Current through Register Vol. 48, No. 12, March 22, 2024
a) A company shall develop and implement a confidentiality protocol to accommodate a reasonable request by a requestor to receive communications of claim-related information from the company by alternative means or at alternative locations if the requestor clearly states that disclosure of all or part of the information could endanger the insured. The confidentiality protocol shall provide that, except with the express consent of the requestor, the company shall not disclose to the policyholder:
1) the address, telephone number or any other personally identifying information of the insured or child for whose benefit a request was made;
2) the nature of the health care services provided;
3) the name or address of the provider of the health care services; or
4) any other information from which there is a reasonable basis to believe the foregoing information could be obtained.
b) A company may require that:
1) a requestor making a request do so in writing;
2) the request contain a statement that disclosure of all or part of the claim-related information to which the request pertains could endanger the insured or child; and
3) the request specify an alternative address, telephone number or other method of contact.
c) The company's confidentiality protocol shall include written procedures to be followed by its employees, agents, representatives or other persons with whom the company contracts and who may have access to the information sought to be kept confidential. The written procedures shall include:
1) the procedure by which a requestor may make a reasonable request, provided that the procedure shall not require a justification as part of the reasonable request;
2) the procedure by which the requestor may provide an alternative address, telephone number or other method of contact;
3) the procedure for limiting access to personally identifying information, such as the name, address, telephone number and social security number of an insured and any other information from which there is a reasonable basis to believe the foregoing information could be obtained;
4) the procedure for limiting or removing personal identifiers before information is used or disclosed, when possible;
5) a system of internal control procedures, which the company shall review at least annually, to ensure the confidentiality of:
A) addresses, telephone numbers or other methods of contact;
B) the fact that a requestor made a reasonable request or that an order of protection was delivered to the company, and any information contained in the request or order; and
C) any other information from which there is a reasonable basis to believe the information specified in subsections (c)(5)(A) and (B) could be obtained; and
6) the procedure by which a requestor may revoke a reasonable request; provided, however, that the company may require the requestor to submit a sworn statement revoking the request.
d) Notification of Company's Protocol
1) A company may receive a request electronically (email or fax) or in hardcopy (mail, hand or other means of delivery). In the case of electronic delivery, the company shall have three business days to assess the reasonableness of the request. In the case of hardcopy delivery, the company shall have five business days to assess the reasonableness of the request. If the request is determined to be reasonable, the procedures of this subsection (d) shall be followed. A determination that a request is reasonable shall not be unduly withheld, and the company's determination shall be documented as part of the internal control procedures required by subsection (c)(5).
2) A company shall notify its employees, agents, representatives and other persons with whom the company contracts who have access to the information sought to be kept confidential that the company's protocol is to be followed for the specified insured, within three business days after:
A) receipt of a reasonable request; or
B) receipt of a valid order of protection and an alternative address, telephone number or other method of contact.
3) Upon receipt of a reasonable request or a valid order of protection, a company shall inform the individual who delivered the order of protection or the requestor that the company has up to three business days to implement the requirements of subsection (d)(1).
e) A company may not require a requestor to provide a justification for the reasonable request.
f) Notification of Release of Information
1) Prior to releasing any information prohibited to be disclosed under Section 355b of the Code, pursuant to a warrant, subpoena or court order involving the policyholder or another insured covered under the policy, a company shall notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information. The notification shall specify what type of information the company intends to release, unless prohibited by the warrant, subpoena or court order.
2) Upon release of information pursuant to a warrant, subpoena or court order, a company shall advise the person to whom the company is releasing the information that the information is confidential and that the person should continue to maintain the confidentiality of the information to the extent possible.
g) A company shall comply with Article XL of the Code regarding Insurance Information and Privacy Protection and, if applicable, the federal Health Insurance Portability and Accountability Act of 1996, as amended, with respect to any information submitted pursuant to Section 355b of the Code or this Part.