Implementation of privacy provisions required by Texas & federal law
In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA), which requires state insurance authorities to adopt requirements regarding the privacy and disclosure of nonpublic personal financial information applicable to the insurance industry. In an effort to aid the states in adopting consistent privacy requirements applicable to the insurance industry, the National Association of Insurance Commissioners (NAIC) developed and adopted a model privacy regulation. Additionally, in 2001, the 77th Texas Legislature enacted SB 712 (codified in Chapter 601 of the Texas Insurance Code), which requires the Commissioner of Insurance to adopt rules consistent with the federal requirements of GLBA. The Department's permanent consumer financial information privacy rules became effective December 17, 2001.
For more information, email LifeHealth@tdi.texas.gov.
Frequently Asked Questions about Financial Privacy Requirements under SB 712 (28 TAC §§22.1-22.26)
Please Note: These FAQs are intended to provide helpful guidance and information. They are not intended to replace or supplement the rules issued by the Department, nor are they intended to limit the applicability of the rules in any way.
Q. Why did the Department adopt these rules?
A. Title V of the Gramm-Leach-Bliley Act (GLBA) requires all state insurance authorities to adopt standards relating to the privacy and disclosure of nonpublic personal financial information applicable to the insurance industry. Additionally, SB 712, enacted during the 77th Legislative Session, requires the Commissioner of Insurance to adopt rules that are consistent with the requirements of GLBA.
Q. What is nonpublic personal financial information, as is referenced in the rules?
A. Nonpublic personal financial information includes personally identifiable financial information about an individual, as well as lists, descriptions, or other groupings of individuals that are derived using personally identifiable financial information that is not publicly available. Nonpublic personal financial information may include information that an entity obtains from an individual's application or information it collects as a result of certain transactions, such as claims submissions or other services. This term also includes information that an entity may obtain from consumer reports or from tracking the identities of individuals who have accessed its Internet site. Nonpublic personal financial information may also include income information, credit history, and premium payment history, and even certain phone numbers and addresses.
The rules, however, do provide for certain exceptions. Health information and information that is publicly available, such as in a phone book or a government record that is open to the public, is not nonpublic personal financial information.
Q. Who must comply with the rules?
A. The rules apply to "covered entities." "Covered entities" include any individual or entity that receives an authorization from the Department, including those entities described by §82.002 of the Texas Insurance Code.
The rules do not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes. Additionally, some covered entities may be exempted from the rules' requirements in certain circumstances. Many of these exceptions are explained herein.
Q. What do the rules require a covered entity to do?
A. In general, the rules require a covered entity to provide certain individuals with notice of its privacy policies and to describe the conditions under which the covered entity may disclose the individual's nonpublic personal financial information to non-affiliated third parties. The rules also require a covered entity to provide a method for those individuals to prevent the covered entity from disclosing their nonpublic personal financial information to non-affiliated third parties. This option is referred to as "opting out."
Additionally, the rules specify that only certain individuals must be provided with these privacy notices and methods of "opting out." The rules identify those individuals by classifying them as "consumers" or "customers."
Q. What does "opting out" mean?
A. "Opting out" is a term that refers to the general standards for the sharing of personal information. Under an "opt out" standard, information about an individual will be shared or disclosed unless the individual notifies the holder of the information that he or she does not want the information shared or disclosed. This is the standard adopted by the Department relating to the sharing and disclosure of nonpublic personal financial information.
Q. Once an individual "opts out," how long does that direction last?
A. An individual's "opt out" direction is effective until the individual revokes it in writing, or electronically, if the individual has agreed to conduct business with an entity through the Internet or through e-mail.
Q. What's an affiliate? What's a non-affiliate? How do the rules apply to these entities?
A. Generally, an "affiliate" is any company that controls, is controlled by, or is under common control with another company. Federal law allows banking, securities, and insurance companies to merge with one another in order to engage in new business activities outside their traditional areas of business. For example, by either affiliating with an existing bank or establishing a new bank, an insurance company may offer banking products such as loans, credit cards, and mutual funds in addition to its traditional insurance products. A banking division created in this fashion will be separate from the insurance company, but the two entities will be "affiliated," meaning that they are related to each other within a larger holding company structure. Under the rules, affiliated parties are permitted to share nonpublic personal financial information with one another without the permission of the individual about whom the information was collected.
In contrast, a "non-affiliate" is an entity that is not an affiliate of, or related to by common ownership or affiliated by corporate control with, the covered entity. The rules apply to the sharing and disclosure of nonpublic personal financial information to non-affiliated third parties.
Q. What must a notice look like?
A. Notices must be conspicuous and clearly written. For example, a notice cannot contain difficult-to-read type or be hidden on the back side of a page in the middle of a large mailing. Notices must also contain particular information, including:
- The types of information the covered entity (CE) collects about an individual;
- How the CE protects the confidentiality and security of the collected information;
- The types of information that the CE discloses;
- The types of entities to which the CE intends to disclose an individual's information (including affiliated and non-affiliated third parties);
- The types of information and the entities to which the CE intends to disclose information for joint marketing purposes; and
- An explanation of the individual's right to "opt out," including a description of how an individual may notify the CE not to disclose his or her nonpublic personal financial information to non-affiliated third parties.
The rules also contain sample notice forms that a covered entity may use, provided that the form accurately reflects the covered entity's actual privacy policies.
Q. If a covered entity does not share or disclose an individual's nonpublic personal financial information, do the rules still apply to that covered entity?
A. In cases involving a covered entity's consumers, the rules do not require a covered entity to take any action as long as the covered entity does not share or disclose the consumer's nonpublic personal financial information. In cases where a covered entity does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about its customers, the rules permit a covered entity to provide simplified notices. The rules also contain provisions relating to covered entities that do not have a consumer or customer relationship.
Q. Does a covered entity have to send a notice to every person the entity has ever had contact with?
A. No. The rules require a covered entity to send appropriate notices to its customers, with whom it had an existing, continuing relationship, as of September 10, 2001. From September 10, 2001, forward, the rules require a covered entity to provide appropriate notices to each new consumer and customer, in compliance with the rules.
Q. What happens if a covered entity does not provide a notice?
A. Failure to provide a required notice is a violation of the rules and is subject to enforcement action by the Department. In addition, enforcement action for unfair trade practices may also be pursued. An individual whose information has been shared in violation of the rules may also bring a civil action against the covered entity, regardless of any action taken by the Department.
Q. Are there times when a covered entity may share or disclose information without providing the notices required by the rules?
A. Yes. The rules generally do not require a covered entity to provide notices or obtain an individual's permission to share or disclose information in order to conduct its ordinary business activities, such as servicing an account, performing claims administration services, or issuing a policy. Information may also be disclosed or shared whenever the covered entity has a legal obligation to do so, such as reporting fraud or providing information in response to a request from the Department. Information may also be shared and disclosed to and with affiliated parties.
Q. What about health information?
A. Nonpublic personal health information is protected under Chapter 602 of the Texas Insurance Code and under the Federal Health Insurance Portability and Accountability Act of 1996. Learn more at CMS.gov.
Consumers, customers, beneficiaries, & claimants
Q. What is a consumer? What notice must a consumer receive under the rules?
A. A consumer is an individual (or an individual's representative) who seeks to obtain, obtains, or has obtained an insurance product or service from a covered entity. For example, an individual who has submitted an application for insurance is a consumer of the company to which he or she has applied, even if a policy is never issued. For purposes of the rules, the following individuals are also considered to be "consumers": a beneficiary of a life insurance policy underwritten by the covered entity; a claimant under an insurance policy issued by the covered entity; an insured under an insurance policy issued by a covered entity; an annuitant under an annuity issued by a covered entity; and a mortgagor of a mortgage covered under a mortgage insurance policy.
The rules require a covered entity to provide a notice to a consumer before the covered entity discloses any nonpublic personal financial information about the consumer to any non-affiliated third parties. The notice must include, among other items, the categories of information the covered entity collects, its policy for maintaining and sharing the information, and an explanation of the consumer's rights to "opt out" of any disclosures to non-affiliated parties.
Q. What is a customer? What notice must a customer receive under the rules?
A. A customer is a consumer who has a continuing or "customer" relationship with a covered entity. For example, once an insurer issues a policy to a consumer, an ongoing relationship is established, and the consumer becomes a customer of the insurer.
The rules require a covered entity to provide a notice to a customer not later than when the covered entity establishes a customer relationship. The notice must include, among other items, the categories of information the covered entity collects, its policy for maintaining and sharing the information, and an explanation of the customer's rights to "opt out" of any disclosures to non-affiliated third parties. Additionally, a covered entity is required to provide an annual notice to a customer throughout the continuance of the customer relationship.
Q. How do the rules relate to a beneficiary or a person who has filed a claim against a policy issued by a covered entity (a claimant)?
A. Generally, a beneficiary or a claimant will be classified as a consumer of a covered entity, unless that beneficiary or claimant has established a separate customer relationship with the covered entity independent of his or her status as a consumer. Because beneficiaries and claimants are generally consumers of a covered entity, the rules require a covered entity that holds nonpublic personal financial information about a named beneficiary or claimant to provide the beneficiary or claimant with a notice, which includes an opportunity to "opt out," before disclosing his or her nonpublic personal financial information to non-affiliated third parties.
Q. Do the rules adopted pursuant to SB 712 apply to HMOs?
A. Yes. An HMO is a covered entity under the rules. As such, any nonpublic personal financial information that an HMO collects about an individual is subject to the provisions of the rules. Such information may include an individual's name, address, social security number, income information, credit history, or premium payment history.
URAs, TPAs and IROs
Q. Are utilization review agents (URAs), third party administrators (TPAs) and independent review organizations (IROs) required to send out notices under the rules?
A. The rules apply to all covered entities, which include entities that hold a license or authorization from the Department. However, the rules provide an exception for certain covered entities, including TPAs and URAs, if they are acting as an agent for, or are providing processing or other services to another financial institution, so long as those covered entities do not share or disclose any information they receive from the financial institution. See 28 TAC §22.4(b)(1). Under the rules, the definition of a financial institution may include covered entities, such as an insurer.
If a covered entity, such as a TPA or URA, does not provide notices to individuals in reliance on the exception described above, but subsequently shares or discloses any nonpublic personal financial information it receives about an individual from another financial institution, that disclosure will be deemed in violation of the rules.
Independent Review Organizations (IROs) don't generally provide personal, family, or household products or services to individuals and don't act on behalf of other covered entities. Additionally, IROs are prohibited from disclosing any personal financial information they receive about an individual whose care is subject to their review by both the Insurance Code and the IRO rules, located at 28 TAC Chapter 12. As such, IROs are not required to provide notices under the rules.
Agents and adjusters
Q. Do the rules apply to agents and adjusters?
A. The rules apply to all covered entities, which include entities that hold a license or authorization from the Department. However, an agent or adjuster does not have to comply with the rule requirements if the agent or adjuster discloses or shares nonpublic personal financial information only with the entity on whose behalf the information was collected, and that entity complies with the rules' requirements itself.
If the agent or adjuster shares or discloses any nonpublic personal financial information with anyone other than the entity on whose behalf the information was collected, the agent or adjuster must then comply with the rules' requirements and provide the appropriate notices required by the rules.
Q. How will an agent know which entities have complied with the rules' requirements so the agent doesn't have to comply with them separately?
A. It is the responsibility of the entity and the agent to determine who will provide the appropriate notices to an individual on behalf of the entity. The rules require an initial notice to be provided to an individual as soon as the individual becomes a covered entity's customer. Some entities may require the agent to provide the initial notice to the individual. Some entities may choose to provide the initial notice themselves. After the initial notice is provided to the individual, it is expected that most entities will maintain the responsibility for providing any annual and revised notices as required by the rule, but it is permitted for the agent to continue to provide any revised and annual notices to the individual on behalf of the entity, as well.
Q. What about independent agents that share or disclose information to several entities in order to obtain the best price quote for a client?
A. As stated previously, the rules apply to all covered entities, which include independent agents. However, the rules provide that an independent agent sharing or disclosing nonpublic personal financial information with multiple entities in order to obtain the best price quote for an individual need not provide notices to the individual. In this situation, it is the responsibility of each entity to comply with the notice requirements of the rule. Note that the individual is considered to be a consumer of each entity to which the individual's information is provided and does not become the customer of any entity until the individual purchases coverage from one of the entities.
If the agent discloses the nonpublic personal financial information to any party other than the entities on whose behalf the information was collected, the agent must then provide that individual with all appropriate notices.
Farm and ranch
Q. Do the rules apply to Farm & Ranch policies?
A. The rules do not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes.