N.Y. Comp. Codes R. & Regs. tit. 11 § 244.3

Current through Register Vol. 46, No. 50, December 11, 2024
Section 244.3 - Confidentiality protocol
(a) An insurer shall develop and implement a confidentiality protocol whereby, except with the express consent of the individual who delivers to the insurer a valid order of protection, the insurer shall keep confidential and shall not disclose the address and telephone number of the victim of domestic violence, or any child residing with the victim, and the name, address, and telephone number of a person providing covered services to the victim, to a policyholder or another insured covered under the policy against whom the victim has a valid order of protection, if the victim, the victim's legal representative, or if the victim is a child, the child's parent or guardian, delivers to the insurer at its home office a valid order of protection pursuant to Insurance Law section 2612(f) and (g).
(b) In addition to the requirements of subdivision (a) of this section, a health insurer shall develop and implement a confidentiality protocol whereby the health insurer shall accommodate a reasonable request made by a requestor for a covered individual to receive communications of claim related information from the health insurer by alternative means or at alternative locations. Except with the express consent of the requestor, a health insurer shall not disclose to the policyholder or another insured covered under the policy:
(1) the address, telephone number, or any other personally identifying information of the covered individual or any child residing with the covered individual;
(2) the nature of the health care services provided to the covered individual;
(3) the name, address, and telephone number of the provider of the covered health care services; or
(4) any other information from which there is a reasonable basis to believe the foregoing information could be obtained.
(c) The insurer's confidentiality protocol shall include written procedures to be followed by its employees, agents, representatives, or other persons with whom the insurer contracts and who may have access to the information sought to be kept confidential. The written procedures shall include:
(1) with respect to a health issuer, the procedure by which a requestor may make a reasonable request, provided that the procedure shall not require a justification as part of the reasonable request;
(2) the procedure by which a victim of domestic violence or a covered individual may provide an alternative address, telephone number, or other method of contact;
(3) the procedure for limiting access to personally identifying information, such as the name, address, telephone number, and social security number of a victim or covered individual and any other information from which there is a reasonable basis to believe the foregoing information could be obtained;
(4) the procedure for limiting or removing personal identifiers before information is used or disclosed, where possible;
(5) a system of internal control procedures, which the insurer shall review at least annually, to ensure the confidentiality of:
(i) addresses, telephone numbers, or other methods of contact;
(ii) the fact that a requestor made a reasonable request or that an order of protection was delivered to the insurer, and any information contained therein; and
(iii) any other information from which there is a reasonable basis to believe the information specified in subparagraphs (i) and (ii) of this paragraph could be obtained; and
(6) with respect to a health insurer, the procedure by which a requestor may revoke a reasonable request, provided, however, that the health insurer may require the requestor to submit a sworn statement revoking the request.
(d)
(1) An insurer shall notify its employees, agents, representatives, and other persons with whom the insurer contracts who have access to the information sought to be kept confidential, that the insurer's protocol is to be followed for the specified victim of domestic violence or covered individual, within three business days of:
(i) receipt of a valid order of protection and an alternative address, telephone number, or other method of contact; or
(ii) receipt of a reasonable request, with regard to a health insurer.
(2) Upon receipt of a valid order of protection or a reasonable request, an insurer shall inform the individual who delivered the order of protection or the requestor that the insurer has up to three business days to implement paragraph (1) of this subdivision.
(e) A health insurer may require a requestor to make a reasonable request in writing pursuant to Insurance Law section 2612(h)(3). However, a health insurer may not require a requestor to provide a justification for the reasonable request.
(f)
(1) Prior to releasing any information prohibited to be disclosed pursuant to subdivisions (a) and (b) of this section pursuant to a warrant, subpoena, or court order involving the policyholder or another insured covered under the policy, an insurer shall notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information and specify what type of information it intends to release, unless prohibited by the warrant, subpoena, or court order.
(2) Upon release of information pursuant to a warrant, subpoena, or court order, an insurer shall advise the person to whom the insurer is releasing the information that the information is confidential and that the person should continue to maintain the confidentiality of the information to the extent possible.
(g) An insurer shall comply with Parts 420 and 421 of this Title (Insurance Regulations 169 and 173) and where applicable, the Federal Health Insurance Portability and Accountability Act of 1996, as amended, with respect to any information submitted pursuant to Insurance Law section 2612 or this Part.
(h) An agent, representative, or designee of an insurer, a corporation organized pursuant to Insurance Law article 43, a health maintenance organization certified pursuant to Public Health Law article 44, or a provider issued a special certificate of authority pursuant to Public Health Law section 4403-a, who is regulated pursuant to the Insurance Law, need not develop its own confidentiality protocol pursuant to this section if the agent, representative, or designee follows the protocol of the insurer, corporation, health maintenance organization, or provider.

Adopted, New York State Register April 9, 2014/Volume XXXVI, Issue 14, eff. 4/9/2014