P.R. Laws tit. 26, § 9241
(a) A health insurance organization or issuer may, without authorization, engage in the activities related to the payment of services and treatment, and the coordination thereof, as well as healthcare operations, as these terms are defined under HIPPA, including, but not limited to the following activities with regard to protected health information:
(1) Collect protected health information from or disclose protected health information to a health insurance organization or issuer, or a healthcare provider provided that the health insurance organization or issuer that is receiving the information:
(A) Is investigating, evaluating, adjusting, or settling a claim involving the individual who is the subject of the protected health information, or
(B) has become or is considering becoming liable under a policy insuring the individual who is the subject of the protected health information as a result of a merger, acquisition or other assumption of such liability.
(2) Collect, use, or disclose protected health information to the extent necessary to investigate, evaluate, subrogate, or settle claims, provided that the claimant is the subject of the protected health information and such information is used for no other purpose;
(3)
(A) Collect, use, or disclose protected health information to or from an insurance support organization, provided that:
(i) The insurance support organization has in place health information policies, standards, and procedures to ensure compliance with the requirements of this chapter; and
(ii) the protected health information is used only to settle claims, detect and prevent fraud, or detect and prevent material misrepresentation or material nondisclosure, or
(iii) the protected health information is collected and used internally only for ratemaking and ratemaking-related functions or cost analysis.
(4) If the protected health information is necessary to provide ongoing healthcare treatment, and if the disclosure has not been limited or prohibited by the individual who is the subject of the information, the health insurance organization or issuer may collect from or disclose protected health information to:
(A) A healthcare provider, employed by the health insurance organization or issuer, who is furnishing healthcare to a covered person or enrollee.
(B) A healthcare provider with whom the health insurance organization or issuer contracts to provide healthcare services to covered person or enrollee; or
(5) Disclose protected health information to a person engaged in the assessment, evaluation, or investigation of the quality of healthcare furnished by a provider pursuant to federal or Commonwealth statutory or regulatory standards or pursuant to the requirements of a private or public program authorized to provide payment of healthcare.
(6) Subject to the limits of § 9244(a) of this title, disclose protected health information to reveal a covered person or enrollee’s presence in a facility owned by the health insurance organization or issuer and the covered person or enrollee’s general health condition, provided that the disclosure is limited to “directory information”, unless the covered person or enrollee has restricted that disclosure or the disclosure is otherwise prohibited by law. For purposes of this clause, “directory information” means information about the presence or general health condition of a particular covered person or enrollee who is a patient or is receiving emergency healthcare in a healthcare facility. “General health condition” means the covered person or enrollee’s health condition or status described as “critical”, “poor”, “fair”, “good”, “excellent”, or in terms that denote similar conditions.
(7) Collect, use, or disclose protected health information when such information is necessary to the performance of the health insurance organization or issuer’s obligations under any workers’ compensation law.
(8) Collect protected health information from or disclose protected health information to a reinsurer for the purpose of underwriting reinsurance, adjudicating claims, and conducting claim file audits.
(9) Collect protected health information from the individual who is the subject thereof.
(10) Collect, use, or disclose protected health information when the protected health information is obtained from public sources such as the press, public agency reports, and law enforcement or public safety reports.
(b) A health insurance organization or issuer shall disclose protected health information in any of the following circumstances:
(1) To federal, Commonwealth, or local governmental authorities to the extent disclosing the information is required by law or for fraud reporting purposes;
(2) the protected health information is needed for one of the following purposes:
(A) To identify a deceased individual;
(B) to determine the cause and manner of death by a medical examiner or the medical examiner’s designee, or
(C) to provide necessary protected health information about a deceased individual who is a donor of an anatomical gift;
(3) to an insurance regulating entity that is performing an examination, investigation, or audit of the health insurance organization or issuer, or
(4) pursuant to a court order issued after the court’s determination:
(A) that the public interest in disclosure outweighs the covered person or enrollee’s privacy interest, and
(B) that the protected health information is not reasonably available by other means.
History —Aug. 29, 2011, No. 194, added as § 14.110 on Aug. 23, 2012, No. 203, § 1, eff. 90 days after Aug. 23, 2012.