XBF=1>
 

REPORT TITLE:
Health Information


DESCRIPTION:
Provides for administration of protected health information that
is used, maintained, collected, and disclosed by property and
casualty insurers.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                        
THE SENATE                              S.B. NO.           2439
TWENTIETH LEGISLATURE, 2000                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PROTECTION OF HEALTH INFORMATION BY PROPERTY AND
   CASUALTY INSURERS.
 


BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The purpose of this Act is to set standards to
 
 2 safeguard protected health information from unauthorized
 
 3 collection, use, and disclosure by requiring property and
 
 4 casualty insurers to establish procedures for the treatment of
 
 5 all protected health information.
 
 6      SECTION 2.  Chapter 431, Hawaii Revised Statutes, is amended
 
 7 by adding a new part to article 10 to be appropriately designated
 
 8 and to read as follows:
 
 9           "PART    . PROTECTION OF HEALTH INFORMATION
 
10      431:10-A  Definitions.  As used in this part, except as
 
11 otherwise specifically provided:
 
12      "Commissioner" means the insurance commissioner of this
 
13 State.
 
14      "Department" means the department of commerce and consumer
 
15 affairs.
 
16      "Disclose" means to release or transfer protected health
 
17 information to any person other than to the protected individual
 
18 who is the subject of the protected health information.
 
Page 2                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1      "Facility" means an institution providing health care
 
 2 services or a health care setting, including hospitals and other
 
 3 licensed inpatient centers, ambulatory surgical or treatment
 
 4 centers, skilled nursing centers, residential treatment centers,
 
 5 diagnostic, laboratory and imaging centers, and rehabilitation
 
 6 and other therapeutic health settings.
 
 7      "Health care" means:
 
 8      (1)  Preventive, diagnostic, therapeutic, rehabilitative,
 
 9           maintenance, or palliative care, services, procedures,
 
10           tests, or counseling that:
 
11           (A)  Relates to the physical, mental, or behavioral
 
12                condition of an individual; or
 
13           (B)  Affects the structure or function of the human
 
14                body or any part of the human body; or
 
15      (2)  Prescribing, dispensing, or furnishing to an individual
 
16           drugs or biologicals, or medical devices or health care
 
17           equipment and supplies.
 
18      "Health care professional" means a physician or other health
 
19 care practitioner licensed, accredited, or certified to perform
 
20 specified health services consistent with state law.
 
21      "Health care provider" or "provider" means a health care
 
22 professional or facility.
 
23      "Health information" means any information or data that
 
 
 
Page 3                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1 states personal facts or information that relates to a protected
 
 2 individual's past, present, or future health care including
 
 3 invoices or billing records that identify a protected
 
 4 individual's treatment, condition, or diagnosis; provided,
 
 5 however, that health information does not include non-medical
 
 6 information collected by an insurer in anticipation of or in
 
 7 connection with an injury or illness claim.
 
 8      "Insurance support organization" means a person that
 
 9 regularly engages, in whole or in part, in the practice of
 
10 assembling or collecting information from insurers, agents, or
 
11 other organizations for the purpose of ratemaking or ratemaking-
 
12 related functions, regulatory or legislative cost analysis,
 
13 detecting or preventing fraud, material misrepresentation, or
 
14 material nondisclosure in connection with insurance underwriting,
 
15 or insurance claim activity.
 
16      "Insured" means the person identified by name in a policy
 
17 that falls under this part.
 
18      "Insurer" means any property and casualty insurer within the
 
19 definition of section 431:1-206, 431:1-207, 431:1-208, 431:1-209,
 
20 431:1-210, or 431:1-211 and is licensed under article 3, but
 
21 shall not include monoline mortgage guaranty insurers, financial
 
22 guaranty insurers, title insurers, disability insurers, or
 
23 accident or sickness insurers.
 
 
 
Page 4                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1      "Person" means any person within the definition of section
 
 2 431:1-212.
 
 3      "Protected health information" means health information:
 
 4      (1)  That identifies a protected individual; or
 
 5      (2)  With respect to which there is a reasonable basis to
 
 6           believe that the information could be used to identify
 
 7           a protected individual.
 
 8      "Protected individual" means an individual who is the
 
 9 subject of the protected health information.
 
10      "Unauthorized" means a collection, use, or disclosure of
 
11 protected health information made by an insurer without the
 
12 authorization of the protected individual or that is not in
 
13 compliance with this part, unless collection, use, or disclosure
 
14 without an authorization is permitted by this part or another
 
15 state or federal law.
 
16      431:10-B  Applicability and scope.  This part applies to
 
17 all insurers and governs the management of protected health
 
18 information, including the collection, use, and disclosure of
 
19 protected health information by insurers.
 
20      431:10-C  Protected health information policies, standards,
 
21 and procedures.(a)  An insurer shall develop and implement
 
22 written policies, standards, and procedures for the management of
 
23 protected health information, including policies, standards, and
 
 
 
Page 5                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1 procedures to guard against the unauthorized collection, use, or
 
 2 disclosure of protected health information by the insurer.
 
 3      (b)  In any contractual arrangement between an insurer and a
 
 4 person other than a protected individual or health care provider
 
 5 where the person collects or uses protected health information on
 
 6 behalf of the insurer, or where the insurer discloses protected
 
 7 health information to the person, an insurer shall inform the
 
 8 person of its obligation to comply with any applicable state and
 
 9 federal statutory and regulatory requirements governing the
 
10 collection, use, or disclosure of protected health information.
 
11      (c)  An insurer shall make the protected health information
 
12 policies, standards, and procedures developed pursuant to this
 
13 section available for review by the commissioner.
 
14      431:10-D  Notice of protected health information policies,
 
15 standards, and procedures.(a)  The insurer shall prominently
 
16 post or provide a notice of its confidentiality practices.
 
17 Regardless of the form used, it shall be in clear type, and, if
 
18 transmitted electronically, reasonably capable of being
 
19 reproduced in clear type.  In order to assure uniformity and
 
20 compliance with legislative policy regarding the sufficiency of
 
21 the notice, it shall contain the following language:
 
22              "DRAFT NOTICE PROVISION FOR PART   ,
 
23                    ARTICLE 10 OF CHAPTER 431:
 
 
 
Page 6                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1                 PROTECTION OF HEALTH INFORMATION
 
 2      IMPORTANT:  THIS NOTICE DEALS WITH THE SHARING OF
 
 3 INFORMATION FROM YOUR MEDICAL RECORDS.  PLEASE READ IT CAREFULLY.
 
 4 This Notice provides a general description of your
 
 5 confidentiality rights as they relate to information from your
 
 6 medical records and an explanation of the circumstances under
 
 7 which information from your medical records may be shared with
 
 8 others.  You are receiving this Notice because it is required by
 
 9 Hawaii insurance law.  If you wish to have complete information
 
10 on the Hawaii Protection of Health Information Act, please ask
 
11 for a copy of Part ___, Article 10 of Chapter 431, Hawaii Revised
 
12 Statutes.  This is a part of the Hawaii Insurance Code.
 
13      YOUR RIGHTS WITH RESPECT TO INFORMATION FROM YOUR MEDICAL
 
14 RECORDS.  Your medical records contain "health information",
 
15 which is information or data that states personal facts or
 
16 information about events or relationships that relate to your
 
17 past, present, or future health care, or that relate to invoices
 
18 or billing records that identify your treatment, condition, or
 
19 diagnosis.  Health information does not include non-medical
 
20 information collected by an insurer in anticipation of or in
 
21 connection with an injury or illness claim.  "Protected health
 
22 information" is health information that identifies you, or for
 
23 which there is a reasonable basis to believe that the information
 
 
 
Page 7                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1 could be used to identify you.
 
 2      Your right to receive a record of disclosures of protected
 
 3 health information.  If you make a request, an insurer must
 
 4 provide the details concerning the disclosure of your protected
 
 5 health information.  These details must include the date,
 
 6 purpose, recipient and relevant authorization or basis for the
 
 7 disclosure.  The insurer may charge you a reasonable fee for
 
 8 providing this information.  However, an insurer is not required
 
 9 to provide you with details regarding any disclosures of
 
10 protected health information that were compiled in preparation
 
11 for litigation, law enforcement, or fraud investigation.
 
12      AUTHORIZATION FOR COLLECTION, USE, OR DISCLOSURE OF YOUR
 
13 PROTECTED HEALTH INFORMATION.  An insurer must not collect, use,
 
14 or disclose your protected health information without a valid
 
15 authorization from you, except for specific activities as
 
16 permitted or required by law or court order.  These circumstances
 
17 are described in the next section of this Notice.
 
18      An insurer may obtain from you a written authorization for
 
19 the disclosure of protected health information for any purpose.
 
20 However, the authorization must contain the following details:
 
21      (1)  Your identity;
 
22      (2)  A general description of the types of protected health
 
23           information to be collected, used, or disclosed;
 
 
 
Page 8                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1      (3)  A general description of the sources from which
 
 2           protected health information will be collected;
 
 3      (4)  The name and address of the person to whom the
 
 4           protected health information is to be disclosed.
 
 5           However, this specific information does not need to be
 
 6           shown where the insurer is collecting protected health
 
 7           information to support certain insurance functions.  In
 
 8           those cases, the authorization may generally describe
 
 9           the persons to whom the protected health information
 
10           may be disclosed;
 
11      (5)  The purpose of the authorization, including the reason
 
12           for the collection, the intended use of the protected
 
13           health information, and the scope of any disclosures
 
14           that may be made in carrying out the purpose for which
 
15           the authorization is requested; provided those
 
16           disclosures are not otherwise prohibited by law;
 
17      (6)  Your signature, or the signature of the individual who
 
18           is legally empowered to grant authority for you and the
 
19           date signed; and
 
20      (7)  A statement regarding your right to revoke the
 
21           authorization at any time, and the limitations on that
 
22           right.
 
23      An insurer must obtain from you a separate authorization if
 
 
 
Page 9                                                     
                                     S.B. NO.           2439
                                                        
                                                        


 1 it wishes to disclose protected health information to your
 
 2 employer, including the employer's designated risk manager.  This
 
 3 is not required, however, if the protected health information is:
 
 4      (1)  Disclosed pursuant to your employer's workers'
 
 5           compensation program, to the extent necessary for the
 
 6           performance of your employer's and the insurer's rights
 
 7           and duties under state laws governing workers'
 
 8           compensation;
 
 9      (2)  Disclosed pursuant to your employer's administration of
 
10           a health and welfare benefit plan; or
 
11      (3)  Necessary to the administration of claims pursuant to a
 
12           commercial lines policy.
 
13      An insurer that has collected protected health information
 
14 prior to the effective date of the law is not required to obtain
 
15 an authorization for the information.  However, the information
 
16 the insurer collected may only be used or disclosed in accordance
 
17 with the law.
 
18      Procedures for revoking your authorization and effects upon
 
19 benefits or claims in the absence of protected health
 
20 information.  You may revoke your authorization at any time.  The
 
21 revocation must be in writing, and you must sign and date it.
 
22 However, an insurer is not required to provide a benefit, or
 
23 commence or continue to pay a claim, in the absence of protected
 
 
 
Page 10                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 health information to support or deny the benefit or claim.  This
 
 2 means that if you revoke an authorization and the insurer cannot
 
 3 obtain information it determines it needs to support your claim,
 
 4 it may choose to deny you benefits.
 
 5      Limitations on use and disclosure.  A person who receives
 
 6 protected health information from an insurer is prohibited by law
 
 7 from using or disclosing such information for any purpose other
 
 8 than the lawful purpose for which it was disclosed.
 
 9      An authorization is not a waiver.  Your authorization for an
 
10 insurer to collect, use, or disclose protected health
 
11 information, or a production of protected health information
 
12 pursuant to a court order, does not mean you are waiving any
 
13 other privacy right provided to you by other federal or state
 
14 laws, common law, or rules of evidence.
 
15      COLLECTION, USE, OR DISCLOSURE OF PROTECTED HEALTH
 
16 INFORMATION WITHOUT YOUR AUTHORIZATION.  An insurer may engage in
 
17 specific activities permitted by the law with regard to protected
 
18 health information without your authorization.  The following is
 
19 a general description of some of the activities that are
 
20 permitted by law:
 
21      (1)  The collection of protected health information from or
 
22           disclosure of protected health information to an
 
23           insurer; provided that the insurer that is receiving
 
 
 
Page 11                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           the information is investigating, evaluating,
 
 2           adjusting, or settling a claim involving you; or has
 
 3           become or may become liable under a policy insuring you
 
 4           as a result of a merger, acquisition, or other
 
 5           assumption of such liability;
 
 6      (2)  The collection, use, or disclosure of protected health
 
 7           information to the extent necessary to investigate,
 
 8           evaluate, subrogate, or settle third-party claims
 
 9           (generally, third-party claims are claims that do not
 
10           involve you or the insured); provided that you are the
 
11           claimant and the information is used for no other
 
12           purpose without a valid authorization or the use is
 
13           otherwise permitted under federal or state law;
 
14      (3)  The collection, use, or disclosure of protected health
 
15           information to or from an insurance support
 
16           organization; provided that the information is used
 
17           only to perform the insurance functions of claims
 
18           settlement, detection, and prevention of fraud, or
 
19           detection and prevention of material misrepresentation
 
20           or material nondisclosure; or collected and used
 
21           internally only to perform specific insurance functions
 
22           permitted by law;
 
23      (4)  If the protected health information is necessary to
 
 
 
Page 12                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           provide ongoing health care treatment, and if the
 
 2           disclosure has not been limited or prohibited by you,
 
 3           the collection of protected health information from or
 
 4           the disclosure of the information to:
 
 5           (A)  A health care provider, employed by the insurer,
 
 6                who is furnishing health care to you;
 
 7           (B)  A health care provider with whom the insurer
 
 8                contracts to provide health care services to you;
 
 9                or
 
10           (C)  A referring health care provider who continues to
 
11                furnish health care to you;
 
12      (5)  The disclosure of protected health information to a
 
13           person engaged in the assessment, evaluation or
 
14           investigation of the quality of health care furnished
 
15           by a provider pursuant to statutory or regulatory
 
16           standards or pursuant to the requirements of a private
 
17           or public program authorized to provide for the payment
 
18           of health care;
 
19      (6)  The collection, use, or disclosure of protected health
 
20           information when the information is necessary for the
 
21           performance of the insurer's obligations under any
 
22           property and casualty insurance law or contract;
 
23      (7)  The collection of protected health information from
 
 
 
Page 13                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           you; and
 
 2      (8)  The collection, use, or disclosure of protected health
 
 3           information when the information is obtained from
 
 4           public sources such as newspapers, public agency
 
 5           reports, and law enforcement or public safety reports.
 
 6      Unless otherwise restricted by the law, an insurer who has
 
 7 collected protected health information without your authorization
 
 8 pursuant to one of the circumstances listed above may use and
 
 9 disclose the information to a person acting on behalf of or at
 
10 the direction of the insurer to perform any of the insurer's
 
11 insurance functions.
 
12      An insurer must disclose protected health information
 
13 without your authorization when the insurer is required to do so
 
14 under federal, state, or county law."
 
15      (b)  The insurer shall provide the notice to:
 
16      (1)  The protected individuals when requesting an
 
17           authorization;
 
18      (2)  Any other person upon request; and
 
19      (3)  Insureds at the time the policy is first issued or
 
20           renewed on or after the effective date of this part.
 
21           No further notice shall be required for any renewal or
 
22           replacement policy issued thereafter.
 
23      (c)  The notice may be provided by mail or other practicable
 
 
 
Page 14                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 means.  The signature of the recipient, certificate of mailing,
 
 2 or return receipt is not required.
 
 3      431:10-E  Record of disclosures of protected health
 
 4 information.(a)  An insurer shall provide, upon request by a
 
 5 protected individual, details regarding disclosure of that
 
 6 individual's protected health information.  This information
 
 7 shall include the date, purpose, recipient, and relevant
 
 8 authorization or basis for the disclosure.  The insurer may
 
 9 charge a reasonable fee for providing the information regarding
 
10 the disclosures of information.
 
11      (b)  An insurer is not required to provide any disclosures
 
12 of protected health information that were compiled in preparation
 
13 for litigation, law enforcement, fraud investigation, or in the
 
14 course of a claim investigation.
 
15      431:10-F  Authorization for collection, use, or disclosure
 
16 of protected health information.(a)  An insurer shall not
 
17 collect, use, or disclose protected health information without a
 
18 valid authorization from the protected individual, except as
 
19 permitted by section 431:10-G, or as permitted or required by law
 
20 or court order.  Authorization for the disclosure of protected
 
21 health information may be obtained for any purpose; provided that
 
22 the authorization meets the requirements of this section.
 
23      (b)  An insurer shall retain the authorization or a copy
 
 
 
Page 15                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 thereof in the record of the protected individual for a minimum
 
 2 of three years.
 
 3      (c)  A valid authorization shall be in writing and cover the
 
 4 following:
 
 5      (1)  The identity of the protected individual;
 
 6      (2)  A general description of the types of protected health
 
 7           information to be collected, used, or disclosed;
 
 8      (3)  A general description of the sources from which
 
 9           protected health information will be collected;
 
10      (4)  The name and address of the person to whom the
 
11           protected health information is to be disclosed, except
 
12           that an authorization provided to an insurer for
 
13           collection of protected health information to support
 
14           insurance functions listed in subsection (f) may
 
15           generally describe the persons to whom protected health
 
16           information may be disclosed;
 
17      (5)  The purpose of the authorization, including the reason
 
18           for the collection, the intended use of the protected
 
19           health information, and the scope of any disclosures
 
20           that may be made in carrying out the purpose for which
 
21           the authorization is requested; provided those
 
22           disclosures are not otherwise prohibited by law;
 
23      (6)  The signature of the protected individual, or the
 
 
 
Page 16                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           individual who is legally empowered to grant authority
 
 2           for the protected individual, and the date signed; and
 
 3      (7)  A statement regarding the protected individual's right
 
 4           to revoke the authorization and the limitations to
 
 5           those revocation rights.
 
 6      (d)  An insurer shall obtain a separate authorization to
 
 7 disclose protected health information to an individual's
 
 8 employer, including the employer's designated risk manager,
 
 9 unless:
 
10      (1)  The protected health information is disclosed pursuant
 
11           to the employer's workers' compensation program, to the
 
12           extent necessary for the performance of the employer's
 
13           and insurer's rights and duties under state laws
 
14           governing workers' compensation;
 
15      (2)  The protected health information is disclosed pursuant
 
16           to the employer's administration of a health and
 
17           welfare benefit plan; or
 
18      (3)  The protected health information is necessary to the
 
19           administration of claims pursuant to a commercial lines
 
20           policy.
 
21      (e)  A protected individual may revoke an authorization at
 
22 any time, subject to the rights of any person who acted in
 
23 reliance on the authorization prior to notice of revocation and
 
 
 
Page 17                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 subject to subsection (i).  A revocation of an authorization
 
 2 shall be in writing, dated and signed by the protected
 
 3 individual.  A revocation of an authorization shall be retained
 
 4 by the insurer in the record of the protected individual for a
 
 5 minimum of three years.  An insurer shall give prompt notice of
 
 6 the revocation to all persons to whom the insurer has disclosed
 
 7 protected health information in reliance on the initial
 
 8 authorization.
 
 9      (f)  An insurer that has collected protected health
 
10 information pursuant to a valid authorization in accordance with
 
11 this part may use and disclose the protected health information
 
12 to a person acting on behalf of or at the direction of the
 
13 insurer for the performance of the insurer's insurance functions
 
14 including:  claims administration, claims adjustment and
 
15 management, fraud investigation, underwriting, loss control,
 
16 ratemaking functions, reinsurance, risk management, case
 
17 management, disease management, quality assessment, quality
 
18 improvement, provider credentialing verification, utilization
 
19 review, peer review activities, grievance procedures, internal
 
20 audit or administration of compliance, managerial information
 
21 systems, and policyholder service functions.  The protected
 
22 health information shall not be used or disclosed for any purpose
 
23 other than in the performance of the insurer's insurance
 
 
 
Page 18                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 functions, except as otherwise permitted in this part.
 
 2      (g)  An authorization to collect, use, or disclose protected
 
 3 health information pursuant to this part, or a production of
 
 4 protected health information pursuant to a court order, shall not
 
 5 be construed to constitute a waiver of any other privacy right
 
 6 provided to a protected individual by other federal or state
 
 7 laws, common law, or rules of evidence.
 
 8      (h)  A person who receives protected health information from
 
 9 an insurer shall not use or disclose the protected health
 
10 information for any purpose other than the lawful purpose for
 
11 which it was disclosed.
 
12      (i)  Nothing in this part shall be interpreted as requiring
 
13 an insurer to provide a benefit or commence or continue payment
 
14 of a claim, including workers' compensation claims, in the
 
15 absence of protected health information to support or deny the
 
16 benefit or claim.
 
17      (j)  An insurer that has collected protected health
 
18 information prior to the effective date of this part is not
 
19 required to obtain an authorization for the information; however,
 
20 the information may only be used or disclosed in accordance with
 
21 this part after the effective date of this Act.
 
22      431:10-G  Collection, use, or disclosure of protected
 
23 health information without authorization:  generally.(a)  An
 
 
 
Page 19                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 insurer may engage in the following activities with regard to
 
 2 protected health information without authorization in the
 
 3 following circumstances or as otherwise permitted by law:
 
 4      (1)  Collect protected health information from or disclose
 
 5           protected health information to an insurer; provided
 
 6           that the insurer that is receiving the information:
 
 7           (A)  Is investigating, evaluating, adjusting, or
 
 8                settling a claim involving the protected
 
 9                individual; or
 
10           (B)  Has become or may become liable under a policy
 
11                insuring the protected individual as a result of a
 
12                merger, acquisition, or other assumption of that
 
13                liability;
 
14      (2)  Collect, use, or disclose protected health information
 
15           to the extent necessary to investigate, evaluate,
 
16           subrogate, or settle third-party claims; provided that
 
17           the claimant is the protected individual and the
 
18           protected health information is used for no other
 
19           purpose without a valid authorization or the use is
 
20           otherwise permitted under federal or state law;
 
21      (3)  (A)  Collect, use, or disclose protected health
 
22                information to or from an insurance support
 
23                organization provided that:
 
 
 
Page 20                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1                (i)  The protected health information is used only
 
 2                     to perform the insurance functions of claims
 
 3                     settlement, detection and prevention of
 
 4                     fraud, or detection and prevention of
 
 5                     material misrepresentation or material
 
 6                     nondisclosure; or
 
 7               (ii)  The protected health information is collected
 
 8                     and used internally only to perform the
 
 9                     insurance functions of ratemaking and
 
10                     ratemaking-related functions, underwriting or
 
11                     underwriting-related functions, or regulatory
 
12                     or legislative cost analysis;
 
13           (B)  Additional insurance functions may be added to
 
14                paragraph (3)(A)(i) and (ii) with prior approval
 
15                of the commissioner;
 
16      (4)  If the protected health information is necessary to
 
17           provide ongoing health care treatment, and if the
 
18           disclosure has not been limited or prohibited by the
 
19           protected individual, collect protected health
 
20           information from or disclose protected health
 
21           information to:
 
22           (A)  A health care provider, employed by the insurer,
 
23                who is furnishing health care to a protected
 
 
 
Page 21                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1                individual;
 
 2           (B)  A health care provider with whom the insurer
 
 3                contracts to provide health care services to a
 
 4                protected individual; or
 
 5           (C)  A referring health care provider who continues to
 
 6                furnish health care to a protected individual;
 
 7      (5)  Disclose protected health information to a person
 
 8           engaged in the assessment, evaluation, or investigation
 
 9           of the quality of health care furnished by a provider
 
10           pursuant to statutory or regulatory standards or
 
11           pursuant to the requirements of a private or public
 
12           program authorized to provide for the payment of health
 
13           care;
 
14      (6)  Collect, use, or disclose protected health information
 
15           when the protected health information is necessary for
 
16           the performance of the insurer's obligations under any
 
17           property and casualty insurance law or contract;
 
18      (7)  Collect protected health information from or disclose
 
19           protected health information to a reinsurer, stop-loss
 
20           or excess-loss insurer for the purpose of underwriting,
 
21           claims adjudication and conducting claim file audits;
 
22      (8)  Collect protected health information from the protected
 
23           individual; and
 
 
 
Page 22                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1      (9)  Collect, use, or disclose protected health information
 
 2           when the protected health information is obtained from
 
 3           public sources such as newspapers, public agency
 
 4           reports, and law enforcement or public safety reports.
 
 5      (b)  Unless otherwise restricted by this section, an insurer
 
 6 that has collected protected health information without an
 
 7 authorization pursuant to subsection (a), may use and disclose
 
 8 the information to a person acting on behalf of or at the
 
 9 direction of the insurer to perform the insurance functions
 
10 listed in section 431:10-F(f).
 
11      (c)  An insurer shall disclose protected health information
 
12 in any of the following circumstances:
 
13      (1)  To federal, state, or local governmental authorities to
 
14           the extent the insurer disclosing the protected health
 
15           information is required by law to report protected
 
16           health information or for fraud reporting purposes;
 
17      (2)  The protected health information is needed for one of
 
18           the following purposes:
 
19           (A)  To identify a deceased individual;
 
20           (B)  To determine the cause and manner of death by a
 
21                chief medical examiner or the medical examiner's
 
22                designee; or
 
23           (C)  To provide necessary protected health information
 
 
 
Page 23                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1                about a deceased individual who is a donor of an
 
 2                anatomical gift;
 
 3      (3)  To a state department of insurance that is performing
 
 4           an examination, investigation, or audit of the insurer;
 
 5           or
 
 6      (4)  Pursuant to a court order issued after the court's
 
 7           determination that the public interest in disclosure
 
 8           outweighs the protected individual's privacy interest
 
 9           and that the protected health information is not
 
10           reasonably available by other means.
 
11      431:10-H  Unauthorized collection, use, or disclosure of
 
12 protected health information.  An unauthorized collection, use,
 
13 or disclosure of protected health information by an insurer is
 
14 prohibited and subject to the penalties set forth in section
 
15 431:10-J.  An unauthorized collection, use, or disclosure
 
16 includes:
 
17      (1)  Unauthorized publication of protected health
 
18           information;
 
19      (2)  Unauthorized collection, use, or disclosure of
 
20           protected health information for personal or
 
21           professional gain;
 
22      (3)  Unauthorized sale of protected health information;
 
23      (4)  Unauthorized manipulation of coded or encrypted health
 
 
 
Page 24                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           information that reveals protected health information;
 
 2           and
 
 3      (5)  Use of deception, fraud, or threat to procure
 
 4           authorization to collect, use, or disclose protected
 
 5           health information.
 
 6      431:10-I  Signatures and forms.(a)  Any provision of this
 
 7 part or its corresponding rules that requires a written signature
 
 8 may be satisfied by:
 
 9      (1)  The use of electronic authentication, including
 
10           electronic signatures, digital signatures, biometric
 
11           signatures, or recorded oral authorizations; or
 
12      (2)  The use of any symbol or method of authentication that
 
13           becomes part of or logically associated with an
 
14           electronic record that indicates an intent to be bound.
 
15      (b)  Any provision of this part or its corresponding
 
16 regulations that require a form or document to be in writing may
 
17 be satisfied by the use of an electronic or computer-based
 
18 format.
 
19      431:10-J  Sanctions.(a)  Civil penalties.
 
20      (1)  Whenever the department has reason to believe that a
 
21           person has committed gross negligence in violation of a
 
22           material provision of this part and that an action
 
23           under this section is in the public interest, the
 
 
 
Page 25                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1           department may bring an action to enjoin violations of
 
 2           this part.  An injunction issued under this section
 
 3           shall be issued without bond.
 
 4      (2)  In addition to the relief available pursuant to
 
 5           paragraph (1), the department may request and the court
 
 6           may order any other temporary or permanent relief as
 
 7           may be in the public interest, including any of the
 
 8           following, or any combination of the following:
 
 9           (A)  A civil penalty of not more than $500 for each
 
10                violation, not to exceed $5,000 in the aggregate
 
11                for multiple violations;
 
12           (B)  A civil penalty of not more than $25,000 if the
 
13                court finds that violations of this part have
 
14                occurred with sufficient frequency to constitute a
 
15                general business practice as defined in section
 
16                431:1-216; and
 
17           (C)  Reasonable attorney fees, investigation, and court
 
18                costs.
 
19      (b)  In any claim made under this section relating to an
 
20 unauthorized disclosure in which an insurer is being sued under a
 
21 theory of vicarious liability for the actions or omissions of the
 
22 insurer's employees, it shall be an affirmative defense that the
 
23 insurer substantially complied with the requirements of section
 
 
 
Page 26                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 431:10-C.
 
 2      (c)  An individual may not maintain an action against an
 
 3 insurer that disclosed protected health information in good faith
 
 4 reliance on the individual's authorization, if that authorization
 
 5 meets the requirements of section 431:10-F and if the disclosure
 
 6 was made in compliance with the requirements of this part.
 
 7      431:10-L  Rules.  The commissioner shall prescribe rules
 
 8 subject to chapter 91 to carry out this part."
 
 9      SECTION 3.  Chapter 323C, Hawaii Revised Statutes, is
 
10 amended by adding a new section to be appropriately designated
 
11 and to read as follows:
 
12      "323C-    Applicability to property and casualty insurers.
 
13 Issues provided in this chapter as they relate to property and
 
14 casualty insurers shall be administered by the insurance
 
15 commissioner as provided in chapter 431, article 10, part     ."
 
16      SECTION 4.  In codifying the new sections added by section 2
 
17 of this Act, the revisor of statutes shall substitute appropriate
 
18 section numbers for the letters used in designating the new
 
19 sections in this Act.
 
20      SECTION 5.  New statutory material is underscored.
 
21      SECTION 6.  Section 431:10-L of section 2 of this Act shall
 
22 take effect upon approval.  Section 1, all other provisions of
 
23 section 2, and sections 3, 4, and 5  shall take effect upon its
 
 
 
Page 27                                                    
                                     S.B. NO.           2439
                                                        
                                                        


 1 approval; provided that these provisions shall not become
 
 2 operative until:
 
 3      (1)  January 1, 2002; or
 
 4      (2)  One hundred eighty days after the effective date of
 
 5           rules authorized under section 431:10-L;
 
 6 whichever is later.
 
 7 
 
 8                           INTRODUCED BY:  _______________________