§2215. Disclosure limitations and conditions
1. Disclosure of personal information. A regulated insurance entity or insurance support organization may not disclose any personal information about a consumer collected or received in connection with an insurance transaction unless the disclosure is made with due consideration for the safety and reputation of all persons who may be affected by the disclosure, is limited to the minimum amount of personal information necessary to accomplish a lawful purpose and is disclosed:
A. With the written authorization of the individual, only:
(1) If that authorization is submitted directly by the consumer, a person purporting to represent the consumer, another regulated insurance entity or insurance support organization and the authorization meets the requirements of section 2208; or
(2) If the authorization is submitted by a person other than a regulated insurance entity or insurance support organization and the authorization describes with reasonable particularity the nature of the information to be disclosed and the purpose of the disclosure and is:
(a) Dated;
(b) Signed by the consumer, except that another authorized individual may provide authorization or the consumer may authorize disclosure in electronic or telephonic form in accordance with section 2208, subsection 1; and
(c) Obtained one year or less before the date a disclosure is sought pursuant to this subsection; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
B. To a person other than a regulated insurance entity or insurance support organization, only if that disclosure is reasonably necessary:
(1) To enable that person to perform a business, professional or insurance function for the disclosing regulated insurance entity or insurance support organization and that person agrees not to disclose the information further without the consumer's written authorization unless the further disclosure:
(a) Would otherwise be permitted by this section if made by a regulated insurance entity or insurance support organization; or
(b) Is reasonably necessary for that person to perform its function for the disclosing regulated insurance entity or insurance support organization; or
(2) To enable that person to provide information to the disclosing regulated insurance entity or insurance support organization for the purpose of:
(a) Determining a consumer's eligibility for an insurance benefit or payment; or
(b) Detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
C. To a regulated insurance entity, insurance support organization or self-insurer, only if the information disclosed is limited to that which is reasonably necessary:
(1) To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with insurance transactions; or
(2) For either the disclosing or the receiving regulated insurance entity or insurance support organization to perform its function in connection with an insurance transaction involving the consumer; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
D. To a health care provider for the purpose of:
(1) Verifying insurance coverage or benefits;
(2) Informing a consumer of a medical problem of which the consumer may not be aware; or
(3) Conducting an operations or services audit to verify the consumers of the regulated insurance entity or insurance support organization treated by the health care provider; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
E. To an insurance regulatory authority; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
F. To a law enforcement or other governmental authority to protect the interests of the regulated insurance entity or insurance support organization in preventing or prosecuting the perpetration of fraud upon that entity or organization; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
G. In response to a facially valid administrative or judicial order, including a search warrant or subpoena, or otherwise required by law; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
H. For the purpose of conducting actuarial or research studies, except that:
(1) No insurance consumer may be identified in any actuarial or research report;
(2) Materials allowing the consumer to be identified must be returned or destroyed as soon as they are no longer needed; and
(3) The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by a regulated insurance entity or insurance support organization; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
I. To a party or representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the regulated insurance entity or insurance support organization, only if:
(1) Before the consummation of the sale, transfer, merger or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger or consolidation; and
(2) The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by a regulated insurance entity or insurance support organization; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
J. To a person whose only use of the information will be in connection with the marketing of a product or service, only if:
(1) No health care information, confidential investigative information or information relating to a consumer's character, personal habits, mode of living or general reputation is disclosed and no classification derived from any such information is disclosed;
(2) The consumer has been given an opportunity to indicate that the consumer does not want personal information disclosed for marketing purposes and has given no indication that the consumer does not want the information disclosed; and
(3) The person receiving the information agrees not to use it except in connection with the marketing of a product or service; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
K. By a consumer reporting agency to a person other than a regulated insurance entity; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
L. To a group policyholder for the purpose of reporting claims experience or conducting an audit of the regulated insurance entity's operations or services, only if the information disclosed is aggregate information and reasonably necessary for the group policyholder to conduct the review or audit; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
M. To a professional peer review organization for the purpose of reviewing the service or conduct of a health care provider; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
N. To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; [PL 1997, c. 677, §3 (NEW); PL 1997, c. 677, §5 (AFF).]
O. To a lienholder, mortgagee, assignee, lessor or other person shown on the records of a carrier or producer as having a legal or beneficial interest in a policy of insurance, only if:
(1) No health care information is disclosed unless the disclosure would otherwise be permitted by this section; and
(2) The information disclosed is limited to that which is reasonably necessary to permit that person to protect its interests in the policy; [PL 2001, c. 457, §21 (AMD).]
P. To an affiliate whose only use of the information will be in connection with an audit of the regulated insurance entity or the marketing of a product or service of the affiliate, if the information disclosed for marketing purposes does not include health care information and if the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons; [PL 2005, c. 127, §1 (AMD).]
Q. In order to protect the public health and welfare, to state governmental entities only insofar as necessary to enable those entities to perform their duties when reporting is required or authorized by law; or [PL 2005, c. 127, §2 (AMD).]
R. By a regulated insurance entity that is also a covered entity or is a business associate of a covered entity under the standards for privacy of individually identifiable health information, 45 Code of Federal Regulations, Parts 160 and 164 (2004), if the disclosure is made for purposes of treatment, payment or health care operations of the disclosing or receiving entity and is made in full compliance with the requirements of the standards for privacy of individually identifiable health information and any applicable business associate agreement. [PL 2005, c. 127, §3 (NEW).]
[PL 2005, c. 127, §§1-3 (AMD).]
SECTION HISTORY
PL 1997, c. 677, §3 (NEW). PL 1997, c. 677, §5 (AFF). PL 2001, c. 457, §§21,22 (AMD). PL 2005, c. 127, §§1-3 (AMD).