|Date:||June 19, 2001|
|To:||All insurers licensed to do business in Wisconsin|
|From:||Connie L. O'Connell, Commissioner|
|Subject:||Ch. Ins 25, Wis. Adm. Code|
Privacy of Consumer Financial and Health Information
Ch. Ins 25, Wis. Adm. Code, is based on the National Association of Insurance Commissioners ("NAIC") Privacy of Consumer Financial and Health Information Model Regulation. That model was prepared by the NAIC to meet the requirements of Title V of the federal Gramm-Leach-Bliley Act ("GLB"). Under ch. Ins 25, Wis. Adm. Code, a licensee is required to provide written notice of its privacy policies and practices. The rule describes the conditions under which the licensee may disclose nonpublic personal financial information. Ch. Ins 25, Wis. Adm. Code, establishes requirements for privacy notices.
The rule also establishes restrictions on the sharing of health information. However these restrictions apply only to the extent the information is not already governed by current law. For example, a licensee must comply with s. 610.70, Wis. Stat., with respect to personal medical information related to insurance primarily for personal, family or household needs. Accordingly, the provisions of this rule, ch. Ins 25, Wis. Adm. Code, governing health information, apply primarily to health information relating to claimants against worker's compensation or commercial liability insurance policies.
Ch. Ins 25, Wis. Adm. Code, interprets and implements parts of ss. 600.01, 610.70, 633.17, and 628.34(12), Wis. Stat.
Ch. Ins 25, Wis. Adm. Code, becomes effective July 1, 2001.
In lieu of mailing copies of Ch. Ins 25, Wis. Adm. Code, to licensees, OCI has published the rule on its Internet site (opens in new window).
INSURERS AND OTHER LICENSEES SHOULD CAREFULLY REVIEW THE RULE SINCE IT AFFECTS LICENSEES WHO HANDLE NONPUBLIC PERSONAL FINANCIAL INFORMATION OR NONPUBLIC PERSONAL HEALTH INFORMATION.
If you do not have internet access and need a paper copy of the administrative rule, send a written request along with a stamped, self-addressed envelope to Florence DeLuca, Office of the Commissioner of Insurance, P.O. Box 7873, Madison, WI 53707-7873.
Licensees should refer to the complete rule and statutory cites to understand its definitions and requirements. It should be noted that the rule contains a number of examples to assist in describing its requirements. This bulletin serves to introduce the rule and outlines some of the processes that licensees may need to consider for its implementation.
Section 610.70, Wis. Stat., regulates the disclosure of personal medical information that is obtained from a health care provider, medical institution, individual, spouse, parent, or dependent that is used in an insurance transaction including the determination of eligibility for insurance coverage, benefits or claim payments or the servicing of an insurance application, policy contract or certificate. Insurers should review current authorization forms for disclosure of personal medical information to ensure compliance with s. 610.70 (2), Wis. Stat. Specifically, insurers should verify that release forms reflect proper time frames for which authorizations may be requested and maintained, and how and to whom information may be re-released to other entities or health care providers. Insurers should also verify that they have procedures in place to comply with s. 610.70 (3), Wis. Stat., that allow individuals access to their personal medical information in the possession of the insurer. Procedures are also necessary to implement the notice requirements informing individuals of the right to request a correction, amendment or deletion of personal medical information that is in the insurer's possession. All insurers must also comply with ss. 51.30 and 146.81 to 146.84, Wis. Stat., regarding access to and maintenance of patient health care records.
Ch. Ins 25, Wis. Adm. Code, governs how licensees will treat certain nonpublic personal information. It also requires most licensees to provide notice of their privacy policies to consumers with whom they do business.
The rule defines the notices and other processes that are required by the rule. Requirements for the type and frequency of notices differ depending upon the relationship the licensee has with the consumer and whether the licensee shares the type of information treated by the rule.
Licensees will need to develop procedures and processes to assure compliance with the requirements of the rule. OCI will be reviewing licensees' procedures for compliance with ch. Ins 25, Wis. Adm. Code, and s. 610.70, Wis. Stat., as part of its regulatory processes. Licensees should include establishing the following, in order to achieve compliance with the rule. (Assume below that the term "sharing" means disclosing information to third-parties that is not otherwise excepted by the rule):
- Procedures to provide the appropriate long-form, summary-form, or short-form notices to consumers,
- A method to allow consumers to opt-out of current or future sharing of nonpublic personal financial information,
- A method to limit disclosure of nonpublic personal health information without consent, and
- Security to maintain the privacy of information that is not shared because of company policy, a request to opt-out, or the lack of proper authority to share information.
Licensees should review ch. Ins 25, Wis. Adm. Code, to determine how the requirements apply to current or future activities, and changes in the licensee's privacy policies.
Once the licensee develops its notices, they are to be delivered to the appropriate consumers within the timeframes contained in the rule. Insurers should not file the privacy notices with OCI unless the notices are part of another form that must be filed. In those cases, the form that includes the privacy notice would need to be filed for approval, as would any form that has been changed.
Agents can rely on the notice procedures of the insurance companies they represent as long as the agent does not share the nonpublic personal information as provided by the rule. If the agent shares the information with third-parties in activities that are not excepted by the rule, the agent will be required to issue the same type of notices required of the insurer.
Property and casualty questions should be made of Philip Kress, Property and Casualty Section Chief, at email@example.com or 608-266-0430. Health or life questions should be made of Michael Honeck, Health and Life Section Chief, at firstname.lastname@example.org or 608-266-0097.