NAII Notes All States Have Addressed Privacy Legislation, While Handful Have Proposals Pending

February 11, 2003

Insurance companies with systems in place to meet state and Federal Privacy standards may need to do some “tweaking” down the road to assure continued regulatory compliance, according to the National Association of Independent Insurers (NAII).

Although passage of the Gramm-Leach-Bliley Act (GLBA) in 2000 resulted in all 50 states addressing the privacy issue to ensure compliance with the Act, seven states still have proposals pending. These proposed regulations or statutes could change the process for complying with privacy regulations for some insurance companies.

“Most of the adopted privacy regulations are based on the National Association of Commissioners’ (NAIC) privacy models of 1982 or 2000,” NAII Insurance Services Counsel Kathleen Jensen said. “However, a handful of states have not adopted a regulation or statute. The language in some of the proposals does not necessarily follow the NAIC’s models and could impact the way privacy is handled by companies writing business in those states.”

Jensen added that most insurers are confident that their systems and processes are in compliance with GLBA.

However, companies need to keep a close eye on the remaining handful of states to ensure that their systems will meet the privacy compliance requirements adopted in these particular states, according to Jensen.

Seven States Still Considering Privacy
The following two states have recently proposed privacy insurance regulations.

Alaska – In 2002, the Alaska Division of Insurance proposed an insurance privacy regulation. The proposed regulation does not contain an exemption for affiliate sharing and requires opt-in for non-affiliate sharing. The Division of Insurance has not made any subsequent changes to the proposed regulation, nor have they taken any additional actions to have this regulation adopted. NAII anticipates that a privacy regulation will be adopted in 2003.

Idaho – In 2002, the Idaho Department of Insurance proposed the NAIC model regulation. However, the proposal contains the notable omission of claimant and workers’ compensation from the definition of consumer and the omission of the section regarding the non-public personal health information. The rule is before the legislature for approval. Prior to this rule, the Idaho Department of Insurance had been operating under a temporary rule that was based on the National Conference of Insurance Legislators’ (NCOIL) privacy model. NAII anticipates that the legislature will approve this regulation in 2003.

The following five states have privacy legislation that has been introduced in 2002 and carried over to 2003, or new legislation has been introduced in 2003.

California – In 2002, State Senator Jackie Speier introduced privacy legislation that eventually failed. In 2003 she reintroduced this legislation as SB1. The legislation requires opt-out for affiliate sharing and opt-in for non-affiliate sharing. NAII anticipates some form of legislation to be signed by the governor in 2003. In 2002, the California Department of Insurance adopted a privacy regulation. The regulation is based on the NAIC Model regulation but contains the 1982 Statute exceptions. Additionally, the regulation applies to all commercial lines. It becomes effective March 24, 2003. If the current legislative proposal is also adopted, companies writing business in California will have to comply with all adopted regulations and statutes.

Massachusetts – MAH295 was introduced Jan. 1, 2003. The bill contains an opt-in and allows the commissioner to establish regulations for policies and practices. Currently under the 1982 privacy statute, property/casualty insurers are exempt from complying with that statute (life and health insurers are not exempt).

Montana – House Bill 205 was pre-filed on December 27, 2002. This bill makes amendments to the existing privacy statute that was amended in 2001. The original statute was based upon the NAIC Privacy Model statute. Many of the amendments are applicable to the individually identifiable health information section.

New Jersey – Two bills were introduced in 2002: NJA1091 in January 2002 and NJA2621 in June 2002. NJA2621 is an opt-in bill. The New Jersey legislature has a two-year session. The 1982 privacy statute is already in place in New Jersey.

North Dakota – Even though the insurance commissioner in North Dakota adopted the 2000 NAIC privacy model regulation, the legislature now has two bills that potentially could affect insurers, H1478 and H1038. Both bills apply to “financial institutions” defined in the bills as “any organization that is physically located in the state which is authorized to do business under state or federal laws relating to financial institutions, including, without limitation, a bank, including the Bank of North Dakota, a savings bank, a trust company, a savings and loan association, or a credit union.” Insurance is not explicitly included, but both bills do say, “including but not limited to.” Additionally both bills change the definition of customer to mean “a resident of or is domiciled in this state and which has transacted or is transacting business with, or has use or is using the services of a financial institution…”

According to the NAII, if North Dakota passes this legislation which targets banking institutions, insurers may be inadvertently impacted.
