What Generic Consent Forms Miss (and How to Fix Yours)
Your EHR does many things well: scheduling, notes, and billing. It's easy to assume that its forms are just as reliable.
But those universal intake forms, informed consent documents, and Notices of Privacy Practices (NPP) were designed to fit anyone. This means they weren't designed to work specifically for you, in your state, with your license type, as they should be.
The good news? Fixing this is more manageable than you think.
Here's what you'll actually need to do:
- Review your core documents: your Notice of Privacy Practices, informed consent, authorization for release of records, and, if applicable, your telehealth consent and SUD consent.
- Check them against your state requirements, license type, and ethics code
- Add any missing elements (often just a paragraph or two)
- Set up a workflow so that updates don't mean rebuilding from scratch
This guide will walk you through each step, show you where to find reliable guidance, and help you set up a system that keeps your forms up to date over time.
TL;DR: Generic consent forms from EHRs are not designed to meet your state laws, license rules, or ethics code, so they often leave out required disclosures. HIPAA sets a baseline, but state regulations, telehealth rules, and professional ethics usually require more. Some information, such as psychotherapy notes, substance use disorder records (42 CFR Part 2), and reproductive health information, requires separate, specific consent forms that generic templates do not cover.
You do not need to rewrite everything. Most practices can close the gaps by reviewing a few core documents, adding missing language, and setting up a workflow that makes updates manageable over time.
Why generic consent forms don't meet HIPAA and ethics requirements
The one-size-fits-all approach doesn't fit mental health practices. This isn't a failure of any one platform. It's a limitation of scale.
If a form truly worked for all states and all license types, it would need to be hundreds of pages long. The EHR provider would need an entire law firm dedicated to keeping up with the changes. That makes universal forms logically impossible, not just imperfect.
EHR vendors build for scale, not specificity. They're trying to serve therapists in 50 states, multiple license types, and countless specialties. Unfortunately, the way forms are presented during onboarding doesn't make it clear that they need to be customized, and there's no guidance on how to use them correctly.
“The HIPAA and mental health attorneys on the PCT team of experts strongly advise against using generic templates. They must be customized and specific.”
Liath Dalton, Director, Person Centered Tech (PCT)
If you're using the standard forms provided by your EHR, determine whether you can customize them or use your own. It varies between platforms.
The federal government's model Notice of Privacy Practices templates state in their instructions: "Part 2 requires you to describe any state or other laws that require greater limits on disclosures."
“I see practitioners all the time who've been using the same EHR template for years without realizing it doesn't reflect their state's specific requirements. It's not negligence. It's just that nobody told them to check.”
Liath Dalton, Person Centered Tech (PCT)
So what exactly are these requirements that generic forms miss?
State requirements vary more than you think
Mental health practice sits at the intersection of multiple regulatory layers: federal law, state law, licensing board rules, and professional ethics codes. Each state has its own requirements for what must be disclosed, how consent must be documented, and what specific language must appear in your forms.
Here are just a few examples:
| State | Requirement | Source |
|---|---|---|
| California | The Board of Behavioral Sciences (BBS) requires a specific "Notice to Clients" in at least 12-point font with exact language, plus your license expiration date | California BBS |
| New York | For clients with serious mental illness, documentation of a physician consultation may be required. | NY State Education Department |
| Texas | Marriage and family therapists must include a records custody plan in case of death or incapacitation. | 22 Tex. Admin. Code § 801.48(h) |
| Colorado | Specific written disclosure elements are required before treatment begins. | C.R.S. § 12-43-214 |
And if you provide telehealth, the complexity multiplies. You're subject to the requirements of every jurisdiction that governs that session: where the therapist is physically located, where the client is physically located, and where the therapist is licensed. This could mean three different jurisdictions for a single session.
It sounds like a lot, but this is why telehealth consent exists. You're not expected to memorize all of this. Instead, you're expected to document that you addressed it.
Telehealth examples:
| State | Requirement | Source |
|---|---|---|
| Arizona | Requires specific telehealth documentation, including the client's physical address | Arizona Revised Statute § 36-3602 |
| Alaska | Therapists providing telehealth to clients in Alaska must register with the Telemedicine Business Registry and hold a valid Alaska business license. | Alaska Division of Corporations |
| Maryland | A telehealth practitioner must be licensed in Maryland when providing services to a client located in the state; the clinician can be located anywhere. | MD Health Occupations Code § 1-1005 |
Your ethics code expects more than HIPAA requires
Each code has specific informed consent requirements that generic templates don't address. Some examples:
| Professional association | Key informed consent requirements | Source |
|---|---|---|
| American Counseling Association (ACA) | Standard A.2.b. lists specific "types of information needed," including purposes, goals, techniques, procedures, limitations, risks, benefits, credentials, approach to counseling, continuation of services upon incapacitation or death, role of technology, fees, and billing | ACA Code of Ethics |
| American Mental Health Counselors Association (AMHCA) | Professional disclosure statement must include expectations and responsibilities of both counselor and client, professional orientation and values, emergency procedures, supervision status (if applicable), and business practices | AMHCA Code of Ethics |
| Clinical Social Work Association (CSWA) | Informed consent must cover the extent and nature of services offered, mutual limits, rights, opportunities, and obligations, and payment arrangements. For consent to be valid, clients must be informed clearly, choose freely without undue influence, and have the capacity to make an informed choice | CSWA Code of Ethics |
| American Association for Marriage and Family Therapy (AAMFT) | Standard 1.2 requires that the client (a) has capacity to consent, (b) has been adequately informed of treatment processes and procedures, (c) has been adequately informed of potential risks and benefits, (d) has freely and without undue influence expressed consent, and (e) has provided consent that is appropriately documented | AAMFT Code of Ethics |
All these examples treat informed consent as an ongoing documented conversation throughout treatment, not just a form signed at intake and filed away. When a client updates their communication or consent preferences, document the change in their clinical record.
“A signed form at intake satisfies almost no ethics code I'm aware of. Informed consent is a process, not a checkbox.”
Liath Dalton, Director, Person Centered Tech (PCT)
⚠️ A note on AI: If you use AI for any clinical applications, clients must give informed consent before you use it. Describe how it works, the risks and benefits, including potential bias. Don't rely on the AI platform's consent language. This doesn't mean you can't use AI responsibly. It means your consent language needs to reflect how you're actually using it.
Three areas where generic forms need special attention
Some types of information are subject to additional federal or state protections that require separate, specific forms.
1. Psychotherapy notes
HIPAA requires a separate authorization for the release of psychotherapy notes. This authorization cannot be combined with any other consent form (45 CFR 164.508(b)(3)(ii)). A checkbox on a general records release is invalid.
This means you need a standalone psychotherapy notes authorization form, separate from your general authorization for release of records. Most EHRs don't automatically provide this, and some don't segregate psychotherapy notes properly in the first place.
Your Notice of Privacy Practices must also address psychotherapy notes. Under HIPAA, psychotherapy notes have special protections, but only if your state law also protects them. Your NPP must state whether you take psychotherapy notes and whether your state protects them.
Source: 45 CFR 164.508(b)(3)(ii)
2. Substance use disorder records (42 CFR Part 2)
Federal law requires written consent with specific elements, separate from your general intake forms. Generic HIPAA consent forms don't meet Part 2 requirements. EHRs typically don't provide these forms, and some don't allow the customization you need.
New rules take effect February 16, 2026, with updated requirements including how to revoke consent in writing.
Source: HHS Fact Sheet: 42 CFR Part 2 Final Rule
3. Reproductive health information
The 2024 federal reproductive health rule was vacated by the current administration, so it did not take effect. However, several states are stepping in with their own requirements. California, Washington, and Nevada now require explicit consent before sharing reproductive health data.
Source: California AB 352
💡 Takeaway: These aren't edge cases. If you provide any SUD services, keep process notes, or discuss reproductive health, you likely need forms that your EHR didn't provide.
Which consent and HIPAA forms therapists need to customize
Every provider must obtain informed consent, and a generic form is not sufficient to meet ethical requirements. The details to include are specific to your practice, license, and state.
As discussed earlier, psychotherapy notes are part of your NPP, so anyone providing an NPP needs to customize it. SUD forms? EHRs typically don't provide those, and some don't even let you customize.
Here's what to review against your specific requirements:

- Notice of Privacy Practices: Does it name your privacy officer? Does it mention whether you take psychotherapy notes and whether your state protects them? Does it include state-specific disclosure requirements? These are the elements practitioners most frequently leave out. HIPAA gives psychotherapy notes special protection, and in many states, additional protections apply. Your NPP must reflect how psychotherapy notes are handled under both HIPAA and your state law.
- Informed consent for treatment: Does it cover all the elements required by your ethics code? Does it address AI use if applicable?
- Telehealth consent: Do you have a separate telehealth-specific informed consent? Does it meet the requirements of every jurisdiction involved in the session?
- Authorization for release of records: Do you have a separate form for psychotherapy notes? A checkbox on a general records release is invalid.
- SUD consent (if applicable): Do you have a Part 2 compliant consent form, separate from your general intake?
You don't have to rewrite everything from scratch. Often, it's a matter of adding a paragraph or two to existing forms.
Where to find reliable guidance
You don't have to figure this out alone. Here's where to look, in order of usefulness.
Start with your professional association's local chapter
This is the most useful resource for helping you practice the right way. Your local chapter understands your state's specific requirements and can point you to resources.
- ACA: Find your state branch through counseling.org
- AMHCA: State chapters listed at amhca.org
- AAMFT: State divisions at aamft.org
Check your licensing board (for requirements, not language)
Your licensing board publishes specific disclosure requirements you must meet. However, their role is to protect the public, not the practitioner. They won't provide template language or help you draft your forms.
Consider specialized consultation
Organizations like Person Centered Tech offer guidance on HIPAA compliance, general risk management, and legal and ethical considerations for mental health practices.
Note: PCT supports compliance frameworks but does not provide form customization for specific states. For state-specific templates, you'll need to work with your local professional association or a mental health attorney in your state.
Look at state agency NPPs for reference
Hospital and agency Notices of Privacy Practices in your state often include state-specific language you can reference.
“Your state's hospital NPP is actually a great starting point. It's already been reviewed for state-specific requirements. You're not copying it, but you're seeing what language your state expects.”
Liath Dalton, Director, Person Centered Tech
Making updates manageable: How Hushmail helps
Customizing your forms isn't a one-time project. It's an annual (or as-needed) review. You'll need to revisit your forms when:
- You renew your license
- Your state updates its regulations
- You add a new service (like telehealth or group therapy)
- You need to comply with new federal rules (like the February 2026 Part 2 deadline)
- You start using AI in any clinical application
When rules change, the problem isn't knowing what to update. The problem is the workflow:
- Rebuilding forms from scratch
- Resending PDFs and hoping clients return them
- Tracking which version each client signed
- Managing multiple documents that all need the same update
This is where having editable, centralized forms matters.
Hushmail lets you build custom forms. It makes it practical to keep your forms up to date over time.
- One place to update the language. When a requirement changes, you update it once. You're not hunting through folders or rebuilding PDFs.
- New clients automatically get the current version. No resending, no version confusion. Your intake process always uses the current data.
- Old forms stay archived, time-stamped, and traceable. If you ever need to show a client's signature and timestamp, it's there.
- Secure delivery is built in. Clients complete and sign forms digitally through encrypted email. Every Hushmail for Healthcare plan includes a signed Business Associate Agreement, ensuring baseline compliance before you start customizing.
💡 Pro tip: When practitioners search for help with "HIPAA forms" or "authorization for release of information," they're often looking for guidance on exactly these documents. Getting your forms right protects both you and your clients.
Your next step: One form at a time
Universal forms were not designed to protect your practice. They were designed to be good enough for everyone, which means they're not quite right for anyone.
Your next step: Pull up your informed consent and compare it against your ethics code's requirements. You might find it's mostly fine, or you might spot a gap you didn't know existed.
When you're ready to make updates, Hushmail makes it realistic to keep your forms current without rebuilding everything from scratch.
Reviewed by: Liath Dalton, Director of Person Centered Tech, and Steven O. Youngman, VP of Legal and Compliance, Hushmail.