An insurance institution, agent or insurance-support organization shall not disclose any personal or privileged information concerning an individual collected or received in connection with an insurance transaction unless the disclosure is:
(1) Made with the written authorization of the individual, provided: (A) If such authorization is submitted by another insurance institution, agent or insurance-support organization, it meets the requirements of section 38a-981, or (B) if such authorization is submitted by a person other than an insurance institution, agent or insurance-support organization, it shall be: (i) Dated, (ii) signed by the individual, and (iii) obtained within one year prior to the date a disclosure is sought pursuant to this subdivision;
(2) Made to a person other than an insurance institution, agent or insurance-support organization, provided such disclosure is reasonably necessary: (A) To enable such person to perform a business, professional or insurance function for the disclosing insurance institution, agent or insurance-support organization, and such person agrees not to disclose the information without the individual's written authorization unless the disclosure: (i) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization, or (ii) is reasonably necessary for such person to perform such person's function for the disclosing insurance institution, agent or insurance-support organization; or (B) to enable such person to provide information to the disclosing insurance institution, agent or insurance-support organization for the purpose of: (i) Determining an individual's eligibility for an insurance benefit or payment, or (ii) detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction;
(3) Made to an insurance institution, agent, insurance-support organization or self-insurer, provided the information disclosed is limited to that which is reasonably necessary: (A) To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with insurance transactions, or (B) for either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual;
(4) Made to a medical-care institution or medical professional for the purpose of: (A) Verifying insurance coverage or benefits; (B) informing an individual of a medical problem of which such individual may not be aware; or (C) conducting an operations or services audit, provided only such information is disclosed as is reasonably necessary to accomplish the foregoing purposes;
(5) Made to an insurance regulatory authority;
(6) Made to a law enforcement or other government authority: (A) To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or (B) if the institution, agent or organization reasonably believes that illegal activities have been conducted by the individual;
(7) Otherwise permitted or required by law;
(8) In response to a facially valid administrative or judicial order, including a search warrant or subpoena;
(9) Made for the purpose of conducting actuarial or research studies, provided: (A) No individual may be identified in any actuarial or research report; (B) materials in which the individual may be identified are returned or destroyed as soon as they are no longer necessary; and (C) the actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization;
(10) Made to a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the insurance institution, agent or insurance-support organization, provided: (A) Prior to the consummation of the sale, transfer, merger or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger or consolidation; and (B) the recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization;
(11) Made to a person whose only use of such information will be in connection with the marketing of a product or service, provided: (A) No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living or general reputation is disclosed, and no classification derived from such information is disclosed; (B) the individual has been afforded an opportunity to indicate that the individual does not wish personal information disclosed for marketing purposes and has given no indication that the individual does not wish the information disclosed; and (C) the person receiving such information agrees not to use it except in connection with the marketing of a product or service;
(12) Made to an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, provided (A) with regard to individually identifiable medical records information, written consent of the individual to whom the individually identifiable medical record pertains is obtained prior to disclosure for marketing purposes, and (B) the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons;
(13) Made by a consumer reporting agency, provided the disclosure is made to a person other than an insurance institution or agent;
(14) Made to a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the recipient to conduct the audit;
(15) Made to a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional;
(16) Made to a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable;
(17) Made to a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction;
(18) Made to a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, provided: (A) No medical-record information is disclosed unless the disclosure would otherwise be permitted by this section; and (B) the information disclosed is limited to that which is reasonably necessary to permit such person to protect its interests in such policy;
(19) Made pursuant to section 53-445;
(20) Made to the Department of Public Health in conjunction with the investigation of a health care provider pursuant to section 19a-14.
(P.A. 81-368, S. 14, 25; P.A. 82-21, S. 2, 3; P.A. 93-430, S. 6, 9; P.A. 99-284, S. 39, 60; P.A. 02-24, S. 11; P.A. 06-195, S. 17.)
History: P.A. 82-21 added Subsec. (r), providing that an insurer cannot disclose personal or privileged information unless disclosure is made to persons having legal interest in the insurance policy and specified that provisions apply to personal or privileged information collected or received before or after October 1, 1982; Sec. 38-513 transferred to Sec. 38a-988 in 1991; P.A. 93-430 made technical changes for accuracy and added Subdiv. (s), providing that an insurer cannot disclose personal or privileged information unless such disclosure is made pursuant to health insurance fraud under Sec. 53-445, effective October 1, 1994; P.A. 99-284 amended Subdiv. (l) by adding Subpara. (1) re individually identifiable medical records and designated existing proviso as Subpara. (2), effective July 1, 2000; P.A. 02-24 changed Subdiv. designators from (a) to (s) to (1) to (19), deleted “or” at the end of Subdivs. and made technical changes; P.A. 06-195 added Subdiv. (20) to permit insurers to make disclosures to Department of Public Health in conjunction with investigation of a health care provider.