Virginia Code 38.2-613: Disclosure limitations and conditions.
A. An insurance institution, agent, or insurance-support organization shall not disclose any medical-record information or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is with the written authorization of the individual, provided:
Terms Used In Virginia Code 38.2-613
- Accident and sickness insurance: means insurance against loss resulting from sickness, or from bodily injury or death by accident or accidental means, or from a combination of any or all of these perils. See Virginia Code 38.2-109
- Company: means any association, aggregate of individuals, business, corporation, individual, joint-stock company, Lloyds type of organization, organization, partnership, receiver, reciprocal or interinsurance exchange, trustee or society. See Virginia Code 38.2-100
- Consumer report: means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living that is used or expected to be used in connection with an insurance transaction. See Virginia Code 38.2-602
- Consumer reporting agency: means any person who:
1. See Virginia Code 38.2-602
- Contract: A legal written agreement that becomes binding when signed.
- Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
- Fair Credit Reporting Act: A federal law, established in 1971 and revised in 1997, that gives consumers the right to see their credit records and correct any mistakes. Source: OCC
- Fiduciary: A trustee, executor, or administrator.
- Financial information: means personal information other than medical record information or records of payment for the provision of health care to an individual. See Virginia Code 38.2-602
- Fraud: Intentional deception resulting in injury to another.
- Health services plan: means any arrangement for offering or administering health services or similar or related services by a corporation licensed under Virginia Code 38.2-100
- Individual: means any natural person who:
1. See Virginia Code 38.2-602
- Insurance institution: means any corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyd's type of organization, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations, and health, legal, dental, and optometric service plans. See Virginia Code 38.2-602
- Insurance transaction: means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails:
1. See Virginia Code 38.2-602
- Insurance-support organization: means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction or (ii) the collection of personal information from insurance institutions, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. See Virginia Code 38.2-602
- Insurer: means an insurance company. See Virginia Code 38.2-100
- Joint marketing agreement: means a formal written contract pursuant to which an insurance institution jointly offers, endorses, or sponsors a financial product or service with another financial institution. See Virginia Code 38.2-602
- Medical professional: means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, chiropractor, optometrist, physical or occupational therapist, social worker, clinical dietitian, clinical psychologist, licensed professional counselor, licensed marriage and family therapist, pharmacist, or speech therapist. See Virginia Code 38.2-602
- Medical-care institution: means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home-health agencies, medical clinics, rehabilitation agencies, and public-health agencies or health-maintenance organizations. See Virginia Code 38.2-602
- Medical-record information: means personal information that:
1. See Virginia Code 38.2-602
- Mortgagee: The person to whom property is mortgaged and who has loaned the money.
- Nonaffiliated third party: means any person who is not an affiliate of an insurance institution but does not mean (i) an agent who is selling or servicing a product on behalf of the insurance institution or (ii) a person who is employed jointly by the insurance institution and the company that is not an affiliate. See Virginia Code 38.2-602
- Person: means any association, aggregate of individuals, business, company, corporation, individual, joint-stock company, Lloyds type of organization, organization, partnership, receiver, reciprocal or interinsurance exchange, trustee or society. See Virginia Code 38.2-100
- Personal information: includes an individual's name and address and medical-record information, but does not include (i) privileged information or (ii) any information that is publicly available. See Virginia Code 38.2-602
- Policyholder: means any person who:
1. See Virginia Code 38.2-602
- Privileged information: means any individually identifiable information that (i) relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and (ii) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. See Virginia Code 38.2-602
- Subpoena: A command to a witness to appear and give testimony.
- United States: includes the 50 states, the District of Columbia the Commonwealth of Puerto Rico, Guam, the Northern Mariana Islands and the United States Virgin Islands. See Virginia Code 1-255
1. If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirements of § 38.2-606; or
2. If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:
a. Dated,
b. Signed by the individual, and
c. Obtained two years or less prior to the date a disclosure is sought pursuant to this subdivision.
B. Notwithstanding the provisions of subsection A, an insurance institution, agent, or insurance-support organization may disclose personal or privileged information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:
1. To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary:
a. To enable that person to perform a business, professional or insurance function for the disclosing insurance institution, agent, or insurance-support organization and that person agrees not to disclose the information further without the individual’s written authorization unless the further disclosure:
(1) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
(2) Is reasonably necessary for that person to perform its function for the disclosing insurance institution, agent, or insurance-support organization; or
b. To enable that person to provide information to the disclosing insurance institution, agent, or insurance-support organization for the purpose of:
(1) Determining an individual’s eligibility for an insurance benefit or payment; or
(2) Detecting or preventing criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with an insurance transaction; or
2. To an insurance institution, agent, or insurance-support organization, or self-insurer, provided the information disclosed is limited to that which is reasonably necessary:
a. To detect or prevent criminal activity, fraud, material misrepresentation, or material nondisclosure in connection with insurance transactions; or
b. For either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual; or
3. To a medical-care institution or medical professional for the purpose of (i) verifying insurance coverage or benefits, (ii) informing an individual of a medical problem of which the individual may not be aware or (iii) conducting an operations or services audit, provided only that information is disclosed as is reasonably necessary to accomplish the foregoing purposes; or
4. To an insurance regulatory authority; or
5. To a law-enforcement or other government authority:
a. To protect the interests of the insurance institution, agent or insurance-support organization in preventing or prosecuting the perpetration of fraud upon it; or
b. If the insurance institution, agent, or insurance-support organization reasonably believes that illegal activities have been conducted by the individual; or
c. Upon written request of any law-enforcement agency, for all insured or claimant information in the possession of an insurance institution, agent, or insurance-support organization which relates an ongoing criminal investigation. Such insurance institution, agent, or insurance-support organization shall release such information, including, but not limited to, policy information, premium payment records, record of prior claims by the insured or by another claimant, and information collected in connection with an insurance company‘s investigation of an application or claim. Any information released to a law-enforcement agency pursuant to such request shall be treated as confidential criminal investigation information and not be disclosed further except as provided by law. Notwithstanding any provision in this article, no insurance institution, agent, or insurance-support organization shall notify any insured or claimant that information has been requested or supplied pursuant to this section prior to notification from the requesting law-enforcement agency that its criminal investigation is completed. Within ninety days following the completion of any such criminal investigation, the law-enforcement agency making such a request for information shall notify any insurance institution, agent, or insurance-support organization from whom information was requested that the criminal investigation has been completed; or
6. Otherwise permitted or required by law; or
7. In response to a facially valid administrative or judicial order, including a search warrant or subpoena; or
8. Made for the purpose of conducting actuarial or research studies, provided:
a. No individual may be identified in any actuarial or research report, and
b. Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed, and
c. The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
9. To a party or a representative of a party to a proposed or consummated sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance-support organization, provided:
a. Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or consolidation, and
b. The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or
10. To a nonaffiliated third party whose only use of such information will be in connection with the marketing of a nonfinancial product or service, provided:
a. No medical-record information, privileged information, or personal information relating to an individual’s character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from the information is disclosed,
b. The individual has been given an opportunity, in accordance with the provisions of subsection A of § 38.2-612.1, to indicate that he does not want financial information disclosed for marketing purposes and has given no indication that he does not want the information disclosed, and
c. The nonaffiliated third party receiving such information agrees not to use it except in connection with the marketing of the product or service; or
11. (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or (ii) from a consumer report reported by a consumer reporting agency; or
12. To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution’s or agent’s operations or services, provided the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit; or
13. To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care institution or medical professional; or
14. To a governmental authority for the purpose of determining the individual’s eligibility for health benefits for which the governmental authority may be liable; or
15. To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or
16. To a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, or to persons acting in a fiduciary or representative capacity on behalf of the individual, provided that:
a. No medical record information is disclosed unless the disclosure would be permitted by this section; and
b. The information disclosed is limited to that which is reasonably necessary to permit such person to protect his interest in the policy; or
17. Necessary to effect, administer, or enforce a transaction requested or authorized by the individual, or in connection with servicing or processing an insurance product or service requested or authorized by the individual, or necessary for reinsurance purposes, or for stop loss or excess loss agreements provided for in subsection B of § 38.2-109; or
18. Pursuant to any federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services.
C. An insurance institution, agent, or insurance-support organization may disclose information about an individual collected or received in connection with an insurance transaction, without written authorization, if the disclosure is:
1. To a nonaffiliated third party whose only use of such information will be to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution’s product or service or the marketing of products or services offered pursuant to a joint marketing agreement, provided:
a. No medical-record information or privileged information is disclosed without the individual’s written authorization unless such disclosure is otherwise permitted by subsection B,
b. With respect to financial information, the individual has been given the notice required by subsection B of § 38.2-604.1, and
c. The person receiving such financial information agrees, by contract, (i) not to use it except to perform services for or functions on behalf of the insurance institution in connection with the marketing of the insurance institution’s product or service or the marketing of products or services offered pursuant to a joint marketing agreement, or as permitted under subsection B and (ii) to maintain the confidentiality of such information and not disclose it to any other nonaffiliated third party unless such disclosure would otherwise be permitted by this section if made by the insurance institution, agent, or insurance-support organization;
2. To an affiliate, provided:
a. No medical-record information or privileged information is disclosed without the individual’s written authorization unless such disclosure is otherwise permitted by subsection B, and
b. The affiliate receiving the information does not disclose the information except as would otherwise be permitted by this section if such disclosure were made by the insurance institution, agent, or insurance-support organization.
D. 1. No person proposing to issue, re-issue, or renew any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance, issued by any (i) insurer providing hospital, medical and surgical or major medical coverage on an expense incurred basis, (ii) corporation providing a health services plan, or (iii) health maintenance organization providing a health care plan for health care services shall disclose any genetic information about an individual or a member of such individual’s family collected or received in connection with any insurance transaction unless the disclosure is made with the written authorization of the individual.
2. For the purpose of this subsection, “genetic information” means information about genes, gene products, or inherited characteristics that may derive from an individual or a family member.
3. Agents and insurance support organizations shall be subject to the provisions of this subsection to the extent of their participation in the issue, re-issue, or renewal of any policy, contract, or plan of accident and sickness insurance defined in § 38.2-109, but excluding disability income insurance.
E. Any notices, disclosures, or authorizations required by this section may be provided electronically if the individual agrees.
F. Any privileged information about an individual that is disclosed in violation of this section shall be available to that individual in accordance with the provisions of §§ 38.2-608 and 38.2-609.
G. Except in the case of disclosures made pursuant to subdivision B 10, the requirements of subsection A of § 38.2-612.1 shall not apply when information is disclosed pursuant to this section.
1981, c. 389, § 38.1-57.16; 1986, c. 562; 1987, c. 325; 1996, c. 704; 2001, c. 371; 2020, c. 264.