Under the HIPAA Privacy Rule, consent is a voluntary, flexible process that allows healthcare providers to use or disclose protected health information (PHI) for routine purposes like treatment, payment, and healthcare operations (TPO). In contrast, authorization is required for any uses or disclosures of PHI outside of TPO, such as for marketing or sharing information with third parties.
Under HIPAA, consent refers to a patient's voluntary permission for a healthcare provider to use or disclose PHI for routine purposes: treatment, payment, and healthcare operations (TPO). The Privacy Rule permits, but does not require, covered entities to obtain patient consent for these activities.
While HIPAA does not require consent, some organizations may collect it for internal reasons, to build patient trust, or to meet additional legal obligations. Even when healthcare providers choose to obtain consent, the HHS clarifies that they "have complete discretion to design a process that best suits their needs."
Authorization is required when a covered entity intends to use or disclose PHI for purposes outside TPO, such as marketing, research, or sharing patient data with third parties not directly involved in care. According to a recent study on patient perspectives and preferences for consent in the digital health context, "There is evidence suggesting that many patients are willing to consent for various purposes, especially when there is greater transparency on how the PHI is used and oversight mechanisms are in place." Authorization must meet specific requirements outlined by HIPAA and requires more detailed patient permission than consent.
A valid authorization must include:
According to the HHS, "Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization."
Patients can revoke their authorization at any time. They must do so in writing, and the revocation will not affect any disclosures made before it was received.
There are exceptions where authorization is not required, such as disclosures for public health activities, law enforcement, or certain research activities that comply with specific regulatory criteria.
Healthcare organizations can share PHI with family members if the patient is present and does not object, or if the disclosure is in the patient's best interest and the information is directly relevant to the family member's involvement in their care.