Back to News and Insights

HHS Issues Guidance Regarding Informed Consent and Patient Privacy in Medical Training Settings


On April 1, 2024, the Department of Health and Human Services (“HHS”) published a memorandum to State Survey Agency Directors, sent a corresponding letter to teaching hospitals and medical schools, and (a few days prior) issued an HHS Office for Civil Rights (“OCR”) FAQ to clarify hospitals’ informed consent and privacy obligations to patients during examinations or procedures conducted for educational and training purposes.

HHS’s guidance, which are summarized below, comes as a response to reports of instances in which patients under anesthesia were subjected to examinations, including pelvic, breast, prostate, and rectal examinations, without proper informed consent. These examinations were conducted as part of medical students’ courses of training. HHS’s Directive says that, while it “recognizes that these patient exams are often conducted as part of the vital skills clinical students must obtain during their training and education,” HHS also firmly believes that “patients have the right to make informed decisions on the healthcare services they receive” to be able to “give their full consent for those services including any training- and education-related examinations that may be performed.”

Informed Consent Guidance

 In its memorandum, HHS announced revisions to the State Operations Manual Appendix A (at tag A-0955; website not yet updated with revised language) that amend the Centers for Medicare & Medicaid Services’ (“CMS”) interpretive guidance on the Conditions of Participation for surgical services, 42 C.F.R. § 482.51(b)(2). (Other requirements related to informed consent for hospitals are found at 42 C.F.R. § 482.13(b)(2) (Patient’s Rights) and § 482.24(c)(4)(v) (Medical Record Services).)

The revised interpretive guidance language advises that hospital informed consent forms, policies, and processes include (as applicable) informing patients that other trainees beyond residents, including medical trainees, advanced practice provider trainees, and other students, will perform important tasks related to surgery. The guidance language also advises that consent forms, policies, and processes include informing patients if any providers other than the operating practitioner will be performing “examinations or invasive procedures for educational and training purposes.” The memorandum specifically advises including language that “[e]xaminations or invasive procedures conducted for educational and training purposes include, but are not limited to, breast, pelvic, prostate, and rectal examinations, as well as others specified under state law.”

The memorandum makes clear that permission for these sorts of exams is “an essential part of the informed consent process for hospitals, and necessary for compliance with the informed consent requirements in the CMS hospital [Conditions of Participation].”

HIPAA Privacy Rule Responsibilities

HHS also issued a new Frequently Asked Question (“FAQ”) document to explain individuals’ right under the HIPAA Privacy Rule to request that covered entities restrict the use and disclosure of their protected health information (“PHI”) for treatment, payment or health care operations, and the obligation of covered entities to comply with restrictions to which they agree except in emergencies. By way of example, the FAQ notes that an individual concerned about medical trainees observing a pelvic exam without their consent while they are unconscious may request their health care provider not to disclose their PHI to medical trainees. If the covered health care provider agrees to the request, the provider may not disclose the individual’s PHI to medical trainees (even if they are members of the provider’s workforce). This means that, in that instance, medical trainees could not be in the room with, observe, or provide care to the individual or otherwise access the individual’s PHI except in an emergency. And, in the event of an emergency, the covered entity would be permitted to use or disclose only that of the restricted PHI that is needed to provide emergency treatment.

HHS’s letter to teaching hospitals and medical schools says, “The HIPAA Privacy Rule safeguards protected health information (PHI) from impermissible use and disclosure and further gives individuals the right to restrict who has access to their PHI, including in scenarios where they may be unconscious during a medical procedure.” This is misleading: HIPAA gives patients the right to request restrictions on the use and disclosure of their PHI, but with a narrow exception relating to disclosure to health plans when the patient pays out of pocket for a service, covered entities have no obligation under HIPAA to agree to a restriction if it is requested.

The letter also notes that OCR investigates complaints alleging that PHI was used or disclosed to medical trainees in violation of HIPAA. Further, the letter emphasizes that OCR does and will continue to ensure covered entities’ policies and practices related to sensitive examinations do not discriminate against patients on any basis protected by federal civil rights laws.


Together, this guidance from HHS clarifies and emphasizes hospitals’ obligations to obtain informed consent and protect patient privacy even in medical education and training settings. The guidance does not create new legal rules, but clarifies that violations of patient consent and privacy, even in training settings, could expose hospitals to legal consequences under HIPAA, the CMS Conditions of Participation, or federal civil rights laws.

For further questions regarding this guidance or questions regarding informed consent, HIPAA, or patient privacy, please contact Rachel Zacharias or Kelly Carroll in Washington, DC, Alicia Macklin in Los Angeles, Andrea Frey or Paul Smith in San Francisco, or any member of the HLB team.