Patient Consent for Electronic Health Information Exchange and Interoperability

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits but does not require covered health care entities to get patient consent before using or disclosing Protected Health Information (PHI) for treatment, payment, and health care operations. Entities can share PHI digitally or by phone, fax, or mail.

Although HIPAA does not require that health care entities offer patients a choice about the sharing of their PHI, many entities and states have adopted policies or laws that require patient consent. HIPAA is designed to work in tandem with more privacy-protective policies, so in those states the entity is required to get the patient’s basic consent preference (e.g., the entity must document whether the patient wishes to opt in to or opt out of electronic exchange).

Consent and Federal and State Privacy Laws

Adding complexity to sensitive health situations is the fact that privacy laws and policies vary between states and entities. This can complicate a situation where the health entities that want to share patient information are in different states. In addition, the ability of Information Technology (IT) systems to separate a patient’s health information into categories is not always in step with current law and policy.

Click here to learn more about how HIPAA’s consent rules interact with other consent laws and state law. This is why the Office of the National Coordinator for Health Information Technology (ONC) is working with states and other health policy groups to enable interoperable data sharing.

Examples of Patient Consent Scenarios under Various Federal and State Regulations and Laws

Click here for a few examples of patient consent scenarios and how data flows in line with the patient’s consent preference.


See ONC’s interoperability road map: “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap.” View Roadmap [PDF - 3.5 MB]

Patient Consent Considerations

Learn more about the considerations providers, patients, and policy researchers/implementers should take into account related to consent policies for patients.


Research and Patient Consent

To learn more about some of the technical & policy considerations for patient consent in a medical/health research environment, please view the ONC-led efforts:


The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.