What is the Difference Between Consent & Authorization Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information (“PHI”) for treatment, payment, and health care operations. Covered entities that obtain patient consent have complete discretion to design a process that best suits their needs.

On the other hand, an authorization under the HIPAA Privacy Rule is a detailed document that gives covered entities permission to use PHI for specified purposes, which are usually other than treatment, payment, or health care operations, or to disclose PHI to a third party designated by the individual.  An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some instances, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of PHI not otherwise allowed under HIPAA. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it also satisfies the requirements of a valid authorization.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com