Connecticut and Nevada TPA Requirements
New Connecticut Insurance Department Bulletin on Data Security Requirements
Connecticut Bulletin MC-23. The Connecticut Insurance Department issued Bulletin MC-23 on June 13, 2017. The Bulletin addresses certification and notice requirements for data security requirements applicable to TPAs and PBMs (among other entities) per Conn. Gen. Stat. § 38a-999b.
The Bulletin reminds the recipients about the requirement to implement a comprehensive information security program ("ISP") by October 1, 2017, in order to safeguard the personal information of insureds and enrollees. The Bulletin also reminds TPAs and PBMs that, beginning October 1, 2017, they must begin annually certifying to the Connecticut Insurance Department, under penalty of perjury, that they maintain an ISP in compliance with 38a-999b.
The Bulletin states that the certification shall be in the form as shown in the attachment to the Bulletin and signed by an officer of the certifying TPA or PBM. Note that pursuant to 38a-999b(d), the Connecticut Insurance Commissioner or Connecticut Attorney General may request a copy of such program to determine compliance. If either one determines the ISP is noncompliant, the ISP Entity must amend it to bring it into compliance to the Commissioner's or Attorney General's satisfaction.
Failure to Timely File Written Agreements in Nevada
NAC 683A.125(s) requires TPAs to provide to the Nevada Insurance Commissioner a copy of each written agreement that the administrator enters into with an insurer or other entity within 90 days after the TPA enters into the agreement.
Recently, the Nevada Insurance Division has entered into a number of Administrative Fine and Consent to Fine settlement agreements involving the failure of these TPAs to provide the Division with a copy of each agreement that the TPA entered into with an insurer or other entity within 90 days of entering into the agreement in violation of NAC 683A.125(2).
Pursuant to NRS 683A.0892(1)(e), the Nevada Insurance Commissioner may, in addition to or in lieu of the suspension or revocation of the certificate of registration of the administrator, impose a fine of $2,000 for each act or violation.
TPAs not wishing to enter into a Consent to Fine with the Division for failing to timely submit their written agreements with the Division may submit a written application requesting a hearing to the Division's Legal Department.