August 2017
New Connecticut Insurance Department Bulletin on Data Security Requirements

Connecticut Bulletin MC-23. The Connecticut Insurance Department issued Bulletin MC-23 on June 13, 2017. The Bulletin addresses certification and notice requirements for data security requirements applicable to TPAs and PBMs (among other entities) per Conn. Gen. Stat. § 38a-999b.

The Bulletin reminds the recipients about the requirement to implement a comprehensive information security program ("ISP") by October 1, 2017, in order to safeguard the personal information of insureds and enrollees. The Bulletin also reminds TPAs and PBMs that, beginning October 1, 2017, they must begin annually certifying to the Connecticut Insurance Department, under penalty of perjury, that they maintain an ISP in compliance with 38a-999b.

The Bulletin states that the certification shall be in the form as shown in the attachment to the Bulletin and signed by an officer of the certifying TPA or PBM. Note that pursuant to 38a-999b(d), the Connecticut Insurance Commissioner or Connecticut Attorney General may request a copy of such program to determine compliance. If either one determines the ISP is noncompliant, the ISP Entity must amend it to bring it into compliance to the Commissioner's or Attorney General's satisfaction.

To view the full alert, click here.

To learn more about Polsinelli's TPA Licensing and Compliance Services practice, click here.