Pennsylvania Code
Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

• No statutes or acts will be found at this website.

The Pennsylvania Code website reflects the Pennsylvania Code changes effective through 54 Pa.B. 488 (January 27, 2024).

Pennsylvania Code



Subchapter B. RULES FOR DISCLOSURE OF NONPUBLIC PERSONAL HEALTH INFORMATION


Sec.


146b.11.    Authorization required for disclosure of nonpublic personal health information.
146b.12.    Authorizations.
146b.13.    Authorization request delivery.

§ 146b.11. Authorization required for disclosure of nonpublic personal health information.

 (a)  Authorization required. A licensee may not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer whose nonpublic personal health information is sought to be disclosed.

 (b)  Insurance function exception. Nothing in this section prohibits, restricts or requires an authorization for the disclosure of nonpublic personal health information by a licensee to the extent that the disclosure of nonpublic personal health information is necessary for the performance of one or more of the following insurance functions by or on behalf of the licensee:

   (1)  Claims administration, including coordination of benefits and subrogation.

   (2)  Claims adjustment, investigation, negotiation, settlement and management.

   (3)  Detection, prevention, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity.

   (4)  Underwriting.

   (5)  Policy placement or issuance.

   (6)  Loss control.

   (7)  Ratemaking and guaranty fund functions.

   (8)  Reinsurance and excess loss insurance.

   (9)  Risk management.

   (10)  Case management.

   (11)  Disease management and wellness programs.

   (12)  Quality assurance.

   (13)  Quality improvement.

   (14)  Performance evaluation.

   (15)  Provider training, accreditation or certification by a recognized accrediting or certifying body, license and credential verification.

   (16)  Utilization review.

   (17)  Peer review activities.

   (18)  Actuarial, scientific, medical or public policy research.

   (19)  Grievance and complaint procedures.

   (20)  Internal administration of compliance, managerial and information systems.

   (21)  Policyholder service functions.

   (22)  Auditing.

   (23)  Reporting (examples include reporting to medical index or consumer reporting bureaus and legally required reporting of disease, injury, vital statistics, child or adult abuse, neglect or domestic violence).

   (24)  Database security.

   (25)  Administration of consumer disputes and inquiries.

   (26)  External accreditation standards.

   (27)  The replacement of a group benefit plan or workers compensation policy or program.

   (28)  Activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit.

   (29)  An activity that permits disclosure without authorization under the Federal regulation.

   (30)  Disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes.

   (31)  An activity otherwise permitted by law, required under governmental regulatory or reporting authority, or to comply with legal process.

   (32)  Compliance with qualified medical child support Orders.

   (33)  Preventive service reminders that do not require disclosure of nonpublic personal health information that a consumer has not previously disclosed directly to the recipient of the information.

 (c)  Disclosure of nonpublic personal health information. Disclosure of nonpublic personal health information is necessary when the disclosure is required or when disclosure is usual, appropriate or acceptable for the purpose of performing an insurance function identified in subsection (b).

 (d)  Insurance functions performed by third parties on behalf of the licensee. A licensee may disclose nonpublic personal health information to a third party not licensed by the Department provided that the nonpublic personal health information is disclosed only for the purposes of carrying out one or more of the insurance functions identified in subsection (b). The Department may hold a licensee responsible for disclosures made by a third party that violate the requirements of this chapter.

 (e)  Additional insurance functions. Additional insurance functions may be added with the approval of the Commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

Cross References

   This section cited in 31 Pa. Code §  146b.12 (relating to authorizations).

§ 146b.12. Authorizations.

 (a)  Valid authorization contents. A valid authorization to disclose nonpublic personal health information under §  146b.11(a) (relating to authorization required for disclosure of the nonpublic personal health information) shall be in written or electronic form and shall contain all of the following:

   (1)  The identity of the consumer who is the subject of the nonpublic personal health information.

   (2)  A general description of the types of nonpublic personal health information to be disclosed.

   (3)  General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used.

   (4)  The signature of the consumer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed.

   (5)  Notice of the length of time for which the authorization is valid and that the consumer may revoke the authorization at any time and the procedure for making a revocation.

 (b)  Duration of authorization. An authorization for the purposes of §  146b.11(a) shall specify a length of time for which the authorization shall remain valid, which may not be for more than 24 months.

 (c)  Revocation of authorization. A consumer who is the subject of nonpublic personal health information may revoke an authorization provided under this subchapter at any time, subject to the rights of an individual or licensee who acted in reliance on the authorization prior to notice of the revocation.

 (d)  Record of authorization. A licensee shall retain the authorization and a revocation of the authorization, or copies thereof, for 6 years in the record of the individual who is the subject of nonpublic personal health information.

§ 146b.13. Authorization request delivery.

 A request for authorization and an authorization form may be delivered to a consumer as part of a privacy notice delivered under Chapter 146a (relating to privacy of consumer financial information), provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or included in other notices unless the licensee intends to disclose nonpublic personal health information under §  146b.11(a) (relating to authorization required for disclosure of nonpublic personal health information).


No part of the information on this site may be reproduced for profit or sold for profit.


This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.