Who Is in the Room: Roles, Identity, and Consent

This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

If you are building a telemedicine product, identity and consent are the first features a regulator, a health-plan auditor, or a malpractice lawyer will ask about — and the last features most teams design. Founders budget for video quality and EHR integration, then discover that "add the patient's mother to the call" touches state consent law, that an interpreter has a federally defined quality bar, and that a prescription flow needs a second, stricter identity check the signup flow never did. This article gives you the foundation-level map: who can be in the room, what proof each person needs, and which consents must exist before the camera turns on. It builds on the anatomy of a telemedicine platform and feeds the deeper compliance articles in Block 2. If you read only one thing, read the room-roster model at the end — it is the cheapest insurance policy in telehealth engineering.

The cast: six roles, three questions each

A normal video call has participants. A telemedicine call has roles — and the difference is legal, not cosmetic. For every person who can appear in a clinical session, your product must answer three questions. Who are they? (identity). What may they do here? (permission). Who agreed to their presence? (consent). Miss any of the three for any role and you have a gap an auditor can put a finger on.

Here is the full cast you should plan for, even in a v1 product:

Figure 1. The cast of a telemedicine room: six roles, and the three questions — identity, permission, consent — your product must answer for each.

Two things make this table harder than it looks. First, the room is dynamic: an interpreter joins mid-call, a parent walks into frame, a supervising physician drops in for two minutes. Each event changes the legal composition of the visit and must be captured. Second, the answers are jurisdictional: the patient's location at the time of the visit — not your company's address — usually decides which state's consent and licensing rules apply. Keep both ideas in mind; the rest of the article walks the cast one layer at a time.

Identity is a ladder, not a checkbox

Start with a definition, because the word "verified" hides two different jobs. Identity proofing is establishing that a real-world person exists and that the account belongs to them — checking the passport at the hotel desk. Authentication is confirming that the person returning today is the same one who checked in — the room key. The US standard for both is NIST Special Publication 800-63, Digital Identity Guidelines, revised as SP 800-63-4 in 2025 [1]. It grades proofing as Identity Assurance Levels (IAL1–IAL3) and login strength as Authentication Assurance Levels (AAL1–AAL3).

In plain language, the proofing rungs look like this. IAL1: the system collects identity attributes and validates them against authoritative sources — enough to support that the claimed identity exists and limit mass-produced fake accounts [1]. IAL2: stronger evidence and a more rigorous check that the applicant is actually the person on the evidence — in practice, a government photo ID plus a live selfie matched to it, remotely [1]. IAL3: an attended, in-person session with biometric collection — rare in consumer telehealth, normal for high-security government work [1]. The authentication rungs mirror them: AAL1 accepts single-factor (a password), AAL2 requires two distinct factors — and Revision 4 expects AAL2 deployments to offer a phishing-resistant option such as a passkey — and AAL3 requires hardware-grade cryptographic authenticators [1]. The 2025 revision also recognizes mobile driver's licenses and verifiable digital credentials as identity evidence, which matters for onboarding friction [1].

Why a telehealth team should care is not abstract. HIPAA's Security Rule makes "person or entity authentication" a named technical safeguard — 45 CFR §164.312(d) — alongside the audit controls of §164.312(b) [2]. The proposed Security Rule update (NPRM, 90 FR 898, published 2025-01-06; still proposed, not final, as of 2026-06-11) would make multi-factor authentication effectively mandatory across regulated systems [3]. And the fraud it guards against is industrial-scale: the Department of Justice's June 2025 national health-care fraud takedown charged 324 defendants over $14.6 billion in alleged false claims, including $1.17 billion tied to telemedicine and genetic-testing schemes, and one scheme — "Operation Gold Rush" — built $10.6 billion of claims on the stolen identities of more than one million Americans [4]. Weak identity at the front door of a telehealth product is exactly how stolen identities become claims.

Figure 2. The identity ladder: each product moment — signup, sign-in, visit, prescribing — carries its own assurance requirement, and the rungs come from different rulebooks.

The patient ladder: proof what the action requires

The practical question is not "what is the strongest check we can run" but "which rung does each action require". A growing number of US states require providers to verify a patient's identity for telehealth encounters at all — a 2023 McDermott 50-state survey tracks the patchwork [5] — and health plans increasingly require it contractually. Beyond that floor, let the risk of the action choose the rung. Browsing educational content needs no proofing. Opening an account that will hold PHI justifies IAL1-style validation. Receiving a controlled-substance prescription, changing a payout account, or granting a caregiver access to records justifies a step up to an IAL2-grade document-plus-selfie check.

Step-up design is also where the economics land. Walk the arithmetic once, with labeled assumptions: a document-plus-selfie verification at a typical 2026 list price of $2.50 per check, 10,000 patient signups per month, and 22% of patients ever reaching a prescribing flow.

• Verify everyone at signup: 10,000 × $2.50 = $25,000 per month.
• Verify only at the prescribing step: 10,000 × 0.22 = 2,200 checks → 2,200 × $2.50 = $5,500 per month.

Same compliance outcome where the rule attaches to prescribing — and $19,500 a month of difference. Friction follows the same logic: if one in ten users abandons at an ID check, front-loading it costs you 1,000 signups a month; step-up moves that loss to 220, and only among patients already committed to treatment. The one mistake to avoid is silently lowering the rung where a rule sets it: knowledge-based quizzes ("which of these streets have you lived on?") draw on exactly the breached data the Gold Rush defendants allegedly bought, which is why modern guidance keeps moving toward document-and-biometric evidence [1][4].

The provider ladder: licensed where the patient sits

The provider's identity stack is heavier, and it is mostly organizational rather than biometric. Four layers stack up. Licensure: the clinician must generally hold a license valid in the state where the patient is located at visit time — the cross-state problem the licensing article covers in depth. Registry identity: every US provider has a National Provider Identifier (NPI) in CMS's public NPPES registry; your directory should store and re-validate it. Credentialing: hospitals must formally vet a practitioner's qualifications. Medicare's hospital Conditions of Participation allow credentialing by proxy — the patient-side hospital may rely on the distant-site entity's credentialing decisions under a written agreement, provided the practitioner holds a license issued or recognized by the state where the patients are, the distant site shares the current privilege list, and the patient-side hospital feeds back periodic peer review including all adverse events and complaints (42 CFR §482.22(a)(3)–(4)) [6]. Those contractual duties — privilege lists flowing one way, adverse-event reports the other — are product features: directory sync, document exchange, and an incident-reporting path.

Prescribing is the top rung. Remote prescribing of controlled substances sits under the Ryan Haight Act's in-person-exam baseline (21 U.S.C. §829(e)), currently bridged by DEA telemedicine flexibilities extended — for the fourth time — through December 31, 2026 (Federal Register, 2025-12-31), while the proposed special-registration framework from January 2025 remains unfinalized [7]. Electronic Prescribing of Controlled Substances (EPCS) then writes identity engineering directly into regulation: the prescriber must obtain a two-factor credential from a federally approved credential service provider that proofs identity at "Assurance Level 3" of NIST SP 800-63-1 — the DEA rule still cites the 2011-era vocabulary — with the credential issued across two separate channels (21 CFR §1311.105), and every signing must use two of three factors: something known, a hard or soft token possessed, or a biometric (21 CFR §1311.115) [8]. If your roadmap includes prescribing, the e-prescribing and EPCS article turns this into an integration plan.

One consistency note: patients and providers authenticate into the same sessions. A product that proofs patients at IAL2 but lets clinicians share a ward iPad with one password has solved the wrong half of the problem — authentication and identity for patients and providers covers MFA, SSO, and session design for both sides.

Consent is a stack, not a checkbox

Consent fails in telemedicine products the same way encryption does: teams treat a many-layered legal object as one boolean. Lay the layers out and the data model almost designs itself.

Layer 1 — consent to be treated by telehealth. The majority of US states require telehealth-specific informed consent in statute, administrative code, or Medicaid policy, and most require it to be documented in the record; some accept verbal consent if logged, others demand written consent for some services [9][10]. The consent must typically be captured before or at the start of the first telehealth encounter. Treat the consent text itself as versioned content: when counsel updates the wording, old records must still point at the wording the patient actually saw.

Layer 2 — consent to be recorded. Separate from consent to treatment, and governed by state wiretap law: roughly a dozen states — California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington, with several mixed-rule states — require every participant's consent to record a conversation [11]. A recorded session is also instantly PHI, with retention and access rules attached. The clean product rule: recording is off by default, requires an explicit in-session consent event from each participant, and the consent event itself is stored with the recording. Patient consent, recording, and data retention is the deep-dive.

Layer 3 — consent to data use beyond the visit. Treatment, payment, and operations are permitted uses under HIPAA; marketing, research, and most analytics sharing need a separate HIPAA authorization — a distinct legal artifact with required elements, not a pre-ticked box in onboarding. Substance-use-disorder records carry their own consent regime under 42 CFR Part 2, whose 2024 overhaul reached its compliance deadline on February 16, 2026 [12]. If your product touches behavioral health, model Part 2 consent as its own object from day one.

Layer 4 — consent on behalf of someone else. For minors and adults under guardianship, HIPAA defers to state law through the personal representative rule: a person with authority to make health-care decisions for the patient is treated as the patient for privacy purposes (45 CFR §164.502(g)) [13]. The age of majority is 18 in most states, but nearly every state lets minors consent on their own to specific categories — commonly mental health, reproductive health, or substance-use care, with thresholds as low as 12 in California — and those minor-consented services often carry confidentiality against the parent [14]. Engineering translation: guardian access cannot be modeled as "second login on the patient account". It is a separate identity, with a verified relationship, scoped permissions, and — for adolescent care — per-category visibility rules.

Figure 3. The consent stack: four distinct legal objects with four capture moments — one signup checkbox cannot represent them.

A useful mental model: consent records are evidence, not settings. A setting is mutable state; evidence is append-only. Store each consent as an immutable event — who consented, to which document version, for whom, via which channel, at what timestamp — and "revoke" as a new event, never an overwrite. Auditors ask "what had the patient agreed to on March 3rd", and an overwritten boolean cannot answer.

The room is dynamic: joins, interpreters, supervisors

Everything so far happens before the visit. The hard engineering is during it, because telemedicine rooms change composition mid-call, and every change is a compliance event. The pattern that works is a join checkpoint: nobody enters the media session without passing identity → role assignment → consent → announcement → log, in that order. The waiting room is simply this checkpoint given a UI for patients; the same gate must exist for every role, including staff.

Figure 4. The join checkpoint: verify, role-tag, capture consent, announce to the room, write the audit event — for every participant, every time.

Interpreters are the role teams most often get legally wrong, in two opposite ways. First, who may interpret: under Section 1557 of the ACA, covered entities must offer a qualified interpreter and may not rely on an accompanying adult except in narrow emergencies or at the patient's specifically documented request — and may rely on a minor child only in an emergency with no qualified interpreter available (45 CFR §92.201(c), (e), 2024 final rule) [15]. "The patient's cousin can translate" is not a fallback; it is a violation with a named section. Second, how well the video must work: the same rule writes a quality-of-service bar for video remote interpreting — real-time, full-motion video and audio over a dedicated high-speed connection, no lags, choppy, blurry or grainy images, a sharply delineated face large enough to see, clear audio, and trained users (45 CFR §92.201(f)) [15]. That is a latency-and-bitrate SLA sitting inside a civil-rights regulation: your interpreter video tier cannot be the degraded one. Multi-party mechanics — selective audio channels, role-based layouts — live in the multi-party consult article.

Supervising physicians got a permanent rule in 2026. Many services billed "incident to" a physician require direct supervision — historically, the supervisor physically in the suite. CMS's CY 2026 Physician Fee Schedule final rule made virtual direct supervision permanent from January 1, 2026: presence and immediate availability may be satisfied through real-time, two-way audio-video — explicitly excluding audio-only — for applicable incident-to services, diagnostic tests, and pulmonary and cardiac rehab (with global-surgery exceptions) [16]. Product translation: a supervisor "drop-in" path that is one click, full audio-video, role-labeled on screen, and logged with join and leave timestamps — because the billing record may need to prove availability.

Scribes and observers — human or AI — round out the cast. A human scribe is workforce, covered by the entity's HIPAA training and access rules; an AI scribe is a vendor inside the PHI boundary, which means a Business Associate Agreement and explicit patient disclosure before it listens. The clinical wiring of ambient documentation is its own article; the room-level rule here is simple: nothing listens without being on the roster.

The data model that holds it together

Pull the threads together and the foundation artifact appears: a room roster — the visit-scoped record that joins identity, role, and consent. A workable v1 schema has five tables. Persons (one row per human or agent, with proofing level and evidence pointers). Credentials (licenses, NPI, DEA registration, EPCS credential — with expiry dates and re-verification jobs). Consents (immutable events: subject, grantor, document version, scope, channel, timestamp). Sessions (the visit). Participations (person × session × role × join/leave timestamps × the consent events that authorized them). HIPAA's audit-control safeguard (45 CFR §164.312(b)) and its access rules stop being abstract once this exists: the audit question "who saw this patient's data, when, and on what authority" becomes a JOIN, not an investigation [2]. Audit logging and access controls builds the full event catalog on top of exactly this structure.

The test for your design is concrete. Pick any minute of any visit from last quarter and demand: every person in the media session at that minute, the role each held, the proofing level each identity carried, and the consent version that covered each presence. If any of the four comes back blank, the gap is in the schema — and schemas are cheapest to fix before launch.

The common mistake: one checkbox to rule them all. The recurring failure in telemedicine builds is a single signup checkbox — "I agree to the Terms, Privacy Policy, and telehealth treatment" — silently standing in for the whole stack. It fails as treatment consent in states that require separate, documented telehealth consent; it fails entirely as recording consent in all-party-consent states because the other participants never consented; it fails as a HIPAA authorization for marketing or analytics because authorizations have required elements a terms-checkbox lacks; and it proves nothing about guardianship. The siblings of this mistake are unlogged mid-call joiners ("the resident just watched"), the family-member interpreter, and consent text that was edited in place so nobody can prove what version 1.3 said. Every one of these is findable in discovery — and fixable in the schema.

Where Fora Soft fits in

Fora Soft has built real-time video software since 2005 — telemedicine, video conferencing, streaming, OTT, e-learning, surveillance, AR/VR, across 239+ shipped projects — and the identity-and-consent layer is where our telemedicine engagements usually start, because it is the layer that cannot be retrofitted cheaply. We design the room-roster model first: proofing levels mapped to product actions per NIST SP 800-63-4, consent as versioned immutable events, join checkpoints in the call flow, and the audit trail HIPAA's §164.312 safeguards expect. Then we wire the video layer — including the interpreter-grade quality tier §92.201(f) demands — on top of a structure an auditor can query. The requirement comes first; the capability follows.

What to read next

• Audit logging and access controls for clinical video — the event catalog your roster feeds.
• Patient consent, recording, and data retention — the recording layer in depth.
• Authentication and identity for patients and providers — MFA, SSO, and session design.

Building a telemedicine product? The identity and consent layer decides whether your platform passes its first audit. Talk to our telemedicine team about HIPAA-ready identity architecture, see our case studies, or download the Roles, Identity & Consent Worksheet and map your own room.

Call to action

• Talk to a telemedicine engineer — book a 30-minute scoping call to talk through your telemedicine identity verification plan.
• See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
• Download the Roles, Identity & Consent Worksheet — One page to map your own telemedicine room: the six roles with their identity, permission, and consent checks, the four consent layers, and the join-checkpoint steps — with checkboxes for an audit dry run.

References

1. NIST Special Publication 800-63-4, Digital Identity Guidelines (final, 2025), incl. SP 800-63A-4 (identity proofing) and SP 800-63B-4 (authentication) — IAL/AAL definitions, AAL2 phishing-resistant expectation, mDL/verifiable-credential evidence. https://pages.nist.gov/800-63-4/
2. HIPAA Security Rule, Technical Safeguards — 45 CFR §164.312(d) (person or entity authentication), §164.312(b) (audit controls); personal representatives at §164.502(g). https://www.ecfr.gov/current/title-45/part-164
3. HHS, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information (NPRM), 90 FR 898, 2025-01-06 — proposed mandatory MFA; still proposed, not final, as of 2026-06-11. https://www.federalregister.gov/documents/2025/01/06/2024-30983/
4. US Department of Justice, National Health Care Fraud Takedown press release, 2025-06-30 — 324 defendants, $14.6B alleged fraud; $1.17B telemedicine/genetic-testing schemes; Operation Gold Rush ($10.6B, 1M+ stolen identities). https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-324-defendants-charged-connection-over-146
5. McDermott Will & Emery, 50-State Survey: States That Require Identity Verification for Telemedicine Encounters, March 2023. https://www.mcdermottlaw.com/insights/50-state-survey-states-that-require-identity-verification-for-telemedicine-encounters/
6. 42 CFR §482.22(a)(3)–(4) — hospital Conditions of Participation, telemedicine credentialing by proxy: written agreement, license recognized by the patient-side state, privilege list, periodic peer review with adverse events. https://www.ecfr.gov/current/title-42/part-482/section-482.22
7. DEA/HHS, Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications, Federal Register, published 2025-12-31 — flexibilities through 2026-12-31; Ryan Haight baseline at 21 U.S.C. §829(e); special-registration NPRM (Jan 2025) unfinalized. https://www.federalregister.gov/documents/2025/12/31/2025-24123/
8. 21 CFR §1311.105 (two-factor credential; identity proofing at NIST SP 800-63-1 Assurance Level 3; two-channel issuance) and §1311.115 (two of three factors: knowledge, token, biometric). https://www.ecfr.gov/current/title-21/part-1311
9. Center for Connected Health Policy (CCHP), State Telehealth Laws and Reimbursement Policies, Fall 2025 — majority of states with telehealth-specific consent requirements; per-state detail in the Policy Finder. https://www.cchpca.org/
10. HHS Telehealth.HHS.gov, Obtaining informed consent — federal guidance on documenting telehealth consent. https://telehealth.hhs.gov/providers/preparing-patients-for-telehealth/obtaining-informed-consent
11. Justia, Recording Phone Calls and Conversations — 50-State Survey (current as of 2025) — one-party vs all-party consent states. https://www.justia.com/50-state-surveys/recording-phone-calls-and-conversations/
12. 42 CFR Part 2 (SAMHSA), Confidentiality of Substance Use Disorder Patient Records, 2024 final rule — compliance date 2026-02-16. https://www.ecfr.gov/current/title-42/part-2
13. 45 CFR §164.502(g) — HIPAA personal-representative rule: guardians and others with decision authority treated as the individual. https://www.ecfr.gov/current/title-45/part-164/section-164.502
14. National Center for Youth Law, Minor Consent and Confidentiality Compendium (2024) — state-by-state minor-consent categories and ages. https://youthlaw.org/sites/default/files/2024-10/NCYLMinorConsentCompendium2024.pdf
15. 45 CFR §92.201 (Section 1557 final rule, 89 FR 37692, 2024-05-06) — qualified interpreters (c), restrictions on adults/minors interpreting (e), video remote interpreting quality standards (f). https://www.ecfr.gov/current/title-45/part-92/section-92.201
16. CMS, CY 2026 Medicare Physician Fee Schedule Final Rule (CMS-1832-F), Federal Register 2025-11-05 — permanent virtual direct supervision via real-time audio-video (audio-only excluded), effective 2026-01-01. https://www.federalregister.gov/documents/2025/11/05/2025-19787/

Where lower-tier sources disagreed with rule text, the rule text was followed: vendor identity-verification blogs describing knowledge-based quizzes as sufficient proofing were overridden by NIST SP 800-63-4's evidence-based model [1], and "any bilingual staff member can interpret" claims were overridden by 45 CFR §92.201's qualified-interpreter requirement [15].