CHAPTER 705

CONNECTICUT INSURANCE INFORMATION
AND PRIVACY PROTECTION ACT

Table of Contents

Sec. 38a-975. (Formerly Sec. 38-500). Short title: Connecticut Insurance Information and Privacy Protection Act.

Sec. 38a-976. (Formerly Sec. 38-501). Definitions.

Sec. 38a-977. (Formerly Sec. 38-502). Applicability. Exceptions.

Sec. 38a-978. (Formerly Sec. 38-503). Use of pretext interviews.

Sec. 38a-979. (Formerly Sec. 38-504). Notice of insurance information practices.

Sec. 38a-980. (Formerly Sec. 38-505). Insurer to specify questions for marketing or research purposes.

Sec. 38a-981. (Formerly Sec. 38-506). Content of disclosure authorization forms. Disclosure of health benefits to exclusive bargaining agent or subgroup of a multi-bargaining-unit group.

Sec. 38a-982. (Formerly Sec. 38-507). Investigative consumer reports.

Sec. 38a-983. (Formerly Sec. 38-508). Access to recorded personal information.

Sec. 38a-984. (Formerly Sec. 38-509). Correction, amendment or deletion of recorded personal information.

Sec. 38a-985. (Formerly Sec. 38-510). Insurer to provide its reasons for adverse underwriting decisions.

Sec. 38a-986. (Formerly Sec. 38-511). Information concerning previous adverse underwriting decisions and coverage through residual market mechanisms.

Sec. 38a-987. (Formerly Sec. 38-512). Insurer prohibited from considering previous adverse underwriting decision or past residual market mechanism coverage.

Sec. 38a-988. (Formerly Sec. 38-513). Disclosure limitations and conditions.

Sec. 38a-988a. Sale of individually identifiable medical record information prohibited. Written consent re disclosure for marketing purposes. Exceptions. Cause of action for violations.

Sec. 38a-989. (Formerly Sec. 38-514). Powers of commissioner.

Sec. 38a-990. (Formerly Sec. 38-515). Hearings; subpoenas; service of process.

Sec. 38a-991. (Formerly Sec. 38-516). Insurance-support organizations to appoint commissioner to accept service of process.

Sec. 38a-992. (Formerly Sec. 38-517). Commissioner to prepare findings.

Sec. 38a-993. (Formerly Sec. 38-518). Penalties.

Sec. 38a-994. (Formerly Sec. 38-519). Appeals from orders.

Sec. 38a-995. (Formerly Sec. 38-520). Individual remedies.

Sec. 38a-996. (Formerly Sec. 38-521). Immunity.

Sec. 38a-997. (Formerly Sec. 38-522). Obtaining information under false pretenses. Fine.

Sec. 38a-998. (Formerly Sec. 38-523). Severability.

Sec. 38a-999. Written policies, standards and procedures re medical record information.

Sec. 38a-999a. Disclosure of individually identifiable medical record information with malicious intent prohibited. Penalty.

Sec. 38a-999b. Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.


Sec. 38a-975. (Formerly Sec. 38-500). Short title: Connecticut Insurance Information and Privacy Protection Act. Sections 38a-975 to 38a-998, inclusive, may be cited as the “Connecticut Insurance Information and Privacy Protection Act”.

(P.A. 81-368, S. 1, 25.)

History: Sec. 38-500 transferred to Sec. 38a-975 in 1991.

Sec. 38a-976. (Formerly Sec. 38-501). Definitions. As used in sections 38a-975 to 38a-998, inclusive:

(1) “Adverse underwriting decisions” means:

(A) Any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten: (i) A declination or termination of insurance coverage; (ii) failure of an agent to apply for insurance coverage with a specific insurance institution which the agent represents and which is requested by an applicant; (iii) in the case of a property or casualty insurance coverage, (I) placement by an insurance institution or agent of a risk with a residual market mechanism, an unauthorized insurer or an insurance institution which specializes in substandard risks, (II) the charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished, or (III) changing a risk from a preferred rate program to a standard rate program or from a standard rate program to a nonstandard rate program within the same company or between two companies in the same group; and (iv) in the case of a life, health or disability insurance coverage, an offer to insure at higher than standard rates.

(B) Notwithstanding the provisions of subparagraph (A) of this subdivision, the following actions shall not be considered adverse underwriting decisions: (i) The termination of an individual policy form on a class or state-wide basis; (ii) a declination of insurance coverage solely because such coverage is not available on a class or state-wide basis; or (iii) the rescission of a policy.

(2) “Affiliate” or “affiliated” has the same meaning as provided in section 38a-1.

(3) “Agent” has the same meaning as “insurance producer”, as defined in section 38a-702a.

(4) “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(5) “Commissioner” means the Insurance Commissioner.

(6) “Consumer report” means any written, oral or other communication of information bearing on an individual's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used in connection with an insurance transaction.

(7) “Consumer reporting agency” means any person who: (A) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a fee; (B) obtains information primarily from sources other than insurance institutions; and (C) furnishes consumer reports to other persons.

(8) “Control”, including the terms “controlled by” or “under common control with”, has the same meaning as provided in section 38a-1.

(9) “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent, of requested insurance coverage.

(10) “Individual” means any person who: (A) In the case of property or casualty insurance, is a past, present or proposed named insured or certificate holder; (B) in the case of life, health or disability insurance, is a past, present or proposed principal insured or certificate holder; (C) is a past, present or proposed policyowner; (D) is a past or present applicant or claimant; or (E) derived, derives or is proposed to derive insurance coverage under an insurance policy or certificate subject to sections 38a-975 to 38a-998, inclusive.

(11) “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution or insurance-support organization, other than: (A) An agent; (B) the individual who is the subject of the information; or (C) an individual acting in a personal capacity rather than a business or professional capacity.

(12) “Insurance institution” means any corporation, limited liability company, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society or other person engaged in the business of insurance, including health care centers, as defined in section 38a-175, medical service corporations, as defined in section 38a-214, managed care organizations, as defined in section 38a-478 and hospital service corporations, as defined in section 38a-199. It shall not include agents or insurance-support organizations.

(13) (A) “Insurance-support organization” means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information concerning individuals for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including: (i) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction; (ii) the collection of personal information from insurance institutions, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity; or (iii) collecting medical record information from, disclosing medical record information to, or collecting medical record information on behalf of an insurance institution or agent in the ordinary course of business, including, but not limited to, utilization review companies, benefit management entities, including, but not limited to, pharmaceutical benefit and disease management entities and information or computer management entities.

(B) Notwithstanding subparagraph (A) of this subdivision, the following persons shall not be considered “insurance-support organizations” for purposes of sections 38a-975 to 38a-998, inclusive: Agents, government institutions, insurance institutions, medical care institutions, medical professionals, pharmacies, universities and schools.

(14) “Insurance transaction” means any transaction involving insurance primarily for personal, family or household needs rather than business or professional needs that involves: (A) The determination of an individual's eligibility for an insurance coverage, benefit or payment; or (B) the servicing of an insurance application, policy, contract or certificate.

(15) “Investigative consumer report” means a consumer report or portion thereof in which information about an individual's character, general reputation, personal characteristics or mode of living is obtained through personal interviews with the person's neighbors, friends, associates, acquaintances or others who may have such knowledge.

(16) “Medical-care institution” means any facility or institution that is licensed to provide health care services to individuals, including but not limited to health care centers, home-health agencies, hospitals, medical clinics, public health agencies, rehabilitation agencies and skilled nursing facilities.

(17) “Medical professional” means any person licensed or certified to provide health care services to individuals, including, but not limited to, a chiropractor, clinical dietitian, clinical psychologist, dentist, nurse, occupational therapist, optometrist, pharmacist, physical therapist, physician, podiatrist, psychiatric social worker or speech therapist.

(18) “Medical-record information” means personal information that: (A) Relates to the physical, mental or behavioral health condition, medical history or medical treatment of an individual or a member of the individual's family; and (B) is obtained from a medical professional or medical-care institution, from a pharmacy or pharmacist, from the individual, or from the individual's spouse, parent or legal guardian or from the provision of or payment for health care to or on behalf of an individual or a member of the individual's family. “Medical-record information” does not include such information from which personal identifiers that either directly reveal the identity of the patient, or provide a means of identifying the patient, have been removed or have been encrypted or encoded such that the identity of the individual is not revealed without the use of an encryption key or code.

(19) “Person” has the same meaning as provided in section 38a-1.

(20) “Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics. “Personal information” includes an individual's name and address and “medical-record information” but does not include “privileged information”.

(21) “Policyholder” means any person who: (A) In the case of individual property or casualty insurance, is a present named insured; (B) in the case of individual life, health or disability insurance, is a present policyowner; or (C) in the case of group insurance that is individually underwritten, is a present group certificate holder.

(22) “Pretext interview” means an interview where a person, in an attempt to obtain information about an individual, performs one or more of the following acts: (A) Pretends to be someone he is not; (B) pretends to represent a person he is not in fact representing; (C) misrepresents the true purpose of the interview; or (D) refuses to identify himself upon request.

(23) “Privileged information” means any individually identifiable information that: (A) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual; and (B) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or a civil or criminal proceeding involving an individual. Information otherwise meeting the requirements of this subdivision shall nevertheless be considered “personal information” under sections 38a-975 to 38a-998, inclusive, if it is disclosed in violation of section 38a-988.

(24) “Residual market mechanism” means an association, organization or other entity defined or described in sections 38a-328, 38a-329 and 38a-670.

(25) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(26) “Unauthorized insurer” has the same meaning as provided in section 38a-1.

(P.A. 81-368, S. 2, 25; P.A. 83-177, S. 1, 2; P.A. 90-243, S. 165; P.A. 94-160, S. 23, 24; P.A. 95-79, S. 152, 189; P.A. 99-284, S. 17, 60; P.A. 01-113, S. 29, 42; P.A. 14-122, S. 175; 14-235, S. 6.)

History: P.A. 83-177 amended Subsec. (a) by redefining “adverse underwriting decision” to include any change from a preferred rate program to a standard rate program or from a standard rate program to a nonstandard rate program and amended Subsec. (x) by including agreements to insure uninsurable applicants as outlined in Sec. 38-201h, within the definition of a “residual market mechanism”; P.A. 90-243 redefined “affiliate”, “affiliated”, “control”, “person” and “unauthorized insurer”; Sec. 38-501 transferred to Sec. 38a-976 in 1991; P.A. 94-160 substituted “producer” for “insurance broker” in definition of “agent” to accurately reflect the modernization and nomenclature of the industry, effective June 2, 1994; P.A. 95-79 redefined “insurance institution” to include a limited liability company, effective May 31, 1995; P.A. 99-284 amended definition of “insurance institution” to include managed care organizations, amended definition of “insurance-support organization” to add Subpara. (1)(C) re collecting or disclosing medical record information in the ordinary course of business, and amended Subdiv. (2) to exclude “pharmacies, universities and schools” from the definition of “insurance-support organization”, and amended definition of “medical-record information” to substitute “information which: (1) Relates to the physical, mental or behavioral health condition, medical history or medical treatment of an individual or a member of the individual's family” for “information which: (1) Relates to an individual's physical or mental condition, medical history or medical treatment”, amended Subdiv. (2) to include information obtained from a pharmacy or pharmacist, or from the provision of or payment for health care re an individual or member of the individual's family, and excluded from definition encrypted or encoded information or other information from which personal identifiers have been removed, effective July 1, 2000; P.A. 01-113 amended definition of “agent” to delete “insurance agent” from definition, make a technical change and substitute “section 38a-702a” for “section 38a-702”, effective September 1, 2002; P.A. 14-122 made a technical change; P.A. 14-235 replaced alphabetic designators with numeric designators and made technical changes.

Sec. 38a-977. (Formerly Sec. 38-502). Applicability. Exceptions. (a) The obligations imposed by sections 38a-975 to 38a-998, inclusive, shall apply to those insurance institutions, agents or insurance-support organizations which, on or after October 1, 1982: (1) In the case of life, health or disability insurance: (A) Collect, receive or maintain information in connection with insurance transactions which pertains to individuals who are residents of this state or (B) engage in insurance transactions with applicants, individuals or policyholders who are residents of this state, and (2) in the case of property or casualty insurance: (A) Collect, receive or maintain information in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state or (B) engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state.

(b) The rights granted by sections 38a-975 to 38a-998, inclusive, shall extend to: (1) In the case of life, health or disability insurance, the following persons who are residents of this state: (A) Individuals who are the subject of information collected, received or maintained in connection with insurance transactions and (B) applicants, individuals or policyholders who engage in or seek to engage in insurance transactions, and (2) in the case of property or casualty insurance, the following persons: (A) Individuals who are the subject of information collected, received or maintained in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in the state and (B) applicants, individuals or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state.

(c) For purposes of this section, a person shall be considered a resident of this state if the person's last-known mailing address, as shown in the records of the insurance institution, agent or insurance-support organization, is located in this state.

(d) Notwithstanding the provisions of subsections (a) and (b) of this section, sections 38a-975 to 38a-998, inclusive, shall not apply to information collected from the public records of a governmental authority and maintained by an insurance institution or its representatives for the purpose of insuring the title to real property located in this state.

(P.A. 81-368, S. 3, 25; P.A. 82-472, S. 119, 183.)

History: P.A. 82-472 made technical changes and corrections; Sec. 38-502 transferred to Sec. 38a-977 in 1991.

Sec. 38a-978. (Formerly Sec. 38-503). Use of pretext interviews. No insurance institution, agent or insurance-support organization shall use or authorize the use of a pretext interview to obtain information in connection with an insurance transaction; except it may be used to obtain information from a person or institution that does not have a recognized privileged relationship with the person to whom the information relates for the purpose of investigating a claim where, based upon specific information available for review by the commissioner, there is a reasonable basis for suspecting criminal activity, fraud, material misrepresentation or material nondisclosure in connection with the claim.

(P.A. 81-368, S. 4, 25; P.A. 82-472, S. 120, 183.)

History: P.A. 82-472 made technical grammatical correction; Sec. 38-503 transferred to Sec. 38a-978 in 1991.

Sec. 38a-979. (Formerly Sec. 38-504). Notice of insurance information practices. (a) An insurance institution or agent shall provide a notice of information practices to all applicants or policyholders in connection with insurance transactions as provided in this section: (1) In the case of an application for insurance, (A) at the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant or public records or (B) at the time the collection of personal information is initiated when personal information is collected from a source other than the applicant or public records, (2) in the case of a policy renewal, the renewal date, except that no notice shall be required in connection with a policy renewal if: (A) Personal information is collected only from the policyholder or from public records, or (B) a notice meeting the requirements of this section has been given within the previous twenty-four months, or (3) in the case of a policy reinstatement or change in insurance benefits, the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no notice shall be required if personal information is collected only from the policyholder or public records.

(b) The notice shall be in writing and shall state: (1) Whether personal information may be collected from persons other than the individual proposed for coverage, (2) the types of personal information that may be collected, the kinds of investigative techniques that may be used to collect such information and the sources from which such information may be collected, (3) the types of disclosures identified in subdivisions (2) to (6), inclusive, (9), (11), (12) and (14) of section 38a-988 and the circumstances under which such disclosures may be made without prior authorization; provided only those circumstances need be described which occur with such frequency as to indicate a general business practice, (4) a description of the rights established under sections 38a-983 and 38a-984 and the manner in which these rights may be exercised, and (5) that information obtained from a report prepared by an insurance-support organization may be retained by the organization and disclosed to other persons.

(c) In lieu of the notice prescribed in subsection (b) of this section, the insurance institution or agent may provide an abbreviated notice informing the applicant or policyholder that: (1) Personal information may be collected from persons other than the individual proposed for coverage, (2) such information as well as other personal or privileged information subsequently collected by the insurance institution or agent may in certain circumstances be disclosed to third parties without authorization, (3) a right of access and correction exists with respect to all personal information collected, and (4) the notice prescribed in subsection (b) of this section must be furnished to the applicant or policyholder upon request.

(d) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

(P.A. 81-368, S. 5, 25; P.A. 02-24, S. 9.)

History: Sec. 38-504 transferred to Sec. 38a-979 in 1991; P.A. 02-24 amended Subsec. (b) to substitute references to subdivisions of Sec. 38a-988 for subsection references.

Sec. 38a-980. (Formerly Sec. 38-505). Insurer to specify questions for marketing or research purposes. An insurance institution or agent shall specify those questions designed solely to obtain information for marketing or research purposes from an individual in connection with an insurance transaction.

(P.A. 81-368, S. 6, 25; P.A. 82-472, S. 121, 183.)

History: P.A. 82-472 made nonsubstantive change in wording; Sec. 38-505 transferred to Sec. 38a-980 in 1991.

Sec. 38a-981. (Formerly Sec. 38-506). Content of disclosure authorization forms. Disclosure of health benefits to exclusive bargaining agent or subgroup of a multi-bargaining-unit group. (a) Notwithstanding any provision of the general statutes, no insurance institution, agent or insurance-support organization may utilize as its disclosure authorization form in connection with insurance transactions, a form or statement that authorizes the disclosure of personal or privileged information concerning an individual to an insurance institution, agent, or insurance-support organization unless the form or statement: (1) Is written in plain language substantially complying with the tests enumerated in subsection (b) of section 42-152; (2) is dated; (3) specifies the types of persons authorized to disclose information concerning the individual; (4) specifies the nature of the information authorized to be disclosed; (5) identifies the insurance institution or agent and the types of representatives of the insurance institution to whom the individual has authorized the information to be disclosed; (6) specifies the purposes for which the information is collected; (7) specifies the length of time such authorization shall remain valid, which shall be not longer than: (A) In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for a change in policy benefits, (i) thirty months from the date the authorization is signed if the application or request involves life, health or disability insurance, or (ii) one year from the date the authorization is signed if the application or request involves property or casualty insurance; (B) in the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy, (i) the term of coverage of the policy if the claim involves a health insurance benefit, or (ii) the duration of the claim if it involves an insurance benefit which is not a health insurance benefit; and (8) advises the individual or a person authorized to act on such individual's behalf that such individual or authorized person is entitled to receive a copy of the authorization form.

(b) (1) An insurance institution or a third-party administrator providing insurance or administrative services with respect to an employer's employee benefit plan that provides its employees with health benefits shall, upon written request of an exclusive bargaining agent for such employees, provide such bargaining agent with information regarding description of health benefits available to such employees, claim experience regarding such benefits and the cost to the employer for such coverage or administrative services, as the case may be, for employees in the bargaining unit represented by such bargaining agent. If such employees constitute a subgroup of a multi-bargaining-unit group, the information provided by the insurance institution or administrator shall, upon written request of the exclusive bargaining agent for the subgroup, include a description of available health benefits, claim experience regarding such benefits and the cost to the employer for such coverage or administrative services, as the case may be, for the entire multi-bargaining-unit group or for subgroups within the multi-bargaining-unit group. A copy of such information shall be provided at the same time to the employer by the insurance institution or administrator. Such information shall be made available to the bargaining agent and the employer only if the bargaining agent agrees in writing to pay all reasonable costs, as determined by the insurance institution or administrator, that are incurred by the insurance institution or administrator in developing and distributing the information. The information provided to such agent shall relate to the group of employees as a whole and shall not include any information relating to specific individuals. No requests made pursuant to this subdivision shall seek information that relates to a period of time more than twenty-four months prior to the date such request was made.

(2) Prior to providing any information pursuant to subdivision (1) of this subsection, an insurance institution or third-party administrator may require the bargaining agent requesting such information to provide evidence in writing that such bargaining agent is currently designated or certified by the proper state or federal authority as the exclusive bargaining representative or agent of the employees who are the subject of the request.

(3) The provisions of this subsection shall not apply to employees participating in an employee welfare benefit plan subject to the provisions of Title I of the Employee Retirement Income Security Act of 1974, P.L. 93-406, as amended from time to time, or to the exclusive bargaining agents of such employees.

(P.A. 81-368, S. 7, 25; P.A. 82-21, S. 1; P.A. 92-104; P.A. 03-119, S. 3; P.A. 04-10, S. 13; 04-257, S. 65; P.A. 09-74, S. 29.)

History: P.A. 82-21 replaced the readable language standards of Sec. 38-68u with those of Sec. 42-152(b) and made several technical corrections; Sec. 38-506 transferred to Sec. 38a-981 in 1991; P.A. 92-104 divided the section into Subsecs., added a provision requiring an insurer who provides health benefits to provide bargaining agents with information re description of the health benefits being offered to employees, claim experience re such benefits and the employer's cost for the coverage provided such coverage relates to the group as a whole and not to specific individuals if bargaining agent agrees to compensate the insurer for reasonable costs of providing such information; (Revisor's note: In 2001 the internal alphabetic and numeric indicators in Subsec. (a) were changed editorially by the Revisors for consistency with customary statutory usage); P.A. 03-119 amended Subsec. (b)(1) to allow disclosure to a subgroup of a multi-bargaining-unit group; P.A. 04-10, effective October 1, 2004, and P.A. 04-257, effective June 14, 2004, both made identical technical change in Subsec. (b)(1) and (3); P.A. 09-74 made technical changes throughout, effective May 27, 2009.

Sec. 38a-982. (Formerly Sec. 38-507). Investigative consumer reports. (a) No insurance institution, agent or insurance-support organization shall prepare or request an investigative consumer report pertaining to an individual in connection with an insurance transaction involving an application for insurance, a policy renewal, reinstatement or a change in insurance benefits unless the insurance institution or agent informs the individual that: (1) The individual may request to be interviewed in connection with the preparation of the investigative consumer report and (2) upon request pursuant to section 38a-983, the individual is entitled to receive a copy of the investigative consumer report.

(b) If an investigative consumer report is to be prepared by an insurance institution or agent, the institution or agent shall establish reasonable procedures pertaining to the conduct of a personal interview requested by an individual.

(c) If an investigative consumer report is to be prepared by an insurance-support organization, the institution or agent desiring such report shall inform the insurance-support organization whether a personal interview has been requested by the individual. The insurance-support organization shall establish reasonable procedures pertaining to the conduct of such interviews, if requested.

(P.A. 81-368, S. 8, 25; P.A. 08-110, S. 4.)

History: Sec. 38-507 transferred to Sec. 38a-982 in 1991; P.A. 08-110 made technical changes in Subsec. (a), effective May 27, 2008.

Sec. 38a-983. (Formerly Sec. 38-508). Access to recorded personal information. (a) If an individual, after proper identification, submits a written request to an insurance institution, agent or insurance-support organization for access to recorded personal information concerning himself which is reasonably described and accessible, the institution, agent or insurance-support organization shall within thirty business days from the date such request is received: (1) Inform the individual of the nature and substance of such recorded personal information in writing, by telephone or by other means of oral communication; (2) permit the individual to see and copy, in person, such recorded personal information pertaining to him or to obtain a copy of such information by mail, unless such information is in coded form, in which case an accurate translation in readable language shall be provided in writing; (3) disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent or insurance-support organization has disclosed such personal information within two years prior to such request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such information is normally disclosed; and (4) provide the individual with a summary of the procedures by which he may request correction, amendment or deletion of recorded personal information.

(b) Any personal information provided pursuant to subsection (a) of this section shall identify the source of the information if it is an institutional source.

(c) Medical-record information supplied by a medical-care institution or medical professional and requested under subsection (a) of this section, together with the identity of the medical professional or medical-care institution which provided such information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates by the insurance institution, agent or insurance-support organization. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, agent or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.

(d) Except for personal information provided under section 38a-985, an insurance institution, agent or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.

(e) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subsection (a) of this section, an insurance institution, agent or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose such information on its behalf.

(f) The rights granted to individuals in this section shall extend to all individuals to the extent information concerning them is collected and maintained by an insurance institution, agent or insurance-support organization in connection with an insurance transaction. The rights granted to all individuals by this subsection shall not extend to information concerning them that relates to and is collected in connection with or in reasonable anticipation of, a claim or a civil or criminal proceeding involving them.

(g) For purposes of this section, the term “insurance-support organization” does not include “consumer reporting agency”.

(P.A. 81-368, S. 9, 25; P.A. 82-21, S. 3.)

History: P.A. 82-21 specified that section provisions apply to personal or privileged information collected or received before or after October 1, 1982; Sec. 38-508 transferred to Sec. 38a-983 in 1991.

Sec. 38a-984. (Formerly Sec. 38-509). Correction, amendment or deletion of recorded personal information. (a) Not later than thirty business days from the date of receipt of a written request from an individual to correct, amend or delete any recorded personal information concerning the individual within its possession, an insurance institution, agent or insurance-support organization shall: (1) Correct, amend or delete the portion of the recorded personal information in dispute; or (2) notify the individual of: (A) Its refusal to make such correction, amendment or deletion; (B) the reasons for the refusal; and (C) the individual's right to file a statement as provided in subsection (c) of this section.

(b) If the insurance institution, agent or insurance-support organization corrects, amends or deletes recorded personal information in accordance with subdivision (1) of subsection (a) of this section, it shall so notify the individual in writing and furnish the correction, amendment or fact of deletion to: (1) Any person specifically designated by the individual who may have, within the preceding two years, received such recorded personal information; (2) any insurance-support organization whose primary source of personal information is insurance institutions if such organization has systematically received such information from the insurance institution within the preceding seven years, provided the correction, amendment or deletion need not be furnished if the organization no longer maintains the information about the individual; and (3) any insurance-support organization that furnished the personal information that has been corrected, amended or deleted.

(c) Whenever an individual disagrees with an institution's, agent's or organization's refusal to correct, amend or delete recorded personal information, the individual shall be permitted to file with the institution, agent or organization: (1) A concise statement specifying what the individual believes to be the correct, relevant or fair information, and (2) a concise statement of the reasons the individual disagrees with the institution's, agent's or organization's refusal to correct, amend or delete recorded personal information.

(d) In the event an individual files either statement as described in subsection (c) of this section, the insurance institution, agent or support organization shall: (1) File the statement with the disputed personal information and provide a means by which anyone reviewing such information will be cognizant of the individual's statement and have access to it, (2) in any subsequent disclosure by the institution, agent or organization of the recorded personal information that is the subject of disagreement, clearly identify the matter in dispute and provide the individual's statement along with the information being disclosed, and (3) furnish the statement to the persons in the manner specified in subsection (b) of this section.

(e) The rights granted to individuals in this section shall extend to all individuals to the extent information concerning such individuals is collected and maintained by an insurance institution, agent or insurance-support organization in connection with an insurance transaction, except with respect to information that relates to and is collected in connection with or in reasonable anticipation of, a claim or a civil or criminal proceeding involving such individuals.

(f) For purposes of this section, the term “insurance-support organization” does not include “consumer reporting agency”.

(P.A. 81-368, S. 10, 25; P.A. 82-21, S. 3; P.A. 08-110, S. 5; P.A. 09-74, S. 30.)

History: P.A. 82-21 specified that provisions apply to personal or privileged information collected or received before or after October 1, 1982; Sec. 38-509 transferred to Sec. 38a-984 in 1991; P.A. 08-110 made technical changes in Subsecs. (a) and (e), effective May 27, 2008; P.A. 09-74 made technical changes in Subsec. (b), effective May 27, 2009.

Sec. 38a-985. (Formerly Sec. 38-510). Insurer to provide its reasons for adverse underwriting decisions. (a) Subject to the provisions of sections 38a-307, 38a-323 and 38a-343, in the event of an adverse underwriting decision, the insurance institution or agent responsible for the decision shall: (1) Either provide the applicant, policyholder or individual proposed for coverage with the specific reason for the adverse underwriting decision in writing or advise such person that upon written request he may receive the specific reason in writing, and (2) provide the applicant, policyholder or individual proposed for coverage with a summary of the rights established under subsection (b) of this section and sections 38a-983 and 38a-984.

(b) Upon receipt of a written request within ninety business days from the date of the mailing of notice or other communication of an adverse underwriting decision to an applicant, policyholder or individual proposed for coverage, the insurance institution or agent shall furnish such person not later than twenty-one business days after the date of receipt of such written request: (1) The specific reason for the adverse underwriting decision, in writing, if such information was not initially furnished in writing pursuant to subdivision (1) of subsection (a) of this section; (2) the specific items of personal and privileged information that support those reasons, except that: (A) The insurance institution or agent shall not be required to furnish specific items of privileged information if it has a reasonable suspicion, based upon specific information available for review by the commissioner, that the applicant, policyholder or individual proposed for coverage has engaged in criminal activity, fraud, material misrepresentation or material nondisclosure, and (B) specific items of medical-record information supplied by a medical-care institution or medical professional shall be disclosed either directly to the individual to whom the information relates or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates; and (3) the names and addresses of the institutional sources that supplied the specific items of information pursuant to subdivision (2) of subsection (b) of this section, except that the identity of any medical professional or medical-care institution shall be disclosed either directly to the individual or to the designated medical professional.

(c) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

(d) When an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights required by subsection (a) of this section may be given orally.

(e) The insurance institution or agent responsible for the occurrence of any action specified in subparagraph (B) of subdivision (1) of section 38a-976 that is not an adverse underwriting decision shall provide the applicant or policyholder with the specific reason for its occurrence.

(P.A. 81-368, S. 11, 25; P.A. 82-472, S. 122, 183; P.A. 85-156, S. 3; P.A. 14-235, S. 8; P.A. 17-15, S. 93.)

History: P.A. 82-472 made technical changes; P.A. 85-156 substituted reference to Sec. 38-185w for reference to Sec. 38-175i in Subsec. (a); Sec. 38-510 transferred to Sec. 38a-985 in 1991; P.A. 14-235 made technical changes in Subsec. (e); P.A. 17-15 made technical changes in Subsec. (b).

Sec. 38a-986. (Formerly Sec. 38-511). Information concerning previous adverse underwriting decisions and coverage through residual market mechanisms. No insurance institution, agent or insurance-support organization shall seek information in connection with an insurance transaction concerning any previous adverse underwriting decisions experienced by an individual, or any previous insurance coverage obtained by an individual through a residual market mechanism, unless such institution, agent or organization also requests the reasons for any previous adverse underwriting decision or the reasons insurance coverage was previously obtained through a residual market mechanism.

(P.A. 81-368, S. 12, 25; P.A. 84-546, S. 98, 173; P.A. 08-110, S. 6.)

History: P.A. 84-546 made technical change, deleting previously existing Subdiv. indicators; Sec. 38-511 transferred to Sec. 38a-986 in 1991; P.A. 08-110 made a technical change, effective May 27, 2008.

Sec. 38a-987. (Formerly Sec. 38-512). Insurer prohibited from considering previous adverse underwriting decision or past residual market mechanism coverage. No insurance institution or agent shall base an adverse underwriting decision in whole or in part:

(1) On a previous adverse underwriting decision or on the fact that an individual previously obtained insurance coverage through a residual market mechanism, provided an insurance institution or agent may base an adverse underwriting decision on further information obtained from an insurance institution or agent responsible for a previous adverse underwriting decision;

(2) On personal information received from an insurance-support organization whose primary source of information is an insurance institution, provided an insurance institution or agent may base an adverse underwriting decision on further personal information obtained as the result of information received from an insurance-support organization.

(P.A. 81-368, S. 13, 25; P.A. 02-24, S. 10; P.A. 08-110, S. 7.)

History: Sec. 38-512 transferred to Sec. 38a-987 in 1991; P.A. 02-24 substituted Subdiv. designators “(1)” and “(2)” for “(a)” and “(b)”; P.A. 08-110 made a technical change, effective May 27, 2008.

Sec. 38a-988. (Formerly Sec. 38-513). Disclosure limitations and conditions. An insurance institution, agent or insurance-support organization shall not disclose any personal or privileged information concerning an individual collected or received in connection with an insurance transaction unless the disclosure is:

(1) Made with the written authorization of the individual, provided: (A) If such authorization is submitted by another insurance institution, agent or insurance-support organization, it meets the requirements of section 38a-981, or (B) if such authorization is submitted by a person other than an insurance institution, agent or insurance-support organization, it shall be: (i) Dated, (ii) signed by the individual, and (iii) obtained within one year prior to the date a disclosure is sought pursuant to this subdivision;

(2) Made to a person other than an insurance institution, agent or insurance-support organization, provided such disclosure is reasonably necessary: (A) To enable such person to perform a business, professional or insurance function for the disclosing insurance institution, agent or insurance-support organization, and such person agrees not to disclose the information without the individual's written authorization unless the disclosure: (i) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization, or (ii) is reasonably necessary for such person to perform such person's function for the disclosing insurance institution, agent or insurance-support organization; or (B) to enable such person to provide information to the disclosing insurance institution, agent or insurance-support organization for the purpose of: (i) Determining an individual's eligibility for an insurance benefit or payment, or (ii) detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction;

(3) Made to an insurance institution, agent, insurance-support organization or self-insurer, provided the information disclosed is limited to that which is reasonably necessary: (A) To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with insurance transactions, or (B) for either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual;

(4) Made to a medical-care institution or medical professional for the purpose of: (A) Verifying insurance coverage or benefits; (B) informing an individual of a medical problem of which such individual may not be aware; or (C) conducting an operations or services audit, provided only such information is disclosed as is reasonably necessary to accomplish the foregoing purposes;

(5) Made to an insurance regulatory authority;

(6) Made to a law enforcement or other government authority: (A) To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or (B) if the institution, agent or organization reasonably believes that illegal activities have been conducted by the individual;

(7) Otherwise permitted or required by law;

(8) In response to a facially valid administrative or judicial order, including a search warrant or subpoena;

(9) Made for the purpose of conducting actuarial or research studies, provided: (A) No individual may be identified in any actuarial or research report; (B) materials in which the individual may be identified are returned or destroyed as soon as they are no longer necessary; and (C) the actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization;

(10) Made to a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the insurance institution, agent or insurance-support organization, provided: (A) Prior to the consummation of the sale, transfer, merger or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger or consolidation; and (B) the recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization;

(11) Made to a person whose only use of such information will be in connection with the marketing of a product or service, provided: (A) No medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living or general reputation is disclosed, and no classification derived from such information is disclosed; (B) the individual has been afforded an opportunity to indicate that the individual does not wish personal information disclosed for marketing purposes and has given no indication that the individual does not wish the information disclosed; and (C) the person receiving such information agrees not to use it except in connection with the marketing of a product or service;

(12) Made to an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, provided (A) with regard to individually identifiable medical records information, written consent of the individual to whom the individually identifiable medical record pertains is obtained prior to disclosure for marketing purposes, and (B) the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons;

(13) Made by a consumer reporting agency, provided the disclosure is made to a person other than an insurance institution or agent;

(14) Made to a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the recipient to conduct the audit;

(15) Made to a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional;

(16) Made to a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable;

(17) Made to a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction;

(18) Made to a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, provided: (A) No medical-record information is disclosed unless the disclosure would otherwise be permitted by this section; and (B) the information disclosed is limited to that which is reasonably necessary to permit such person to protect its interests in such policy;

(19) Made pursuant to section 53-445;

(20) Made to the Department of Public Health in conjunction with the investigation of a health care provider pursuant to section 19a-14.

(P.A. 81-368, S. 14, 25; P.A. 82-21, S. 2, 3; P.A. 93-430, S. 6, 9; P.A. 99-284, S. 39, 60; P.A. 02-24, S. 11; P.A. 06-195, S. 17.)

History: P.A. 82-21 added Subsec. (r), providing that an insurer cannot disclose personal or privileged information unless disclosure is made to persons having legal interest in the insurance policy and specified that provisions apply to personal or privileged information collected or received before or after October 1, 1982; Sec. 38-513 transferred to Sec. 38a-988 in 1991; P.A. 93-430 made technical changes for accuracy and added Subdiv. (s), providing that an insurer cannot disclose personal or privileged information unless such disclosure is made pursuant to health insurance fraud under Sec. 53-445, effective October 1, 1994; P.A. 99-284 amended Subdiv. (l) by adding Subpara. (1) re individually identifiable medical records and designated existing proviso as Subpara. (2), effective July 1, 2000; P.A. 02-24 changed Subdiv. designators from (a) to (s) to (1) to (19), deleted “or” at the end of Subdivs. and made technical changes; P.A. 06-195 added Subdiv. (20) to permit insurers to make disclosures to Department of Public Health in conjunction with investigation of a health care provider.

Sec. 38a-988a. Sale of individually identifiable medical record information prohibited. Written consent re disclosure for marketing purposes. Exceptions. Cause of action for violations. (a) No person, including, but not limited to, insurance institutions, agents, insurance support organizations, health care professionals, medical care centers, pharmacies, pharmaceutical companies, schools and universities, and no person's agent, contractor or employee, shall sell or offer for sale individually identifiable medical record information, as defined in section 38a-976. No person shall disclose, for purposes of marketing, individually identifiable medical record information without the prior written consent of the individual to whom the individually identifiable medical record information pertains or, in the case of a minor, of the minor's parent or guardian. Nothing in this section shall be construed to prohibit (1) a person from disclosing individually identifiable medical record information as permitted under section 38a-988, any other applicable state or federal law or in connection with a collectively bargained agreement, or (2) a health care provider from transferring individual identifiable medical record information for the purposes of clinical research, utilization review, quality review, performance improvement, billing for services or other functions performed by health care providers or their agents in support of direct patient care, provided (A) in the case of clinical research, no individually identifiable medical record information may be disclosed by the clinical researcher, unless the disclosure would otherwise be permitted, and (B) the entity to whom the information is transferred agrees not to disclose the information unless the disclosure would otherwise be permitted if made by the transferer. Nothing in this section shall be construed to prohibit a person from transferring individually identifiable medical record information to another person as part of a consummated sale of that person to another person or consummated merger by that person with another person or to a successor in interest. For the purposes of this section, “insurance transaction” as used in section 38a-988 shall apply to any insurance including insurance for personal, family, household, business or professional needs, and “insurance institution” as used in said section 38a-988 includes self-insured employers for workers' compensation purposes and third-party administrators.

(b) An individual harmed by a violation of this section may bring an action for equitable relief, damages or both. Any person who violates the provisions of this section shall be liable to the individual harmed for double damages, costs and reasonable attorneys' fees. No action under this section shall be brought but within two years from the date when the violation first occurs or is discovered, or in the exercise of reasonable care should have been discovered, and except that no such action may be brought more than five years from the date of the violation complained of.

(P.A. 99-284, S. 18, 60; P.A. 14-235, S. 9.)

History: P.A. 99-284 effective July 1, 2000; P.A. 14-235 made a technical change in Subsec. (a).

Sec. 38a-989. (Formerly Sec. 38-514). Powers of commissioner. (a) The commissioner shall have power to examine and investigate into the affairs of every insurance institution or agent doing business in this state to determine whether the institution or agent has been engaged or is engaging in any conduct in violation of sections 38a-975 to 38a-998, inclusive.

(b) The commissioner shall have the power to examine and investigate into the affairs of every insurance-support organization acting on behalf of an insurance institution or agent which transacts business within this state or without this state which has an effect on a resident of this state in order to determine whether such insurance-support organization has been engaged or is engaging in any conduct in violation of sections 38a-975 to 38a-998, inclusive.

(P.A. 81-368, S. 15, 25; P.A. 99-284, S. 19, 60.)

History: Sec. 38-514 transferred to Sec. 38a-989 in 1991; P.A. 99-284 made a technical change, effective July 1, 2000.

Sec. 38a-990. (Formerly Sec. 38-515). Hearings; subpoenas; service of process. (a) Whenever the commissioner has reason to believe that an insurance institution, agent or insurance-support organization has been engaged or is engaging in conduct in this state which violates this chapter, or if the commissioner believes that an insurance-support organization has been engaged or is engaging in conduct outside this state which has an effect on a resident of this state and which violates sections 38a-975 to 38a-998, inclusive, the commissioner shall issue and serve upon such insurance institution, agent or insurance-support organization a statement of the charges and a notice of a hearing to be held at a time and place fixed in the notice. The date of such hearing shall not be less than thirty days after the date of service.

(b) At the time and place fixed for such hearing, the insurance institution, agent or insurance-support organization shall have an opportunity to answer the charges against it and present evidence on its own behalf. Upon good cause shown, the commissioner shall permit any adversely affected person to intervene, appear and be heard at such hearing by counsel or in person.

(c) At any hearing conducted pursuant to this section, the commissioner may administer oaths, examine and cross-examine witnesses and receive oral and documentary evidence. The commissioner shall have the power to subpoena witnesses, compel their attendance and require the production of books, papers, records, correspondence or other documents that the commissioner deems relevant to the hearing. A stenographic record of the hearing shall be made upon the request of any party or at the discretion of the commissioner. If no stenographic record is made and if judicial review is sought, the commissioner shall prepare a statement of the evidence for use on review. Hearings conducted under this section shall be governed by the same rules of evidence and procedure applicable to administrative proceedings conducted under the insurance laws of this state.

(d) Statements of charges, notices, orders and other processes of the commissioner under sections 38a-975 to 38a-998, inclusive, may be served in the manner provided by law for service of process in civil actions or by registered mail. A copy of the statement of charges, notice, order or other process shall be provided to the person whose rights under said sections have been allegedly violated. A verified return specifying the manner of service, or return receipt in the case of registered mail, shall be sufficient proof of service.

(P.A. 81-368, S. 16, 25; P.A. 99-284, S. 20, 60.)

History: Sec. 38-515 transferred to Sec. 38a-990 in 1991; P.A. 99-284 substituted “the commissioner” for “he” and “that” for “which” and made a technical change, effective July 1, 2000.

Sec. 38a-991. (Formerly Sec. 38-516). Insurance-support organizations to appoint commissioner to accept service of process. For purposes of sections 38a-975 to 38a-998, inclusive, an insurance-support organization transacting business outside this state which affects a resident of this state shall be deemed to have appointed the commissioner to accept service of process on its behalf as provided in section 38a-25.

(P.A. 81-368, S. 17, 25; P.A. 90-243, S. 166; P.A. 99-284, S. 21, 60.)

History: P.A. 90-243 provided that the provisions of section 38a-25 re service of process be applicable to out-of-state insurance-support organizations; Sec. 38-516 transferred to Sec. 38a-991 in 1991; P.A. 99-284 made a technical change, effective July 1, 2000.

Sec. 38a-992. (Formerly Sec. 38-517). Commissioner to prepare findings. (a) If, after a hearing pursuant to section 38a-990, the commissioner determines that the insurance institution, agent or insurance-support organization charged has engaged in conduct or practices in violation of sections 38a-975 to 38a-998, inclusive, the commissioner shall reduce the findings to writing and shall issue and cause to be served upon such institution, agent or organization a copy of such findings and an order requiring such institution, agent or organization to cease and desist from engaging in such conduct or practices.

(b) If, after a hearing pursuant to section 38a-990, the commissioner determines that the insurance institution, agent or insurance-support organization charged has not engaged in conduct or practices in violation of sections 38a-975 to 38a-998, inclusive, the commissioner shall prepare a written report which sets forth the findings of fact and conclusions. Such report shall be served upon the insurance institution, agent or insurance-support organization charged and upon the person, if any, whose rights under said sections were allegedly violated.

(c) The commissioner may modify or set aside any order or report issued under this section until the expiration of the time allowed under section 38a-994 for filing a petition for review or until such petition is actually filed, whichever occurs first. If, after the expiration of the time allowed under section 38a-994 for filing a petition for review, no petition has been filed, the commissioner may, after notice and opportunity for hearing, alter, modify or set aside, in whole or in part, any order or report issued under this section whenever conditions of fact or law warrant such action or if the public interest so requires.

(P.A. 81-368, S. 18, 25; P.A. 99-284, S. 22, 60.)

History: Sec. 38-517 transferred to Sec. 38a-992 in 1991; P.A. 99-284 substituted “the commissioner” for “he” and “the findings” for “his findings” and made a technical change, effective July 1, 2000.

Annotation to former section 38-517:

Cited. 215 C. 277.

Sec. 38a-993. (Formerly Sec. 38-518). Penalties. (a) In any case where a hearing pursuant to section 38a-990 results in the finding of a negligent violation of sections 38a-975 to 38a-998, inclusive, the commissioner may, in addition to the issuance of a cease and desist order as prescribed in section 38a-992, order payment of a penalty of not more than two thousand dollars for each violation but not to exceed twenty thousand dollars in the aggregate for multiple violations.

(b) (1) In any case where a hearing pursuant to section 38a-990 results in the finding of an intentional violation of sections 38a-975 to 38a-998, inclusive, the commissioner may, in addition to the issuance of a cease and desist order as prescribed in section 38a-992, order payment of a penalty of not more than five thousand dollars for each violation but not to exceed fifty thousand dollars in the aggregate for multiple violations.

(2) In any case where a hearing pursuant to section 38a-990 results in the finding of an intentional violation of section 38a-988a, the commissioner may, in addition to the issuance of a cease and desist order as prescribed in section 38a-992, order payment of a penalty of not more than twenty thousand dollars for each violation but not to exceed one hundred thousand dollars in the aggregate for multiple violations.

(c) Any person who violates a cease and desist order of the commissioner under section 38a-992 may, after notice and hearing and upon order of the commissioner, be subject to one or more of the following, at the discretion of the commissioner: (1) A penalty of not more than twenty thousand dollars for each violation; or (2) a penalty of not more than one hundred thousand dollars if the commissioner finds that violations have occurred with such frequency as to indicate a general business practice; or (3) suspension or revocation of an insurance institution's or agent's license.

(P.A. 81-368, S. 19, 25; P.A. 97-99, S. 23; P.A. 99-284, S. 23, 60.)

History: Sec. 38-518 transferred to Sec. 38a-993 in 1991; P.A. 97-99 amended Subsec. (a) to increase penalty from $500 to $2,000 and limit maximum to $20,000 rather than $10,000; P.A. 99-284 amended Subsec. (a) to substitute “a negligent violation” for “an intentional violation” re sections 38a-975 to 38a-998, inclusive, inserted new Subdiv. (b)(1) re an intentional violation of said sections, inserted new Subdiv. (b)(2) re an intentional violation of Sec. 38a-988a, redesignated former Subsec. (b) as (c), amended Subdiv. (c)(1) to substitute $20,000 for $10,000 re penalty for each violation and amended Subdiv. (c)(2) to substitute $100,000 for $50,000 re penalty for violations that indicate a general business practice, effective July 1, 2000.

Sec. 38a-994. (Formerly Sec. 38-519). Appeals from orders. (a) Any person aggrieved by an order of the commissioner issued pursuant to sections 38a-975 to 38a-998, inclusive, may appeal therefrom in accordance with the provisions of section 4-183, except venue for such appeal shall be in the judicial district of New Britain.

(b) No order or report of the commissioner under sections 38a-975 to 38a-998, inclusive, or order of a court to enforce the same shall in any way relieve or absolve any person affected by such order or report from any liability under any other laws of this state.

(P.A. 81-368, S. 20, 25; P.A. 88-230, S. 1, 12; P.A. 90-98, S. 1, 2; P.A. 93-142, S. 4, 7, 8; P.A. 95-220, S. 46; 99-215, S. 24, 29; P.A. 99-284, S. 24, 60.)

History: P.A. 88-230 replaced “judicial district of Hartford-New Britain” with “judicial district of Hartford”, effective September 1, 1991; P.A. 90-98 changed the effective date of P.A. 88-230 from September 1, 1991, to September 1, 1993; Sec. 38-519 transferred to Sec. 38a-994 in 1991; P.A. 93-142 changed the effective date of P.A. 88-230 from September 1, 1993, to September 1, 1996, effective June 14, 1993; P.A. 95-220 changed the effective date of P.A. 88-230 from September 1, 1996, to September 1, 1998, effective July 1, 1995; P.A. 99-215 replaced “judicial district of Hartford” with “judicial district of New Britain” in Subsec. (a), effective June 29, 1999; P.A. 99-284 made a technical change, effective July 1, 2000.

Sec. 38a-995. (Formerly Sec. 38-520). Individual remedies. (a) If an insurance institution, agent or insurance-support organization fails to comply with section 38a-983, 38a-984 or 38a-985 with respect to the rights granted under those sections, any person whose rights are violated may bring an action for equitable relief.

(b) An insurance institution, agent or insurance-support organization that discloses information in violation of section 38a-988 shall be liable for damages sustained by the individual concerning whom the information relates, except that no individual shall be entitled to a monetary award that exceeds the actual damages sustained by such individual as a result of a violation of section 38a-988.

(c) In any action brought pursuant to this section, the court may award costs and reasonable attorney's fees to the prevailing party.

(d) No action under this section shall be brought but within two years from the date the alleged violation is or should have been discovered.

(e) Except as specifically provided in this section, there shall be no remedy available to individuals, in law or in equity, for occurrences constituting a violation of any provision of sections 38a-975 to 38a-998, inclusive.

(P.A. 81-368, S. 21, 25; P.A. 17-15, S. 94.)

History: Sec. 38-520 transferred to Sec. 38a-995 in 1991; P.A. 17-15 made technical changes in Subsec. (b).

Sec. 38a-996. (Formerly Sec. 38-521). Immunity. Any person who discloses personal or privileged information in accordance with sections 38a-975 to 38a-998, inclusive, or who furnishes such information to an insurance institution, agent or insurance-support organization, shall be immune from any civil liability on account of such act, unless such person disclosed or furnished false information with malice or wilful intent to injure any person.

(P.A. 81-368, S. 22, 25.)

History: Sec. 38-521 transferred to Sec. 38a-996 in 1991.

Sec. 38a-997. (Formerly Sec. 38-522). Obtaining information under false pretenses. Fine. Any person who knowingly and wilfully obtains information concerning an individual from an insurance institution, agent or insurance-support organization under false pretenses shall be fined not more than twenty thousand dollars.

(P.A. 81-368, S. 23, 25; P.A. 08-178, S. 49.)

History: Sec. 38-522 transferred to Sec. 38a-997 in 1991; P.A. 08-178 increased maximum fine from $10,000 to $20,000.

Sec. 38a-998. (Formerly Sec. 38-523). Severability. If any provision of sections 38a-975 to 38a-998, inclusive, or the application thereof to any person or circumstance is for any reason held to be invalid, the remainder of said sections and the application of such provision to other persons or circumstances shall not be affected thereby.

(P.A. 81-368, S. 24, 25.)

History: Sec. 38-523 transferred to Sec. 38a-998 in 1991.

Sec. 38a-999. Written policies, standards and procedures re medical record information. (a) An insurance institution, agent or insurance support organization that regularly collects, uses or discloses medical record information, as defined in section 38a-976, shall develop and implement written policies, standards and procedures for the management, transfer and security of medical record information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of medical record information by the insurance institution, agent or insurance support organization or any employee or agent thereof. Such policies, standards and procedures shall include:

(1) Limitation on access to medical record information by only those persons who need to use the medical record information in order to perform their jobs;

(2) Appropriate training for all employees identified in subdivision (4) of this subsection;

(3) Disciplinary measures for violations of the medical record information policies, standards and procedures;

(4) Identification of the job titles of persons that are authorized to use or disclose medical record information;

(5) Procedures for authorizing and restricting the collection, use or disclosure of medical record information;

(6) Methods for handling, disclosing, storing and disposing of medical record information;

(7) Periodic monitoring of the employees' compliance with the policies, standards and procedures in a manner sufficient for the insurance institution, agent or insurance support organization to determine compliance with this section and to enforce its policies, standards and procedures; and

(8) Additional protection against unauthorized disclosure of sensitive health information, which shall include information regarding: Sexually transmitted diseases; mental health; substance abuse; the human immunodeficiency virus and acquired immune deficiency syndrome; and genetic testing, including the fact that an individual has undergone a genetic test.

(b) An insurance institution, agent or insurance support organization shall make the medical record information policies, standards and procedures developed pursuant to this section available for review by the Insurance Commissioner.

(c) A summary of such policies, standards and procedures shall be made available to enrollees upon enrollment and upon request.

(P.A. 99-284, S. 25, 60; P.A. 14-235, S. 10.)

History: P.A. 99-284 effective July 1, 2000; P.A. 14-235 made a technical change in Subsec. (a).

Sec. 38a-999a. Disclosure of individually identifiable medical record information with malicious intent prohibited. Penalty. (a) No person shall disclose individually identifiable medical record information, as defined in subsection (r) of section 38a-976, with the malicious intent to damage an individual's reputation or character.

(b) Any person who violates subsection (a) of this section shall be fined not more than five hundred dollars or imprisoned not more than three months or both for the first offense and shall be fined not more than two thousand dollars or imprisoned not more than one year or both for each subsequent offense.

(P.A. 99-284, S. 26, 60.)

History: P.A. 99-284 effective July 1, 2000.

Sec. 38a-999b. Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty. Section 38a-999b is repealed, effective October 1, 2021.

(P.A. 15-142, S. 5; P.A. 19-117, S. 401; 19-196, S. 9.)