The difference between consent and authorization

Under the HIPAA Privacy Rule, consent is a voluntary, flexible process that allows healthcare providers to use or disclose protected health information (PHI) for routine purposes like treatment, payment, and healthcare operations (TPO). In contrast, authorization is required for any uses or disclosures of PHI outside of TPO, such as for marketing or sharing information with third parties.

What is consent under HIPAA?

Under HIPAA, consent refers to a patient's voluntary permission for a healthcare provider to use or disclose PHI for routine purposes: treatment, payment, and healthcare operations (TPO). The Privacy Rule permits but does not require, covered entities to obtain patient consent for these activities. 

While HIPAA does not require consent, some organizations may collect it for internal reasons, to build patient trust, or to meet additional legal obligations. Even when healthcare providers choose to obtain consent, the HHS clarifies that they "have complete discretion to design a process that best suits their needs.". 

Read more: Patient consent: What you need to know

What is authorization under HIPAA?

Authorization is required when a covered entity intends to use or disclose PHI for purposes outside TPO, such as marketing, research, or sharing patient data with third parties not directly involved in care. According to a recent study on patient perspectives and preferences for consent in the digital health context, "There is evidence suggesting that many patients are willing to consent for various purposes, especially when there is greater transparency on how the PHI is used and oversight mechanisms are in place." Authorization must meet specific requirements outlined by HIPAA and requires more detailed patient permission than consent.

A valid authorization must include:

• A description of the PHI to be used or disclosed.
• Who is authorized to make the disclosure.
• Who will receive the information.
• The purpose of the disclosure (in some cases).
• An expiration date.
• Information on the individual’s right to revoke the authorization.

According to the HHS, "Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.". 

Related: How to develop a HIPAA compliant authorization form

Differences between consent and authorization

• Voluntary vs. Required: Consent is voluntary under HIPAA, while authorization is mandatory for non-TPO disclosures.
• Broad vs. Specific: Consent applies broadly to treatment, payment, and operations, while authorization is specific to particular uses outside these routine activities.
• Flexible vs. Structured: Consent processes can be flexible and adapted to the organization’s needs, whereas authorization must meet HIPAA’s strict requirements.
• Conditioning of Services: Treatment or coverage typically cannot be conditioned on a patient's authorization.

Common situations requiring authorization

• Marketing: If a provider wants to send marketing communications that involve PHI, they must first obtain authorization from the patient.
• Research: Using PHI for research purposes that do not fall under TPO requires specific authorization.
• Third-party disclosures: Sharing PHI with a third party not involved in patient care, such as an employer or non-healthcare-related company, requires patient authorization.

Practical tips for healthcare organizations

1. Develop clear policies: Ensure your organization has clear policies that define when to obtain consent and when authorization is required. Educate staff to differentiate between these two concepts.
2. Ensure authorization forms are complete: When authorization is required, ensure the forms meet all of HIPAA’s requirements, including detailed descriptions of what information will be disclosed, who is receiving it, and the purpose of the disclosure.
3. Train your team: Regular training for staff on the differences between consent and authorization helps avoid improper disclosures. Ensure they understand when authorization is necessary and how to manage these situations.
4. HIPAA compliant technology: Use secure digital forms like Paubox Forms to streamline the consent and authorization process. This can help reduce errors and improve patient communication regarding their rights.

FAQs

What should patients do if they want to revoke their authorization?

Patients can revoke their authorization at any time. They must do so in writing, and the revocation will not affect any disclosures made before it was received.

Are there any exceptions to requiring authorization for disclosures?

There are exceptions where authorization is not required, such as disclosures for public health activities, law enforcement, or certain research activities that comply with specific regulatory criteria.

Can healthcare organizations share PHI with family members without consent or authorization?

Yes, healthcare organizations can share PHI with family members if the patient is present and does not object, or if the disclosure is in the patient’s best interest and the information is directly relevant to the family member’s involvement in their care.