OAR 836-080-0670
Authorization Exemptions


(1)

A licensee or insurance-support organization may disclose personal or privileged information about an individual collected or received in connection with a health insurance transaction without obtaining the written authorization required by OAR 836-080-0665 (Authorization) if the disclosure meets one or more of the following conditions, in which a disclosure:

(a)

Is reasonably necessary to enable a person other than the licensee or insurance support organization to:

(A)

Perform a business, professional or insurance function for the disclosing licensee or insurance-support organization and the person agrees not to disclose the information further without the individual’s written authorization unless the further disclosure:
(i)
Would otherwise be permitted by this rule if made by a licensee or insurance-support organization; or
(ii)
Is reasonably necessary for the person to perform its function for the disclosing licensee or insurance-support organization.

(B)

Provide information to the disclosing licensee or insurance-support organization for the purpose of:
(i)
Determining an individual’s eligibility for a health insurance benefit or payment; or
(ii)
Detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with a health insurance transaction.

(b)

Is to a licensee, insurance-support organization or self-insurer, if the information disclosed is limited to that which is reasonably necessary:

(A)

To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction; or

(B)

For either the disclosing or receiving licensee or insurance-support organization to perform its function in connection with an insurance transaction involving the individual.

(c)

Is to a medical care institution or medical professional and discloses only such information as is reasonably necessary to accomplish one or more of the following purposes:

(A)

Verifying insurance coverage or benefits.

(B)

Informing an individual of a medical problem of the individual, of which the individual may not be aware.

(C)

Conducting an operations or services audit.

(d)

Is required or authorized for compliance with federal, state or local laws, rules or other applicable legal requirements.

(e)

Is required for compliance with a properly authorized civil, criminal or regulatory investigation or a subpoena or summons by a federal, state or local authority.

(f)

Is required for response to judicial process or a government regulatory authority having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.

(g)

Is required for protection of the confidentiality or security of a licensee’s records pertaining to the individual, service, product or transaction.

(h)

Is required for institutional risk control or for resolving disputes or inquiries relating to the individual.

(i)

Is to a person holding a legal or beneficial interest relating to the individual.

(j)

Is to a person acting in a fiduciary or representative capacity on behalf of the individual.

(k)

Is to provide information to an insurance rate advisory organization, a guaranty fund or agency, an agency that is rating a licensee, a person that is assessing the licensee’s compliance with industry standards, or the licensee’s attorneys, accountants and auditors.

(l)

Is allowed or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.) to law enforcement agencies, but only to the extent that disclosure is specifically allowed or required, including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. (Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and transactions) and 12 U.S.C. Chapter 21 (Financial record-keeping), a state insurance authority, and the federal Trade Commission), a self-regulatory organization or for an investigation on a matter related to public safety, or is otherwise specifically permitted or required by law.

(m)

Meets any of the following conditions:

(A)

It is necessary to effect, administer or enforce a transaction that an individual requests or authorizes, in that the disclosure is required or is a usual, appropriate or acceptable method of handling the transaction. The condition in this subparagraph has the meaning given in section 509 of the federal Gramm-Leach-Bliley Act (P.L. 106-102).

(B)

It is in connection with treatment, payment or health care operations.

(C)

It is in connection with servicing or processing an insurance product or service that an individual requests or authorizes.

(D)

It is in connection with maintaining or servicing an individual’s account with the licensee, a proposed or actual securitization, secondary market sale or similar transaction related a transaction of the individual.

(n)

Is made for the purpose of conducting actuarial or research studies, if:

(A)

No individual may be identified in any resulting actuarial or research report;

(B)

Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed; and

(C)

The actuarial or research organization agrees not to disclose the information unless the disclosure would otherwise be permitted by this section if made by a licensee or insurance-support organization.

(o)

Is to a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the licensee or insurance-support organization.

(p)

Is to an affiliate whose only use of the information will be in connection with an audit of the licensee.

(q)

Is to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or from a consumer report prepared by a consumer reporting agency.

(r)

Is to a group policyholder for the purpose of reporting claims experience or conducting an audit of the licensee’s operations or services, and the information disclosed is reasonably necessary for the group policyholder to conduct the review or audit.

(s)

Is to a licensee for purposes related to replacement of a group benefit plan, a group health plan or a group welfare plan.

(t)

Is to a professional peer review organization for the purpose of reviewing the service or conduct of a medical care institution or medical professional.

(u)

Is to a governmental authority for the purpose of determining the individual’s eligibility for health benefits for which the governmental authority may be liable.
(v)
Is to a policyholder or certificate holder, or an agent or other representative thereof, for the purpose of providing information regarding the status of a health insurance transaction.

(2)

A licensee may disclose personal or privileged information to an affiliate in connection with the marketing of a financial product or service if the affiliate agrees not to disclose the information for any other purpose or to an unaffiliated persons except as authorized in section (1) of this rule. If a disclosure under this section is made for marketing a product or service other than the product or service of the disclosing licensee, individually identifiable health information may not be disclosed without the authorization required by OAR 836-080-0665 (Authorization).

(3)

A licensee may disclose personal or privileged information to a nonaffiliated third party whose only use of the information will be pursuant to a joint marketing agreement for marketing of a product or service. As used in this subsection, “joint marketing agreement” means a formal written contract pursuant to which an insurer jointly offers, endorses or sponsors a financial product or service with a financial institution. Information that may be disclosed under this subsection does not include individually identifiable health information, privileged information or personal information relating to an individual’s character, personal habits, mode of living or general reputation, or any classification derived from such information, except as authorized in section (1) of this rule.

(4)

A licensee or insurance support organization shall not disclose an access number or access code for an individual’s policy or transaction account, whether directly or through an affiliate, to any nonaffiliate for use in telemarketing, direct mail marketing or other marketing through electronic mail to an individual, other than to a consumer reporting agency. This section does not apply if a licensee or insurance support organization discloses an access number or access code:

(a)

To its service provider solely in order to perform marketing for its own products or services, as long as the service provider is not authorized to directly initiate charges to the account;

(b)

To an insurance producer solely in order to perform marketing for its own products or services; or

(c)

To a participant in an affinity or similar program where the participants in the program are identified to the individual when the individual enters into the program. An access number or access code does not include a number or code in an encrypted form, as long as the licensee or insurance support organization does not provide the recipient with a means to decode the number or code. For purposes of this subsection, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.

(5)

Personal or privileged information may be acquired by a group practice prepayment health care service contractor from providers that contract with the health care service contractor and may be transferred among providers that contract with the health care service contractor for the purpose of administering plans offered by the health care service contractor. The information may not be disclosed otherwise by the health care service contractor except in accordance with OAR 836-080-0670 (Authorization Exemptions) or 836-080-0675 (Disclosure Without Authorization).

(6)

This rule does not authorize the disclosure of personal or privileged information that is also individually identifiable health information when disclosure of the individually identifiable health information is prohibited or is otherwise regulated under the federal Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191).

Source: Rule 836-080-0670 — Authorization Exemptions, https://secure.­sos.­state.­or.­us/oard/view.­action?ruleNumber=836-080-0670.

836‑080‑0001
Statutory Authority
836‑080‑0005
Definitions
836‑080‑0014
Duties of Agent
836‑080‑0022
Duties of Insurers that Use Agents Insurance Producers
836‑080‑0029
Duties of Replacing Insurers that Use Agents
836‑080‑0034
Duties of the Existing Insurer
836‑080‑0039
Duties of Insurers with Respect to Direct Response Solicitations
836‑080‑0043
Violations and Penalties
836‑080‑0050
Authority
836‑080‑0055
Unfair Discrimination Identified
836‑080‑0080
Definition, Claims Handling Services
836‑080‑0085
Annual Report
836‑080‑0090
Suitability in the Sale of Life Insurance
836‑080‑0105
Statutory Authority
836‑080‑0110
Applicability
836‑080‑0115
Definitions
836‑080‑0120
Statement as to Participation Required Upon Request Before Delivery of Policy
836‑080‑0125
Prohibited Representations Regarding Participation Rights
836‑080‑0130
Dividend Statement Permitted
836‑080‑0135
Dividend Rights Accrue Upon Declaration of Dividends
836‑080‑0140
Unfair Discrimination in Allocation of Dividends Prohibited
836‑080‑0145
Unfair Forfeiture of Dividend for Failure to Renew Prohibited
836‑080‑0150
Policyholder Dividend Rights of Group Members and Dividend Group Policyholders
836‑080‑0155
False or Deceptive Publications by Insurer Prohibited
836‑080‑0160
Use of Special Certifications and Professional Designations by Insurance Producers
836‑080‑0165
Notice of Insurance Division Assistance
836‑080‑0170
Statutory Authority
836‑080‑0172
Applicability
836‑080‑0175
Exemptions
836‑080‑0178
Definitions
836‑080‑0180
Duties of Insurers and of Insurance Producers
836‑080‑0183
Insurance Producer Training
836‑080‑0185
Compliance Mitigation
836‑080‑0188
Recordkeeping
836‑080‑0190
Annuity Sales
836‑080‑0193
Effective Date and Operative Date
836‑080‑0200
Electronic Payment of Claims
836‑080‑0205
Statutory Authority, Purpose, and Applicability
836‑080‑0210
Definitions
836‑080‑0215
Claim Files
836‑080‑0220
Misrepresentation and Other Prohibited Claim Practices
836‑080‑0225
Required Claim Communication Practices
836‑080‑0230
Standard for Prompt Claim Investigation
836‑080‑0235
Standards for Prompt and Fair Settlements — Generally
836‑080‑0240
Standards for Prompt and Fair Total Loss Settlements — Automobile Insurance
836‑080‑0250
Workers’ Compensation Insurance Unfair Claim Settlement Practices Standards
836‑080‑0305
Statutory Authority
836‑080‑0310
Definitions
836‑080‑0315
Providing Things of Value to Intermediaries Generally Prohibited
836‑080‑0320
Miscellaneous Things of Value
836‑080‑0325
Business Development Activities
836‑080‑0335
Gifts
836‑080‑0337
Real Property Information
836‑080‑0340
Assistance in Qualifying a Subdivision
836‑080‑0345
Automatic Change in Monetary Limits
836‑080‑0355
Title Insurer Responsible for Violations by Agent
836‑080‑0360
Use by Title Company of an Intermediary’s Office
836‑080‑0365
Filing Escrow Rates Required
836‑080‑0370
Instruction of Title Company Employees About Rules Required
836‑080‑0425
Applicability
836‑080‑0430
Disclosure of Use of Credit History or Insurance Scores
836‑080‑0435
Policies Governing Credit Histories and Insurance Scores
836‑080‑0436
Absence of or Inability to Determine Credit History
836‑080‑0438
Definition of Adverse Underwriting Decision
836‑080‑0440
Unfair Insurance Trade Practice
836‑080‑0501
Authority
836‑080‑0506
Definitions and Examples
836‑080‑0511
Application of Notice Requirements
836‑080‑0516
Initial Notice to Consumers
836‑080‑0519
Information to be Included in Initial Privacy Notice
836‑080‑0523
Annual Notice
836‑080‑0526
Information to be Included in Annual Notice
836‑080‑0531
Revised Privacy Notices
836‑080‑0536
Delivery
836‑080‑0541
Opt in Notice
836‑080‑0546
Limits on Sharing Account Number Information for Marketing Purposes
836‑080‑0551
Authorization Request Delivery
836‑080‑0600
Authority
836‑080‑0610
Definitions and Examples
836‑080‑0615
Personal Information Notice
836‑080‑0620
Notice of Personal Financial Information Practices
836‑080‑0625
Alternative Procedures
836‑080‑0630
Application of Notice Requirements
836‑080‑0635
Initial Notice to Consumers
836‑080‑0640
Information to Be Included in Initial Privacy Notice
836‑080‑0645
Annual Notice
836‑080‑0650
Information to Be Included in Annual Notice
836‑080‑0655
Revised Privacy Notices
836‑080‑0660
Delivery
836‑080‑0665
Authorization
836‑080‑0670
Authorization Exemptions
836‑080‑0675
Disclosure Without Authorization
836‑080‑0680
Opt in Notice
836‑080‑0685
Limits on Sharing Account Number Information for Marketing Purposes
836‑080‑0690
Authorization Request Delivery
836‑080‑0695
Access to Recorded Personal Information
836‑080‑0700
Correction, Amendment or Deletion of Recorded Personal Information
836‑080‑0750
Purpose
836‑080‑0755
Application of OAR 836-080-0750 to 836-080-0775
836‑080‑0760
Definitions for OAR 836-080-0750 to 836-080-0775
836‑080‑0765
Practices Declared False, Misleading, Deceptive or Unfair on a Military Installation
836‑080‑0770
Practices Declared False, Misleading, Deceptive or Unfair, Regardless of Location
836‑080‑0775
Severability
836‑080‑0800
Definitions
836‑080‑0805
Statutory Authority, Purpose, and Applicability
836‑080‑0810
Provision of Commercial Loss Runs
Last Updated

Jun. 8, 2021

Rule 836-080-0670’s source at or​.us