Q&A: Consent vs. authorization under HIPAA

March 28, 2019
Medicare Web

Q: What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?

A: “Consent” is a general term under the Privacy Rule, but “authorization” has much more specific requirements.

The Privacy Rule permits, but does not require, a CE to obtain patient “consent” for uses and disclosures of PHI for treatment, payment, and healthcare operations. There are no specific requirements for consents, and CEs are free to establish their own procedures. Since this is not required, most CEs do not obtain consent for these disclosures.

An “authorization” is required by the Privacy Rule for uses and disclosures of PHI not otherwise allowed by the Rule. An authorization is a detailed document that gives CEs permission to use PHI for specified purposes, which are generally other than treatment, payment, or healthcare operations, or to disclose PHI to a third party specified by the individual.

An authorization must be in writing and specify a number of elements, including:

  • A description of the PHI to be used or disclosed
  • The person authorized to make the use or disclosure
  • The person to whom the CE may make the disclosure
  • An expiration date for the authorization
  • In some cases, the purpose for which the information may be used or disclosed

Editor’s note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.
