PROPOSED RULEMAKING
INSURANCE DEPARTMENT
[31 PA. CODE CH. 146b]
Privacy of Consumer Health Information
[32 Pa.B. 1406] The Insurance Department (Department) proposes to adopt Chapter 146b (relating to privacy of consumer health information) to read as set forth in Annex A. The proposed rulemaking is made under the general rulemaking authority of sections 205, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P. S. §§ 66, 186, 411 and 412) and under the guidance of section 648 of the Insurance Department Act of 1921 (40 P. S. § 288) (Act 40). Likewise, the proposed rulemaking is made under the Department's rulemaking authority under the Unfair Insurance Practices Act (act) (40 P. S. §§ 1171.1--1171.14) (the authority is further explained in PALU v. Insurance Department, 371 A.2d 564 (Pa. Cmwlth. 1977)), because the Insurance Commissioner has determined that the improper disclosure or marketing, or both, of nonpublic personal health information by members of the insurance industry constitutes an unfair method of competition and an unfair or deceptive act or practice.
Purpose
The purpose of this proposed rulemaking is to adopt Chapter 146b to implement the privacy requirements for nonpublic health information in the National Association of Insurance Commissioners Model Privacy of Consumer Financial and Health Information Regulation (NAIC Model). The privacy requirements for nonpublic financial information in the NAIC Model were promulgated in final-form at 31 Pa.B. 4426 (August 11, 2001) to comply with the requirements in Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.A. §§ 6801--6827).
Background
This proposed rulemaking is modeled from the health information privacy sections of the NAIC Model. For purposes of this proposed rulemaking, the Department will make available a copy of the NAIC Model to the Standing Committees of the Senate and the House and to the Independent Regulatory Review Commission (IRRC). Otherwise, this material is copyrighted and is available from the NAIC upon request. For further information, see the NAIC website at http://www.naic.org. In general, the NAIC Model requires that insurance entities obtain the authorization of a consumer before disclosing nonpublic personal health information relating to that consumer. The Department has chosen to implement the NAIC Model to achieve a level of uniformity among the states because a majority of the states have committed to implementing the NAIC Model, including its health information privacy provisions.
For these reasons, the Department has attempted to implement the health information privacy provisions of the NAIC Model as closely as possible. However, because the Department is promulgating the health information privacy provisions in the NAIC Model separately from the financial privacy requirements and because the Department believed that additional consumer protections were necessary, this proposed rulemaking includes several variations from the NAIC Model. For example, in § 146b.2 (relating to definitions), the Department has modified the definition of ''consumer'' to include persons that meet the definition of either a ''consumer'' or a ''customer'' in the NAIC Model. The NAIC Model distinguishes between these two types of person because each is treated differently with respect to the privacy of their nonpublic personal financial information. However, because there is no distinction between a ''consumer'' and a ''customer'' in the NAIC Model's health privacy provisions, and because the Department is promulgating the NAIC Model's health privacy provisions separately from the financial privacy provisions, the distinction is no longer necessary.
The Department has also made two substantive additions to the NAIC Model's health privacy provisions to provide additional protection to consumers' nonpublic personal health information. For example, the Department has limited the disclosure of nonpublic personal health information for the purpose of carrying out one of the ''insurance function exceptions'' in § 146b.11(b) (relating to authorization required for disclosure of nonpublic personal health information) only ''to the extent that the disclosure of nonpublic personal health information is necessary for the performance'' of the insurance function. This language is not found in the NAIC Model. Finally, the Department also included in § 146b.11(c) a requirement that licensees enter into an agreement with a third party to whom the licensee discloses nonpublic personal health information for the purpose of performing one of the insurance function exceptions to preserve the confidentiality of the information.
In addition, this proposed rulemaking is being promulgated to address several segments of the insurance industry that are not subject to the Federal Health Insurance Portability and Accountability Act (Pub. L. No. 104-191, 110 Stat. 1936) privacy regulation (Federal HIPAA privacy regulation) as promulgated by the United States Department of Health and Human Services (HHS) at 45 CFR Parts 160--164. Although certain licensees such as health insurers will be subject to the Federal HIPAA privacy regulation, other licensees such as life insurers and automobile insurance carriers will not be subject to those regulations. Therefore, this proposed rulemaking is needed to provide privacy protections to all insurance consumers of this Commonwealth. Also, this proposed rulemaking is not intended to constitute duplicative regulation of health information privacy for those licensees that are subject to the Federal HIPAA privacy regulation, as evidenced in the ''self-preemption'' provision in § 146b.21(a) (relating to relationship with other laws). This subsection provides an exemption from the purview of this proposed rulemaking for any licensee that otherwise is compliant with the entire Federal HIPAA privacy regulation.
Preproposal Comments
On August 28, 2001, the Department held an outreach meeting with various trade groups and members of this Commonwealth's insurance industry that could be affected by this proposed rulemaking. The purpose of the meeting was to discuss an initial draft of the Department's health information privacy regulation, which included the deviations from the NAIC Model. In conjunction with that meeting, the Department also permitted the meeting attendees to submit written comments relating to the Department's initial draft of the health information privacy regulation. Written comments were submitted by the following entities and, where applicable, were considered during the design of this proposed rulemaking: the Insurance Federation of Pennsylvania, the Pennsylvania Association of Mutual Insurers, American Family Life Assurance Company of Columbus, Keystone Health Plan Central, Capital Blue Cross, Lucas & McClain, LLP, the Managed Care Association of Pennsylvania, the American Insurance Association, Independence Blue Cross, Highmark, Inc., Pennsylvania Association of Health Underwriters and Alliance of American Insurers. Also, a joint comment was submitted by the Independent Insurance Agents of Pennsylvania and the Pennsylvania Association of Insurance and Financial Advisors.
Copies of the written preproposal comments submitted by these groups are available upon request. The Department has taken these preproposal comments into consideration and, where applicable, the Department made several revisions to its initial draft of the proposed rulemaking based upon those comments for the purpose of this proposed rulemaking.
Explanation of Regulatory Changes
Subchapter A. General provisions.
Section 146b.1 (relating to purpose) contains the purpose and compliance requirements needed to govern the treatment of nonpublic personal health information about individuals in this Commonwealth by all licensees of the Department.
Section 146b.2 contains the definitions of terms that are used in this chapter.
Subchapter B. Rules for disclosure of nonpublic personal health information.
Section 146b.11 contains the requirement that an authorization from the consumer is required before a licensee may disclose a consumer's nonpublic personal health information.
Section 146b.12 (relating to authorizations) contains the general requirements for the contents of the authorizations that are required in § 146a.11.
Section 146b.13 (relating to authorization request delivery) describes the appropriate methods for delivery of a request for authorization by a licensee to a consumer
Subchapter C. Additional provisions.
Section 146b.21 describes the interaction of this proposed rulemaking with other laws of the Commonwealth and the Federal government.
Section 146b.22 (relating to nondiscrimination) provides that a licensee may not unfairly discriminate against a consumer because that consumer has not granted an authorization for the disclosure of nonpublic personal health information.
Section 146b.23 (relating to violation) provides that a contravention of this proposed rulemaking shall be deemed to be an unfair or deceptive act and practice in the conduct of the business of insurance and shall be deemed a violation of the act.
Section 146b.24 (relating to compliance dates) provides that this proposed rulemaking will become effective upon final-form publication in the Pennsylvania Bulletin, and the compliance dates mirror those in the Federal HIPAA privacy regulation.
Fiscal Impact
There will be a fiscal impact as a result of the proposed rulemaking. However, this proposed rulemaking merely fills in any gaps in the insurance industry that are not covered by the Federal HIPAA privacy regulation. Therefore, the adoption of this proposed rulemaking should not have a significant cost impact over what is currently being required by the Federal HIPAA privacy regulation.
Paperwork
Unless specifically executed under the definition of ''licensee'' in § 146b.2, the proposed rulemaking will affect all licensees doing the business of insurance in this Commonwealth by imposing additional paperwork requirements pertaining to the delivery and treating of opt out notices.
Effectiveness/Sunset Date
The proposed rulemaking will become effective upon final-form publication in the Pennsylvania Bulletin, and the compliance dates mirror those in the Federal HIPAA privacy regulation.
Contact Person
Questions or comments regarding this proposed rulemaking may be addressed in writing to Peter J. Salvatore, Regulatory Coordinator, Insurance Department, 1326 Strawberry Square, Harrisburg, PA 17120, within 30 days following the publication of this notice in the Pennsylvania Bulletin. Questions and comments may also be e-mailed to psalvatore@state.pa.us or faxed to (717) 772-1969.
Regulatory Review
Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on March 4, 2002, the Department submitted a copy of this proposed rulemaking to IRRC and the Chairpersons of the Senate Banking and Insurance Committee and the House Insurance Committee. In addition to submitting the proposed rulemaking, the Department has provided IRRC and the Committees with a copy of a detailed Regulatory Analysis Form prepared by the Department in compliance with Executive Order 1996-1, ''Regulatory Review and Promulgation.'' A copy of this material is available to the public upon request.
Under section 5(g) of the Regulatory Review Act, if IRRC has objections to any portion of the proposed rulemaking, it will notify the Department within 10 days of the close of the Committees' review period. The notification shall specify the regulatory review criteria that have not been met by the portion of the proposed rulemaking to which an objection is made. The Regulatory Review Act specifies detailed procedures for review, prior to final publication of the rulemaking, by the Department, the General Assembly and the Governor of objections raised.
M. DIANE KOKEN,
Insurance CommissionerFiscal Note: 11-209. No fiscal impact; (8) recommends adoption.
Annex A
TITLE 31. INSURANCE
PART VIII. MISCELLANEOUS PROVISIONS
CHAPTER 146b. PRIVACY OF CONSUMER HEALTH INFORMATION Subch.
A. GENERAL PROVISIONS
B. RULES FOR DISCLOSURE OF NONPUBLIC PERSONAL HEALTH INFORMATION
C. ADDITIONAL PROVISIONS
Subchapter A. GENERAL PROVISIONS Sec.
146b.1. Purpose. 146b.2. Definitions. § 146b.1. Purpose.
(a) Purpose. This chapter:
(1) Governs the treatment of all nonpublic personal health information about individuals by various licensees of the Department.
(2) Describes the conditions under which a licensee may disclose nonpublic personal health information about consumers to a third party.
(3) Requires licensees to obtain the affirmative consent of consumers prior to disclosing nonpublic personal health information.
(b) Compliance. A licensee domiciled in this Commonwealth that is in compliance with this chapter and Chapter 146a (relating to privacy of consumer financial information) in a state that has not enacted laws or regulations that meet the requirements of Title V of the act of November 12, 1999 (Pub. L. No. 106-102, 113 Stat. 1338) known as the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) (15 U.S.C.A. §§ 6801--827) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.
(c) Examples. The examples provided in this chapter are for illustrative purposes only and do not otherwise limit or restrict the scope of this chapter.
§ 146b.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context requires otherwise:
Act--The Insurance Department Act of 1921 (40 P. S. §§ 1--321).
Commissioner--The Insurance Commissioner of the Commonwealth.
Company--A corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship or similar organization.
Consumer--
(i) An individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information. Examples include:
(A) An individual who provides nonpublic personal health information to a licensee in connection with obtaining or seeking to obtain financial, investment or economic advisory services relating to an insurance product or service, regardless of whether the licensee establishes an ongoing advisory relationship.
(B) An applicant for insurance prior to the inception of insurance coverage.
(C) A beneficiary of a life insurance policy underwritten by the licensee.
(D) A claimant under an insurance policy issued by the licensee.
(E) An insured under an insurance policy or an annuitant under an annuity issued by the licensee.
(F) A mortgagor of a mortgage covered under a mortgage insurance policy.
(G) A participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary.
(H) An individual covered under a group or blanket insurance policy or group annuity contract issued by the licensee.
(I) A claimant in a workers' compensation plan.
(ii) Examples of persons who are not consumers are as follows:
(A) An individual is not a consumer solely because the individual is a beneficiary of a trust for which the licensee is a trustee.
(B) An individual is not a consumer solely because the individual has designated the licensee as trustee for a trust.
(C) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the licensee is acting as agent for, or provides processing or other services to, that financial institution.
Department--The Insurance Department of the Commonwealth.
Federal regulation--The Federal Health Insurance Portability and Accountability Act (HIPAA) privacy regulation as promulgated by the United States Department of Health and Human Services at 45 CFR Parts 160--164.
Financial institution--
(i) An institution the business of which is engaging in activities that are financial in nature or incidental to the financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.A. § 1843(k)).
(ii) The term does not include the following:
(A) A person or entity with respect to a financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C.A. §§ 1--25).
(B) The Federal Agricultural Mortgage Corporation or an entity charged and operating under the Farm Credit Act of 1971 (12 U.S.C.A. §§ 2001--2279cc).
(C) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
Health care--
(i) Preventative, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, procedures, tests or counseling that either:
(A) Relates to the physical, mental or behavioral condition of an individual.
(B) Affects the structure or function of the human body or a part of the human body, including the banking of blood, sperm, organs or other tissue.
(ii) Prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
Health care provider--A physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with the laws of the Commonwealth, or a health care facility.
Health information--Information or data except age, gender or nonpublic personal financial information, whether oral or recorded in a form or medium, created by or derived from a health care provider or the consumer that relates to one or more of the following:
(i) The past, present or future physical, mental or behavioral health or condition of an individual.
(ii) The provision of health care to an individual.
(iii) Payment for the provision of health care to an individual.
Insurance product or service--A product or service that is offered by a licensee under the insurance laws of the Commonwealth. Insurance service includes a licensee's evaluation, brokerage or distribution of information that the licensee collects in connection with a request or an application from a consumer for an insurance product or service.
Licensee--
(i) A licensed insurer, as defined in section 201-A of the act (40 P. S. § 65.1-A), a producer and other persons or entities licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered under the act or The Insurance Company Law of 1921 (40 P. S. §§ 361--991.2361), including health maintenance organizations holding a certificate of authority under section 201 of the Health Care Facilities Act (35 P. S. § 448.201).
(ii) The term does not include:
(A) Bail bondsmen as defined in 42 Pa.C.S. § 5741 (relating to definitions).
(B) Motor vehicle physical damage appraisers as defined in section 2 of the Motor Vehicle Physical Damage Appraiser Act (63 P. S. § 852) and § 62.1 (relating to definitions).
(iii) Subject to subparagraph (iv), the term does not include governmental health insurance programs such as the following:
(A) The Children's Health Insurance Program as provided for in the Children's Health Care Act (40 P. S. §§ 991.2301--991.2361).
(B) The Medicaid program as provided for in sections 441.1--453 of the Public Welfare Code (62 P. S. §§ 441.1--453).
(C) The Medicare+Choice program as provided for in the Balanced Budget Act of 1997, sections 1851--1859, Medicare Part C under Title XVIII of the Social Security Act (42 U.S.C.A. §§ 1395w-21--1395w-29).
(D) The Adult Basic Care program as provided for in Act 77 of 2001 (June 26, 2001). See section 1303 of the Tobacco Settlement Act (35 P. S. § 5701.1303).
(iv) The term includes a licensee that enrolls, insures or otherwise provides an insurance related service to participants that procure health insurance through a governmental health insurance program exempted under subparagraph (iii).
(v) Subject to subparagraph (ii), the term ''licensee'' shall also include a nonadmitted insurer that accepts business placed through a surplus lines licensee (as defined in section 1602 of The Insurance Company Law of 1921 (40 P. S. § 991.1602) (relating to definition of surplus lines licensee)) in this Commonwealth, but only in regard to the surplus lines placements placed under Article XVI of The Insurance Company Law (40 P. S. §§ 991.1601--991.1625).
Nonpublic personal financial information--As defined in § 146a.2 (relating to definitions).
Nonpublic personal health information--
(i) The term means health information that either:
(A) Identifies an individual who is the subject of the information.
(B) There is a reasonable basis to believe could be used to identify an individual.
(ii) The term does not include nonpublic personal financial information.
Producer--An insurance agent or broker licensed or required to be licensed by the Department under the act.
Subchapter B. RULES FOR DISCLOSURE OF NONPUBLIC PERSONAL HEALTH INFORMATION Sec.
146b.11. Authorization required for disclosure of nonpublic personal health information. 146b.12. Authorizations. 146b.13. Authorization request delivery. § 146b.11. Authorization required for disclosure of nonpublic personal health information.
(a) Authorization required. A licensee may not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer whose nonpublic personal health information is sought to be disclosed.
(b) Insurance function exception. Nothing in this section prohibits, restricts or requires an authorization for the disclosure of nonpublic personal health information by a licensee to the extent that the disclosure of nonpublic personal health information is necessary for the performance of one or more of the following insurance functions by or on behalf of the licensee:
(1) Claims administration, including coordination of benefits and subrogation.
(2) Claims adjustment and management.
(3) Detection, prevention, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity.
(4) Underwriting.
(5) Policy placement or issuance.
(6) Loss control.
(7) Ratemaking and guaranty fund functions.
(8) Reinsurance and excess loss insurance.
(9) Risk management.
(10) Case management.
(11) Disease management.
(12) Quality assurance.
(13) Quality improvement.
(14) Performance evaluation.
(15) Provider credentialing verification.
(16) Utilization review.
(17) Peer review activities.
(18) Actuarial, scientific, medical or public policy research.
(19) Grievance and complaint procedures.
(20) Internal administration of compliance, managerial and information systems.
(21) Policyholder service functions.
(22) Auditing.
(23) Reporting.
(24) Database security.
(25) Administration of consumer disputes and inquiries.
(26) External accreditation standards.
(27) The replacement of a group benefit plan or workers compensation policy or program.
(28) Activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit.
(29) An activity that permits disclosure without authorization under the Federal regulation.
(30) Disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes.
(31) An activity otherwise permitted by law, required under governmental regulatory or reporting authority, or to comply with a court ordered warrant, a subpoena or summons issued by a judicial officer, administrative judge, referee, hearing officer or a grand jury subpoena.
(32) Compliance with qualified medical child support Orders.
(33) Preventive service reminders that do not require disclosure of nonpublic personal health information that a consumer has not previously disclosed directly to the recipient of the information.
(c) Insurance functions performed by third parties on behalf of the licensee. A licensee may disclose nonpublic personal health information to a third party not licensed by the Department provided that the licensee enters into an agreement with the third party that prohibits the third party from disclosing or using the nonpublic personal health information for a purpose other than to carry out one or more of the insurance functions identified in subsection (b).
(d) Additional insurance functions. Additional insurance functions may be added with the approval of the Commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers. The addition of insurance functions may be done by publication of a notice identifying the additional insurance functions in the Pennsylvania Bulletin.
§ 146b.12. Authorizations.
(a) Valid authorization contents. A valid authorization to disclose nonpublic personal health information under § 146b.11(a) (relating to authorization required for disclosure of the nonpublic personal health information) shall be in written or electronic form and shall contain all of the following:
(1) The identity of the consumer who is the subject of the nonpublic personal health information.
(2) A general description of the types of nonpublic personal health information to be disclosed.
(3) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used.
(4) The signature of the consumer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed.
(5) Notice of the length of time for which the authorization is valid and that the consumer may revoke the authorization at any time and the procedure for making a revocation.
(b) Duration of authorization. An authorization for the purposes of § 146b.11(a) shall specify a length of time for which the authorization shall remain valid, which may not be for more than 24 months.
(c) Revocation of authorization. A consumer who is the subject of nonpublic personal health information may revoke an authorization provided under this subchapter at any time, subject to the rights of an individual or licensee who acted in reliance on the authorization prior to notice of the revocation.
(d) Record of authorization. A licensee shall retain the authorization and a revocation of the authorization, or copies thereof, for 6 years in the record of the individual who is the subject of nonpublic personal health information.
§ 146b.13. Authorization request delivery.
A request for authorization and an authorization form may be delivered to a consumer as part of a privacy notice delivered under Chapter 146a (relating to privacy of consumer financial information), provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or included in other notices unless the licensee intends to disclose nonpublic personal health information under § 146b.11(a) (relating to authorization required for disclosure of nonpublic personal health information).
Subchapter C. ADDITIONAL PROVISIONS Sec.
146b.21. Relationship with other laws. 146b.22. Nondiscrimination. 146b.23. Violation. 146b.24. Compliance dates. § 146b.21. Relationship with other laws.
(a) Relationship with the Federal regulation. Irrespective of whether a licensee is subject to the Federal regulation, if a licensee complies with the requirements of the Federal regulation, the licensee will not be subject to this chapter.
(b) Relationship with other state law or regulation. Nothing in this chapter preempts or supersedes existing laws or regulations of the Commonwealth that relate to medical records, health or insurance information privacy.
(c) Relationship with the Fair Credit Reporting Act. This chapter will not be construed to modify, limit or supersede the operation of the Federal Fair Credit Reporting Act (15 U.S.C.A. §§ 1681--1681u), and no inference may be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of that act (15 U.S.C.A. § 1681a).
(d) Relationship with section 648 of the act (40 P. S. § 288) (relating to customer privacy). This chapter will not be construed to modify, limit or supersede the operation of section 648 of the act (40 P. S. § 288) (relating to customer privacy).
§ 146b.22. Nondiscrimination.
A licensee may not unfairly discriminate against a consumer because that consumer has not granted authorization for the disclosure of nonpublic personal health information under this chapter.
§ 146b.23. Violation.
Violations of this chapter are deemed and defined by the Commissioner to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to applicable penalties or remedies contained in the Unfair Insurance Practices Act (40 P. S. §§ 1171.1--1171.15).
§ 146b.24. Compliance dates.
(a) Licensees with $5 million or more in annual receipts shall comply with the applicable requirements of this chapter by April 14, 2003.
(b) Licensees with $5 million or less in annual receipts shall comply with the applicable requirements of this chapter by April 14, 2004.
[Pa.B. Doc. No. 02-421. Filed for public inspection March 15, 2002, 9:00 a.m.]
No part of the information on this site may be reproduced for profit or sold for profit.This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.
