TDI Commissioner’s Bulletin B-0030-01 – Privacy Provisions

TO: ALL INSURANCE COMPANIES, CORPORATIONS, EXCHANGES, MUTUALS, RECIPROCALS, ASSOCIATIONS, LLOYDS, HEALTH MAINTENANCE ORGANIZATIONS AND OTHER ENTITIES REGULATED BY THE TEXAS DEPARTMENT OF INSURANCE AND AUTHORIZED OR ELIGIBLE TO DO BUSINESS IN TEXAS; AND TO THEIR AGENTS AND REPRESENTATIVES AND THE PUBLIC GENERALLY

Re: Implementation of Privacy Provisions Required by Texas & Federal Law

The purpose of this bulletin is to provide information about the proposed Texas Department of Insurance (the Department) implementation of privacy legislation enacted by the 77th Texas Legislature. A federal law, the Gramm Leach Bliley Act (GLBA), requires state insurance authorities to adopt standards relating to the disclosure of nonpublic personal financial information applicable to the insurance industry. It is up to a state to determine the date by which insurers, HMOs, agents and other entities subject to the regulation by that state’s insurance authority must be in compliance with the standards adopted by the state. GLBA does not impose such a date. In response to GLBA, two bills were enacted during the 77th Legislative Session: SB 712, which relates to privacy of personal financial information held by entities regulated by the Department, and SB 11, which relates to privacy of personal health information, including information held by an entity regulated by the Department.

• SB 712 requires insurers, HMOs, agents and other entities regulated by the Department to comply with the GLBA requirements relating to the disclosure of nonpublic personal financial information. The intent of the bill is that the Commissioner adopt rules based upon a model privacy regulation developed by the National Association of Insurance Commissioners (NAIC) to aid states in adopting consistent privacy requirements for regulated entities. These rules must be adopted within thirty days of the bill’s effective date, which was June 14, 2001. In order to ensure that this deadline can be met, SB 712 expressly authorizes the Commissioner to adopt these rules on an emergency basis.
• In response to SB 712, the Department plans to adopt emergency rules no later than July 13, 2001. These rules, which will be effective immediately, will be patterned after the NAIC model privacy rules and will relate to personal financial information held by insurers, HMOs, agents and other affected entities licensed by the Department. This means that as of the effective date, affected entities must immediately begin to implement privacy policies and procedures consistent with the rules. However, the Department anticipates that the B-0030-01 Page 2 of 2 rules will state that affected entities will not need to provide any required privacy notices until sixty days after the effective date of the rules. The emergency rules will be posted on the Department’s website and published in the Texas Register.
• Contemporaneously with the filing of these emergency rules, the Department will publish proposed rules for public comment prior to final adoption. Since both sets of rules serve the same purpose and will be based on the NAIC model, it is anticipated that the proposal will be substantially similar to the emergency rules.
• SB 11, which takes effect January 1, 2002, provides separate privacy and disclosure requirements for personal health information and directs the Commissioner to adopt health information privacy rules. Accordingly, the Department will propose rules for health information patterned after the NAIC model rule. These rules must also be consistent with federal Health Insurance Portability and Accessibility Act (HIPAA) privacy regulations which apply to health care plans, and other entities regulated by the Department that conduct business relating to health care plans. Although the HIPAA regulations became effective on April 13, 2001, enforcement of the regulations will not begin until April 13, 2003. It is anticipated that the HIPAA regulations may change somewhat prior to their enforcement date. The Department will monitor any new developments concerning the HIPAA privacy regulations and will incorporate the final requirements of these regulations into its rules implementing SB 11.

The Department’s goal is to carry out the privacy mandates of the Texas Legislature by implementing fair and effective regulatory and enforcement requirements that protect consumer privacy and facilitate cooperation and compliance on the part of entities subject to these requirements.

The Department will continue to provide updated and more detailed information on its web site as privacy implementation continues to progress. We recognize the industry’s need for timely and pertinent information and we appreciate your patience as we work through these highly complex and very important issues.

Sincerely,
José Montemayor, CPA
Commissioner of Insurance