(a) An insurance institution, agent or insurance support organization that regularly collects, uses or discloses medical record information, as defined in § 38a-976, shall develop and implement written policies, standards and procedures for the management, transfer and security of medical record information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of medical record information by the insurance institution, agent or insurance support organization or any employee or agent thereof. Such policies, standards and procedures shall include:

Terms Used In Connecticut General Statutes 38a-999

  • Commissioner: means the Insurance Commissioner. See Connecticut General Statutes 38a-1
  • Insurance: means any agreement to pay a sum of money, provide services or any other thing of value on the happening of a particular event or contingency or to provide indemnity for loss in respect to a specified subject by specified perils in return for a consideration. See Connecticut General Statutes 38a-1

(1) Limitation on access to medical record information by only those persons who need to use the medical record information in order to perform their jobs;

(2) Appropriate training for all employees identified in subdivision (4) of this subsection;

(3) Disciplinary measures for violations of the medical record information policies, standards and procedures;

(4) Identification of the job titles of persons that are authorized to use or disclose medical record information;

(5) Procedures for authorizing and restricting the collection, use or disclosure of medical record information;

(6) Methods for handling, disclosing, storing and disposing of medical record information;

(7) Periodic monitoring of the employees’ compliance with the policies, standards and procedures in a manner sufficient for the insurance institution, agent or insurance support organization to determine compliance with this section and to enforce its policies, standards and procedures; and

(8) Additional protection against unauthorized disclosure of sensitive health information, which shall include information regarding: Sexually transmitted diseases; mental health; substance abuse; the human immunodeficiency virus and acquired immune deficiency syndrome; and genetic testing, including the fact that an individual has undergone a genetic test.

(b) An insurance institution, agent or insurance support organization shall make the medical record information policies, standards and procedures developed pursuant to this section available for review by the Insurance Commissioner.

(c) A summary of such policies, standards and procedures shall be made available to enrollees upon enrollment and upon request.