What Is Consent? What Is Authorization?
The final version of the HIPAA privacy rule on medical-record confidentiality uses the terms “consent” and “authorization,” which in the context of the federal rule are not interchangeable.
Consent refers to the patient’s giving permission for electronic medical records to be released to third parties involved in treatment, utilization review, insurance payment, quality assurance, and continuity of care.
Authorization is required for all other uses to which a patient’s medical records may be put. These include some marketing efforts, for example, or release of records to a patient’s attorney in conjunction with a legal proceeding.
Physicians cannot make treatment provision conditional on receiving a patient’s authorization; they can, however, make it conditional on receiving a patient’s consent. Patients have the right to revoke consents and authorizations they have given.