Question: What is the difference between “consent” and “authorization” in the context of the HIPAA privacy rule?

Colorado Subscriber

Answer: Under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, the U.S. Department of Health and Human Services (HHS) allows covered entities (CEs) to obtain patient consent for uses and disclosures of protected health information (PHI).

“The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs,” HHS says on its website.

Authorization: On the other hand, authorization is required regarding information a CE might want to access, use, or share beyond the scope of what’s allowed in the HIPAA Privacy Rule. A compliant authorization is much more detailed than basic patient consent.

“Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual,” HHS says.