Information privacy and security are high-profile, serious concerns in today's society.1 Incidents of identity theft have been well publicized, and public sensitivity to this problem has increased dramatically in recent years. For the insurance industry, because insurers and producers collect, use and store the financial, health and medical information of insureds, information privacy and security is a particularly vital concern, and an area to which the industry (as well as its regulators and customers) has devoted significant energy and resources. This article addresses the applicability of information privacy and security requirements to the insurance industry.2
For insurers and producers, there are three sources of concern regarding information privacy and security: legal, regulatory and business. Legal concerns related to information privacy and security were established by the Gramm-Leach-Bliley Act of 1999 ("GLBA") and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These statutes address the privacy and security of personal financial information and personal health information, respectively. States have taken an interest as well, enacting privacy and confidentiality statutes of their own that supplement these laws. Regulatory concerns stem from the keen interest in information privacy and security taken by regulatory authorities as part of their normal examinations, and in their review of applications for approval of mergers, acquisitions and other transactions. Business issues include the customer and public relations concerns that arise in the area of privacy and information security, even for companies and activities that might not be subject to the technical requirements imposed by GLBA, HIPAA, state privacy laws, and the regulatory environment. A loss of trust in the ability of an insurer, agent or broker to protect and safeguard the information of its customers could have significant ramifications for the company's prospects in a competitive marketplace.
Implications for Insurance Companies, Agents and Brokers
Information privacy and security requirements have different implications for each segment of the insurance industry. Insurance companies have clear responsibilities under GLBA and, if they issue health products, HIPAA. Agents may be able to rely on the privacy notices and policies of the companies they represent. Brokers typically work with commercial customers and products, and generally do not view themselves as subject to the requirements of GLBA, HIPAA or corollary state requirements.
A. Insurance Companies
Under GLBA, insurance companies engaged in the sale of financial products, such as annuities and certain life insurance products, have to establish GLBA compliant policies and procedures for the collection, safeguarding, accessibility, use and transmittal of consumers' personal financial information. They have to provide privacy notices to consumers, as well as the opportunity for them to opt out of certain information sharing with other entities. GLBA requirements generally are triggered by consumer transactions. However, careful analysis must be done before any insurance company decides it is not subject to these requirements because the insurance company issues only commercial products to commercial customers. Even commercial products can involve the collection of personal financial and health information. For example, where a small business is purchasing insurance, such information may be collected with respect to its principals.
For those insurance companies that issue health products, HIPAA privacy obligations must also be satisfied.3 The HIPAA privacy regulations were designed to govern certain entities (termed "covered entities") that routinely handle patient medical records. Covered entities include "health plans," broadly defined to include any individual or group plan that provides or pays for the cost of health care. Under HIPAA, health plans must use secure systems for storing and transmitting protected health information; notify covered individuals about their privacy rights and how their information can be used; adopt and implement specific privacy procedures; train employees in those procedures; and designate an individual to be responsible for seeing that the privacy procedures are adopted and followed. In addition, before disclosing protected health information to certain subcontractors, a health plan must first enter into a "Business Associate Agreement" with that subcontractor (termed a "Business Associate" under the HIPAA regulations), under which the Business Associate agrees to observe similar privacy and confidentiality standards.
B. Agents
As noted above, agents typically rely on the policies and notices of their appointing carriers, and are not independently obligated to develop privacy and security policies or to send notices. However, the GLBA exemption under which agents may rely on their appointing carriers applies only to the extent that agents collect personal financial and health information in their capacity as agent for an insurer. If an agent, for example, offers other services and collects such information in connection with those services, the agent may independently be required to satisfy the requirements of GLBA. In addition, agents who work with health products may be considered Business Associates under HIPAA. Further, agents are considered an integral part of the privacy and security programs of their appointing insurers. Even absent independent obligations of their own, agents must comply with the policies and procedures of their carriers.
C. Brokers
Typically, insurance brokers represent commercial customers on commercial products. However, just as insurance companies offering such products must analyze their exposure carefully, brokers must consider whether they might, for example, be placing products with small businesses that involve the collection of personal financial or health information of the principals of the insured, or whether they also offer products covering such individuals as an ancillary activity. These activities could subject the broker to the requirements of GLBA and the HIPAA Business Associate rules.
D. Off-Shore and Near-Shore Transfers of Information
An area of increasing concern to the insurance industry is the transmission of personal financial and health information for data processing, claims, billing and other functions to facilities off-shore (for example, in Asia) and near-shore (for example, in Canada and the Caribbean). As in many industries, the insurance industry has increasingly used the services of such facilities to perform an expanding array of functions. In doing so, insurance companies must ensure that their obligations under U.S. law to protect the privacy and security of their customers' personal financial and health information continue to be satisfied. The contracts under which insurance companies engage off-shore and near-shore service providers, and transmit information to them, must take into account the requirements imposed on the U.S. insurers by their own privacy and information security policies and by applicable U.S. federal and state laws.
In addition, many U.S. insurance companies receive data, including personal financial and health information, from overseas operations or affiliates, including information relating to insureds and to employees of the insurer itself and its affiliates. In these cases, the handling of such information must comply both with the U.S. information privacy and security regime and with the requirements of the foreign country or countries from which the information originated.