Health Information Compliance Alert

READER QUESTIONS:

'CONSENT' DOESN'T IMPLY 'AUTHORIZATION'

Question: What is the difference between "consent" and "authorization" under the Privacy Rule? 


Utah Subscriber


Answer:  There is a difference.  According to the Rule, a covered entity may opt to obtain consent from patients for uses and disclosures of protected health information for purposes related to payment, treatment, or health care operations.

Authorizations, however, are required by the Privacy Rule for uses and disclosures of PHI that are not otherwise permitted by the Rule; thus, voluntary consent cannot stand in place of an authorization in such cases unless the conditions for obtaining consent satisfy the requirements of a valid authorization. 

A valid authorization is "a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual," states the Department of Health and Human Services on its Web site. Authorizations must specify certain pieces of information, including:

• The protected health information to be used and disclosed;
• The person authorized to make the use or disclosure;
• The person to whom the covered entity may make the disclosure;
• An expiration date;
• In some cases, the purpose for which the information may be used or disclosed

Also, according to HHS, "with limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization."

Other Articles in this issue of

Health Information Compliance Alert

View All