Health plans and clearinghouses are already subject to the privacy and security requirements of HIPAA, but under the Cybersecurity Bill of Rights adopted by a task force of the National Association of Insurance Commissioners (NAIC) on October 14, all insurance companies and agents and their contractors would be subject to expanded cybersecurity requirements similar to those in HIPAA. NAIC President Monica Lindeen said in a statement, “Cybersecurity is one of the biggest challenges facing businesses today and this is one of our association’s key priorities.”

Under the Bill of Rights, consumers are entitled to know the types of personal information collected by an insurance company or agent or their contractors. Consumers would have the right to be notified within 60 days if an unauthorized person has seen, stolen or used such information and to receive at least one year’s identity theft protection, as currently required in Connecticut and California. Additionally, insurance companies and agents must have a publicly available privacy policy that includes, among other things, information on what consumers can do if the company doesn’t follow its privacy policy. The Bill of Rights also includes a recitation of the “rights” a person has under current federal law overseen by the Federal Trade Commission if his or her identity is stolen.

Insurance industry participants have raised concerns that the Bill of Rights suggests requirements that go beyond what is currently required in many states. Such concerns will continue to be raised as the Bill of Rights goes through the NAIC approval process to be included in model laws for adoption by states. Until a model law is adopted by a state, the Bill of Rights will have no force of law, and the various interested parties, such as insurance companies, agents and their businesses, will be able to play a role in that adoption process.