Montana Code 33-19-105. Exemption based on federal standards for privacy of individually identifiable health information — notice to commissioner required — rules
33-19-105. Exemption based on federal standards for privacy of individually identifiable health information — notice to commissioner required — rules. (1) The obligations imposed under this chapter do not apply to a licensee that is a covered entity under the provisions of federal regulations that are part of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR, parts 160 and 164, standards for privacy of individually identifiable health information or security standards for the protection of electronic health information as to any use or disclosure of personal information that is covered under the HIPAA privacy and security regulations, except for the following provisions:
Terms Used In Montana Code 33-19-105
- Adverse underwriting decision: means any of the following actions with respect to insurance transactions involving insurance coverage that are individually underwritten:
(i)a declination of insurance coverage;
(ii)a termination of insurance coverage;
(iii)failure of an insurance producer to apply for insurance coverage with a specific insurance institution that the insurance producer represents and that is requested by an applicant;
(iv)in the case of a property or casualty insurance coverage:
(A)placement by an insurance institution or insurance producer of a risk with a residual market mechanism, an unauthorized insurer, or an insurance institution that specializes in substandard risks; or
(B)the charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished;
(v)in the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates. See Montana Code 33-19-104
- Licensee: means :
(a)an insurance institution, insurance producer, or other person who is licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to this title; or
(b)a surplus lines insurer. See Montana Code 33-19-104
- Personal information: means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. See Montana Code 33-19-104
- State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Montana Code 1-1-201
(a)A notice of insurance information practices described as a notice of privacy practices for protected health information under HIPAA privacy regulations must be delivered as provided for in 33-19-202(1).
(b)To the extent that an insurer collects, discloses, or uses personal information that is not covered under the HIPAA notice of privacy practices, a separate Montana specific notice must be delivered pursuant to the provisions of 33-19-202.
(c)A disclosure authorization remains valid for a period that does not exceed 24 months, as provided for in 33-19-206(2).
(d)The reasons for an adverse underwriting decision must be specified, as provided for in 33-19-303.
(e)Disclosure of underwriting information is required, as provided for in 33-19-308.
(2)The commissioner may adopt rules regarding the exceptions from the exemption provisions described in subsection (1), including additional exceptions that embody substantive provisions of this chapter but would not be preempted by HIPAA privacy regulations.
(3)If a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (1), the licensee shall give written notice to the commissioner of that exemption and a brief statement describing why the licensee is a HIPAA-covered entity.
(4)A licensee may claim an exemption only for those lines of business that are subject to HIPAA privacy regulations. All other lines of business are subject to this chapter.
(5)A business associate, as defined in the HIPAA privacy regulations, 45 C.F.R. § 160.103, that is a party to a valid business associate agreement required by HIPAA privacy regulations is exempt from the provisions of this chapter, but only as to the scope of that particular agreement. Any activity of the business associate that falls outside of the scope of that agreement is subject to the provisions of this chapter.
(6)The commissioner retains the authority to conduct complete market conduct examinations of the licensee as to the privacy policies and practices that are subject to state privacy laws.
(7)Beginning July 1, 2011:
(a)if a licensee is subject to and in compliance with a federal regulation that is part of the federal health insurance portability and accountability privacy and security regulations, 45 CFR, parts 160 and 164, and the federal regulation with which the licensee complies is inconsistent with a provision of this chapter and not less protective of consumer privacy, the licensee is exempt from compliance with the inconsistent provision of this chapter;
(b)if a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (7)(a), the licensee shall give written notice to the commissioner of that exemption unless the requirements of this subsection (7) are preempted by HIPAA privacy regulations. The notice must include a statement of the reason for the claimed exemption.