What is the Difference Between Consent & Authorization Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information (“PHI”) for treatment, payment, and health care operations. Covered entities that obtain patient consent have complete discretion to design a process that best suits their needs.

On the other hand, an authorization under the HIPAA Privacy Rule is a detailed document that gives covered entities permission to use PHI for specified purposes, which are usually other than treatment, payment, or health care operations, or to disclose PHI to a third party designated by the individual.  An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some instances, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of PHI not otherwise allowed under HIPAA. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it also satisfies the requirements of a valid authorization.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s