Question: Our patient forms pertaining to HIPAA have an expiration date of one year from the date signed. Could we extend the expiration date to reduce the amount of paperwork for our front desk staff? Washington Subscriber Answer: The Office for Civil Rights (OCR) says the HIPAA Privacy Rule notes that all authorization forms need to have an expiration date. The expiration date helps the authorizer understand when or to whom or why information might be disclosed.
According to the OCR, “An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.” Solution: Instead of a specific date or timeline, the authorization date can be an event, like when the patient terminates their enrollment in a health plan, unless your state has specific requirements that are stricter than the OCR’s.