56-7-124 - Release of information relating to physical or mental health of patient.
56-7-124. Release of information relating to physical or mental health of patient.
(a) (1) It is unlawful for an insurer or carrier that provides accident or health insurance, a nonprofit hospital or medical service corporation, a health, hospital or medical service corporation, a health maintenance organization, including any that participates in TennCare or any successor program, a Multiple Employer Welfare Arrangement (MEWA), a preferred provider organization, a pharmacy benefit management organization, or other network providing health benefits, to market or sell information that directly identifies the patient who is the subject of the information and that relates to the physical or mental health of that patient or to the provision of health care to that patient, unless the patient has authorized the release in written, electronic or other form that indicates the patient's consent.
(2) (A) This section does not apply to:
(i) The release of such information to an agent, contractor or corporate affiliate of the entity holding the information to perform a permitted function or use of the information; or
(ii) The release of information for which the patient, enrollee or insured has executed a voluntary waiver or release.
(B) This section does not apply to release of information that does not readily identify the patient for bona fide research or audit purposes. Nothing in this section shall prohibit:
(i) The transfer of information as part of arrangements to assure the delivery of health care, health care payment, health care management, disease state management, health care oversight;
(ii) The transfer of responsibility for identifiable health information to a successor in interest; or
(iii) The release of medical information, medical services utilization data and any other necessary patient identifying information by an insurer or carrier that provides accident or health insurance, a nonprofit hospital or medical service corporation, a health, hospital or medical service corporation, a health maintenance organization, including any that participates in TennCare or any successor program, a MEWA, or a pharmacy benefit management organization to the TennCare Bureau or its contractors or other appropriate state agencies, appropriate providers of medical services, outreach workers, researchers, outside vendors or contractors, universities or any other appropriate third parties for the purpose of performing case management, drug utilization review (DUR), disease management, quality reviews, health management, or outcomes research that is designed to monitor utilization patterns, improve the quality of health care and health care delivery, assure compliance, control fraud, waste and abuse or contain costs. Any third party vendor or contractor, as well as any other entity that gains access to this information to perform the analysis and intervention activities described in this subdivision (a)(2)(B)(iii), will be bound to comply with all applicable state and federal laws and regulations regarding vigilant protection of the confidential information.
(3) A violation of this subsection (a) shall be punished as a Class C misdemeanor.
(b) In lieu of, or in addition to, any other remedy that may be available under this title, the commissioner may assess a civil penalty against any entity violating this section in an amount not to exceed one thousand dollars ($1,000) for each separate violation, or the amount realized by the entity, whichever is greater. The civil penalty shall only be levied by the department after a hearing, conducted pursuant to the Uniform Administrative Procedures Act, compiled in title 4, chapter 5. In any civil action brought to enforce this subsection (b), costs for the prevailing party, including the department, shall include reasonable expenses, including attorney fees.
(c) The commissioner is authorized to promulgate rules and regulations pursuant to the Uniform Administrative Procedures Act, compiled in title 4, chapter 5, to enforce this section.
(d) Nothing in this section shall be construed to prohibit an insurer, a hospital and medical service corporation, a health maintenance organization or an employer from sharing or using consumer information with its affiliates, subsidiaries, agents or joint venture partners, for activities consistent with this title, including, but not limited to, data processing, utilization review, underwriting claims and anti-fraud purposes. An insurer shall be permitted to share personal information such as name, address and other non-medical specific data with subsidiaries, agents, or joint venture partners.
[Acts 2000, ch. 769, § 1.]