Section 2028.5  Purpose

 

People experiencing actual or threatened violence frequently establish new addresses and telephone numbers to protect their health and safety. Section 355b of the Code requires the Director to adopt rules to guide companies in guarding against disclosure of information protected pursuant to that Section. This Part establishes requirements for health companies so that they effectively respond to reasonable requests for receipt of claim-related information by alternative means and keep that information confidential in conformance with Section 355b of the Code.

 

Section 2028.10  Applicability

 

a)                  This Part shall apply to a company that issues, delivers, amends or renews an individual or group policy of accident and health insurance in this State on or after January 1, 2014.

 

b)         With respect to a company authorized to write other kinds of insurance in addition to accident and health insurance, this Part shall apply only with respect to accident and health insurance coverage.

 

Section 2028.20  Definitions

 

As used in this Part:

 

"Accident and health insurance" shall have the meaning set forth in Section 4 Class 1(b) and Class 2(a) of the Code and includes those coverages authorized by the Health Maintenance Organization Act [215 ILCS 125], the Limited Health Service Organization Act [215 ILCS 130], and the Voluntary Health Services Plan Act [215 ILCS 165]. With regard to a fraternal benefit society, the term includes coverages authorized by Section 297.1(4) and (5) of the Code.

 

"Address" means a street address, mailing address or e-mail address.

 

"Claim related information" means all claim or billing information relating specifically to an insured, subscriber or person covered by an individual or group policy of accident and health insurance issued, delivered, amended or renewed by a company doing business in this State.

 

"Code" means the Illinois Insurance Code [215 ILCS 5].

 

"Company" means a company, as defined in Section 2 of the Code, that issues, delivers, amends or renews an individual or group policy of accident and health insurance or other insurance providing accident and health insurance benefits.

 

"Director" means the Director of the Illinois Department of Insurance.

 

"Fraternal benefit society" shall have the meaning set forth in Section 282.1 of the Code.

 

"Insured" means a natural person who is, has been or will be covered under an individual or group accident and health policy or a policy including accident and health coverage.

 

"Person" means a natural person or legal entity, including a partnership, limited liability company, association, trust or corporation.

 

"Policy" means a policy, contract or certificate of accident and health insurance.

 

"Policyholder" means a person to whom a policy has been issued.

 

"Reasonable request" means:

 

a statement that disclosure of all or part of the claim related information to which the request pertains could endanger an individual; or

 

a copy of a valid protective order from a court of competent jurisdiction.

 

The request shall specify an alternative address, telephone number or other method of contact.

 

"Requestor" means an insured making a request to receive claim-related information by alternative means, or the insured's legal representative, or, with regard to an insured who is a child, the child's parent or guardian.

 

Section 2028.30  Confidentiality Protocol

 

a)         A company shall develop and implement a confidentiality protocol to accommodate a reasonable request by a requestor to receive communications of claim-related information from the company by alternative means or at alternative locations if the requestor clearly states that disclosure of all or part of the information could endanger the insured. The confidentiality protocol shall provide that, except with the express consent of the requestor, the company shall not disclose to the policyholder:

 

1)         the address, telephone number or any other personally identifying information of the insured or child for whose benefit a request was made;

 

2)         the nature of the health care services provided;

 

3)         the name or address of the provider of the health care services; or

 

4)         any other information from which there is a reasonable basis to believe the foregoing information could be obtained.

 

b)         A company may require that:

 

1)         a requestor making a request do so in writing;

 

2)         the request contain a statement that disclosure of all or part of the claim‑related information to which the request pertains could endanger the insured or child; and

 

3)         the request specify an alternative address, telephone number or other method of contact.

 

c)         The company's confidentiality protocol shall include written procedures to be followed by its employees, agents, representatives or other persons with whom the company contracts and who may have access to the information sought to be kept confidential. The written procedures shall include:

 

1)         the procedure by which a requestor may make a reasonable request, provided that the procedure shall not require a justification as part of the reasonable request;

 

2)         the procedure by which the requestor may provide an alternative address, telephone number or other method of contact;

 

3)         the procedure for limiting access to personally identifying information, such as the name, address, telephone number and social security number of an insured and any other information from which there is a reasonable basis to believe the foregoing information could be obtained;

 

4)         the procedure for limiting or removing personal identifiers before information is used or disclosed, when possible;

 

5)         a system of internal control procedures, which the company shall review at least annually, to ensure the confidentiality of:

 

A)        addresses, telephone numbers or other methods of contact;

 

B)        the fact that a requestor made a reasonable request or that an order of protection was delivered to the company, and any information contained in the request or order; and

 

C)        any other information from which there is a reasonable basis to believe the information specified in subsections (c)(5)(A) and (B) could be obtained; and

 

6)         the procedure by which a requestor may revoke a reasonable request; provided, however, that the company may require the requestor to submit a sworn statement revoking the request.

 

d)         Notification of Company's Protocol

 

1)       A company may receive a request electronically (email or fax) or in hardcopy (mail, hand or other means of delivery).  In the case of electronic delivery, the company shall have three business days to assess the reasonableness of the request.  In the case of hardcopy delivery, the company shall have five business days to assess the reasonableness of the request.  If the request is determined to be reasonable, the procedures of this subsection (d) shall be followed.  A determination that a request is reasonable shall not be unduly withheld, and the company's determination shall be documented as part of the internal control procedures required by subsection (c)(5).

 

2)       A company shall notify its employees, agents, representatives and other persons with whom the company contracts who have access to the information sought to be kept confidential that the company's protocol is to be followed for the specified insured, within three business days after:

 

A)        receipt of a reasonable request; or

 

B)        receipt of a valid order of protection and an alternative address, telephone number or other method of contact.

 

3)         Upon receipt of a reasonable request or a valid order of protection, a company shall inform the individual who delivered the order of protection or the requestor that the company has up to three business days to implement the requirements of subsection (d)(1).

 

e)         A company may not require a requestor to provide a justification for the reasonable request.

 

f)         Notification of Release of Information

 

1)         Prior to releasing any information prohibited to be disclosed under Section 355b of the Code, pursuant to a warrant, subpoena or court order involving the policyholder or another insured covered under the policy, a company shall notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information. The notification shall specify what type of information the company intends to release, unless prohibited by the warrant, subpoena or court order.

 

2)         Upon release of information pursuant to a warrant, subpoena or court order, a company shall advise the person to whom the company is releasing the information that the information is confidential and that the person should continue to maintain the confidentiality of the information to the extent possible.

 

g)         A company shall comply with Article XL of the Code regarding Insurance Information and Privacy Protection and, if applicable, the federal Health Insurance Portability and Accountability Act of 1996, as amended, with respect to any information submitted pursuant to Section 355b of the Code or this Part.

 

Section 2028.40  Notice

 

a)         A company shall post conspicuously on its website and annually provide all its participating health service providers with:

 

1)         a description of Section 355b of the Code;

 

2)         the information required by Section 2028.30(c)(1), (2) and (6); and

 

3)         the phone number for the State of Illinois Domestic Violence Helpline.

 

b)         A company shall recommend to its participating health service providers that the providers print and post the information in their offices.