Current through Register Vol. 63, No. 12, December 1, 2024
(1) A
licensee or insurance-support organization may disclose personal or privileged
information about an individual collected or received in connection with a
health insurance transaction without obtaining the written authorization
required by OAR 836-080-0665 if the disclosure
meets one or more of the following conditions, in which a disclosure:
(a) Is reasonably necessary to enable a
person other than the licensee or insurance support organization to:
(A) Perform a business, professional or
insurance function for the disclosing licensee or insurance-support
organization and the person agrees not to disclose the information further
without the individual's written authorization unless the further disclosure:
(i) Would otherwise be permitted by this rule
if made by a licensee or insurance-support organization; or
(ii) Is reasonably necessary for the person
to perform its function for the disclosing licensee or insurance-support
organization.
(B) Provide
information to the disclosing licensee or insurance-support organization for
the purpose of:
(i) Determining an
individual's eligibility for a health insurance benefit or payment;
or
(ii) Detecting or preventing
criminal activity, fraud, material misrepresentation or material nondisclosure
in connection with a health insurance
transaction.
(b) Is to a licensee, insurance-support
organization or self-insurer, if the information disclosed is limited to that
which is reasonably necessary:
(A) To detect
or prevent criminal activity, fraud, material misrepresentation or material
nondisclosure in connection with an insurance transaction; or
(B) For either the disclosing or receiving
licensee or insurance-support organization to perform its function in
connection with an insurance transaction involving the individual.
(c) Is to a medical care
institution or medical professional and discloses only such information as is
reasonably necessary to accomplish one or more of the following purposes:
(A) Verifying insurance coverage or
benefits.
(B) Informing an
individual of a medical problem of the individual, of which the individual may
not be aware.
(C) Conducting an
operations or services audit.
(d) Is required or authorized for compliance
with federal, state or local laws, rules or other applicable legal
requirements.
(e) Is required for
compliance with a properly authorized civil, criminal or regulatory
investigation or a subpoena or summons by a federal, state or local
authority.
(f) Is required for
response to judicial process or a government regulatory authority having
jurisdiction over a licensee for examination, compliance or other purposes as
authorized by law.
(g) Is required
for protection of the confidentiality or security of a licensee's records
pertaining to the individual, service, product or transaction.
(h) Is required for institutional risk
control or for resolving disputes or inquiries relating to the
individual.
(i) Is to a person
holding a legal or beneficial interest relating to the individual.
(j) Is to a person acting in a fiduciary or
representative capacity on behalf of the individual.
(k) Is to provide information to an insurance
rate advisory organization, a guaranty fund or agency, an agency that is rating
a licensee, a person that is assessing the licensee's compliance with industry
standards, or the licensee's attorneys, accountants and auditors.
(l) Is allowed or required under other
provisions of law and in accordance with the federal Right to Financial Privacy
Act of 1978 (12 U.S.C. 3401 et
seq.) to law enforcement agencies, but only to the extent that disclosure is
specifically allowed or required, including the Federal Reserve Board, Office
of the Comptroller of the Currency, Federal Deposit Insurance Corporation,
Office of Thrift Supervision, National Credit Union Administration, the
Securities and Exchange Commission, the Secretary of the Treasury, with respect
to 31 U.S.C. (Chapter 53, Subchapter II (Records and Reports on Monetary
Instruments and transactions) and 12 U.S.C. Chapter 21 (Financial
record-keeping), a state insurance authority, and the federal Trade
Commission), a self-regulatory organization or for an investigation on a matter
related to public safety, or is otherwise specifically permitted or required by
law.
(m) Meets any of the following
conditions:
(A) It is necessary to effect,
administer or enforce a transaction that an individual requests or authorizes,
in that the disclosure is required or is a usual, appropriate or acceptable
method of handling the transaction. The condition in this subparagraph has the
meaning given in section 509 of the federal Gramm-Leach-Bliley Act
(P.L.
106-102).
(B) It is in connection with treatment,
payment or health care operations.
(C) It is in connection with servicing or
processing an insurance product or service that an individual requests or
authorizes.
(D) It is in connection
with maintaining or servicing an individual's account with the licensee, a
proposed or actual securitization, secondary market sale or similar transaction
related a transaction of the individual.
(n) Is made for the purpose of conducting
actuarial or research studies, if:
(A) No
individual may be identified in any resulting actuarial or research
report;
(B) Materials allowing the
individual to be identified are returned or destroyed as soon as they are no
longer needed; and
(C) The
actuarial or research organization agrees not to disclose the information
unless the disclosure would otherwise be permitted by this section if made by a
licensee or insurance-support organization.
(o) Is to a party or a representative of a
party to a proposed or consummated sale, transfer, merger or consolidation of
all or part of the business of the licensee or insurance-support
organization.
(p) Is to an
affiliate whose only use of the information will be in connection with an audit
of the licensee.
(q) Is to a
consumer reporting agency in accordance with the federal Fair Credit Reporting
Act (15 U.S.C.
1681 et seq.) or from a consumer report
prepared by a consumer reporting agency.
(r) Is to a group policyholder for the
purpose of reporting claims experience or conducting an audit of the licensee's
operations or services, and the information disclosed is reasonably necessary
for the group policyholder to conduct the review or audit.
(s) Is to a licensee for purposes related to
replacement of a group benefit plan, a group health plan or a group welfare
plan.
(t) Is to a professional peer
review organization for the purpose of reviewing the service or conduct of a
medical care institution or medical professional.
(u) Is to a governmental authority for the
purpose of determining the individual's eligibility for health benefits for
which the governmental authority may be liable.
(v) Is to a policyholder or certificate
holder, or an agent or other representative thereof, for the purpose of
providing information regarding the status of a health insurance
transaction.
(2) A
licensee may disclose personal or privileged information to an affiliate in
connection with the marketing of a financial product or service if the
affiliate agrees not to disclose the information for any other purpose or to an
unaffiliated persons except as authorized in section (1) of this rule. If a
disclosure under this section is made for marketing a product or service other
than the product or service of the disclosing licensee, individually
identifiable health information may not be disclosed without the authorization
required by OAR 836-080-0665.
(3) A licensee may disclose personal or
privileged information to a nonaffiliated third party whose only use of the
information will be pursuant to a joint marketing agreement for marketing of a
product or service. As used in this subsection, "joint marketing agreement"
means a formal written contract pursuant to which an insurer jointly offers,
endorses or sponsors a financial product or service with a financial
institution. Information that may be disclosed under this subsection does not
include individually identifiable health information, privileged information or
personal information relating to an individual's character, personal habits,
mode of living or general reputation, or any classification derived from such
information, except as authorized in section (1) of this rule.
(4) A licensee or insurance support
organization shall not disclose an access number or access code for an
individual's policy or transaction account, whether directly or through an
affiliate, to any nonaffiliate for use in telemarketing, direct mail marketing
or other marketing through electronic mail to an individual, other than to a
consumer reporting agency. This section does not apply if a licensee or
insurance support organization discloses an access number or access code:
(a) To its service provider solely in order
to perform marketing for its own products or services, as long as the service
provider is not authorized to directly initiate charges to the
account;
(b) To an insurance
producer solely in order to perform marketing for its own products or services;
or
(c) To a participant in an
affinity or similar program where the participants in the program are
identified to the individual when the individual enters into the program. An
access number or access code does not include a number or code in an encrypted
form, as long as the licensee or insurance support organization does not
provide the recipient with a means to decode the number or code. For purposes
of this subsection, a policy or transaction account is an account other than a
deposit account or a credit card account. A policy or transaction account does
not include an account to which third parties cannot initiate
charges.
(5) Personal or
privileged information may be acquired by a group practice prepayment health
care service contractor from providers that contract with the health care
service contractor and may be transferred among providers that contract with
the health care service contractor for the purpose of administering plans
offered by the health care service contractor. The information may not be
disclosed otherwise by the health care service contractor except in accordance
with OAR 836-080-0670 or
836-080-0675.
(6) This rule does not authorize the
disclosure of personal or privileged information that is also individually
identifiable health information when disclosure of the individually
identifiable health information is prohibited or is otherwise regulated under
the federal Health Insurance Portability and Accountability Act of 1996
(P.L.
104-191).
Stat. Auth.: ORS
731.244 &
746.608
Stats. Implemented: ORS
746.600 &
746.607
