P.R. Laws tit. 26, § 9240
(a) A health insurance organization or issuer shall not collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by § 9241 of this title or as required by law or court order. An authorization for the disclosure of protected health information may be obtained for any purpose, provided that the authorization meets the requirements of this section.
(b) A health insurance organization or issuer shall retain a copy of the authorization in the record of the individual who is the subject of such information.
(c) A valid authorization shall be in writing and contain all the following:
(1) The identity of the individual who is the subject of the protected health information.
(2) A description of the types of protected health information to be collected, used or disclosed.
(3) The identity of the person or entity authorized to use or disclose protected heath information.
(4) The name and address of the person to whom the protected health information is to be disclosed.
(5) The purpose of the authorization, including the reason for the collection, the intended use, and the scope of any disclosures that may be made.
(6) The signature of the individual who is the subject of the protected health information or the individual who is legally empowered to grant authority and the date signed.
(7) A statement that the individual who is the subject of the protected health information may revoke the authorization at any time, and that such cancellation shall be a prospective one.
(8) A statement advising the individual that the information used or disclosed in accordance with the authorization may be disclosed, in turn, by the recipient thereof and may not be protected under the applicable privacy laws.
(d) An authorization shall specify the length of time for which it shall remain valid, which in no event shall be for more than twenty-four (24) months, except an authorization signed for one of the following purposes:
(1) To support an application for, a reinstatement of, or a change in benefits under a life insurance policy, in which event the authorization shall remain valid for thirty (30) months or until the application is denied, whichever occurs first, or
(2) to support or facilitate ongoing treatment of a chronic condition or illness or rehabilitation from an injury.
(e) A health insurance organization or issuer shall require a separate authorization to disclose protected health information to an individual's employer, including the employer's designated risk manager or producer, unless:
(1) The protected health information is disclosed pursuant to the employer's workers' compensation program, to the extent necessary for the performance of the employer's and health insurance organization or issuer's rights and duties under Commonwealth laws on the matter.
(2) Subscription and eligibility information of the participants and beneficiaries of a group health plan is disclosed to the employer such as the coverage of each person, enrollment in or termination of plan, among others.
(3) Statistical information of the health plan is disclosed to the employer without identifiers.
(4) The health information is necessary for the administration of claims pursuant to a commercial lines policy.
(f) A health insurance organization or issuer shall obtain a separate authorization to collect, use or disclose protected health information if the purpose of the collection, use or disclosure is for the marketing of services or goods, or for other commercial gain. The purpose of the collection, use or disclosure shall appear as a separate paragraph in bold type not smaller than twelve (12) point. The purpose shall be stated in clear and simple terms. The request for authorization shall specify that the authorization shall remain valid for not more than twenty-four (24) months and may be revoked at any time. The request for authorization shall state that the terms and conditions of all insurance policies will not be affected in any way by a refusal to give authorization. Notwithstanding the foregoing, a separate authorization is not required if the use or disclosure is internal or to an affiliate of the health insurance organization or issuer and the only use of the information will be in connection with the marketing of an insurance product, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons.
(g) An individual who is the subject of protected health information may revoke an authorization for disclosure at any time, subject to the rights of any person who acted in reliance on the authorization prior to notice of revocation. A revocation of an authorization shall be in writing, dated and signed. A revocation of an authorization shall be retained by the health insurance organization or issuer in the record of the individual who is the subject of the protected health information. A health insurance organization or issuer shall give prompt notice of the revocation to all persons to whom the health insurance organization or issuer has disclosed protected health information in reliance on the initial authorization.
(h)
(1) A health insurance organization or issuer that has collected protected health information pursuant to a valid authorization in accordance with this chapter may use and disclose such information to authorized persons.
(2) The protected health information shall not be used or disclosed for any purpose other than in the performance of the health insurance organization or issuer's insurance functions, except as otherwise permitted in this chapter or by federal law.
(i) An authorization to collect, use, or disclose protected health information pursuant to this chapter or a production of protected health information pursuant to a court order shall not be construed to constitute a waiver of any other privacy right that may be provided to an individual who is the subject of protected health information under other federal or Commonwealth laws, case law, or Rules of Evidence.
(j) A person who receives protected health information from a health insurance organization or issuer shall not use the protected health information for any purpose other than the lawful purpose for which it was disclosed.
(k) A health insurance organization or issuer that has collected protected health information prior to the effective date of this chapter is not required to obtain an authorization for the information. However, the information may only be used or disclosed in accordance with this chapter after the effective date.
History —Aug. 29, 2011, No. 194, added as § 14.100 on Aug. 23, 2012, No. 203, § 1, eff. 90 days after Aug. 23, 2012.