This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

Every telemedicine platform ships a consent screen, and most teams treat it as a checkbox to get past — until a recording surfaces in a lawsuit, a patient demands a copy of their session, or a regulator asks why a 2023 consult is still sitting in a storage bucket nobody owns. This article is for the founder, product manager, or compliance lead who has to decide what the consent flow captures, whether the camera's output becomes part of the medical record, how long every artifact lives, and what happens when a patient asks for a copy or a deletion. Each of those is a product decision with a named rule behind it, and getting one wrong is expensive: wiretap statutes carry criminal penalties, and the HHS Office for Civil Rights (OCR) had brought 53 enforcement actions for right-of-access failures alone by March 2025. You will leave with the four-consent framework, the exact regulatory citations, the retention arithmetic, and a one-page checklist to run against your build.

One word, four legal objects

The word "consent" works like the word "insurance." Car, home, and life insurance share a name, but nobody believes one policy covers all three. Telemedicine teams routinely make exactly that mistake with consent: they capture one signature at signup and assume it covers the visit, the recording, the analytics, and the AI scribe. It covers, at most, one of the four.

Here is the first surprise for most product teams: the Health Insurance Portability and Accountability Act (HIPAA) — the US law protecting health information that can be tied to a person, called protected health information (PHI) — does not require any consent to use PHI for treatment, payment, or running the practice. The Privacy Rule permits those uses outright, and 45 CFR §164.506(b) makes a written consent for them strictly optional. The consents your product must capture come from four other directions, and each is a different document with different rules.

Consent layer: Telehealth informed consent
  What it covers: Agreeing to be treated by video at all — its risks, limits, and alternatives
  Where the rule lives: State telehealth statutes (45 states + DC by 2026 counts); Medicare rules for virtual services
  Typical form: Verbal or written, documented in the record; some states demand written

Consent layer: HIPAA authorization
  What it covers: Any use of PHI beyond treatment, payment, and operations: marketing, sale, research, most model training
  Where the rule lives: 45 CFR §164.508
  Typical form: Written or electronic, six core elements, signed and dated

Consent layer: Recording consent
  What it covers: Capturing the audio/video of the session at all
  Where the rule lives: State wiretap and eavesdropping laws; all-party ("two-party") consent in 11–15 states
  Typical form: Captured before recording starts, from every participant

Consent layer: Specialty consents
  What it covers: Substance-use-disorder records (42 CFR Part 2), psychotherapy notes, minors
  Where the rule lives: 42 CFR Part 2 (2024 final rule, compliance 2026-02-16); 45 CFR §164.508(a)(2); state law
  Typical form: Separate, more specific documents; cannot be bundled freely

The four layers stack. A behavioral-health video visit that is recorded for the chart and summarized by an artificial-intelligence (AI) scribe can require all four at once: the state's telehealth consent, the wiretap-law recording consent from everyone on the call, a HIPAA authorization if the audio also trains a vendor's model, and 42 CFR Part 2 consent if substance-use treatment is involved. Miss any layer and the other three do not save you.

[Image: Diagram of four stacked consent layers in telemedicine: telehealth consent, HIPAA authorization, recording consent, specialty consents]
Figure 1. The consent stack. One signature at signup covers one layer at most — each layer has its own rule, form, and revocation path.

Consent to the telehealth visit itself

The first layer is the patient agreeing to receive care through a screen. This is the "informed consent" most state telehealth laws mean: before or at the start of the first virtual encounter, the provider explains what telemedicine is, what it cannot do (no hands-on examination, dependence on connectivity), what the alternatives are (in-person care), how emergencies are handled, and that the patient may withdraw at any time. By 2026 counts, 45 states plus the District of Columbia require some version of this for telehealth, and the Center for Connected Health Policy (CCHP) maintains the authoritative state-by-state tracker.

The variation between states is exactly the kind that breaks hard-coded product flows. Arizona, California, Colorado, and Maryland accept verbal consent as long as it is documented in the medical record. Delaware demands written consent for most professions. Idaho requires a periodic "special informed consent" that names security measures and the risk of data loss. A handful of states — Florida, Georgia, Hawaii among them — impose no telehealth-specific consent at all, though ordinary medical-consent law still applies. States also disagree on renewal: some accept one consent per provider relationship, others expect it per episode of care or whenever the modality changes.

Medicare adds a federal layer for specific virtual services. For communication-technology-based services such as virtual check-ins and e-visits, the Centers for Medicare & Medicaid Services (CMS) requires beneficiary consent, which may be verbal, may be captured by ancillary staff under supervision, and may be obtained once annually rather than per interaction (CMS Telehealth FAQ, updated February 2026). State Medicaid programs each set their own consent rules — CCHP tracks those too.

The product translation: consent is jurisdictional and time-stamped, so capture it that way. The governing state is generally where the patient is located during the visit — not their signup address, and not your company's state. A snowbird who signed up in New York and takes a January call from Florida changed your consent obligations without telling you. The consent flow should therefore confirm the patient's current location at the start of each visit (a one-tap prompt, validated against rough geolocation), select the consent text version for that jurisdiction, and store which version was shown. We cover who may consent — adults, minors, caregivers, legal representatives — in roles, identity, and consent in telemedicine.

The HIPAA authorization: when "more than treatment" needs a signature

The second layer is HIPAA's own consent document, called an authorization. Remember the baseline: treatment, payment, and health-care operations (TPO) need no patient permission under HIPAA. The authorization exists for everything else. The general rule at 45 CFR §164.508(a)(1) is blunt: outside the permitted categories, a covered entity may not use or disclose PHI without a valid authorization, and the use must match what the authorization says.

For a telemedicine product, the authorization question almost always arrives through the recording. Recording a consult for clinical use — the treating clinician reviewing it, the chart holding it — sits inside TPO; HIPAA itself demands no authorization (state recording law still applies, next section). But the moment the recording serves another master, §164.508 wakes up. Using session footage in marketing requires an authorization, full stop (§164.508(a)(3)). Selling recordings or transcripts — and the rule's definition of "sale" reaches most arrangements where you receive remuneration for PHI — requires an authorization that says remuneration is involved (§164.508(a)(4)). Letting an AI vendor train its general models on your patients' sessions is not treatment and is not your operations; without de-identification it needs an authorization too. The de-identification alternative — stripping data until it is no longer PHI — has its own article: de-identification and analytics on health data.

A valid authorization is a specific document, and §164.508(c) lists its anatomy. Six core elements: a meaningful description of what information will be used; who may disclose it; who receives it; each purpose; an expiration date or event; and the individual's signature with date. Three required statements: the right to revoke in writing and how; whether treatment can be conditioned on signing (almost always it cannot — §164.508(b)(4) forbids it, with narrow exceptions); and the warning that disclosed information may be redisclosed and lose HIPAA protection. Plus two duties teams forget: the document must be in plain language, and the patient must receive a copy (§164.508(c)(3)–(4)). An authorization missing any element is legally void (§164.508(b)(2)) — a checkbox reading "I agree to the use of my data" satisfies none of the six.

Two engineering consequences follow. First, authorizations are scoped objects with lifecycles, not booleans: your data model needs the scope, the expiration, the version of the text signed, and a revocation state — because patients may revoke at any time in writing, and revocation stops future use but not actions already taken in reliance (§164.508(b)(5)). Second, signed authorizations are compliance documentation you must keep for six years (§164.508(b)(6), pointing to §164.530(j)) — they have their own retention clock, separate from the medical record's.
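
The data model those two consequences imply, as an added example that is not code from the article or from any vendor. It models an authorization as a scoped object with a lifecycle: the six core elements of §164.508(c)(1) become fields, a document missing any of them is void, a revocation stops future uses from its date onward, and a logged disclosure is judged by the authorization as it stood on the day it was made. The class and function names, the sample patient and recipient, and the version ids are assumptions for illustration.

```python
# Added example (not the article's or any vendor's code): a HIPAA authorization
# modelled as a scoped object with a lifecycle. Field names, helper names and the
# sample data are assumptions for illustration; the element list follows
# 45 CFR 164.508(c)(1) as the text describes it.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Authorization:
    """One signed authorization: scope, expiry, text version and revocation state."""
    patient_ref: str
    information: str             # (c)(1)(i)  meaningful description of the PHI
    disclosing_party: str        # (c)(1)(ii) who may disclose
    recipient: str               # (c)(1)(iii) who receives
    purposes: frozenset[str]     # (c)(1)(iv) each purpose
    expires: date | None         # (c)(1)(v)  expiration date...
    expiry_event: str | None     # ...or the event that ends it
    signed_on: date | None       # (c)(1)(vi) signature and date
    text_version: str            # exact wording shown (version id or content hash)
    revoked_on: date | None = None

    def missing_elements(self) -> list[str]:
        """Core elements that are absent; any one of them voids the document, (b)(2)."""
        missing = []
        if not self.information.strip():
            missing.append("description of information")
        if not self.disclosing_party.strip():
            missing.append("disclosing party")
        if not self.recipient.strip():
            missing.append("recipient")
        if not self.purposes:
            missing.append("purpose")
        if self.expires is None and self.expiry_event is None:
            missing.append("expiration date or event")
        if self.signed_on is None:
            missing.append("signature and date")
        return missing

    def permits(self, purpose: str, recipient: str, on: date) -> bool:
        """May PHI go to `recipient` for `purpose` on day `on` under this document?"""
        if self.missing_elements():
            return False                  # defective authorization
        if self.revoked_on is not None and on >= self.revoked_on:
            return False                  # revocation stops future uses, (b)(5)
        if self.expires is not None and on > self.expires:
            return False
        return purpose in self.purposes and recipient == self.recipient

    def revoke(self, on: date) -> None:
        """Revocation must be in writing; the caller has verified that before calling."""
        self.revoked_on = on


@dataclass(frozen=True)
class Disclosure:
    """A logged use or disclosure made in reliance on an authorization."""
    purpose: str
    recipient: str
    made_on: date


def disclosure_was_lawful(auth: Authorization, d: Disclosure) -> bool:
    """Judge a logged disclosure by the authorization as it stood on the day it was
    made: a later revocation does not reach back to actions already taken, (b)(5)."""
    return auth.permits(d.purpose, d.recipient, d.made_on)


def demo() -> dict[str, bool]:
    """Constructed sample: a marketing authorization, then its revocation."""
    auth = Authorization(
        patient_ref="pt_88421",
        information="video recording of session ses_9120",
        disclosing_party="Example Telehealth Clinic",
        recipient="Example Marketing Agency",
        purposes=frozenset({"marketing"}),
        expires=date(2027, 6, 11),
        expiry_event=None,
        signed_on=date(2026, 6, 11),
        text_version="auth-marketing-v1.0",
    )
    used_before = Disclosure("marketing", "Example Marketing Agency", date(2026, 7, 15))
    auth.revoke(date(2026, 8, 1))
    used_after = Disclosure("marketing", "Example Marketing Agency", date(2026, 8, 15))
    # The checkbox "I agree to the use of my data" names no recipient or purpose.
    checkbox = Authorization("pt_88421", "my data", "", "", frozenset(), None, None,
                             date(2026, 6, 11), "generic-checkbox")
    return {
        "before_revocation_lawful": disclosure_was_lawful(auth, used_before),
        "after_revocation_lawful": disclosure_was_lawful(auth, used_after),
        "checkbox_is_valid": not checkbox.missing_elements(),
    }
```

The point of `disclosure_was_lawful` taking the disclosure's own date is that the audit question "was this export allowed?" must be answered against the authorization's state at that moment, which is why the revocation date is stored rather than the object being deleted or flipped to false.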

One more trap hides in behavioral health. Psychotherapy notes — defined in 45 CFR §164.501 as notes recorded in any medium by a mental-health professional documenting or analyzing a counseling conversation, kept separate from the rest of the record — enjoy HIPAA's strongest protection: nearly every disclosure requires an authorization that cannot be combined with other authorizations (§164.508(a)(2), (b)(3)(ii)). Whether a raw session recording stored separately could qualify as a psychotherapy note is an open question — the definition's "any medium" language invites the argument. Do not architect around a guess; put the question to counsel before you build recording for therapy sessions, and read the mental-health playbook for the product side.

The wiretap layer: who must say yes before you press record

The third layer has nothing to do with HIPAA. Every US state has a wiretap or eavesdropping statute governing who may record a conversation, and these laws carry criminal penalties. Most states are "one-party consent": any participant in the conversation may consent to its recording, so a provider recording their own consult is covered. But a substantial minority — commonly counted between 11 and 15 states depending on edge cases — require all-party consent (often called "two-party consent"): everyone on the call must agree before recording starts. California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington appear on essentially every list; Connecticut, Delaware, Oregon, and Vermont are qualified cases that counsel should classify for you.

Telemedicine makes this worse than it sounds, because a video consult routinely crosses state lines, and the call is governed by the laws on both ends. The safe and standard engineering posture: treat every multi-state call as all-party consent. Concretely, the platform asks every participant — patient, provider, interpreter, caregiver — before the first frame is captured, and refuses to record until everyone has agreed.

The 2025–2026 ambient-AI wave turned this from a compliance footnote into live litigation. An AI scribe that listens to the visit and drafts the note is recording in the eyes of a wiretap statute, even if no video file is ever shown to a human. In November 2025, a proposed class action was filed against a major health system alleging that its vendor's ambient documentation tool recorded encounters without consent, in violation of California's all-party wiretap law (CIPA) and its medical-confidentiality statute — and that the AI-generated notes contained boilerplate language asserting the patient had consented when no consent had occurred. New York enacted a 2025 requirement that patients be notified before an AI tool materially assists in creating their medical record — notice after the note is drafted is too late. Washington's My Health My Data Act adds a separate consent for collecting "consumer health data," which state guidance reads to include ambient audio — a second yes on top of the wiretap yes. The clinical-AI side of this is covered in the AI scribe article; the rule of this section is simpler: an AI that hears the visit needs the same consent a camera does, captured before it starts listening.

The classic mistake: the fabricated consent trail. The most damaging allegation in the 2025 ambient-AI class action was not the recording itself — it was that the documentation said "patient was advised of and consented to recording" as template boilerplate, regardless of whether anyone had asked. A consent assertion your system auto-inserts is worse than no assertion: it is evidence that your consent records cannot be trusted. The consent record must be an event — who was asked, what text version they saw, what they answered, when, on which device — written by the consent flow itself, never by a documentation template. If the event does not exist, the answer to "did the patient consent?" is no, and the product must behave accordingly: no event, no recording.

[Image: Decision flow for recording a telemedicine session: purpose check, participant states, all-party consent capture, AI scribe notification]
Figure 2. The recording decision, as the product should enforce it. The recording service checks for a complete set of consent events — one per participant — before the first frame is captured; non-TPO purposes additionally require a HIPAA authorization.

The consent-capture UX that holds up

A consent that cannot be proven later might as well not exist. US law has accepted electronic signatures since the ESIGN Act of 2000 (15 U.S.C. §7001) and the state-level UETA — a tapped checkbox or typed name is legally a signature. What separates a consent that survives a deposition from one that collapses is not the ink; it is the record behind it. The consent event your platform stores should answer six questions: who consented (the authenticated identity, with the verification method), to what (the exact text version, by content hash or version ID), in which role (patient, caregiver, personal representative — with their authority noted, as §164.508(c)(1)(vi) requires for representatives), when (timestamp, and the patient's stated location for jurisdiction), how (tap, voice — keep the audio clip of a verbal consent), and until when (the expiration or triggering event, for authorizations).

{
  "event_type": "consent.granted",
  "timestamp": "2026-06-11T15:04:22Z",
  "subject": { "patient_ref": "pt_88421", "stated_location": "US-WA" },
  "actor": { "user_id": "u_88421", "role": "patient", "auth_method": "portal+otp" },
  "consent": {
    "kind": "recording_all_party",
    "scope": "session ses_9120 audio+video, clinical use only",
    "text_version": "rec-consent-v3.2-wa",
    "method": "in_call_prompt_tap",
    "expires": "end_of_session"
  },
  "outcome": "granted"
}

Around that event, five UX rules keep the layers honest. Show a persistent recording indicator to every participant whenever capture is active, and announce starts out loud — surprise is the enemy in both wiretap law and patient trust. Make consent participant-complete: when an interpreter or family member joins mid-call while recording runs, the platform pauses or prompts them — their wiretap rights are not covered by the patient's tap. Trigger re-consent on material change: a new patient location, a new purpose (the marketing team wants the testimonial), a new listening tool, or a minor reaching majority. Make revocation as easy as the grant — a portal control, not a certified letter — and wire it to actually stop the machinery: future recordings blocked, pending non-TPO uses cancelled, the revocation event logged. And write every consent, prompt, refusal, and revocation into the audit trail, because the consent record is exactly the kind of evidence the audit-logging article teaches you to make immutable.
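
The recording gate those rules describe, as an added example that is not code from the article or from any vendor. It ties together the earlier points: the consent text version is selected from the participant's stated location at the start of the call, the consent record is an event written only by the consent flow, the recorder refuses to start until the required participants have each granted, a call that crosses state lines or touches an all-party state is treated as all-party, a non-TPO purpose is blocked unless a HIPAA authorization backs it, and a mid-call joiner pauses capture until they answer. The all-party set is the list the text says appears on essentially every survey and stands in for the counsel-classified list; the state codes, version ids, purposes and session data are constructed for the example.

```python
# Added example (not the article's or any vendor's code): the recording gate as
# the text describes it. Consent is an event emitted by the consent flow, keyed
# to a participant and a session; the recorder refuses to start until the
# required set of events exists. ALL_PARTY_STATES is the article's survey list
# standing in for the counsel-classified list; text-version ids, purposes and
# session data are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

ALL_PARTY_STATES = {"CA", "FL", "IL", "MD", "MA", "MI", "MT", "NV", "NH", "PA", "WA"}
TPO_PURPOSES = {"treatment", "payment", "operations"}
# Jurisdiction-specific wording, chosen by the stated location at the start of the call.
CONSENT_TEXT_VERSION = {"WA": "rec-consent-v3.2-wa", "CA": "rec-consent-v3.2-ca"}
DEFAULT_TEXT_VERSION = "rec-consent-v3.2-generic"


@dataclass(frozen=True)
class ConsentEvent:
    """Written only by the consent flow, never by a note template."""
    participant_id: str
    session_id: str
    text_version: str
    outcome: str          # "granted" or "refused"; a later refusal is a revocation
    at: datetime
    stated_location: str
    method: str = "in_call_prompt_tap"


@dataclass(frozen=True)
class Participant:
    id: str
    role: str             # patient, provider, interpreter, caregiver
    location: str         # state the person is in during the call


@dataclass
class Session:
    id: str
    purpose: str
    participants: list[Participant]
    authorized_purposes: frozenset[str] = frozenset()   # backed by valid HIPAA authorizations
    consents: list[ConsentEvent] = field(default_factory=list)


def record_consent(session: Session, p: Participant, granted: bool,
                   at: datetime | None = None) -> ConsentEvent:
    """The one place a consent assertion is created: who, which text, what answer, when."""
    ev = ConsentEvent(p.id, session.id,
                      CONSENT_TEXT_VERSION.get(p.location, DEFAULT_TEXT_VERSION),
                      "granted" if granted else "refused",
                      at or datetime.now(), p.location)
    session.consents.append(ev)
    return ev


def all_party_required(session: Session) -> bool:
    """All-party if anyone is in an all-party state or the call crosses state lines."""
    locations = {p.location for p in session.participants}
    return bool(locations & ALL_PARTY_STATES) or len(locations) > 1


def recording_decision(session: Session) -> tuple[bool, str]:
    """May the recorder capture the next frame? Returns (allowed, reason)."""
    if session.purpose not in TPO_PURPOSES and session.purpose not in session.authorized_purposes:
        return False, f"purpose '{session.purpose}' is outside TPO and has no HIPAA authorization"
    latest: dict[str, ConsentEvent] = {}
    for ev in sorted(session.consents, key=lambda e: e.at):
        latest[ev.participant_id] = ev             # the most recent answer wins
    present = {p.id for p in session.participants}
    granted = {pid for pid, ev in latest.items() if ev.outcome == "granted" and pid in present}
    if all_party_required(session):
        missing = sorted(present - granted)
        if missing:
            return False, "all-party consent missing from: " + ", ".join(missing)
        return True, "all-party consent complete"
    if not granted:
        return False, "no consent event exists: no event, no recording"
    return True, "one-party consent from " + ", ".join(sorted(granted))


def on_participant_joined(session: Session, p: Participant, recording_active: bool) -> str:
    """A mid-call joiner is not covered by anyone else's tap: pause until they answer."""
    session.participants.append(p)
    allowed, _ = recording_decision(session)
    if recording_active and not allowed:
        return "pause_and_prompt"
    return "continue" if allowed else "prompt"
```

Nothing in the gate reads free text from the note; the only evidence it accepts is a `ConsentEvent`, so a template sentence claiming consent has no effect on whether a frame is captured.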

For substance-use-disorder programs there is a fourth layer with its own paperwork. Records from federally assisted SUD treatment fall under 42 CFR Part 2, rewritten by the February 2024 final rule with a compliance deadline of February 16, 2026 — meaning it is fully in force as you read this. The 2024 rule allows a single consent to cover all future TPO uses, aligns much of Part 2 with HIPAA, but creates a separate, stricter consent for "SUD counseling notes" and forbids combining consent for legal proceedings with any other consent. If your platform serves addiction medicine, the consent model needs Part 2 objects distinct from HIPAA authorizations — details in state and specialty rules.

Retention: five clocks, one policy

Now the data exists. The next question every team gets wrong: how long must it live? The popular answer — "HIPAA says six years" — is wrong twice over. HIPAA's Privacy Rule sets no retention period for medical records at all; HHS says so in plain words in its FAQ. And the six-year clock that does exist in HIPAA (45 CFR §164.530(j) in the Privacy Rule, §164.316(b)(2)(i) in the Security Rule) covers compliance documentation — policies, risk analyses, signed authorizations, consent records — not the chart and not your recordings.

The clocks that actually govern PHI data retention come from elsewhere, and you are on all of them simultaneously:

Clock: State medical-record law
  What it covers: The medical record, including artifacts that are part of it
  How long: Commonly 5–10 years from last encounter; ~3 years at the short end, 20+ at the long; minors: until majority plus the state's adult period
  Source: Each state's statute / medical board

Clock: CMS conditions of participation
  What it covers: Hospital records (Medicare/Medicaid participation)
  How long: 5 years minimum
  Source: 42 CFR §482.24(b)(1)

Clock: HIPAA documentation rule
  What it covers: Policies, risk analyses, BAAs, signed authorizations, consent events
  How long: 6 years from creation or last effective date
  Source: 45 CFR §164.530(j); §164.316(b)(2)(i)

Clock: 42 CFR Part 2
  What it covers: SUD treatment records and consents
  How long: Part 2 program policies + state law; stricter handling throughout
  Source: 42 CFR Part 2 (2024 final rule)

Clock: Litigation / payer holds
  What it covers: Anything subject to a legal hold or payer audit
  How long: Until released; Medicare managed-care audits reach back 10 years
  Source: Court orders; CMS program rules

The operating rule is the same as everywhere in compliance: the strictest applicable clock wins. A hospital client in Massachusetts puts you on a 20-year hospital clock; a pediatric vertical means "age of majority plus" arithmetic per state; a Medicare Advantage contract quietly adds a 10-year audit window. Your retention policy is therefore not a number — it is a function of artifact type, jurisdiction, patient age, and contract, evaluated per record. Write it down, because the written policy is itself required documentation on the six-year clock.

[Image: Timeline chart comparing retention clocks: state medical records, CMS hospital rule, HIPAA documentation, minors, audit holds]
Figure 3. The retention clocks compared. No single federal number exists for clinical data; the policy is the strictest applicable clock per artifact, jurisdiction, and patient.

Is long retention expensive? Run the arithmetic before assuming. A 30-minute consult recorded at 1.5 Mbps (a typical 720p H.264 stream) produces 1.5 Mbit/s × 1,800 s = 2,700 Mbit ≈ 340 MB. Ten thousand consults a year is 10,000 × 0.34 GB ≈ 3.4 TB per year of recordings. Holding one year's worth for six years in hot object storage (S3 Standard at $0.023/GB-month, June 2026 US-East pricing) costs 3,400 GB × $0.023 × 72 months ≈ $5,600. The same data in archival storage (S3 Glacier Deep Archive at $0.00099/GB-month) costs 3,400 × $0.00099 × 72 ≈ $242. Storage is not the problem. The real costs of retention are the obligations that ride along with the data: every retained recording is PHI you must encrypt, log access to, produce within 30 days on request, and protect for the full life of the clock — and a breach of a bucket of old recordings starts the same 60-day notification countdown as a breach of live data.

Is the recording part of the medical record?

Here is the decision that sets which clock your recordings are on, and most teams never make it consciously. HIPAA's right-of-access and the state retention laws attach to the designated record set — defined in 45 CFR §164.501 as the medical and billing records plus any records used to make decisions about individuals. A session recording that the clinician reviews to write the note, or that documents the basis of a diagnosis, is being used for care decisions: it is part of the designated record set, full retention clock, full access rights, discoverable in litigation.

That gives you exactly two defensible postures, and the worst place to be is between them. Posture A — the recording is a clinical artifact. It is ingested alongside the chart, indexed to the encounter, retained on the medical-record clock, included in access requests, and protected accordingly. Choose this when recordings serve care directly: complex-case review, supervision in behavioral health, procedure documentation. Posture B — the recording is a transient operational artifact. It exists for a named non-clinical purpose (quality assurance, dispute resolution), is never opened by the treating clinician for care decisions, never feeds the note, and is destroyed on a short fixed timer — 30 to 90 days — by an automated lifecycle rule. Document the purpose and the timer in policy, and enforce the "never used for care" boundary technically, because one clinician pulling a QA recording to check a dosage just moved it into the designated record set. The undeclared middle — recordings accumulating in a bucket with no policy, no owner, and no deletion — is the posture that produces both the discovery nightmare and the breach headline. The architecture for each posture (where the recorder sits, who holds keys, how the bucket is locked) is in recording clinical sessions, and the encryption duties in the encryption article.
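
The retention function from the previous section and the two postures from this one, as an added example that is not code from the article or from any vendor. `retention_end` evaluates the strictest applicable clock per record from artifact type, jurisdiction, patient age, hospital status, contract and legal hold; a posture-B recording sits on its short timer; `open_recording` enforces the "never used for care" boundary by refusing a care-purpose open, and `reclassify_to_clinical` is the only, logged, way to move a recording onto the medical-record clock. The five-year CMS figure, the six-year HIPAA documentation clock and the Massachusetts 20-year hospital clock are the ones the text cites; every other number in the state table, the 90-day timer and the record ids are placeholders.

```python
# Added example (not the article's or any vendor's code): retention evaluated as
# a function of artifact type, jurisdiction, patient age, contract and posture,
# with the posture-B boundary enforced in code. Apart from the 42 CFR 482.24(b)(1)
# five years, the 164.530(j) six years and the Massachusetts 20-year hospital
# figure the text cites, every clock value below is a placeholder; the real
# table is filled in from each state's statute with counsel.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical state table: adult retention after the last encounter, age of
# majority, and years after majority for records of minors.
STATE_CLOCK = {
    "MA": {"adult_years": 20, "majority": 18, "after_majority": 20},
    "XX": {"adult_years": 7, "majority": 18, "after_majority": 7},   # placeholder default
}
CMS_HOSPITAL_YEARS = 5            # 42 CFR 482.24(b)(1)
HIPAA_DOCUMENTATION_YEARS = 6     # 45 CFR 164.530(j): consent events, authorizations, policies
POSTURE_B_TIMER = timedelta(days=90)   # transient QA recording: fixed short timer (assumed)


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                         # 29 February
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    id: str
    kind: str              # "chart", "recording", "consent_event", "authorization"
    state: str             # governing jurisdiction
    created: date
    last_encounter: date
    patient_dob: date
    posture: str = "A"     # recordings only: "A" clinical artifact, "B" transient
    hospital: bool = False
    contract_audit_years: int = 0   # e.g. 10 under a Medicare Advantage contract
    legal_hold: bool = False


def retention_end(r: Record) -> date | None:
    """The strictest applicable clock wins; None means hold until released."""
    if r.legal_hold:
        return None
    if r.kind == "recording" and r.posture == "B":
        return r.created + POSTURE_B_TIMER
    if r.kind in {"consent_event", "authorization"}:
        return add_years(r.created, HIPAA_DOCUMENTATION_YEARS)
    rules = STATE_CLOCK.get(r.state, STATE_CLOCK["XX"])
    ends = [add_years(r.last_encounter, rules["adult_years"])]
    majority = add_years(r.patient_dob, rules["majority"])
    if r.last_encounter < majority:            # minor at the encounter
        ends.append(add_years(majority, rules["after_majority"]))
    if r.hospital:
        ends.append(add_years(r.last_encounter, CMS_HOSPITAL_YEARS))
    if r.contract_audit_years:
        ends.append(add_years(r.last_encounter, r.contract_audit_years))
    return max(ends)


class PostureViolation(PermissionError):
    pass


def open_recording(r: Record, actor_role: str, purpose: str, audit: list[str]) -> Record:
    """A posture-B recording may not be opened for care; that boundary is what keeps
    it out of the designated record set. Every open, allowed or denied, is logged."""
    if r.kind == "recording" and r.posture == "B" and purpose == "care":
        audit.append(f"denied {r.id}: {actor_role} requested care use of a QA recording")
        raise PostureViolation(r.id)
    audit.append(f"opened {r.id}: {actor_role} for {purpose}")
    return r


def reclassify_to_clinical(r: Record, reason: str, audit: list[str]) -> date | None:
    """The deliberate path from posture B to A: the clock extends, and the log says why."""
    r.posture = "A"
    audit.append(f"reclassified {r.id} to posture A: {reason}")
    return retention_end(r)
```

The reclassification path exists because the clinical need is sometimes real; what the design refuses is the silent version, where a QA recording is opened for a dosage check and nobody updates its clock.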

Deletion that actually deletes

Retention clocks end, and then the data must actually die. HIPAA's Security Rule makes disposal a required specification: 45 CFR §164.310(d)(2)(i) demands policies for the final disposition of electronic PHI and its media, and (d)(2)(ii) requires removal of ePHI before media re-use. HHS's disposal guidance points to NIST SP 800-88, the federal media-sanitization standard, which defines three levels — Clear (logical overwrite), Purge (rendering recovery infeasible, including cryptographic erase: destroy the encryption keys and ciphertext becomes noise), and Destroy (physical). For cloud-native telemedicine stacks, cryptographic erase plus the provider's documented sanitization is the practical Purge.

The hard part is not the storage API call — it is the propagation map. A telemedicine recording does not live in one place. It has cross-region replicas, backup snapshots, a transcript, an AI summary, embeddings in a search index, thumbnails, possibly cached segments on a content delivery network, and rows referencing it in a dozen tables. "Deleted" means the deletion reached all of them. Build the map when you build the feature: every derived artifact registers its lineage, deletion fans out through it, backups either expire on a documented schedule shorter than your deletion promise or support targeted purge, and the audit log records a deletion event — what was destroyed, when, under which policy, by what mechanism — because the proof of disposal is documentation you keep for six years. One deliberate exception: the audit events about the recording (who viewed it, who deleted it) are references, not PHI payloads, and they stay on their own retention clock.
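
The propagation map, as an added example that is not code from the article or from any vendor. Every replica, backup and derived artifact registers its parent; disposal walks that graph, refuses to run if a backup cannot honour the deletion promise, deletes each object, destroys every per-object key that no surviving artifact still uses (the cryptographic-erase form of Purge from the previous paragraph) and writes a disposal event that is itself kept on the six-year documentation clock. The store names, key ids, the 30-day promise and the sample artifacts are constructed for the example.

```python
# Added example (not the article's or any vendor's code): a lineage registry so
# that a disposal fans out through every replica, backup and derived artifact,
# backups are checked against the deletion promise, per-object keys are
# destroyed (the cryptographic-erase form of NIST SP 800-88 Purge) and a
# disposal event is written. Store names, key ids, the 30-day promise and the
# artifacts are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DELETION_PROMISE = timedelta(days=30)   # assumed policy: no copy outlives disposal by more than this
DISPOSAL_RECORD_YEARS = 6               # proof of disposal is 164.530(j) documentation


@dataclass
class Artifact:
    id: str
    store: str                      # "primary", "replica", "backup", "transcript", "index", "cdn"
    key_id: str | None = None       # per-object data-encryption key, if any
    snapshot_lifetime: timedelta | None = None   # backups only: how long a snapshot lives


class Lineage:
    def __init__(self) -> None:
        self.artifacts: dict[str, Artifact] = {}
        self.derived: dict[str, list[str]] = {}
        self.live_keys: set[str] = set()
        self.audit: list[dict] = []

    def register(self, art: Artifact, derived_from: str | None = None) -> None:
        """Every copy or derivative registers its parent at creation time."""
        self.artifacts[art.id] = art
        self.derived.setdefault(art.id, [])
        if art.key_id:
            self.live_keys.add(art.key_id)
        if derived_from:
            self.derived.setdefault(derived_from, []).append(art.id)

    def closure(self, root: str) -> list[str]:
        """Everything reachable from the root, root first."""
        seen, stack, order = set(), [root], []
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            order.append(cur)
            stack.extend(self.derived.get(cur, []))
        return order

    def readable(self, art_id: str) -> bool:
        """Ciphertext with no key is noise; a deleted object is gone either way."""
        art = self.artifacts.get(art_id)
        return art is not None and (art.key_id is None or art.key_id in self.live_keys)

    def unpurgeable_backups(self, ids: list[str]) -> list[str]:
        """Backups must expire within the promise or support targeted purge."""
        return [i for i in ids if self.artifacts[i].store == "backup"
                and (self.artifacts[i].snapshot_lifetime is None
                     or self.artifacts[i].snapshot_lifetime > DELETION_PROMISE)]

    def dispose(self, root: str, policy: str, today: date) -> dict:
        ids = self.closure(root)
        bad = self.unpurgeable_backups(ids)
        if bad:
            raise RuntimeError(f"cannot honour the deletion promise; fix backups first: {bad}")
        keys = {self.artifacts[i].key_id for i in ids if self.artifacts[i].key_id}
        for i in ids:
            del self.artifacts[i]            # storage delete
            self.derived.pop(i, None)
        still_used = {a.key_id for a in self.artifacts.values() if a.key_id}
        destroyed = keys - still_used        # a key shared with a survivor cannot be erased
        self.live_keys -= destroyed
        try:
            keep_until = today.replace(year=today.year + DISPOSAL_RECORD_YEARS)
        except ValueError:                   # 29 February
            keep_until = today.replace(year=today.year + DISPOSAL_RECORD_YEARS, day=28)
        event = {"event_type": "disposal.completed", "root": root, "artifacts": ids,
                 "keys_destroyed": sorted(destroyed), "keys_retained_shared": sorted(keys - destroyed),
                 "policy": policy, "mechanism": "object delete + cryptographic erase",
                 "on": today.isoformat(), "keep_until": keep_until.isoformat()}
        self.audit.append(event)             # a reference, not PHI: it stays on its own clock
        return event
```

The `keys_retained_shared` field is the caveat: cryptographic erase only works as Purge when each recording has its own data-encryption key. If one key wraps a whole bucket, destroying it is not an option and the disposal falls back to the storage delete alone, which the event should say.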

And one asymmetry to engrave into the roadmap: HIPAA gives patients no right to erasure. A patient can demand a copy of their record; they cannot demand you delete it — and where a retention statute applies, you must not, even on request. This is the sharpest single contrast with Europe's GDPR, whose Article 17 right to erasure does reach health-adjacent products, with carve-outs — if you serve EU users, the dual-regime design is covered in GDPR, PIPEDA, and global health-data law. For US-scope products, the honest patient-facing copy is "we delete what the law lets us delete, when it lets us" — and the honest engineering is a lifecycle engine that executes the policy without a human remembering to.

[Image: Deletion propagation pipeline from primary recording store through replicas, backups, derived artifacts, caches, to a logged disposal certificate]
Figure 4. Deletion that actually deletes. The lifecycle engine fans the disposal out through every replica, backup, and derived artifact, then writes a disposal event to the audit trail — the proof you keep after the data is gone.

The right of access: 30 days, no excuses

The retention story has a counterparty: the patient's federal right to see and copy everything you keep about them, for as long as you keep it. Under 45 CFR §164.524, an individual may inspect and obtain a copy of their PHI in the designated record set — which, per the last section's decision, may include your session recordings. The mechanics are precise. You must act within 30 calendar days of the request, with one extension of up to 30 more days allowed only if you give the patient a written reason and a completion date within the first window (§164.524(b)(2)). You must provide the copy in the form and format requested if readily producible — for a recording, that means an ordinary playable file, not a proprietary export (§164.524(c)(2)). You may charge only a reasonable, cost-based fee limited to labor for copying, supplies, and postage (§164.524(c)(4)) — no "records processing" markups. And on a signed written request, you must transmit the copy directly to a third party the patient designates (§164.524(c)(3)(ii)). The exceptions are narrow: psychotherapy notes and litigation-preparation materials sit outside the right (§164.524(a)(1)).

OCR treats this as a flagship enforcement program. Its Right of Access Initiative, launched in 2019, had produced 53 enforcement actions by March 2025 — roughly one every 38 days — against organizations from solo practices to academic medical centers, including a $200,000 civil monetary penalty against a university health system in 2025 and a long tail of five- and six-figure settlements for the simple failure to send records on time. Most actions began the same way: one patient, one unanswered request, one complaint form.

The product translation is a workflow, not a PDF generator: an intake surface for access requests with identity verification proportionate to risk; a designated-record-set map (which systems hold chart data, recordings, transcripts, messages — the documentation §164.524(e) expects); an assembly pipeline that can export the encounter bundle, recordings included, in standard formats; a delivery channel through the portal with the fee calculation shown; and a deadline tracker that pages someone at day 20, because the 30-day clock has no pause button. Every step lands in the audit log. If you build it as a quarterly manual scramble, you will eventually miss the window; teams that wire it into the platform answer in days — and the same pipeline, pointed at a third party, satisfies §164.524(c)(3)(ii) and most state record-request laws for free.
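
The deadline tracker and fee rule from this section, as an added example that is not code from the article or from any vendor. The request carries its receipt date; the due date is 30 calendar days later unless one extension was granted inside that first window with a written reason and a completion date no more than 30 days past the original deadline; the status turns to "escalate" ten days before the due date (the day-20 page) and to "overdue" after it; the fee function accepts only the three cost inputs §164.524(c)(4) allows. Request ids, the escalation offset and the labour rate are constructed for the example.

```python
# Added example (not the article's or any vendor's code): the 164.524 deadline
# arithmetic as a small state machine, plus the cost-based fee. Request ids,
# the day-20 escalation and the labour rate are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

INITIAL_WINDOW = timedelta(days=30)        # 164.524(b)(2)(i): act within 30 calendar days
MAX_EXTENSION = timedelta(days=30)         # (b)(2)(ii): one extension of no more than 30 days
ESCALATE_BEFORE_DUE = timedelta(days=10)   # page someone at day 20 (assumed operational rule)


@dataclass
class AccessRequest:
    id: str
    received: date
    extended_on: date | None = None
    extension_reason: str | None = None
    extension_completion: date | None = None
    fulfilled_on: date | None = None

    @property
    def due(self) -> date:
        return self.extension_completion or (self.received + INITIAL_WINDOW)

    def extend(self, on: date, written_reason: str, completion: date) -> date:
        """Only once, only inside the first window, only with a written reason and a
        completion date, and never more than 30 days past the original due date."""
        first_due = self.received + INITIAL_WINDOW
        if self.extended_on is not None:
            raise ValueError("only one extension is allowed")
        if on > first_due:
            raise ValueError("extension must be given within the initial 30-day window")
        if not written_reason.strip():
            raise ValueError("a written statement of reasons is required")
        if completion <= on or completion > first_due + MAX_EXTENSION:
            raise ValueError("completion date must fall within the 30 extra days")
        self.extended_on = on
        self.extension_reason = written_reason
        self.extension_completion = completion
        return self.due

    def status(self, today: date) -> str:
        if self.fulfilled_on is not None:
            return "fulfilled" if self.fulfilled_on <= self.due else "fulfilled_late"
        if today > self.due:
            return "overdue"
        if today >= self.due - ESCALATE_BEFORE_DUE:
            return "escalate"
        return "open"


def reasonable_fee(labor_minutes: int, labor_rate_per_hour: float,
                   supplies: float, postage: float) -> float:
    """164.524(c)(4): labour for copying, supplies and postage only. Search, retrieval
    and 'processing' are not chargeable, so they are not inputs at all."""
    return round(labor_minutes / 60 * labor_rate_per_hour + supplies + postage, 2)
```

Keeping the extension rules inside `extend` rather than in a runbook is what stops the common failure, a second "extension" granted on day 45 that the rule does not recognise and OCR counts as a missed deadline.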

Where Fora Soft fits in

Consent, recording, retention, and access are where our two specialties — real-time video systems and HIPAA-compliant product engineering — meet in one feature set. Since 2005 we have built telemedicine, video-conferencing, surveillance, e-learning, and streaming platforms, and the recurring pattern in healthcare work is exactly this article's stack: jurisdiction-aware consent flows wired to the session lifecycle, recording pipelines whose storage posture is decided before the first byte is captured, lifecycle engines that retain and dispose on policy, and patient-facing export workflows that meet the 30-day federal clock. We design the compliance boundary first — which artifacts become part of the record, under which consents, behind which Business Associate Agreements — and then build the video stack inside it.

References

  1. 45 CFR §164.508 — Uses and disclosures for which an authorization is required. eCFR, current through June 2026. Read in full 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508 (Tier 1)
  2. 45 CFR §164.524 — Access of individuals to protected health information. eCFR, current through June 2026. Read in full 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524 (Tier 1)
  3. 45 CFR §164.506 — Uses and disclosures to carry out treatment, payment, or health care operations (consent optional under (b)). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.506 (Tier 1)
  4. 45 CFR §164.530(j) — Documentation; six-year retention. 45 CFR §164.316(b)(2)(i) — Security Rule documentation retention. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164 (Tier 1)
  5. 45 CFR §164.310(d)(2) — Device and media controls: disposal and media re-use (required specifications). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310 (Tier 1)
  6. 42 CFR §482.24(b)(1) — Hospital conditions of participation: medical records retained at least 5 years. https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-482/subpart-C/section-482.24 (Tier 1)
  7. HHS — Fact Sheet: 42 CFR Part 2 Final Rule (Feb 2024; compliance date 2026-02-16): single TPO consent, SUD counseling notes, legal-proceedings consent separation. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html (Tier 1)
  8. HHS OCR — Individuals' Right under HIPAA to Access their Health Information (45 CFR §164.524 guidance: timeliness, form and format, fees). https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (Tier 1)
  9. HHS FAQ 580 — The Privacy Rule does not set medical-record retention periods; state law governs. https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html (Tier 1)
  10. HHS FAQ 575 + Disposal FAQs — disposal of PHI; reference to NIST media-sanitization guidance. https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html (Tier 1)
  11. NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization (Clear / Purge / Destroy; cryptographic erase). https://csrc.nist.gov/pubs/sp/800/88/r1/final (Tier 1)
  12. CMS — Telehealth FAQ (updated 2026-02-26): beneficiary consent for communication-technology-based services, annual verbal consent, ancillary staff. https://www.cms.gov/files/document/telehealth-faq-updated-02-26-2026.pdf (Tier 1)
  13. ESIGN Act, 15 U.S.C. §7001 — legal validity of electronic signatures and records. https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title15-section7001 (Tier 1)
  14. Center for Connected Health Policy — State telehealth consent requirements tracker (Medicaid and cross-state survey). https://www.cchpca.org/topic/consent-requirements-medicaid-medicare/ (Tier 5)
  15. Justia — Recording Phone Calls and Conversations: 50-State Survey (one-party vs all-party consent). https://www.justia.com/50-state-surveys/recording-phone-calls-and-conversations/ (Tier 5)
  16. Becker's Hospital Review / ABA Health Law analyses — November 2025 proposed class action over ambient AI scribe consent (CIPA/CMIA allegations; boilerplate consent language). https://www.beckershospitalreview.com/strategy/ambient-ai-lawsuit-highlights-importance-of-patient-consent/ (Tier 5)
  17. Healthcare Law Insights / Nixon Peabody trackers — OCR Right of Access Initiative: 52nd–53rd enforcement actions (Jan–Mar 2025), $200,000 CMP, cadence since 2019. https://www.healthcarelawinsights.com/2026/02/enforcement-ramps-up-on-patient-right-of-access-what-providers-need-to-know/ (Tier 5)
  18. Accountable HQ — Telemedicine Informed Consent Requirements by State: 2026 Guide (45 states + DC count; state form variations). Competitor/orientation reference; all regulatory claims re-verified against primary sources above. (Tier 7)

Where lower-tier sources disagreed with rule text, the rule text won: the popular claim that "HIPAA requires six-year medical-record retention" (multiple vendor blogs) is overridden by HHS FAQ 580 and §164.530(j) — six years attaches to compliance documentation, not the chart. Vendor claims that an in-product consent banner alone satisfies all-party wiretap law are overridden by the statutes' all-participant requirement and the 2025 CIPA litigation.