Don't share your patient's new vision information without a new authorization One year ago, your patient signed an authorization permitting the release of medical information to his employer. Today, you receive a request from the employer asking for information regarding the patient's most recent office visit. Can the office release the information to the employer? Note This Expiration Exception There is a specific circumstance in which a PHI authorization does not need to have an expiration event or date, which is authorization for research purposes. For example, on its Web site http://vpfweb.harvard.edu/osr/support/sup_tra_regs_hipaa_path.shtml#2, the Harvard University Research Administration states, "Unlike other authorizations, one for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues 'until the end of the research study.' " Don't Overlook State Law One other point to remember is that the authorization has to comply not only with HIPAA but also with any other state law that applies, says Barbara Dagney, practice manager at TotalVision Eyecare Center in Manchester, Conn. If the state privacy laws are more stringent, they take precedence, Dagney says.
"Absolutely not," says Betty Thompson, office manager at the Capital Medical Center in Olympia, Wash. The patient's authorization has expired, because the signature is only good for information from the date of signing backward, not for future information, she says.
In general, "The authorization can't be forever," says Marvel J. Hammer, RN, CPC, CCS-P, CHCO, owner of MJH Consulting in Denver.
An authorization generally must have an expiration date or an expiration event, and the event must have some sort of relationship to the individual or the reason why the authorization is needed, says Elizabeth C. Stone, JD, of von Briesen & Roper SC, in Madison, Wisc. The event can't be something such as the stock market breaking 11,000; it has to be related to the purpose of the use or the disclosure for which the authorization is sought, she says.
For example, Stone says, if it were an authorization for release of PHI for litigation, the expiration event could be the "end of the litigation." In the case mentioned above, the authorization could have a specific expiration date ("Jan. 1, 2005" or "one year from the date of signature") or an expiration event, such as the employer's fitness-for-duty determination.
Of course, patients have the right to revoke most authorizations at any time, says Rebecca L. Williams, RN, JD, partner and co-chair of the HIT/HIPAA practice group of Davis Wright Tremaine LLP in Seattle. Therefore, you need to have some way to track the authorizations.
The section continues, "An authorization for a research purpose may be combined with a consent form to participate in a study, or with any other legal permission related to the research study. This way, a research subject will sign only one form."
For example, if an authorization is drafted that is compliant with HIPAA, and its expiration date occurs one and a half years after the patient signs, but state law only allows authorizations to be valid for one year, the state law takes precedence, Stone says. Therefore, you should ensure that your authorization complies with the applicable state law as well as with HIPAA.
Moreover, the time limit under state law may differ depending on the purpose of the authorization, Williams says.
For example, the state law may allow an authorization for disclosures for payment purposes to have a different termination period than an authorization for other purposes. As another twist, if you are dealing in multiple state jurisdictions, you also need to comply with each set of state laws, Williams says.