Skip to Content

Private Insurance Data Requirements in Connecticut

Private Insurance Data Requirements

Connecticut establishes the following rules for Insurers, Managed Care Organizations, and Health plans:

· Private insurers must implement policies, standards and procedures for managing, transferring, and securing medical record information.1

· Insurers must establish a grievance procedure and provide enrollees with notice of this procedure.2

· Insurers may disclose de-identified claims information to certain employers.3

· Health plans may not deny coverage based on a history of breast cancer if the applicant has been in remission for five years.4

· Insurers must provide applicants and policyholders with “notice of information practices” at the time a person applies for insurance, renews their policy, or requests a reinstatement of their policy.5

· Insurers must obtain authorization to disclose personal information on forms that meet Connecticut’s form criteria (e.g. uses plain language, specifies disclosed information).6

· Insurers must provide individuals with information regarding an adverse underwriting decision.7

· Insurers may disclose personal information in limited circumstances (e.g. with an individual’s authorization).8

· Insurers may not sell individually identifiable medical information, but may disclose such information for marketing purposes so long as they obtain the individual’s consent.9

· Managed Care Organizations must annually report quality information to the Insurance Commissioner.10

· Insurers that disclose individually identifiable information from medical records with the intent to harm an individual face fines and/or imprisonment.11

Connecticut requires the Insurance Commissioner to annually distribute Managed Care Organization consumer report cards.12

Connecticut consumers may request access to personal information maintained by an Insurer13 and may request that the Insurer correct, amend, or delete such information.14



  • 1. C.G.S.A. § 38a-999.
  • 2. C.G.S.A. § 38a-478m.
  • 3. C.G.S.A. § 38a-513f.
  • 4. C.G.S.A. § 38a-503a.
  • 5. C.G.S.A. § 38a-979.
  • 6. C.G.S.A. § 38a-981.
  • 7. C.G.S.A. § 38a-985.
  • 8. C.G.S.A. § 38a-988.
  • 9. C.G.S.A. § 38a-988a.
  • 10. C.G.S.A. § 38a-478c.
  • 11. C.G.S.A. § 38a-999a.
  • 12. C.G.S.A. § 38a-478l.
  • 13. C.G.S.A. § 38a-983.
  • 14. C.G.S.A. § 38a-984. 


Private Insurance Data Requirements in Connecticut

Subtopic Statute/Regulation Description
Private Insurance Data Requirements Access to recorded personal information - Conn. Gen. Stat. § 38a-983 Individuals may request access to personal information maintained by an insurance institution, agent, or organization (“Insurers”)....
Claims information to be provided to certain employers. Restrictions. Subpoenas - Conn. Gen. Stat. § 38a-513f Insurers or other entities that deliver group health insurance must disclose utilization data, claims data, monthly premium information, and the...
Consumer report card required. Content - Conn. Gen. Stat. § 38a-478l The Insurance Commissioner must distribute Managed Care Organization consumer report cards by October 15th of every year. The report cards must...
Content of disclosure authorization forms. Disclosure of health benefits to exclusive bargaining agent or subgroup of a multi-bargaining-unit group - Conn. Gen. Stat. § 38a-981 Forms used by Insurance institutions, agents, and organizations to obtain authorization to disclose personal information must: (1) be written in...
Correction, amendment or deletion of recorded personal information - Conn. Gen. Stat. § 38a-984 Individuals may request that insurance institutions, agents, and organizations (“Insurers”) correct, amend, or delete personal...
Disclosure limitations and conditions - Conn. Gen. Stat. § 38a-988 Insurance institutions, agents, and organization (“Insurers”) may only disclose personal or privileged information obtained during an...
Disclosure of individually identifiable medical record information with malicious intent prohibited. Penalty - Conn. Gen. Stat. § 38a-999a Connecticut prohibits persons from disclosing individually identifiable medical records information “with the malicious intent to damage an...
Insurer to provide its reasons for adverse underwriting decisions - Conn. Gen. Stat. § 38a-985 Insurance institutions or agents (“Insurers”) that issue an adverse underwriting decision must either (1) provide the individual with a...
Internal grievance procedure. Notice re procedure and final resolution. Penalties. Fines allocated to Office of the Healthcare Advocate - Conn. Gen. Stat. § 38a-478m Managed Care Organizations and Health Insurers (“Insurer”) must maintain an internal grievance procedure that allows enrollees to obtain...
Managed care organization's report to the commissioner: Data, reports and information required - Conn. Gen. Stat. § 38a-478c Managed Care Organizations must report the following information to the Insurance Commissioner by May 1st of every year: A quality assurance plan...
Mandatory coverage for breast cancer survivors - Conn. Gen. Stat. § 38a-503a Individual health insurance plans and insurance arrangements may not deny coverage to an applicant due to their breast cancer history so long as the...
Notice of insurance information practices - Conn. Gen. Stat. § 38a-979 Insurance institutions and agents (“Insurer”) must provide applicants and policyholders with “notice of information practices...
Sale of individually identifiable medical record in formation prohibited. Written consent re disclosure for marketing purposes. Exceptions. Cause of action for violations - Conn. Gen. Stat. § 38a-988a Connecticut prohibits persons from selling or offering to sell individually identifiable medical information. Persons may disclose individually...
Written policies, standards and procedures re medical record information - Conn. Gen. Stat. § 38a-999 Insurance institutions, agents, and insurance support organizations (“Insurers”) must implement policies, standards and procedures for...