Disclosure limitations and conditions - Conn. Gen. Stat. § 38a-988

Insurance institutions, agents, and organization (“Insurers”) may only disclose personal or privileged information obtained during an insurance transaction in the following circumstances:

• Upon an individual’s written authorization. Insurers may rely on authorization obtained by another Insurer so long as the form of the authorization complies with the § 38a-981 authorization form content requirements or authorization obtained by a non-insurer so long as the individual signed and dated the form within a year before the disclosure date.
• To an Insurer’s agent so that the agent can perform their duties. Agents may not further disclose information they receive unless “reasonably necessary” to perform their duties or, in similar circumstances, the Insurer would otherwise have authority to disclose.
• To persons that will use the information to help the Insurer determine an individual’s payment or benefit eligibility or help the Insurer detect fraud or other criminal activity.
• To another Insurer for the purpose of detecting fraud or other criminal activity or in relation to an insurance transaction.
• To medical-care institutions or medical professionals in relation to authenticating insurance coverage, alerting an individual about a medical condition, or an audit of operations or services.
• To “an insurance regulatory authority.”
• To law enforcement or government officials as a means of protecting against fraud or if the Insurer believes that an individual has committed a crime in accordance with the law.
• To persons specified in a valid court order.
• To persons “conducting actuarial or research studies” so long as the researcher agrees not to disclose or publish identifying information and destroys the identifying information upon completing the study.
• To a party involved in a sale, merger, consolidation, or transfer of the Insurer’s business to the extent that the party reasonably needs the identifying information to make a business decision.
• To persons that will use the information for marketing purposes. Individuals must have an opportunity to opt out of such disclosure and Insurers may not disclose medical-record information for marketing purposes.
• To a consumer reporting agency.
• To a group policyholder as a means of “reporting claims experience or conducting an audit” of operations or services.
• To professional peer review organizations in relation to a medical review.
• To a government agency in relation to an individual’s eligibility for government benefits.
• To “a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction.”
• To persons that have a legal interest in the policy (e.g. lienholder, lessor) if the person reasonably needs the information to protect their interest. Medical-record information may only be disclosed as provided elsewhere in this section.
• When reporting health insurance fraud to the Insurance Commissioner as provided in § 53-445.
• To the Department of Public Health in relation to a health care provider investigation.