33-19-202. Notice of insurance information practices -- delivery of notice.


     33-19-202. Notice of insurance information practices -- delivery of notice. A licensee shall provide a clear and conspicuous notice of information practices that accurately reflects its privacy policies and practices to individuals about whom personal information is collected and disclosed by the licensee in connection with insurance transactions as follows:
     (1) (a) Except as provided in subsection (2), in the case of a policyholder or certificate holder, a notice must be delivered by an insurance institution:
     (i) in the case of policies issued after July 1, 2001, no later than at the time of the delivery of the insurance policy or certificate, unless the notice delivered to the policyholder or certificate holder pursuant to subsection (5)(a) when the policyholder or certificate holder was an applicant is still accurate;
     (ii) at least annually, the 12-month period for which may be defined by the insurance institution and must be used consistently. The notice to certificate holders required in this subsection (1)(a)(ii) is not required if the insurance institution has not had any communication, including receiving a claim, from a certificate holder since the initial or last annual notice provided to the certificate holder.
     (iii) in the case of a policy renewed after July 1, 2001, no later than the policy renewal date, except that notice is not required in connection with a policy renewal if a notice meeting the requirements of this section has been given within the previous 12 months.
     (b) When a policyholder or certificate holder obtains a new insurance product or service or when a policy is reinstated and any notices already provided are no longer accurate with respect to the new product, service, or reinstatement, a new or revised and accurate notice must be delivered to the policyholder or certificate holder no later than the time that the product or service is provided by the licensee or at the time of reinstatement.
     (2) (a) An insurance institution is not required to meet the requirements of this section with respect to certificate holders until the insurance institution has personally identifiable information regarding the certificate holder.
     (b) Until the notice requirements of subsection (1) are met, a third-party administrator or other agent or representative of an insurance institution may not disclose personal information, except as allowed in 33-19-306(2).
     (3) The notice required in subsection (1) must be in writing and must state:
     (a) the categories of personal information that may be collected from persons other than the individual or individuals covered;
     (b) if a licensee discloses personal or privileged information to a third party without an authorization pursuant to an exception in 33-19-306 or 33-19-307, a separate description of the categories of information and the categories of third parties to whom the licensee discloses personal information;
     (c) the categories of personal information about a former policyholder or certificate holder that the licensee discloses pursuant to 33-19-306 and 33-19-307 and the categories of persons to whom the disclosure may be made;
     (d) any disclosure that the licensee makes pursuant to section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C. 1681, et seq.; and
     (e) the licensee's policies and practices with respect to protecting the confidentiality and security of personal and privileged information.
     (4) The following information must be contained in the initial notice delivered at the time of application and in any subsequent annual notice if the policy renews periodically:
     (a) a description of the rights established under 33-19-301 and 33-19-302 and the manner in which those rights may be exercised;
     (b) that information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons if the licensee collects or uses information from or discloses personal information to an insurance-support organization; and
     (c) that an individual is entitled to receive, upon written request to the licensee, a record of any subsequent disclosures of medical record information, as described in 33-19-301, made by the licensee pursuant to 33-19-306 and 33-19-307.
     (5) In the case of individuals who are not policyholders or certificate holders:
     (a) except as provided in subsection (8), in the case of an applicant, an insurance institution shall provide a notice as described in subsection (3) when the applicant submits an application;
     (b) for all other individuals, a notice must be given when a licensee seeks an authorization pursuant to 33-19-306(2) to make a disclosure that is not allowed by a disclosure exception provided for in 33-19-306(3) through (24) or 33-19-307. A notice given pursuant to this subsection (5)(b) may be in an abbreviated form and must state that:
     (i) personal information may be collected from persons other than the individual or individuals proposed for coverage;
     (ii) the information as well as other personal or privileged information subsequently collected by the insurance institution or insurance producer may in certain circumstances be disclosed to third parties without authorization;
     (iii) a right of access and correction exists with respect to all personal information collected; and
     (iv) the notice prescribed in subsection (3) must be furnished upon request. The abbreviated notice provided for in this subsection (5)(b) must explain a reasonable means by which an individual may obtain that notice.
     (6) The obligations imposed by this section upon a licensee may be satisfied:
     (a) by another licensee authorized to act on its behalf;
     (b) by sending a notice to the primary policyholder of an individual policy or to the primary certificate holder.
     (7) A licensee shall provide a notice required by this section so that an intended recipient can reasonably be expected to receive actual notice in writing or, if the intended recipient agrees, electronically, as follows:
     (a) by hand-delivering a printed copy of the notice to the intended recipient;
     (b) by mailing a printed copy of the notice to the last-known address of the individual separately or in a policy, billing, or other written communication; or
     (c) for an individual who has agreed to conduct transactions electronically, as provided in applicable law, by posting the notice on the electronic site and requiring the individual to acknowledge receipt of the notice as a necessary step to obtaining a particular insurance product or service.
     (8) An insurance institution may provide the notice required in subsection (5)(a) telephonically if an application is submitted by telephone. A telephone notice under this subsection may be in abbreviated form as provided for in subsections (5)(b)(i) through (5)(b)(iv).
     (9) A licensee may satisfy the notice requirements in this section through the use of combined or separate notices. If more than one notice form is used, the licensee shall refer the individual to state specific notice forms that may be used. Any national notice form must give individuals clear and conspicuous notice that when state law is more protective of individuals than federal privacy law, the licensee will protect information in accordance with state law.

     History: En. Sec. 6, Ch. 580, L. 1981; amd. Sec. 1, Ch. 713, L. 1989; amd. Sec. 2, Ch. 212, L. 1999; amd. Sec. 5, Ch. 341, L. 2001; amd. Sec. 3, Ch. 385, L. 2003.