Cardiology Coding Alert

Reader Question:

Puzzle Out HIPAA Language

Question: I’m confused by some of the language in the Health Insurance Portability and Accountability Act (HIPAA) forms we give patients on their first visits. What is the difference between “consent” and “authorization” in the context of HIPAA privacy and security?

California Subscriber

Answer: The U.S. Department of Health and Human Services (HHS) allows covered entities (CEs) to obtain patient consent for protected health information (PHI).

“The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs,” HHS says on its website.

Authorization, on the other hand, is required regarding information a CE might want to access, use, or share beyond the scope of what’s allowed in the HIPAA Privacy Rule. A compliant authorization is much more detailed than basic patient consent.

“Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual,” HHS says.


Other Articles in this issue of

Cardiology Coding Alert

View All