The Push for Privacy.
As a result of the ease and speed with which personal information now may be disclosed via electronic means, privacy issues have been and will continue to be the focus of substantial legislative and regulatory action. The insurance industry is a particular target for regulation because of the sensitivity of personal health and other information insurers obtain from their customers. For insurers, compliance with privacy mandates will become a critical business issue.
Title V of the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 contains comprehensive federal privacy protections for consumers, and it impacts all financial institutions, including insurance companies. Insurers must substantially comply with the new requirements by July.
The act's privacy provisions establish new requirements applicable to "nonpublic personal information." The federal agencies implementing Gramm-Leach-Bliley believe that any information obtained by a financial institution in connection with providing a financial product or service is protected, even if the information is not typically considered to be financial in nature.
The act applies to all financial institutions. This term is broadly defined to include any company that is significantly engaged in financial activities, including "insuring, guaranteeing or indemnifying against loss, harm, damage, illness, disability or death, or providing or issuing annuities and acting as principal, agent or broker" for those activities. The act's privacy protections generally apply to "consumers," meaning individuals who obtain from a financial institution financial products or services to be used primarily for personal, family or household purposes.
To comply with Gramm-Leach-Bliley, financial institutions must do the following:
* provide clear and conspicuous notice of the financial institution's information-sharing policies to customers when the customer relationship is established and annually thereafter;
* clearly provide consumers the right to opt out of having their personal information shared with nonaffiliated third parties;
* refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer-reporting agency, an account number or similar form of access code to a consumer's credit card or deposit or transaction account; and
* abide by regulatory standards to protect the security and confidentiality of customer records and information.
These provisions do not pre-empt more stringent state law privacy protections. With respect to insurers, Gramm-Leach-Bliley mandates enforcement by the insurance authority of the state in which the insurer is domiciled. If a state fails to adopt regulations to enforce Gramm-Leach-Bliley, it will lose its authority to override certain federal insurance consumer protections.
The Role of the State
Congress instructed state insurance departments to provide privacy safeguards, equivalent to those in Gramm-Leach-Bliley, for individuals in their dealings with the insurance industry. State authorities have responded principally by adopting significant portions of one of several model enactments, particularly the National Association of Insurance Commissioners' Privacy of Consumer Financial and Health Information Regulation and the Financial Information Privacy Protection Model Act, adopted by the National Conference of Insurance Legislators. Both generally track Gramm-Leach-Bliley, but they contain one significant variation: They distinguish "financial" information from "health" information.
Under the NAIC regulation, for example, a "licensee" (an insurer, producer or another party who is or should be licensed pursuant to state insurance laws) may disclose nonpublic personal financial information to nonaffiliated third parties only if the consumer does not opt out. A licensee is prohibited from disclosing nonpublic personal health information without specific authorization (i.e., an "opt-in") from the customer or consumer whose information is sought to be disclosed. The exceptions to disclosure are so broad, however, that they effectively allow nearly unlimited operational use of covered health information, except for certain marketing issues.
In 1982, the NAIC issued the Insurance Information and Privacy Model Act to establish standards for the collection, use and disclosure of information gathered in connection with insurance transactions. Unlike the NAIC regulation, the 1982 act does not track the specific language of Gramm-Leach-Bliley's privacy provisions. It is, in some respects, more stringent. For example, Gramm-Leach-Bliley addresses only the disclosure of information, not its collection or use. In addition, the 1982 act adopts an opt-in regime for "personal information," which includes both financial and health information. Unlike the NAIC regulation, the 1982 act allows individuals to access and amend their personal information that is in the possession of an insurer. So far, 17 states have adopted the 1982 act. Those states may choose to rely on it, whether it is sufficient or not, to satisfy Gramm-Leach-Bliley's privacy mandate.
The U.S. Department of Health and Human Services recently issued its final rule implementing the privacy requirements of the Health Insurance Portability and Accountability Act of 1996. Covered entities generally must comply with the rule by April 14, 2003. Small health plans have an extra year to comply.
The rule applies to health plans (including "health insurance issuers," such as insurance companies and insurance services), health-care clearinghouses and health-care providers that transmit health information in electronic form. The rule generally covers uses and disclosures of "protected health information," defined as certain types of "individually identifiable health information." It requires health plans to provide individuals with written notice informing them of how protected information will be used and disclosed, as well as with a right of access to inspect, copy and amend protected health information maintained in designated record sets. It establishes restrictions on requests for, and use and disclosure of, protected health information--in most cases, to the minimum necessary to serve the purpose of the use, disclosure or request. It distinguishes between "consent" and "authorization." Generally, providers must get consent from patients for routine disclosures of medical information and special patient authorization for nonroutine disclosures.
The rule also requires that covered entities enter contracts that extend privacy requirements to business associates of the covered entity. Covered entities generally are required to bind their business associates to comply with the rule and safeguard the information from unauthorized use or disclosure.
With respect to HIPAA's relationship with other state and federal requirements, the rule does not supersede laws that provide greater protection to the privacy of health information. The rule, in effect, creates a floor with respect to such regulation. As to the interaction of the HIPAA rule and Gramm-Leach-Bliley, the preamble to the rule indicates that in states that adopt laws or regulations in response to Gramm-Leach-Bliley, health plans will need to evaluate these state laws under HIPAA's pre-emption analysis.
To comply with the HIPAA rule, covered entities will need to modify their current practices in a number of ways. These include designating a privacy officer who will be responsible for the development and implementation of the covered entity's privacy policies and procedures; revising consent and authorization forms; developing procedures for storing information to enable data tracking and access; entering into carefully drafted contracts with business associates; and training employees as to the rule's requirements. Covered entities also will need to provide a process for individuals to make complaints concerning the covered entity's privacy procedures and its compliance with such procedures.
In addition to U.S. requirements, each company should consider whether it needs to comply with the European Union's Directive on the protection of personal data. The EU Directive provides a framework for European data-protection law, and it is intended to set a floor for the protection of personal information among the 15 EU member states. The directive covers a broad range of activity, specifically the "processing" of "personal data." Subject to limited exceptions, data may not be processed without the specific consent of the data subject. If, for example, a company insures residents of an EU member state, transfers information to Europe for purposes of processing personal data, or receives information from a European affiliate, the company will need to determine how its practices are affected by the EU Directive and the related safe harbor principles of the U.S. Department of Commerce.
To comply with the looming deadlines imposed by Gramm-Leach-Bliley and the HIPAA rule, each insurance provider should consider implementing a multifaceted compliance program that contains both legal and business components. This compliance program should begin with a survey to determine which state's laws apply. Simultaneously, the company needs to conduct an assessment of its uses of personal information and prepare the necessary notices to its consumers and customers. Each company also will need to devise a method by which to track opt-outs so opt-out information is not illegally disclosed, and implement a system to respond to changes in its information-sharing practices. For Gramm-Leach-Bliley compliance, each company should ensure that, prior to the July 1 deadline, it provides consumers with a reasonable opportunity to opt out. Insurance providers should focus on developing sensible privacy policies that comply with applicable law and maintain customer and business-partner confidence, revenue and flexibility.
Lisa J. Sotto is the privacy regulatory practice leader and a partner with the international law firm of Hunton & Williams, New York.
Author: Sotto, Lisa J.
Date: Jun 1, 2001