Consent vs. Authorization Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits, but does not require (except for psychotherapy notes), a physician to obtain patient consent for uses and disclosures of protected health information for treatment, payment, or health care operations. If you do decide to obtain consent, you have complete discretion to design a process that best suits your needs.

By contrast, the Privacy Rule requires an "authorization" for uses and disclosures of protected health information not otherwise allowed by the rule. An authorization is a detailed document that gives your practice permission to use protected health information for specified purposes (generally for purposes other than treatment, payment, or health care operations) or to disclose protected health information to a third party specified by the patient. With limited exceptions, you may not condition treatment of patients on their providing authorization.

An authorization must specify: 

  • A description of the health information to be used and disclosed,
  • The person authorized to make the disclosure,
  • The person to whom the disclosure may be made,
  • An expiration date, and
  • The purpose for which the information may be used or disclosed (in some cases).

For more information about HIPAA, visit the TMA HIPAA Resource Center.

Last Updated On: March 18, 2022

Originally Published On: March 23, 2010
