HB759: relative to personal health and financial information privacy.

HB 759 - AS INTRODUCED

2003 SESSION

03-0261

09/10

HOUSE BILL 759

AN ACT relative to personal health and financial information privacy.

SPONSORS: Rep. Kurk, Hills 48; Rep. M. Smith, Straf 72; Rep. Pilliod, Belk 31; Rep. Langley, Rock 88; Sen. Flanders, Dist 7; Sen. Martel, Dist 18; Sen. Below, Dist 5

COMMITTEE: Commerce

ANALYSIS

This bill requires an insurance licensee to obtain certain authorization before disclosing nonpublic personal health and financial information about consumers or customers. The bill grants the insurance commissioner rulemaking authority to administer the provisions of the bill.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

03-0261

09/10

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Three

AN ACT relative to personal health and financial information privacy.

Be it Enacted by the Senate and House of Representatives in General Court convened:

1 New Chapter; Personal Health and Financial Information Privacy. Amend RSA by inserting after chapter 406-C the following new chapter:

CHAPTER 406-D

PERSONAL HEALTH AND FINANCIAL INFORMATION PRIVACY

406-D:1 Scope. This chapter governs the treatment of nonpublic personal health and financial information about individuals who seek to obtain or are claimants or beneficiaries of products or services primarily for personal, family, or household purposes from licensees. This chapter does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes.

406-D:2 Definitions. In this chapter:

I. "Affiliate" means any company that controls, is controlled by, or under common control with another company.

II. "Clear and conspicuous" means that a notice is in plain English, reasonably understandable, and designed to call attention to the nature and significance of the information in the notice.

III. "Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

IV. "Commissioner" means the insurance commissioner.

V. "Company" means corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, or similar organization.

VI. "Consumer" means an individual who in this state seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal health information, or that individual's legal representative.

VII. "Control" means the ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons, over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or the power to exercise, directly or indirectly, a controlling influence over the management of policies of the company, as the commissioner determines.

VIII. "Customer" means a consumer who has a customer relationship with a licensee.

IX. "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.

X. "Financial institution" means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843 (k)).

XI. "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843 (k)).

XII. "Insurance product or service" means any product or service that is offered by a licensee pursuant to the insurance laws of this state. Insurance services include a licensee's evaluation, brokerage, or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.

XIII. "Licensee" means all licensed insurers, producers and other persons licensed or required to be licensed or authorized or required to be authorized, or registered or required to be registered pursuant to the provisions of title XXXVII.

XIV. "Nonaffiliated third party" means any company that is an affiliate solely by virtue of the director or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the federal Banking Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

XV. "Nonpublic personal financial information" means any nonpublic personal financial information, or any information regarding a customer that has been derived from a record of a financial institution or insurer concerning insurance premiums, the terms and conditions of insurance coverage, insurance expirations, insurance claims, insurance history, or personal financial information.

XVI. "Nonpublic personal health information" means any nonpublic personal health information regarding a customer that has been derived from a record of a financial institution or insurer concerning insurance premiums, the terms and conditions of insurance coverage, insurance expirations, insurance claims, insurance history, personal medical information, or personal health information.

XVII. "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public.

406-D:3 Disclosure of Information; Opt-in for Nonpublic Personal Health and Nonpublic Personal Financial Information.

I. A licensee shall not disclose nonpublic personal health and nonpublic personal financial information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health and nonpublic personal financial information is sought to be disclosed.

II. Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health and nonpublic personal financial information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers' compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise required by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

406-D:4 Authorization.

I. A valid authorization to disclose nonpublic personal health or nonpublic personal financial information pursuant to this chapter shall be in written or electronic form and shall contain the identity of the consumer or customer who is the subject of the nonpublic personal health or nonpublic personal financial information; a general description of the types of nonpublic personal health or nonpublic personal financial information to be disclosed; a general description of the parties to whom the licensee discloses nonpublic personal health or nonpublic personal financial information, the purpose of the disclosure and how the information will be used; the signature of the consumer or customer who is the subject of the nonpublic personal or nonpublic personal financial health information or the individual who is legally empowered to grant authority and the date signed; and a notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation.

II. An authorization for the purposes of this chapter shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than 24 months.

III. A consumer or customer who is the subject of nonpublic personal health or nonpublic personal financial information may revoke an authorization provided pursuant to this chapter at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation.

IV. A licensee that is subject to examination by this department shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health or nonpublic personal financial information for a period of 6 years from the date the authorization ends or until the examination is completed, whichever is greater.

V. A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-in notice provided that the request and the authorization form are clear and conspicuous.

406-D:5 Redisclosure of Information. The redisclosure of nonpublic personal health or nonpublic personal financial information received by a licensee from any person or entity is limited to that person or entity, or the licensee's affiliates when the information is intended to be used in the ordinary course of business under which the information was originally obtained.

406-D:6 Fair Credit Reporting. Nothing in this chapter shall be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

406-D:7 Nondiscrimination. A licensee shall not discriminate against any consumer or customer because that consumer or customer has not authorized the disclosure of his or her nonpublic personal health or nonpublic personal financial information pursuant to the provisions of this chapter.

406-D:8 Rulemaking. The commissioner shall adopt rules, pursuant to RSA 541-A, relative to the administration of this chapter.

406-D:9 Violation. A violation of this chapter shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state, in violation of RSA 417.

2 Effective Date. This act shall take effect January 1, 2004.