REPORT TITLE:
Health Information


DESCRIPTION:
Provides for administration of protected health information that
is used, maintained, collected, and disclosed by property and
casualty insurers.

                                                        2002 
HOUSE OF REPRESENTATIVES                H.B. NO.           
TWENTIETH LEGISLATURE, 2000                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PROTECTION OF HEALTH INFORMATION BY PROPERTY AND
   CASUALTY INSURERS.
 


BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The purpose of this Act is to set standards to
 
 2 safeguard protected health information from unauthorized
 
 3 collection, use, and disclosure by requiring property and
 
 4 casualty insurers to establish procedures for the treatment of
 
 5 all protected health information.
 
 6      SECTION 2.  Chapter 431, Hawaii Revised Statutes, is amended
 
 7 by adding a new part to article 10 to be appropriately designated
 
 8 and to read as follows:
 
 9           "PART    . PROTECTION OF HEALTH INFORMATION
 
10      §431:10-A  Definitions.  As used in this part, except as
 
11 otherwise specifically provided:
 
12      "Commissioner" means the insurance commissioner of this
 
13 State.
 
14      "Department" means the department of commerce and consumer
 
15 affairs.
 
16      "Disclose" means to release or transfer protected health
 
17 information to any person other than to the protected individual
 
18 who is the subject of the protected health information.
 

 


 1      "Facility" means an institution providing health care
 
 2 services or a health care setting, including hospitals and other
 
 3 licensed inpatient centers, ambulatory surgical or treatment
 
 4 centers, skilled nursing centers, residential treatment centers,
 
 5 diagnostic, laboratory and imaging centers, and rehabilitation
 
 6 and other therapeutic health settings.
 
 7      "Health care" means:
 
 8      (1)  Preventive, diagnostic, therapeutic, rehabilitative,
 
 9           maintenance, or palliative care, services, procedures,
 
10           tests, or counseling that:
 
11           (A)  Relates to the physical, mental, or behavioral
 
12                condition of an individual; or
 
13           (B)  Affects the structure or function of the human
 
14                body or any part of the human body; or
 
15      (2)  Prescribing, dispensing, or furnishing to an individual
 
16           drugs or biologicals, or medical devices or health care
 
17           equipment and supplies.
 
18      "Health care professional" means a physician or other health
 
19 care practitioner licensed, accredited, or certified to perform
 
20 specified health services consistent with state law.
 
21      "Health care provider" or "provider" means a health care
 
22 professional or facility.
 

 
 
 


 1      "Health information" means any information or data that
 
 2 states personal facts or information that relates to a protected
 
 3 individual's past, present, or future health care including
 
 4 invoices or billing records that identify a protected
 
 5 individual's treatment, condition, or diagnosis; provided,
 
 6 however, that health information does not include non-medical
 
 7 information collected by an insurer in anticipation of or in
 
 8 connection with an injury or illness claim.
 
 9      "Insurance support organization" means a person that
 
10 regularly engages, in whole or in part, in the practice of
 
11 assembling or collecting information from insurers, agents, or
 
12 other organizations for the purpose of ratemaking or ratemaking-
 
13 related functions, regulatory or legislative cost analysis,
 
14 detecting or preventing fraud, material misrepresentation, or
 
15 material nondisclosure in connection with insurance underwriting,
 
16 or insurance claim activity.
 
17      "Insured" means the person identified by name in a policy
 
18 that falls under this part.
 
19      "Insurer" means any property and casualty insurer within the
 
20 definition of section 431:1-206, 431:1-207, 431:1-208, 431:1-209,
 
21 431:1-210, or 431:1-211 and is licensed under article 3, but
 
22 shall not include monoline mortgage guaranty insurers, financial
 

 
 
 


 1 guaranty insurers, title insurers, disability insurers, or
 
 2 accident or sickness insurers.
 
 3      "Person" means any person within the definition of section
 
 4 431:1-212.
 
 5      "Protected health information" means health information:
 
 6      (1)  That identifies a protected individual; or
 
 7      (2)  With respect to which there is a reasonable basis to
 
 8           believe that the information could be used to identify
 
 9           a protected individual.
 
10      "Protected individual" means an individual who is the
 
11 subject of the protected health information.
 
12      "Unauthorized" means a collection, use, or disclosure of
 
13 protected health information made by an insurer without the
 
14 authorization of the protected individual or that is not in
 
15 compliance with this part, unless collection, use, or disclosure
 
16 without an authorization is permitted by this part or another
 
17 state or federal law.
 
18      §431:10-B  Applicability and scope.  This part applies to
 
19 all insurers and governs the management of protected health
 
20 information, including the collection, use, and disclosure of
 
21 protected health information by insurers.
 
22      §431:10-C  Protected health information policies, standards,
 

 


 



 1 and procedures.  (a)  An insurer shall develop and implement
 
 2 written policies, standards, and procedures for the management of
 
 3 protected health information, including policies, standards, and
 
 4 procedures to guard against the unauthorized collection, use, or
 
 5 disclosure of protected health information by the insurer.
 
 6      (b)  In any contractual arrangement between an insurer and a
 
 7 person other than a protected individual or health care provider
 
 8 where the person collects or uses protected health information on
 
 9 behalf of the insurer, or where the insurer discloses protected
 
10 health information to the person, an insurer shall inform the
 
11 person of its obligation to comply with any applicable state and
 
12 federal statutory and regulatory requirements governing the
 
13 collection, use, or disclosure of protected health information.
 
14      (c)  An insurer shall make the protected health information
 
15 policies, standards, and procedures developed pursuant to this
 
16 section available for review by the commissioner.
 
17      §431:10-D  Notice of protected health information policies,
 
18 standards, and procedures.  (a)  The insurer shall prominently
 
19 post or provide a notice of its confidentiality practices.
 
20 Regardless of the form used, it shall be in clear type, and, if
 
21 transmitted electronically, reasonably capable of being
 
22 reproduced in clear type.  In order to assure uniformity and
 

 


 1 compliance with legislative policy regarding the sufficiency of
 
 2 the notice, it shall contain the following language:
 
 3              "DRAFT NOTICE PROVISION FOR PART   ,
 
 4                    ARTICLE 10 OF CHAPTER 431:
 
 5                 PROTECTION OF HEALTH INFORMATION
 
 6      IMPORTANT:  THIS NOTICE DEALS WITH THE SHARING OF
 
 7 INFORMATION FROM YOUR MEDICAL RECORDS.  PLEASE READ IT CAREFULLY.
 
 8 This Notice provides a general description of your
 
 9 confidentiality rights as they relate to information from your
 
10 medical records and an explanation of the circumstances under
 
11 which information from your medical records may be shared with
 
12 others.  You are receiving this Notice because it is required by
 
13 Hawaii insurance law.  If you wish to have complete information
 
14 on the Hawaii Protection of Health Information Act, please ask
 
15 for a copy of Part ___, Article 10 of Chapter 431, Hawaii Revised
 
16 Statutes.  This is a part of the Hawaii Insurance Code.
 
17      YOUR RIGHTS WITH RESPECT TO INFORMATION FROM YOUR MEDICAL
 
18 RECORDS.  Your medical records contain "health information",
 
19 which is information or data that states personal facts or
 
20 information about events or relationships that relate to your
 
21 past, present, or future health care, or that relate to invoices
 
22 or billing records that identify your treatment, condition, or
 

 
 
 


 1 diagnosis.  Health information does not include non-medical
 
 2 information collected by an insurer in anticipation of or in
 
 3 connection with an injury or illness claim.  "Protected health
 
 4 information" is health information that identifies you, or for
 
 5 which there is a reasonable basis to believe that the information
 
 6 could be used to identify you.
 
 7      Your right to receive a record of disclosures of protected
 
 8 health information.  If you make a request, an insurer must
 
 9 provide the details concerning the disclosure of your protected
 
10 health information.  These details must include the date,
 
11 purpose, recipient and relevant authorization or basis for the
 
12 disclosure.  The insurer may charge you a reasonable fee for
 
13 providing this information.  However, an insurer is not required
 
14 to provide you with details regarding any disclosures of
 
15 protected health information that were compiled in preparation
 
16 for litigation, law enforcement, or fraud investigation.
 
17      AUTHORIZATION FOR COLLECTION, USE, OR DISCLOSURE OF YOUR
 
18 PROTECTED HEALTH INFORMATION.  An insurer must not collect, use,
 
19 or disclose your protected health information without a valid
 
20 authorization from you, except for specific activities as
 
21 permitted or required by law or court order.  These circumstances
 
22 are described in the next section of this Notice.
 

 
 
 


 1      An insurer may obtain from you a written authorization for
 
 2 the disclosure of protected health information for any purpose.
 
 3 However, the authorization must contain the following details:
 
 4      (1)  Your identity;
 
 5      (2)  A general description of the types of protected health
 
 6           information to be collected, used, or disclosed;
 
 7      (3)  A general description of the sources from which
 
 8           protected health information will be collected;
 
 9      (4)  The name and address of the person to whom the
 
10           protected health information is to be disclosed.
 
11           However, this specific information does not need to be
 
12           shown where the insurer is collecting protected health
 
13           information to support certain insurance functions.  In
 
14           those cases, the authorization may generally describe
 
15           the persons to whom the protected health information
 
16           may be disclosed;
 
17      (5)  The purpose of the authorization, including the reason
 
18           for the collection, the intended use of the protected
 
19           health information, and the scope of any disclosures
 
20           that may be made in carrying out the purpose for which
 
21           the authorization is requested; provided those
 
22           disclosures are not otherwise prohibited by law;
 

 
 
 


 1      (6)  Your signature, or the signature of the individual who
 
 2           is legally empowered to grant authority for you and the
 
 3           date signed; and
 
 4      (7)  A statement regarding your right to revoke the
 
 5           authorization at any time, and the limitations on that
 
 6           right.
 
 7      An insurer must obtain from you a separate authorization if
 
 8 it wishes to disclose protected health information to your
 
 9 employer, including the employer's designated risk manager.  This
 
10 is not required, however, if the protected health information is:
 
11      (1)  Disclosed pursuant to your employer's workers'
 
12           compensation program, to the extent necessary for the
 
13           performance of your employer's and the insurer's rights
 
14           and duties under state laws governing workers'
 
15           compensation;
 
16      (2)  Disclosed pursuant to your employer's administration of
 
17           a health and welfare benefit plan; or
 
18      (3)  Necessary to the administration of claims pursuant to a
 
19           commercial lines policy.
 
20      An insurer that has collected protected health information
 
21 prior to the effective date of the law is not required to obtain
 
22 an authorization for the information.  However, the information
 

 
 
 


 1 the insurer collected may only be used or disclosed in accordance
 
 2 with the law.
 
 3      Procedures for revoking your authorization and effects upon
 
 4 benefits or claims in the absence of protected health
 
 5 information.  You may revoke your authorization at any time.  The
 
 6 revocation must be in writing, and you must sign and date it.
 
 7 However, an insurer is not required to provide a benefit, or
 
 8 commence or continue to pay a claim, in the absence of protected
 
 9 health information to support or deny the benefit or claim.  This
 
10 means that if you revoke an authorization and the insurer cannot
 
11 obtain information it determines it needs to support your claim,
 
12 it may choose to deny you benefits.
 
13      Limitations on use and disclosure.  A person who receives
 
14 protected health information from an insurer is prohibited by law
 
15 from using or disclosing such information for any purpose other
 
16 than the lawful purpose for which it was disclosed.
 
17      An authorization is not a waiver.  Your authorization for an
 
18 insurer to collect, use, or disclose protected health
 
19 information, or a production of protected health information
 
20 pursuant to a court order, does not mean you are waiving any
 
21 other privacy right provided to you by other federal or state
 
22 laws, common law, or rules of evidence.
 

 
 
 


 1      COLLECTION, USE, OR DISCLOSURE OF PROTECTED HEALTH
 
 2 INFORMATION WITHOUT YOUR AUTHORIZATION.  An insurer may engage in
 
 3 specific activities permitted by the law with regard to protected
 
 4 health information without your authorization.  The following is
 
 5 a general description of some of the activities that are
 
 6 permitted by law:
 
 7      (1)  The collection of protected health information from or
 
 8           disclosure of protected health information to an
 
 9           insurer; provided that the insurer that is receiving
 
10           the information is investigating, evaluating,
 
11           adjusting, or settling a claim involving you; or has
 
12           become or may become liable under a policy insuring you
 
13           as a result of a merger, acquisition, or other
 
14           assumption of such liability;
 
15      (2)  The collection, use, or disclosure of protected health
 
16           information to the extent necessary to investigate,
 
17           evaluate, subrogate, or settle third-party claims
 
18           (generally, third-party claims are claims that do not
 
19           involve you or the insured); provided that you are the
 
20           claimant and the information is used for no other
 
21           purpose without a valid authorization or the use is
 
22           otherwise permitted under federal or state law;
 

 
 
 


 1      (3)  The collection, use, or disclosure of protected health
 
 2           information to or from an insurance support
 
 3           organization; provided that the information is used
 
 4           only to perform the insurance functions of claims
 
 5           settlement, detection, and prevention of fraud, or
 
 6           detection and prevention of material misrepresentation
 
 7           or material nondisclosure; or collected and used
 
 8           internally only to perform specific insurance functions
 
 9           permitted by law;
 
10      (4)  If the protected health information is necessary to
 
11           provide ongoing health care treatment, and if the
 
12           disclosure has not been limited or prohibited by you,
 
13           the collection of protected health information from or
 
14           the disclosure of the information to:
 
15           (A)  A health care provider, employed by the insurer,
 
16                who is furnishing health care to you;
 
17           (B)  A health care provider with whom the insurer
 
18                contracts to provide health care services to you;
 
19                or
 
20           (C)  A referring health care provider who continues to
 
21                furnish health care to you;
 
22      (5)  The disclosure of protected health information to a
 

 
 
 


 1           person engaged in the assessment, evaluation or
 
 2           investigation of the quality of health care furnished
 
 3           by a provider pursuant to statutory or regulatory
 
 4           standards or pursuant to the requirements of a private
 
 5           or public program authorized to provide for the payment
 
 6           of health care;
 
 7      (6)  The collection, use, or disclosure of protected health
 
 8           information when the information is necessary for the
 
 9           performance of the insurer's obligations under any
 
10           property and casualty insurance law or contract;
 
11      (7)  The collection of protected health information from
 
12           you; and
 
13      (8)  The collection, use, or disclosure of protected health
 
14           information when the information is obtained from
 
15           public sources such as newspapers, public agency
 
16           reports, and law enforcement or public safety reports.
 
17      Unless otherwise restricted by the law, an insurer who has
 
18 collected protected health information without your authorization
 
19 pursuant to one of the circumstances listed above may use and
 
20 disclose the information to a person acting on behalf of or at
 
21 the direction of the insurer to perform any of the insurer's
 
22 insurance functions.
 

 
 
 


 1      An insurer must disclose protected health information
 
 2 without your authorization when the insurer is required to do so
 
 3 under federal, state, or county law."
 
 4      (b)  The insurer shall provide the notice to:
 
 5      (1)  The protected individuals when requesting an
 
 6           authorization;
 
 7      (2)  Any other person upon request; and
 
 8      (3)  Insureds at the time the policy is first issued or
 
 9           renewed on or after the effective date of this part.
 
10           No further notice shall be required for any renewal or
 
11           replacement policy issued thereafter.
 
12      (c)  The notice may be provided by mail or other practicable
 
13 means.  The signature of the recipient, certificate of mailing,
 
14 or return receipt is not required.
 
15      §431:10-E  Record of disclosures of protected health
 
16 information.  (a)  An insurer shall provide, upon request by a
 
17 protected individual, details regarding disclosure of that
 
18 individual's protected health information.  This information
 
19 shall include the date, purpose, recipient, and relevant
 
20 authorization or basis for the disclosure.  The insurer may
 
21 charge a reasonable fee for providing the information regarding
 
22 the disclosures of information.
 

 
 
 


 1      (b)  An insurer is not required to provide any disclosures
 
 2 of protected health information that were compiled in preparation
 
 3 for litigation, law enforcement, fraud investigation, or in the
 
 4 course of a claim investigation.
 
 5      §431:10-F  Authorization for collection, use, or disclosure
 
 6 of protected health information.  (a)  An insurer shall not
 
 7 collect, use, or disclose protected health information without a
 
 8 valid authorization from the protected individual, except as
 
 9 permitted by section 431:10-G, or as permitted or required by law
 
10 or court order.  Authorization for the disclosure of protected
 
11 health information may be obtained for any purpose; provided that
 
12 the authorization meets the requirements of this section.
 
13      (b)  An insurer shall retain the authorization or a copy
 
14 thereof in the record of the protected individual for a minimum
 
15 of three years.
 
16      (c)  A valid authorization shall be in writing and cover the
 
17 following:
 
18      (1)  The identity of the protected individual;
 
19      (2)  A general description of the types of protected health
 
20           information to be collected, used, or disclosed;
 
21      (3)  A general description of the sources from which
 
22           protected health information will be collected;
 

 
 
 


 1      (4)  The name and address of the person to whom the
 
 2           protected health information is to be disclosed, except
 
 3           that an authorization provided to an insurer for
 
 4           collection of protected health information to support
 
 5           insurance functions listed in subsection (f) may
 
 6           generally describe the persons to whom protected health
 
 7           information may be disclosed;
 
 8      (5)  The purpose of the authorization, including the reason
 
 9           for the collection, the intended use of the protected
 
10           health information, and the scope of any disclosures
 
11           that may be made in carrying out the purpose for which
 
12           the authorization is requested; provided those
 
13           disclosures are not otherwise prohibited by law;
 
14      (6)  The signature of the protected individual, or the
 
15           individual who is legally empowered to grant authority
 
16           for the protected individual, and the date signed; and
 
17      (7)  A statement regarding the protected individual's right
 
18           to revoke the authorization and the limitations to
 
19           those revocation rights.
 
20      (d)  An insurer shall obtain a separate authorization to
 
21 disclose protected health information to an individual's
 
22 employer, including the employer's designated risk manager,
 

 
 
 


 1 unless:
 
 2      (1)  The protected health information is disclosed pursuant
 
 3           to the employer's workers' compensation program, to the
 
 4           extent necessary for the performance of the employer's
 
 5           and insurer's rights and duties under state laws
 
 6           governing workers' compensation;
 
 7      (2)  The protected health information is disclosed pursuant
 
 8           to the employer's administration of a health and
 
 9           welfare benefit plan; or
 
10      (3)  The protected health information is necessary to the
 
11           administration of claims pursuant to a commercial lines
 
12           policy.
 
13      (e)  A protected individual may revoke an authorization at
 
14 any time, subject to the rights of any person who acted in
 
15 reliance on the authorization prior to notice of revocation and
 
16 subject to subsection (i).  A revocation of an authorization
 
17 shall be in writing, dated and signed by the protected
 
18 individual.  A revocation of an authorization shall be retained
 
19 by the insurer in the record of the protected individual for a
 
20 minimum of three years.  An insurer shall give prompt notice of
 
21 the revocation to all persons to whom the insurer has disclosed
 
22 protected health information in reliance on the initial
 

 
 
 


 1 authorization.
 
 2      (f)  An insurer that has collected protected health
 
 3 information pursuant to a valid authorization in accordance with
 
 4 this part may use and disclose the protected health information
 
 5 to a person acting on behalf of or at the direction of the
 
 6 insurer for the performance of the insurer's insurance functions
 
 7 including:  claims administration, claims adjustment and
 
 8 management, fraud investigation, underwriting, loss control,
 
 9 ratemaking functions, reinsurance, risk management, case
 
10 management, disease management, quality assessment, quality
 
11 improvement, provider credentialing verification, utilization
 
12 review, peer review activities, grievance procedures, internal
 
13 audit or administration of compliance, managerial information
 
14 systems, and policyholder service functions.  The protected
 
15 health information shall not be used or disclosed for any purpose
 
16 other than in the performance of the insurer's insurance
 
17 functions, except as otherwise permitted in this part.
 
18      (g)  An authorization to collect, use, or disclose protected
 
19 health information pursuant to this part, or a production of
 
20 protected health information pursuant to a court order, shall not
 
21 be construed to constitute a waiver of any other privacy right
 
22 provided to a protected individual by other federal or state
 

 
 
 


 1 laws, common law, or rules of evidence.
 
 2      (h)  A person who receives protected health information from
 
 3 an insurer shall not use or disclose the protected health
 
 4 information for any purpose other than the lawful purpose for
 
 5 which it was disclosed.
 
 6      (i)  Nothing in this part shall be interpreted as requiring
 
 7 an insurer to provide a benefit or commence or continue payment
 
 8 of a claim, including workers' compensation claims, in the
 
 9 absence of protected health information to support or deny the
 
10 benefit or claim.
 
11      (j)  An insurer that has collected protected health
 
12 information prior to the effective date of this part is not
 
13 required to obtain an authorization for the information; however,
 
14 the information may only be used or disclosed in accordance with
 
15 this part after the effective date of this Act.
 
16      §431:10-G  Collection, use, or disclosure of protected
 
17 health information without authorization:  generally.  (a)  An
 
18 insurer may engage in the following activities with regard to
 
19 protected health information without authorization in the
 
20 following circumstances or as otherwise permitted by law:
 
21      (1)  Collect protected health information from or disclose
 
22           protected health information to an insurer; provided
 

 
 
 


 1           that the insurer that is receiving the information:
 
 2           (A)  Is investigating, evaluating, adjusting, or
 
 3                settling a claim involving the protected
 
 4                individual; or
 
 5           (B)  Has become or may become liable under a policy
 
 6                insuring the protected individual as a result of a
 
 7                merger, acquisition, or other assumption of that
 
 8                liability;
 
 9      (2)  Collect, use, or disclose protected health information
 
10           to the extent necessary to investigate, evaluate,
 
11           subrogate, or settle third-party claims; provided that
 
12           the claimant is the protected individual and the
 
13           protected health information is used for no other
 
14           purpose without a valid authorization or the use is
 
15           otherwise permitted under federal or state law;
 
16      (3)  (A)  Collect, use, or disclose protected health
 
17                information to or from an insurance support
 
18                organization provided that:
 
19                (i)  The protected health information is used only
 
20                     to perform the insurance functions of claims
 
21                     settlement, detection and prevention of
 
22                     fraud, or detection and prevention of
 

 
 
 


 1                     material misrepresentation or material
 
 2                     nondisclosure; or
 
 3               (ii)  The protected health information is collected
 
 4                     and used internally only to perform the
 
 5                     insurance functions of ratemaking and
 
 6                     ratemaking-related functions, underwriting or
 
 7                     underwriting-related functions, or regulatory
 
 8                     or legislative cost analysis;
 
 9           (B)  Additional insurance functions may be added to
 
10                paragraph (3)(A)(i) and (ii) with prior approval
 
11                of the commissioner;
 
12      (4)  If the protected health information is necessary to
 
13           provide ongoing health care treatment, and if the
 
14           disclosure has not been limited or prohibited by the
 
15           protected individual, collect protected health
 
16           information from or disclose protected health
 
17           information to:
 
18           (A)  A health care provider, employed by the insurer,
 
19                who is furnishing health care to a protected
 
20                individual;
 
21           (B)  A health care provider with whom the insurer
 
22                contracts to provide health care services to a
 

 
 
 


 1                protected individual; or
 
 2           (C)  A referring health care provider who continues to
 
 3                furnish health care to a protected individual;
 
 4      (5)  Disclose protected health information to a person
 
 5           engaged in the assessment, evaluation, or investigation
 
 6           of the quality of health care furnished by a provider
 
 7           pursuant to statutory or regulatory standards or
 
 8           pursuant to the requirements of a private or public
 
 9           program authorized to provide for the payment of health
 
10           care;
 
11      (6)  Collect, use, or disclose protected health information
 
12           when the protected health information is necessary for
 
13           the performance of the insurer's obligations under any
 
14           property and casualty insurance law or contract;
 
15      (7)  Collect protected health information from or disclose
 
16           protected health information to a reinsurer, stop-loss
 
17           or excess-loss insurer for the purpose of underwriting,
 
18           claims adjudication and conducting claim file audits;
 
19      (8)  Collect protected health information from the protected
 
20           individual; and
 
21      (9)  Collect, use, or disclose protected health information
 
22           when the protected health information is obtained from
 

 
 
 


 1           public sources such as newspapers, public agency
 
 2           reports, and law enforcement or public safety reports.
 
 3      (b)  Unless otherwise restricted by this section, an insurer
 
 4 that has collected protected health information without an
 
 5 authorization pursuant to subsection (a), may use and disclose
 
 6 the information to a person acting on behalf of or at the
 
 7 direction of the insurer to perform the insurance functions
 
 8 listed in section 431:10-F(f).
 
 9      (c)  An insurer shall disclose protected health information
 
10 in any of the following circumstances:
 
11      (1)  To federal, state, or local governmental authorities to
 
12           the extent the insurer disclosing the protected health
 
13           information is required by law to report protected
 
14           health information or for fraud reporting purposes;
 
15      (2)  The protected health information is needed for one of
 
16           the following purposes:
 
17           (A)  To identify a deceased individual;
 
18           (B)  To determine the cause and manner of death by a
 
19                chief medical examiner or the medical examiner's
 
20                designee; or
 
21           (C)  To provide necessary protected health information
 
22                about a deceased individual who is a donor of an
 

 
 
 


 1                anatomical gift;
 
 2      (3)  To a state department of insurance that is performing
 
 3           an examination, investigation, or audit of the insurer;
 
 4           or
 
 5      (4)  Pursuant to a court order issued after the court's
 
 6           determination that the public interest in disclosure
 
 7           outweighs the protected individual's privacy interest
 
 8           and that the protected health information is not
 
 9           reasonably available by other means.
 
 10      §431:10-H  Unauthorized collection, use, or disclosure of
 
11 protected health information.  An unauthorized collection, use,
 
12 or disclosure of protected health information by an insurer is
 
13 prohibited and subject to the penalties set forth in section
 
14 431:10-J.  An unauthorized collection, use, or disclosure
 
15 includes:
 
16      (1)  Unauthorized publication of protected health
 
17           information;
 
18      (2)  Unauthorized collection, use, or disclosure of
 
19           protected health information for personal or
 
20           professional gain;
 
21      (3)  Unauthorized sale of protected health information;
 
22      (4)  Unauthorized manipulation of coded or encrypted health
 

 
 
 


 1           information that reveals protected health information;
 
 2           and
 
 3      (5)  Use of deception, fraud, or threat to procure
 
 4           authorization to collect, use, or disclose protected
 
 5           health information.
 
  6      §431:10-I  Signatures and forms.  (a)  Any provision of this
 
 7 part or its corresponding rules that requires a written signature
 
 8 may be satisfied by:
 
 9      (1)  The use of electronic authentication, including
 
10           electronic signatures, digital signatures, biometric
 
11           signatures, or recorded oral authorizations; or
 
12      (2)  The use of any symbol or method of authentication that
 
13           becomes part of or logically associated with an
 
14           electronic record that indicates an intent to be bound.
 
15      (b)  Any provision of this part or its corresponding
 
 16 regulations that requires a form or document to be in writing may
 
17 be satisfied by the use of an electronic or computer-based
 
18 format.
 
 19      §431:10-J  Sanctions.  (a)  Civil penalties.
 
20      (1)  Whenever the department has reason to believe that a
 
21           person has committed gross negligence in violation of a
 
22           material provision of this part and that an action
 

 
 
 


 1           under this section is in the public interest, the
 
 2           department may bring an action to enjoin violations of
 
 3           this part.  An injunction issued under this section
 
 4           shall be issued without bond.
 
 5      (2)  In addition to the relief available pursuant to
 
 6           paragraph (1), the department may request and the court
 
 7           may order any other temporary or permanent relief as
 
 8           may be in the public interest, including any of the
 
 9           following, or any combination of the following:
 
10           (A)  A civil penalty of not more than $500 for each
 
11                violation, not to exceed $5,000 in the aggregate
 
12                for multiple violations;
 
13           (B)  A civil penalty of not more than $25,000 if the
 
14                court finds that violations of this part have
 
15                occurred with sufficient frequency to constitute a
 
16                general business practice as defined in section
 
17                431:1-216; and
 
18           (C)  Reasonable attorney fees, investigation, and court
 
19                costs.
 
20      (b)  In any claim made under this section relating to an
 
21 unauthorized disclosure in which an insurer is being sued under a
 
22 theory of vicarious liability for the actions or omissions of the
 

 
 
 


 1 insurer's employees, it shall be an affirmative defense that the
 
 2 insurer substantially complied with the requirements of section
 
 3 431:10-C.
 
 4      (c)  An individual may not maintain an action against an
 
 5 insurer that disclosed protected health information in good faith
 
 6 reliance on the individual's authorization, if that authorization
 
 7 meets the requirements of section 431:10-F and if the disclosure
 
 8 was made in compliance with the requirements of this part.
 
  9      §431:10-L  Rules.  The commissioner shall prescribe rules
 
10 subject to chapter 91 to carry out this part."
 
11      SECTION 3.  Chapter 323C, Hawaii Revised Statutes, is
 
12 amended by adding a new section to be appropriately designated
 
13 and to read as follows:
 
 14      "§323C-    Applicability to property and casualty insurers.
 
15 Issues provided in this chapter as they relate to property and
 
16 casualty insurers shall be administered by the insurance
 
17 commissioner as provided in chapter 431, article 10, part     ."
 
18      SECTION 4.  In codifying the new sections added by section 2
 
19 of this Act, the revisor of statutes shall substitute appropriate
 
20 section numbers for the letters used in designating the new
 
21 sections in this Act.
 
22      SECTION 5.  New statutory material is underscored.
 

 
 
 


 1      SECTION 6.  Section 431:10-L of section 2 of this Act shall
 
 2 take effect upon approval.  Section 1, all other provisions of
 
 3 section 2, and sections 3, 4, and 5  shall take effect upon its
 
 4 approval; provided that these provisions shall not become
 
 5 operative until:
 
 6      (1)  January 1, 2002; or
 
 7      (2)  One hundred eighty days after the effective date of
 
 8           rules authorized under section 431:10-L;
 
 9 whichever is later.
 
10 
 
11                           INTRODUCED BY:  _______________________