Session of 1998
                   
SENATE BILL No. 463
         
By Committee on Financial Institutions and Insurance
         
1-20
AN ACT concerning insurance companies; regarding the privacy of medical records; health information privacy act.

Be it enacted by the Legislature of the State of Kansas:

Section 1. This act shall be known and may be cited as the health information privacy act.

Sec. 2. As used in this act:
(a) "Carrier" or "insurance carrier" means any corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyds insurer, fraternal benefit society or other person engaged in the business of insurance or subject to the insurance laws and regulations of this state or subject to the jurisdiction of the commissioner including accident and sickness insurance companies, health maintenance organizations, nonprofit medical and hospital service corporations or any other entity providing a plan of health insurance, health benefits or health services.
(b) "Commissioner" means the commissioner of insurance of this state.
(c) "Covered person" means a policyholder, subscriber, enrollee, beneficiary, certificate holder or other person covered by a policy, contract or agreement of insurance issued by a carrier.
(d) "Disclose" means to release, transfer, provide access to, or otherwise divulge protected health information to any person other than to an individual who is a covered person who is the subject of the information. The term includes any subsequent release of protected health information by a person to whom the protected health information was initially disclosed.
(e) "Facility" means an institution providing health care services or a health care setting including, but not limited to, hospitals and other licensed inpatient centers, ambulatory surgical or treatment centers, skilled nursing centers, residential treatment centers, diagnostic, laboratory and imaging centers, rehabilitation and other therapeutic health settings.
(f) "Health care" means:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures or counseling, including appropriate assistance with disease or symptom management and maintenance, that:
(A) Affects the physical or mental condition of an individual, including individual cells or their components;
(B) affects the structure or function of the human body or any part of the human body; or
(2) prescribing, dispensing or furnishing to an individual, drugs or biologicals, or medical devices or health care equipment and supplies.
(h) "Health care provider" or "provider" means a health care professional or facility.
(j) "Health information" means, with respect to the individual who is the subject of the information, any information or data, whether oral or recorded in any form or medium, and personal facts or information about events or relationships disclosed by the individual, a member of the individual's family, or an authorized representative of such individual, that relates to:
(1) Past, present or future physical or mental health or condition of an individual, including individual cells and their components and genetic information and the results of genetic tests;
(2) the provision of health care to an individual; or
(3) the payment for the provision of health care to an individual.
(k) "Person" means an individual, corporation, partnership, association, joint venture, joint stock company, trust, unincorporated organization or any similar entity or combination of the foregoing.
(l) "Protected health information" means health information that:
(1) Identifies an individual; or
(2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
(m) "Unauthorized" means a use or disclosure of protected health information made by a carrier without the authorization of the subject of that information or that is not in compliance with this act.

Sec. 3. (a) A carrier shall develop and implement policies, standards and procedures to protect the confidentiality, security, accuracy and integrity of health information. These procedures shall include:
(1) Nondisclosure and confidentiality policies and agreements that set forth guidelines for access to and use of health information maintained by the carrier;
(2) periodic training for all employees who have access to health information requirements of this act;
(3) disciplinary measures for violations of the confidentiality procedures;
(4) identification by job title and job description of those positions within the organization whose occupants have authorization to disclose protected health information; and
(5) methods for handling, disclosing, storing and disposing of health information, including procedures for appropriate responses to court ordered legal process from a governmental entity or legal process issued by an attorney.
(b) The carrier shall:
(1) Include a provision requiring compliance with the carrier's confidentiality procedures and all of the provisions of this act that address the confidentiality of health information in all its contractual arrangements with persons, who acting on behalf of or at the direction of the carrier, may collect, use or disclose protected health information;
(2) conduct random audits periodically of all persons under contract with the carrier to act on behalf of or at the direction of the carrier in a manner sufficient for the carrier to determine compliance with this act and to enforce its own policies and procedures; and
(3) monitor internal operations on an ongoing basis to determine and enforce employee compliance with the carrier's policies and procedures.

Sec. 4. (a) A carrier shall file its confidentiality notice, policies and procedures with the commissioner and provide upon request to a covered person, in writing and in a clear and conspicuous manner, notice of the carrier's confidentiality practices. The notice shall include:
(1) A description of a covered person's rights with respect to protected health information;
(2) the uses and disclosures of protected health information authorized under this act;
(3) the procedures for authorizing disclosures of protected health information and for revoking authorizations;
(4) the procedures established by the carrier for the exercise of a covered person's rights; and
(5) the right of a covered person to obtain a copy of the carrier's confidentiality policies and procedures.

Sec. 5. (a) A carrier shall, no later than 20 working days after receipt of a written request from a covered person to examine or receive a copy of the requester's health information maintained by the carrier:
(1) Provide a copy of the information requested to the covered person or permit the covered person to examine the information during regular business hours;
(2) notify the covered person that the carrier does not have the information and, if known, inform the covered person of the name and address of the person who has the information requested or, if the carrier will be obtaining access to the requested information, when the information will be available to the covered person; or
(3) deny the request in whole or in part if the carrier determines any of the following:
(A) Knowledge of the information would reasonably be expected to identify a confidential source who provided the information in conjunction with a lawfully conducted investigation, law enforcement investigation or court proceeding; or
(B) the information was created solely for litigation, law enforcement investigation, quality assurance or peer review purposes.
(b) If a request to examine or copy health information is denied in whole or in part under this section, the carrier shall notify the covered person of the decision in writing.
(c) If a carrier does not maintain the information in the form requested by the individual, the carrier is not required to create a new record or reformulate an existing record in order to meet the request.
(d) The carrier may charge a reasonable fee for providing the health care information requested and shall provide a detailed bill accounting for the charges. No charge shall be made for reproduction of health care information requested for the purpose of supporting a claim, supporting an appeal or accessing any federal or state sponsored or operated health benefits program.

Sec. 6. (a) A covered person may request in writing that a carrier amend the covered person's health information to correct any inaccuracies as long as the amendment does not delete, erase or obliterate any of the original information.
(b) Within 30 working days after receipt of a written request from a covered person to amend health information, a carrier shall do one of the following:
(1) Amend the information as requested, amend any errors documented or act to verify the accuracy of information identified as erroneous by the covered person; or
(2) notify the covered person that the request has been denied, the reason for the denial, and that the covered person may file a concise statement of what the covered person believes to be the correct information and the reasons why the covered person disagrees with the denial. The carrier shall retain this statement filed by the covered person in the health information.
(c) If the carrier amends the information as requested pursuant to subsection (b)(1), the carrier shall furnish the amendment to:
(1) A person specifically designated by the covered person who may have, within the preceding two years, received the recorded personal information;
(2) an organization whose primary source of personal information is insurance carriers, as long as the organization has systematically received recorded personal information from the insurance carrier within the preceding seven years; the amendment need not be furnished if the organization no longer maintains health information about the covered person; and
(3) any organization that furnished the health information that was amended pursuant to subsection (b)(1).
(d) If the covered person files a statement pursuant to subsection (b)(1), the insurance carrier shall:
(1) Clearly identify the matter or matters in dispute and include the statement in any subsequent disclosure of the health information; and
(2) furnish the statement to the persons described in subsection (c).

Sec. 7. (a) Protected health information shall not be collected, used or disclosed by a carrier except as permitted under this act, or as otherwise permitted or required by statute or court order.
(b) A carrier shall limit the collection, use or disclosure of protected health information to the minimum amount necessary to accomplish a lawful purpose related to the business of insurance and shall restrict access to such information to only those persons needing the information to perform a lawful function. Except as provided in section 8, a carrier may not collect, use or disclose protected health information for marketing purposes.
(c) A carrier shall create a record of all disclosures made to any person who is not an employee of the carrier. The record shall include the following:
(1) The name, address and institutional affiliation, if any, of the person to whom the information is disclosed;
(2) the date and purpose of the disclosure;
(3) a description of the information disclosed; and
(4) the authorization or release from allowing the receipt or disclosure of the information.
(d) A person to whom protected health information is disclosed shall not use the information for any purpose other than the lawful purpose for which it was disclosed.
(e) The provisions of this act do not affect other laws that restrict to a greater extent the collection, use or disclosures of specific types of health information to a person other than the covered person to whom the information relates. No provision of this act shall affect any other state or federal laws that expressly permit or require the collection, use or disclosure of health information.

Sec. 8. (a) A carrier shall not collect, use or disclose protected health information without a valid authorization by the covered person or claimant who is the subject of the information, except as permitted by section 9 or as permitted or required by law or court order. A covered person or claimant may provide specific authorization for the collection, use or disclosure of that covered person's or claimant's protected health information for any purpose, provided that the authorization meets the requirements of this section.
(b) A carrier shall retain a covered person's or claimant's authorization in the covered person's or claimant's record.
(c) An authorization shall be valid if it is in writing or in electronic form and contains all of the following:
(1) The identity of the individual who is the subject of the information;
(2) a description of the protected health information to be collected, used or disclosed;
(3) the name and address of the person from whom the information is to be disclosed, except that an authorization provided to a carrier to support payment of a claim or benefit may generally describe the sources from which information will be collected or to whom information will be disclosed for claim settlement or health benefit purposes and is not required to include the names and address of employees of the insurance carrier;
(4) the purpose of the authorization, including the intended use of the information, and the scope of any disclosures that may be made in carrying out the purpose for which the authorization is requested, provided those disclosures are not otherwise prohibited by law. If the purpose of the disclosure is for the marketing of services or goods, or for other commercial gain, the request for authorization for disclosure shall be made separately from any other request for authorization and shall be limited to that purpose only. The purpose of the disclosure shall appear as a separate paragraph in bold type no smaller than twelve point. The purpose shall be stated in clear and simple terms;
(5) the signature of the covered person or claimant and the date signed, or if in electronic form, a unique identifier of the covered person or claimant and the date on which the covered person or claimant authenticated the electronic authorization; and
(6) a statement that the covered person or claimant may revoke the authorization at any time, subject to the rights of any person who acted in reliance on the authorization prior to revocation.
(d) An authorization shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than 12 months, except an authorization signed for one of the following purposes:
(1) To support payment of benefits under an insurance policy, in which event the authorization shall remain valid during the entire term of the policy;
(2) to support claims for benefits or compensation, in which event the authorization shall remain valid during the pendency of the claim;
(3) to support an application for an insurance policy, a reinstatement of a policy, or a change in benefits under an existing policy, in which event the authorization shall expire in 24 months or whenever the application is denied, whichever occurs first; or
(4) to support or facilitate ongoing management of a chronic condition or illness or rehabilitation from injury.
(e) A covered person or claimant may revoke an authorization at any time, subject to the rights of any person who acted in reliance on the authorization prior to revocation. A revocation of an authorization shall be valid if it is in writing or electronic form and is dated and authenticated as required in subsection (c)(5). A revocation of an authorization shall be retained by the carrier in the covered person's or claimant's record.
(f) A carrier that has collected protected health information pursuant to a valid authorization in accordance with this act, may use and disclose the information to employees and any person acting on behalf or at the direction of the carrier for the performance of insurance functions such as claims adjustment and management, underwriting, loss control or reinsurance. The information shall not be used or disclosed for any purpose other than in the performance of the carrier's insurance function.
(g) An authorization to disclose protected health information pursuant to this act or a production of protected health information pursuant to a court order shall not be construed to constitute a covered person's or claimant's waiver of any other privacy right provided by other federal or state laws or common law or rules of evidence.

Sec. 9. (a) General rules:
(1) A carrier may disclose or use protected health information without the authorization of the covered person or claimant in the following circumstances or as otherwise permitted by law:
(A) To conduct a scientific research project if such project:
(i) Contains adequate safeguards to assure that information in a report of the research project does not identify, directly or indirectly through reference to publicly available information, the individual subject of the information; and
(ii) does not require direct contact with the covered person or claimant who is the subject of the information unless that covered person or claimant has been notified by the carrier that contact is possible and the covered person or claimant has authorized the contact;
(B) between insurance carriers, provided that the carriers are adjusting or settling related claims, and that both are using protected health information to investigate, evaluate and settle claims pursuant to a valid authorization or court order; or
(C) to the extent necessary to investigate, evaluate, settle or obtain reinsurance for third party claims, if the claimant is the subject of the protected health information and the information is used for no other purpose without personal authorization or statutory permission.
(2) A carrier shall disclose protected health information in any of the following circumstances:
(A) The disclosure is to the federal, state or local governmental authorities to the extent that the carrier disclosing the information is required by law to report protected health information;
(B) the disclosure is to federal, state or local governmental authorities for use only in the lawful investigation or prosecution of insurance fraud, a violation of laws relating to the provision of health or the payment for health care or a violation of this act. Information disclosed by a carrier pursuant to this paragraph may not be used in any administrative, civil or criminal action or investigation directed against the individual who is the subject of the information unless the action or investigation involves the subject of the information and arises from the provision of health care or payment for health care and related benefits;
(C) the disclosure is based on a reasonable belief that the information is needed for one of the following purposes:
(i) To identify a deceased individual;
(ii) to determine the cause and manner of death by a chief medical examiner or the medical examiner's designee; or
(iii) to provide necessary protected health information about a deceased person individual who is a donor of an anatomical gift;
(D) the disclosure is to state or federal governmental authorities for the purpose of performing a federal audit, quality assurance review or utilization review;
(E) the disclosure is pursuant to a court order issued after the court's determination that the public interest outweighs the individual's confidentiality rights provided by other federal or state laws or rules of evidence of the common law.
(b) Rules relating to health insurance carriers:
(1) A health carrier may disclose protected health information without the authorization of the covered person in the following circumstances or as otherwise permitted by law:
(A) To a health care provider employed by the carrier who is furnishing health care to the covered person or to a referring health care provider who continues to furnish health care to the covered person if the information is necessary to provide appropriate, ongoing health care treatment, and if the disclosure has not been limited or prohibited by the covered person;
(B) to a person acting on behalf of or at the direction of the carrier to perform insurance functions, such as risk management, quality assurance, utilization review and peer review activities, and activities that support the processing and payment of health insurance claims;
(C) to reveal a covered person's presence in a facility owned by the carrier and the covered person's general health condition, provided that the disclosure is limited to directory information, unless the covered person has restricted that disclosure or the disclosure is otherwise prohibited by law. For the purposes of this paragraph, directory information means information about the presence or general health condition of a particular covered person who is in an inpatient facility or is receiving emergency health care in a health care facility. General health conditions means the covered person's general health condition or status described as "critical," "poor," "fair," "good," "excellent," or in terms that denote similar conditions; and
(D) to a person engaged in peer review, utilization review or the assessment, evaluation or investigation of the quality of health care furnished by providers pursuant to statutory or regulatory standards or the requirements of a private or public program authorized to provide for the payment of health care.
(c) A workers compensation carrier may collect or disclose protected health information without the authorization of the individual who is the subject of the information where the information to be collected or disclosed is necessary or incidental to the performance of the workers compensation carrier's obligations under any workers compensation or related law or contract.
(d) A reinsurance carrier may disclose protected health information without the authorization of the covered person or claimant in the following circumstances or as otherwise permitted by law:
(1) To a reinsurer for the purpose of underwriting; or
(2) to a reinsurer for the purpose of conducting claim file audits.

Sec. 10. A carrier shall make a good faith effort to notify the covered person or claimant who is the subject of protected health information prior to disclosure pursuant to legal process, including a court order, subpoena, subpoena duces tecum or a discovery request unless otherwise ordered by the court. A carrier or the covered person or claimant who is the subject of protected health information or both, may object to disclosure under this section by filing an objection or a request for a protective order, in the appropriate forum.

Sec. 11. An unauthorized collection, use or disclosure of protected health information by a carrier is prohibited and subject to the penalties set forth in K.S.A. 1997 Supp. 40-2,125 and amendments thereto. An unauthorized collection, use or disclosure includes, but is not limited to:
(a) Unauthorized publication of protected health information;
(b) unauthorized collection, use or disclosure of protected health information for personal or professional gain, including unauthorized health research;
(c) unauthorized sale of protected health information;
(d) unauthorized manipulation of coded or encrypted health information that reveals protected health information;
(e) use of deception, fraud or threat to procure authorization to collect, use or disclose protected health information; and
(f) negligent or intentional failure to comply with requirement of this act.

Sec. 12. Notwithstanding section 8 (c)(5), a minor who may lawfully consent to health care without the consent of a parent or legal guardian may exclusively exercise rights granted under this act regarding information pertaining to the health care to which the minor has lawfully consented.

Sec. 13. (a) An executor or administrator of a deceased individual may exercise all the rights of the deceased individual provided by this act, subject to any written limitations or restrictions by the decedent that are included in the health information.
(b) If there is no executor or administrator, the rights of a deceased individual may be exercised by the following persons, in the following order of priority:
(1) The surviving spouse; or
(2) any other person authorized by law to act for the deceased individual.

Sec. 14. The commissioner may adopt rules and regulations to carry out the provisions of this act.

Sec. 15. This act shall take effect and be in force from and after January 1, 1999, and its publication in the statute book.