Consumer Privacy Rights and Information Gathering by Insurance Companies and HMO's

Insurance companies and HMO’s often gather information about a consumer’s health, medical history, personal habits or finances. The companies need to see this kind of personal information when they decide whether to issue a policy or pay a claim. Consumers need to know that Connecticut law recognizes the private nature of this information.

The Connecticut Insurance Information and Privacy Protection Act limits disclosure of personal information to third parties, requires companies to give consumers notice of possible uses of personal information, and allows consumers to inspect and correct information about themselves that is held by insurers or HMO’s.

The law also provides that the Insurance Commissioner may impose monetary penalties for company violations, and allows consumers to obtain equitable relief and recover actual damages in cases where they are harmed by a prohibited disclosure of personal information.

Medical Information. Effective July 1, 2000, the Insurance Information and Privacy Protection Act has been expanded significantly as it applies to an individual’s medical records or information concerning their physical, mental or behavioral health condition, medical history or medical treatment.

Insurers, HMO’s and other companies in the insurance industry that regularly collect or use medical information must develop and implement written policies, standards and procedures to guard against unauthorized collection or use of this information. All companies must identify and train the employees who are authorized to handle medical record information and limit access to this information to these employees.

Companies must provide additional protection against unauthorized disclosure of sensitive health information including information regarding sexually transmitted diseases, mental health and substance abuse, HIV and Aids, and genetic testing. There must be periodic monitoring of employee compliance, and established disciplinary measures for violations of the procedures for handling, storing and disposing of medical information.

Other changes apply to medical record information that can be directly identified with a particular person. The sale of this information is prohibited. This information may also not be disclosed for marketing purposes unless the person to whom the information pertains has given prior written consent for disclosure.

Any person who is harmed by a sale of individually identifiable medical information or its unauthorized disclosure for marketing purposes may sue for equitable relief, double damages, costs and attorney fees. In addition, the Insurance Commissioner may impose monetary penalties in cases of prohibited sales or unauthorized disclosure of individually identifiable medical information.

Disclosure of individually identifiable medical record information with malicious intent to damage an individual’s reputation or character is prohibited. Persons violating this prohibition may be fined up to $500 or imprisoned for not more than three months or both for a first offense. Each subsequent offense may occasion a fine of up to $2000 or imprisonment for not more than a year or both.

In addition to these new protections, medical information given to insurers continues to be subject to the Privacy Act’s rules that give consumers the right to access and correct any personal information about themselves that may be on file with insurance companies or HMO’s.

Access to Recorded Personal Information. Companies must inform consumers of the nature and substance of personal information concerning themselves within 30 business days after receiving a written request for access from the consumer. The consumer, or a medical professional they designate, may obtain a copy of the recorded information. The company will also identify any persons to whom the information has been disclosed in the previous two years, and tell the consumer how to ask that the information be corrected, amended or deleted in any way.

Correcting Recorded Personal Information. A consumer may ask a company in writing at any time to correct, amend or delete recorded personal information about the consumer. Within 30 business days after receiving such a request, the company shall either 1) make the change the consumer has requested or 2) notify the consumer that it refuses to do so, stating its reasons for refusal and informing the consumer of their right to file a statement summarizing the reasons why a change should be made.

If the company does make a correction, amendment or deletion, it must give notice of this to any person designated by the consumer who received the recorded personal information being corrected within the last two years. If the company has refused to make the requested change, the company must provide the consumer’s statement disagreeing with this refusal to anyone reviewing the disputed personal information, and shall also provide copies of the statement to anyone the consumer names who has received the information within the last two years.

A consumer should contact their insurer or HMO directly to ask about personal information or to request a change in information that the company has on file about them.

Questions about this process, or complaints regarding company compliance with the Insurance Information and Privacy Protection Act, should be directed to the Consumer Affairs Unit of the Insurance Department. They can be reached by calling 1-800-203-3447. The mailing address is P0 Box 816, Hartford CT 06142-0816. E-mail may be addressed to