33-19-306. Disclosure limitations and conditions. (1) Except as provided in this section, a licensee may not disclose personal or privileged information about an individual collected or received in connection with an insurance transaction.
(2) Disclosure may be made with the written authorization of the individual. The authorization must be in the form provided in 33-19-206.
(3) Disclosure limited to that which is reasonably necessary may be made to a person to enable the person to provide information to the disclosing licensee for the purpose of detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction. A person to whom information is disclosed pursuant to this subsection shall agree in writing not to further disclose the information, but this requirement for an agreement does not prevent disclosure of information that is necessary to obtain further information for the purposes set forth in this subsection.
(4) (a) Disclosure may be made between licensees if the information disclosed is limited to that which is reasonably necessary:
(i) to detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or
(ii) for either the disclosing or receiving licensee to perform its insurance function.
(b) A licensee receiving information pursuant to this subsection (4) may not further disclose the information unless otherwise permitted by this section.
(5) Disclosure may be made to a medical care institution, a medical professional, or the individual to whom the information pertains if that information is reasonably necessary for the following purposes:
(a) verifying insurance coverage or benefits;
(b) informing an individual of a medical problem of which the individual may not be aware;
(c) conducting an operations or services audit; or
(d) determining the reasonableness or necessity of medical services.
(6) Disclosure:
(a) may be made to an insurance regulatory authority;
(b) must be made as required by law; and
(c) must be or may be made to the commissioner as required or permitted by law.
(7) Disclosure may be made by a licensee or an insurance-support organization to a law enforcement or other government authority or to an insurance regulatory agency:
(a) to protect the interests of a licensee in preventing, investigating, or prosecuting the perpetration of fraud upon a licensee; or
(b) if the licensee or insurance-support organization reasonably believes that illegal activities have been conducted by the individual.
(8) Disclosure that is limited to that which is reasonably necessary may be made as otherwise permitted or required by law.
(9) Disclosure that is limited to that which is reasonably necessary may be made in response to a facially valid administrative or judicial order, including a search warrant or subpoena.
(10) (a) Except as provided in subsection (10)(b), disclosure that is limited to that which is reasonably necessary may be made for the purpose of conducting actuarial or research studies if:
(i) an individual is not identified in any actuarial or research report;
(ii) materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed; and
(iii) the actuarial or research organization agrees not to further disclose the information without the individual's separate, written authorization.
(b) Disclosure of information may be made for:
(i) health research that is subject to the approval of an institutional review board and the requirements of federal law and regulations governing biomedical research; or
(ii) epidemiological or drug therapy outcomes research that requires information that has been made anonymous to protect the identity of the patient through coding or encryption.
(11) Disclosure may be made to a party or a representative of a party to a proposed sale, transfer, merger, or consolidation of all or part of the business of the licensee or insurance-support organization if:
(a) prior to the consummation of the sale, transfer, merger, or consolidation only information is disclosed that is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation; and
(b) the recipient agrees not to further disclose the information without the individual's separate, written authorization.
(12) (a) Disclosure that is limited to that which is reasonably necessary may be made to a licensee's affiliate as follows:
(i) to allow use of the information in connection with an audit of the licensee;
(ii) to enable a licensee to perform an insurance function; or
(iii) as allowed by 33-19-307.
(b) A licensee disclosing pursuant to this section must have a written agreement with the affiliate that the affiliate will not use or further disclose information received except to carry out the purposes set forth in subsection (12)(a) and that if further disclosure is necessary to meet those purposes, the disclosure will be made only to the licensee or to a person who agrees in writing to be bound by the same prohibition on use and disclosure. A disclosure allowed by 33-19-307 is governed by that section.
(13) Disclosure that is limited to that which is reasonably necessary may be made to an insurance-support organization to perform insurance-support services for the licensee. The insurance-support organization may redisclose the information to the extent necessary to provide its services to its member or subscriber licensees and other insurance-support organizations or as otherwise permitted by law, but not for a marketing purpose.
(14) Disclosure may be made to a group policyholder for the purpose of reporting claims experience or conducting an audit of the licensee's operations or services if the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit and the group policyholder agrees not to further disclose the information without the individual's separate, written authorization. Medical record information disclosed pursuant to this subsection must be edited to prevent the identification of the applicant, policyholder, or certificate holder. Employer audits that are required by the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1001, et seq., as amended, are not subject to the provisions of this subsection.
(15) Disclosure that is limited to that which is reasonably necessary may be made to a professional peer review organization for the purpose of reviewing the service or conduct of a medical care institution or medical professional if the professional peer review organization agrees not to further disclose the information without the individual's separate, written authorization.
(16) Disclosure that is limited to that which is reasonably necessary may be made to a governmental authority as required by federal or state law or for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable.
(17) Disclosure that is limited to that which is reasonably necessary may be made to a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction. Disclosure pursuant to this subsection may not be made to a group policyholder without a separate, written authorization from the individual.
(18) Disclosure may be made to a person contractually engaged to provide services to enable a licensee to perform an insurance function, or to perform an insurance function on behalf of a licensee, if the person agrees in writing that the person will not use or further disclose information obtained or developed pursuant to the engagement except to carry out the limited purpose of the engagement and that if further disclosure is necessary to perform the insurance function, that disclosure will be made only to the licensee or to a person who agrees in writing to be bound by the same prohibitions on use and disclosure.
(19) If a licensee has to disclose personal or privileged information in order to perform an insurance function and disclosure is not permitted under another exception in this section, disclosure may be made to a person other than a licensee if the disclosure is limited to that which is reasonably necessary to enable the person to perform services or an insurance function for the disclosing licensee and if the person is notified by the licensee that the person is prohibited from:
(a) using the information other than to carry out the limited purpose for which the information is disclosed; and
(b) disclosing the information other than to the licensee and as allowed in subsection (3).
(20) Disclosure may be made to a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or insurance producer as having a legal interest in a policy of insurance if:
(a) medical record information is not disclosed; and
(b) the information disclosed is limited to that which is reasonably necessary to permit the person with a legal interest in the policy to protect that person's interests in that policy.
(21) Disclosure may be made to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants, and auditors if the disclosure is limited to that which is reasonably necessary to enable the person or entity to perform services or an insurance function for the disclosing licensee and if the person or entity is notified by the licensee that the person or entity is prohibited from using the information, other than to carry out the limited purpose for which the information is disclosed.
(22) Notwithstanding any other provision of this chapter, disclosure for a marketing purpose may be made only as allowed by 33-19-307.
(23) Nothing in this section may be construed to prevent the disclosure of personal information that is otherwise discoverable pursuant to the Montana Rules of Civil Procedure.
(24) The commissioner may adopt rules creating additional exceptions to disclosure restrictions for the purpose of allowing a licensee or insurance-support organization to carry out a necessary insurance function. The commissioner shall adopt rules establishing the methods that must be used by licensees to prevent identification as described in subsection (14).
History: En. Sec. 15, Ch. 580, L. 1981; amd. Sec. 1, Ch. 713, L. 1989; amd. Sec. 4, Ch. 212, L. 1999; amd. Sec. 7, Ch. 341, L. 2001; amd. Sec. 5, Ch. 385, L. 2003.