806 KAR 3:220. Privacy of health information.
RELATES TO: 15 U.S.C. 6801(b)
STATUTORY AUTHORITY: KRS 304.2-110(1), 15 U.S.C. 6801(b), 6805
NECESSITY, FUNCTION, AND CONFORMITY: KRS 304.2-110(1) authorizes the commissioner to promulgate reasonable administrative regulations necessary for or as an aid to the effectuation of any provision of the Kentucky Insurance Code. 15 USC 6801(b) and 6805(b)(2) require state insurance executive directors to establish standards for insurers, agencies, and agents to safeguard the security and confidentiality of consumer records and information. This administrative regulation establishes privacy requirements for an insurer, agency, or agent’s use of consumers’ health information.
Section 1. Definitions. (1) "Affiliate" means any company that controls, is controlled by, or is under common control with another company.
(2) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(3) "Executive Director" is defined in KRS 304.1-050(1).
(4) "Consumer" means an individual who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information, or that individual’s legal representative.
(5) "Continuing relationship" between a consumer and a licensee means:
(a) The consumer is a current policyholder of an insurance product issued by or through the licensee; or
(b) The consumer obtains financial, investment, or economic advisory services relating to an insurance product or service from the licensee for a fee.
(6) "Control" means:
(a) Ownership, control, or power to vote twenty-five (25) percent or more of the outstanding shares of any class of voting security of the company or acting through one (1) or more persons;
(b) Control, in any manner, over the election of a majority of the directors, trustees or general partners, or individuals exercising similar functions, of the company; or
(c) The power to exercise a controlling influence over the management or policies of the company.
(7) "Customer" means a consumer who has a customer relationship with a licensee.
(8) "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides to the consumer one (1) or more insurance products or services that are to be used primarily for personal, family, or household purposes.
(9) "Health care" means preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that:
(a) Relates to the physical, mental, or behavioral condition of an individual;
(b) Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or
(c) Prescribing, dispensing, or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
(10) "Health care provider" is defined in KRS 304.17A-005(23).
(11) "Health information" means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(a) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(b) The provision of health care to an individual; or
(c) Payment for the provision of health care to an individual.
(12) "Insurer" is defined in KRS 304.1-040.
(13) "Licensee" means a licensed insurer, producer, or other person licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to KRS Chapter 304.
(14) "Nonpublic personal health information" means health information:
(a) That identifies an individual who is the subject of the information; or
(b) With respect to which there is a reasonable basis to believe that the information may be used to identify an individual.
(15) "Person" is defined in KRS 304.1-020.
Section 2. Continuing Relationship. A consumer shall not be deemed to have a continuing relationship with the licensee if:
(1) The consumer applies for insurance but does not purchase the insurance;
(2) The licensee sells the consumer airline travel insurance in an isolated transaction;
(3) The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
(4) The consumer is a beneficiary or claimant under a policy and has submitted a claim under that policy choosing a settlement option involving an ongoing relationship with the licensee;
(5) The consumer is a beneficiary or claimant under a policy and has submitted a claim under that policy choosing a lump sum settlement option;
(6) The customer’s policy has lapsed, expired, or is otherwise inactive or dormant under the licensee’s business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve (12) consecutive months, other than annual privacy notices, material required by law or administrative regulation, communication at the direction of a state or federal authority, or promotional materials;
(7) The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity; or
(8) The individual’s last known address according to the licensee’s records is deemed invalid. An address of record shall be deemed invalid if mail sent to that address by the licensee is returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual are unsuccessful.
Section 3. When Authorization Required for Disclosure of Nonpublic Personal Health Information. (1) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization in compliance with Section 4 of this administrative regulation is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
(2) Nothing in this section shall prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee:
(a) Claims administration;
(b) Claims adjustment and management;
(c) Detection, investigation, or reporting of actual or potential fraud;
(d) Misrepresentation or criminal activity;
(f) Policy placement or issuance;
(g) Loss control;
(h) Ratemaking and guaranty fund functions;
(i) Reinsurance and excess loss insurance;
(j) Risk management;
(k) Case management;
(l) Disease management;
(m) Quality assurance;
(n) Quality improvement;
(o) Performance evaluation;
(p) Provider credentialing verification;
(q) Utilization review;
(r) Peer review activities;
(s) Actuarial, scientific, medical or public policy research;
(t) Grievance procedures;
(u) Internal administration of compliance, managerial, and information systems;
(v) Policyholder service functions;
(y) Database security;
(z) Administration of consumer disputes and inquiries;
(aa) External accreditation standards;
(bb) The replacement of a group benefit plan or workers’ compensation policy or program;
(cc) Activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
(dd) Any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rule which is promulgated by the U.S. Department of Health and Human Services at 45 CFR 160 to 164;
(ee) Disclosure that is required, or is one (1) of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and
(ff) Any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process.
(3) Additional functions may be added through administrative regulations to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.
Section 4. Authorizations. (1) A valid authorization to disclose nonpublic personal health information pursuant to this administrative regulation shall:
(a) Be in written or electronic form; and
(b) Contain all of the following:
1. The identity of the consumer or customer who is the subject of the nonpublic personal health information;
2. A general description of the types of nonpublic personal health information to be disclosed;
3. General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used;
4. The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed;
5. Notice of the length of time for which the authorization is valid, which in no event shall be for more than twenty-four (24) months; and
6. Advise the consumer or customer that he may revoke the authorization, subject to the rights of an individual who acted in reliance on the authorization prior to the notice of revocation at any time, and the procedure for making a revocation.
(2) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this administrative regulation at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.
(3) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.
Section 5. Delivery of Authorization Requests. (1) A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to 806 KAR 3:210(10), if the request and authorization form are clear and conspicuous.
(2) An authorization request form shall be delivered to the consumer or customer or included in any other notices if the licensee intends to disclose protected health information, except as permitted under Section 3(2) of this administrative regulation.
(3) An authorization form shall be in compliance with Section 4 of this administrative regulation.
Section 6. Relationship to Federal Rules. Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services at 45 CFR 160 to 164, if a licensee complies with all requirements of 45 CFR 160 to 164, the licensee shall not be subject to the provisions of this administrative regulation.
Section 7. Relationship to Kentucky Laws. Nothing in this administrative regulation shall preempt or supersede existing Kentucky laws related to medical records, health, or insurance information privacy. (28 Ky.R. 1532; Am. 1839; eff. 2-11-2002; TAm eff. 8-9-2007.)