Question: Does an authorization always need an expiration date?
Answer: The Privacy Rule requires that an authorization have an expiration date or "an expiration event that relates to the individual or the purpose of the use or disclosure," according to the Web site for the Department of Health and Human Services.
For instance, HHS says that deadlines for authorizations may be set according to certain milestones, such as when the patient reaches the "age of majority" or when a year has elapsed since the signing of the authorization. Alternatively, HHS also says you may set an authorization to expire when certain conditions are met--for example, when someone terminates his or her enrollment in a health plan.
Authorizations remain valid until their expiration date or event unless the individual concerned revokes the authorization in writing before that date or event. According to HHS, instances in which an expiration date on an authorization exceeds a time period established by state law "[do] not invalidate the authorization under the Privacy Rule, but a more restrictive state law would control how long the authorization is effective."