(a) Except as
provided in (b) of this section or in
3
AAC 26.695(a), a licensee may not
disclose nonpublic personal health information about a consumer unless
authorization that complies with
3
AAC 26.685 is obtained from the consumer whose
nonpublic personal health information the licensee seeks to disclose.
(b) A licensee may disclose a consumer's
nonpublic personal health information without obtaining authorization from the
consumer if the disclosure is
(1) required by
federal or state law or regulation or is otherwise allowed by law;
(2) in response to an order issued by a
governmental regulatory authority with jurisdiction over a licensee for
examination, investigation, compliance, or other purposes authorized by
law;
(3) compelled by a subpoena,
search warrant, or other order issued by a court or administrative agency of
competent jurisdiction;
(4) for
detection, investigation, or reporting of fraud, misrepresentation, or another
violation of law;
(5) for the
performance of the following insurance functions by or on behalf of the
licensee:
(A) claims
administration;
(B) claims
adjustment or management;
(C)
underwriting;
(D) policy placement
or issuance;
(E) loss
control;
(F) rate
development;
(G) guaranty fund
functions;
(H) reinsurance,
stop-loss insurance, or excess loss insurance;
(I) risk management;
(J) case management;
(K) disease management;
(L) quality assurance or
improvement;
(M) performance
evaluation;
(N) verification of
provider credentials;
(O)
utilization review;
(P) peer review
activities;
(Q) actuarial,
scientific, medical, or public policy research;
(R) grievance procedures;
(S) internal administration of compliance,
managerial, and information systems;
(T) policyholder service functions;
(U) auditing;
(V) reporting;
(W) database security;
(X) administration of consumer disputes and
inquiries;
(Y) external
accreditation standards;
(Z)
replacement of a group benefit plan or workers' compensation policy or
program;
(AA) activities in
connection with the sale, merger, transfer, or exchange of all or part of a
business or operating unit;
(6) required to enforce the licensee's rights
or the rights of other licensees engaged in carrying out an insurance
transaction or providing an insurance product or service that a consumer or
customer requests or authorizes; or
(7) allowed without requiring authorization
under 45 C.F.R. Parts
160 and
164.