211 CMR 36.06 - Carrier Confidentiality Requirements

(1) A carrier shall implement reasonable internal safeguards to protect the privacy of HIV-related information including any request that an individual submit to an HIV test, the carrier's basis for requesting such a test, any refusal or agreement to submit to a test, and any HIV test result. These internal confidentiality standards shall meet the following minimum requirements:

(a) the standards shall be in writing, and shall be available to the Division upon request;

(b) the carrier shall designate a specific person(s) to have responsibility for maintaining the confidentiality of HIV-related information;

(c) each employee, insurance producer or other person or entity authorized to act on behalf of the carrier who may have access to HIV-related information shall be informed in writing of the carrier's confidentiality standards to the extent reasonably necessary to protect the confidentiality of the HIV- related information;

(d) the standards shall specify that no person shall have access to HIV- related information except those persons designated in accordance with 211 CMR 36.00;

(e) the standards shall ensure that HIV-related information, whether stored in electronic or paper format, is protected by reasonable security safeguards; and

(f) the standards shall ensure that HIV-related information shall be accessible only to the minimum necessary number of those persons or entities designated to have access pursuant to 211 CMR 36.04(2)(a)4., 5. and (3)(c) and (d).

(2) Carriers shall be required to notify an individual of any disclosure of HIV-related information to any of the designated persons or entities other than the carrier, its employees, reinsurers, attorneys, and contractors solely on a need to know basis for use for underwriting, claims or another business purpose in connection with the insurance transaction, or any insurance support organization. This disclosure shall include the name and address of the person or entity receiving the information. Individuals should be informed of this policy pursuant to 211 CMR 36.04(3)(d).

(3) A carrier or insurance producer shall be required to notify an individual of any subpoena for the company's records relating to HIV-related information concerning that individual, which notice shall be given as soon as possible, and before responding to the subpoena with an opportunity for the individual to object to such disclosure.

(4) A carrier or insurance producer may be subject to sanctions by the Division in the event of any breach of confidentiality made by any person or entity acting on its behalf, including without limitation, any laboratory, contractor whose purpose is to provide underwriting or claims services in connection with the insurance transaction, insurance support organization, reinsurer or attorney.

Notes

211 CMR 36.06

Amended by Mass Register Issue 1268, eff. 8/29/2014.