Chapter 87 Oregon Laws 2003
AN ACT
HB 2306
Relating to personal information; creating new provisions; amending ORS 735.650, 743.801, 743.804, 743.811, 743.827, 746.600, 746.605, 746.610, 746.615, 746.620, 746.625, 746.630, 746.640, 746.650, 746.665, 746.668, 746.670, 746.680, 750.055 and 750.333; repealing ORS 743.809 and section 27a, chapter 377, Oregon Laws 2001; and declaring an emergency.
Be It Enacted by the People of the State of
Oregon:
SECTION 1. Sections 2, 3, 4, 5 and 18a of this 2003 Act are added to and made a part of ORS 746.600 to 746.690.
SECTION
2. Sections 3 and 4 of this 2003
Act establish standards for health insurers that are subject to the information
privacy provisions of both the federal Health Insurance Portability and Accountability
Act of 1996 (P.L. 104-191) and the federal Gramm-Leach-Bliley Act (P.L.
106-102). These standards address:
(1)
Use and disclosure of personal information;
(2)
Access of individuals to personal information;
(3)
Notice of privacy practices for personal information;
(4)
Amendment of personal information; and
(5) Accounting of disclosures of personal information.
SECTION
3. A health insurer:
(1)
May use or disclose personal information of an individual in a manner that is
consistent with an authorization provided by the individual or a personal
representative of the individual.
(2)
May use or disclose protected health information of an individual without
obtaining an authorization from the individual or a personal representative of
the individual:
(a)
For its own treatment, payment or health care operations; or
(b)
As otherwise permitted or required by state or federal law or by order of the
court.
(3)
May disclose, subject to any requirements established by rule under section 4
of this 2003 Act and consistent with federal law, protected health information
of an individual without obtaining an authorization from the individual or a
personal representative of the individual:
(a)
To another covered entity for health care operations activities of the entity
that receives the information if:
(A)
Each entity has or had a relationship with the individual who is the subject of
the protected health information; and
(B)
The protected health information pertains to the relationship and the
disclosure is for the purpose of:
(i)
Health care operations listed in ORS 746.600 (13)(a) or (b); or
(ii)
Health care fraud and abuse detection or compliance;
(b)
To another covered entity or any other health care provider for treatment
activities of a health care provider; or
(c)
To another covered entity or any other health care provider for the payment
activities of the entity that receives the information.
(4)
May use or disclose personal financial information of an individual:
(a)
To perform a business, professional or insurance function, subject to any
requirements established by rule under section 4 of this 2003 Act for an
authorization by an individual or a personal representative of an individual;
or
(b)
Without obtaining an authorization by the individual or the personal
representative of the individual as otherwise permitted or required by state or
federal law or by order of the court.
(5)
May charge a reasonable, cost-based fee, provided that the fee includes only
the cost of:
(a)
Copying personal information requested by an individual or a personal
representative of the individual, including the cost of supplies for and labor
of copying;
(b)
Postage, when an individual or a personal representative of the individual has
requested that copies of personal information or an explanation or summary of
protected health information be mailed; or
(c)
Preparing an explanation or summary of personal information if requested by an
individual or a personal representative of the individual.
(6)
Shall provide adequate notice of the uses and disclosures of personal
information that may be made by the health insurer and of the individual’s
rights and the health insurer’s legal duties with respect to personal
information.
(7)
Shall permit an individual or a personal representative of an individual to
request:
(a)
Access to inspect or obtain a copy of the individual’s personal financial
information or protected health information that is maintained in a designated
record set about the individual; or
(b) That the health insurer correct, amend or delete personal information.
SECTION
4. (1) The Director of the
Department of Consumer and Business Services shall adopt rules implementing
section 3 of this 2003 Act. In adopting rules under this section, the director
shall consider the information privacy provisions of the federal Health Insurance
Portability and Accountability Act of 1996 (P.L. 104-191) and the federal
Gramm-Leach-Bliley Act (P.L. 106-102).
(2)
The rules adopted under subsection (1) of this section shall include but are
not limited to:
(a)
Permitted uses and disclosures of:
(A)
Personal financial information for business, professional or insurance
purposes; and
(B)
Protected health information for treatment, payment and health care operations.
(b) Requirements for notice of privacy practices for protected health information and notice of information practices for personal financial information.
SECTION 5. ORS 746.620, 746.630, 746.640, 746.645 and 746.665 do not apply to health insurers.
SECTION 6. ORS 746.600 is amended to read:
746.600. As used in ORS 746.600 to 746.690 [and 750.055]:
(1)(a) “Adverse underwriting decision” means[, except as provided in subsection (2) of this section,] any of the following actions with respect to insurance transactions involving insurance coverage [which] that is individually underwritten:
[(a)] (A) A declination of insurance coverage.
[(b)] (B) A termination of insurance coverage.
[(c)] (C) Failure of an agent to apply for insurance coverage with a specific insurer [which] that the agent represents and [which] that is requested by an applicant.
[(d)] (D) In the case of life or health insurance coverage, an offer to insure at higher than standard rates.
[(e)] (E) In the case of other kinds of insurance coverage:
[(A)] (i) Placement by an insurer or agent of a risk with a residual market mechanism, an unauthorized insurer or an insurer which specializes in substandard risks.
[(B)] (ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.
[(2)] (b) “Adverse underwriting decision” does not [include] mean any of the following actions, but the insurer or agent responsible for the occurrence of the action [shall] must nevertheless provide the applicant or policyholder with the specific reason or reasons for the occurrence:
[(a)] (A) The termination of an individual policy form on a class or statewide basis.
[(b)] (B) A declination of insurance coverage solely because the coverage is not available on a class or statewide basis.
[(c)] (C) The rescission of a policy.
[(3)] (2) “Affiliate of” a specified person or “person affiliated with” a specified person means a person who directly, or indirectly, through one or more intermediaries, controls, or is controlled by, or is under common control with, the person specified.
[(4)] (3) “Agent” means a person licensed by the Director of the Department of Consumer and Business Services as a resident or nonresident insurance agent.
[(5)] (4) “Applicant” means a person who seeks to contract for insurance coverage, other than a person seeking group insurance coverage [which] that is not individually underwritten.
(5) “Consumer” means an individual, or the personal representative of the individual, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has personal information.
(6) “Consumer report” means any written, oral or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living [which] that is used or expected to be used in connection with an insurance transaction.
(7) “Consumer reporting agency” means a person [who] that:
(a) Regularly engages, in whole or in part, in assembling or preparing consumer reports for a monetary fee;
(b) Obtains information primarily from sources other than insurers; and
(c) Furnishes consumer reports to other persons.
(8) “Control” means, and the terms “controlled by” or “under common control with” refer to, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power of the person is the result of a corporate office held in, or an official position held with, the controlled person.
(9)
“Covered entity” means:
(a)
A health insurer;
(b)
A health care provider that transmits any health information in electronic form
to carry out financial or administrative activities in connection with a
transaction covered by section 3 of this 2003 Act or by rules adopted under
section 4 of this 2003 Act; or
(c)
A health care clearinghouse.
(10) “Customer” means a consumer that has a continuing relationship with a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.
[(9)] (11) “Declination of insurance coverage” means a denial, in whole or in part, by an insurer or agent of requested insurance coverage.
(12)
“Health care” means care, services or supplies related to the health of an
individual.
(13)
“Health care operations” includes but is not limited to:
(a)
Quality assessment, accreditation, auditing and improvement activities;
(b)
Case management and care coordination;
(c)
Reviewing the competence, qualifications or performance of health care
providers or health insurers;
(d)
Underwriting activities;
(e)
Arranging for legal services;
(f)
Business planning;
(g)
Customer services;
(h)
Resolving internal grievances;
(i)
Creating de-identified information; and
(j)
Fundraising.
(14)
“Health care provider” includes but is not limited to:
(a)
A psychologist, occupational therapist, clinical social worker, professional
counselor or marriage and family therapist licensed under ORS chapter 675 or an
employee of the psychologist, occupational therapist, clinical social worker,
professional counselor or marriage and family therapist;
(b)
A physician, podiatric physician and surgeon, physician assistant or
acupuncturist licensed under ORS chapter 677 or an employee of the physician,
podiatric physician and surgeon, physician assistant or acupuncturist;
(c)
A nurse or nursing home administrator licensed under ORS chapter 678 or an
employee of the nurse or nursing home administrator;
(d)
A dentist licensed under ORS chapter 679 or an employee of the dentist;
(e)
A dental hygienist or denturist licensed under ORS chapter 680 or an employee
of the dental hygienist or denturist;
(f)
A speech-language pathologist or audiologist licensed under ORS chapter 681 or
an employee of the speech-language pathologist or audiologist;
(g)
An emergency medical technician certified under ORS chapter 682;
(h)
An optometrist licensed under ORS chapter 683 or an employee of the
optometrist;
(i)
A chiropractic physician licensed under ORS chapter 684 or an employee of the
chiropractic physician;
(j)
A naturopathic physician licensed under ORS chapter 685 or an employee of the
naturopathic physician;
(k)
A massage therapist licensed under ORS 687.011 to 687.250 or an employee of the
massage therapist;
(L)
A direct entry midwife licensed under ORS 687.405 to 687.495 or an employee of
the direct entry midwife;
(m)
A physical therapist licensed under ORS 688.010 to 688.220 or an employee of
the physical therapist;
(n)
A radiologic technologist licensed under ORS 688.405 to 688.605 or an employee
of the radiologic technologist;
(o)
A respiratory care practitioner licensed under ORS 688.800 to 688.840 or an
employee of the respiratory care practitioner;
(p)
A pharmacist licensed under ORS chapter 689 or an employee of the pharmacist;
(q)
A dietitian licensed under ORS 691.405 to 691.585 or an employee of the
dietitian;
(r)
A funeral service practitioner licensed under ORS chapter 692 or an employee of
the funeral service practitioner;
(s)
A health care facility as defined in ORS 442.015;
(t)
A home health agency as defined in ORS 443.005;
(u)
A hospice program as defined in ORS 443.850;
(v)
A clinical laboratory as defined in ORS 438.010;
(w)
A pharmacy as defined in ORS 689.005;
(x)
A diabetes self-management program as defined in ORS 743.694; and
(y)
Any other person or entity that furnishes, bills for or is paid for health care
in the normal course of business.
(15)
“Health information” means any oral or written information in any form or
medium that:
(a)
Is created or received by a covered entity, a public health authority, a life
insurer, a school, a university or a health care provider that is not a covered
entity; and
(b)
Relates to:
(A)
The past, present or future physical or mental health or condition of an
individual;
(B)
The provision of health care to an individual; or
(C)
The past, present or future payment for the provision of health care to an
individual.
(16)
“Health insurer” means:
(a)
An insurer who offers:
(A)
A health benefit plan as defined in ORS 743.730;
(B)
A short term health insurance policy, the duration of which does not exceed six
months including renewals;
(C)
A student health insurance policy;
(D)
A medicare supplemental policy; or
(E)
A dental only policy.
(b) The Oregon Medical Insurance Pool operated by the Oregon Medical Insurance Pool Board under ORS 735.600 to 735.650.
[(10)] (17) “Individual” means[:]
[(a) Means, for purposes of ORS 746.600 to 746.690 and 750.055, except as provided in paragraph (b) of this subsection,] a natural person who:
[(A)] (a) In the case of life or health insurance, is a past, present or proposed principal insured or certificate holder;
[(B)] (b) In the case of other kinds of insurance, is a past, present or proposed named insured or certificate holder;
[(C)] (c) Is a past, present or proposed policyowner;
[(D)] (d) Is a past or present applicant;
[(E)] (e) Is a past or present claimant; or
[(F)] (f) Derived, derives or is proposed to derive insurance coverage under an insurance policy or certificate [which] that is subject to ORS 746.600 to 746.690 [and 750.055].
[(b) Comprises, for purposes of ORS 746.620, 746.630 and 746.665, and for purposes of terms defined in this section as those terms are used in ORS 746.620, 746.630 and 746.665, The following categories of natural persons:]
[(A) “Consumer,” which means an individual, or the individual’s representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has personal information.]
[(B) “Customer,” which means a consumer who has a continuing relationship with a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes.]
(18)
“Individually identifiable health information” means any oral or written health
information that is:
(a)
Created or received by a covered entity or a health care provider that is not a
covered entity; and
(b)
Identifiable to an individual, including demographic information that
identifies the individual, or for which there is a reasonable basis to believe
the information can be used to identify an individual, and that relates to:
(A)
The past, present or future physical or mental health or condition of an
individual;
(B)
The provision of health care to an individual; or
(C) The past, present or future payment for the provision of health care to an individual.
[(11)] (19) “Institutional source” means a person or governmental entity [which] that provides information about an individual to an insurer, agent or insurance-support organization, other than:
(a) An agent;
(b) The individual who is the subject of the information; or
(c) A natural person acting in a personal capacity rather than in a business or professional capacity.
[(12)] (20)(a) “Insurance-support organization” means[, except as provided in subsection (13) of this section,] a person who regularly engages, in whole or in part, in assembling or collecting information about natural persons for the primary purpose of providing the information to an insurer or agent for insurance transactions, including:
[(a)] (A) The furnishing of consumer reports to an insurer or agent for use in connection with insurance transactions; and
[(b)] (B) The collection of personal information from insurers, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.
[(13)] (b) “Insurance-support organization” does not [include] mean insurers, agents, governmental institutions[, medical care institutions or medical professionals] or health care providers.
[(14)] (21) “Insurance transaction” means any transaction involving insurance primarily for personal, family or household needs rather than business or professional needs and [which] that entails:
(a) The determination of an individual’s eligibility for an insurance coverage, benefit or payment; or
(b) The servicing of an insurance application, policy or certificate.
[(15)] (22) “Insurer,” [as defined in ORS 731.106, includes every person engaged in the business of entering into policies of insurance] has the meaning given that term in ORS 731.106.
[(16)] (23) “Investigative consumer report” means a consumer report, or portion of a consumer report, for which information about a natural person’s character, general reputation, personal characteristics or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances or others who may have knowledge concerning such items of information.
[(17)] (24) “Licensee” means an insurer, agent or other person authorized or required to be authorized, or licensed or required to be licensed, pursuant to the Insurance Code.
[(18) “Medical care institution” means a facility or institution which is licensed to provide health care services to natural persons, and includes but is not limited to health maintenance organizations, home health agencies, hospitals, medical clinics, public health agencies, rehabilitation agencies and skilled nursing facilities.]
[(19) “Medical professional” means a person licensed or certified to provide health care services to natural persons, and includes but is not limited to chiropractors, clinical dieticians, clinical psychologists, dentists, naturopaths, nurses, occupational therapists, optometrists, pharmacists, physical therapists, physicians, podiatrists, psychiatric social workers and speech therapists.]
[(20) “Medical record information” means personal information except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:]
[(a) The past, present or future physical, mental or behavioral health or condition of an individual;]
[(b) The provision of health care to an individual; or]
[(c) Payment for the provision of health care to an individual.]
[(21)] (25) “Nonaffiliated third party” means any person except:
(a) An affiliate of a licensee;
(b) A person that is employed jointly by a licensee and by a person that is not an affiliate of the licensee; and
(c) As designated by the director by rule.
(26)
“Payment” includes but is not limited to:
(a)
Efforts to obtain premiums or reimbursement;
(b)
Determining eligibility or coverage;
(c)
Billing activities;
(d)
Claims management;
(e)
Reviewing health care to determine medical necessity;
(f)
Utilization review; and
(g) Disclosures to consumer reporting agencies.
[(22)] (27)(a) “Personal financial information” means:
(A) Information [which] that is identifiable with an individual, [which is] gathered in connection with an insurance transaction [and] from which [information] judgments can be made about the individual’s character, habits, avocations, finances, occupations, general reputation, credit[, health] or any other personal characteristics;[. “Personal information” includes] or
(B) An individual’s name, [and] address[, an individual’s] and policy number or similar form of access code for the individual’s policy. [and “medical record information” but does not include “privileged information” except for privileged information which has been disclosed in violation of ORS 746.665.]
(b) “Personal financial information” does not [include] mean information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records, widely distributed media or disclosures to the public that are required by federal, state or local law.
(28)
“Personal information” means:
(a)
Personal financial information;
(b)
Individually identifiable health information; or
(c)
Protected health information.
(29)
“Personal representative” includes but is not limited to:
(a)
A person appointed as a guardian under ORS 125.305, 419B.370, 419C.481 or
419C.555 with authority to make medical and health care decisions;
(b)
A person appointed as a health care representative under ORS 127.505 to 127.660
or 127.700 to 127.737 to make health care decisions or mental health treatment
decisions; and
(c) A person appointed as a personal representative under ORS chapter 113.
[(23)] (30) “Policyholder” means a person who:
(a) In the case of individual policies of life or health insurance, is a current policyowner;
(b) In the case of individual policies of other kinds of insurance, is currently a named insured; or
(c) In the case of group policies of insurance under which coverage is individually underwritten, is a current certificate holder.
[(24)] (31) “Pretext interview” means an interview wherein the interviewer, in an attempt to obtain personal information about a natural person, does one or more of the following:
(a) Pretends to be someone the interviewer is not.
(b) Pretends to represent a person the interviewer is not in fact representing.
(c) Misrepresents the true purpose of the interview.
(d) Refuses upon request to identify the interviewer.
[(25)] (32) “Privileged information” means information [which] that is identifiable with an individual and [which] that:
(a) Relates to a claim for insurance benefits or a civil or criminal proceeding involving the individual; and
(b) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or a civil or criminal proceeding involving the individual.
(33)(a)
“Protected health information” means individually identifiable health
information that is transmitted or maintained in any form of electronic or
other medium by a covered entity.
(b)
“Protected health information” does not mean individually identifiable health
information in:
(A)
Education records covered by the federal Family Educational Rights and Privacy
Act (20 U.S.C. 1232g);
(B)
Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); or
(C) Employment records held by a covered entity in its role as employer.
[(26)] (34) “Residual market mechanism” means an association, organization or other entity involved in the insuring of risks under ORS 735.005 to 735.145, 737.312 or other provisions of the Insurance Code relating to insurance applicants who are unable to procure insurance through normal insurance markets.
[(27)] (35) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or a nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure of a premium to be paid as required by the policy.
(36)
“Treatment” includes but is not limited to:
(a)
The provision, coordination or management of health care; and
(b) Consultations and referrals between health care providers.
SECTION 7. ORS 746.605 is amended to read:
746.605. The purpose of ORS 746.600 to 746.690 [and 750.055] is to:
(1) Establish standards for the collection, use and disclosure of personal information gathered in connection with insurance transactions by insurers, agents or insurance-support organizations;
(2) Maintain a balance between the need for personal information by those conducting the business of insurance and the public’s need for fairness in insurance information practices, including the need to minimize intrusiveness;
(3) Establish a regulatory mechanism to enable natural persons to ascertain what personal information is being or has been collected about them in connection with insurance transactions and to have access to this personal information for the purpose of verifying or disputing its accuracy;
(4) Limit the disclosure of personal information collected in connection with insurance transactions; and
(5) Enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.
SECTION 8. ORS 746.610 is amended to read:
746.610. (1) Except as otherwise provided in sections 2, 3, 4 and 5 of this 2003 Act, the obligations imposed by ORS 746.600 to 746.690 [and 750.055] apply to those insurers, agents and insurance-support organizations [which] that[, on or after January 1, 1983]:
(a) In the case of life or health insurance:
(A) Collect, receive or maintain personal information, in connection with insurance transactions, [which] that pertains to natural persons who are residents of this state; or
(B) Engage in insurance transactions with applicants, individuals or policyholders who are residents of this state.
(b) In the case of other kinds of insurance:
(A) Collect, receive or maintain personal information in connection with insurance transactions involving policies or certificates of insurance delivered, issued for delivery or renewed in this state; or
(B) Engage in insurance transactions involving policies or certificates of insurance delivered, issued for delivery or renewed in this state.
(2) The rights granted by ORS 746.600 to 746.690 [and 750.055] extend to:
(a) In the case of life or health insurance, the following persons who are residents of this state:
(A) Natural persons who are the subject of personal information collected, received or maintained in connection with insurance transactions; and
(B) Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions.
(b) In the case of other kinds of insurance, the following persons:
(A) Natural persons who are the subject of personal information collected, received or maintained in connection with insurance transactions involving policies or certificates of insurance delivered, issued for delivery or renewed in this state; and
(B) Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions involving policies or certificates of insurance delivered, issued for delivery or renewed in this state.
(3) For purposes of this section, a person is considered a resident of this state if the person’s last-known mailing address, as shown in the records of the insurer, agent or insurance-support organization, is located in this state.
(4) Notwithstanding subsections (1) and (2) of this section, ORS 746.600 to 746.690 [and 750.055] do not apply to personal information collected from the public records of a governmental authority and maintained by an insurer or its representatives for the purpose of insuring the title to real property located in this state.
SECTION 9. ORS 746.615 is amended to read:
746.615. [No] An insurer, agent or insurance-support organization [shall] may not use or authorize the use of pretext interviews to obtain personal information in connection with an insurance transaction. However, a pretext interview may be undertaken to obtain information from a person or institution [which] that does not have a generally recognized or statutorily recognized privileged relationship with the person about whom the information relates, for the purpose of investigating a claim where, based upon specific information available for review by the Director of the Department of Consumer and Business Services, there is a reasonable basis for suspecting criminal activity, fraud, material misrepresentation or material nondisclosure in connection with the claim.
SECTION 10. ORS 746.620 is amended to read:
746.620. (1) A licensee shall provide a clear and conspicuous notice of personal information practices to individuals in connection with insurance transactions under the circumstances and at the times as follows:
(a) Except as provided in this paragraph, to a consumer who becomes a customer of the licensee, not later than the date that the licensee establishes a continuing relationship under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes. A licensee may provide the notice within a reasonable time after the date the licensee establishes a customer relationship if:
(A) Establishing the customer relationship is not at the customer’s election; or
(B) Providing notice not later than the date that the licensee establishes a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
(b) To a consumer other than as described in paragraph (a) of this subsection, before the licensee discloses any personal information about the consumer pursuant to the requirements of ORS 746.665, unless the disclosure meets one or more of the conditions specified in ORS 746.665.
(2) A licensee shall provide a clear and conspicuous notice to a customer that accurately reflects the privacy policies and practices not less than annually during the continuation of the relationship described in subsection (1)(a) of this section. For the purpose of this subsection, a notice is given annually if it is given at least once in any period of 12 consecutive months during which the relationship exists. A licensee may define the period of 12 consecutive months, but the licensee must apply the period to the customer on a consistent basis.
(3) The privacy notice required by subsections (1) and (2) of this section shall be in writing and clear and conspicuous. The notice may be provided in electronic form if the recipient agrees. In addition to any other personal information the licensee wishes to provide, the notice shall include the following items of personal information that apply to the licensee and to the individuals to whom the licensee sends the notice:
(a) The categories of personal information that the licensee collects.
(b) The categories of personal information that the licensee discloses.
(c) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses personal information other than persons to whom the licensee discloses information under ORS 746.665.
(d) The categories of personal information about former customers of the licensee that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses personal information about the licensee’s former customers, other than persons to whom the licensee discloses personal information under ORS 746.665.
(e) If a licensee discloses personal information to a nonaffiliated third party under ORS 746.665, a separate description of the categories of personal information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.
(f) An explanation of the individual’s right under ORS 746.630 to authorize disclosure of personal information, including the methods by which the individual may exercise that right.
(g) Any disclosure that the licensee makes under section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) regarding the ability to opt out of disclosures of personal information among affiliates.
(h) The policies and practices of the licensee with respect to protecting the confidentiality and security of personal information.
(i) Any disclosure that the licensee makes under subsection (4) of this section.
(j) A description of the rights established under ORS 746.640 and 746.645 and the manner in which such rights may be exercised.
(4) If a licensee discloses personal information as authorized under ORS 746.665, the licensee [need not] is not required to list those exceptions in the privacy notices required by this section. When describing the categories of parties to whom disclosure is made, the licensee must state only that the licensee makes disclosures to other affiliated parties or nonaffiliated third parties, as applicable, as authorized by law.
(5) In lieu of the notice [prescribed] required in subsection (3) of this section, the licensee may provide to a consumer an abbreviated notice, in writing or in electronic form if the consumer agrees, informing the consumer that:
(a) Personal information may be collected from persons other than the consumer proposed for coverage;
(b) Such information as well as other personal or privileged information subsequently collected by the licensee may in certain circumstances be disclosed to third parties without authorization;
(c) A right of access and correction exists with respect to all personal information collected; and
(d) The notice prescribed in subsection (3) of this section [will] shall be furnished to the consumer upon request.
(6) The Director of the Department of Consumer and Business Services by rule may apply the categories of consumer and customer as [described] defined in ORS 746.600 for the purpose of establishing specific requirements for notice of personal information practices, authorization for disclosure of personal information, conditions for disclosure of personal information under this section and ORS 746.630 and 746.665, and exceptions. The director shall consider applicable definitions and terms used in the federal Gramm-Leach-Bliley Act (P.L. 106-102), applicable definitions and requirements used in the model “Privacy of Consumer Financial and Health Information Regulation” adopted by the National Association of Insurance Commissioners and other sources as may be needed so that the terms defined in ORS 746.600 and applicable to this section and ORS 746.630 and 746.665:
(a) Facilitate compliance with requirements in federal law and the laws of other states that establish protections of nonpublic personal information; and
(b) Establish separate and discrete requirements relating to the privacy notice and its contents and delivery for customers and consumers, so that the requirements provide reasonable notice and facilitate compliance with requirements in federal law and in the laws of other states.
(7) The director shall determine by rule:
(a) When a privacy notice must be provided to a certificate holder or beneficiary of a group policy and to a third-party claimant.
(b) When the obligation to provide annual notice ceases.
(c) Requirements for revision of the notice by a licensee.
(8) An agent is not subject to the requirements of this section when the insurer on whose behalf the agent acts otherwise complies with the requirements of this section and the agent does not disclose any personal information to any person other than the insurer or its affiliate, or as otherwise authorized by law.
(9) A licensee may provide a joint notice from the licensee and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee may also provide a notice on behalf of a financial institution.
(10) The obligations imposed by this section upon a licensee may be satisfied by another licensee authorized to act on behalf of the first licensee.
(11) For purposes of this section and ORS 746.630 and 746.665, an individual is not the consumer of a licensee solely because the individual is covered under a group life [or health] insurance policy issued by the licensee or is a participant or beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary, if:
(a) The licensee provides to the policyholder the initial, annual and revised notices under this section; and
(b) The licensee does not disclose to a nonaffiliated third party personal information about the individual other than as permitted by ORS 746.665.
(12) When an individual becomes a consumer of a licensee under subsection (11) of this section, this section and ORS 746.630 and 746.665 apply to the licensee with respect to the individual.
SECTION 11. ORS 746.625 is amended to read:
746.625. An insurer or agent shall clearly [so] identify those questions [which] that are designed to obtain personal information solely for marketing or research purposes from an individual in connection with an insurance transaction.
SECTION 12. ORS 746.630 is amended to read:
746.630. (1) Notwithstanding any other law of this state, a licensee or insurance-support organization may not [utilize] use as its disclosure authorization form in connection with insurance transactions a form or statement [which] that authorizes the disclosure of personal or privileged information about an individual to the licensee or insurance-support organization unless the form or statement is clear and conspicuous, and contains all of the following:
(a) The identity of the individual who is the subject of the personal information.
(b) A general description of the categories of personal information to be disclosed.
(c) General descriptions of the parties to whom the licensee discloses personal information, the purpose of the disclosure and how the personal information [will] may be used.
(d) The signature of the individual who is the subject of the personal information or the individual who is legally empowered to grant authority and the date signed.
(e) Notice of the length of time for which the authorization is valid, that the individual may revoke the authorization at any time and the procedure for making a revocation.
(2) An authorization [may not remain] is not valid for more than 24 months.
(3) An individual who is the subject of personal information may revoke an authorization provided pursuant to this section at any time, subject to the rights of any individual who acted in reliance on the authorization prior to notice of the revocation.
(4) A licensee [shall] must retain the authorization of an individual or a copy thereof in the record of the individual who is the subject of the personal information.
(5) A disclosure authorization obtained by an insurer, agent or insurance-support organization from an individual prior to January 1, 1983, [shall be] is considered to be in compliance with this section.
SECTION 13. ORS 746.640 is amended to read:
746.640. (1) If any individual, after proper identification, submits a written request to an insurer, agent or insurance-support organization for access to recorded personal information about the individual [which] that is reasonably described by the individual and reasonably locatable and retrievable by the insurer, agent or insurance-support organization, the insurer, agent or insurance-support organization within 30 business days from the date the request is received shall:
(a) Inform the individual of the nature and substance of the recorded personal information in writing, by telephone or by other oral communication, whichever the insurer, agent or insurance-support organization prefers;
(b) Permit the individual to see and copy, in person, the recorded personal information or to obtain a copy of the recorded personal information by mail, whichever the individual prefers, unless the recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing;
(c) Disclose to the individual the identity, if recorded, of the persons to whom the insurer, agent or insurance-support organization has disclosed the recorded personal information within two years prior to the request, and if such identity is not recorded, the names of the insurers, agents, insurance-support organizations and other persons to whom such information is normally disclosed; and
(d) Provide the individual with a summary of the procedures by which the individual may request correction, amendment or deletion of recorded personal information.
(2) Any personal information provided pursuant to this section [shall] must identify the source of the information if the source is an institutional source.
(3) [Medical record information supplied by a medical care institution or medical professional and requested under this section, together with the identity of the medical professional or medical care institution which provided the information, shall be supplied] If an individual requests individually identifiable health information supplied by a health care provider, the insurer, agent or insurance-support organization shall provide the information, including the identity of the health care provider either directly to the individual or to a [medical professional] health care provider designated by the individual and licensed to provide [medical] health care with respect to the condition to which the information relates, whichever the insurer, agent or insurance-support organization prefers. If [it] the insurer, agent or insurance-support organization elects to disclose the information to a [medical professional] health care provider designated by the individual, the insurer, agent or insurance-support organization shall notify the individual, at the time of the disclosure, that [it] the insurer, agent or insurance-support organization has provided the information to the [medical professional] health care provider.
(4) Except for personal information provided under ORS 746.650, an insurer, agent or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to an individual.
(5) The obligations imposed by this section upon an insurer or agent may be satisfied by another insurer or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under this section, an insurer, agent or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.
(6) The rights granted to individuals by this section shall extend to all natural persons to the extent personal information about them is collected and maintained by an insurer, agent or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subsection shall not extend to personal information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or a civil or criminal proceeding involving them.
(7) For purposes of this section, the term “insurance-support organization” does not include “consumer reporting agency.”
SECTION 14. ORS 746.665 is amended to read:
746.665. (1) A licensee or insurance-support organization [shall] may not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure meets one or more of the following conditions:
(a) Is with the written authorization of the individual, and:
(A) If the authorization is submitted by another licensee or insurance-support organization, the authorization meets the requirements of ORS 746.630; or
(B) If the authorization is submitted by a person other than a licensee or insurance-support organization, the authorization is:
(i) Dated;
(ii) Signed by the individual; and
(iii) Obtained one year or less prior to the date a disclosure is sought pursuant to this subsection.
(b) Is to a person other than a licensee or insurance-support organization, if the disclosure is reasonably necessary to enable the person to:
(A) Perform a business, professional or insurance function for the disclosing licensee or insurance-support organization and the person agrees not to disclose the information further without the individual’s written authorization unless the further disclosure:
(i) Would otherwise be permitted by this section if made by a licensee or insurance-support organization; or
(ii) Is reasonably necessary for the person to perform its function for the disclosing licensee or insurance-support organization; or
(B) Provide information to the disclosing licensee or insurance-support organization for the purpose of:
(i) Determining an individual’s eligibility for an insurance benefit or payment; or
(ii) Detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction.
(c) Is to a licensee, insurance-support organization or self-insurer, if the information disclosed is limited to that which is reasonably necessary:
(A) To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with insurance transactions; or
(B) For either the disclosing or receiving licensee or insurance-support organization to perform its function in connection with an insurance transaction involving the individual.
(d) Is to a [medical care institution or medical professional] health care provider and discloses only such information as is reasonably necessary to accomplish one or more of the following purposes:
(A) Verifying insurance coverage or benefits.
(B) Informing an individual of a medical problem of which the individual may not be aware.
(C) Conducting an operations or services audit.
(e) Is to an insurance regulatory authority.
(f) Is to a law enforcement or other governmental authority:
(A) To protect the interests of the licensee or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or
(B) If the licensee or insurance-support organization reasonably believes that illegal activities have been conducted by the individual.
(g) Is otherwise permitted or required by law.
(h) Is in response to a facially valid administrative or judicial order, including a search warrant or subpoena.
(i) Is made for the purpose of conducting actuarial or research studies, if:
(A) No individual may be identified in any resulting actuarial or research report;
(B) Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed; and
(C) The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by a licensee or insurance-support organization.
(j) Is to a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the licensee or insurance-support organization, if:
(A) Prior to the consummation of the sale, transfer, merger or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger or consolidation; and
(B) The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by a licensee or insurance-support organization.
(k) Is to a nonaffiliated third party whose only use of the information will be in connection with the marketing of a product or service, if all of the following conditions are met:
(A) No [medical record information,] privileged information or personal information [relating to an individual’s character, personal habits, mode of living or general reputation] is disclosed, and no classification derived from such information may be disclosed.
(B) The individual must have been given the notice described in ORS 746.620 and an opportunity to indicate that the individual does not want personal information disclosed for marketing purposes and must have given no indication that the individual does not want the information disclosed. The individual need not have been given the opportunity described in this subparagraph if the disclosure is made pursuant to a joint marketing agreement. As used in this subparagraph, “joint marketing agreement” means a formal written contract pursuant to which an insurer jointly offers, endorses or sponsors a financial product or service with a financial institution. When the opportunity is required, the statement that offers the opportunity must state that the insurer may disclose personal information to nonaffiliates and that the individual has a right to indicate that the individual does not want personal information disclosed for marketing purposes, and must describe the method for exercising that right. The statement must be in writing but may be in an electronic form if the individual agrees. The individual who is given the opportunity must be provided a reasonable time to exercise the opportunity. An individual may exercise the opportunity at any time. A statement by an individual barring disclosure of personal information remains effective until the individual who made the statement revokes the statement in writing or, if the individual agrees, in electronic form.
(C) The person receiving the information must agree not to use it except in connection with the marketing of a product or service.
(L) Is to an affiliate whose only use of the information will be in connection with an audit of the licensee or the marketing of a financial product or service, and the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons. This paragraph does not apply to the disclosure of [medical record information] individually identifiable health information for the purpose of marketing a financial product or service.
(m) Is by a consumer reporting agency, and the disclosure is to a person other than a licensee.
(n) Is to a group policyholder for the purpose of reporting claims experience or conducting an audit of the licensee’s operations or services, and the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit.
(o) Is to a professional peer review organization for the purpose of reviewing the service or conduct of a [medical care institution or medical professional] health care provider.
(p) Is to a governmental authority for the purpose of determining the individual’s eligibility for health benefits for which the governmental authority may be liable.
(q) Is to a policyholder or certificate holder for the purpose of providing information regarding the status of an insurance transaction.
(2) Personal or privileged information may be acquired by a group practice prepayment health care service contractor from providers which contract with the contractor and may be transferred among providers which contract with the contractor for the purpose of administering plans offered by the contractor. The information may not be disclosed otherwise by the contractor except in accordance with ORS 746.600 to 746.690 [and 750.055].
SECTION 15. ORS 746.650 is amended to read:
746.650. (1) In the event of an adverse underwriting decision the insurer or agent responsible for the decision shall:
(a) Either provide the applicant, policyholder or individual proposed for coverage with the specific reason or reasons for the adverse underwriting decision in writing or advise the person that upon written request the person may receive the specific reason or reasons in writing; and
(b) Provide the applicant, policyholder or individual proposed for coverage with a summary of the rights established under subsection (2) of this section and ORS 746.640 and 746.645.
(2) Upon receipt of a written request within 90 business days from the date of the mailing of notice or other communication of an adverse underwriting decision to an applicant, policyholder or individual proposed for coverage, the insurer or agent shall furnish to the person within 21 business days from the date of receipt of the written request:
(a) The specific reason or reasons for the adverse underwriting decision, in writing, if this information was not initially furnished in writing pursuant to subsection (1) of this section;
(b) The specific items of personal information and privileged information that support these reasons, subject, however, to the following:
(A) The insurer or agent [shall not be] is not required to furnish specific items of privileged information if it has a reasonable suspicion, based upon specific information available for review by the Director of the Department of Consumer and Business Services, that the applicant, policyholder or individual proposed for coverage has engaged in criminal activity, fraud, material misrepresentation or material nondisclosure.
(B) Specific items of [medical record information] individually identifiable health information supplied by a [medical care institution or medical professional] health care provider shall be disclosed either directly to the individual about whom the information relates or to a [medical professional] health care provider designated by the individual and licensed to provide [medical] health care with respect to the condition to which the information relates, whichever the insurer or agent prefers; and
(c) The names and addresses of the institutional sources [which] that supplied the specific items of information described in paragraph (b) of this subsection. However, the identity of any [medical care institution or medical professional shall] health care provider must be disclosed either directly to the individual or to the designated [medical professional] health care provider, whichever the insurer or agent prefers.
(3) The obligations imposed by this section upon an insurer or agent may be satisfied by another insurer or agent authorized to act on its behalf.
(4) When an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights required by subsection (1) of this section may be given orally.
SECTION 16. ORS 746.668 is amended to read:
746.668. Nothing in ORS 746.620, 746.630 or 746.665 may be construed to modify, limit or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and no inference may be drawn on the basis of ORS 746.620, 746.630 or 746.665 regarding whether personal information is transaction information or experience information under section 603 of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
SECTION 17. ORS 746.670 is amended to read:
746.670. (1) The Director of the Department of Consumer and Business Services [shall have the power to] may examine and investigate into the affairs of any insurer or agent transacting insurance in this state to determine whether it has been or is engaged in any conduct in violation of ORS 746.600 to 746.690 [and 750.055].
(2) The director [shall have the power to] may examine and investigate into the affairs of any insurance-support organization acting on behalf of an insurer or agent which either transacts insurance in this state or transacts insurance outside this state which has an effect on a person residing in this state, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of ORS 746.600 to 746.690 [and 750.055].
SECTION 18. ORS 746.680 is amended to read:
746.680. (1) [If any insurer, agent or insurance-support organization fails to comply with ORS 746.640, 746.645 or 746.650, any] A person whose rights granted under [those sections] ORS 746.640, 746.645 or 746.650 or section 3 (7) of this 2003 Act are violated may apply to the circuit court for the county in which the person resides, or any other court of competent jurisdiction, for appropriate equitable relief if an insurer, agent or insurance-support organization fails to comply with ORS 746.640, 746.645 or 746.650 or section 3 (7) of this 2003 Act.
(2) A licensee or insurance-support organization that discloses information in violation of ORS 746.665 or a health insurer that uses or discloses information in violation of section 3 (1) or (2) of this 2003 Act [shall be] is liable for damages sustained by the individual about whom the information relates. However, [no] an individual [shall be] is not entitled to a monetary award that exceeds the actual damages sustained by the individual as a result of the violation of ORS 746.665 or section 3 (1) or (2) of this 2003 Act.
(3) In any action brought pursuant to this section, the court may award the cost of the action and reasonable attorney fees to the prevailing party.
(4) An action under this section must be brought within two years from the date the alleged violation is or should have been discovered.
(5) Except as specifically provided in this section, there shall be no remedy or recovery available to individuals, in law or in equity, for occurrences constituting a violation of any provision of ORS 746.600 to 746.690 [and 750.055].
SECTION 18a. Nothing in section 3 of this 2003 Act may be construed to create a new private right of action against a health insurer.
SECTION 19. ORS 750.055 is amended to read:
750.055. (1) The following provisions of the Insurance Code shall apply to health care service contractors to the extent so applicable and not inconsistent with the express provisions of ORS 750.005 to 750.095:
(a) ORS 705.137, 705.139, 731.004 to 731.150, 731.162, 731.216 to 731.362, 731.382, 731.385, 731.386, 731.390, 731.398 to 731.430, 731.428, 731.450, 731.454, 731.488, 731.504, 731.508, 731.509, 731.510, 731.511, 731.512, 731.574 to 731.620, 731.592, 731.594, 731.640 to 731.652, 731.730, 731.731, 731.735, 731.737, 731.750, 731.752, 731.804 and 731.844 to 731.992.
(b) ORS 732.215, 732.220, 732.230, 732.245, 732.250, 732.320, 732.325 and 732.517 to 732.592, not including ORS 732.549 and 732.574 to 732.592.
(c)(A) ORS 733.010 to 733.050, 733.080, 733.140 to 733.170, 733.210, 733.510 to 733.620, 733.635 to 733.680 and 733.695 to 733.780 apply to not-for-profit health care service contractors.
(B) ORS chapter 733, not including ORS 733.630, applies to for-profit health care service contractors.
(d) ORS chapter 734.
(e) ORS 742.001 to 742.009, 742.013, 742.061, 742.065, 742.150 to 742.162, 742.400, 742.520 to 742.540, 743.010, 743.013, 743.018 to 743.030, 743.050, 743.100 to 743.109, 743.402, 743.412, 743.472, 743.492, 743.495, 743.498, 743.522, 743.523, 743.524, 743.526, 743.527, 743.528, 743.529, 743.549 to 743.555, 743.556, 743.560, 743.600 to 743.610, 743.650 to 743.656, 743.693, 743.694, 743.697, 743.699, 743.701, 743.706 to 743.712, 743.721, 743.722, 743.726, 743.727, 743.728, 743.729, 743.804, 743.807, 743.808, [743.809,] 743.814 to 743.839, 743.842, 743.845, 743.847, 743.854, 743.856, 743.857, 743.858, 743.859, 743.861, 743.862, 743.863, 743.864, 743.866 and 743.868.
(f) The provisions of ORS chapter 744 relating to the regulation of agents.
(g) ORS 746.005 to 746.140, 746.160, 746.180, 746.220 to 746.370, [and] 746.600, [to 746.690] 746.605, 746.610, 746.615, 746.625, 746.635, 746.650, 746.655, 746.660, 746.668, 746.670, 746.675, 746.680 and 746.690 and sections 3 and 4 of this 2003 Act.
(h) ORS 743.714, except in the case of group practice health maintenance organizations that are federally qualified pursuant to Title XIII of the Public Health Service Act unless the patient is referred by a physician associated with a group practice health maintenance organization.
(i) ORS 735.600 to 735.650.
(j) ORS 743.680 to 743.689.
(k) ORS 744.700 to 744.740.
(L) ORS 743.730 to 743.773.
(m) ORS 731.485, except in the case of a group practice health maintenance organization that is federally qualified pursuant to Title XIII of the Public Health Service Act and that wholly owns and operates an in-house drug outlet.
(2) For the purposes of this section only, health care service contractors shall be deemed insurers.
(3) Any for-profit health care service contractor organized under the laws of any other state which is not governed by the insurance laws of such state, will be subject to all requirements of ORS chapter 732.
(4) The Director of the Department of Consumer and Business Services may, after notice and hearing, adopt reasonable rules not inconsistent with this section and ORS 750.003, 750.005, 750.025 and 750.045 that are deemed necessary for the proper administration of these provisions.
SECTION 20. ORS 735.650 is amended to read:
735.650. (1) The following provisions of the Insurance Code shall apply to the pool to the extent applicable and not inconsistent with the express provisions of ORS 735.600 to 735.650: ORS 731.004 to 731.022, 731.052 to 731.146, 731.162, 731.216 to 731.328, 742.023, 742.028, 742.046, 742.051, 742.056, 743.024, 743.027, 743.028, 743.041, 743.050, 743.100 to 743.106, 743.402, 743.707, 743.721, 743.801, 743.803, 743.804, 743.806, 743.807, 743.808, [743.809,] 743.811, 743.814, 743.817, 743.819, 743.821, 743.823, 743.827, 743.829, 743.834, 743.837, 743.839, 743.845, 746.005 to 746.370, [and] 746.600, [to 746.690] 746.605, 746.610, 746.615, 746.625, 746.635, 746.650, 746.655, 746.660, 746.668, 746.670, 746.675, 746.680 and 746.690 and sections 3 and 4 of this 2003 Act.
(2) For the purposes of this section only, the pool shall be deemed an insurer, pool coverage shall be deemed individual health insurance and pool coverage contracts shall be deemed policies.
SECTION 21. ORS 743.801 is amended to read:
743.801. As used in ORS 743.699, 743.801, 743.803, 743.804, 743.806, 743.807, 743.808, [743.809,] 743.811, 743.814, 743.817, 743.819, 743.821, 743.823, 743.827, 743.829, 743.831, 743.834, 743.837, 743.839, 743.854, 743.856, 743.857, 743.858, 743.859, 743.861, 743.862, 743.863, 743.864, 743.866 and 743.868:
(1) “Emergency medical condition” means a medical condition that manifests itself by symptoms of sufficient severity that a prudent layperson possessing an average knowledge of health and medicine would reasonably expect that failure to receive immediate medical attention would place the health of a person, or a fetus in the case of a pregnant woman, in serious jeopardy.
(2) “Emergency medical screening exam” means the medical history, examination, ancillary tests and medical determinations required to ascertain the nature and extent of an emergency medical condition.
(3) “Emergency services” means those health care items and services furnished in an emergency department and all ancillary services routinely available to an emergency department to the extent they are required for the stabilization of a patient.
(4) “Enrollee” has the meaning given that term in ORS 743.730.
(5) “Grievance” means a written complaint submitted by or on behalf of an enrollee regarding the:
(a) Availability, delivery or quality of health care services, including a complaint regarding an adverse determination made pursuant to utilization review;
(b) Claims payment, handling or reimbursement for health care services; or
(c) Matters pertaining to the contractual relationship between an enrollee and an insurer.
(6) “Health benefit plan” has the meaning provided for that term in ORS 743.730.
(7) “Independent practice association” means a corporation wholly owned by providers, or whose membership consists entirely of providers, formed for the sole purpose of contracting with insurers for the provision of health care services to enrollees, or with employers for the provision of health care services to employees, or with a group, as described in ORS 743.522, to provide health care services to group members.
(8) “Insurer” has the meaning provided for that term in ORS 731.106. For purposes of ORS 743.699, 743.801, 743.803, 743.804, 743.806, 743.807, 743.808, [743.809,] 743.811, 743.814, 743.817, 743.819, 743.821, 743.823, 743.827, 743.829, 743.831, 743.834, 743.837, 743.839, 743.854, 743.856, 743.857, 743.858, 743.859, 743.861, 743.862, 743.863, 743.864, 743.866, 743.868, 750.055 and 750.333, “insurer” also includes a health care service contractor as defined in ORS 750.005.
(9) “Managed health insurance” means any health benefit plan that:
(a) Requires an enrollee to use a specified network or networks of providers managed, owned, under contract with or employed by the insurer in order to receive benefits under the plan, except for emergency or other specified limited service; or
(b) In addition to the requirements of paragraph (a) of this subsection, offers a point-of-service provision that allows an enrollee to use providers outside of the specified network or networks at the option of the enrollee and receive a reduced level of benefits.
(10) “Medical services contract” means a contract between an insurer and an independent practice association, between an insurer and a provider, between an independent practice association and a provider or organization of providers, between medical or mental health clinics, and between a medical or mental health clinic and a provider to provide medical or mental health services. “Medical services contract” does not include a contract of employment or a contract creating legal entities and ownership thereof that are authorized under ORS chapter 58, 60 or 70, or other similar professional organizations permitted by statute.
(11)(a) “Preferred provider organization insurance” means any health benefit plan that:
(A) Specifies a preferred network of providers managed, owned or under contract with or employed by an insurer;
(B) Does not require an enrollee to use the preferred network of providers in order to receive benefits under the plan; and
(C) Creates financial incentives for an enrollee to use the preferred network of providers by providing an increased level of benefits.
(b) “Preferred provider organization insurance” does not mean a health benefit plan that has as its sole financial incentive a hold harmless provision under which providers in the preferred network agree to accept as payment in full the maximum allowable amounts that are specified in the medical services contracts.
(12) “Prior authorization” means a determination by an insurer prior to provision of services that the insurer will provide reimbursement for the services. “Prior authorization” does not include referral approval for evaluation and management services between providers.
(13) “Provider” means a person licensed, certified or otherwise authorized or permitted by laws of this state to administer medical or mental health services in the ordinary course of business or practice of a profession.
(14) “Stabilization” means that, within reasonable medical probability, no material deterioration of an emergency medical condition is likely to occur.
(15) “Utilization review” means a set of formal techniques used by an insurer or delegated by the insurer designed to monitor the use of or evaluate the medical necessity, appropriateness, efficacy or efficiency of health care services, procedures or settings.
SECTION 22. ORS 743.804 is amended to read:
743.804. All insurers offering a health benefit plan in this state shall:
(1) Have a written policy that recognizes the rights of enrollees:
(a) To voice grievances about the organization or health care provided;
(b) To be provided with information about the organization, its services and the providers providing care;
(c) To participate in decision making regarding their health care; and
(d) To be treated with respect and recognition of their dignity and need for privacy.
(2) Provide a summary of policies on enrollees’ rights and responsibilities to all participating providers upon request and to all enrollees either directly or, in the case of group coverage, to the employer or other policyholder for distribution to enrollees.
(3) Have a timely and organized system for resolving grievances and appeals. The system shall include:
(a) A systematic method for recording all grievances and appeals, including the nature of the grievances, and significant actions taken;
(b) Written procedures explaining the grievance and appeal process, including a procedure to assist enrollees in filing written grievances;
(c) Written decisions in plain language justifying grievance determinations, including appropriate references to relevant policies, procedures and contract terms;
(d) Standards for timeliness in responding to grievances or appeals that accommodate the clinical urgency of the situation;
(e) Notice in all written decisions prepared pursuant to this subsection that the enrollee may file a complaint with the Director of the Department of Consumer and Business Services; and
(f) An appeal process for grievances that includes at least the following:
(A) Three levels of review, the second of which shall be by persons not previously involved in the dispute and the third of which shall provide external review pursuant to an external review program meeting the requirements of ORS 743.857, 743.859 and 743.861;
(B) Opportunity for enrollees and any representatives of the enrollees to appear before a review panel at either the first or second level of review. Representatives may include health care providers or any other persons chosen by the enrollee. The enrollee and insurer shall each provide advance notification of the number of representatives who will appear before the panel and the relationship of the representatives to the enrollee or insurer; and
(C) Written decisions in plain language justifying appeal determinations, including specific references to relevant provisions of the health benefit plan and related written corporate practices.
(4) If the insurer has a prescription drug formulary, have:
(a) A written procedure by which a provider with authority to prescribe drugs and medications may prescribe drugs and medications not included in the formulary. The procedure shall include the circumstances when a drug or medication not included in the formulary will be considered a covered benefit; and
(b) A written procedure to provide full disclosure to enrollees of any cost sharing or other requirements to obtain drugs and medications not included in the formulary.
(5) Furnish to all enrollees either directly or, in the case of a group policy, to the employer or other policyholder for distribution to enrollees written general information informing enrollees about services provided, access to services, charges and scheduling applicable to each enrollee’s coverage, including:
(a) Benefits and services included and how to obtain them, including any restrictions that apply to services obtained outside the insurer’s network or outside the insurer’s service area, and the availability of continuity of care as required by ORS 743.854;
(b) Provisions for referrals, if any, for specialty care, behavioral health services and hospital services and how enrollees may obtain the care or services;
(c) Provisions for after-hours and emergency care and how enrollees may obtain that care, including the insurer’s policy, if any, on when enrollees should directly access emergency care and use 9-1-1 services;
(d) Charges to enrollees, if applicable, including any policy on cost sharing for which the enrollee is responsible;
(e) Procedures for notifying enrollees of:
(A) A change in or termination of any benefit;
(B) If applicable, termination of a primary care delivery office or site; and
(C) If applicable, assistance available to enrollees affected by the termination of a primary care delivery office or site in selecting a new primary care delivery office or site;
(f) Procedures for appealing decisions adversely affecting the enrollee’s benefits or enrollment status;
(g) Procedures, if any, for changing providers;
(h) Procedures for voicing grievances, including the option of obtaining external review under the insurer’s program established pursuant to ORS 743.857, 743.859 and 743.861;
(i) A description of the procedures, if any, by which enrollees and their representatives may participate in the development of the insurer’s corporate policies and practices;
(j) Summary information on how the insurer makes decisions regarding coverage and payment for treatment or services, including a general description of any prior authorization and utilization review requirements that affect coverage or payment;
(k) A summary of criteria used to determine if a service or drug is considered experimental or investigational;
(L) Information about provider, clinic and hospital networks, if any, including a list of network providers and information about how the enrollee may obtain current information about the availability of individual providers, the hours the providers are available and a description of any limitations on the ability of enrollees to select primary and specialty care providers;
(m) A general disclosure of any risk-sharing arrangements the insurer has with physicians and other providers;
(n) A summary of the insurer’s procedures for protecting the confidentiality of medical records and other enrollee information[, including the provision required in ORS 743.809];
(o) A description of any assistance provided to non-English-speaking enrollees;
(p) A summary of the insurer’s policies, if any, on drug prescriptions, including any drug formularies, cost sharing differentials or other restrictions that affect coverage of drug prescriptions;
(q) Notice of the enrollee’s right to file a complaint or seek other assistance from the Director of the Department of Consumer and Business Services; and
(r) Notice of the information that is available upon request pursuant to subsection (6) of this section and information that is available from the Department of Consumer and Business Services pursuant to ORS 743.804, 743.807, 743.814 and 743.817.
(6) Provide the following information upon the request of an enrollee or prospective enrollee:
(a) Rules related to the insurer’s drug formulary, if any, including information on whether a particular drug is included or excluded from the formulary;
(b) Provisions for referrals, if any, for specialty care, behavioral health services and hospital services and how enrollees may obtain the care or services;
(c) A copy of the insurer’s annual report on grievances and appeals as submitted to the department under subsection (9) of this section;
(d) A description of the insurer’s risk-sharing arrangements with physicians and other providers consistent with risk-sharing information required by the federal Health Care Financing Administration pursuant to 42 C.F.R. 417.124 (3)(b) as in effect on June 18, 1997;
(e) A description of the insurer’s efforts, if any, to monitor and improve the quality of health services;
(f) Information about any insurer procedures for credentialing network providers and how to obtain the names, qualifications and titles of the providers responsible for an enrollee’s care; and
(g) A description of the insurer’s external review program established pursuant to ORS 743.857, 743.859 and 743.861.
(7) Except as otherwise provided in this subsection, provide to enrollees, upon request, a written summary of information that the insurer may consider in its utilization review of a particular condition or disease to the extent the insurer maintains such criteria. Nothing in this section shall require an insurer to advise an enrollee how the insurer would cover or treat that particular enrollee’s disease or condition. Utilization review criteria that is proprietary shall be subject to verbal disclosure only.
(8) Provide the following information to an enrollee when the enrollee has filed a grievance:
(a) Detailed information on the insurer’s grievance and appeal procedures and how to use them;
(b) Information on how to access the complaint line of the Department of Consumer and Business Services; and
(c) Information explaining how an enrollee applies for external review of the insurer’s actions under the external review program established by the insurer pursuant to ORS 743.857.
(9) Provide annual summaries to the Department of Consumer and Business Services of the insurer’s aggregate data regarding grievances, appeals and applications for external review in a format prescribed by the department to ensure consistent reporting on the number, nature and disposition of grievances, appeals and applications for external review.
(10) Ensure that the confidentiality of specified patient information and records is protected, and to that end:
(a) Adopt and implement written confidentiality policies and procedures;
(b) State the insurer’s expectations about the confidentiality of enrollee information and records in medical service contracts; and
(c) Afford enrollees the opportunity to approve or deny the release of identifiable medical personal information by the insurer, except as otherwise permitted or required by law.
(11) Notify an enrollee of the enrollee’s rights under the health benefit plan at the time that the insurer notifies the enrollee of an adverse decision. The notification shall include:
(a) Notice of the right of the enrollee to apply for internal and external review of the adverse decision;
(b) A statement whether a decision by an independent review organization is binding on the insurer and enrollee;
(c) A statement that if the decision is not binding on the insurer and if the insurer does not comply with the decision, the enrollee may sue the insurer as provided in ORS 743.864; and
(d) Information on filing a complaint with the Director of the Department of Consumer and Business Services.
SECTION 23. ORS 743.811 is amended to read:
743.811. The provisions of ORS 743.801, 743.803, 743.806[,] and 743.808 [and 743.809] do not apply to medical services contracts for services to be provided under ORS chapter 656.
SECTION 24. ORS 743.827 is amended to read:
743.827. The Director of the Department of Consumer and Business Services shall appoint a Health Care Consumer Protection Advisory Committee with fair representation of health care consumers, providers and insurers. The committee shall advise the director regarding the implementation of ORS 743.699, 743.801, 743.803, 743.804, 743.806, 743.807, 743.808, [743.809,] 743.811, 743.814, 743.817, 743.819, 743.821, 743.823, 743.827, 743.829, 743.831, 743.834, 743.837 and 743.839 and other issues related to health care consumer protection.
SECTION 25. ORS 750.333 is amended to read:
750.333. (1) The following provisions of the Insurance Code apply to trusts carrying out a multiple employer welfare arrangement:
(a) ORS 731.004 to 731.150, 731.162, 731.216 to 731.268, 731.296 to 731.316, 731.324, 731.328, 731.378, 731.386, 731.390, 731.398, 731.406, 731.410, 731.414, 731.418 to 731.434, 731.454, 731.484, 731.486, 731.488, 731.512, 731.574 to 731.620, 731.640 to 731.652, 731.804 to 731.992.
(b) ORS 733.010 to 733.050, 733.140 to 733.170, 733.210, 733.510 to 733.680 and 733.695 to 733.780.
(c) ORS chapter 734.
(d) ORS 742.001 to 742.009, 742.013, 742.061 and 742.400.
(e) ORS 743.028, 743.053, 743.524, 743.526, 743.527, 743.528, 743.529, 743.530, 743.560, 743.562, 743.600, 743.601, 743.602, 743.610, 743.693, 743.694, 743.699, 743.727, 743.728, 743.730 to 743.773 (except 743.760 to 743.773), 743.801, 743.804, 743.807, 743.808, [743.809,] 743.814 to 743.839, 743.842, 743.845, 743.847, 743.854, 743.856, 743.857, 743.858, 743.859, 743.861, 743.862, 743.863 and 743.864.
(f) ORS 743.556, 743.701, 743.703, 743.706, 743.707, 743.709, 743.710, 743.712, 743.713, 743.714, 743.717, 743.718, 743.719, 743.721, 743.722, 743.725 and 743.726. Multiple employer welfare arrangements to which ORS 743.730 to 743.773 apply are subject to the sections referred to in this paragraph only as provided in ORS 743.730 to 743.773.
(g) Provisions of ORS chapter 744 relating to the regulation of agents and insurance consultants, and ORS 744.700 to 744.740.
(h) ORS 746.005 to 746.140, 746.160, 746.180 and 746.220 to 746.370.
(i) ORS 731.592 and 731.594.
(2) For the purposes of this section:
(a) A trust carrying out a multiple employer welfare arrangement shall be considered an insurer.
(b) References to certificates of authority shall be considered references to certificates of multiple employer welfare arrangement.
(c) Contributions shall be considered premiums.
(3) The provision of health benefits under ORS 750.301 to 750.341 shall be considered to be the transaction of health insurance.
SECTION 26. ORS 743.809 and section 27a, chapter 377, Oregon Laws 2001, are repealed.
SECTION 27. Sections 2 to 5 and 18a of this 2003 Act, the amendments to ORS 735.650, 746.600, 746.605, 746.610, 746.615, 746.620, 746.625, 746.630, 746.640, 746.650, 746.665, 746.668, 746.670, 746.680 and 750.055 by sections 6 to 18, 19 and 20 of this 2003 Act and the repeal of ORS 743.809 and section 27a, chapter 377, Oregon Laws 2001, by section 26 of this 2003 Act apply to insurance policies issued or renewed by an insurer on or after the effective date of this 2003 Act.
SECTION 28. This 2003 Act being necessary for the immediate preservation of the public peace, health and safety, an emergency is declared to exist, and this 2003 Act takes effect on its passage.
Approved by the Governor May 24, 2003
Filed in the office of Secretary of State May 27, 2003
Effective date May 24, 2003
__________