Ins 25.50(1)(a)2.2. A nonaffiliated third party for the purpose of marketing goods or services under the brand name of a licensee under ch. Ins 15, or an affiliate of such a licensee, if the licensee complies with all of the following: Ins 25.50(1)(a)2.b.b. The licensee or its affiliate enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee or its affiliate disclosed the information, including use under an exception in s. Ins 25.55 or 25.60 in the ordinary course of business to carry out those purposes. Ins 25.50(1)(a)2.c.c. The licensee or its affiliate contractually requires the third party to comply with the licensee’s or its affiliate’s standards that are reasonably designed to ensure the quality of the goods or services, and customer services. Ins 25.50(1)(a)2.d.d. The licensee or affiliate enters into a contractual agreement with the third party that requires the third party to implement reasonable safeguards to protect the security and confidentiality of its nonpublic personal financial information and take action that is necessary to enforce those safeguards. Ins 25.50(1)(am)(am) Solicitations. Nothing in this section shall be construed or otherwise permit telephone solicitation which would otherwise be prohibited under s. 100.52, Stats., or subch. V of ch. ATCP 127. Ins 25.50(1)(b)(b) Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee’s contractual agreement with that institution meets the requirements of par. (b) if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in s. Ins 25.55 or 25.60 in the ordinary course of business to carry out that joint marketing. Ins 25.50(2)(2) Service may include joint marketing. The services a nonaffiliated third party performs for a licensee under sub. (1) may include marketing of the licensee’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the licensee and one or more financial institutions. Ins 25.50(3)(3) Definition of “joint agreement”. For purposes of this section, “joint agreement” means a written contract pursuant to which a licensee and one or more financial institutions jointly offer, endorse or sponsor a financial product or service. Ins 25.50 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01; CR: 03-083: am. (1) (a), cr. (1) (am) Register March 2004 No. 579, eff. 4-1-04. Ins 25.55Ins 25.55 Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. Ins 25.55(1)(1) Exceptions for processing transactions at a consumer’s request. The requirements for initial notice in s. Ins 25.10 (1) (b), the opt out in ss. Ins 25.17 and 25.30, and service providers and joint marketing in s. Ins 25.50 do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following: Ins 25.55(1)(a)(a) Servicing or processing an insurance product or service that a consumer requests or authorizes. Ins 25.55(1)(b)(b) Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity. Ins 25.55(1)(c)(c) A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer. Ins 25.55(1)(d)(d) Reinsurance or stop loss or excess loss insurance, including, but not limited to, for the purpose of placing, replacing or making a claim under reinsurance or stop-loss or excess loss insurance. Ins 25.55(2)(2) Processing transaction. “Necessary to effect, administer or enforce a transaction” means that the disclosure is any of the following: Ins 25.55(2)(a)(a) Required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service. Ins 25.55(2)(b)(b) Required, or is a usual, appropriate or acceptable method to accomplish any of the following: Ins 25.55(2)(b)1.1. To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the insurance product or service. Ins 25.55(2)(b)2.2. To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part. Ins 25.55(2)(b)3.3. To provide a confirmation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer or the consumer’s agent or broker. Ins 25.55(2)(b)4.4. To accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party. Ins 25.55(2)(b)5.5. To underwrite insurance at the consumer’s request or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits including utilization review activities, participating in research projects, workers compensation premium audits, workers’ compensation first reports of injury, workers’ compensation loss runs or as otherwise required or specifically permitted by federal or state law. Ins 25.55(2)(b)6.a.a. The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means. Ins 25.55 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.60Ins 25.60 Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information. Ins 25.60(1)(1) Exceptions to opt out requirements. The requirements for initial notice to consumers in s. Ins 25.10 (1) (b), the opt out in ss. Ins 25.17 and 25.30, and service providers and joint marketing in s. Ins 25.50 do not apply when a licensee discloses nonpublic personal financial information under any of the following circumstances: Ins 25.60(1)(a)(a) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction. Ins 25.60(1)(b)1.1. To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction. Ins 25.60(1)(b)2.2. To protect against or prevent actual or potential fraud or unauthorized transactions. Ins 25.60(1)(b)3.3. For required institutional risk control or for resolving consumer disputes or inquiries. Ins 25.60(1)(b)4.4. To persons holding a legal or beneficial interest relating to the consumer. Ins 25.60(1)(b)5.5. To persons acting in a fiduciary or representative capacity on behalf of the consumer. Ins 25.60(1)(c)(c) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors. Ins 25.60(1)(d)(d) To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 USC 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety. Ins 25.60(1)(e)2.2. Disclosure from a consumer report reported by a consumer-reporting agency. Ins 25.60(1)(f)(f) In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit. Ins 25.60(1)(g)1.1. To comply with federal, state or local laws, rules and other applicable legal requirements. Ins 25.60(1)(g)2.2. To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities. Ins 25.60(1)(g)3.3. To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law. Ins 25.60(1)(h)(h) For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation policy. Ins 25.60(2)(2) Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under s. Ins 25.17 (6). Ins 25.60(3)(3) Receivership. This chapter does not apply to a receiver for an insurer subject to a delinquency proceeding under ch. 645, Stats. Ins 25.60 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01; correction in (1) (intro.) made under s. 13.93 (2m) (b) 7., Stats., Register March 2004 No. 579. Ins 25.70Ins 25.70 When authorization required for disclosure of nonpublic personal health information. Ins 25.70(1)(1) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed or unless disclosure of the health information is permitted under ss. 51.30, or 146.81 to 146.84, Stats., or otherwise authorized by law. Ins 25.70(2)(2) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; rate-making and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers compensation policy or program; workers’ compensation premium audits; workers’ compensation first reports of injury; workers’ compensation loss runs; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. department of health and human services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers. A licensee may apply for approval of, and the commissioner may approve additional specific insurance functions that are subject to this subsection if the commissioner finds inclusion is fair and reasonable to the interests of consumers. Ins 25.70 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.73(1)(1) A valid authorization to disclose nonpublic personal health information pursuant to this subchapter shall be in written or electronic form and shall contain all of the following: Ins 25.73(1)(a)(a) The identity of the consumer or customer who is the subject of the nonpublic personal health information. Ins 25.73(1)(b)(b) A general description of the types of nonpublic personal health information to be disclosed. Ins 25.73(1)(c)(c) General descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure and how the information will be used. Ins 25.73(1)(d)(d) The signature of the consumer or customer who is the subject of the nonpublic personal health information or the individual who is legally empowered to grant authority and the date signed. Ins 25.73(1)(e)(e) Notice of the length of time for which the authorization is valid and that the consumer or customer may revoke the authorization at any time and the procedure for making a revocation. Ins 25.73(2)(2) An authorization for the purposes of this subchapter shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than the period permitted if the authorization were subject to s. 610.70 (2) (b), Stats., or twenty-four months, whichever is longer. Ins 25.73(3)(3) A consumer or customer who is the subject of nonpublic personal health information may revoke an authorization provided pursuant to this subchapter at any time, subject to the rights of an individual who acted in reliance on the authorization prior to notice of the revocation. Ins 25.73(4)(4) A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information. Ins 25.73 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.75Ins 25.75 Authorization request delivery. A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to s. Ins 25.25, provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer or included in any other notices unless the licensee intends to disclose protected health information pursuant to s. Ins 25.70 (1). Ins 25.75 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.77Ins 25.77 Relationship to federal rules. Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services, if a licensee complies with all requirements of that rule, regardless of whether it currently applies to the licensee, the licensee shall not be subject to the provisions of this subchapter. Ins 25.77 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.80Ins 25.80 Insurers and agents compliance with s. 610.70, Stats. Ins 25.80(1)(1) An insurer that is subject to s. 610.70, Stats., or an intermediary acting solely as an agent of an insurer subject to s. 610.70, Stats., with respect to health information is not required to comply with this subchapter. An insurer is responsible for the acts or omissions of its agents that constitute violations of s. 610.70, Stats. Ins 25.80(2)(2) For the purposes of s. 610.70 (1) (d), Stats., “insurance that is primarily for personal, family or household purposes” includes group or individual health insurance policies and personal automobile, homeowners, disability and life policies. It does not include workers’ compensation or commercial property and casualty policies. Ins 25.80(3)(3) Nothing in this chapter or s. 610.70, Stats., restricts disclosure of nonpublic personal health information permitted under s. 102.13, Stats. Ins 25.80 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.90(1)(1) A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has opted out from the disclosure of his or her nonpublic personal financial information pursuant to the provisions of this chapter. Ins 25.90(2)(2) A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not granted authorization for the disclosure of his or her nonpublic personal health information pursuant to the provisions of this chapter. Ins 25.90(3)(3) Failure to provide an insurance product or service based on usual and customary insurance underwriting practices and standards is not unfair discrimination under this section, even if such failure is the result of a consumer or customer’s refusal to authorize the disclosure of his or her nonpublic personal information. Ins 25.90 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01. Ins 25.95(1)(1) Applicability. Enforcement under section 505 of the Gramm-Leach-Bliley Act (PL 102-106) is effective only on and after the effective date of this rule. Ins 25.95(2)(a)(a) Phased in notice requirement for consumers who are the licensee’s customers on the compliance date. Beginning on the first day of the fourth month commencing after the after publication of this rule and by not later than June 30, 2002 a licensee shall provide an initial notice, as required by s. Ins 25.10, to consumers who are the licensee’s customers on the first day of the fourth month commencing after the after publication of this rule. Ins 25.95(2)(b)(b) Example. A licensee provides an initial notice to consumers who are its customers on the first day of the fourth month commencing after the after publication of this rule, if, by that date, the licensee has established a system for providing an initial notice to all new customers and if by June 30, 2002 the licensee has mailed the initial notice to all the licensee’s existing customers. Ins 25.95 HistoryHistory: Cr. Register, June, 2001, No. 546, eff. 7-1-01; CR 03-083: r. (3) Register March 2004 No. 579, eff. 4-1-04.
/code/admin_code/ins/25
true
administrativecode
/code/admin_code/ins/25/iv/60
Office of the Commissioner of Insurance (Ins)
administrativecode/Ins 25.60
administrativecode/Ins 25.60
section
true