33-19-206. Disclosure authorizations -- content -- conditions prohibited. If a disclosure authorization is required by this chapter, the following requirements apply:
(1) A valid authorization to disclose personal information must be in written form, or in electronic form as provided by applicable law, and must contain the following:
(a) the identity of the individual who is the subject of the personal information;
(b) a description of the types of personal information to be disclosed;
(c) a description of the entity or type of entity to which the licensee discloses personal information, the purpose of the disclosure, and how the information will be used;
(d) the signature of the individual who is the subject of the personal information or the individual who may by law allow the disclosure and the date on which the authorization is signed; and
(e) notice of the length of time for which the authorization is valid, notice that the individual may revoke the authorization at any time, and notice of the procedure for revocation.
(2) An authorization remains valid for a period stated in the authorization that does not exceed 24 contiguous months.
(3) An individual who is the subject of personal information and has signed an authorization may revoke the authorization at any time.
(4) A licensee shall retain the original authorization or a copy of it in the record of the individual who is the subject of personal information.
(5) A licensee may not condition enrollment, coverage, benefits, or rates on an individual's signing of a disclosure authorization unless the disclosure sought through the authorization is necessary for the licensee to perform an insurance function.
History: En. Sec. 6, Ch. 341, L. 2001.