The Push for Privacy.With the first compliance deadline set for July 1, privacy laws as well as regulations that are already in effect will have significant impact on the insurance industry. As a result of the ease and speed with which personal information now may be disclosed via electronic means, privacy issues have been and will continue to be the focus of substantial legislative and regulatory action. The insurance industry is a particular target for regulation because of the sensitivity of personal health and other information insurers obtain from their customers. For insurers, compliance with privacy mandates will become a critical business issue. Gramm-Leach-Bliley Title V of the Gramm-Leach-Bliley Financial Services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. Modernization modernization Transformation of a society from a rural and agrarian condition to a secular, urban, and industrial one. It is closely linked with industrialization. As societies modernize, the individual becomes increasingly important, gradually replacing the family, Act of 1999 contains comprehensive federal privacy protections for consumers, and it impacts all financial institutions, including insurance companies. Insurers must substantially comply with the new requirements by July. The act's privacy provisions establish new requirements applicable to "nonpublic personal information." The federal agencies implementing Gramm- Leach-Bliley believe that any information obtained by a financial institution in connection with providing a financial product or service is protected, even if the information is not typically considered to be financial in nature. The act applies to all financial institutions. This term is broadly defined to include any company that is significantly engaged in financial activities, including "insuring, guaranteeing or indemnifying against loss, harm, damage, illness, disability or death, or providing or issuing annuities and acting as principal, agent or broker" for those activities. The act's privacy protections generally apply to "consumers," meaning individuals who obtain from a financial institution financial products or services to be used primarily for personal, family or household purposes. To comply with Gramm-Leach Bliley, financial institutions must do the following: * provide clear and conspicuous con·spic·u·ous adj. 1. Easy to notice; obvious. 2. Attracting attention, as by being unusual or remarkable; noticeable. See Synonyms at noticeable. notice of the financial institution's information-sharing policies to customers when the customer relationship is established and annually thereafter; * clearly provide consumers the right to opt out of having their person al information shared with nonaffiliated third parties; * refrain from disclosing to any non affiliated third-party marketer, other than a consumer-reporting agency, an account number or similar form of access code to a consumer's credit card or deposit or transaction account; and * abide by regulatory standards to protect the security and confidentiality of customer records and information. These provisions do not pre-empt pre·empt or pre-empt v. pre·empt·ed, pre·empt·ing, pre·empts v.tr. 1. To appropriate, seize, or take for oneself before others. See Synonyms at appropriate. 2. a. more stringent state law privacy protections. With respect to insurers, Gramm-Leach-Bliley mandates enforcement by the insurance authority of the state in which the insurer An individual or company who, through a contractual agreement, undertakes to compensate specified losses, liability, or damages incurred by another individual. An insurer is frequently an insurance company and is also known as an underwriter. is domiciled dom·i·cile n. 1. A residence; a home. 2. One's legal residence. v. dom·i·ciled, dom·i·cil·ing, dom·i·ciles v.tr. 1. . If a state fails to adopt regulations to enforce Gramm-Leach-Bliley, it will lose its authority to override An arrangement whereby commissions are made by sales managers based upon the sales made by their subordinate sales representatives. A term found in an agreement between a real estate agent and a property owner whereby the agent keeps the right to receive a commission for the sale of certain federal insurance consumer protections. The Role of the State Congress instructed state insur ance departments to provide privacy safeguards, equivalent to those in Gramm-Leach-Bliley, for individuals in their dealings with the insurance industry. State authorities have responded principally by adopting significant portions of one of several model enactments, particularly the National Association of Insurance Commissioners' Privacy of Consumer Financial and Health Information Regulation and the Financial Information Privacy Protection Model Act, adopted by the National Conference of Insurance Legislators. Both generally track Gramm-Leach-Bliley, but they contain one significant variation: They distinguish "financial" information from "health" information. Under the NAIC NAIC See National Association of Investors Corporation (NAIC). regulation, for example, a "licensee licensee n. a person given a license by government or under private agreement. (See: license, licensor) LICENSEE. One to whom a license has been given. 1 M. Q. & S. 699 n. " (an insurer, producer or another party who is or should be licensed pursuant to state insurance laws) may disclose non-public personal financial information to nonaffiliated third parties, only if the consumer does not opt out. A licensee is prohibited pro·hib·it tr.v. pro·hib·it·ed, pro·hib·it·ing, pro·hib·its 1. To forbid by authority: Smoking is prohibited in most theaters. See Synonyms at forbid. 2. from disclosing nonpublic personal health information without specific authorization The right or permission to use a system resource; the process of granting access. See access control. (i.e., an "opt-in") from the customer or consumer whose information is sought to be disclosed. The exceptions to disclosure are so broad, how ever, that they effectively allow nearly unlimited operational use of covered health information, except for certain marketing issues. In 1982, the NAIC issued the Insurance Information and Privacy Model Act to establish standards for the collection, use and disclosure of information gathered in connection with insurance transactions. Unlike the NAIC regulation, the 1982 act does not track the specific language of Gramm-Leach-Bliley's privacy provisions. It is, in some respects, more stringent. For example, Gramm-Leach-Bliley addresses only the disclosure of information, not its collection or use. In addition, the 1982 act adopts an opt-in regime for "personal information," which includes both financial and health information. Unlike the NAIC regulation, the 1982 act allows individuals to access and amend their personal information that is in the possession of an insurer. So far, 17 states have adopted the 1982 act. Those states may choose to rely on it, whether it is sufficient or not, to satisfy Gramm-Leach-Bliley's privacy mandate. HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, Regulations The U.S. Department of Health and Human Services Noun 1. Department of Health and Human Services - the United States federal department that administers all federal programs dealing with health and welfare; created in 1979 Health and Human Services, HHS recently issued its final rule implementing the privacy requirements of the Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when of 1996. Covered entities generally must comply with the rule by April 14, 2003. Small health plans have an extra year to comply. The rule applies to health plans (including "health insurance issuers," such as insurance companies and insurance services), health-care clearinghouses and health-care providers that transmit health information in electronic form. The rule generally covers uses and disclosures of "protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the ," defined as certain types of" individually identifiable health information." It requires health plans to provide individuals with written notice informing them of how protected information will be used and disclosed, as well as with a right of access to inspect, copy and amend protected health information maintained in designated record sets. It establishes restrictions on requests for, and use and disclosure of, protected health information--in most cases, to the minimum necessary to serve the purpose of the use, disclosure or request. It distinguishes between "con sent" and "authorization." Generally, providers must get consent from patients for routine disclosures of medical information and special patient authorization for nonroutine disclosures. The rule also requires that covered entities enter contracts that extend privacy requirements to business associates of the covered entity. Covered entities generally are required to bind their business associates to comply with the rule and safeguard the information from unauthorized use or disclosure. With respect to HIPAA's relation ship with other state and federal requirements, the rule does not supersede To obliterate, replace, make void, or useless. Supersede means to take the place of, as by reason of superior worth or right. A recently enacted statute that repeals an older law is said to supersede the prior legislation. laws that provide greater protection to the privacy of health information. The rule, in effect, creates a floor with respect to such regulation. As to the interaction of the HIPAA rule and Gramm-Leach-Bliley, the preamble A clause at the beginning of a constitution or statute explaining the reasons for its enactment and the objectives it seeks to attain. Generally a preamble is a declaration by the legislature of the reasons for the passage of the statute, and it aids in the interpretation of to the rule indicates that in states that adopt laws or regulations in response to Gramm-Leach-Bliley, health plans will need to evaluate these state laws under HIPAA's pre-emption PRE-EMPTION, intern. law. The right of preemption is the right of a nation to detain the merchandise of strangers passing through her territories or seas, in order to afford to her subjects the preference of purchase. 1 Chit. Com. Law, 103; 1 Bl. Com. 287. 2. analysis. To comply with the HIPAA rule, covered entities will need to modify their current practices in a number of ways. These include designating a privacy officer who will be responsible for the development and implementation of the covered entity's privacy policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental ; revising consent and authorization forms; developing procedures for storing information to enable data tracking and access; entering into carefully drafted contracts with business associates; and training employees as to the rule's requirements. Covered entities also will need to provide a process for individuals to make complaints concerning the covered entity's privacy procedures and its compliance with such procedures. EU Directive (European Union Directive) A set of privacy requirements that took effect in 1998 and ordered European member nations to enact compliant legislation. It deals with the establishment of Data Protection Authorities, people's rights to personal information and enforcement. In addition to U.S. requirements, each company should consider whether it needs to comply with the European Union's Directive on the protection of personal data. The EU Directive provides a framework for European data-protection law, and it is intended to set a floor for the protection of person al information among the 15 EU member states. The directive covers a broad range of activity, specifically the "processing" of "personal data." Subject to limited exceptions, data may not be processed without the specific consent of the data subject. If, for example, a company insures residents of an EU member state, transfers information to Europe for purposes of processing personal data, or receives information from a European affiliate, the company will need to determine how its practices are affected by the EU Directive and the related safe harbor principles The US Safe Harbor Arrangement is a streamlined process for US companies to comply with EU Directive 95/46/EC on the protection of personal data, developed by the US Department of Commerce in consultation with EU. of the U.S. Department of Commerce. To comply with the looming looming: see mirage. deadlines imposed by Gramm-Leach-Bliley and the HIPAA rule, each insurance provider should consider implementing a multifaceted mul·ti·fac·et·ed adj. Having many facets or aspects. See Synonyms at versatile. Adj. 1. multifaceted - having many aspects; "a many-sided subject"; "a multifaceted undertaking"; "multifarious interests"; "the multifarious compliance program that contains both legal and business components. This compliance program should begin with a survey to determine which state's laws apply. Simultaneously, the company needs to conduct an assessment of its uses of personal information and prepare the necessary notices to its consumers and customers. Each company also will need to devise a method by which to track opt-outs so opt-out information is not illegally disclosed, and implement a system to respond to changes in its information-sharing practices. For Gramm-Leach-Bliley compliance, each company should ensure that, prior to the July 1 deadline, it provides consumers with a reasonable opportunity to opt out. Insurance providers should focus on developing sensible privacy policies that comply with applicable law and maintain customer and business-partner confidence, revenue and flexibility. Lisa J. Sotto is the privacy regulatory practice leader and a partner with the international law firm of Hunton & Williams, New York New York, state, United States New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of . |
|
||||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion