HIPAA and the Law of Informed Consent

The HIPAA Privacy Rule requires covered entities to implement safeguards to guard against unauthorized uses and disclosures of protected health information (PHI). The rule leaves untouched many state laws that traditionally govern the doctor-patient relationship. One of these laws is embodied in what is known as the doctrine of informed consent. 

What is Informed Consent?

Under the law of informed consent, a medical doctor must inform a patient as to the risks and benefits of a proposed course of treatment. This information must be provided by the doctor for several reasons: patients may have a limited understanding of medicine; patients have the right to know what parts of the anatomy a proposed course of treatment will involve or affect (the right to this knowledge stems from the general right to have autonomy over one’s own body); patients, if they are not fully informed as to risks and benefits of a proposed course of treatment, may decide to undergo a procedure to which they might not have consented, if they had been informed of the risks involved.

There are consequences for covered entities (healthcare providers) who do not follow the doctrine of informed consent. If a doctor fails to sufficiently disclose risks and benefits of a proposed course of treatment to a patient, and the omission results in some kind of injury to the patient that results in legal damages, the doctor may have committed an act of negligence, for which he or she can be liable under medical malpractice law.

An example: A patient develops a rare form of cancer, for which there is no conventional therapy. The patient consults with a physician, who advises the patient that an experimental treatment exists. The experimental treatment has been successful in the few cases where it has been tried. Notably, though, the experimental treatment has, in a substantial number of instances, whether successful or not, resulted in undesirable side effects that have significantly impaired the ability of one or more major organs to function properly.

Say that the doctor in this hypothetical scenario informs the patient of the experimental treatment. However, the doctor only informs the patient that the treatment exists, and that it has been successful in the few cases where it has been tried. The doctor omits the side effects information. The doctor also gives the patient no information whatsoever about whether, based on the doctor’s knowledge of the particular patient’s medical condition, the treatment poses risks specific to that particular patient.

The patient decides to undergo the treatment. The treatment fails. In addition, a side effect that the doctor failed to warn the patient about develops.

Under this scenario, the doctor may be liable for malpractice, because he or she breached the duty to provide informed consent. That is, the doctor did not provide the patient with enough details to ensure that the patient’s agreeing to the procedure was reasonably well-informed.

If there is a violation of the duty to provide informed consent, the violation results in harm to the patient, and the patient sustains damages (i.e., financial and non-financial losses for which the law requires he or she be compensated), the doctor may have committed medical malpractice.

Over the years, questions have arisen about the scope of the doctrine of informed consent, such as whether doctors must inform patients about each and every potential risk of a procedure; and whether doctors must inform patients about each and every benefit.

State laws – not HIPAA – provide the answers here. Some states impose a “reasonable physician” standard, while others impose a “reasonable patient” standard.

Under the reasonable physician standard, a patient, to successfully sue the doctor, must demonstrate what a reasonable physician would have told the patient under the same circumstances. This showing typically requires expert medical testimony. If the expert testimony concludes that a reasonable physician would, under the same circumstances, have told the patient of the side effect that the patient’s doctor did not, the doctor may be liable. If a reasonable physician would not have informed the patient about a side effect (because, say, the chances of the effect materializing were minuscule, remote, or wholly hypothetical), then the patient’s doctor who did not inform the patient about the side effect would not be liable.

Other states instead follow what is called the reasonable patient standard. Under this standard, the patient establishes a lack of informed consent when a reasonable person in the position of the patient would have decided against the treatment. 

Do HIPAA and the Doctrine of Informed Consent Conflict with Each Other?

No. The HIPAA Privacy Rule does not contradict the doctrine of informed consent or conflict with it. This means that providers must comply with the HIPAA Privacy Rule AND the doctrine of informed consent. The Privacy Rule does not implicate the doctrine of informed consent (and vice versa) because the Privacy Rule prohibits unauthorized PHI use and disclosure, while the doctrine of informed consent requires simply that doctors use patient PHI as is necessary to provide enough information to allow informed consent to be given. Disclosure, discussion, or use of a patient’s PHI for the purpose of treating that particular patient is expressly permitted under the HIPAA Privacy Rule. If the PHI is electronically stored (that is, if it is ePHI, or electronic protected health information), disclosure for treatment purposes (disclosure necessary to allow for informed consent) does not violate HIPAA either – whether the information is maintained in paper or electronic form, the doctor may use it or disclose it to the patient (or to other physicians involved in the patient’s treatment) for treatment purposes, including when necessary to obtain informed consent.

While HIPAA was created to set national standards for the privacy and security of protected health information, the law was not created to displace, or “federalize” state laws governing the practice of medicine. Providing medical advice to a patient as part of a patient’s treatment is the essence of the practice of medicine. HIPAA was neither designed, nor intended, to interfere with this aspect of the doctor-patient relationship.

Nevertheless, doctors must be mindful that use and disclosure of PHI for any purpose – including informed consent – must be authorized. To guard against unauthorized use of PHI or ePHI, doctors and healthcare providers must implement administrative, technical, and physical safeguards, as required by the HIPAA Privacy Rule and the HIPAA Security Rule.
