Section 2028.30  Confidentiality Protocol

a)         A company shall develop and implement a confidentiality protocol to accommodate a reasonable request by a requestor to receive communications of claim-related information from the company by alternative means or at alternative locations if the requestor clearly states that disclosure of all or part of the information could endanger the insured. The confidentiality protocol shall provide that, except with the express consent of the requestor, the company shall not disclose to the policyholder:

1)         the address, telephone number or any other personally identifying information of the insured or child for whose benefit a request was made;

2)         the nature of the health care services provided;

3)         the name or address of the provider of the health care services; or

4)         any other information from which there is a reasonable basis to believe the foregoing information could be obtained.

b)         A company may require that:

1)         a requestor making a request do so in writing;

2)         the request contain a statement that disclosure of all or part of the claim‑related information to which the request pertains could endanger the insured or child; and

3)         the request specify an alternative address, telephone number or other method of contact.

c)         The company's confidentiality protocol shall include written procedures to be followed by its employees, agents, representatives or other persons with whom the company contracts and who may have access to the information sought to be kept confidential. The written procedures shall include:

1)         the procedure by which a requestor may make a reasonable request, provided that the procedure shall not require a justification as part of the reasonable request;

2)         the procedure by which the requestor may provide an alternative address, telephone number or other method of contact;

3)         the procedure for limiting access to personally identifying information, such as the name, address, telephone number and social security number of an insured and any other information from which there is a reasonable basis to believe the foregoing information could be obtained;

4)         the procedure for limiting or removing personal identifiers before information is used or disclosed, when possible;

5)         a system of internal control procedures, which the company shall review at least annually, to ensure the confidentiality of:

A)        addresses, telephone numbers or other methods of contact;

B)        the fact that a requestor made a reasonable request or that an order of protection was delivered to the company, and any information contained in the request or order; and

C)        any other information from which there is a reasonable basis to believe the information specified in subsections (c)(5)(A) and (B) could be obtained; and

6)         the procedure by which a requestor may revoke a reasonable request; provided, however, that the company may require the requestor to submit a sworn statement revoking the request.

d)         Notification of Company's Protocol

1)       A company may receive a request electronically (email or fax) or in hardcopy (mail, hand or other means of delivery).  In the case of electronic delivery, the company shall have three business days to assess the reasonableness of the request.  In the case of hardcopy delivery, the company shall have five business days to assess the reasonableness of the request.  If the request is determined to be reasonable, the procedures of this subsection (d) shall be followed.  A determination that a request is reasonable shall not be unduly withheld, and the company's determination shall be documented as part of the internal control procedures required by subsection (c)(5).

2)       A company shall notify its employees, agents, representatives and other persons with whom the company contracts who have access to the information sought to be kept confidential that the company's protocol is to be followed for the specified insured, within three business days after:

A)        receipt of a reasonable request; or

B)        receipt of a valid order of protection and an alternative address, telephone number or other method of contact.

3)         Upon receipt of a reasonable request or a valid order of protection, a company shall inform the individual who delivered the order of protection or the requestor that the company has up to three business days to implement the requirements of subsection (d)(1).

e)         A company may not require a requestor to provide a justification for the reasonable request.

f)         Notification of Release of Information

1)         Prior to releasing any information prohibited to be disclosed under Section 355b of the Code, pursuant to a warrant, subpoena or court order involving the policyholder or another insured covered under the policy, a company shall notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information. The notification shall specify what type of information the company intends to release, unless prohibited by the warrant, subpoena or court order.

2)         Upon release of information pursuant to a warrant, subpoena or court order, a company shall advise the person to whom the company is releasing the information that the information is confidential and that the person should continue to maintain the confidentiality of the information to the extent possible.

g)         A company shall comply with Article XL of the Code regarding Insurance Information and Privacy Protection and, if applicable, the federal Health Insurance Portability and Accountability Act of 1996, as amended, with respect to any information submitted pursuant to Section 355b of the Code or this Part.