Utah Admin. Code R590-206-19 - Authorization

(1) A valid authorization to disclose nonpublic personal health information pursuant to Sections R590-206-18 through R590-206-22 shall be in written or electronic form and contain the following:

(a) the identity of the consumer or customer who is the subject of the nonpublic personal health information;

(b) a general description of the type of nonpublic personal health information to be disclosed;

(c) a general description of the party to whom the licensee discloses nonpublic personal health information, including the purpose of the disclosure and how the information will be used;

(d) the signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally authorized to grant authority, and the date signed; and

(e) notice of:

(i) the length of time the authorization is valid;

(ii) that the consumer or customer may revoke the authorization at any time; and

(iii) the procedure to revoke the authorization.

(2) An authorization under Sections R590-206-18 through R590-206-22 shall specify the length of time the authorization will remain valid, but may not be valid for more than 24 months.

(3) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization under Sections R590-206-18 through R590-206-22 at any time, subject to the rights of the individual who acted in reliance on the authorization before revocation.

(4) A licensee shall retain the authorization, or a copy thereof, in the record of the individual who is the subject of nonpublic personal health information.

Notes

Utah Admin. Code R590-206-19

Amended by Utah State Bulletin Number 2017-15, effective 7/11/2017 Adopted by Utah State Bulletin Number 2023-23, effective 11/21/2023