Question: If a patient does not revoke their consent, are HIPAA requests for information still required to have an automatic expiration time frame associated with them? If so, are there regulations around minimum and maximum time frames for automatic expirations?
Answer:
The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan."
An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.
HIPAA does not stipulate the minimum or maximum time frames for automatic expiration. But please note that the Minimum Necessary Rule requires you to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. So an unnecessarily long time frame would be incongruent with this guideline.
References:
- https://www.hhs.gov/hipaa/for-professionals/faq/476/must-an-authorization-include-an-expiration-date/index.html
- https://www.hhs.gov/hipaa/for-professionals/faq/207/how-are-covered-entities-to-determine-what-is-minimum-necessary/index.html
____
The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!