Covered entities under the HIPAA Privacy Rule, which include all care providers, must obtain written authorization before releasing protected health information under certain circumstances. For example, authorization is required before a physician can disclose information to an employer regarding a patient’s pre-employment physical.
The authorizations must contain the right to revoke in writing, specifics about how the information will be used or disclosed, the names of the individuals disclosing and receiving the information and an expiration date or event. According to the U.S. Department of Health and Human Services, that expiration date or event may be marked by anything from a time-specific deadline to an age-related occurrence.
Covered entities cannot disclose or release information beyond that date or event. That is, if the expiration event is listed as “upon termination of enrollment in the health plan,” a physician cannot disclose information while the patient is still enrolled. Doing so would be in violation of the HIPAA Privacy Rule.
How HIPAA Help Center can assist covered entities in authorization expiration date compliance
HIPAA Help Center does not just educate application users on HIPAA compliance; it also aids in internal management. Violations of the authorization expiration date often result from losing track of these important deadlines. The Task List feature helps practices remain aware of and comply with authorization expiration dates or events.
Frequently asked questions about the authorization expiration date:
Do all authorizations require an expiration date?
Yes. Every authorization must include an explicit expiration date or event. The authorization must also include a statement about the patient’s right to revoke.
What if the authorization does not have an expiration date?
The authorization is not valid unless it contains an expiration date or event. Even a handwritten, patient-generated authorization does not protect covered entities from the repercussions of disclosing ePHI, as this form likely does not contain expiration details or a statement on the right to revoke the authorization. As such, covered entities may benefit from providing patients with a blank form that includes all the necessary components for the authorization to comply with the Privacy Rule.
What happens if covered entities release ePHI after the authorization has expired?
Releasing ePHI after an expiration date is considered a HIPAA Privacy Rule violation, and the offenders are subject to civil and criminal penalties. The Incident Response module can guide you through the necessary steps if a violation occurs.