
Gramm-Leach-Bliley Frequently Asked Privacy Questions


The following frequently asked questions are provided as a service by the National Association of Insurance Commissioners (NAIC) and do not address specific privacy guidelines that may be issued by individual states.

 

NAIC Privacy of Consumer Financial and Health Information Model Regulation

Overview

The NAIC adopted the Privacy of Consumer Financial and Health Information Model Regulation on September 26, 2000. The model regulation was drafted in response to requirements set forth in Title V of the Gramm-Leach-Bliley Act (P.L. 106-102) (GLBA), which was signed into law by President Clinton on November 12, 1999. GLBA calls on the state insurance regulators to issue regulations protecting the privacy of insurance consumers' personal information. 

The model regulation provides protection for financial and health information about consumers held by insurance companies, agents, and other entities engaged in insurance activities. In general, the model regulation requires insurers to:

(1) notify consumers about their privacy policies;

(2) give consumers the opportunity to prohibit the sharing of their protected financial information with non-affiliated third parties; and 

(3) obtain affirmative consent from consumers before sharing protected health information with any other parties, affiliates and non-affiliates alike. 


The model regulation is now under consideration in the states. Some state insurance regulators may need to secure authorization from their state legislatures before they can promulgate the regulation; others may proceed without state legislative activity. Most states expect to have final privacy regulations promulgated by July 1, 2001.

The following frequently asked questions and answers have been prepared by NAIC staff in order to give some guidance to those interested in learning about how the model regulation works. The answers to these questions are only applicable to the model regulation. They do not represent the views of any particular state insurance regulator. The answers contained herein do not have the force of law and are not meant to supersede any guidance that might be provided by the individual states when they issue their regulations. 


Glossary of Terms

The following terms are used throughout this document: 

"Affiliate" is a company that controls, is controlled by, or is under common control with another company. Under the Gramm-Leach-Bliley Act (GLBA), insurers and banks can become affiliates. 

"Consumers" are individuals who are seeking to obtain, obtaining, or have obtained a product or service from an insurer. For example, an individual who has submitted an application for insurance is a consumer of the company to which he or she has applied, as is an individual whose policy with the company has expired.

"Customers" are consumers with whom insurers have on-going relationships. Policyholders are customers, for example.

"Insurers" are insurance companies, insurance agents, or other entities that are required to comply with the privacy regulation. 

"Nonaffiliated third party" means a company that is not affiliated with an insurer.

"Opt in" means granting affirmative consent to the disclosure of protected information by an insurer. It only applies to health information. An insurer can share protected health information with other entities - including its affiliates or third parties - only if the customer or consumer opts in.

"Opt out" means prohibiting the disclosure of protected information by an insurer. It only applies to financial information. An individual can opt out of the disclosure of his or her protected financial information to third parties.



CONSUMER ISSUES

New Law Governing Insurers Protects Your Privacy

  1. I understand there's a new law that lets banks, securities companies and insurance companies sell each other's products. What does this mean in terms of my own insurance coverage?

    The new law, entitled the Gramm-Leach-Bliley Act (GLBA) after its congressional sponsors, breaks down the regulatory barriers between the banking, securities and insurance industries, allowing these types of companies to merge with each other and to engage in new business activities outside their traditional areas. Your insurance coverage should not be affected by the law, although your insurance company or agent might someday merge with a bank or expand its offerings to include banking products and services, such as loans, credit cards and mutual funds.
  2. I just learned that my insurance company has changed to become a "financial holding company." What does this mean and how does it affect me?

    This means that your insurance company is now permitted by law to start offering bank products such as loans, credit cards and mutual funds. It has either affiliated with an existing bank or is establishing a brand new bank. The bank division will actually be a separate company from the insurance company, but they will be related to each other within a larger holding company structure. Once they are affiliated, the companies are free to share all your personal financial information with each other without your permission. 
  3. Do I need to be worried that my own personal information is being shared or sold without my knowledge or permission by my insurance company or insurance agent?

    Under the GLBA privacy provisions, your insurer cannot share your personal information without your knowledge, but they can disclose your information to certain parties without your permission.

    Knowledge: GLBA and the model regulation require insurance companies, insurance agents, and other financial institutions such as banks to tell you about their policies for disclosing your personal financial information. Insurers are required to provide these privacy notices to you prior to disclosing any of your personal financial information.

    Permission: Insurers are required to give you the opportunity to prohibit the sharing of certain financial information with unrelated companies, called "nonaffiliated third parties," but you may not prohibit the sharing of such information with your insurer's affiliates. In addition, you may not prohibit the disclosure of your personal information to third parties for things like claims processing, fraud investigations, and certain marketing efforts.

    Importantly, the NAIC model privacy regulation also includes special protections for health information. The regulation requires insurance companies and agents to get your affirmative consent before sharing health information with any other entity. 
  4. Given the Internet and the information age, isn't this kind of personal information already public? Why are these new consumer privacy protection rules important? What do they mean for my family and me?

    You are correct that there is a great deal of our personal information "out there" and these new privacy protections are important for that very reason. Financial institutions have ever-increasing amounts of information about their customers, and new technologies are enabling them to utilize this information in new and creative ways. With enactment of GLBA and the integration of banking, securities and insurance, there is concern that consumers could lose even more control over their personal information, and that this information could be used in ways in which consumers do not approve. 

    Of course, most companies value the trust and confidence of their customers, and treat personal information with respect. But even these companies might disclose your information in ways that you do not approve of - selling lists to marketers, for example. 

    For these reasons, Congress included consumer privacy protections in GLBA that set some basic standards that all financial institutions - including insurance companies and agents - must meet. These protections give you some control over the personal information that your financial institutions hold. In addition, by requiring financial institutions to tell you how they are going to disclose your information, Congress intended that you have enough information so that you can take your business elsewhere if you disagree with their disclosure policies.

    The GLBA privacy provisions are embodied in regulations that will be issued by your state insurance commissioner. These regulations will govern how insurance companies and agents will protect your personal information in compliance with GLBA's privacy provisions. The NAIC has drafted a model regulation that will serve as the basis for the privacy regulations issued in most states.

  5. How can an insurer access my personal financial and health information? Do they have to get it from me, or can they get the information through some other means?

    Personal information protected under GLBA and the NAIC model regulation includes information that the company gets from you through your application, as well as information it collects as a result of your dealings with the company through transactions, submitting claims, etc. It also includes information the company gets from consumer reports and by tracking people who have used their Internet site.
  6. What does this information have to do with my insurance policies?

    Insurance companies hold this information because they need it to determine your insurance coverages and premiums and to pay your claims. The information could also be valuable to an insurer's ability to design and sell all sorts of products.

    What Information is Protected under the New Law and Regulation?
  7. Do these new protections apply to all my insurance policies - life, health, automobile, homeowners?

    Generally, these protections apply to all types of insurance policies where the ultimate benefit goes to an individual (as opposed to a commercial entity). The following information is covered by these new protections: 

    * the information held by your car insurer; 
    * the information held by your homeowners insurer; 
    * the information held by your employer's group health plan; 
    * the information held by your life insurer; 
    * the information held by the insurer against which you made a claim related to a car accident; 
    * the information held by the life insurer for a life policy that names you as a beneficiary; 
    * the information held by your employer's workers' compensation insurer.
  8. What information is protected by these privacy rules?

    "Nonpublic personal financial information" and "nonpublic personal health information" are the general categories of information that are protected under the NAIC model regulation. 
  9. What does the term "non-public personal financial information" mean?

    "Non-public personal financial information" is:

    * information that you provide to your insurance company to obtain an insurance product or service (like income, credit history, name and address); 

    * information about you that the insurance company has as a result of a transaction with you involving an insurance product or service between the company and you (like premium payment history, how much your life insurance policy is worth, and the value of personal property insured); and 

    * all other information about you that the insurance company gets in connection with providing a product or service to you.

    It also includes any list that is derived using such information. For example, a list that includes the names and income of an insurer's customers would be protected information.

    Non-public personal information does not include publicly available information. Publicly available information is information that a company can get from a public source, such as a phone book, government records (including mortgage records), and the Internet.
  10. What are some examples of my "non-public personal financial information"?

    Examples of "non-public personal financial information" include:

    * Information you provide in an application, such as your income and assets;
    * Your name, address and telephone number (to the extent such information is not available from a public source);
    * Your name, if it is included in a list of the company's customers;
    * Details regarding your insurance coverage, including the premium you pay, the amount of coverage, etc.;
    * Your premium payment history;
    * Credit information, such as your credit history, that the company obtains from a consumer report.
  11. Does this mean my insurer cannot sell my name, address and telephone number?

    Your name, address and telephone number may or may not be protected depending on the context in which it is disclosed. 

    * If they are included in a list with other customers of the insurer, then they are protected information because it indicates that you are a customer of that insurer. 
    * If they are simply a random list of individuals whose information the insurer collected from public sources, then they are not protected, even if the list includes some of the insurer's customers. 
    * They would likely be considered protected information if they are included with other information such as your income, the amount of your insurance coverage, and your premium payments.
  12. What does the term "non-public personal health information" mean?

    Generally, "non-public personal health information" is any information that identifies you in some way, and includes information about your health, including your past and present physical and mental health, details about your health care, and payment for health care. 
  13. What are some examples of my "non-public personal health information"?

    "Non-public personal health information" would include any document that gives enough information for the reader to identify you and includes information such as:

    * Your medical records, which would have information regarding your general health (if you have a heart condition, asthma, cancer, AIDS, etc.);
    * Information regarding your mental health; and
    * Payment records, which could tell a great deal about your health by indicating, for example, the types of doctors you see, the types of medications you take, and the types of treatments you receive. 

    What are my Rights Under the New Law and Regulation?

  14. What are the rules governing my financial information?

    In general, insurers must: 

    * give you a copy of their privacy policy; and 
    * give you the opportunity to prohibit the sharing of non-public personal information with third parties. 

    Sharing information with affiliated companies is not prohibited, and the regulation contains extensive exceptions permitting the sharing of information for business purposes (like claims management), legal purposes (to comply with regulations and fight fraud, for example), and for certain marketing purposes.

    The timing of your receipt of the privacy and opt out notices will differ depending on your relationship with your insurance companies and agents. 

    * If you are a "consumer" - for example, if you are in the process of applying for insurance - you will only receive the notices if the insurer wishes to disclose your personal financial information to a third party. 
    * At the time you become a "customer" - when an insurance policy is delivered to you, for example - the insurer must provide you with its privacy and opt out notices. Customers are entitled to receive privacy notices annually. 

    The insurer must give consumers and customers 30 days to respond to the opt out notice before sharing information with third parties.
  15. What are the rules governing my health information? 

    Insurers must get your permission prior to disclosing your non-public personal health information to any other party. As with the financial information rules, there are exceptions that permit disclosure for business reasons (such as claims management and underwriting), and for legal reasons (like complying with regulations and fighting fraud).
  16. Why do the rules governing health information differ from the financial information rules? 

    The health rules differ from the financial rules because state insurance regulators believe your health information is more sensitive than financial information and needs greater protections. That's why there is an affirmative consent requirement ("opt in") for health information as opposed to the "opt out" requirement for financial information. And consent is required before an insurer discloses health information to any other party - including affiliates and non-affiliated third parties. The "opt out" for financial information only applies to disclosures to non-affiliated third parties.
  17. Even if I opt out, doesn't the company still need to share my information for certain purposes?

    Yes, insurers will need to share some of your personal information and are permitted to do so whether or not you exercise your opt out and opt in rights. For example, your insurer can share your protected information to set underwriting rates, settle a claim made against your policy, investigate fraud, or comply with a legal order.



    Privacy Notices and Opt Out Notices
  18. When does my insurance company have to tell me about their privacy policy? Should I be worried if I don't receive something soon? 

    Your insurance company is required to inform you of its privacy policy, and give you an opportunity to opt out of the disclosure of your personal financial information to third parties, by July 1, 2001 (or the compliance date set by your state). After that date, your insurance company is required to send you a copy of its privacy policy every year. 

    In addition, if you become a consumer of a different insurance company after the compliance date - by submitting an application to that company, for example - that company must provide you with its privacy notice and an opportunity to opt out prior to disclosing any protected financial information to third parties.

    Finally, although no privacy notices are required regarding health information, starting on the compliance date, insurers must get your permission before disclosing personal health information. 
  19. Do these new rules mean that I have to be given notice about an insurance company's privacy policy before they can sell me an insurance product?

    Generally, insurers will have to provide you with their privacy and opt out notices prior to sharing your personal financial information. However, the exact timing of the delivery of the privacy and opt out notices may differ depending upon your relationship with the company. For example, when you are in the application process, you are entitled to receive the privacy and opt out notices only if the company wishes to share your information. In contrast, once you purchase the policy and it is delivered to you, the company must give you the notices.

    Again, no privacy notices are required regarding health information, but starting on the compliance date insurers must get your permission before disclosing personal health information.
  20. I'm in the process of applying for insurance. If my prospective insurance company is not required to give me a copy of its privacy policy because they don't intend to disclose the information, do I still have a right to request a copy of the policy? Is the company required to provide me a copy upon request?

    You may request a copy of your insurer's privacy policy at any time, but the insurer is not obligated to provide it to you. Insurers are only required to give you their privacy policies under the following circumstances:

    * If you are a consumer, they must provide you a copy prior to disclosing your protected financial information;
    * If you are a customer, they must provide you a copy at the time that you become a customer, and annually thereafter.
  21. I have my life insurance policy with one company, and my auto and homeowners' policies with another company. Will I receive a separate privacy notice for each policy? Will all privacy notices look the same? What should I be looking for when I receive the notice?

    You will receive separate notices from each of the different insurance companies with which you do business, unless the companies are affiliated with each other in a large corporation. In that case, you might only receive one notice for all the policies held by those affiliated companies. The notice must clearly state to which companies and policies it applies.

    Privacy notices will differ from company to company. However, there will be similar elements. First, they must be written so that they are noticeable and so you can read them clearly. For example, they cannot be in small type, hidden on the back side of a page in the middle of a large mailing. Second, they must contain similar information, including:

    * the types of information the insurer collects about you; 
    * the types of information that the insurer discloses; 
    * the types of entities to which the insurer intends to give your information (including affiliates and third parties); 
    * the types of information and the entities to which the insurer intends to give your information for joint marketing purposes; 
    * how the insurer protects the confidentiality and security of your information; and 
    * an explanation of your right to opt out, including how you go about telling the insurer that you do not want your information shared with third parties.
  22. I just received a privacy notice from my insurance company and it's very confusing. What do I do?

    Your insurer should be able to explain to you exactly what their privacy policies mean and exactly what they intend to do with your personal information. In addition, your state insurance regulator can also help you to understand what privacy policies mean, and what protections you can expect under the law. 
  23. I just received a privacy notice from my insurer and initially thought it was junk mail. Isn't there a requirement to separate important information like privacy notices from other mailings?

    Insurers are permitted to include privacy notices with other mailings. However, the privacy information must be written so that it is noticeable and so you can read it clearly. The notices cannot be in small type, hidden on the back side of a page in the middle of a large mailing, for example.
  24. I just received a privacy notice from my insurance company that said they won't disclose any information about me except as permitted by law. This sounds good, but I've got no idea what's permitted by law. Does the law require them to disclose my information?

    Insurers are permitted by law to disclose your information without your permission in a number of situations:

    * They can share personal financial information with affiliated companies without restriction. 
    * They can share protected financial and health information for certain business reasons, including underwriting, settling claims, and investigating fraud. 
    * They could be required by law to disclose your personal financial or health information to an insurance regulator, court, or law enforcement official. 
    * They are permitted to disclose protected financial information without your permission pursuant to joint marketing or servicing agreements. This means that they can enter into agreements with third parties to share your financial information for (1) marketing certain products or services; or (2) hiring the third party to provide services for the insurer, like accounting and claims management.
  25. What happens if I forget to send the opt out form to my insurer within the 30-day time period?

    You may opt out at any time. However, if you fail to return an opt out form to your insurer within the initial 30-day time period, your insurer is permitted to share information with third parties. For example, if you send your insurer an opt out form 6 months after receiving the opt out notice, the insurer must stop disclosing your protected financial information to third parties as soon as the notice is received. But by that time, some of your protected information has probably been disclosed because the insurer has already had 5 months to share your information with third parties.


    Beneficiaries and Claimants
  26. My life insurance policy includes information about my spouse and children because they are my beneficiaries. Is their personal information protected?

    Yes, if an insurer holds protected financial information about a named beneficiary of a life insurance policy and wishes to disclose that information to third parties, the insurer must provide the beneficiary with its privacy policy and the opportunity to opt out. If an insurer holds health information about a named beneficiary of a life insurance policy, the insurer must get the individual's consent prior to sharing that information with any other party.
  27. I was in a car accident and my claim was paid by the other driver's insurer. That company now has information about me that I do not want disclosed. Can I do anything about that?

    Financial Information: Because you are a claimant under the other driver's policy, the other driver's insurance company may not disclose your financial information to third parties without giving you its privacy policy and an opportunity to prohibit such disclosure. The insurer may disclose financial information to its affiliates, however. 

    Health Information: The company may not disclose your health information to any party without your affirmative consent (except as permitted under one or more of the exceptions set out in the regulation).

    Discrimination Prohibited; Reporting Illegal Disclosures
  28. I am fearful of what might happen if I don't want my information shared. Can my insurance company raise my rates or drop my coverage if I opt out and stop the sharing of my financial information? Or if I don't allow the sharing of my health information by refusing to opt in?

    Your insurer cannot discriminate against you for prohibiting the disclosure of your protected personal financial and health information by raising your rates or dropping your coverage. However, you might miss out on some of the benefits that other consumers receive as a result of allowing their personal information to be shared, such as special offers for various products and services.

  29. What should I do if I think my information has been shared inappropriately? Who can help me find out what has happened?

    If your insurance company or agent shares information in violation of their own insurance policy or in violation of the law, you should tell the company or agent and immediately report the violation to your state insurance commissioner. The commissioner has a variety of options under the law to stop illegal sharing of information and punish violations appropriately.

  30. How do I contact my state insurance commissioner?

    The name, address and phone number of every state insurance commissioner is available on the NAIC's website, which is located at www.naic.org. Click on "Insurance Regulators" and then on "Map of Insurance Regulators." Then click on your state, and you will be connected to your state insurance department's website. 


    Agent-Consumer Relationship
  31. I never deal directly with an insurance company. I always go through my agent. Can I still do this? 

    Yes. These new privacy protections have no impact on your ability to work through your agent to obtain insurance coverage.
  32. Do insurance agents have to follow the same rules as companies with respect to my information? 

    Yes, agents are required to comply with the law, just like insurance companies. So if your agent wishes to share your personal financial information with a third party (other than the insurance companies to which you are applying for coverage), the agent must give you a notice and the opportunity to opt out. If the agent wishes to share your health information with other parties (again, excluding insurance companies to which you are applying for coverage), the agent must obtain your consent.

    Note that agents are not required to provide privacy and opt out notices for financial information, or obtain your consent for health information, if they are simply sharing information with insurance