Many doctors and other covered entities are confused regarding the terminology of “authorization” and “consent” when used in the context of the Health Insurance Portability and Accountability Act (HIPAA). More specifically, the HIPAA Privacy Rule frequently uses these terms when describing patient rights. Unless you know exactly what these terms mean, however, you may struggle to maintain a HIPAA-compliant healthcare practice.
So, what's the difference between authorization and consent? Consent is optional: a covered entity may ask a patient for his or her consent to use and/or disclose Protected Health Information (PHI) for the purpose of diagnosing a condition, treating the condition, payment, or other healthcare operations. The HIPAA Privacy Rule does not require covered entities to obtain the patient's consent for these purposes, but rather it permits them to.
An authorization, on the other hand, is required by the HIPAA Privacy Rule anytime PHI is being used in a manner that's not allowed by the Privacy Rule. If a doctor or other covered entity wishes to use a patient's PHI in a manner that's outside the boundaries of the Privacy Rule, he or she must obtain authorization from the patient.
As noted by the Department of Health and Human Services (HHS), voluntary consent isn't always enough to permit use or disclosure of PHI unless it meets the requirements of a valid authorization. Valid authorizations often involve the use of PHI for healthcare treatment, payment, and similar acts. The authorization must take the form of a written document that gives the covered entity permission to use the patient's PHI for a specific purpose or purposes.
A typical HIPAA authorization form must include a description of the PHI that is being used or disclosed, the name of the person who gave the covered entity authorization, the person or business associate (if applicable) who will use the PHI, an expiration date on which the authorization will end, and the purpose for which the PHI is being disclosed. If a covered entity fails to include all of this information in the authorization form, it may be deemed invalid by the HHS.
Hopefully, this will give you a better understanding of the difference between consent and authorization with regard to HIPAA. Just remember that consent is optional, whereas authorization is required.