinicians are LMFT + LPCC, for example), the cleanest approach is to use the more restrictive scope language in your consent and explicitly note both licenses in your header.
Three common gotchas
1. The "where are you right now?" question
CCR §1815.5 effectively requires that you ask your client where they're physically located at the start of every telehealth session. This is the emergency-services dispatch requirement — if a client is mid-suicidal-crisis on a video call, you need to know which city's 911 to call.
Most clinicians address this by adding it to the session-opening verbal protocol ("Before we get into anything, where are you joining from today?") and documenting the response in the session note. Some EHRs have a structured field for it.
The gotcha is that the consent document needs to flag this practice so clients aren't surprised by the question every session. A sentence like "I'll ask where you are at the start of every session — this is so I know which local emergency services to contact if a crisis arises" suffices.
2. Clients traveling out of state
A client who's normally in California but travels to Arizona for a week and wants to keep their session — that's a multi-state practice question. California licensing only authorizes you to provide therapy to a client located in California (with limited exceptions for short-term continuity of care). Arizona has its own licensing requirements that you don't satisfy.
Most clinicians' telehealth consent handles this with explicit language: "Telehealth sessions are only available when you are physically located in California. If you travel out of state, we'll need to pause sessions until you return, unless you and I have specifically discussed an arrangement for short-term continuity." Be explicit; the silent version creates risk.
3. The recording question
Most HIPAA-compliant telehealth platforms (Zoom for Healthcare, Doxy.me, SimplePractice) do not record sessions by default. But platforms generate logs, retain metadata, and some have AI-transcription features that can be enabled accidentally. The consent should state your recording policy explicitly — typically "I do not record sessions; the platform I use does not record sessions" — and address what happens if a recording is ever necessary (clinical supervision, court-ordered, etc.).
One additional question that's not in §1815.5 but matters in practice: what happens if you record a session for clinical supervision (with the client's consent)? The recording is itself protected health information under both HIPAA and CMIA §§56–56.36. Your retention, encryption, and destruction policy for that recording is part of your standard of care. Your consent should mention this even if recording is rare.
How to render it (format requirements)
The format requirements that apply to your telehealth consent are mostly inherited from the broader California informed-consent framework:
- BBS notice block at the top. Required per SB 801. Minimum 12-point font. Specific language (see the citations post for the exact wording).
- Body text in readable form. No statutory minimum font size for the body, but 11- or 12-point is the practical standard. Plain language at 8th-grade reading level is the standard of care.
- Signature line at the end. Client signature, date, and your signature/date. Some clinicians also include the client's printed name, address, and emergency contact in the same form; others have those on a separate intake form. Either works.
- Date of last review. Recommended (not required) to include a footer with "Last reviewed: [date]" so future-you knows when to revisit it. California passes telehealth-related bills regularly.
What to do with this
Three options:
- Audit your existing telehealth consent against the checklist above. If you find gaps — especially around the §1815.5 items (clinician location, client identity, emergency protocol) — you have a punch list to fix.
- Draft from scratch using the layered requirements. Plan on 10–15 hours: 4–6 for research, 3–5 for drafting, 2–4 for peer review and revision.
- Use a pack with the requirements already addressed. The Practice Launch Pack includes a Telehealth Informed Consent template (separate from the in-person consent) that covers all three layers, with the §1815.5 requirements explicitly noted in the document's grounds-to comments so you know which sections came from where.
The telehealth consent template, ready to customize.
Both in-person and telehealth informed consent documents in the pack. All three regulatory layers addressed. 11 customization points per document.
See the pack