The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits but does not require covered health care entities to get patient consent before using or disclosing Protected Health Information (PHI) for treatment, payment, and health care operations. Entities can share PHI digitally or by phone, fax, or mail.
Although HIPAA does not require that health care entities offer patients a choice about the sharing of their PHI, many entities and states have adopted policies or laws that require patient consent. HIPAA is designed to work in tandem with more privacy-protective policies, so in those states the entity is required to record the patient’s basic consent preference (e.g., the entity must document whether the patient wishes to opt in to or opt out of electronic exchange).
Adding complexity to sensitive health situations is the fact that privacy laws and policies vary between states and entities. This can complicate a situation where the health entities that want to share patient information are in different states. In addition, the ability of Information Technology (IT) systems to separate a patient’s health information into categories is not always in step with current law and policy.
HIPAA’s consent rules interact with other consent laws and with state law. This is why the Office of the National Coordinator for Health Information Technology (ONC) is working with states and other health policy groups [PDF - 3.5 MB] to enable interoperable data sharing.
A few examples of patient consent scenarios illustrate how data flows in line with the patient’s consent preference.
- Learn more about ONC’s work on enabling patient choice in the exchange of electronic health information: Meaningful Choice
- Learn more about policy, technology and ONC’s draft Trusted Exchange Framework to enable interoperable exchange of Electronic Health Information
- Learn more about using technology to support care coordination: Behavioral Health Consent Management and Technology
See ONC’s interoperability road map: “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap.” View Roadmap [PDF - 3.5 MB]
Learn more about the considerations that providers, patients, and policy researchers and implementers should take into account regarding patient consent policies.
Research and Patient Consent
To learn more about some of the technical and policy considerations for patient consent in a medical/health research environment, please view the ONC-led efforts:
- PCOR Technical Project on Consent
- Legal and Ethical Architecture for PCOR Data
- Sync for Science API Privacy and Security: ONC led an independent privacy and security technical and administrative testing, analysis, and assessment of a voluntary subset of S4S pilot organizations’ implementations of the S4S API. Read to learn more about some key privacy and security considerations for healthcare APIs, informed by project activities.
Some Guiding Principles for Patient Choice
- Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information [PDF - 61 KB]
- Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program [PDF - 258 KB]
- Meaningful Consent
- Health IT Policy Committee Recommendations to ONC [PDF - 119 KB]
HIPAA Permitted Uses & Disclosures
The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.