Frequently Asked Questions - Independent Insurance Agents of Illinois

The Independent Insurance Agents of America, Inc.
FREQUENTLY ASKED QUESTIONS
ABOUT THE CONSUMER PRIVACY REQUIREMENTS
MANDATED BY THE GRAMM-LEACH-BLILEY ACT
(Supplement to IIAA’s SUMMARY OF CONSUMER PRIVACY
REQUIREMENTS MANDATED BY THE GRAMM-LEACH-BLILEY ACT
dated April 16, 2001)
June 20, 2001
These Frequently Asked Questions are not intended to provide specific advice about individual legal, business or other questions. They were prepared solely for use as a guide, and are not a recommendation that a particular course of action be followed. If specific legal or other expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney, should be sought.
The information provided below is based on federal law. States may have adopted more specific requirements, which IIAA members can learn about from their state association.
Frequently Asked Questions
1. Q: What are the GLBA privacy notice requirements for groups covered by the same insurance policy?
A: The GLBA privacy notice requirements for groups covered by the same insurance policy vary from state to state, and depend on the type of insurance product. An insurer providing workers’ compensation through a group plan is only required to provide privacy and opt out notices to a beneficiary of the plan if the insurer shares nonpublic personal information (NPI) about that beneficiary with unaffiliated third parties for a non-excepted purpose. (In this case, the beneficiary is the individual consumer.) If the insurer does not share NPI with unaffiliated third parties, the insurer only needs to provide a copy of its privacy notice to the plan sponsor, but it must do so on an annual basis. It is important to note that state laws differ in their treatment of groups covered by the same insurance policy. Consequently, agents must determine and comply with the requirements of the states in which they do business.
Copyright 2001 ©
Independent Insurance Agents of America, Inc.
All rights reserved.
1
Ver. 062001
2. Q: In the context of group insurance, if the agency is not required to send a privacy notice to the individual insured, does that individual ever receive a privacy notice, and if so, from whom?
A: An individual insured under a group policy is not required to receive a privacy notice from the agency. The agency is only required to provide the policyholder offering the group insurance with a privacy notice, and the policyholder can choose to provide a copy of it to the insured, but is not required to do so. If the individual insured is eligible to opt out of disclosure by the agency to unaffiliated third parties, then the individual must be given an opt out notice by the agency.
3. Q: When an agency writes policies in different states for the same customer/policyholder, which state’s privacy laws govern?
A: An agency must comply with the privacy laws of the state or states in which the risk of loss is located. For example, if a New York agency has a customer/policyholder with a primary residence located in New York and a vacation home in New Jersey, the New York agency must comply with the privacy laws of New York as to the policy on the primary residence and with the privacy laws of New Jersey as to the vacation home. Agencies that conduct business in multiple states may be able to create one privacy notice that complies with the laws of each state in which the agency conducts business.
4. Q: How many privacy notices must an agency send to: (1) an individual customer/policyholder with multiple personal lines policies; and (2) joint customers/policyholders?
A: An agency is required to send only one privacy notice to each customer’s/policyholder’s household, regardless of the number of policies written for that customer/policyholder, provided that the privacy policy applies to all of the customer’s/policyholder’s personal lines placed with the agency. Similarly, an agency is required to send only one privacy notice to one of the joint policyholders, unless any of the other joint policyholders requests his/her own separate notice, in which case whoever requests a separate privacy notice should be provided with one.
5. Q: How many opt out forms must an agency send to: (1) an individual customer/policyholder with multiple personal lines policies; and (2) joint customers/policyholders?
A: An agency is required to send only one opt out form to each customer’s/policyholder’s household, regardless of the number of personal lines policies written for that customer/policyholder, provided that the opt out form (and accompanying privacy notice) covers all of the customer’s/policyholder’s
personal lines placed with the agency. Similarly, an agency is required to send only a single opt out notice if two or more consumers have a joint policy, unless any of the joint customers/policyholders requests a separate opt out notice. If only one opt out notice is sent to joint policyholders, the opt out notice must specify how it treats all policyholders based on an opt out direction by any one of the joint policyholders. For example, will the agency regard an opt out by one of the joint policyholders as applying to all of the joint policyholders, or will the agency regard such an opt out as applying only to that specific joint policyholder? The agency must make a determination in advance as to how to treat the opt out direction on jointly held policies when exercised by fewer than all of the policyholders, and communicate that information in the opt out notice.
6. Q: To whom does an agency that writes life insurance policies send the privacy notice and opt out form? How many notices are required to be sent to a single household if there are several different policyholders who reside at the same address? Does it make any difference if the policyholder is not the insured?
A: For life insurance policies, the policyholder is the “customer” and thus is entitled to the initial and annual privacy notices and opt out form (if applicable because NPI will be shared with unaffiliated third parties for a non-excepted purpose). The beneficiary is a “consumer”, and is only owed a privacy notice and opt out if his/her NPI will be shared with nonaffiliated third parties for a non-excepted purpose. In a household in which multiple policyholders reside, only one privacy notice and opt out form need be sent (see FAQs 4 and 5, above). The regulations, however, do not address the circumstance in which both the policyholder and beneficiary are owed notices and share the same residence. While it may be sufficient in this case to provide a single notice to both, the most prudent course would be to provide separate notices to each.
7. Q: Is professional liability insurance written through an association excluded from GLBA?
A: Yes. GLBA only applies to insurance services or products to be used primarily for personal, family or household purposes. Professional liability insurance is obtained for a business purpose and thus GLBA does not apply.
8. Q: How do GLBA’s privacy requirements apply to insurance agencies and brokers handling surplus or excess lines?
A: GLBA only applies to insurance to be used primarily for personal, family or household purposes. If the surplus or excess lines insurance is for commercial or business purposes, the privacy notice requirements do not apply.
9. Q: How do GLBA’s privacy requirements apply to insurance agencies and brokers handling health insurance?
A: Since health insurance is regarded as a financial product under GLBA, insurance agencies and brokers selling health insurance are considered financial institutions and must comply with GLBA’s privacy provisions in the same way as other agencies subject to GLBA requirements. There may be separate state laws that impose additional privacy protections on consumer health information, so agencies and brokers selling health insurance should familiarize themselves with and comply with applicable state laws. Agencies and brokers also may be required to comply with additional Health Insurance Portability and Accountability Act (HIPAA) privacy rules by April 2003, and IIAA intends to distribute a separate memorandum addressing those requirements.
10. Q: What is the “agent exception” and how does it apply?
A: The “agent exception” is a limited exception to GLBA’s privacy notice requirements. This exception primarily benefits agents who do not share NPI with anyone other than the insurance company (or its affiliates) that the agent represents. In order for the agent exception to apply, the agent must represent another insurance licensee (principal) and the principal must provide the necessary privacy and opt out notices to consumers and customers. The exception applies as long as the agent represents the principal with respect to that customer and no NPI is shared. If the agent solicits competitive bids or renewals, then NPI about that customer will be shared with other insurance companies, and the agent exception is no longer applicable.
11. Q: What is required of a managing general agent under GLBA?
A: GLBA does not impose separate privacy notice requirements on MGAs because the customers of MGAs are the distributors of the insurance products and not the insureds themselves. If, however, an independent agency discloses NPI about a consumer to an MGA, the agency must include this fact in its privacy notice to the consumer, and the MGA may not use it for any non-policy related purpose without providing an opt out notice to the consumer.
12. Q: Are third-party claimants and beneficiaries treated as consumers under GLBA?
A: Under GLBA, consumers include third-party claimants and beneficiaries under life insurance policies and employee benefit plans. If the insurer discloses NPI about the beneficiaries and/or third-party claimants for a non-excepted purpose, the beneficiaries or third-party claimants must receive a privacy notice and opportunity to opt out. If a beneficiary or third-party claimant submits a claim and chooses a settlement option that involves an ongoing relationship with
an insurer, these individuals become “customers” and also are owed an annual privacy notice and opt out notice.
13. Q: When can the “short form” privacy notice be used?
A: The federal rules permit agencies to provide a short form initial privacy notice along with the opt out notice, but only to consumers with whom the agency does not have a customer relationship. The short form notice, along with the opt out, must clearly and conspicuously state that the disclosure containing information about the agency’s privacy policy is available upon request, with directions on how the consumer can obtain a copy. Since state laws may differ from the federal rules regarding the use of short form notices, it is important that agencies understand what is required in the states in which they do business and, if the state laws are more restrictive, comply with them.
14. Q: Must the consumer or customer sign the privacy notice?
A: The federal rules do not require that the privacy notice be signed by consumers or customers. If an agency wants to ensure that its preference for resolving disputes through binding arbitration is followed, then the agency should include an arbitration clause in its privacy notice, and the consumer or customer must sign the privacy notice if the notice is given in written form, and must electronically agree to the privacy notice if it is given electronically.
15. Q: What are the various types of physical, electronic, and procedural safeguards that may be used to protect the customers’ NPI?
A: Examples of physical safeguards include physical security of office space and locking file cabinets. Examples of procedural safeguards include restricting access to files to employees with a need to know the information at issue in order to perform their job duties, compliance audits, and employee training about appropriate treatment of information about customers and consumers. Examples of electronic safeguards include maintaining and protecting information through security-enhancing software (such as intrusion detection software), password protection on database access for employees, and establishment of backup and recovery procedures.
16. Q: Is an agency agreement a “joint marketing agreement” that qualifies for an exception to GLBA’s opt out requirements?
A: An agency agreement can qualify as a joint marketing agreement, but to do so it must contain language that requires the nonaffiliated third party to maintain the confidentiality of the information that the agency discloses. Typical contract clauses that would satisfy this requirement limit the third party’s disclosure or use of NPI to the purpose for which the agency disclosed the information. This limitation is designed to prevent recipients of information under this exception
from sharing NPI pursuant to a chain of third party joint marketing agreements. Because agency agreements impose varying degrees of restrictions on the use and disclosure of NPI by insurance companies, typically through ownership of expirations clauses, it is impossible to determine which agency agreements qualify as joint marketing agreements. Therefore, the most prudent course is for an agency to develop a privacy policy that includes an opt out. It should be noted that for agencies with agency agreements that qualify as joint marketing agreements, the agency must disclose in its privacy notice the categories of third parties with which it shares NPI.
17. Q: What does an agency do if a consumer or customer decides to opt out?
A: The agency must not disclose any of the consumer’s or customer’s NPI to a nonaffiliated third party, except pursuant to an exception.
*****