Written policies, standards and procedures re medical record information - Conn. Gen. Stat. § 38a-999

Insurance institutions, agents, and insurance support organizations (“Insurers”) must implement policies, standards and procedures for managing, transferring, and securing medical record information. These policies, standards and procedures must: (1) limit medical record access to persons that need medical record information to fulfill their duties; (2) identify the “job titles of persons that are authorized to use or disclose medical record information;” (3) provide “appropriate training” to employees that necessitate access to medical record information; (4) establish “disciplinary measures” for persons that violate the policies, standards, and procedures; (5) contain “procedures for authorizing and restricting the collection, use, or disclosure of medical record information;” (6) establish “methods for handling, disclosing, storing, and disposing of medical record information;” (7) require “periodic monitoring” of compliance with the policies, standards, and procedures; and (8) establish “additional protection against unauthorized disclosure of sensitive health information” (e.g. STD status, HIV status, the occurrence and results of genetic testing, etc.).

Insurers must allow the Insurance Commissioner an opportunity to review their policies, standards, and procedures and must make such items available to enrollees.