Current through Register Vol. 46, No. 12, March 20, 2024
(a) An
insurer shall develop and implement a confidentiality protocol whereby, except
with the express consent of the individual who delivers to the insurer a valid
order of protection, the insurer shall keep confidential and shall not disclose
the address and telephone number of the victim of domestic violence, or any
child residing with the victim, and the name, address, and telephone number of
a person providing covered services to the victim, to a policyholder or another
insured covered under the policy against whom the victim has a valid order of
protection, if the victim, the victim's legal representative, or if the victim
is a child, the child's parent or guardian, delivers to the insurer at its home
office a valid order of protection pursuant to Insurance Law section 2612(f)
and (g).
(b) In addition to the
requirements of subdivision (a) of this section, a health insurer shall develop
and implement a confidentiality protocol whereby the health insurer shall
accommodate a reasonable request made by a requestor for a covered individual
to receive communications of claim related information from the health insurer
by alternative means or at alternative locations. Except with the express
consent of the requestor, a health insurer shall not disclose to the
policyholder or another insured covered under the policy:
(1) the address, telephone number, or any
other personally identifying information of the covered individual or any child
residing with the covered individual;
(2) the nature of the health care services
provided to the covered individual;
(3) the name, address, and telephone number
of the provider of the covered health care services; or
(4) any other information from which there is
a reasonable basis to believe the foregoing information could be
obtained.
(c) The
insurer's confidentiality protocol shall include written procedures to be
followed by its employees, agents, representatives, or other persons with whom
the insurer contracts and who may have access to the information sought to be
kept confidential. The written procedures shall include:
(1) with respect to a health issuer, the
procedure by which a requestor may make a reasonable request, provided that the
procedure shall not require a justification as part of the reasonable
request;
(2) the procedure by which
a victim of domestic violence or a covered individual may provide an
alternative address, telephone number, or other method of contact;
(3) the procedure for limiting access to
personally identifying information, such as the name, address, telephone
number, and social security number of a victim or covered individual and any
other information from which there is a reasonable basis to believe the
foregoing information could be obtained;
(4) the procedure for limiting or removing
personal identifiers before information is used or disclosed, where
possible;
(5) a system of internal
control procedures, which the insurer shall review at least annually, to ensure
the confidentiality of:
(i) addresses,
telephone numbers, or other methods of contact;
(ii) the fact that a requestor made a
reasonable request or that an order of protection was delivered to the insurer,
and any information contained therein; and
(iii) any other information from which there
is a reasonable basis to believe the information specified in subparagraphs (i)
and (ii) of this paragraph could be obtained; and
(6) with respect to a health insurer, the
procedure by which a requestor may revoke a reasonable request, provided,
however, that the health insurer may require the requestor to submit a sworn
statement revoking the request.
(d)
(1) An
insurer shall notify its employees, agents, representatives, and other persons
with whom the insurer contracts who have access to the information sought to be
kept confidential, that the insurer's protocol is to be followed for the
specified victim of domestic violence or covered individual, within three
business days of:
(i) receipt of a valid
order of protection and an alternative address, telephone number, or other
method of contact; or
(ii) receipt
of a reasonable request, with regard to a health insurer.
(2) Upon receipt of a valid order of
protection or a reasonable request, an insurer shall inform the individual who
delivered the order of protection or the requestor that the insurer has up to
three business days to implement paragraph (1) of this subdivision.
(e) A health insurer may require a
requestor to make a reasonable request in writing pursuant to Insurance Law
section 2612(h)(3). However, a health insurer may not require a requestor to
provide a justification for the reasonable request.
(f)
(1)
Prior to releasing any information prohibited to be disclosed pursuant to
subdivisions (a) and (b) of this section pursuant to a warrant, subpoena, or
court order involving the policyholder or another insured covered under the
policy, an insurer shall notify the individual who delivered the order of
protection or the requestor, as soon as reasonably practicable, that it intends
to release information and specify what type of information it intends to
release, unless prohibited by the warrant, subpoena, or court order.
(2) Upon release of information pursuant to a
warrant, subpoena, or court order, an insurer shall advise the person to whom
the insurer is releasing the information that the information is confidential
and that the person should continue to maintain the confidentiality of the
information to the extent possible.
(g) An insurer shall comply with Parts 420
and 421 of this Title (Insurance Regulations 169 and 173) and where applicable,
the Federal Health Insurance Portability and Accountability Act of 1996, as
amended, with respect to any information submitted pursuant to Insurance Law
section 2612 or this Part.
(h) An
agent, representative, or designee of an insurer, a corporation organized
pursuant to Insurance Law article 43, a health maintenance organization
certified pursuant to Public Health Law article 44, or a provider issued a
special certificate of authority pursuant to Public Health Law section 4403-a,
who is regulated pursuant to the Insurance Law, need not develop its own
confidentiality protocol pursuant to this section if the agent, representative,
or designee follows the protocol of the insurer, corporation, health
maintenance organization, or provider.
