Question: Under the HIPAA Privacy Rule, what is the difference between “consent” and “authorization”?
Answer: The term “consent” relates to disclosing protected health information (PHI) for treatment, payment, and healthcare operations (TPO) purposes. The Privacy Rule allows (but does not require) you to voluntarily obtain patient consent for such disclosures, and gives you complete discretion to design a process that best suits a provider’s needs.
On the other hand, patient “authorization” relates to PHI disclosures not otherwise allowed under the Privacy Rule, according to the HHS Office for Civil Rights (OCR). You must have a signed patient authorization that gives you permission to use PHI for specified purposes, generally other than TPO purposes. You would also need an authorization to disclose a patient’s PHI to a third party.
OCR lists the following specific elements that you must include in an authorization: