Debate On Privacy Continues As November Deadline Nears

Nine months after the passage of sweeping financial services reform legislation, insurers are still in the dark about how they will be affected by the consumer privacy provisions outlined in the law. The Gramm-Leach-Bliley Act contains a large section, called Title V, that outlines how financial service holding companies can internally share customer information and restricts how customer information can be shared with another firm.

Under the law, federal agencies were required to set privacy standards by Nov. 12, 2000 for federally regulated banks and securities firms. Those guidelines were established in May, but federal agencies will not enforce the guidelines until July 1, 2001. Insurance companies, on the other hand, are hamstrung by state efforts to draft consumer privacy laws that some industry groups say are more stringent than the federal guidelines.

State action

This year, at least 14 states introduced legislation that would require consumers to give financial institutions permission to share their personal information with another company. This so-called "opt-in" provision differs from the traditional "opt-out" policy, in which consumers request that their personal information not be shared.

Insurance groups are primarily concerned that state legislation containing opt-in provisions for health information would put carriers at a severe disadvantage with other financial services firms.

"Title V of Gramm-Leach-Bliley does not address health information, and Health and Human Services has not finalized HIPAA (Health Insurance Portability and Accountability Act)," explains Michael Lovendusky, assistant general counsel for the American Insurance Association, Washington, D.C. "That inspired a number of states to go forward and draft legislation that goes beyond privacy requirements outlined by federal regulators and by Gramm-Leach-Bliley."

In June, the National Association of Insurance Commissioners issued a draft regulation on privacy of consumer financial and health information. The regulation is intended to satisfy the minimum privacy standards for financial information established by Title V, but it also addresses health information privacy.

Under the draft NAIC regulation, carriers are required to develop privacy policies for health information and provide privacy notices to all policyholders. The NAIC draft recommends that carriers get explicit authorization from policyholders prior to sharing any health information. The NAIC draft supports the "opt-out" provision for financial information.

However, several groups, including the AIA and the National Association of Independent Insurers, are opposed to the opt-in rule.

"We're concerned that the NAIC's proposal for health information goes beyond the privacy rules federal regulators established for financial information and goes above and beyond what is necessary to protect consumers' health information," says Robyn Rowen, senior counsel for the Des Plaines, Ill.-based NAII. "We want a proper balance between state and federal regulations."

Striking a balance

The NAIC's working group on privacy issues is attempting to iron out the objections that other insurance groups have expressed concerning how health information is handled.

Kathleen Sebelius, chairman of the NAIC's Privacy Issues Working Group, reiterated the group's continued support for the "opt-in" provision for health information. However, she says the working group is "substantially revising" sections of the draft regulation that pertain to health information privacy.

Managing consumer information, particularly with the "opt-in" provision for privacy, could be a costly proposition for insurers.

For example, insurers will have to send out notices to all policyholders asking whether or not their personal information can be shared. The NAII is concerned that the "opt-in" provision could prove to be costly, because it will force carriers to develop new information databases.

"Insurers will need a privacy officer to ensure that they are in compliance with the law," Rowen warns. "We need to strike a balance between safeguarding consumer privacy and enabling insurance companies to efficiently and effectively manage their operations."
