This is a question many doctors, nurses, dentists and other covered entities ask. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are prohibited from disclosing any personally identifiable Protected Health Information (PHI) without the patient's written permission. If a patient wants to give his or her mother authority to access his or her records, for instance, the patient must complete an authorization form. This raises the question, however: do HIPAA authorization forms require an expiration date?
Conventional wisdom should lead you to believe that such authorization forms must include an expiration date. If a patient grants someone authorization to access his or her files, there must be some type of measure to stop this authorization in the future; otherwise, it could lead to a world of problems later down the road. So to answer this question: yes, HIPAA requires that all authorization forms contain either a specified expiration date or expiration “event” that covers the individual or the purpose of use/disclosure.
The requirement to include an expiration date or expiration event in patient authorization forms is part of the HIPAA Privacy Rule. As you already know, the Privacy Rule is a set of national standards designed to protect the personal health information of medical patients and health insurance customers. One of the many stipulations of the HIPAA Privacy Rule is that all authorization forms must include either an expiration date or expiration event.
As noted on the HHS website, an authorization to access and/or use PHI remains valid until this expiration date or expiration event is met, unless it's revoked beforehand by the individual.
“An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event,” wrote the U.S. Department of Health and Human Services (HHS) on its website. “The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.”
The bottom line is that you must include either an expiration date or expiration event in each and every authorization form your practice or organization uses. Even if the expiration date exceeds the period established by your respective state, the authorization is still valid under the Privacy Rule, although, as the HHS statement above notes, a more restrictive state law would control how long the authorization is effective.