consent (HIPAA)

Under HIPAA's Privacy Rule, covered entities may optionally obtain a "consent" from patients for the use and disclosure of protected health information (PHI) for treatment, payment or other health care operations (TPO).

The previous version of the Rule, under which consent was required, specified the components of and process for consent in considerable detail. Covered entities are now given "complete discretion" in designing consent mechanisms, if they choose to adopt one. (For example, each entity can decide for itself how it will handle the revocation of a consent, or a refusal to provide one in the first place.)

Note that though the terms are sometimes used interchangeably in common discourse, a consent is different from a HIPAA authorization. The latter is required to permit "extra" disclosures above and beyond TPO, e.g., for fundraising. A consent cannot be used to permit types of use or disclosure for which authorizations are mandated.

As a partial substitute for the former consent requirement, covered entities are now required to make a good faith effort to obtain written acknowledgment of receipt of the notice of privacy practices. Signing an acknowledgment can provide the opportunity for discussion of an entity's information practices that would otherwise have come when a consent was signed.

As with any other provision of HIPAA, the principle of preemption applies: States may impose consent requirements which provide stronger protections for medical and psychotherapeutic privacy. Indeed, most if not all states require consents for treatment and other purposes already, and covered entities may choose to include information use permission within such documents.


   © 2002-2006 Contributing authors and University of Miami School of Medicine