Ins 25.60(1)(d) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 USC 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety.

Ins 25.60(1)(e)2. Disclosure from a consumer report reported by a consumer-reporting agency.

Ins 25.60(1)(f) In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.

Ins 25.60(1)(g)1. To comply with federal, state or local laws, rules and other applicable legal requirements.

Ins 25.60(1)(g)2. To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities.

Ins 25.60(1)(g)3. To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.

Ins 25.60(1)(h) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation policy.

Ins 25.60(2) Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under s. Ins 25.17 (6).

Ins 25.60(3) Receivership. This chapter does not apply to a receiver for an insurer subject to a delinquency proceeding under ch. 645, Stats.

Ins 25.60 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01; correction in (1) (intro.) made under s. 13.93 (2m) (b) 7., Stats., Register March 2004 No. 579.

Ins 25.70 When authorization required for disclosure of nonpublic personal health information.

Ins 25.70(1) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed or unless disclosure of the health information is permitted under ss. 51.30, or 146.81 to 146.84, Stats., or otherwise authorized by law.

Ins 25.70(2) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; rate-making and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers compensation policy or program; workers’ compensation premium audits; workers’ compensation first reports of injury; workers’ compensation loss runs; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. department of health and human services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers. A licensee may apply for approval of, and the commissioner may approve additional specific insurance functions that are subject to this subsection if the commissioner finds inclusion is fair and reasonable to the interests of consumers.

Ins 25.70 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.73(1) A valid authorization to disclose nonpublic personal health information pursuant to this subchapter shall be in written or electronic form and shall contain all of the following:

Ins 25.73(1)(a) The identity of the consumer or customer who is the subject of the nonpublic personal health information.

Ins 25.73(1)(b) A general description of the types of nonpublic personal health information to be disclosed.
Ins 25.73(1)(c) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used.

Ins 25.73(1)(d) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed.

Ins 25.73(1)(e) Notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.

Ins 25.73(2) An authorization for the purposes of this subchapter shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than the period permitted if the authorization were subject to s. 610.70 (2) (b), Stats., or twenty-four months, whichever is longer.

Ins 25.73(3) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this subchapter at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.

Ins 25.73(4) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information.

Ins 25.73 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.75 Authorization request delivery. A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to s. Ins 25.25, provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer or included in any other notices unless the licensee intends to disclose protected health information pursuant to s. Ins 25.70 (1).

Ins 25.75 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.77 Relationship to federal rules. Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services, if a licensee complies with all requirements of that rule, regardless of whether it currently applies to the licensee, the licensee shall not be subject to the provisions of this subchapter.

Ins 25.77 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.80 Insurers and agents compliance with s. 610.70, Stats.

Ins 25.80(1) An insurer that is subject to s. 610.70, Stats., or an intermediary acting solely as an agent of an insurer subject to s. 610.70, Stats., with respect to health information is not required to comply with this subchapter. An insurer is responsible for the acts or omissions of its agents that constitute violations of s. 610.70, Stats.

Ins 25.80(2) For the purposes of s. 610.70 (1) (d), Stats., “insurance that is primarily for personal, family or household purposes” includes group or individual health insurance policies and personal automobile, homeowners, disability and life policies. It does not include workers’ compensation or commercial property and casualty policies.

Ins 25.80(3) Nothing in this chapter or s. 610.70, Stats., restricts disclosure of nonpublic personal health information permitted under s. 102.13, Stats.

Ins 25.80 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.90(1) A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this chapter.
Ins 25.90(2) A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not granted authorization for the disclosure of his or her nonpublic personal health information pursuant to the provisions of this chapter.

Ins 25.90(3) Failure to provide an insurance product or service based on usual and customary insurance underwriting practices and standards is not unfair discrimination under this section, even if such failure is the result of a consumer or customer’s refusal to authorize the disclosure of his or her nonpublic personal information.

Ins 25.90 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01.

Ins 25.95(1) Applicability. Enforcement under section 505 of the Gramm-Leach-Bliley Act (PL 102-106) is effective only on and after the effective date of this rule.

Ins 25.95(2)(a) Phased in notice requirement for consumers who are the licensee’s customers on the compliance date. Beginning on the first day of the fourth month commencing after the publication of this rule and by not later than June 30, 2002 a licensee shall provide an initial notice, as required by s. Ins 25.10, to consumers who are the licensee’s customers on the first day of the fourth month commencing after the publication of this rule.

Ins 25.95(2)(b) Example. A licensee provides an initial notice to consumers who are its customers on the first day of the fourth month commencing after the publication of this rule, if, by that date, the licensee has established a system for providing an initial notice to all new customers and if by June 30, 2002 the licensee has mailed the initial notice to all the licensee’s existing customers.

Ins 25.95 History: Cr. Register, June, 2001, No. 546, eff. 7-1-01; CR 03-083: r. (3) Register March 2004 No. 579, eff. 4-1-04.
Office of the Commissioner of Insurance (Ins)