If a covered entity is going to obtain authorizations from patients to make pharmaceutical manufacturer-funded communications to the patients about currently prescribed drugs or biologics, is the covered entity required to obtain a new authorization each time a prescription is renewed?
No. A HIPAA authorization remains valid until it expires or is revoked by the individual. While a HIPAA authorization must contain an expiration date or event that relates to the individual or the purpose of the use or disclosure, the Privacy Rule does not otherwise prescribe the expiration date or event that must apply to the authorization, which may vary based on the circumstances. For example, in the case of communications to individuals concerning currently prescribed drugs, a HIPAA authorization could expire at the time, or within a specified period of time after, a prescription expires or is no longer valid; or at the time a patient opts out of receiving such communications from the covered entity or opts out of participating in the prescription drug adherence or education program. Further, the scope of the authorization need not be limited to communications related to a single drug or biologic or the drugs or biologics of only one pharmaceutical manufacturer. The authorization must adequately describe the intended purposes of the requested uses and disclosures and otherwise contain the elements and statements of a valid authorization under 45 CFR 164.508. For these purposes, this includes stating in the authorization that the covered entity is receiving financial remuneration from one or more pharmaceutical manufacturers to make the communications, and that the individual may revoke the authorization in writing at any time he or she wishes to stop receiving the communications.