Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA


PA Bulletin, Doc. No. 02-1878

RULES AND REGULATIONS

Title 31--INSURANCE

INSURANCE DEPARTMENT

[31 PA. CODE CH. 146b]

Privacy of Consumer Health Information

[32 Pa.B. 5268]

   The Insurance Department (Department) hereby adopts Chapter 146b (relating to privacy of consumer health information) to read as set forth in Annex A.

Statutory Authority

   This final-form rulemaking is adopted under sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412), and under the guidance of section 648 of The Insurance Department Act of 1921 (40 P. S. § 288) (Act 40). Likewise, this final-form rulemaking is promulgated under the Department's rulemaking authority under the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.14). The authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977), because the Insurance Commissioner has determined that the improper disclosure or marketing, or both, of nonpublic personal health information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.

Comments and Response

   Notice of proposed rulemaking was published at 32 Pa.B. 1406 (March 16, 2002) with a 30-day comment period. During the 30-day comment period, comments were received from the Alliance of American Insurers (AAI), the American Council of Life Insurers (ACLI), the American Insurance Association (AIA), Blue Cross of Northeastern Pennsylvania, Capital Blue Cross (CBC), Highmark, Inc. (Highmark), Independence Blue Cross (IBC), the Insurance Federation of Pennsylvania, Inc. (IFP), the Managed Care Association of Pennsylvania (MCAP), the Pennsylvania Association of Mutual Insurance Companies (PAMIC) and the Pennsylvania Association of Non-Profit Homes for the Aging (PANPHA). During its regulatory review, the Independent Regulatory Review Commission (IRRC) submitted comments to the Department. The following is a response to those comments.

General comments

Inconsistent with the Gramm-Leach-Bliley Act

   AAI commented that the proposed health privacy rulemaking is neither required by Federal law nor consistent with the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. §§ 6801--6827) and the Federal privacy regulations that apply to depository institutions and securities entities. See, for example, 12 CFR Parts 40.1 and 216.1 (relating to privacy of consumer financial information; and privacy of consumer financial information (Regulation P)).

   Although it is true that the Federal banking and securities regulations treat nonpublic personal health information in the same manner as nonpublic financial information by requiring only that consumers be provided with an opportunity to opt-out of a disclosure of their health information, section 507 of the GLBA (15 U.S.C.A. § 6807) explicitly allows states to afford ''any person'' greater protection than that provided in the GLBA or in the Federal privacy regulations promulgated under Title V of the GLBA (15 U.S.C.A. §§ 6801--6827). Therefore, the GLBA not only allows, but envisions, states providing broader insurance privacy protection to consumers, as well as affording privacy protection to classes of persons not addressed in the GLBA or the Federal privacy regulations. For this reason, this final-form rulemaking is not inconsistent with the GLBA.

Section 146b.1

   With regard to its stated purpose, the proposed rulemaking used the term ''affirmative consent'' rather than ''authorization,'' which is used throughout the rulemaking. IBC and IFP both commented that the Department should change the reference in § 146b.1(a)(3) (relating to purpose) from ''affirmative consent'' to ''authorization.''

   The Department agrees with these comments and has made the requested change in this final-form rulemaking.

Section 146b.2

   Consumer--With regard to the definition of ''consumer,'' IFP suggested that either workers' compensation claimants be excluded in the definition, or the final-form rulemaking be clarified to state that it is not intended to modify the ''existing information sharing practices'' in the workers' compensation industry. No explanation or description was provided as to what constitutes ''existing information sharing practices.''

   The Department has retained its inclusion of workers' compensation insurance in this final-form rulemaking's definition of ''consumer.'' As previously mentioned, section 507 of the GLBA explicitly allows states to afford ''any person'' greater protection than that provided in the GLBA or in the Federal privacy regulations promulgated under Title V of the GLBA. Therefore, the Department asserts that workers' compensation claimants are properly within the scope of the privacy rulemaking.

   In addition, it is important to note that claimants under a workers' compensation insurance plan generally are unable to choose the licensees with whom they transact business. Rather, that choice is made by their employer, who is the policyholder in the workers' compensation insurance plan. Unlike other types of consumers who are able to choose the licensees with whom they transact business, workers' compensation insurance claimants are unable to ''shop around'' for a licensee that has a privacy policy that suits their needs. Therefore, it is critical that these persons be afforded the privacy protections instituted by this final-form rulemaking.

   Licensee--With regard to the definition of ''licensee,'' IBC commented that the definition should be modified so that licensees that administer a governmental health insurance program are exempt from the rulemaking. IRRC also commented on this aspect of the definition, stating that the definition of ''licensee'' should be clarified as to whether a licensee that administers a governmental health insurance program is bound by the rulemaking. Also, IFP seeks a clarification to the definition wherein the Department explains what entities beyond insurers it considers to be a ''licensee.''

   Although the Department believes that because the programs do not meet the definition of ''licensee,'' Children's Health Insurance Program, Medicaid, Medicare+ Choice and other governmental health insurance programs would not be subject to the privacy regulation even without a specific exception, this final-form rulemaking nonetheless includes specific exceptions for these programs, as requested by the interested parties. However, this exception does not extend to entities that enroll participants through these programs, hence the clarification in subparagraph (iv). In addition, the language in subparagraphs (iii) and (iv) is identical to the language that is included in the definition of ''licensee'' in Chapter 146a (relating to privacy of consumer financial information).

   The Department does not agree with IBC's comment that licensees who enroll participants through a governmental health insurance program should be exempt from the final-form rulemaking. Governmental health insurance program enrollees are entitled to the same privacy protection as other persons who obtain health insurance in the private marketplace or through their employers. Therefore, contrary to the request of IBC, licensees that enroll participants through governmental health insurance programs will not be excluded from the definition of ''licensee.''

   In response to IRRC's comment that the definition should be clarified as to whether a licensee that administers a governmental health insurance program is bound by the final-form rulemaking, the Department believes that the final-form rulemaking is sufficiently clear. Also, the language of the definition is identical to that used in the definition of ''licensee'' in § 146a.2 (relating to definitions). Therefore, in the interest of uniformity between these two closely related rulemakings, the Department has not changed the definition of ''licensee.''

   The Department also does not agree with IFP's comment that the definition should explicitly identify the entities beyond insurers that the Department considers to be ''licensees.'' The definition is abundantly clear that a person or entity licensed or required to be licensed by the Department is required to comply with this final-form rulemaking unless the entity is specifically excluded from the definition of ''licensee.'' The only license holders that are specifically excluded are bail bondsmen as defined in 42 Pa.C.S. § 5741 (relating to definitions), motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Damage Appraiser Act (63 P. S. § 852) and the governmental health insurance programs previously discussed.

   Nonpublic personal health information--IFP commented that the exception for ''nonpublic personal financial information'' should be removed from the definition of ''nonpublic personal health information'' because it believes that health information is always an exception to financial information, but not vice versa. Also, IRRC and AIA commented that the wording in subparagraph (i)(B) of the definition of ''nonpublic personal health information'' is not parallel to subparagraph (i)(A).

   The Department disagrees with IFP. By including an exception for nonpublic personal financial information within the definition of ''nonpublic personal health information,'' the Department has clarified that the opt-in requirements of this final-form rulemaking apply only to ''nonpublic personal health information'' and not to ''nonpublic personal financial information.'' Also, because there is an exception for ''nonpublic personal health information'' within the definition of ''nonpublic personal financial information'' in Chapter 146a, the Department believes that the corresponding exception in this final-form rulemaking is both necessary and appropriate.

   The Department concurs in the suggestion proposed by the IRRC and AIA regarding the wording used in subparagraph (i)(A) and (B). The Department has made an appropriate change to make the wording in these two clauses parallel.

Section 146b.11

   General--IFP has suggested that the final-form rulemaking needs clarification to establish that Chapter 146b's requirements are directed at the sharing of nonpublic personal health information for marketing purposes, and not information sharing for the purposes of first and third party claims administration and processing among and between carriers. IFP made a similar suggestion in their comments to Chapter 146a.

   The Department asserts that, as with Chapter 146a, this final-form rulemaking is clear that claims processing functions, including the administration and processing of first and third party claims, are included under the insurance function exemptions found in § 146b.11(b) (relating to authorization required for disclosure of nonpublic personal health information). Therefore, similar to the exception for first and third party claims administration and processing in Chapter 146a, the authorization requirement of this final-form rulemaking does not attach to information sharing associated with first and third party claims administration and processing.

   ''Minimum necessary'' requirement--The Department's proposed rulemaking included a provision requiring that when nonpublic personal health information is disclosed by licensees or nonlicensed third parties for the purpose of carrying out certain listed insurance functions, disclosure could be made only to the extent that the disclosure is necessary for the performance of the insurance function by the licensee or nonlicensed third party. AAI commented that this ''minimum necessary'' requirement in § 146b.11(b) is inconsistent with the National Association of Insurance Commissioners Privacy of Consumer Financial and Health Information Model Regulation (NAIC Model) and that the requirement is unworkable because it injects subjective preconditions into the ''safe harbors'' provided by the exceptions. In addition, PAMIC stated that the new requirement would introduce an element of uncertainty into the regulation exceptions. Likewise, AIA commented that the additional requirement should be deleted because it prohibits uniformity among the states, and because the standard is too vague.

   The Department respectfully disagrees with the comments provided by AAI, PAMIC and AIA. Although the ''minimum necessary'' requirement is not found in the NAIC Model, the requirement is not inconsistent with the intent of the rulemaking, nor is it unworkable. A similar requirement is found in the Healthcare Insurance Portability and Accountability Act (Pub. L. No. 104-191, 110 Stat. 1836) (HIPAA) privacy regulation promulgated by the United States Department of Health and Human Services at 45 CFR Parts 160--164, to which many of the Department's licensees are already subject. Furthermore, this additional requirement provides an additional layer of privacy protection to consumers' nonpublic personal health information in that only the minimum amount of nonpublic personal health information that is necessary to perform an insurance function listed in § 146b.11(b)(1)--(33) will be disclosed without an authorization from the consumer. This requirement is not unworkable, but instead is an appropriate balance between the protection of consumer health information and the uninterrupted performance of common insurance functions.

   Although IFP also commented that the ''minimum necessary'' requirement should be deleted from the final-form rulemaking, it also suggested in the alternative that a definition of ''necessary'' should be included stating that it means disclosures that are ''required'' or are a ''usual, appropriate or acceptable'' method of performing the underlying function. Likewise, IRRC commented that the language at issue should either be deleted or the criteria used to determine when disclosure is ''necessary'' should be included in the final-form rulemaking. IRRC also commented that it would like an explanation of when, and by whom, the ''necessary'' disclosure determination is made.

   The Department agrees and has added subsection (c) to clarify that disclosure of nonpublic personal health information is necessary only when the disclosure is ''required or when disclosure is usual, appropriate or acceptable for the purpose of performing an insurance function identified in subsection (b).'' This additional explanation and guidance as to what the Department considers ''necessary'' in terms of the performance of the insurance function exceptions to the authorization requirement should be sufficient to alleviate the concerns raised by the interested parties.

   To address IRRC's comment, a determination of what is considered ''necessary'' will be made by the Department in the context of an investigation, consumer complaint, market conduct examination or other analysis of a licensee's compliance with this regulation.

   Insurance function exceptions--This final-form rulemaking includes an enumerated list of specific ''insurance functions'' in § 146b.11(b)(1)--(33) that do not require an authorization to the extent that disclosure of nonpublic personal health information is necessary for the performance of the insurance functions. Several commentators raised concerns that several legitimate insurance functions were not included in the exception to the final-form rulemaking's general rule that an authorization is required for the disclosure of nonpublic personal health information. For example, IFP suggested that the Department clarify in either the rulemaking or the preamble that the exceptions for ''claims administration, adjustment and management'' in paragraphs (1) and (2) also cover claims investigation, negotiation and settlement. IFP also commented that the wording in paragraph (31) should be changed back to the language in the NAIC Model (that is, to state ''complying with legal process''). In addition, IBC recommended that paragraph (11) should be changed from ''disease management'' to ''disease management and wellness programs'' and that paragraph (15) be changed from ''provider credentialing verification'' to ''provider training, accreditation, certification, licensure and credentialing.'' IBC also suggested that an exception be added for ''lawful reporting of disease, injury, vital statistics, child abuse, adult abuse, neglect or domestic violence.'' Finally, both IFP and IRRC requested that paragraph (23) be clarified by incorporating types of ''reporting'' that are included in the scope of the exception, including reporting to various index and consumer reporting bureaus.

   The Department has no objection to these changes and has made appropriate revisions to the insurance function exceptions in the final-form rulemaking.

   MCAP suggested deleting the phrase ''that do not require disclosure of nonpublic personal information that a consumer has not previously disclosed directly to the recipient of the information'' from paragraph (33) because there is a possibility that the new physician would receive protected or identifiable information prior to the member's initial visit with the new doctor.

   The Department has not adopted the recommendation made by MCAP because deleting the phrase at issue would significantly expand paragraph (33) in a manner that is directly contrary to the intent and spirit of the final-form rulemaking.

   Third party confidentiality agreements--The Department's proposed rulemaking included a requirement in § 146b.11(c) (now § 146b.11(d)) that when a licensee disclosed nonpublic personal health information to a nonlicensed third party for the purpose of having the third party perform one of the insurance functions previously described on its behalf, the licensee must enter into an agreement with the nonlicensed third party wherein that third party cannot disclose the nonpublic personal health information other than for the purpose of performing the insurance function. Several comments were raised on this provision. First, AAI commented that the requirement that licensees enter into third party confidentiality agreements is inconsistent with the NAIC Model and is unnecessary because there is a requirement that the authorization indicate the third parties who will receive the information and how the information will be used by those third parties. Second, IFP recommended deleting this requirement from the rulemaking because it is not needed, or in the alternative, the Department should use a requirement that insurers send a ''notice'' of confidentiality requirements to third parties instead of having a written agreement. Third, AIA suggested that the confidentiality agreement requirement be deleted because it is overly burdensome. Finally, IRRC requested clarification of how the Department intends to enforce this provision and a specification of a licensee's responsibilities with regard to the agreements if a third party breaches the same.

   To address the several concerns raised with regard to the third party confidentiality agreement, the Department has deleted the requirement that an actual agreement be entered into and inserted a blanket prohibition against the disclosure of nonpublic personal health information by a nonlicensed third party other than for the purpose of performing an insurance function exception to the authorization requirement. Although the requirement for a confidentiality agreement has been deleted, licensees must still be cognizant of the disclosure practices of nonlicensed third parties performing insurance functions on their behalf. For example, the Department would consider a licensee's continued use of the services of a nonlicensed third party that the licensee knows or reasonably should have known has improperly disclosed nonpublic personal health information to be a violation of this final-form rulemaking. However, when a licensee did not know or reasonably could not have known that a third party has not maintained the confidentiality of nonpublic personal health information, the Department would likely not find a violation by the licensee. The Department has also added, at IRRC's request, new language to subsection (d) (formerly (c)).

   Additional insurance function exceptions--The Department's proposed rulemaking included a provision in § 146b.11(d) (now § 146b.11(e)) wherein additional insurance function exceptions could be added by publishing a notice in the Pennsylvania Bulletin. IRRC commented that additional insurance function exceptions must follow the rulemaking process because the addition of insurance function exceptions constitutes a change to the substantial requirements of the rulemaking.

   The Department agrees with IRRC's comment. Accordingly, the last sentence in subsection (e) has been deleted.

Section 146b.12

   Duration of authorization--Several comments addressed the requirement in § 146b.12(b) of the proposed rulemaking that authorizations remain valid for no more than 2 years. IFP and ACLI commented that the maximum length of time for authorizations should be extended from 24 months to 30 months because life insurers have a 24 month contestability period and if a problem arises at the end of the 24-month period, they may need 6 more months to resolve the problem. BCNP suggested that the 2-year limitation for authorizations be eliminated to be more consistent with the Federal rule. PANPHA recommended that the authorizations be permitted to remain valid until the consumer is discharged from the facility.

   The Department has considered these comments, but is unwilling to deviate from the NAIC Model with regard to the requirement that authorizations remain valid for no more than 2 years. Two years is a reasonable time period for the duration of the authorizations required by this final-form rulemaking. After 2 years, consumers should be given an opportunity to reassess whether they want to grant authorization for the disclosure of their nonpublic personal health information for purposes other than performing the insurance functions identified in the final-form rulemaking, especially since a consumer's health status and health information can change dramatically in a 2 year period. Therefore, to be consistent with the NAIC Model, the Department has retained the requirement that authorizations remain valid for no more than 2 years.

   To specifically address the comments made by IFP and ACLI, although the Department understands that life insurers have a 2 year contestability period in their policies, and that problems such as a fraud investigation may arise in the last month of the contestability period that would require additional time to resolve the issue, the Department does not believe that an extension of the 2 year limitation on the duration of the authorization is necessary. If a fraud investigation were to be initiated in the final month of the contestability period, it is important to recall that no authorization is required for disclosures that are made under the insurance function exceptions in § 146b.11(b), which include an exception for the ''detection, prevention, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity.'' The Department believes that this exception and the other exceptions in § 146b.11(b) obviate the need for life insurers to obtain an authorization to resolve contestability issues, so no extension of the 2 year limitation on the duration of authorizations is needed.

   Record of authorization--IFP recommended that the record retention requirement in § 146b.12(d) (relating to authorizations) be reduced from 6 years, but did not provide an alternative number of years for which retention would be acceptable. Also, IRRC questioned why it is necessary for authorizations to be maintained for 6 years when they last only for 2 years.

   The Department did not change any language in § 146b.12(d) regarding the recordkeeping requirement for executed authorizations. The Department requires that licensees maintain the authorization for 6 years because the maximum duration of the authorization is 2 years and the standard statute of limitations for a contract claim is 4 years. See 42 Pa.C.S. § 5525 (relating to four year limitation). Therefore, the Department believes that it is entirely reasonable that licensees be required to maintain the authorizations in their records for 6 years.

Section 146b.24

   Annual receipts--To be consistent with the HIPAA privacy regulation, the compliance date for this final-form rulemaking varies depending upon whether a licensee has more than $5 million in ''annual receipts.'' IFP commented that the reference to ''annual receipts'' is confusing and suggests, along with IRRC, that the term ''premium'' should be used instead.

   The Department has not adopted the recommendation that the term ''premium'' be used instead of the term annual receipts because certain licensees such as insurance agents and third party administrators do not base their annual income on premium volume. However, the Department has added a definition of ''annual receipts'' to § 146b.2 (relating to definitions) to alleviate the concerns of IFP and IRRC.

   Compliance date--To be consistent with the HIPAA privacy regulation's compliance date, the Department's proposed rulemaking indicated that the compliance date for this rulemaking would be April 14, 2002, or April 14, 2003 (depending upon the amount of the licensee's annual receipts). However, since the proposed rulemaking, several amendments have been proposed to the HIPAA privacy regulation. Because of these proposed amendments and because it is possible that the compliance date for the HIPAA privacy regulation might be extended or delayed, CBC, PANPHA, Highmark and IRRC suggested that the final-form rulemaking should only generally reference the Federal rule compliance dates rather than imposing a date certain.

   The Department agrees and has changed the compliance date so that the compliance date for this final-form rulemaking is the same as ''the corresponding compliance date applicable to the Federal regulation.''

   Five million dollars in annual receipts--As previously explained, the compliance date for this final-form rulemaking varies depending upon whether a licensee has more than $5 million in annual receipts. With regard to this provision, Highmark and IRRC recommended that the rulemaking be clarified to address which compliance date is to be followed when licensees have exactly $5 million in annual receipts.

   The Department agrees with the suggestion made by Highmark and IRRC. To that end, the Department has clarified § 146b.24 (relating to compliance dates) so that licensees with $5 million or more in annual receipts must comply with the rulemaking by the corresponding date in the HIPAA privacy regulation and licensees with less than $5 million in annual receipts must comply 1 year later as specified in the HIPAA privacy regulation.

Affected Parties

   The final-form rulemaking applies to all entities that are, or are required to be, licensed by the Department. The only exceptions are bail bondsmen as defined in 42 Pa.C.S. § 5741, motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Physical Damage Appraisers Act and governmental health insurance programs.

Fiscal Impact

State Government

   The adoption of Chapter 146b will not cause an increase in costs to the Department.

General Public

   There will be no fiscal impact to the public arising from the adoption of Chapter 146b.

Political Subdivisions

   Because they are generally not licensed by the Department, this final-form rulemaking will not impose additional costs on political subdivisions.

Private Sector

   The final-form rulemaking may result in additional costs to licensees of the Department that are subject to this final-form rulemaking. These costs will relate to the development, printing, retention and compliance with the authorizations required by this final-form rulemaking. These costs, however, are substantially outweighed by the privacy protections that are afforded to consumers by this final-form rulemaking.

Paperwork

   The adoption of the final-form rulemaking will not impose additional paperwork on the Department or the insurance industry.

Effectiveness/Sunset Date

   This final-form rulemaking becomes effective upon publication in the Pennsylvania Bulletin. No sunset date has been assigned.

Contact Person

   Questions regarding this final-form rulemaking should be directed to Peter J. Salvatore, Regulatory Coordinator, Office of Special Projects, 1326 Strawberry Square, Harrisburg, PA 17120, (717) 787-4429, fax (717) 772-1969, e-mail psalvatore@state.pa.us.

Regulatory Review

   Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on September 5, 2002, the Department submitted a copy of the notice of proposed rulemaking, published at 32 Pa.B. 1406, to IRRC and to the Chairpersons of the House Insurance Committee and the Senate Banking and Insurance Committee for review and comment.

   Under section 5(c) of the Regulatory Review Act, IRRC and the Committees were provided with copies of the comments received during the public comment period, as well as other documents when requested. In preparing this final-form rulemaking, the Department has considered the comments received from IRRC, the Committees and the public.

   Under section 5.1(d) of the Regulatory Review Act (71 P. S. § 745.5a(d)), on September 25, 2002, this final-form rulemaking was deemed approved by the House and Senate Committees. Under section 5.1(e) of the Regulatory Review Act, IRRC met on September 26, 2002, and approved the final-form rulemaking.

Findings

   The Department finds that:

   (1)  Public notice of intention to adopt a rulemaking as amended by this order has been given under sections 201 and 202 of the act of July 31, 1968 (P. L. 769, No. 240) (45 P. S. §§ 1201 and 1202) and the regulations thereunder, 1 Pa. Code §§ 7.1 and 7.2.

   (2)  The adoption of this rulemaking in the manner provided in this order is necessary and appropriate for the administration and enforcement of the authorizing statutes.

Order

   The Department, acting under the authorizing statutes, orders that:

   (a)  The regulations of the Department, 31 Pa. Code, are amended by adding §§ 146b.1, 146b.2, 146b.11--146b.13 and 146b.21--146b.24 to read as set forth in Annex A.

   (b)  The Commissioner shall submit this order and Annex A to the Office of General Counsel and Office of Attorney General for approval as to form and legality as required by law.

   (c)  The Commissioner shall certify this order and Annex A and deposit them with the Legislative Reference Bureau as required by law.

   (d)  The rulemaking shall take effect upon final-form publication in the Pennsylvania Bulletin.

M. DIANE KOKEN,   
Insurance Commissioner

   (Editor's Note:  For the text of the order of the Independent Regulatory Review Commission, relating to this document, see 32 Pa.B. 5145 (October 12, 2002).)

   Fiscal Note:  Fiscal Note 11-209 remains valid for the final adoption of the subject regulations.

Annex A

TITLE 31.  INSURANCE

PART VIII.  MISCELLANEOUS PROVISIONS

CHAPTER 146b.  PRIVACY OF CONSUMER HEALTH INFORMATION

Subch.

A.  GENERAL PROVISIONS
B.  RULES FOR DISCLOSURE OF NONPUBLIC PERSONAL HEALTH INFORMATION
C.  ADDITIONAL PROVISIONS

Subchapter A.  GENERAL PROVISIONS

Sec.

146b.1.  Purpose.
146b.2.  Definitions.

§ 146b.1.  Purpose.

   (a)  Purpose. This chapter:

   (1)  Governs the treatment of all nonpublic personal health information about individuals by various licensees of the Department.

   (2)  Describes the conditions under which a licensee may disclose nonpublic personal health information about consumers to a third party.

   (3)  Requires licensees to obtain an authorization from consumers prior to disclosing nonpublic personal health information, unless otherwise permitted in this chapter.

   (b)  Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter and Chapter 146a (relating to privacy of consumer financial information) in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801--6827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.

   (c)  Examples. The examples provided in this chapter are for illustrative purposes only and do not otherwise limit or restrict the scope of this chapter.

§ 146b.2.  Definitions.

   The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

   Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321).

   Annual receipts--Premium, commissions, fees or operating revenue received in a 12-month period.

   Commissioner--The Insurance Commissioner of the Commonwealth.

   Company--A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.

   Consumer--

   (i)  An individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information. Examples include:

   (A)  An individual who provides nonpublic personal health information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service, regardless of whether the licensee establishes an ongoing advisory relationship.

   (B)  An applicant for insurance prior to the inception of insurance coverage.

   (C)  A beneficiary of a life insurance policy underwritten by the licensee.

   (D)  A claimant under an insurance policy issued by the licensee.

   (E)  An insured under an insurance policy or an annuitant under an annuity issued by the licensee.

   (F)  A mortgagor of a mortgage covered under a mortgage insurance policy.

   (G)  A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary.

   (H)  An individual covered under a group or blanket insurance policy or group annuity contract issued by the licensee.

   (I)  A claimant in a workers' compensation plan.

   (ii)  Examples of persons who are not consumers are as follows:

   (A)  An individual is not a consumer solely because the individual is a beneficiary of a trust for which the licensee is a trustee.

   (B)  An individual is not a consumer solely because the individual has designated the licensee as trustee for a trust.

   (C)  An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.

   Department--The Insurance Department of the Commonwealth.

   Federal regulation--The Federal Health Insurance Portability and Accountability Act (HIPAA) privacy regulation as promulgated by the United States Department of Health and Human Services in 45 CFR Parts 160--164.

   Financial institution--

   (i)  An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)).

   (ii)  The term does not include the following:

   (A)  A person or entity with respect to a financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C.A. §§ 1--25).

   (B)  The Federal Agricultural Mortgage Corporation or an entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C.A. §§ 2001--2279cc).

   (C)  Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

   Health care--

   (i)  Preventative, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that either:

   (A)  Relates to the physical, mental or behavioral condition of an individual.

   (B)  Affects the structure or function of the human body or a part of the human body, including the banking of blood, sperm, organs or other tissue.

   (ii)  Prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.

   Health care provider--

   (i)  A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with the laws of the Commonwealth.

   (ii)  A health care facility.

   Health information--Information or data except age, gender or nonpublic personal financial information, whether oral or recorded in a form or medium, created by or derived from a health care provider or the consumer that relates to one or more of the following:

   (i)  The past, present or future physical, mental or behavioral health or condition of an individual.

   (ii)  The provision of health care to an individual.

   (iii)  Payment for the provision of health care to an individual.

   Insurance product or service--A product or service that is offered by a licensee under the insurance laws of the Commonwealth. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.

   Licensee--

   (i)  A licensed insurer, as defined in section 201-A of the act (40 P. S. § 65.1-A), a producer and other persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the act or The Insurance Company Law of 1921 (40 P. S. §§ 361--991.2361), including health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P. S. § 448.201).

   (ii)  The term does not include:

   (A)  Bail bondsmen as defined in 42 Pa.C.S. § 5741 (relating to definitions).

   (B)  Motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Physical Damage Appraiser Act (63 P. S. § 852) and § 62.1 (relating to definitions).

   (iii)  Subject to subparagraph (iv), the term does not include governmental health insurance programs such as the following:

   (A)  The Children's Health Insurance Program as provided for in the Children's Health Care Act (40 P. S. §§ 991.2301--991.2361).

   (B)  The Medicaid program as provided for in sections 441.1--453 of the Public Welfare Code (62 P. S. §§ 441.1--453).

   (C)  The Medicare+Choice program as provided for in the Balanced Budget Act of 1997, sections 1851--1859, Medicare Part C under Title XVIII of the Social Security Act (42 U.S.C.A. §§ 1395w-21--1395w-29).

   (D)  The Adult Basic Care program as provided for in the Tobacco Settlement Act. See section 1303 of the Tobacco Settlement Act (35 P. S. § 5701.1303).

   (iv)  The term includes a licensee that enrolls, insures or otherwise provides an insurance related service to participants that procure health insurance through a governmental health insurance program exempted under subparagraph (iii).

   (v)  Subject to subparagraph (ii), the term "licensee" shall also include a nonadmitted insurer that accepts business placed through a surplus lines licensee (as defined in section 1602 of The Insurance Company Law of 1921 (40 P. S. § 991.1602)) in this Commonwealth, but only in regard to the surplus lines placements placed under Article XVI of The Insurance Company Law of 1921 (40 P. S. §§ 991.1601--991.1625).

   Nonpublic personal financial information--As defined in § 146a.2 (relating to definitions).

   Nonpublic personal health information--

   (i)  The term means either of the following:

   (A)  Health information that identifies an individual who is the subject of the information.

   (B)  Health information that there is a reasonable basis to believe could be used to identify an individual.

   (ii)  The term does not include nonpublic personal financial information.

   Producer--An insurance agent or broker licensed or required to be licensed by the Department under the act.
