A. An insurance institution, agent, or insurance-support organization shall not disclose any medical-record information or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is with the written authorization of the individual, provided:
1. If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirements of § 38.2-606; or
2. If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:
a. Dated,
b. Signed by the individual, and
c. Obtained two years or less prior to the date a disclosure is sought pursuant to this subdivision.
B. Notwithstanding the provisions of subsection A of this section, an insurance institution, agent, or insurance-support organization may disclose personal or privileged information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:
1. To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary:
a. To enable that person to perform a business, professional or insurance function for the disclosing insurance institution, agent, or insurance-support organization and that person agrees not to disclose the information further without the individual's written authorization unless the further disclosure:
(1) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
(2) Is reasonably necessary for that person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or
b. To enable that person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:
(1) Determining an individual's eligibility for an insurance benefit or payment; or
(2) Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or
2. To an insurance institution, agent, or insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:
a. To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or
b. For either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or
3. To a medical-care institution or medical professional for the purpose of (i) verifying insurance coverage or benefits, (ii) informing an individual of a medical problem of which the individual may not be aware or (iii) conducting an operations or services audit, provided only that information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or
4. To an insurance regulatory authority; or
5. To a law-enforcement or other government authority:
a. To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or
b. If the insurance institution, agent, or insurance-support organization reasonably believes that illegal activities have been conducted by the individual; or
c. Upon written request of any law-enforcement agency, for all insured or claimant information in the possession of an insurance institution, agent, or insurance-support organization which relates to an ongoing criminal investigation. Such insurance institution, agent, or insurance-support organization shall release such information, including, but not limited to, policy information, premium payment records, record of prior claims by the insured or by another claimant, and information collected in connection with an insurance company's investigation of an application or claim. Any information released to a law-enforcement agency pursuant to such request shall be treated as confidential criminal investigation information and not be disclosed further except as provided by law. Notwithstanding any provision in this chapter, no insurance institution, agent, or insurance-support organization shall notify any insured or claimant that information has been requested or supplied pursuant to this section prior to notification from the requesting law-enforcement agency that its criminal investigation is completed. Within ninety days following the completion of any such criminal investigation, the law-enforcement agency making such a request for information shall notify any insurance institution, agent, or insurance-support organization from whom information was requested that the criminal investigation has been completed; or
6. Otherwise permitted or required by law; or
7. In response to a facially valid administrative or judicial order, including a search warrant or subpoena; or
8. Made for the purpose of conducting actuarial or research studies, provided:
a. No individual may be identified in any actuarial or research report, and
b. Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed, and
c. The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
9. To a party or a representative of a party to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance-support organization, provided:
a. Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation, and
b. The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
10. To a nonaffiliated third party whose only use of such information will be in connection with the marketing of a nonfinancial product or service, provided:
a. No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from the information is disclosed,
b. The individual has been given an opportunity, in accordance with the provisions of subsection A of § 38.2-612.1, to indicate that he does not want financial information disclosed for marketing purposes and has given no indication that he does not want the information disclosed, and
c. The nonaffiliated third party receiving such information agrees not to use it except in connection with the marketing of the product or service; or
11. (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or (ii) from a consumer report reported by a consumer reporting agency; or
12. To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit; or
13. To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional; or
14. To a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable; or
15. To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or
16. To a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, or to persons acting in a fiduciary or representative capacity on behalf of the individual, provided that:
a. No medical record information is disclosed unless the disclosure would be permitted by this section; and
b. The information disclosed is limited to that which is reasonably necessary to permit such person to protect his interest in the policy; or
17. Necessary to effect, administer, or enforce a transaction requested or authorized by the individual, or in connection with servicing or processing an insurance product or service requested or authorized by the individual, or necessary for reinsurance purposes, or for stop loss or excess loss agreements provided for in subsection B of § 38.2-109; or
18. Pursuant to any federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services.
C. An insurance institution, agent, or insurance-support organization may disclose information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:
1. To a nonaffiliated third party whose only use of such information will be to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, provided:
a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B of this section,
b. With respect to financial information, the individual has been given the notice required by subsection B of § 38.2-604.1, and
c. The person receiving such financial information agrees, by contract, (i) not to use it except to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution's product or service or the marketing of products or services offered pursuant to a joint marketing agreement, or as permitted under subsection B of this section and (ii) to maintain the confidentiality of such information and not disclose it to any other nonaffiliated third party unless such disclosure would otherwise be permitted by this section if made by the insurance institution, agent, or insurance-support organization;
2. To an affiliate, provided:
a. No medical-record information or privileged information is disclosed without the individual's written authorization unless such disclosure is otherwise permitted by subsection B of this section, and
b. The affiliate receiving the information does not disclose the information except as would otherwise be permitted by this section if such disclosure were made by the insurance institution, agent, or insurance-support organization.
D. 1. No person proposing to issue, re-issue, or renew any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance, issued by any (i) insurer providing hospital, medical and surgical or major medical coverage on an expense incurred basis, (ii) corporation providing a health services plan, or (iii) health maintenance organization providing a health care plan for health care services shall disclose any genetic information about an individual or a member of such individual's family collected or received in connection with any insurance transaction unless the disclosure is made with the written authorization of the individual.
2. For the purpose of this subsection, "genetic information" means information about genes, gene products, or inherited characteristics that may derive from an individual or a family member.
3. Agents and insurance support organizations shall be subject to the provisions of this subsection to the extent of their participation in the issue, re-issue, or renewal of any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance.
E. Any notices, disclosures, or authorizations required by this section may be provided electronically if the individual agrees.
F. Any privileged information about an individual that is disclosed in violation of this section shall be available to that individual in accordance with the provisions of §§ 38.2-608 and 38.2-609.
G. Except in the case of disclosures made pursuant to subdivision B 10 of this section, the requirements of subsection A of § 38.2-612.1 shall not apply when information is disclosed pursuant to this section.
1981, c. 389, § 38.1-57.16; 1986, c. 562; 1987, c. 325; 1996, c. 704; 2001, c. 371.