New York Codes Rules Regulations (Last Updated: March 27,2024) |
TITLE 11. Insurance |
Chapter XIX. Privacy of Consumer FinancialandHealth Information |
Part 420. Privacy of Consumer Financial and Health Information |
Rules for Health Information |
Sec. 420.18. Authorizations
Latest version.
- (a) A valid authorization to disclose nonpublic personal health information pursuant to this Part shall be in written or electronic form and shall contain all of the following:(1) the identity of the consumer or customer who is the subject of the nonpublic personal health information;(2) a general description of the types of nonpublic personal health information to be disclosed;(3) general descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used;(4) the signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed; and(5) notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.(b) An authorization shall specify a length of time, for which the authorization shall remain valid, which in no event shall be for more than 24 months.(c) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this Part at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.(d) A licensee that is subject to examination by this department shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information for a period of six years from the date the authorization ends or until the examination is completed, whichever is greater. A licensee that is not subject to examination by this department shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information for a period of six years from the date the authorization ends.