Current through Reg. 49, No. 49; December 6, 2024
Section 22.54 - AuthorizationsAn authorization required by this subchapter shall:
(1) be in writing or electronic form (if the consumer has agreed to conduct business with the covered entity electronically), and shall:(A) state the identity of the consumer who is the subject of the nonpublic personal health information;(B) describe: (i) the types of nonpublic personal health information to be disclosed;(ii) the parties to whom the covered entity discloses nonpublic personal health information;(iii) the purpose of the disclosure;(iv) how the information disclosed will be used; and(v) the procedure for revoking the authorization.(C) include the signature which (if the consumer has agreed to conduct business with the covered entity electronically) may be in electronic form, and date signed, of:(i) the consumer who is the subject of the nonpublic personal health information; or(ii) a person who is legally empowered to authorize disclosure of the subject consumer's nonpublic personal health information.(D) provide notice:(i) of the length of time for which the authorization is valid; and(ii) that the consumer may revoke the authorization at any time.(2) An authorization subject to this subchapter shall specify the period of time for which the authorization shall remain valid, but shall in no event be valid: (A) in the case of an authorization signed by the consumer that is the subject of the nonpublic personal health information, for a period of more than 24 months from the date it was signed; and(B) in the case of an authorization signed by another person who is legally empowered to authorize disclosure on behalf of the consumer, for a period that ends at the later of: (i) the date the covered entity receives notice that the person has lost the legal capacity to authorize disclosure, or(ii) 24 months from the date it was signed.(3) A covered entity obtaining an authorization pursuant to this subchapter shall retain the original authorization or a copy thereof in its records of the consumer who is the subject of nonpublic personal health information.(4) A covered entity may obtain a subsequent authorization to replace an authorization that has by its terms expired, provided that the subsequent authorization: (A) complies with the requirements of paragraph (1)(C) of this section, and(B) meets all other applicable requirements of this section.28 Tex. Admin. Code § 22.54
The provisions of this §22.54 adopted to be effective September 1, 2002, 27 TexReg 6504