(1) A valid authorization to disclose nonpublic personal health information pursuant to sections 44-916 to 44-920 shall be in written or electronic form and shall contain all of the following:
(a) The identity of the consumer or customer who is the subject of the nonpublic personal health information;
(b) A general description of the types of nonpublic personal health information to be disclosed;
(c) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used;
(d) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed; and
(e) Notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.
(2) An authorization for the purposes of sections 44-916 to 44-920 shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than twenty-four months.
(3) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to sections 44-916 to 44-920 at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.
(4) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.