SECTION 365:35-1-40. When authorization required for disclosure of nonpublic personal health information  


Latest version.
  • (a)   A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
    (b)   Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee or an affiliate of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; communications with a licensee's consumer(s) or customer(s) regarding a licensee's own products, services or activities; legal services; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; entities providing private licensure of a not-for-profit hospital service or indemnity plan and their affiliates, a not-for-profit medical or indemnity plan and their affiliates, or a nonprofit dental service corporation and their affiliates; the replacement of a group benefit plan or workers compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added by the Commissioner pursuant to the rulemaking provisions of the Oklahoma Administrative Procedures Act, 75 O.S. § 250, et seq.
[Source: Added at 18 Ok Reg 3645, eff 9-7-01 (emergency); Added at 19 Ok Reg 1326, eff 7-14-02]