CHAPTER 33. INSURANCE.

ARTICLE 6F. DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION.

§33-6F-1. Privacy; rules.

(a) No person shall disclose any nonpublic personal information contrary to the provisions of Title V of the Gramm-Leach-Bliley Act, Pub. L. 106-102 (1999).

(b) On or before July 1, 2001, the commissioner shall propose rules for legislative approval in accordance with article twenty, chapter twenty-nine-a of this code necessary to carry out the provisions of Title V of the Gramm-Leach-Bliley Act, Pub. L. 106-102 (1999) and this article.

(c) Medical records and medical billing records obtained by insurers in connection with insurance claims or civil litigation shall be confidentially maintained by insurers in accordance with state and federal law, including the provisions of Title 114, Series 57 of the Code of State Rules, and no additional restrictions or conditions may be imposed that contradict or are inconsistent with any applicable policy of insurance or the performance of insurance functions permitted or authorized by state and federal law. The Insurance Commissioner shall review the provisions of Title 114, Series 57 of the Code of State Rules and, to the extent determined necessary, shall propose new rules or modify existing rules by December 31, 2017 to address:

(1) The circumstances under which an insurance company may disclose medical records and medical billing records to other persons or entities;

(2) The circumstances under which personal identifying information of a person must be redacted before that person’s medical records or medical billing records may be disclosed to other persons or entities;

(3) The steps an insurance company is required to undertake before medical records or medical billing records are disclosed to other persons or entities to assure that any person or entity to which an insurance company is disclosing a person’s medical records or medical billing records will be using such records only for purposes permitted by law; and,

(4) The implementation of the requirement that the insurance company has processes or procedures in place to prevent the unauthorized access by its own employees to a person’s confidential medical records or medical billing records.