Inpatient Facility Coding & Compliance Alert

Reader Question:

Understand the Difference Between 'Consent' and 'Authorization'

Question: What’s the difference between “consent” and “authorization under the HIPAA Privacy Rule?”

Missouri Subscriber

Answer: The term “consent” relates to disclosing protected health information (PHI) for treatment, payment, and healthcare operations (TPO) purposes. The Privacy Rule allows (but does not require) you to voluntarily obtain patient consent for such disclosures, and allows complete discretion to design a process that best suits a provider’s needs.

On the other hand, patient “authorization” relates to PHI disclosures not otherwise allowed under the Privacy Rule, according to the HHS Office for Civil Rights (OCR). You must have a signed patient authorization that gives you permission to use PHI for specified purposes, generally other than TPO purposes. You would also need an authorization to disclose a patient’s PHI to a third party.

OCR lists the following specific elements that you must include in an authorization:

  • A description of the PHI that you’ll use or disclose;
  • The person authorized to  use or make disclosure;
  • The person to whom you may make the disclosure;
  • An expiration date; and
  • The purpose for using or disclosing the PHI (in some cases). 

Other Articles in this issue of

Inpatient Facility Coding & Compliance Alert

View All