.18 Authorizations for Disclosure of Health Information.

A. A valid authorization to disclose nonpublic personal health information pursuant to this regulation shall be in written or electronic form and shall contain all of the following:

(1) The identity of the consumer or customer who is the subject of the nonpublic personal health information;

(2) A general description of the types of nonpublic personal health information to be disclosed;

(3) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used;

(4) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed; and

(5) Notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.

B. An authorization for the purposes of this regulation shall specify a length of time for which the authorization shall remain valid, which may not be for more than 24 months.

C. A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this regulation at any time, subject to the rights of an individual who acted in reliance on the authorization before notice of the revocation.

D. A licensee shall retain the authorization or a copy of the authorization in the record of the individual who is the subject of nonpublic personal health information.