Consent vs Authorization


Frankly, I can not determine a difference in Consent Authorization or Delegation

We also see Authorized, Authorise or Authorization as the same other than the noun vs verb and possibly the Context.

There maybe some narrow legal definitions (like HIPAA) that delineate differences between consent and authorization and Delegation but in general, they are could be used interchangeably

What is Consent? (According to HIPAA)[1]#

A consent as defined by the HIPAA Privacy Rule is a general document that gives healthcare providers, which have a direct treatment relationship with a patient, permission to use and disclose all PHI for TPO. It gives permission only to that provider, not to any other person. Health Care Providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for TPO by that provider, indefinitely. A consent need not specify the particular information to be used or disclosed, nor the recipients of disclosed information.

Only doctors or other health care providers with a direct treatment relationship with a patient are required to obtain consent. Generally, a "direct treatment provider" is one that treats a patient directly, rather than based on the orders of another provider, and/or provides health care services or test results directly to patients. Other health care providers, health plans, and health care clearinghouses may use or disclose information for TPO without consent, or may choose to obtain a consent.

What is Authorization (According to HIPAA)#

An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a Third-party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is more detailed and specific than a consent. It (the Authorization) covers only the uses and disclosures and only the PHI stipulated in the authorization:
  • it has an Expiration Date
  • and, in some cases, it also states the purpose for which the information may be used or disclosed.

An authorization is required for use and disclosure of PHI not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in § 164.510 (uses and disclosures that require an opportunity for the individual to agree or to object) or § 164.512 (uses and disclosures for which consent, authorization, or an opportunity to agree or to object is not required). Situations in which an authorization is required for TPO purposes are identified and discussed in the next question.

All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes.

For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance. A covered entity will never need to obtain both an individual’s consent and authorization for a single use or disclosure. However, a provider may have to obtain consent and authorization from the same patient for different uses or disclosures. For example, an obstetrician may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send her name and address to a company marketing a diaper service.

More Information#

There might be more information for this subject on one of the following: