LegalFix

33-19-105. Exemption based on federal standards for privacy of individually identifiable health information -- notice to commissioner required -- rules

MT Code § 33-19-105 (2019)

33-19-105. Exemption based on federal standards for privacy of individually identifiable health information -- notice to commissioner required -- rules. (1) The obligations imposed under this chapter do not apply to a licensee that is a covered entity under the provisions of federal regulations that are part of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR, parts 160 and 164, standards for privacy of individually identifiable health information or security standards for the protection of electronic health information as to any use or disclosure of personal information that is covered under the HIPAA privacy and security regulations, except for the following provisions:

(a) A notice of insurance information practices described as a notice of privacy practices for protected health information under HIPAA privacy regulations must be delivered as provided for in 33-19-202(1).

(b) To the extent that an insurer collects, discloses, or uses personal information that is not covered under the HIPAA notice of privacy practices, a separate Montana specific notice must be delivered pursuant to the provisions of 33-19-202.

(c) A disclosure authorization remains valid for a period that does not exceed 24 months, as provided for in 33-19-206(2).

(d) The reasons for an adverse underwriting decision must be specified, as provided for in 33-19-303.

(e) Disclosure of underwriting information is required, as provided for in 33-19-308.

(2) The commissioner may adopt rules regarding the exceptions from the exemption provisions described in subsection (1), including additional exceptions that embody substantive provisions of this chapter but would not be preempted by HIPAA privacy regulations.

(3) If a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (1), the licensee shall give written notice to the commissioner of that exemption and a brief statement describing why the licensee is a HIPAA-covered entity.

(4) A licensee may claim an exemption only for those lines of business that are subject to HIPAA privacy regulations. All other lines of business are subject to this chapter.

(5) A business associate, as defined in the HIPAA privacy regulations, 45 CFR 160.103, that is a party to a valid business associate agreement required by HIPAA privacy regulations is exempt from the provisions of this chapter, but only as to the scope of that particular agreement. Any activity of the business associate that falls outside of the scope of that agreement is subject to the provisions of this chapter.

(6) The commissioner retains the authority to conduct complete market conduct examinations of the licensee as to the privacy policies and practices that are subject to state privacy laws.

(7) Beginning July 1, 2011:

(a) if a licensee is subject to and in compliance with a federal regulation that is part of the federal health insurance portability and accountability privacy and security regulations, 45 CFR, parts 160 and 164, and the federal regulation with which the licensee complies is inconsistent with a provision of this chapter and not less protective of consumer privacy, the licensee is exempt from compliance with the inconsistent provision of this chapter;

(b) if a licensee considers itself exempt from a provision of this chapter for the reason provided in subsection (7)(a), the licensee shall give written notice to the commissioner of that exemption unless the requirements of this subsection (7) are preempted by HIPAA privacy regulations. The notice must include a statement of the reason for the claimed exemption.

History: En. Sec. 3, Ch. 341, L. 2001; amd. Sec. 2, Ch. 385, L. 2003; amd. Sec. 22, Ch. 469, L. 2005; amd. Sec. 10, Ch. 399, L. 2007; amd. Sec. 18, Ch. 271, L. 2009; amd. Sec. 22, Ch. 151, L. 2017.

Copyright ©2024 LegalFix. All rights reserved.