An authorization required by this subchapter shall:
(1) be in writing or electronic form (if the consumer has agreed
to conduct business with the covered entity electronically), and shall:
(A) state the identity of the consumer who is the subject of
the nonpublic personal health information;
(B) describe:
(i) the types of nonpublic personal health information to be
disclosed;
(ii) the parties to whom the covered entity discloses nonpublic
personal health information;
(iii) the purpose of the disclosure;
(iv) how the information disclosed will be used; and
(v) the procedure for revoking the authorization.
(C) include the signature which (if the consumer has agreed
to conduct business with the covered entity electronically) may be in electronic
form, and date signed, of:
(i) the consumer who is the subject of the nonpublic personal
health information; or
(ii) a person who is legally empowered to authorize disclosure
of the subject consumer's nonpublic personal health information.
(D) provide notice:
(i) of the length of time for which the authorization is valid;
and
(ii) that the consumer may revoke the authorization at any
time.
(2) An authorization subject to this subchapter shall specify
the period of time for which the authorization shall remain valid, but shall
in no event be valid:
(A) in the case of an authorization signed by the consumer
that is the subject of the nonpublic personal health information, for a period
of more than 24 months from the date it was signed; and
(B) in the case of an authorization signed by another person
who is legally empowered to authorize disclosure on behalf of the consumer,
for a period that ends at the later of:
(i) the date the covered entity receives notice that the person
has lost the legal capacity to authorize disclosure, or
(ii) 24 months from the date it was signed.
(3) A covered entity obtaining an authorization pursuant to
this subchapter shall retain the original authorization or a copy thereof
in its records of the consumer who is the subject of nonpublic personal health
information.
(4) A covered entity may obtain a subsequent authorization
to replace an authorization that has by its terms expired, provided that the
subsequent authorization:
(A) complies with the requirements of paragraph (1)(C) of this
section, and
(B) meets all other applicable requirements of this section.