38.2-613 - Disclosure limitations and conditions.
§ 38.2-613. Disclosure limitations and conditions.
A. An insurance institution, agent, or insurance-support organization shallnot disclose any medical-record information or privileged information aboutan individual collected or received in connection with an insurancetransaction unless the disclosure is with the written authorization of theindividual, provided:
1. If the authorization is submitted by another insurance institution, agent,or insurance-support organization, the authorization meets the requirementsof § 38.2-606; or
2. If the authorization is submitted by a person other than an insuranceinstitution, agent, or insurance-support organization, the authorization is:
a. Dated,
b. Signed by the individual, and
c. Obtained two years or less prior to the date a disclosure is soughtpursuant to this subdivision.
B. Notwithstanding the provisions of subsection A of this section, aninsurance institution, agent, or insurance-support organization may disclosepersonal or privileged information about an individual collected or receivedin connection with an insurance transaction, without written authorization,if the disclosure is:
1. To a person other than an insurance institution, agent, orinsurance-support organization, provided the disclosure is reasonablynecessary:
a. To enable that person to perform a business, professional or insurancefunction for the disclosing insurance institution, agent, orinsurance-support organization and that person agrees not to disclose theinformation further without the individual's written authorization unless thefurther disclosure:
(1) Would otherwise be permitted by this section if made by an insuranceinstitution, agent, or insurance-support organization; or
(2) Is reasonably necessary for that person to perform its function for thedisclosing insurance institution, agent, or insurance-support organization; or
b. To enable that person to provide information to the disclosing insuranceinstitution, agent, or insurance-support organization for the purpose of:
(1) Determining an individual's eligibility for an insurance benefit orpayment; or
(2) Detecting or preventing criminal activity, fraud, materialmisrepresentation, or material nondisclosure in connection with an insurancetransaction; or
2. To an insurance institution, agent, or insurance-support organization, orself-insurer, provided the information disclosed is limited to that which isreasonably necessary:
a. To detect or prevent criminal activity, fraud, material misrepresentation,or material nondisclosure in connection with insurance transactions; or
b. For either the disclosing or receiving insurance institution, agent orinsurance-support organization to perform its function in connection with aninsurance transaction involving the individual; or
3. To a medical-care institution or medical professional for the purpose of(i) verifying insurance coverage or benefits, (ii) informing an individual ofa medical problem of which the individual may not be aware or (iii)conducting an operations or services audit, provided only that information isdisclosed as is reasonably necessary to accomplish the foregoing purposes; or
4. To an insurance regulatory authority; or
5. To a law-enforcement or other government authority:
a. To protect the interests of the insurance institution, agent orinsurance-support organization in preventing or prosecuting the perpetrationof fraud upon it; or
b. If the insurance institution, agent, or insurance-support organizationreasonably believes that illegal activities have been conducted by theindividual; or
c. Upon written request of any law-enforcement agency, for all insured orclaimant information in the possession of an insurance institution, agent, orinsurance-support organization which relates an ongoing criminalinvestigation. Such insurance institution, agent, or insurance-supportorganization shall release such information, including, but not limited to,policy information, premium payment records, record of prior claims by theinsured or by another claimant, and information collected in connection withan insurance company's investigation of an application or claim. Anyinformation released to a law-enforcement agency pursuant to such requestshall be treated as confidential criminal investigation information and notbe disclosed further except as provided by law. Notwithstanding any provisionin this chapter, no insurance institution, agent, or insurance-supportorganization shall notify any insured or claimant that information has beenrequested or supplied pursuant to this section prior to notification from therequesting law-enforcement agency that its criminal investigation iscompleted. Within ninety days following the completion of any such criminalinvestigation, the law-enforcement agency making such a request forinformation shall notify any insurance institution, agent, orinsurance-support organization from whom information was requested that thecriminal investigation has been completed; or
6. Otherwise permitted or required by law; or
7. In response to a facially valid administrative or judicial order,including a search warrant or subpoena; or
8. Made for the purpose of conducting actuarial or research studies, provided:
a. No individual may be identified in any actuarial or research report, and
b. Materials allowing the individual to be identified are returned ordestroyed as soon as they are no longer needed, and
c. The actuarial or research organization agrees not to disclose theinformation unless the disclosure would otherwise be permitted by thissection if made by an insurance institution, agent, or insurance-supportorganization; or
9. To a party or a representative of a party to a proposed or consummatedsale, transfer, merger, or consolidation of all or part of the business ofthe insurance institution, agent, or insurance-support organization, provided:
a. Prior to the consummation of the sale, transfer, merger, or consolidationonly such information is disclosed as is reasonably necessary to enable therecipient to make business decisions about the purchase, transfer, merger, orconsolidation, and
b. The recipient agrees not to disclose the information unless the disclosurewould otherwise be permitted by this section if made by an insuranceinstitution, agent, or insurance-support organization; or
10. To a nonaffiliated third party whose only use of such information will bein connection with the marketing of a nonfinancial product or service,provided:
a. No medical-record information, privileged information, or personalinformation relating to an individual's character, personal habits, mode ofliving, or general reputation is disclosed, and no classification derivedfrom the information is disclosed,
b. The individual has been given an opportunity, in accordance with theprovisions of subsection A of § 38.2-612.1, to indicate that he does not wantfinancial information disclosed for marketing purposes and has given noindication that he does not want the information disclosed, and
c. The nonaffiliated third party receiving such information agrees not to useit except in connection with the marketing of the product or service; or
11. (i) To a consumer reporting agency in accordance with the Fair CreditReporting Act (15 U.S.C. § 1681 et seq.) or (ii) from a consumer reportreported by a consumer reporting agency; or
12. To a group policyholder for the purpose of reporting claims experience orconducting an audit of the insurance institution's or agent's operations orservices, provided the information disclosed is reasonably necessary for thegroup policyholder to conduct the review or audit; or
13. To a professional peer review organization for the purpose of reviewingthe service or conduct of a medical-care institution or medical professional;or
14. To a governmental authority for the purpose of determining theindividual's eligibility for health benefits for which the governmentalauthority may be liable; or
15. To a certificate holder or policyholder for the purpose of providinginformation regarding the status of an insurance transaction; or
16. To a lienholder, mortgagee, assignee, lessor or other person shown on therecords of an insurance institution or agent as having a legal or beneficialinterest in a policy of insurance, or to persons acting in a fiduciary orrepresentative capacity on behalf of the individual, provided that:
a. No medical record information is disclosed unless the disclosure would bepermitted by this section; and
b. The information disclosed is limited to that which is reasonably necessaryto permit such person to protect his interest in the policy; or
17. Necessary to effect, administer, or enforce a transaction requested orauthorized by the individual, or in connection with servicing or processingan insurance product or service requested or authorized by the individual, ornecessary for reinsurance purposes, or for stop loss or excess lossagreements provided for in subsection B of § 38.2-109; or
18. Pursuant to any federal Health Insurance Portability and AccountabilityAct privacy rules promulgated by the United States Department of Health andHuman Services.
C. An insurance institution, agent, or insurance-support organization maydisclose information about an individual collected or received in connectionwith an insurance transaction, without written authorization, if thedisclosure is:
1. To a nonaffiliated third party whose only use of such information will beto perform services for or functions on behalf of the insurance institutionin connection with the marketing of the insurance institution's product orservice or the marketing of products or services offered pursuant to a jointmarketing agreement, provided:
a. No medical-record information or privileged information is disclosedwithout the individual's written authorization unless such disclosure isotherwise permitted by subsection B of this section,
b. With respect to financial information, the individual has been given thenotice required by subsection B of § 38.2-604.1, and
c. The person receiving such financial information agrees, by contract, (i)not to use it except to perform services for or functions on behalf of theinsurance institution in connection with the marketing of the insuranceinstitution's product or service or the marketing of products or servicesoffered pursuant to a joint marketing agreement, or as permitted undersubsection B of this section and (ii) to maintain the confidentiality of suchinformation and not disclose it to any other nonaffiliated third party unlesssuch disclosure would otherwise be permitted by this section if made by theinsurance institution, agent, or insurance-support organization;
2. To an affiliate, provided:
a. No medical-record information or privileged information is disclosedwithout the individual's written authorization unless such disclosure isotherwise permitted by subsection B of this section, and
b. The affiliate receiving the information does not disclose the informationexcept as would otherwise be permitted by this section if such disclosurewere made by the insurance institution, agent, or insurance-supportorganization.
D. 1. No person proposing to issue, re-issue, or renew any policy, contract,or plan of accident and sickness insurance defined in § 38.2-109, butexcluding disability income insurance, issued by any (i) insurer providinghospital, medical and surgical or major medical coverage on an expenseincurred basis, (ii) corporation providing a health services plan, or (iii)health maintenance organization providing a health care plan for health careservices shall disclose any genetic information about an individual or amember of such individual's family collected or received in connection withany insurance transaction unless the disclosure is made with the writtenauthorization of the individual.
2. For the purpose of this subsection, "genetic information" meansinformation about genes, gene products, or inherited characteristics that mayderive from an individual or a family member.
3. Agents and insurance support organizations shall be subject to theprovisions of this subsection to the extent of their participation in theissue, re-issue, or renewal of any policy, contract, or plan of accident andsickness insurance defined in § 38.2-109, but excluding disability incomeinsurance.
E. Any notices, disclosures, or authorizations required by this section maybe provided electronically if the individual agrees.
F. Any privileged information about an individual that is disclosed inviolation of this section shall be available to that individual in accordancewith the provisions of §§ 38.2-608 and 38.2-609.
G. Except in the case of disclosures made pursuant to subdivision B 10 ofthis section, the requirements of subsection A of § 38.2-612.1 shall notapply when information is disclosed pursuant to this section.
(1981, c. 389, § 38.1-57.16; 1986, c. 562; 1987, c. 325; 1996, c. 704; 2001,c. 371.)