(a) A covered entity may disclose, without an authorization,
nonpublic personal health information to the extent that the disclosure is
necessary to perform the following insurance functions or legally required
activity on behalf of that covered entity:
(1) the investigation or reporting of actual or potential fraud,
misrepresentation, or criminal activity;
(2) underwriting;
(3) the placement or issuance of an insurance product;
(4) loss control services;
(5) ratemaking and guaranty fund functions;
(6) reinsurance and excess loss insurance;
(7) risk management;
(8) case management;
(9) disease management;
(10) quality assurance;
(11) quality improvement;
(12) performance evaluation;
(13) health care provider credentialing verification;
(14) utilization review;
(15) peer review activities;
(16) actuarial, scientific, medical, or public policy research;
(17) grievance procedures;
(18) the internal administration of compliance, managerial,
and information systems;
(19) policyholder services;
(20) auditing;
(21) reporting;
(22) database security;
(23) the administration of consumer disputes and inquiries;
(24) external accreditation standards;
(25) the replacement of a group benefit plan or workers' compensation
policy or program;
(26) activities in connection with a sale, merger, transfer,
or exchange of all or part of a business or operating unit;
(27) any activity that permits disclosure without authorization
under the federal Health Insurance Portability and Accountability Act of 1996
(42 U.S.C. Section 1320d et seq.), as amended;
(28) disclosure that is required, or is a lawful or appropriate
method, to enforce the covered entity's rights or the rights of other persons
engaged in carrying out a transaction or providing an insurance product or
service that the consumer requests or authorizes;
(29) claims administration, adjustment, and management;
(30) any activity otherwise permitted by law, required pursuant
to a governmental reporting authority, or required to comply with legal process;
and
(31) any other insurance functions that the commissioner approves
that are:
(A) necessary for appropriate performance of insurance functions;
and
(B) fair and reasonable to the interests of consumers.
(b) A disclosure for marketing purposes shall not be considered
to be an insurance function or any other type of activity that constitutes
an exception under this section.
|