Wisconsin Legislature: Ins 25.70

Ins 25.55(2)(b)6. 6. In connection with any of the following:

Ins 25.55(2)(b)6.a. a. The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means.

Ins 25.55(2)(b)6.b. b. The transfer of receivables, accounts or interests therein.

Ins 25.55(2)(b)6.c. c. The audit of debit, credit or other payment information.

Ins 25.55 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.60 Ins 25.60 Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.

Ins 25.60(1) (1) Exceptions to opt out requirements. The requirements for initial notice to consumers in s. Ins 25.10 (1) (b), the opt out in ss. Ins 25.17 and 25.30, and service providers and joint marketing in s. Ins 25.50 do not apply when a licensee discloses nonpublic personal financial information under any of the following circumstances:

Ins 25.60(1)(a) (a) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.

Ins 25.60(1)(b) (b)

Ins 25.60(1)(b)1.1. To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product or transaction.

Ins 25.60(1)(b)2. 2. To protect against or prevent actual or potential fraud or unauthorized transactions.

Ins 25.60(1)(b)3. 3. For required institutional risk control or for resolving consumer disputes or inquiries.

Ins 25.60(1)(b)4. 4. To persons holding a legal or beneficial interest relating to the consumer.

Ins 25.60(1)(b)5. 5. To persons acting in a fiduciary or representative capacity on behalf of the consumer.

Ins 25.60(1)(c) (c) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants and auditors.

Ins 25.60(1)(d) (d) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 USC 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety.

Ins 25.60(1)(e) (e)

Ins 25.60(1)(e)1.1. To a consumer-reporting agency in accordance with the federal Fair Credit Reporting Act (15 USC 1681 et seq.).

Ins 25.60(1)(e)2. 2. Disclosure from a consumer report reported by a consumer-reporting agency.

Ins 25.60(1)(f) (f) In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.

Ins 25.60(1)(g) (g)

Ins 25.60(1)(g)1.1. To comply with federal, state or local laws, rules and other applicable legal requirements.

Ins 25.60(1)(g)2. 2. To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities.

Ins 25.60(1)(g)3. 3. To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.

Ins 25.60(1)(h) (h) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers' compensation policy.

Ins 25.60(2) (2) Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under s. Ins 25.17 (6).

Ins 25.60(3) (3) Receivership. This chapter does not apply to a receiver for an insurer subject to a delinquency proceeding under ch. 645, Stats.

Ins 25.60 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01; correction in (1) (intro.) made under s. 13.93 (2m) (b) 7., Stats., Register March 2004 No. 579.

subch. V of ch. Ins 25 Subchapter V — Health Information

Ins 25.70 Ins 25.70 When authorization required for disclosure of nonpublic personal health information.

Ins 25.70(1) (1) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed or unless disclosure of the health information is permitted under ss. 51.30, or 146.81 to 146.84, Stats., or otherwise authorized by law.

Ins 25.70(2) (2) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; rate-making and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers compensation policy or program; workers' compensation premium audits; workers' compensation first reports of injury; workers' compensation loss runs; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. department of health and human services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers. A licensee may apply for approval of, and the commissioner may approve additional specific insurance functions that are subject to this subsection if the commissioner finds inclusion is fair and reasonable to the interests of consumers.

Ins 25.70 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.73 Ins 25.73 Authorizations.

Ins 25.73(1)(1) A valid authorization to disclose nonpublic personal health information pursuant to this subchapter shall be in written or electronic form and shall contain all of the following:

Ins 25.73(1)(a) (a) The identity of the consumer or customer who is the subject of the nonpublic personal health information.

Ins 25.73(1)(b) (b) A general description of the types of nonpublic personal health information to be disclosed.

Ins 25.73(1)(c) (c) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used.

Ins 25.73(1)(d) (d) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed.

Ins 25.73(1)(e) (e) Notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.

Ins 25.73(2) (2) An authorization for the purposes of this subchapter shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than the period permitted if the authorization were subject to s. 610.70 (2) (b), Stats., or twenty-four months, whichever is longer.

Ins 25.73(3) (3) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this subchapter at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.

Ins 25.73(4) (4) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.

Ins 25.73 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.75 Ins 25.75 Authorization request delivery. A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to s. Ins 25.25, provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer or included in any other notices unless the licensee intends to disclose protected health information pursuant to s. Ins 25.70 (1).

Ins 25.75 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.77 Ins 25.77 Relationship to federal rules. Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services, if a licensee complies with all requirements of that rule, regardless of whether it currently applies to the licensee, the licensee shall not be subject to the provisions of this subchapter.

Ins 25.77 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.80 Ins 25.80 Insurers and agents compliance with s. 610.70, Stats.

Ins 25.80(1)(1) An insurer that is subject to s. 610.70, Stats., or an intermediary acting solely as an agent of an insurer subject to s. 610.70, Stats., with respect to health information is not required to comply with this subchapter. An insurer is responsible for the acts or omissions of its agents that constitute violations of s. 610.70, Stats.

Ins 25.80(2) (2) For the purposes of s. 610.70 (1) (d), Stats., “insurance that is primarily for personal, family or household purposes" includes group or individual health insurance policies and personal automobile, homeowners, disability and life policies. It does not include workers' compensation or commercial property and casualty policies.

Ins 25.80(3) (3) Nothing in this chapter or s. 610.70, Stats., restricts disclosure of nonpublic personal health information permitted under s. 102.13, Stats.

Ins 25.80 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

subch. VI of ch. Ins 25 Subchapter VI — Additional Provisions

Ins 25.90 Ins 25.90 Nondiscrimination.

Ins 25.90(1)(1) A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this chapter.

Ins 25.90(2) (2) A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not granted authorization for the disclosure of his or her nonpublic personal health information pursuant to the provisions of this chapter.

Ins 25.90(3) (3) Failure to provide an insurance product or service based on usual and customary insurance underwriting practices and standards is not unfair discrimination under this section, even if such failure is the result of a consumer or customer's refusal to authorize the disclosure of his or her nonpublic personal information.

Ins 25.90 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.95 Ins 25.95 Effective date.

Ins 25.95(1) (1) Applicability. Enforcement under section 505 of the Gramm-Leach-Bliley Act (PL 102-106) is effective only on and after the effective date of this rule.

Ins 25.95(2) (2) Phase in.

Ins 25.95(2)(a)(a) Phased in notice requirement for consumers who are the licensee's customers on the compliance date. Beginning on the first day of the fourth month commencing after the after publication of this rule and by not later than June 30, 2002 a licensee shall provide an initial notice, as required by s. Ins 25.10, to consumers who are the licensee's customers on the first day of the fourth month commencing after the after publication of this rule.

Ins 25.95(2)(b) (b) Example. A licensee provides an initial notice to consumers who are its customers on the first day of the fourth month commencing after the after publication of this rule, if, by that date, the licensee has established a system for providing an initial notice to all new customers and if by June 30, 2002 the licensee has mailed the initial notice to all the licensee's existing customers.

Ins 25.95 History History: Cr. Register, June, 2001, No. 546, eff. 7-1-01; CR 03-083: r. (3) Register March 2004 No. 579, eff. 4-1-04.