AN ACT CONCERNING TRANSPARENCY IN HEALTH INSURANCE CLAIMS DATA.

This bill requires an insurer or similar entity to disclose to an employer with more than 50 employees or a government entity sponsoring a group health care insurance policy certain information related to (1) claims incurred, including claims experience for medical, dental, and pharmacy benefits; (2) premiums paid; and (3) the number of enrollees by coverage tier (e. g. , single, two-person, family) (see COMMENT).

The bill specifies that an insurer must provide the information (1) at the employer or government entity's request, (2) for the shorter of the most recent 36 months or entire coverage period, and (3) in a specified format. It also specifies that the insurer does not have to (1) provide the information more than once in a 12-month period or (2) disclose any information the law requires it to keep confidential.

The bill makes any claim information a government entity receives under it's provisions (1) confidential and privileged; (2) exempt from disclosure under the Freedom of Information Act; (3) not subject to subpoena or discovery; and (4) not admissible as evidence in a private lawsuit. The bill does not prohibit the government entity from providing the claims data to a collective bargaining unit to fulfill its statutory duties.

The bill applies to an insurer, health care center (i. e. , HMO), hospital or medical service corporation, or other entity delivering, issuing, renewing, amending, or continuing a group health insurance policy in Connecticut.

The bill defines an “employer” as a person, firm, corporation, limited liability company, partnership, or association actively engaged in business for at least three consecutive months that, on at least 50% of its working days during the last 12 months, had more than 50 full-time employees. (Thus, it does not include a small employer. ) “Government entity” is the state or any of its political subdivisions.

1. all data on claims incurred under the policy, including claims for any medical, dental, and pharmacy benefits;

2. policy premiums the employer or government entity paid, by month; and

3. the number of insureds under the policy, by month and coverage tier, including single, two-person, and family.

Under the bill, the insurer must provide complete information and include all data available to it for the period requested.

The insurer must provide the information (1) in a written report, (2) electronically in a secure e-mail or through a file transfer protocol site, or (3) through a secure website or website portal the employer or government entity can access.

The federal Health Insurance Portability and Accountability Act (HIPAA) limits an insurer's release of protected health information (PHI). PHI includes medical information that contains information that could identify a person, including name, Social Security number, telephone number, medical record number, and ZIP code. Federal regulations protect this information regardless of how it is stored or transmitted.

The penalty under HIPAA for wrongful disclosure of individually identifiable health information is a $ 50,000 fine, imprisonment up to one year, or both. Wrongful disclosure under false pretenses is punishable by a $ 100,000 fine, imprisonment up to five years, or both. Committing wrongful disclosure with intent to sell the information is punishable by a $ 250,000 fine, imprisonment up to 10 years, or both.

The law requires anyone in possession of personal information about a person to safeguard the data, and computer files and documents containing it, from misuse by third parties (CGS § 42-471). The law does not apply to a state agency or political subdivision.

The law defines “personal information” as information capable of being associated with a particular individual through one or more identifiers, such as a Social Security number, driver's license number, state identification card number, account number, health insurance identification number, credit or debit card number, passport number, or alien registration number. It does not include publicly available information lawfully made available from federal, state, or local government records or widely distributed media.

A person who intentionally violates the law is subject to a fine of up to $ 500 for each violation, not to exceed $ 500,000.

The law prohibits an insurer, agent, or support organization from disclosing any personal or privileged information about a person that was collected or received in connection with an insurance transaction, but specifies numerous instances when disclosure is permissible. For example, disclosure of personal information is permissible if it is (1) made to a group policyholder for the purpose of (a) reporting claims experience or (b) conducting an audit of the insurer's or agent's operations or services, provided the information disclosed is reasonably necessary for the policyholder to conduct the audit. Disclosure is also permissible if otherwise permitted or required by law (CGS § 38a-988). An insurer or agent must provide all insurance applicants and policyholders a written notice of its information practices, including the types of, and circumstances under which, it may disclose personal information. The notice must describe only those circumstances that occur with such frequency as to indicate a general business practice (CGS § 38a-979).

The law defines “personal information” as any individually identifiable information, including a person's name, address, and medical record information, collected in connection with an insurance transaction from which judgments can be made about the person's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Privileged information” is individually identifiable information relating to an insurance claim or a civil or criminal proceeding involving the person.

“Medical record information” is information (1) related to a person's physical, mental, or behavioral health condition or medical history or treatment and (2) a medical professional or institution obtained from a pharmacy or pharmacist; the person or person's spouse, parent, or legal guardian; or providing or paying for health care. The law excludes from the definition such information if personal identifiers that either directly reveal the patient's identity, or provide a means of identifying the patient, have been removed or have been encrypted or encoded so that the patient's identity is not revealed without having to use an encryption key or code.

The law subjects a person who violates it (1) negligently to a fine of up to $ 2,000 for each violation, not to exceed $ 20,000, and (2) intentionally to a fine of up to $ 5,000 for each violation, not to exceed $ 50,000.

Federal and state laws restrict the information an insurer can disclose about a person and his or her medical records and claims data (see BACKGROUND). Presumably, this bill's information disclosure requirement is effective to the extent permitted by law

State law explicitly permits an insurer to disclose personal or privileged information obtained in connection with an insurance transaction if it is (1) made to a group policyholder for the purpose of (a) reporting claims experience or (b) conducting an audit of the insurer's or agent's operations or services, provided the information disclosed is reasonably necessary for the policyholder to conduct the audit. Thus, state law already permits a group policyholder (regardless of its number of employees) to receive certain claim experience and other policy data from an insurer, but without the limitations (e. g. , deadline, format) the bill specifies.

Yea

Nay

(03/05/2009)