(a) An insurance institution, agent or insurance support organization that regularly collects, uses or discloses medical record information, as defined in section 38a-976, shall develop and implement written policies, standards and procedures for the management, transfer and security of medical record information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of medical record information by the insurance institution, agent or insurance support organization or any employee or agent thereof. Such policies, standards and procedures shall include:
(1) Limitation on access to medical record information by only those persons who need to use the medical record information in order to perform their jobs;
(2) Appropriate training for all employees identified in subdivision (4) of this subsection;
(3) Disciplinary measures for violations of the medical record information policies, standards and procedures;
(4) Identification of the job titles of persons that are authorized to use or disclose medical record information;
(5) Procedures for authorizing and restricting the collection, use or disclosure of medical record information;
(6) Methods for handling, disclosing, storing and disposing of medical record information;
(7) Periodic monitoring of the employees' compliance with the policies, standards and procedures in a manner sufficient for the insurance institution, agent or insurance support organization to determine compliance with this section and to enforce its policies, standards and procedures; and
(8) Additional protection against unauthorized disclosure of sensitive health information, which shall include information regarding: Sexually transmitted diseases; mental health; substance abuse; the human immunodeficiency virus and acquired immune deficiency syndrome; and genetic testing, including the fact that an individual has undergone a genetic test.
(b) An insurance institution, agent or insurance support organization shall make the medical record information policies, standards and procedures developed pursuant to this section available for review by the Insurance Commissioner.
(c) A summary of such policies, standards and procedures shall be made available to enrollees upon enrollment and upon request.
(P.A. 99-284, S. 25, 60; P.A. 14-235, S. 10.)
History: P.A. 99-284 effective July 1, 2000; P.A. 14-235 made a technical change in Subsec. (a).
Structure Connecticut General Statutes
Chapter 705 - Connecticut Insurance Information and Privacy Protection Act
Section 38a-976. (Formerly Sec. 38-501). - Definitions.
Section 38a-977. (Formerly Sec. 38-502). - Applicability. Exceptions.
Section 38a-978. (Formerly Sec. 38-503). - Use of pretext interviews.
Section 38a-979. (Formerly Sec. 38-504). - Notice of insurance information practices.
Section 38a-982. (Formerly Sec. 38-507). - Investigative consumer reports.
Section 38a-983. (Formerly Sec. 38-508). - Access to recorded personal information.
Section 38a-988. (Formerly Sec. 38-513). - Disclosure limitations and conditions.
Section 38a-989. (Formerly Sec. 38-514). - Powers of commissioner.
Section 38a-990. (Formerly Sec. 38-515). - Hearings; subpoenas; service of process.
Section 38a-992. (Formerly Sec. 38-517). - Commissioner to prepare findings.
Section 38a-993. (Formerly Sec. 38-518). - Penalties.
Section 38a-994. (Formerly Sec. 38-519). - Appeals from orders.
Section 38a-995. (Formerly Sec. 38-520). - Individual remedies.
Section 38a-996. (Formerly Sec. 38-521). - Immunity.
Section 38a-997. (Formerly Sec. 38-522). - Obtaining information under false pretenses. Fine.
Section 38a-998. (Formerly Sec. 38-523). - Severability.
Section 38a-999. - Written policies, standards and procedures re medical record information.