Cal. Ins. Code § 791.29

Current through the 2024 Legislative Session.
Section 791.29 - Steps by health insurer to protect confidentiality of insured's medical information

Notwithstanding any other law, and to the extent permitted by federal law, a health insurer shall take the following steps to protect the confidentiality of an insured's medical information:

(a)
(1) A health insurer shall not require a protected individual to obtain the policyholder's authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care.
(2) A health insurer shall recognize the right of a protected individual to exclusively exercise rights granted under this section regarding medical information related to sensitive services that the protected individual has received.
(3) A health insurer shall direct all communications regarding a protected individual's receipt of sensitive health care services directly to the protected individual receiving care as follows:
(A) If the protected individual has designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual's receipt of sensitive services to the alternative mailing address, email address, or telephone number designated.
(B) If the protected individual has not designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual's receipt of sensitive services in the name of the protected individual at the address or telephone number on file.
(C) Communications subject to this paragraph shall include the following written, verbal, or electronic communications:
(i) Bills and attempts to collect payment.
(ii) A notice of adverse benefits determinations.
(iii) An explanation of benefits notice.
(iv) A health insurer's request for additional information regarding a claim.
(v) A notice of a contested claim.
(vi) The name and address of a provider, description of services provided, and other information related to a visit.
(vii) Any written, oral, or electronic communication from a health insurer that contains protected health information.
(4) A health insurer shall not disclose medical information related to sensitive health care services provided to a protected individual to the policyholder or any insureds other than the protected individual receiving care, absent an express written authorization of the protected individual receiving care.
(b)
(1) A health insurer shall permit an insured to request, and shall accommodate requests for, confidential communication in the form and format requested by the insured, if it is readily producible in the requested form and format, or at alternative locations.
(2) A health insurer may require the insured to make a request for a confidential communication described in paragraph (1) in writing or by electronic transmission.
(3) The confidential communication request shall apply to all communications that disclose medical information or provider name and address related to receipt of medical services by the individual requesting the confidential communication.
(4) The confidential communication request shall be valid until the insured submits a revocation of the request, or a new confidential communication request is submitted.
(5) For the purposes of this section, a confidential communications request shall be implemented by the health insurer within 7 calendar days of the receipt of an electronic transmission, telephonic request, or request submitted through the health insurer's internet website, or within 14 calendar days of receipt by first-class mail. The health insurer shall acknowledge receipt of the confidential communications request and advise the insured of the status of implementation of the request if an insured contacts the insurer.
(c)
(1) A health insurer shall notify insureds that they may request a confidential communication pursuant to subdivision (b) and how to make the request.
(2) The information required to be provided pursuant to this subdivision shall be provided to insureds with individual or group coverage upon initial enrollment and annually thereafter upon renewal. The information shall also be provided in the following manner:
(A) In a conspicuously visible location in the evidence of coverage.
(B) On the health insurer's internet website, accessible through a hyperlink on the internet website's home page and in a manner that allows insureds, prospective insureds, and members of the public to easily locate the information.
(d) Notwithstanding subdivision (b), a provider of health care may make arrangements with the insured for the payment of benefit cost sharing and communicate that arrangement with the insurer.
(e) A health insurer shall not condition coverage on the waiver of rights provided in this section.
(f) If the commissioner determines that an insurer has violated this section, the commissioner may, after appropriate notice and opportunity for hearing in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code), by order, assess a civil penalty not to exceed five thousand dollars ($5,000) for each violation, or, if a violation was willful, a civil penalty not to exceed ten thousand dollars ($10,000) for each violation. The commissioner shall have the discretion to determine the acts or omissions that constitute a violation of this section.
(g) This section shall become operative on July 1, 2022.

Ca. Ins. Code § 791.29

Amended by Stats 2022 ch 628 (AB 2091),s 7, eff. 9/27/2022.
Added by Stats 2021 ch 190 (AB 1184),s 7, eff. 1/1/2022.