Current through Reg. 50, No. 187; September 24, 2024
(1) Except as
provided in subsections (2) and (3) of this rule, a licensee shall not disclose
nonpublic personal health information about a consumer or customer unless an
authorization is obtained from the consumer or customer whose nonpublic
personal health information is sought to be disclosed.
(2) Nothing in this rule shall prohibit,
restrict, or require an authorization for the disclosure of nonpublic personal
health information by a licensee for the performance of the following insurance
functions by or on behalf of the licensee:
(a)
Claims administration;
(b) Claims
adjustment and management;
(c)
Detection, investigation or reporting of actual or potential fraud,
misrepresentation or criminal activity;
(d) Underwriting;
(e) Policy placement or issuance;
(f) Loss control;
(g) Ratemaking and guaranty fund
functions;
(h) Reinsurance and
excess loss insurance;
(i) Risk
management;
(j) Case
management;
(k) Disease
management;
(l) Quality
assurance;
(m) Quality
improvement;
(n) Performance
evaluation;
(o) Provider
credentialing verification;
(p)
Utilization review;
(q) Peer review
activities;
(r) Actuarial,
scientific, medical or public policy research;
(s) Grievance procedures;
(t) Internal administration of compliance,
managerial, and information systems;
(u) Policyholder service functions;
(v) Auditing;
(w) Reporting;
(x) Database security;
(y) Administration of consumer disputes and
inquiries;
(z) External
accreditation standards;
(aa) The
replacement of a group benefit plan or workers' compensation policy or
program;
(bb) Activities in
connection with a sale, merger, transfer or exchange of all or part of a
business or operating unit;
(cc)
Any activity that permits disclosure without authorization pursuant to the
Federal Health Insurance Portability And Accountability Act privacy rules
promulgated by the U.S. Department of Health And Human Services;
(dd) Disclosure that is required, or is one
of the lawful or appropriate methods, to enforce the licensee's rights or the
rights of other persons engaged in carrying out a transaction or providing a
product or service that a consumer requests or authorizes; and
(ee) Any activity otherwise permitted by law,
required pursuant to governmental reporting authority, or to comply with legal
process.
(ff) Disclosure of
information obtained by a licensee to a hospital, physician, or other medical
care provider in connection with the provision of health care services to a
customer of the licensee.
(gg)
Additional insurance functions that the Office of Insurance Regulation
determines to be necessary for appropriate performance of insurance functions
and that are fair and reasonable to the interest of
consumers.
(3) Non-public
health information may be disclosed for scientific, medical, or public policy
research in accordance with federal law regardless of whether the research is
conducted by or on behalf of the licensee.
Rulemaking Authority
624.308,
626.9651 FS. Law Implemented
624.307(1),
626.9651
FS.
New 12-16-01, Formerly 4-128.017,
69B-128.017.