[32 Pa.B. 5268]
[Continued from previous Web Page]
Subchapter B. RULES FOR DISCLOSURE OF NONPUBLIC PERSONAL HEALTH INFORMATION Sec.
146b.11. Authorization required for disclosure of nonpublic personal health information. 146b.12. Authorizations. 146b.13. Authorization request delivery. § 146b.11. Authorization required for disclosure of nonpublic personal health information.
(a) Authorization required. A licensee may not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer whose nonpublic personal health information is sought to be disclosed.
(b) Insurance function exception. Nothing in this section prohibits, restricts or requires an authorization for the disclosure of nonpublic personal health information by a licensee to the extent that the disclosure of nonpublic personal health information is necessary for the performance of one or more of the following insurance functions by or on behalf of the licensee:
(1) Claims administration, including coordination of benefits and subrogation.
(2) Claims adjustment, investigation, negotiation, settlement and management.
(3) Detection, prevention, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity.
(4) Underwriting.
(5) Policy placement or issuance.
(6) Loss control.
(7) Ratemaking and guaranty fund functions.
(8) Reinsurance and excess loss insurance.
(9) Risk management.
(10) Case management.
(11) Disease management and wellness programs.
(12) Quality assurance.
(13) Quality improvement.
(14) Performance evaluation.
(15) Provider training, accreditation or certification by a recognized accrediting or certifying body, license and credential verification.
(16) Utilization review.
(17) Peer review activities.
(18) Actuarial, scientific, medical or public policy research.
(19) Grievance and complaint procedures.
(20) Internal administration of compliance, managerial and information systems.
(21) Policyholder service functions.
(22) Auditing.
(23) Reporting (examples include reporting to medical index or consumer reporting bureaus and legally required reporting of disease, injury, vital statistics, child or adult abuse, neglect or domestic violence).
(24) Database security.
(25) Administration of consumer disputes and inquiries.
(26) External accreditation standards.
(27) The replacement of a group benefit plan or workers compensation policy or program.
(28) Activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit.
(29) An activity that permits disclosure without authorization under the Federal regulation.
(30) Disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes.
(31) An activity otherwise permitted by law, required under governmental regulatory or reporting authority, or to comply with legal process.
(32) Compliance with qualified medical child support Orders.
(33) Preventive service reminders that do not require disclosure of nonpublic personal health information that a consumer has not previously disclosed directly to the recipient of the information.
(c) Disclosure of nonpublic personal health information. Disclosure of nonpublic personal health information is necessary when the disclosure is required or when disclosure is usual, appropriate or acceptable for the purpose of performing an insurance function identified in subsection (b).
(d) Insurance functions performed by third parties on behalf of the licensee. A licensee may disclose nonpublic personal health information to a third party not licensed by the Department provided that the nonpublic personal health information is disclosed only for the purposes of carrying out one or more of the insurance functions identified in subsection (b). The Department may hold a licensee responsible for disclosures made by a third party that violate the requirements of this chapter.
(e) Additional insurance functions. Additional insurance functions may be added with the approval of the Commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.
§ 146b.12. Authorizations.
(a) Valid authorization contents. A valid authorization to disclose nonpublic personal health information under § 146b.11(a) (relating to authorization required for disclosure of the nonpublic personal health information) shall be in written or electronic form and shall contain all of the following:
(1) The identity of the consumer who is the subject of the nonpublic personal health information.
(2) A general description of the types of nonpublic personal health information to be disclosed.
(3) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used.
(4) The signature of the consumer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed.
(5) Notice of the length of time for which the authorization is valid and that the consumer may revoke the authorization at any time and the procedure for making a revocation.
(b) Duration of authorization. An authorization for the purposes of § 146b.11(a) shall specify a length of time for which the authorization shall remain valid, which may not be for more than 24 months.
(c) Revocation of authorization. A consumer who is the subject of nonpublic personal health information may revoke an authorization provided under this subchapter at any time, subject to the rights of an individual or licensee who acted in reliance on the authorization prior to notice of the revocation.
(d) Record of authorization. A licensee shall retain the authorization and a revocation of the authorization, or copies thereof, for 6 years in the record of the individual who is the subject of nonpublic personal health information.
§ 146b.13. Authorization request delivery.
A request for authorization and an authorization form may be delivered to a consumer as part of a privacy notice delivered under Chapter 146a (relating to privacy of consumer financial information), provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or included in other notices unless the licensee intends to disclose nonpublic personal health information under § 146b.11(a) (relating to authorization required for disclosure of nonpublic personal health information).
Subchapter C. ADDITIONAL PROVISIONS Sec.
146b.21. Relationship with other laws. 146b.22. Nondiscrimination. 146b.23. Violation. 146b.24. Compliance dates. § 146b.21. Relationship with other laws.
(a) Relationship with the Federal regulation. Irrespective of whether a licensee is subject to the Federal regulation, if a licensee complies with the Federal regulation, the licensee will not be subject to this chapter.
(b) Relationship with other state law or regulation. Nothing in this chapter preempts or supersedes existing laws or regulations of the Commonwealth that relate to medical records, health or insurance information privacy.
(c) Relationship with the Fair Credit Reporting Act. This chapter will not be construed to modify, limit or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u), and no inference may be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of that act (15 U.S.C.A. § 1681a).
(d) Relationship with section 648 of the act (40 P. S. § 288). This chapter will not be construed to modify, limit or supersede the operation of section 648 of the act (40 P. S. § 288) regarding customer privacy.
§ 146b.22. Nondiscrimination.
A licensee may not unfairly discriminate against a consumer because that consumer has not granted authorization for the disclosure of nonpublic personal health information under this chapter.
§ 146b.23. Violation.
Violations of this chapter are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to applicable penalties or remedies contained in the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.15).
§ 146b.24. Compliance dates.
(a) Licensees with $5 million or more in annual receipts shall comply with the applicable requirements of this chapter by the corresponding compliance date applicable to the Federal regulation.
(b) Licensees with less than $5 million in annual receipts shall comply with the applicable requirements of this chapter by the corresponding compliance date applicable to the Federal regulation.
[Pa.B. Doc. No. 02-1878. Filed for public inspection October 25, 2002, 9:00 a.m.]
No part of the information on this site may be reproduced for profit or sold for profit.This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.