• E-mail
• Print
• RSS

Can "indefinite" be written as the expiration on an authorization for disclosure of records?

HIPAA Weekly Advisor, November 8, 2004

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

HIPAA's authorization for release of PHI, or any other authorization for use or release of personal information, includes, for example:

• Description of information that will be released
• Purpose for release or use of the information
• Clarification on whether the information will be used or released by a given date or event or whether it will be ongoing
• Notice that the information released may no longer be protected
• Right of the patient to refuse to sign for the release (and a clear description of the consequences, if any) without retaliation

The intent is to provide the individual with enough information to make an informed decision about whether he or she wants to authorize a disclosure. In the case of HIPAA, if the authorization form meets all the criteria, then a covered entity may ask an individual for authorization to do anything with his or her PHI, even post it on the Internet.

HIPAA's privacy rule initially required that all authorizations have an end date or event; the government later changed this rule to permit open-ended authorizations for research purposes. Limit the time period based on the purpose for the release. You can do this by using a date or an event.

In most cases, unless the release is for research, you cannot write "indefinite" as the expiration on an authorization for disclosure of records. But usually an authorization can be written with an end date or event that will satisfy HIPAA.

Editor's note: This question was answered by Kate Borten, CISSP, CISM. This is not legal advice. Consult with your facility's legal counsel for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive