[§323C-23] Authorization to disclose protected health information other than for treatment, payment, or qualified health care operations. (a) An entity may disclose protected health information for purposes other than those noticed under section 323C-22, pursuant to a separate written authorization to disclose executed by the individual who is the subject of the information. The authorization must meet the requirements of subsection (b).

(b) To be valid, an authorization shall be separate from any other notice or authorization required by this part, shall be either in writing, dated, and signed by the individual, or in electronic form, dated, and authenticated by the individual using a unique identifier, shall not have been revoked, and shall do the following:

(c) An individual may revoke in writing an authorization under this section at any time. An authorization obtained by a health plan under this section is deemed to be revoked at the time of the cancellation or nonrenewal of enrollment in the health plan. An entity that discloses protected health information pursuant to an authorization that has been revoked under this subsection shall not be subject to any liability or penalty under this part for the disclosure if that entity acted in good faith and had no actual or constructive notice of the revocation.

(d) Sections 323C-31 to 323C-39 provide for exceptions to the requirement for the authorization.

(e) A recipient of protected health information pursuant to an authorization under this section may use the information solely to carry out the purpose for which the information was authorized for release.

(f) Each entity collecting or storing protected health information shall maintain for seven years, as part of an individual's protected health information, a record of each authorization by the individual and any revocation of authorization by the individual. [L 1999, c 87, pt of §2]