2003 Montana Legislature

HOUSE BILL NO. 205

INTRODUCED BY FRANKLIN

BY REQUEST OF THE STATE AUDITOR

AN ACT REVISING MONTANA'S INSURANCE PRIVACY LAWS TO COMPLY WITH THE FEDERAL GRAMM-LEACH-BLILEY ACT AND THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; ALLOWING A LIMITED EXEMPTION FROM THE PRIVACY ACT FOR ENTITIES COVERED BY THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 PRIVACY REGULATIONS; REQUIRING NATIONAL NOTICE FORMS TO REFER TO THE SPECIFIC STATE NOTICE FORM; AUTHORIZING DISCLOSURE OF CERTAIN NONMEDICAL INFORMATION TO A LIENHOLDER, MORTGAGEE, ASSIGNEE, OR LESSOR; AMENDING SECTIONS 33-19-104, 33-19-105, 33-19-202, 33-19-301, 33-19-306, AND 33-19-307, MCA; AND PROVIDING EFFECTIVE DATES AND AN APPLICABILITY DATE.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:

Section 1. Section 33-19-104, MCA, is amended to read:

"33-19-104. Definitions. As used in this chapter, the following definitions apply:

(1) (a) "Adverse underwriting decision" means any of the following actions with respect to insurance transactions involving insurance coverage that are individually underwritten:

(i) a declination of insurance coverage;

(ii) a termination of insurance coverage;

(iii) failure of an insurance producer to apply for insurance coverage with a specific insurance institution that the insurance producer represents and that is requested by an applicant;

(iv) in the case of a property or casualty insurance coverage:

(A) placement by an insurance institution or insurance producer of a risk with a residual market mechanism, an unauthorized insurer, or an insurance institution that specializes in substandard risks; or

(B) the charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished;

(v) in the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.

(b) The following actions are not adverse underwriting decisions, but the insurance institution or insurance producer responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:

(i) the termination of an individual policy form on a class or statewide basis;

(ii) a declination of insurance coverage solely because the coverage is not available on a class or statewide basis; or

(iii) the rescission of a policy.

(2) "Affiliate" or "affiliated" means a person who directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person.

(3) "Applicant" means a person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(4) "Consumer report" means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.

(5) "Consumer reporting agency" means a person who:

(a) regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee;

(b) obtains information primarily from sources other than insurance institutions; and

(6) "Control", including the terms "controlled by" or "under common control with", means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.

(7) "Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or insurance producer of requested insurance coverage.

(8) "Individual" means a natural person who:

(a) regarding property or casualty insurance, is a past, present, or proposed named insured or certificate holder;

(b) regarding life, health, or disability insurance, is a past, present, or proposed principal insured or certificate holder;

(d) is a past or present applicant;

(e) is a past or present claimant; or

(f) derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this chapter.

(9) "Institutional source" means a person or governmental entity that provides information about an individual to an insurance producer, insurance institution, or insurance-support organization, other than:

(a) an insurance producer;

(b) the individual who is the subject of the information; or

(10) "Insurance function" means claims administration, claims adjustment and management, fraud investigation, fraud prevention, underwriting, loss control, ratemaking functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, subrogation, grievance procedures, insurance transactions, and internal administration of compliance and policyholder service functions, and technical, administrative, or professional services related to the provision of the functions described in this subsection.

(11) (a) "Insurance institution" means a corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations, and health service corporations as defined in 33-30-101.

(b) Insurance institution does not include insurance producers or insurance-support organizations.

(12) "Insurance producer" means an insurance producer as defined in 33-17-102 and 33-30-311.

(13) (a) "Insurance-support organization" means a person who assembles or collects information about natural persons for the purpose of providing the information to an insurance institution or insurance producer for insurance transactions, including:

(i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or insurance producer for use in connection with an insurance transaction; or

(ii) the collection of personal information from insurance institutions, insurance producers, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.

(b) The following persons are not insurance-support organizations for purposes of this chapter: insurance producers, government institutions, medical care institutions, and medical professionals.

(14) "Insurance transaction" means a transaction involving insurance primarily for personal, family, or household needs, rather than for business or professional needs, that entails:

(a) the determination of an individual's eligibility for an insurance coverage, benefit, or payment; or

(b) the servicing of an insurance application, policy, contract, or certificate.

(15) "Investigative consumer report" means a consumer report or portion of a consumer report containing information about a natural person's character, general reputation, personal characteristics, or mode of living obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning this type of information.

(16) "Licensee" means:

(a) an insurance institution, insurance producer, or other person who is licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to this title; or

(b) a surplus lines insurer.

(17) "Medical care institution" means a facility or institution that is licensed to provide health care services to natural persons, including but not limited to health maintenance organizations, home health agencies, hospitals, medical clinics, public health agencies, rehabilitation agencies, and skilled nursing facilities.

(18) "Medical professional" means a person who is licensed or certified to provide health care services to natural persons, including but not limited to a chiropractor, clinical dietitian, clinical psychologist, dentist, nurse, occupational therapist, optometrist, pharmacist, physical therapist, physician, podiatrist, psychiatric social worker, or speech-language pathologist.

(19) "Medical record information" means personal information that:

(a) relates to an individual's physical or mental condition, medical history, medical claims history, or medical treatment; and

(b) is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian.

(20) "Person" means a natural person, corporation, association, partnership, or other legal entity.

(21) "Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. Personal information includes an individual's name and address and medical record information but does not include privileged information.

(22) "Policyholder" means a person who:

(a) in the case of individual property or casualty insurance, is a present named insured;

(b) in the case of individual life, health, or disability insurance, is a present policyowner; or

(23) "Pretext interview" means an interview during which a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

(a) pretends to be someone else;

(b) pretends to represent a person not in fact being represented;

(d) refuses to provide identification upon request.

(24) "Privileged information" means any individually identifiable information that:

(a) relates to a civil or criminal proceeding involving an individual; and

(b) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. Information otherwise meeting the requirements of privileged information under this subsection is considered personal information under this chapter if it is disclosed in violation of 33-19-306.

(25) "Residual market mechanism" means an association, organization, or other entity defined or described in 61-6-144.

(26) "Separate, written authorization" means an individual's written authorization that is:

(a) given to obtained by the recipient of personal or privileged information that has been disclosed to the recipient pursuant to 33-19-306(3) through (22) 33-19-306(10), (11), (14), (15), and (17); and

(b) separate from any written authorization obtained by the disclosing insurance institution, insurance producer, or insurance-support organization.

(27) "Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(28) "Unauthorized insurer" means an insurance institution that has not been granted a certificate of authority by the commissioner to transact the business of insurance in this state."

Section 2. Section 33-19-105, MCA, is amended to read:

"33-19-105. Exemption based on federal medical privacy rules standards for privacy of individually identifiable health information -- notice to commissioner required. (1) If a licensee is subject to and in compliance with a Beginning on [the effective date of this act], the obligations imposed under this chapter do not apply to a licensee that is a covered entity under the provisions of federal rule regulations that is are part of the federal health insurance portability and accountability privacy rules Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR, parts 160 and 164, and the federal rule with which the licensee complies is inconsistent with a provision of this chapter and not less protective of consumer privacy, the licensee is exempt from compliance with the inconsistent provision of this chapter standards for privacy of individually identifiable health information as to any use or disclosure of personal information that is covered under the HIPAA privacy regulations, except for the following provisions:

(a) Notices of insurance information practices described as notices of privacy practices for protected health information under HIPAA privacy regulations must be delivered annually, as provided for in 33-19-202(1).

(b) To the extent that an insurer collects, discloses, or uses personal information that is not covered under the HIPAA notice of privacy practices, a separate Montana specific notice must be delivered pursuant to the provisions of 33-19-202.

(c) A disclosure authorization remains valid for a period that does not exceed 24 months, as provided for in 33-19-206(2).

(d) Reasons for adverse underwriting decisions must be specified, as provided for in 33-19-303.

(e) Disclosure of underwriting information is required, as provided for in 33-19-308.

(2) The commissioner may adopt rules regarding the exceptions from the exemption provisions described in subsection (1), including additional exceptions that embody substantive provisions of this chapter but would not be preempted by HIPAA privacy regulations.

(2)(3) If a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (1), the licensee shall give written notice to the commissioner of that exemption and a brief statement describing why it is a HIPAA-covered entity. The notice must include a statement of the reason for the claimed exemption.

(4) A licensee may claim an exemption only as to those lines of business that are subject to HIPAA privacy regulations. All other lines of business are subject to this chapter.

(5) A third-party administrator that is a party to a valid business associate agreement required by HIPAA privacy regulations is exempt from the provisions of this chapter, but only as to the scope of that particular agreement. Any activities of the third-party administrator that fall outside of the scope of that agreement are subject to the provisions of this chapter.

(6) The commissioner retains the authority to conduct complete market conduct examinations of the licensee as to the privacy policies and practices that are subject to state privacy laws.

(7) Beginning July 1, 2005:

(a) if a licensee is subject to and in compliance with a federal regulation that is part of the federal health insurance portability and accountability privacy regulations, 45 CFR, parts 160 and 164, and the federal regulation with which the licensee complies is inconsistent with a provision of this chapter and not less protective of consumer privacy, the licensee is exempt from compliance with the inconsistent provision of this chapter;

(b) if a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (7)(a), the licensee shall give written notice to the commissioner of that exemption, unless the requirements of this subsection (7) are preempted by HIPAA privacy regulations. The notice must include a statement of the reason for the claimed exemption."

Section 3. Section 33-19-202, MCA, is amended to read:

"33-19-202. Notice of insurance information practices -- delivery of notice. A licensee shall provide a clear and conspicuous notice of information practices that accurately reflects its privacy policies and practices to individuals about whom personal information is collected and disclosed by the licensee in connection with insurance transactions as follows:

(1) (a) Except as provided in subsection (2), in the case of a policyholder or certificate holder, a notice must be delivered by an insurance institution:

(i) in the case of policies issued after July 1, 2001, no later than at the time of the delivery of the insurance policy or certificate, unless the notice delivered to the policyholder or certificate holder pursuant to subsection (4)(a) (5)(a) when the policyholder or certificate holder was an applicant is still accurate;

(ii) at least annually, the 12-month period for which may be defined by the insurance institution and must be used consistently. The notice to certificate holders required in this subsection (1)(a)(ii) is not required if the insurance institution has not had any communication, including receiving a claim, from a certificate holder since the initial or last annual notice provided to the certificate holder.

(iii) in the case of a policy renewed after July 1, 2001, no later than the policy renewal date, except that notice is not required in connection with a policy renewal if:

(A) personal information is collected only from the policyholder or from public records; or

(B) a notice meeting the requirements of this section has been given within the previous 12 months.

(b) When a policyholder or certificate holder obtains a new insurance product or service or when a policy is reinstated and any notices already provided are no longer accurate with respect to the new product, service, or reinstatement, a new or revised and accurate notice must be delivered to the policyholder or certificate holder no later than the time that the product or service is provided by the licensee or at the time of reinstatement, except that notice is not required if personal information is collected only from the policyholder or from public records.

(2) (a) An insurance institution is not required to meet the requirements of this section with respect to certificate holders until the insurance institution has personally identifiable information regarding the certificate holder.

(b) Until the notice requirements of subsection (1) are met, a third-party administrator or other agent or representative of an insurance institution may not disclose personal information, except as allowed in 33-19-306(2).

(3) The notice required in subsection (1) must be in writing and must state:

(a) the categories of personal information that may be collected from persons other than the individual or individuals covered;

(b) if a licensee discloses personal or privileged information to a third party without an authorization pursuant to an exception in 33-19-306 or 33-19-307, a separate description of the categories of information and the categories of third parties to whom the licensee discloses personal information;

(c) the categories of personal information about a former policyholder or certificate holder that the licensee discloses pursuant to 33-19-306 and 33-19-307 and the categories of persons to whom the disclosure may be made;

(d) any disclosure that the licensee makes pursuant to section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C. 1681, et seq.; and

(e) the licensee's policies and practices with respect to protecting the confidentiality and security of personal and privileged information;.

(4) The following information must be contained in the initial notice delivered at the time of application and in any subsequent annual notice if the policy renews periodically:

(f)(a) a description of the rights established under 33-19-301 and 33-19-302 and the manner in which those rights may be exercised;

(g)(b) that information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons if the licensee collects or uses information from or discloses personal information to an insurance-support organization; and

(h)(c) that an individual is entitled to receive, upon written request to the licensee, a record of any subsequent disclosures of medical record information, as described in 33-19-301, made by the licensee pursuant to 33-19-306 that must include:

(i) the name, address, and institutional affiliation, if any, of each person receiving or examining the medical information during the preceding 3 years;

(ii) the date of the receipt or examination; and

(iii) to the extent practicable, a description of the information disclosed and 33-19-307.

(4)(5) In the case of individuals who are not policyholders or certificate holders:

(a) except as provided in subsection (7) (8), in the case of an applicant, an insurance institution shall provide a notice as described in subsection (3) when the applicant submits an application;

(b) for all other individuals, a notice must be given when a licensee seeks an authorization pursuant to 33-19-306(2) to make a disclosure that is not allowed by a disclosure exception provided for in 33-19-306(3) through (22) (24) or 33-19-307. A notice given pursuant to this subsection (4)(b) (5)(b) may be in an abbreviated form and must state that:

(i) personal information may be collected from persons other than the individual or individuals proposed for coverage;

(ii) the information as well as other personal or privileged information subsequently collected by the insurance institution or insurance producer may in certain circumstances be disclosed to third parties without authorization;

(iii) a right of access and correction exists with respect to all personal information collected; and

(iv) the notice prescribed in subsection (3) must be furnished upon request. The abbreviated notice provided for in this subsection (4)(b) (5)(b) must explain a reasonable means by which an individual may obtain that notice.

(5)(6) The obligations imposed by this section upon a licensee may be satisfied:

(a) by another licensee authorized to act on its behalf;

(b) by sending a notice to the primary policyholder of an individual policy or to the primary certificate holder.

(6)(7) A licensee shall provide a notice required by this section so that an intended recipient can reasonably be expected to receive actual notice in writing or, if the intended recipient agrees, electronically, as follows:

(a) by hand-delivering a printed copy of the notice to the intended recipient;

(b) by mailing a printed copy of the notice to the last-known address of the individual separately or in a policy, billing, or other written communication; or

(c) for an individual who has agreed to conduct transactions electronically, as provided in applicable law, by posting the notice on the electronic site and requiring the individual to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.

(7)(8) An insurance institution may provide the notice required in subsection (4)(a) (5)(a) telephonically if an application is submitted by telephone. A telephone notice under this subsection may be in abbreviated form as provided for in subsections (4)(b)(i) through (4)(b)(iv) (5)(b)(i) through (5)(b)(iv).

(8)(9) If a licensee is required to provide notice concerning privacy in addition to the notice required by this section, the A licensee may satisfy the notice requirements in this section through the use of combined or separate notices. If more than one notice form is used, a notice containing provisions specific to Montana must conspicuously refer to any other notice form. the licensee shall refer the individual to state specific notice forms that may be used. Any national notice form must give individuals clear and conspicuous notice that when state law is more protective of individuals than federal privacy law, the licensee will protect information in accordance with state law."

Section 4. Section 33-19-301, MCA, is amended to read:

"33-19-301. Access to recorded personal information. (1) If an individual, after proper identification, submits a written request to an insurance institution, insurance producer, or insurance-support organization for access to recorded personal information about the individual that is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, insurance producer, or insurance-support organization, the insurance institution, insurance producer, or insurance-support organization shall, within 30 business days from the date such that the request is received:

(a) inform the individual of the nature and substance of the recorded personal information in writing, by telephone, or by other oral communication, whichever the insurance institution, insurance producer, or insurance-support organization prefers;

(b) permit the individual to see and copy, in person, the recorded personal information pertaining to him the individual or to obtain a copy of the recorded personal information by mail, whichever the individual prefers. If the recorded personal information is in coded form, an accurate translation in plain language must be provided in writing.

(c) except for the tracking of disclosures of medical record information that must be recorded and disclosed under subsection (2), disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, insurance producer, or insurance-support organization has disclosed the personal information within 2 years prior to the request and, if the identity is not recorded, the names of those insurance institutions, insurance producers, insurance-support organizations, or other persons to whom such the information is normally disclosed; and

(d) provide the individual with a summary of the procedures he that the individual may use to request correction, amendment, or deletion of recorded personal information.

(2) (a) If an individual, after proper identification, submits a written request to a licensee for a record of disclosures of medical record information, the licensee shall provide to the individual a record of all disclosures of medical record information made by the licensee pursuant to 33-19-306(8), (9), other than disclosures made to law enforcement authorities, (10)(b), (12)(a)(iii), (13), (14), only as to medical record information that has not been deidentified, (15), (21), only as to medical record information that has not been deidentified, or (22) or 33-19-307. The record of those disclosures must include:

(i) the name, address, and institutional affiliation, if any, of each person receiving or examining the medical information during the preceding 2 years;

(ii) the date of the receipt or examination; and

(iii) to the extent practicable, a description of the information disclosed.

(b) If an individual submits a written request to a licensee for a record of disclosures of medical record information and the licensee may have made medical record information disclosures pursuant to 33-19-306(4)(b), (5), (11), (12)(a)(i), (12)(a)(ii), (12)(b), (16), (18), or (19), the licensee must provide the individual with a description of the types of medical record information that the licensee may disclose under those exceptions, along with a general description of the usual recipients of that information. Individual tracking of each disclosure of medical record information is not required.

(2)(3) Personal information provided pursuant to subsection (1) must identify the source of the information if such the source is an institutional source.

(3)(4) Medical record information supplied by a medical care institution or medical professional and requested under subsection (1), together with the identity of the medical professional or medical care institution that provided the information, shall must be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the insurance institution, insurance producer, or insurance-support organization prefers. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, insurance producer, or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional. The medical professional may review and interpret the information and, at the request of the affected individual, shall consult with the affected individual.

(4)(5) Except for personal information provided under 33-19-303, an insurance institution, insurance producer, or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.

(5)(6) The obligations imposed by this section upon an insurance institution or insurance producer may be satisfied by another insurance institution or insurance producer authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subsection (1), an insurance institution, insurance producer, or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.

(6)(7) The rights granted to individuals in this section extend to all natural persons to the extent information about them is collected, and maintained, and disclosed by an insurance institution, insurance producer, or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection do not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them, except for the tracking of medical record information as provided for in subsection (2).

(7)(8) For the purposes of this section, the term "insurance-support organization" does not include "consumer reporting agency"."

Section 5. Section 33-19-306, MCA, is amended to read:

"33-19-306. Disclosure limitations and conditions. (1) Except as provided in this section, a licensee may not disclose personal or privileged information about an individual collected or received in connection with an insurance transaction.

(2) Disclosure may be made with the written authorization of the individual. The authorization must be in the form provided in 33-19-206.

(3) Disclosure limited to that which is reasonably necessary may be made to a person to enable the person to provide information to the disclosing licensee for the purpose of detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction. A person to whom information is disclosed pursuant to this subsection shall agree in writing not to further disclose the information, but this requirement for an agreement does not prevent disclosure of information that is necessary to obtain further information for the purposes set forth in this subsection.

(4) (a) Disclosure may be made between licensees if the information disclosed is limited to that which is reasonably necessary:

(i) to detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or

(ii) for either the disclosing or receiving licensee to perform its insurance function in connection with an insurance transaction involving an individual.

(b) A licensee receiving information pursuant to this subsection (4) may not further disclose the information unless otherwise permitted by this section.

(5) Disclosure may be made to a medical care institution, a medical professional, or the individual to whom the information pertains if that information is reasonably necessary for the following purposes:

(a) verifying insurance coverage or benefits;

(b) informing an individual of a medical problem of which the individual may not be aware;

(d) determining the reasonableness or necessity of medical services.

(6) Disclosure:

(a) may be made to an insurance regulatory authority that agrees not to further disclose the information without the individual's separate, written authorization;

(b) must be made as required by law; and

(7) Disclosure may be made by a licensee or an insurance-support organization to a law enforcement or other government authority or to an insurance regulatory agency:

(a) to protect the interests of a licensee in preventing, investigating, or prosecuting the perpetration of fraud upon a licensee; or

(b) if the licensee or insurance-support organization reasonably believes that illegal activities have been conducted by the individual.

(8) Disclosure that is limited to that which is reasonably necessary may be made as otherwise permitted or required by law.

(9) Disclosure that is limited to that which is reasonably necessary may be made in response to a facially valid administrative or judicial order, including a search warrant or subpoena.

(10) (a) Except as provided in subsection (10)(b), disclosure that is limited to that which is reasonably necessary may be made for the purpose of conducting actuarial or research studies if:

(i) an individual is not identified in any actuarial or research report;

(ii) materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed; and

(iii) the actuarial or research organization agrees not to further disclose the information without the individual's separate, written authorization.

(b) Disclosure of information may be made for:

(i) health research that is subject to the approval of an institutional review board and the requirements of federal law and regulations governing biomedical research; or

(ii) epidemiological or drug therapy outcomes research that requires information that has been made anonymous to protect the identity of the patient through coding or encryption.

(11) Disclosure may be made to a party or a representative of a party to a proposed sale, transfer, merger, or consolidation of all or part of the business of the licensee or insurance-support organization if:

(a) prior to the consummation of the sale, transfer, merger, or consolidation only information is disclosed that is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation; and

(b) the recipient agrees not to further disclose the information without the individual's separate, written authorization.

(12) (a) Disclosure that is limited to that which is reasonably necessary may be made to a licensee's affiliate as follows:

(i) to allow use of the information in connection with an audit of the licensee;

(ii) to enable a licensee to perform an insurance function; or

(iii) as allowed by 33-19-307.

(b) A licensee disclosing pursuant to this section must have a written agreement with the affiliate that the affiliate will not use or further disclose information received except to carry out the purposes set forth in subsection (12) (a) and that if further disclosure is necessary to meet those purposes, the disclosure will be made only to the licensee or to a person who agrees in writing to be bound by the same prohibition on use and disclosure. A disclosure allowed by 33-19-307 is governed by that section.

(13) Disclosure that is limited to that which is reasonably necessary may be made to an insurance-support organization to perform insurance-support services for the licensee. The insurance-support organization may redisclose the information to the extent necessary to provide its services to its member or subscriber licensees and other insurance-support organizations or as otherwise permitted by law, but not for a marketing purpose.

(14) Notwithstanding any other provision of this section, disclosure Disclosure may be made to a group policyholder for the purpose of reporting claims experience or conducting an audit of the licensee's operations or services if the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit and the group policyholder agrees not to further disclose the information without the individual's separate, written authorization. Information Medical record information disclosed pursuant to this subsection must be edited to prevent the identification of the applicant, policyholder, or certificate holder. Employer audits that are required by the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1001, et seq., as amended, are not subject to the provisions of this subsection.

(15) Disclosure that is limited to that which is reasonably necessary may be made to a professional peer review organization for the purpose of reviewing the service or conduct of a medical care institution or medical professional if the professional peer review organization agrees not to further disclose the information without the individual's separate, written authorization.

(16) Disclosure that is limited to that which is reasonably necessary may be made to a governmental authority as required by federal or state law or for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable.

(17) Disclosure that is limited to that which is reasonably necessary may be made to a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction. Disclosure pursuant to this subsection may not be made to a group policyholder without a separate, written authorization from the individual.

(18) Disclosure may be made to a person contractually engaged to provide services to enable a licensee to perform an insurance function, or to perform an insurance function on behalf of a licensee, if the person agrees in writing that the person will not use or further disclose information obtained or developed pursuant to the engagement except to carry out the limited purpose of the engagement and that if further disclosure is necessary to perform the insurance function, that disclosure will be made only to the licensee or to a person who agrees in writing to be bound by the same prohibitions on use and disclosure.

(19) If a licensee has to disclose personal or privileged information in order to perform an insurance function and disclosure is not permitted under another exception in this section, disclosure may be made to a person other than a licensee if the disclosure is limited to that which is reasonably necessary to enable the person to perform services or an insurance function for the disclosing licensee and if the person is notified by the licensee that the person is prohibited from:

(a) using the information other than to carry out the limited purpose for which the information is disclosed; and

(b) disclosing the information other than to the licensee and as allowed in subsection (3).

(20) Disclosure may be made to a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or insurance producer as having a legal interest in a policy of insurance if:

(a) medical record information is not disclosed; and

(b) the information disclosed is limited to that which is reasonably necessary to permit the person with a legal interest in the policy to protect that person's interests in that policy.

(21) Disclosure may be made to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants, and auditors, if the disclosure is limited to that which is reasonably necessary to enable the person or entity to perform services or an insurance function for the disclosing licensee and if the person or entity is notified by the licensee that the person or entity is prohibited from using the information, other than to carry out the limited purpose for which the information is disclosed.

(20)(22) Notwithstanding any other provision of this chapter, disclosure for a marketing purpose may be made only as allowed by 33-19-307.

(21)(23) Nothing in this section may be construed to prevent the disclosure of personal information that is otherwise discoverable pursuant to the Montana Rules of Civil Procedure.

(22)(24) The commissioner may adopt rules creating additional exceptions to disclosure restrictions for the purpose of allowing a licensee or insurance-support organization to carry out a necessary insurance function. The commissioner shall adopt rules establishing the methods that must be used by licensees to prevent identification as described in subsection (14)."

Section 6. Section 33-19-307, MCA, is amended to read:

"33-19-307. Personal information used for marketing purposes -- restrictions. (1) Except as permitted in this section, a licensee may not use or disclose personal information for a marketing purpose. For the purposes of this section, an insurance producer who describes to the producer's clients products or services available through the producer is not engaged in marketing.

(2) A licensee may use or disclose to another licensee personal information that is reasonably necessary to enable the licensee to market insurance products or services. A licensee may use or disclose to another licensee personal information, excluding medical record information, that is reasonably necessary to enable the licensee to market financial products and services. A licensee that receives personal information under this section from a disclosing licensee may not further disclose the information or use the information for any purpose other than marketing insurance and financial products and services.

(3) A licensee may disclose personal information that is reasonably necessary to enable an affiliate that is not a licensee to market insurance products and services. A licensee may disclose to an affiliate that is not a licensee personal information, excluding medical record information, that is reasonably necessary to enable the affiliate to market financial products and services. Disclosures under this subsection may be made only with a written agreement with the affiliate that the affiliate will not further disclose the information and will use it only for marketing insurance or financial products and services.

(4) A licensee may disclose personal information that is reasonably necessary to enable a person contractually engaged to provide services for or on behalf of the licensee to market insurance or financial products or services if the person agrees in writing that the person will not use or further disclose information obtained or developed pursuant to the engagement except to carry out the limited purpose of the engagement. A licensee shall adopt, and maintain, and monitor policies and procedures reasonably designed to ensure that third parties with whom the licensee contracts under this subsection comply with the requirements of this section.

(5) A licensee may use or disclose personal information for purposes other than those specified in subsections (2) and (3) through (4) only with an individual's separate written authorization as described in 33-19-306(2). In addition to meeting the requirements of 33-19-206, the authorization must:

(a) clearly and conspicuously state that the disclosed information is intended to be used for marketing purposes;

(b) specify each entity or type of entity to which the licensee intends to disclose the information;

(d) specify the type of marketing that the individual might receive pursuant to the disclosure."

Section 7. Effective dates -- applicability. (1) [Section 2 and this section] are effective on passage and approval.

(2) [Sections 1 and 3 through 6] are effective January 1, 2004, and apply to policies issued or renewed on or after January 1, 2004.

- END -

Latest Version of HB 205 (HB0205.ENR)
Processed for the Web on April 8, 2003 (11:33am)

New language in a bill appears underlined, deleted material appears stricken.

Sponsor names are handwritten on introduced bills, hence do not appear on the bill until it is reprinted.

See the status of this bill for the bill's primary sponsor.

Status of this Bill | 2003 Legislature | Leg. Branch Home
All versions of this bill inPDF
Authorized print version w/line numbers (PDF format)

Prepared by Montana Legislative Services
(406) 444-3064