Subtitle 16 MISCELLANEOUS
31.16.08 Privacy of Consumer Financial and Health Information
Authority: Insurance
Article, §2-109(d),
Annotated Code of Maryland
Regulations .01 — .24
under a new chapter, COMAR 31.16.08 Privacy of Consumer Financial and Health
Information.
Statement
of Purpose
The purpose of this
action is to implement Insurance Article, §2-109(d), Annotated Code of
Maryland, which requires the Insurance Commissioner to adopt regulations that
establish standards governing the privacy of consumer financial and health
information pursuant to Title V of the federal Financial Services Modernization
Act of 1999 (Gramm-Leach-Bliley) and that are consistent with the provisions of
the model regulation adopted by the National Association of Insurance
Commissioners entitled "Privacy of Consumer Financial and Health
Information Regulation".
Comparison
to Federal Standards
In compliance with
Executive Order 01.01.1996.03, this proposed regulation is more restrictive or
stringent than corresponding federal standards as follows:
(1) Regulation
citation and manner in which it is more restrictive than the applicable federal
standard:
In addition to
establishing privacy standards for nonpublic personal financial information that
generally are consistent with federal standards, the regulations also establish
privacy standards for nonpublic personal health information. Regulation .17
prohibits a licensee from disclosing nonpublic personal health information about
a consumer or customer unless the licensee obtains an authorization from the
consumer or customer.
Pursuant to Section
507, Relation to State Laws of the Federal Financial Services Modernization Act
of 1999, otherwise known as Gramm-Leach-Bliley, a State statute, regulation,
order, or interpretation is not inconsistent with the provisions of
Gramm-Leach-Bliley if the protections the statute, regulation, order, or
interpretation affords any person is greater than the protections provided under
Gramm-Leach-Bliley.
As required by
Chapter 469, Acts of 2001, the regulations are consistent with the NAIC Privacy
Model Act of 2000. The NAIC Privacy Model Act of 2000 establishes privacy
standards for nonpublic personal financial information and nonpublic personal
health information.
(2) Benefit
to the public health, safety or welfare, or the environment:
The regulations give
consumers and customers the right to protect the privacy of their sensitive
health information and prevent a licensee from disclosing the information to an
affiliate or nonaffiliated third party. These additional protections are needed
in the case of licensees because licensees collect greater amounts of nonpublic
personal health information than other types of financial service providers that
are regulated under the federal law.
(3) Analysis
of additional burden or cost on the regulated person:
The privacy standard
for nonpublic personal health information will impose a minimal additional
burden on licensees. A licensee will be required to obtain an authorization from
a consumer or customer before the licensee can disclose nonpublic personal
health information about the customer or consumer to an affiliate or a
nonaffiliated third party. There are numerous exceptions, however, that allow a
licensee to disclose nonpublic personal health information without an
authorization for the purpose of performing insurance functions such as claims
administration, underwriting, rate making, utilization review, and grievance
procedures.
(4) Justification
for the need for more restrictive standards:
State law requires
the adoption of a more restrictive standard. The additional privacy standards
for nonpublic health information are needed due to the private and sensitive
nature of health information and the fact that licensees collect greater amounts
of nonpublic personal health information than other types of financial service
providers that are regulated under the federal law. Consumers and customers
should have the right to prevent disclosure of this information.
.01 Scope.
A. This
chapter applies to all licensees of the Maryland Insurance Administration who
possess nonpublic personal financial information or nonpublic personal health
information about consumers.
B. This
chapter does not apply to information about persons who obtain products or
services for business, commercial, or agricultural purposes.
.02 Purpose.
This
chapter:
A. Requires
a licensee to provide notice to individuals about its privacy policies and
practices;
B. Describes
the conditions under which a licensee may disclose nonpublic personal health
information and nonpublic personal financial information about individuals to
affiliates and nonaffiliated third parties; and
C. Provides
methods for individuals to prevent a licensee from disclosing nonpublic personal
financial information and nonpublic personal health information.
.03 Definitions.
A. In
this chapter, the following terms have the meanings indicated.
B. Terms
Defined.
(1) "Affiliate"
means a company that controls, is controlled by, or is under common control with
another company.
(2) "Clear
and conspicuous notice" means a notice that is:
(a) Reasonably
understandable; and
(b) Designed
to call attention to the nature and significance of the information in the
notice.
(3) "Collect"
means to obtain information that the licensee organizes or can retrieve by the
name of an individual or by identifying number, symbol, or other identifying
particular assigned to the individual, irrespective of the source of the
underlying information.
(4) "Commissioner"
means the Maryland Insurance Commissioner.
(5) "Company"
means a corporation, limited liability company, business trust, general or
limited partnership, association, sole proprietorship, or similar organization.
(6) "Consumer"
has the meaning stated in §C of this regulation.
(7)
"Consumer reporting agency" has the meaning stated in §603(f) of the
federal Fair Credit Reporting Act, 15 U.S.C. §1681a(f).
(8)
"Control" means:
(a) Ownership,
control, or power to vote 25 percent or more of the outstanding shares of any
class of voting security of the company, directly or indirectly, or acting
through one or more other persons;
(b) Control
in any manner over the election of a majority of the directors, trustees,
general partners, or individuals exercising similar functions of the company; or
(c) The
power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as the Commissioner determines.
(9)
"Customer" means a consumer who has a customer relationship with a
licensee.
(10)
Customer Relationship.
(a) "Customer
relationship" means a continuing relationship between a consumer and a
licensee under which the licensee provides one or more insurance products or
insurance services to the consumer that are to be used primarily for personal,
family, or household purposes.
(b) "Customer
relationship" includes a relationship between a licensee and a consumer
who:
(i) Is
a current policyholder of an insurance product issued by or through the
licensee; or
(ii) Obtains
financial, investment, or economic advisory services relating to an insurance
product or insurance service from the licensee for a fee.
(c) "Customer
relationship" does not include a relationship between a licensee and:
(i) A
consumer who applies for insurance but does not purchase the insurance;
(ii) A
consumer who purchases from the licensee airline travel insurance in an isolated
transaction;
(iii) An
individual who is no longer a current policyholder of an insurance product or
who no longer obtains insurance services with or through the licensee;
(iv) A
consumer who is a beneficiary or claimant under a policy and who has submitted a
claim under a policy choosing a settlement option involving an ongoing
relationship with the licensee;
(v) A
consumer who is a beneficiary or a claimant under a policy and who has submitted
a claim under that policy choosing a lump sum settlement option;
(vi) A
customer whose policy is lapsed, expired, or otherwise inactive or dormant under
the licensee's business practices, if the licensee has not communicated with the
customer about the relationship for a period of 12 consecutive months, other
than annual privacy notices, material required by law or regulation,
communication at the direction of a state or federal authority, or promotional
materials;
(vii) An
individual who is an insured or an annuitant under an insurance policy or
annuity, respectively, but is not the policyholder or owner of the insurance
policy or annuity;
(viii) An
individual whose last-known address, according to the licensee's records, is
deemed invalid because mail sent by the licensee to that address has been
returned by the postal authorities as undeliverable and subsequent attempts by
the licensee to obtain a current valid address for the individual have been
unsuccessful;
(ix) An
individual solely because the individual is a participant or a beneficiary of an
employee benefit plan that the licensee administers or sponsors or for which the
licensee acts as a trustee, insurer, or fiduciary;
(x) An
individual solely because the individual is covered under a group or blanket
insurance policy or group annuity contract issued by the licensee; or
(xi) An
individual solely because the individual is a beneficiary in a workers'
compensation plan underwritten by the licensee.
(11)
Financial Institution.
(a) "Financial
institution" means any institution the business of which is engaging in
activities that are financial in nature or incidental to the financial
activities as described in §4(k) of the Bank Holding Company Act of 1956, 12
U.S.C. §1843(k).
(b) "Financial
institution" does not include:
(i) Any
person with respect to any financial activity that is subject to the
jurisdiction of the Commodity Futures Trading Commission under the Commodity
Exchange Act, 7 U.S.C. §1 et seq.;
(ii) The
Federal Agricultural Mortgage Corporation or any person charged and operating
under the Farm Credit Act of 1971, 12 U.S.C. §2001 et seq.; or
(iii) Institutions
chartered by Congress specifically to engage in securitizations, secondary
market sales (including sales of servicing rights), or similar transactions
related to a transaction of a consumer, as long as the institutions do not sell
or transfer nonpublic personal information to a nonaffiliated third party.
(12)
"Financial product" means a product that a financial holding company
could offer by engaging in an activity that is financial in nature or incidental
to a financial activity under §4(k) of the Bank Holding Company Act of 1956, 12
U.S.C. §1843(k).
(13)
Financial Service.
(a) "Financial
service" means a service that a financial holding company could offer by
engaging in an activity that is financial in nature or incidental to a financial
activity under §4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. §1843(k).
(b) "Financial
service" includes a financial institution's evaluation or brokerage of
information that the financial institution collects in connection with a request
or an application from a consumer for a financial product or financial service.
(14)
"Health care" means:
(a) Providing
preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative
care, services, procedures, tests, or counseling that:
(i) Relates
to the physical, mental, or behavioral condition of an individual; or
(ii) Affects
the structure or function of the human body or any part of the human body,
including the banking of blood, sperm, organs, or any other tissue; or
(b) Prescribing,
dispensing, or furnishing to an individual drugs or biologicals, or medical
devices or health care equipment and supplies.
(15)
Health Care Provider.
(a) "Health
care provider" means a health care facility, physician, or other health
care practitioner licensed, accredited, certified, or otherwise authorized to
perform specified health services consistent with state law.
(b) "Health
care provider" includes the agents, employees, officers, and directors of a
health care provider.
(16)
"Health information" means any information or data except age or
gender, whether oral or recorded in any form or medium, created by or derived
from a health care provider or the consumer that relates to:
(a) The
past, present, or future physical, mental, or behavioral health or condition of
an individual;
(b) The
provision of health care to an individual; or
(c) Payment
for the provision of health care to an individual.
(17)
"Insurance product" means any product that is offered by a licensee
pursuant to the insurance laws of this State.
(18)
Insurance Service.
(a) "Insurance
service" means any service that is offered by a licensee pursuant to the
insurance laws of this State.
(b) "Insurance
service" includes a licensee's evaluation, brokerage, or distribution of
information that the licensee collects in connection with a request or an
application from a consumer for an insurance product or insurance service.
(19)
Licensee.
(a) "Licensee"
means a person licensed or required to be licensed, registered or required to be
registered, or otherwise authorized or required to be authorized by the
Commissioner.
(b) "Licensee"
includes an unauthorized insurer that accepts business placed through a licensed
surplus lines broker in the State, but only in regard to the business placed
pursuant to Insurance Article, §3-306, Annotated Code of Maryland.
(20)
Nonaffiliated Third Party.
(a) "Nonaffiliated
third party" means any person except:
(i) A
licensee's affiliate; or
(ii) A
person employed jointly by a licensee and any company that is not the licensee's
affiliate.
(b) "Nonaffiliated
third party" includes:
(i) A
company that is not the licensee's affiliate that jointly employs a person with
the licensee; and
(ii) Any
company that is an affiliate solely by virtue of the direct or indirect
ownership or control of the company by the licensee or its affiliate in
conducting merchant banking or investment banking activities of the type
described in §4(k)(4)(H) or insurance company investment activities of the type
described in §4(k)(4)(I) of the federal Bank Holding Company Act, 12 U.S.C. §1843(k)(4)(H)
and (I).
(21)
"Nonpublic personal information" means nonpublic personal financial
information and nonpublic personal health information.
(22)
Nonpublic Personal Financial Information.
(a) "Nonpublic
personal financial information" means:
(i) Personally
identifiable financial information; and
(ii) Any
list, description, or other grouping of consumers and publicly available
information pertaining to them that is derived using any personally identifiable
financial information that is not publicly available.
(b) "Nonpublic
personal financial information" includes a list of individuals' names and
street addresses that is derived in whole or in part using personally
identifiable financial information that is not publicly available, such as
account numbers.
(c) "Nonpublic
personal financial information" does not include:
(i) Health
information;
(ii) Publicly
available information, except as included on a list described in §B(22)(a)(ii)
of this regulation;
(iii) Any
list, description, or other grouping of consumers and publicly available
information pertaining to them that is derived without using any personally
identifiable financial information that is not publicly available; or
(iv) A
list of individuals' names and addresses that contains only publicly available
information, is not derived in whole or in part using personally identifiable
financial information that is not publicly available, and is not disclosed in a
manner that indicates that any of the individuals on the list is a consumer of a
financial institution.
(23)
"Nonpublic personal health information" means health information:
(a) That
identifies an individual who is the subject of the information; or
(b) With
respect to which there is a reasonable basis to believe that the information
could be used to identify an individual.
(24)
"Opt out" means a direction by the consumer that the licensee not
disclose nonpublic personal financial information about that consumer to a
nonaffiliated third party, other than as permitted by Regulations .14, .15, and
.16 of this chapter.
(25)
Personally Identifiable Financial Information.
(a) "Personally
identifiable financial information" means any information:
(i) A
consumer provides to a licensee to obtain an insurance product or insurance
service from the licensee;
(ii) About
a consumer resulting from a transaction involving an insurance product or
insurance service between a licensee and a consumer; or
(iii) The
licensee otherwise obtains about a consumer in connection with providing an
insurance product or insurance service to that consumer.
(b) "Personally
identifiable financial information" includes:
(i) Information
a consumer provides to a licensee on an application to obtain an insurance
product or insurance service;
(ii) Account
balance information and payment history;
(iii) The
fact that an individual is or has been one of the licensee's customers or has
obtained an insurance product or insurance service from the licensee;
(iv) Any
information about the licensee's consumer if it is disclosed in a manner that
indicates that the individual is or has been the licensee's consumer;
(v) Any
information that a consumer provides to a licensee or that the licensee or its
agent otherwise obtains in connection with collecting on a loan or servicing a
loan;
(vi) Any
information the licensee collects through an Internet cookie (an
information-collecting device from a web server); and
(vii) Information
from a consumer report.
(c) "Personally
identifiable financial information" does not include:
(i) Health
information;
(ii) A
list of names and addresses of customers of an entity that is not a financial
institution; and
(iii) Information
that does not identify a consumer, such as aggregate information or blind data
that does not contain personal identifiers such as account numbers, names, or
addresses.
(26)
"Publicly available information" means any information that a
licensee:
(a) Has
a reasonable basis to believe is lawfully made available to the general public
from:
(i) Federal,
state, or local government records;
(ii) Widely
distributed media; or
(iii) Disclosures
to the general public that are required to be made by federal, state, or local
law; and
(b) Has
established the reasonable basis required by §B(26)(a) of this regulation by
taking steps to determine:
(i) That
the information is of the type that is available to the general public; and
(ii) Whether
an individual can direct that the information not be made available to the
general public and, if so, that the licensee's consumer has not done so.
C. "Consumer"
Defined.
(1) "Consumer"
means an individual:
(a) Who
seeks to obtain, obtains, or has obtained an insurance product or insurance
service from a licensee that is to be used primarily for personal, family, or
household purposes; and
(b) About
whom the licensee has nonpublic personal information.
(2) "Consumer"
includes:
(a) The
legal representative of a consumer;
(b) An
individual who provides nonpublic personal information to a licensee in
connection with obtaining or seeking to obtain financial, investment, or
economic advisory services relating to an insurance product or insurance service
regardless of whether the licensee establishes an ongoing advisory relationship;
(c) An
applicant for insurance before the inception of insurance coverage;
(d) If
a licensee discloses nonpublic personal financial information about the
individual to a nonaffiliated third party other than as permitted under
Regulations .14, .15, and .16 of this chapter, an individual who is:
(i) A
beneficiary of a life insurance policy underwritten by the licensee;
(ii) A
claimant under an insurance policy issued by the licensee;
(iii) An
insured or annuitant under an insurance policy or annuity issued by the
licensee; or
(iv) A
mortgagor under a mortgage insurance policy issued by the licensee;
(e) A
participant or a beneficiary of an employee benefit plan that a licensee
administers or sponsors or for which a licensee acts as a trustee, insurer, or
fiduciary if the licensee:
(i) Does
not provide the initial, annual, and revised notices under Regulations .05, .06,
and .09 of this chapter to the plan sponsor; or
(ii) Discloses
to a nonaffiliated third party nonpublic personal financial information other
than as permitted under Regulations .14, .15, and .16 of this chapter;
(f) An
individual who is covered under a group or blanket insurance policy or group
annuity contract issued by the licensee if the licensee:
(i) Does
not provide the initial, annual, and revised notices under Regulations .05, .06,
and .09 of this chapter to the group or blanket insurance policyholder or group
annuity contract holder; or
(ii) Discloses
to a nonaffiliated third party nonpublic personal financial information other
than as permitted under Regulations .14, .15, and .16 of this chapter; and
(g) An
individual who is a beneficiary in a workers' compensation plan underwritten by
the licensee if the licensee:
(i) Does
not provide the initial, annual, and revised notices under Regulations .05, .06,
and .09 of this chapter to the workers' compensation plan participant; or
(ii) Discloses
to a nonaffiliated third party nonpublic personal financial information other
than as permitted under Regulations .14, .15, and .16 of this chapter.
(3) "Consumer"
does not include:
(a) An
individual who is a consumer of another financial institution solely because the
licensee is acting as an agent for, or provides processing or other services to,
that financial institution;
(b) An
individual solely because the individual is a beneficiary of a trust for which a
licensee is a trustee;
(c) An
individual solely because the individual has designated a licensee as trustee
for a trust;
(d) An
individual solely because the individual is a participant or a beneficiary of an
employee benefit plan that a licensee administers or sponsors or for which a
licensee acts as a trustee, insurer, or fiduciary if the licensee:
(i) Provides
the initial, annual, and revised notices under Regulations .05, .06, and .09 of
this chapter to the plan sponsor; and
(ii) Does
not disclose to a nonaffiliated third party nonpublic personal financial
information about the individual other than as permitted under Regulations .14,
.15, and .16 of this chapter;
(e) An
individual solely because the individual is covered under a group or blanket
insurance policy or group annuity contract issued by a licensee if the licensee:
(i) Provides
the initial, annual, and revised notices under Regulations .05, .06, and .09 of
this chapter to the group or blanket insurance policyholder or group annuity
contract holder; and
(ii) Does
not disclose to a nonaffiliated third party nonpublic personal financial
information about the individual other than as permitted under Regulations .14,
.15, and .16 of this chapter; or
(f) An
individual solely because the individual is a beneficiary in a workers'
compensation plan underwritten by a licensee if the licensee:
(i) Provides
the initial, annual, and revised notices under Regulations .05, .06, and .09 of
this chapter to the workers' compensation plan participant; and
(ii) Does
not disclose to a nonaffiliated third party nonpublic personal financial
information about the individual other than as permitted under Regulations .14,
.15, and .16 of this chapter.
.04 Exemption
from Notice and Opt Out Requirements for Nonpublic Personal Financial
Information.
A. A
licensee is not subject to the notice and opt out requirements for nonpublic
personal financial information of this chapter if:
(1) The
licensee is an employee, agent, or other representative of another licensee;
(2) The
other licensee otherwise complies with, and provides the notices required by,
the provisions of this chapter; and
(3) The
licensee does not disclose any nonpublic personal information to any person
other than the other licensee or its affiliates in a manner permitted by this
chapter.
B. A
surplus lines broker or surplus lines insurer shall be deemed to be in
compliance with the notice and opt out requirements for nonpublic personal
financial information of this chapter if:
(1) The
broker or insurer does not disclose nonpublic personal information of a consumer
or a customer to nonaffiliated third parties for any purpose, including joint
servicing or marketing under Regulation .14 of this chapter, except as permitted
by Regulations .15 or .16 of this chapter; and
(2) The
broker or insurer delivers a notice to the consumer at the time a customer
relationship is established on which the following is printed in 16-point type:
"PRIVACY NOTICE
Neither the U.S.
brokers that handled this insurance nor the insurers that have underwritten this
insurance will disclose nonpublic personal information concerning the buyer to
nonaffiliates of the brokers or insurers except as permitted by law."
.05 Initial
Privacy Notice for Financial Information to Consumers Required.
A. A
licensee shall provide a clear and conspicuous notice that accurately reflects
its privacy policies and practices for nonpublic financial information to:
(1) An
individual who becomes the licensee's customer, not later than when the licensee
establishes a customer relationship, except as provided in §E of this
regulation; and
(2) A
consumer, before the licensee discloses any nonpublic personal financial
information about the consumer to any nonaffiliated third party, if the licensee
makes a disclosure other than as authorized by Regulations .15 and .16 of this
chapter.
B. A
licensee is not required to provide an initial notice to a consumer under §A(2)
of this regulation if:
(1) The
licensee does not:
(a) Disclose
any nonpublic personal financial information about the consumer to any
nonaffiliated third party, other than as authorized by Regulations .15 and .16
of this chapter; and
(b) Have
a customer relationship with the consumer; or
(2) An
affiliated licensee has provided a notice to the consumer that:
(a) Clearly
identifies all licensees to whom the notice applies; and
(b) Is
accurate with respect to the licensee and the other institutions.
C. When
Licensee Establishes Customer Relationship.
(1) A
licensee establishes a customer relationship at the time the licensee and the
consumer enter into a continuing relationship, including when the consumer:
(a) Becomes
a policyholder of a licensee; or
(b) Agrees
to obtain financial, economic, or investment advisory services relating to
insurance products or insurance services for a fee from the licensee.
(2) For
purposes of §C(1) of this regulation, a consumer becomes a policyholder of a
licensee:
(a) If
the licensee is an insurer, when the insurer delivers an insurance policy or
contract to the consumer; or
(b) If
the licensee is an insurance producer or insurance broker, when the consumer
obtains insurance through that licensee.
D. When
an existing customer obtains a new insurance product or insurance service from a
licensee that is to be used primarily for personal, family, or household
purposes, the licensee satisfies the initial notice requirements of §A of this
regulation as follows:
(1) The
licensee may provide a revised policy notice, under Regulation .09 of this
chapter, that covers the customer's new insurance product or insurance service;
or
(2) If
the initial, revised, or annual notice that the licensee most recently provided
to that customer was accurate with respect to the new insurance product or
insurance service, the licensee does not need to provide a new privacy notice
under §A of this regulation.
E. A
licensee may provide the initial notice required by §A(1) of this regulation
within a reasonable time after the licensee establishes a customer relationship
if:
(1) Establishing
the customer relationship is not at the customer's election; or
(2) Providing
notice not later than when the licensee establishes a customer relationship
would substantially delay the customer's transaction, and the customer agrees to
receive the notice at a later time.
F. Manner
of Delivery.
(1) Except
as provided in §F(2) of this regulation, a licensee subject to this regulation
shall deliver an initial privacy notice in accordance with Regulation .10 of
this chapter.
(2) A
licensee that uses a short-form initial notice provided for under Regulation
.07K of this chapter may deliver its privacy notice in accordance with
Regulation .07K(3) of this chapter.
.06 Annual
Privacy Notice for Financial Information to Customers Required.
A. In
General.
(1) A
licensee shall provide a clear and conspicuous notice to customers that
accurately reflects its privacy policies and practices for nonpublic financial
information at least once in each annual notice period during the continuation
of the customer relationship.
(2) A
licensee may define the annual notice period as:
(a) A
calendar year; or
(b) Any
period of 12 consecutive months.
(3) The
licensee shall apply the annual notice period as defined under §A(2) of this
regulation to a customer on a consistent basis.
B. A
licensee required by this regulation to deliver an annual privacy notice shall
deliver the privacy notice in accordance with Regulation .10 of this chapter.
C. A
licensee is not required to provide an annual notice to a former customer with
whom a licensee no longer has a continuing relationship.
.07 Information
To Be Included in Privacy Notices for Financial Information.
A. Privacy
notices required to be provided under Regulations .05, .06, and .09 of this
chapter shall include the following information:
(1) The
categories of nonpublic personal financial information that the licensee
collects;
(2) The
categories of nonpublic personal financial information that the licensee
discloses;
(3) The
categories of affiliates and nonaffiliated third parties to whom the licensee
discloses nonpublic personal financial information, other than those parties to
whom the licensee discloses information under Regulations .15 and .16 of this
chapter;
(4) The
categories of:
(a) Nonpublic
personal financial information about the licensee's former customers that the
licensee discloses; and
(b) Affiliates
and nonaffiliated third parties to whom the licensee discloses nonpublic
personal financial information about the licensee's former customers, other than
those parties to whom the licensee discloses information under Regulations .15
and .16 of this chapter;
(5) If
a licensee discloses nonpublic personal financial information to a nonaffiliated
third party under Regulation .14 of this chapter and no other exception in
Regulations .15 and .16 of this chapter applies to that disclosure, a separate
description of the categories of information the licensee discloses and the
categories of third parties with whom the licensee has contracted;
(6) An
explanation of the consumer's right under Regulation .11A of this chapter to opt
out of the disclosure of nonpublic personal financial information to
nonaffiliated third parties, including the methods by which the consumer may
exercise that right at that time;
(7) Any
disclosures that the licensee makes under §603(d)(2)(A)(iii) of the federal
Fair Credit Reporting Act, 15 U.S.C. §1681a(d)(2)(A)(iii) regarding the ability
to opt out of disclosures of information among affiliates;
(8) The
licensee's policies and practices with respect to protecting the confidentiality
and security of nonpublic personal financial information; and
(9) Any
disclosure that the licensee makes under §B of this regulation.
B. If
a licensee discloses nonpublic personal financial information as authorized
under Regulations .15 and .16 of this chapter:
(1) The
licensee is not required to list those exceptions in the initial or annual
privacy notices required by Regulations .05 and .06 of this chapter; and
(2) When
describing the categories of parties to whom disclosure is made, the licensee is
required to state only that it makes disclosures to other affiliated or
nonaffiliated third parties, as applicable, as permitted by law.
C. A
licensee satisfies the requirement to categorize the nonpublic personal
financial information that the licensee collects if the licensee categorizes the
information according to the source of the information, including:
(1) Information
from the consumer;
(2) Information
about the consumer's transactions with the licensee or its affiliates;
(3) Information
about the consumer's transactions with nonaffiliated third parties; and
(4) Information
from a consumer reporting agency.
D. A
licensee satisfies the requirement to categorize the nonpublic personal
financial information that the licensee discloses if the licensee:
(1) Categorizes
the information according to source, as described in §C of this regulation; and
(2) Provides
a few examples to illustrate the types of information in each category, such as:
(a) Information
from the consumer, including application information, such as assets and income
and identifying information, such as name, address, and Social Security number;
(b) Transaction
information, such as information about balances, payment history, and parties to
the transaction; and
(c) Information
from consumer reports, such as a consumer's creditworthiness and credit history.
E. A
licensee does not adequately categorize the information that it discloses if the
licensee uses only general terms, such as transaction information about the
consumer.
F. If
a licensee reserves the right to disclose all of the nonpublic personal
financial information about consumers that it collects, the licensee may simply
state that fact without describing the categories or examples of nonpublic
personal financial information that the licensee discloses.
G. Categories
of Affiliates and Nonaffiliated Third Parties to Whom the Licensee Discloses.
(1) A
licensee satisfies the requirement to categorize the affiliates and
nonaffiliated third parties to which the licensee discloses nonpublic personal
financial information about consumers if the licensee identifies the types of
businesses in which they engage.
(2) Types
of businesses may be described by general terms only if the licensee uses a few
illustrative examples of significant lines of business, including the use by a
licensee of the term financial products or services if the licensee includes
appropriate examples of significant lines of businesses, such as life insurer,
automobile insurer, consumer banking, or securities brokerage.
(3) A
licensee also may categorize the affiliates and nonaffiliated third parties to
which it discloses nonpublic personal financial information about consumers
using more detailed categories.
H. If
a licensee discloses nonpublic personal financial information under the
exception in Regulation .14 of this chapter to a nonaffiliated third party to
market products or services that it offers alone or jointly with another
financial institution, the licensee satisfies the disclosure requirement of §A(5)
of this regulation if it:
(1) Lists
the categories of nonpublic personal financial information it discloses, using
the same categories and examples the licensee used to meet the requirements of
§A(2) of this regulation, as applicable; and
(2) States
whether the third party is:
(a) A
service provider that performs marketing services on the licensee's behalf or on
behalf of the licensee and another financial institution; or
(b) A
financial institution with whom the licensee has a joint marketing agreement.
I. If
a licensee does not disclose, and does not wish to reserve the right to
disclose, nonpublic personal financial information about customers or former
customers to affiliates or nonaffiliated third parties except as authorized
under Regulations .15 and .16 of this chapter, the licensee may simply state
that fact, in addition to the information it must provide under §§A(1), (8),
and (9) and B of this regulation.
J. Policies
and Practices for Protection of Confidentiality and Security.
(1) A
licensee shall describe its policies and practices with respect to protecting
the confidentiality and security of nonpublic personal financial information.
(2) A
licensee may satisfy §J(1) of this regulation if the licensee:
(a) Describes
in general terms who is authorized to have access to the information; and
(b) States
whether the licensee has security practices and procedures in place to ensure
the confidentiality of the information in accordance with the licensee's policy.
(3) A
licensee is not required to describe technical information about the safeguards
it uses.
K. Short-Form
Initial Notice with Opt Out Notice for Noncustomers.
(1) A
licensee may satisfy the initial notice requirements in Regulations .05A(2) and
.08C of this chapter for a consumer who is not a customer by providing a
short-form initial notice at the same time the licensee delivers an opt out
notice as required in Regulation .08 of this chapter.
(2) A
short-form initial notice shall:
(a) Be
clear and conspicuous;
(b) State
that the licensee's privacy notice is available upon request; and
(c) Explain
a reasonable means by which the consumer may obtain that notice.
(3) Delivery
of Short-Form Initial Notice.
(a) A
licensee shall deliver its short-form initial notice in accordance with
Regulation .10 of this chapter.
(b) The
licensee is not required to deliver its privacy notice with its short-form
initial notice if the licensee provides the consumer a reasonable means to
obtain its privacy notice.
(c) The
licensee provides a reasonable means by which a consumer may obtain a copy of
its privacy notice if the licensee:
(i) Provides
a toll-free telephone number that the consumer may call to request the notice;
or
(ii) For
a consumer who conducts business in person at the licensee's office, maintains
copies of the notice on hand that the licensee provides to the consumer
immediately upon request.
(d) Upon
the request of a consumer, the licensee shall deliver its privacy notice
according to Regulation .10 of this chapter.
L. The
licensee's notice may include:
(1) Categories
of nonpublic personal financial information that the licensee reserves the right
to disclose in the future, but does not currently disclose; and
(2) Categories
of affiliates or nonaffiliated third parties to whom the licensee reserves the
right in the future to disclose, but to whom the licensee does not currently
disclose, nonpublic personal financial information.
.08 Form
of Opt Out Notice to Consumers and Opt Out Methods.
A. Opt
Out Notice Requirements.
(1) A
licensee required to provide an opt out notice under Regulation .11A of this
chapter shall provide a clear and conspicuous notice to each of the licensee's
consumers that accurately explains the right to opt out under that regulation.
(2) A
right to opt out notice required to be provided under §A(1) of this regulation
shall state:
(a) That
the licensee discloses or reserves the right to disclose nonpublic personal
financial information about its consumer to a nonaffiliated third party;
(b) That
the consumer has the right to opt out of that disclosure; and
(c) A
reasonable means by which the consumer may exercise the opt out right.
(3) A
licensee provides adequate notice that the consumer can opt out of the
disclosure of nonpublic personal financial information to a nonaffiliated third
party if the licensee:
(a) Identifies
all categories of nonpublic personal financial information that it discloses or
reserves the right to disclose;
(b) Identifies
all of the categories of nonaffiliated third parties to which the licensee
discloses the information as described in Regulation .07A(2) and (3) of this
chapter;
(c) States
that the consumer can opt out of the disclosure of the nonpublic personal
financial information; and
(d) Identifies
the insurance products or insurance services that the consumer obtains from the
licensee to which the opt out would apply.
(4) A
licensee provides a reasonable means to exercise an opt out right if the
licensee:
(a)
Designates
check-off boxes in a prominent position to on the relevant forms with the opt
out notice;
(b)
Includes
a reply form together with the opt out notice;
(c) Provides
an electronic means to opt out that includes the form required under §A(4)(b)
of this regulation that can be sent via electronic mail or a process at the
licensee's web site, if the consumer agrees to the electronic delivery of
information; or
(d) Provides
a toll-free telephone number that
consumers may call to opt out.
(5) A
licensee does not provide a reasonable means to exercise an opt out right if:
(a) The
only means of opting out is for the consumer to write the consumer's own letter
to exercise that opt out right; or
(b) The
only means of opting out as described in any notice subsequent to the initial
notice is to use a check-off box that the licensee provided with the initial
notice but did not include with the subsequent notice.
(6) A
licensee may require each consumer to opt out through a specific means, as long
as that means is reasonable for that consumer.
B. A
licensee may provide the opt out notice together with or on the same written or
electronic form as the initial notice the licensee provides in accordance with
Regulation .05 of this chapter.
C. A
licensee that provides the opt out notice later than required for the initial
notice in accordance with Regulation .05 of this chapter shall also include a
copy of the initial notice with the opt out notice in writing or, if the
consumer agrees, electronically.
D. Joint
Relationships.
(1) If
two or more consumers jointly obtain an insurance product or insurance service
from a licensee, the licensee may provide a single opt out notice. The
licensee's opt out notice shall explain how the licensee will treat an opt out
direction by a joint consumer.
(2) Any
of the joint consumers may exercise the right to opt out.
(3) The
licensee may either:
(a) Treat
an opt out direction by a joint consumer as applying to all of the associated
joint consumers; or
(b) Permit
each joint consumer to opt out separately.
(4) If
a licensee permits each joint consumer to opt out separately, the licensee shall
permit one of the joint consumers to opt out on behalf of all of the joint
consumers.
(5) A
licensee may not require all joint consumers to opt out before it implements any
opt out direction.
E. A
licensee shall comply with a consumer's opt out direction as soon as reasonably
practicable after the licensee receives it.
F. A
consumer may exercise the right to opt out at any time.
G. Duration
of Opt Out Direction.
(1) A
consumer's direction to opt out under this regulation is effective until the
consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When
a customer relationship terminates, the customer's opt out direction continues
to apply to the nonpublic personal financial information that the licensee
collected during or related to that relationship.
(3) If
an individual subsequently establishes a new customer relationship with the
licensee, the opt out direction that applied to the former relationship does not
apply to the new relationship.
H. A
licensee required to deliver an opt out notice under this regulation shall
deliver it in accordance with Regulation .10 of this chapter.
.09 Revised
Privacy Notices for Financial Information.
A. Except
as otherwise authorized in this chapter, a licensee may not, directly or through
an affiliate, disclose any nonpublic personal financial information about a
consumer to a nonaffiliated third party other than as described in the initial
notice that the licensee provided to that consumer under Regulation .05 of this
chapter, unless:
(1) The
licensee has provided to the consumer a clear and conspicuous revised notice
that accurately describes its policies and practices;
(2) The
licensee has provided to the consumer a new opt out notice;
(3) The
licensee has given the consumer a reasonable opportunity, before the licensee
discloses the information to the nonaffiliated third party, to opt out of the
disclosure; and
(4) The
consumer does not opt out.
B. Revised
Notice.
(1) Except
as otherwise permitted by Regulations .14, .15, and .16 of this chapter, a
licensee shall provide a revised notice before it discloses:
(a) A
new category of nonpublic personal financial information to any nonaffiliated
third party;
(b) Nonpublic
personal financial information to a new category of nonaffiliated third party;
or
(c) Nonpublic
personal financial information about a former customer to a nonaffiliated third
party, if that former customer has not had the opportunity to exercise an opt
out right regarding that disclosure.
(2) A
revised notice is not required if the licensee discloses nonpublic personal
financial information to a new nonaffiliated third party that the licensee
adequately described in its prior notice.
C. A
licensee required to deliver a revised privacy notice under this regulation
shall deliver it in accordance with Regulation .10 of this chapter.
.10 Delivery
of Privacy Notices for Financial Information.
A. Manner
of Delivery.
(1) A
licensee required to provide a notice under this chapter shall provide any
notice required by this chapter so that each consumer can reasonably be expected
to receive actual notice in writing or, if the consumer agrees, electronically.
(2) A
licensee may reasonably expect that a consumer will receive actual notice if the
licensee:
(a) Hand-delivers
a printed copy of the notice to the consumer;
(b) Mails
a printed copy of the notice to the last-known address of the consumer
separately, or in a policy, billing, or other written communication;
(c) For
a consumer who conducts transactions electronically, posts the notice on the
electronic site and requires the consumer to acknowledge receipt of the notice
as a necessary step to obtaining a particular insurance product or insurance
service; or
(d) For
an isolated transaction with a consumer, such as the licensee providing an
insurance quote or selling the consumer travel insurance, posts the notice and
requires the consumer to acknowledge receipt of the notice as a necessary step
to obtaining the particular insurance product or insurance service.
(3) A
licensee fails to meet the requirements of §A(1) of this regulation if the
licensee:
(a) Only
posts a sign in its office or generally publishes advertisements of its privacy
policies and practices; or
(b) Sends
the notice via electronic mail to a consumer who does not obtain an insurance
product or insurance service from the licensee electronically.
B. A
licensee may reasonably expect that a customer will receive actual notice of the
licensee's annual privacy notice if the customer:
(1) Uses
the licensee's web site to access insurance products and insurance services
electronically, and agrees to receive notices at the web site and the licensee
posts its current privacy notice continuously in a clear and conspicuous manner
on the web site; or
(2) Has
requested that the licensee refrain from sending any information regarding the
customer relationship, and the licensee's current privacy notice remains
available to the customer upon request.
C. A
licensee may not provide any notice required by this chapter solely by orally
explaining the notice, either in person or over the telephone.
D. Notice
for Customers.
(1) For
customers only, a licensee shall provide the following privacy notices so that
the customer can retain the privacy notices or obtain the privacy notices later
in writing or, if the customer agrees, electronically:
(a) The
initial notice required by Regulation .05A(1) of this chapter;
(b) The
annual notice required by Regulation .06A of this chapter; and
(c) The
revised notice required by Regulation .09 of this chapter.
(2) A
licensee provides a privacy notice to the customer so that the customer can
retain it or obtain it later if the licensee:
(a) Hand-delivers
a printed copy of the notice to the customer;
(b) Mails
a printed copy of the notice to the last-known address of the customer; or
(c) Makes
its current privacy notice available on a web site for the customer who obtains
an insurance product or insurance service electronically and agrees to receive
the notice at the web site.
E. Joint
Notice.
(1) A
licensee may provide a joint notice from the licensee and one or more of its
affiliates or other financial institutions, as identified in the notice, as long
as the notice is accurate with respect to the licensee and the other
institutions.
(2) A
licensee also may provide a notice on behalf of another financial institution.
F. If
two or more consumers jointly obtain an insurance product or insurance service
from a licensee, the licensee may satisfy the requirements of Regulations .05A,
.06A, and .09A of this chapter by providing one notice to those consumers
jointly.
.11 Limits
on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third
Parties.
A. Except
as otherwise authorized in this chapter, a licensee may not, directly or through
an affiliate, disclose nonpublic personal financial information about a consumer
to a nonaffiliated third party unless:
(1) The
licensee has provided to the consumer an initial notice as required under
Regulation .05 of this chapter;
(2) The
licensee has provided to the consumer an opt out notice as required in
Regulation .08 of this chapter;
(3) The
licensee has given the consumer a reasonable opportunity, before it discloses
the information to the nonaffiliated third party, to opt out of the disclosure;
and
(4) The
consumer does not opt out.
B. A
licensee provides a consumer with a reasonable opportunity to opt out if:
(1) The
licensee mails the notices required in Regulations .05 and .08 of this chapter
to the consumer and allows the consumer to opt out by:
(a) Mailing
a form within 30 days from the date the licensee mailed the notices;
(b) Calling
a toll-free telephone number within 30 days from the date the licensee mailed
the notices; or
(c) Using
any other reasonable means within 30 days from the date the licensee mailed the
notices;
(2) The
following action is taken:
(a) A
customer opens an on-line account with a licensee and agrees to receive the
notices required in Regulations .05 and .08 of this chapter electronically; and
(b) The
licensee allows the customer to opt out by any reasonable means within 30 days
after the date that the customer acknowledges receipt of the notices in
conjunction with opening the account; or
(3) For
an isolated transaction such as providing the consumer with an insurance quote,
the licensee provides the notices required in Regulations .05 and .08 of this
chapter at the time of the transaction and requests that the consumer decide, as
a necessary part of the transaction, whether to opt out before completing the
transaction.
C. A
licensee shall comply with this regulation regardless of whether the licensee
and the consumer have established a customer relationship. Unless a licensee
complies with this regulation, the licensee may not, directly or through an
affiliate, disclose nonpublic personal financial information about a consumer
that the licensee has collected, regardless of whether the licensee collected it
before or after receiving the direction to opt out from the consumer.
D. A
licensee may allow a consumer to select certain nonpublic personal financial
information or certain nonaffiliated third parties with respect to which the
consumer wishes to opt out.
.12 Limits
on Redisclosure and Reuse of Nonpublic Personal Financial Information.
A. If
a licensee receives nonpublic personal financial information from a
nonaffiliated financial institution under an exception in Regulation .15 or .16
of this chapter, the licensee's disclosure and use of that information is
limited as follows:
(1) The
licensee may disclose the information to the affiliates of the financial
institution from which the licensee received the information;
(2) The
licensee may disclose the information to its affiliates, but the licensee's
affiliates may, in turn, disclose and use the information only to the extent
that the licensee may disclose and use the information; and
(3) The
licensee may disclose and use the information pursuant to an exception in
Regulation .15 or .16 of this chapter, in the ordinary course of business to
carry out the activity covered by the exception under which the licensee
received the information.
B. If
a licensee receives nonpublic personal financial information from a
nonaffiliated financial institution other than under an exception in Regulation
.15 or .16 of this chapter, the licensee may disclose the information only:
(1) To
the affiliates of the financial institution from which the licensee received the
information;
(2) To
its affiliates, but its affiliates may, in turn, disclose the information only
to the extent that the licensee may disclose the information; and
(3) To
any other person, if the disclosure would be lawful if made directly to that
person by the financial institution from which the licensee received the
information.
C. If
a licensee receives information from a nonaffiliated financial institution for
claims settlement purposes, the licensee may disclose the information for fraud
prevention or in response to a properly authorized subpoena.
D. If
a licensee receives information from a nonaffiliated financial institution for
claims settlement purposes, the licensee may not:
(1) Disclose
that information to a third party for marketing purposes; or
(2) Use
that information for its own marketing purposes.
.13 Limits
on Sharing Account Number Information for Marketing Purposes.
A. Scope.
This regulation does not apply to the disclosure of a policy number, or similar
form of access number or access code, that is in an encrypted form, as long as
the licensee does not provide the recipient with a means to decode the number or
code.
B. Policy
or Transaction Account Defined.
(1) In
this regulation, the following term has the meaning indicated.
(2) Term
Defined.
(a) "Policy
or transaction account" means an account other than a deposit account or a
credit card account.
(b) "Policy
or transaction account" does not include an account to which third parties
cannot initiate charges.
C. A
licensee may not, directly or through an affiliate, disclose, other than to a
consumer reporting agency, a policy number or similar form of access number or
access code for a consumer's policy or transaction account to a nonaffiliated
third party for use in telemarketing, direct mail marketing, or other marketing
through electronic mail to the consumer.
D. Section
C of this regulation does not apply if a licensee discloses a policy number or
similar form of access number or access code to:
(1) The
licensee's service provider solely in order to perform marketing for the
licensee's own products or services, as long as the service provider is not
authorized to directly initiate charges to the account;
(2) A
licensee who is a producer solely in order to perform marketing for the
licensee's own products or services; or
(3) A
participant in an affinity or similar program where the participants in the
program are identified to the customer when the customer enters into the
program.
.14 Exception
to Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information for Service Providers and Joint Marketing.
A. In
this regulation, "joint agreement" means a written contract pursuant
to which a licensee and one or more financial institutions jointly offer,
endorse, or sponsor a financial product or financial service.
B. The
opt out requirements in Regulations .08 and .11 of this chapter do not apply
when a licensee provides nonpublic personal financial information to a
nonaffiliated third party to perform services for the licensee or functions on
the licensee's behalf, if the licensee:
(1) Provides
the initial notice in accordance with Regulation .05 of this chapter; and
(2) Enters
into a contractual agreement with the third party that prohibits the third party
from disclosing or using the information other than to carry out the purposes
for which the licensee disclosed the information, including use under an
exception in Regulation .15 or .16 of this chapter in the ordinary course of
business to carry out those purposes.
C. The
services a nonaffiliated third party performs for a licensee under §B of this
regulation may include marketing of the licensee's own products or services or
marketing of financial products or financial services offered pursuant to joint
agreements between the licensee and one or more financial institutions.
.15 Exceptions
to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal
Financial Information for Processing and Servicing Transactions.
A. The
requirements for initial notice in Regulation .05A(2) of this chapter, the opt
out in Regulations .08 and .11 of this chapter, and service providers and joint
marketing in Regulation .14 of this chapter do not apply if the licensee
discloses nonpublic personal financial information as necessary to effect,
administer, or enforce a transaction that a consumer requests or authorizes, or
in connection with:
(1) Servicing
or processing an insurance product or insurance service that a consumer requests
or authorizes;
(2) Maintaining
or servicing the consumer's account with a licensee, or with another entity as
part of a private label credit card program or other extension of credit on
behalf of that entity;
(3) A
proposed or actual securitization, secondary market sale, sales of servicing
rights, or similar transaction related to a transaction of the consumer; or
(4) Reinsurance
or stop loss or excess loss insurance.
B. Disclosure
by a licensee is considered to be necessary to effect, administer, or enforce a
transaction if the disclosure is:
(1) Required,
or is one of the lawful or appropriate methods, to enforce the licensee's rights
or the rights of other persons engaged in carrying out the financial transaction
or providing the product or service; or
(2) Required,
or is a usual, appropriate, or acceptable method:
(a) To
carry out the transaction or the product or service business of which the
transaction is a part, and record, service, or maintain the consumer's account
in the ordinary course of providing the insurance product or insurance service;
(b) To
administer or service benefits or claims relating to the transaction or the
product or service business of which it is a part;
(c) To
provide a confirmation, statement, or other record of the transaction, or
information on the status or value of the insurance product or insurance service
to the consumer or the consumer's insurance producer;
(d) To
accrue or recognize incentives or bonuses associated with the transaction that
are provided by a licensee or any other party;
(e) To
underwrite insurance at the consumer's request or for any of the following
purposes as they relate to a consumer's insurance:
(i) Account
administration;
(ii) Reporting,
investigating, or preventing fraud or material misrepresentation;
(iii) Processing
premium payments;
(iv) Processing
insurance claims;
(v) Administering
insurance benefits including utilization review activities;
(vi) Participating
in research projects; or
(vii) As
otherwise required or specifically permitted by federal or state law; or
(f) In
connection with:
(i) The
authorization, settlement, billing, processing, clearing, transferring,
reconciling, or collection of amounts charged, debited, or otherwise paid using
a debit, credit, or other payment card, check, or account number, or by other
payment means;
(ii) The
transfer of receivables or accounts, or interests in the receivables or
accounts; or
(iii) The
audit of debit, credit, or other payment information.
.16 Other
Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information.
A. The
requirements for initial notice to consumers in Regulation .05A(2) of this
chapter, the opt out in Regulations .08 and .11 of this chapter, and service
providers and joint marketing in Regulation .14 of this chapter do not apply
when a licensee discloses nonpublic personal financial information:
(1) With
the consent or at the direction of the consumer, if the consumer has not revoked
the consent or direction;
(2) To
protect the confidentiality or security of a licensee's records pertaining to
the consumer, service, product, or transaction;
(3) To
protect against or prevent actual or potential fraud or unauthorized
transactions;
(4) For
required institutional risk control or for resolving consumer disputes or
inquiries;
(5) To
persons holding a legal or beneficial interest relating to the consumer; or
(6) To
persons acting in a fiduciary or representative capacity on behalf of the
consumer;
(7) To
provide information to:
(a) Insurance
rate advisory organizations;
(b) Guaranty
funds or agencies that are rating a licensee;
(c) Persons
that are assessing the licensee's compliance with industry standards; and
(d) The
licensee's attorneys, accountants, and auditors;
(8) To
the extent specifically permitted or required under other provisions of law and
in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C.
§3401 et seq.), to law enforcement agencies (including the Federal Reserve
Board, Office of the Comptroller of the Currency, Federal Deposit Insurance
Corporation, Office of Thrift Supervision, National Credit Union Administration,
the Securities and Exchange Commission, the Secretary of the Treasury, with
respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary
Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial
Recordkeeping), a state insurance authority, and the Federal Trade Commission),
self-regulatory organizations, or for an investigation on a matter related to
public safety;
(9) To a
consumer reporting agency in accordance with the federal Fair Credit Reporting
Act, 15 U.S.C. §1681 et seq.;
(10)
From a consumer report reported by a consumer reporting agency;
(11) In
connection with a proposed or actual sale, merger, transfer, or exchange of all
or a portion of a business or operating unit if the disclosure of nonpublic
personal financial information concerns solely consumers of the business or
unit;
(12) To
comply with federal, state, or local laws, rules, and other applicable legal
requirements;
(13) To
comply with a properly authorized civil, criminal, or regulatory investigation,
or subpoena or summons by federal, state, or local authorities;
(14) To
respond to judicial process or government regulatory authorities having
jurisdiction over a licensee for examination, compliance, or other purposes as
authorized by law; or
(15) For
purposes related to the replacement of a group benefit plan, a group health
plan, a group welfare plan, or a workers' compensation plan.
B. A
consumer may revoke consent by subsequently exercising the right to opt out of
future disclosures of nonpublic personal information as permitted under
Regulation .08F of this chapter.
C. The
Commissioner may exempt a licensee from any of the notice requirements of this
chapter if:
(1) The
licensee is in liquidation or receivership; and
(2) The
notice requirements could:
(a) Negatively
impact the ability of the liquidator or receiver to pay claims; and
(b) Impose
a financial burden on the licensee in liquidation or receivership.
.17 When
Authorization Required for Disclosure of Nonpublic Personal Health Information.
A. A
licensee may not disclose nonpublic personal health information about a consumer
or customer unless an authorization is obtained from the consumer or customer
whose nonpublic personal health information is sought to be disclosed.
B. This
regulation does not prohibit, restrict, or require an authorization for the
disclosure of nonpublic personal health information by a licensee for the
performance of the following insurance functions by or on behalf of the
licensee:
(1) Claims
administration;
(2) Claims
adjustment and management;
(3) Detection,
investigation, or reporting of actual or potential fraud, misrepresentation, or
criminal activity;
(4) Underwriting;
(5) Policy
placement or issuance;
(6) Loss
control;
(7)
Rate-making and guaranty fund functions;
(8)
Reinsurance and excess loss insurance;
(9) Risk
management;
(10)
Case management;
(11)
Disease management;
(12)
Quality assurance;
(13)
Quality improvement;
(14)
Performance evaluation;
(15)
Provider credentialing verification;
(16)
Utilization review;
(17)
Peer review activities;
(18)
Actuarial, scientific, medical, or public policy research;
(19)
Grievance procedures;
(20)
Internal administration of compliance, managerial, and information systems;
(21)
Policyholder service functions;
(22)
Auditing;
(23)
Reporting;
(24)
Database security;
(25)
Administration of consumer disputes and inquiries;
(26)
External accreditation standards;
(27) The
replacement of a group benefit plan or workers' compensation policy or program;
(28)
Activities in connection with a sale, merger, transfer, or exchange of all or
part of a business or operating unit;
(29) Any
activity that permits disclosure without authorization pursuant to the federal
Health Insurance Portability and Accountability Act privacy rules promulgated by
the U.S. Department of Health and Human Services;
(30)
Disclosure that is required, or is one of the lawful or appropriate methods, to
enforce the licensee's rights or the rights of other persons engaged in carrying
out a transaction or providing a product or service that a consumer requests or
authorizes;
(31) Any
activity otherwise permitted by law, required pursuant to governmental reporting
authority, or to comply with legal process; and
(32) Any
additional insurance functions determined by the Commissioner to the extent that
they are:
(a) Necessary
for appropriate performance of insurance functions; and
(b) Fair
and reasonable to the interest of consumers.
.18 Authorizations
for Disclosure of Health Information.
A. A
valid authorization to disclose nonpublic personal health information pursuant
to this regulation shall be in written or electronic form and shall contain all
of the following:
(1) The
identity of the consumer or customer who is the subject of the nonpublic
personal health information;
(2) A
general description of the types of nonpublic personal health information to be
disclosed;
(3) General
descriptions of the parties to whom the licensee discloses nonpublic personal
health information, the purpose of the disclosure, and how the information will
be used;
(4) The
signature of the consumer or customer who is the subject of the nonpublic
personal health information or the individual who is legally empowered to grant
authority and the date signed; and
(5) Notice
of the length of time for which the authorization is valid and that the consumer
or customer may revoke the authorization at any time and the procedure for
making a revocation.
B. An
authorization for the purposes of this regulation shall specify a length of time
for which the authorization shall remain valid, which may not be for more than
24 months.
C. A
consumer or customer who is the subject of nonpublic personal health information
may revoke an authorization provided pursuant to this regulation at any time,
subject to the rights of an individual who acted in reliance on the
authorization before notice of the revocation.
D. A
licensee shall retain the authorization or a copy of the authorization in the
record of the individual who is the subject of nonpublic personal health
information.
.19 Authorization
Request Delivery.
A. A
request for authorization and an authorization form may be delivered to a
consumer or a customer as part of an opt out notice pursuant to Regulation .10
of this chapter if the request and the authorization form are clear and
conspicuous.
B. An
authorization form is not required to be delivered to the consumer or customer
or included in any other notices unless the licensee intends to disclose
protected health information pursuant to Regulation .17A of this chapter.
.20 Relationship
to Federal Rules.
Irrespective
of whether a licensee is subject to the federal Health Insurance Portability and
Accountability Act privacy rule as promulgated by the U.S. Department of Health
and Human Services "Standards for the Privacy of Individually Identifiable
Health Information", if a licensee complies with all requirements of the
federal rule except for its effective date provision, the licensee is not
subject to the provisions of Regulations .17 — .19 of this chapter.
.21 Relationship
to Maryland Laws.
This
chapter does not preempt or supersede existing State law related to medical
records, health information privacy, or insurance information privacy.
.22 Protection
of Fair Credit Reporting Act.
This
chapter does not modify, limit, or supersede the operation of the federal Fair
Credit Reporting Act, 15 U.S.C. §1681 et seq., and no inference shall be drawn
on the basis of the provisions of this chapter regarding whether information is
transaction or experience information under 15 U.S.C. §1681a.
.23 Nondiscrimination.
A
licensee may not unfairly discriminate against any consumer or customer because
that consumer or customer:
A. Has
opted out from the disclosure of his or her nonpublic personal financial
information pursuant to the provisions of this chapter; or
B. Has
not granted authorization for the disclosure of his or her nonpublic personal
health information pursuant to the provisions of this chapter.
.24 Effective
Date.
A. By
April 1, 2002, a licensee shall provide an initial notice, as required by
Regulation .05 of this chapter, to consumers who are the licensee's customers on
January 1, 2002.
B. Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf satisfies the provisions of Regulation .14B(2) of this chapter, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2000.