Back to blog

How to Document Telehealth Sessions: HIPAA Requirements + Best Practices

How to Document Telehealth Sessions: HIPAA Requirements + Best Practices

5

Min read

Documenting a telehealth session means meeting the same clinical standards as an in-person note, plus a handful of telehealth-specific elements that protect both your compliance and your reimbursement.

With behavioral health telehealth now a permanent fixture of practice, knowing exactly what to record and which HIPAA rules apply is no longer optional.

This guide covers the documentation requirements, the current HIPAA landscape, and the practices that keep your virtual records audit-ready.


Key Takeaways

  • A telehealth note must capture everything an in-person note does, plus the modality used, the client's physical location, verification of identity, and confirmation of consent to telehealth.

  • The COVID-era HIPAA enforcement flexibility ended in August 2023, so every telehealth session now requires a HIPAA-compliant platform backed by a signed Business Associate Agreement.

  • Behavioral health telehealth flexibilities, including delivering care to a client's home without geographic restrictions, are now permanent under federal policy, but state privacy laws can be stricter than HIPAA and must also be met.


Why Telehealth Documentation Has Its Own Rules

A telehealth note carries the same clinical weight as an in-person note. It still has to document presentation, interventions, progress, risk, and plan. What's added is a layer of information specific to delivering care remotely, because the setting itself creates compliance and billing requirements that a face-to-face visit doesn't.

Payers want to confirm the service was genuinely a telehealth encounter, which means your note needs to establish the modality and the location of both you and the client.

Regulators want assurance that you protected the client's information across a remote connection. And from a clinical risk standpoint, knowing where your client physically is during a session matters enormously if a safety concern arises mid-session. These added elements are why telehealth documentation deserves its own checklist rather than being treated as an ordinary note with a video footnote.

The good news is that the clinical core doesn't change. The same progress note structure you use in person carries over, and you're simply layering the telehealth-specific elements on top. Before getting to those elements, it's worth grounding the discussion in the current HIPAA reality.


The Current HIPAA Landscape for Telehealth

During the COVID-19 public health emergency, the Office for Civil Rights exercised enforcement discretion that let clinicians use everyday consumer tools for telehealth without penalty. That discretion ended permanently on August 9, 2023. Today there are no pandemic exceptions, and every covered provider delivering remote care operates under the full Privacy, Security, and Breach Notification Rules.

In practical terms, that means three things. You must use a HIPAA-compliant platform built for healthcare, not a personal video tool.

You must have a signed Business Associate Agreement with the platform vendor, because the technology handling your clients' information is your business associate under HIPAA. And conducting a session on a platform without a BAA is a violation even if the platform is technically secure, which rules out personal Zoom, standard FaceTime, personal Gmail, and similar consumer apps for clinical care.

CMS doesn't publish an approved-platform list, so the standard is functional: the tool must support secure, real-time communication and be covered by a BAA. Choosing the right tool is foundational, and comparing HIPAA-compliant telehealth platforms against your practice's needs is worth doing carefully, as is vetting the broader set of teletherapy platforms for clinical fit. With the platform settled, the documentation itself comes into focus.


What to Include in Every Telehealth Note

Beyond your standard clinical content, a defensible telehealth note captures a specific set of telehealth elements.

  • The modality, specifying whether the session was synchronous audio-video or audio-only.

  • The client's physical location during the session, including at minimum the city and state, since this affects both licensure and emergency response.

  • Your location as the provider.

  • Verification of the client's identity at the start of the session.

  • Confirmation that consent to telehealth was obtained and is on file.

  • Any technology issues that affected the session, such as dropped connections or a switch from video to audio-only.

  • A safety plan reference, including how you would reach emergency services at the client's location if needed.

These elements turn a generic note into one that withstands a payer audit and documents that you managed the unique risks of remote care. Documenting the consent piece is easier when you have a standardized form, and a telehealth consent form template ensures the consent your note references actually exists in the record. With the content defined, a few practices make telehealth documentation reliable rather than ad hoc.


Best Practices for Telehealth Documentation

Strong telehealth documentation is mostly about consistency, since the telehealth-specific elements are easy to forget when you're focused on the clinical work.

First, verify identity and location at the top of every session and document it immediately. Asking your client to confirm where they are physically located isn't a formality; it determines which state's laws apply and where help would come from in a crisis. Second, build the telehealth elements into your note template so they're prompted every time rather than reconstructed from memory. Third, document any consent conversations and keep the signed consent accessible, because telehealth consent is something payers and regulators look for specifically.

It also helps to think through how confidentiality plays out differently over video. A client may not be alone, the connection may be observed, and the limits of confidentiality take on new dimensions when you can't control the physical environment on the other end. Noting that you confirmed the client was in a private space is a small habit that protects everyone. Where the documentation itself lives matters too, and using HIPAA-compliant notes tools keeps the record secure from creation to storage.


Telehealth Billing and Documentation Work Together

Your telehealth note doesn't just satisfy clinical and compliance standards; it supports your claim. The CPT code itself doesn't change when you go virtual. A 45-minute video session is still 90834. What changes is the modifier and place of service.

Most payers expect modifier 95 for synchronous audio-video telehealth, and place of service tells the payer where the client was: POS 10 for the client's home, which reimburses at the higher non-facility rate, and POS 02 for other telehealth sites. Your note needs to support those billing choices by documenting the modality and the client's location, which is exactly why the telehealth elements above double as billing documentation. When your note and your claim tell the same story, denials drop. For practices managing this at scale, a reliable EHR system that handles telehealth coding cleanly removes a lot of friction.

One current note worth tracking: federal policy has made behavioral health telehealth flexibilities permanent, including delivering care to a client's home without geographic restrictions and allowing audio-only sessions for mental health. Even so, state privacy and licensure laws can be stricter than federal HIPAA requirements, and when you treat clients across state lines you have to meet the rules of the state where the client is physically located. That's one more reason documenting location precisely is not just a billing detail.


How Berries AI Supports Compliant Telehealth Documentation

Telehealth adds documentation requirements at exactly the moment you're juggling a screen, a connection, and a clinical conversation, which is where an AI scribe built for this work earns its keep.

Berries is a HIPAA-compliant AI scribe designed specifically for mental health professionals, with telehealth in mind from the start. It captures your virtual session and generates a structured clinical note in your preferred format within seconds, so the clinical content is handled while you stay present with your client. Built for both in-person and telehealth sessions, it integrates with any EMR and maintains strict HIPAA and PHIPA compliance, with data encryption and secure processing throughout. Berries also provides ready-to-use client consent forms, which helps close the telehealth consent loop your notes depend on. Your first 20 sessions are free, with no credit card required.


Frequently Asked Questions

What has to be in a telehealth note that an in-person note doesn't need?

The modality (audio-video or audio-only), the client's physical location, your location, verification of the client's identity, confirmation of telehealth consent, and any technology issues that affected the session. These elements support both compliance and billing and aren't part of a standard in-person note.

Can I use Zoom or FaceTime for telehealth sessions?

Not the consumer versions. The COVID-era enforcement flexibility ended in August 2023, so you need a HIPAA-compliant platform with a signed Business Associate Agreement. Personal Zoom, standard FaceTime, and similar consumer tools don't meet that standard, even though healthcare-tier versions of some platforms do.

Why does the client's location matter so much?

It determines which state's laws and licensure rules apply, and it tells you how to reach emergency services if a safety concern arises during the session. Documenting at least the city and state where your client is physically located is both a clinical safety practice and a billing requirement.

Do CPT codes change for telehealth sessions?

No. The code reflects the service and time, so a 45-minute session is 90834 whether in person or virtual. What changes is the modifier (typically 95) and the place of service (POS 10 for the home, POS 02 for other sites), and your documentation should support those choices.

Are telehealth flexibilities for mental health permanent?

Behavioral health telehealth flexibilities, including delivering care to the client's home without geographic restrictions and allowing audio-only sessions, have been made permanent under federal policy. State laws can still be stricter than HIPAA, however, so always confirm the requirements of the state where your client is located.

This article is for educational purposes and professional development only. It does not constitute clinical supervision or replace professional judgment in therapeutic practice. Telehealth regulations and payer rules change frequently; always verify current HIPAA, state licensure, and payer requirements for your jurisdiction.