Arkansas Administrative Code
Agency 054 - Arkansas Insurance Department
Rule 054.00.02-001 - Rule And Regulation #74 - Insurance Consumer Financial and Health Information Privacy
Current through Register Vol. 49, No. 2, February 2024
ARTICLE I. GENERAL PROVISIONS
This regulation is promulgated pursuant to the authority granted by Sections 23-61-108, 23-61-113, 23-61-303, and §§ 25-15-203 -204 of the Arkansas Code Annotated, and other applicable laws or rules.
The examples in this regulation and the sample clauses in Appendix A of this regulation are not exclusive. Compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with this regulation.
As used in this regulation, unless the context requires otherwise:
and
PRIVACY NOTICE
"NEITHER THE U.S. BROKERS THAT HANDLED THIS INSURANCE NOR THE INSURERS THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF THE BROKERS OR INSURERS EXCEPT AS PERMITTED BY LAW."
ARTICLE II. PRIVACY AND OPT OUT NOTICES FOR FINANCIAL INFORMATION
ARTICLE III. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION
ARTICLE IV. EXCEPTIONS TO LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION
ARTICLE V. RULES FOR HEALTH INFORMATION
A request for authorization and an authorization form may be delivered to a consumer or a customer as part of an opt-out notice pursuant to Section 10, provided that the request and the authorization form are clear and conspicuous. An authorization form is not required to be delivered to the consumer or customer or included in any other notices unless the licensee intends to disclose protected health information pursuant to Section 17A.
Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services (codified at 45 C.F.R. Parts 160-164) (the "federal rule"), if a licensee complies with all requirements of the federal rule except for its effective date provision, the licensee shall not be subject to the provisions of this Article V.
Nothing in this article shall preempt or supersede existing state law related to medical records, health or insurance information privacy.
ARTICLE VI. ADDITIONAL PROVISIONS
Nothing in this regulation shall be construed to modify, limit or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this regulation regarding whether information is transaction or experience information under Section 603 of that Act.
A violation of this regulation may be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state, in violation of Ark. Code Ann. § 23-66-201, et seq.
If any section or portion of a section of this regulation or its applicability to any person or circumstance is held invalid by a court, the remainder of the regulation or the applicability of the provision to other persons or circumstances shall not be affected.
__________________
MIKE PICKENS
INSURANCE COMMISSIONER
Signed Feb. 10, 2002__________
DATE
APPENDIX A - SAMPLE CLAUSES
Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
A-1-Categories of information a licensee collects (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(1) to describe the categories of nonpublic personal information the licensee collects.
Sample Clause A-1:
We collect nonpublic personal information about you from the following sources:
* Information we receive from you on applications or other forms;
* Information about your transactions with us, our affiliates or others; and
* Information we receive from a consumer reporting agency.
A-2-Categories of information a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use one of these clauses, as applicable, to meet the requirement of Section 7A(2) to describe the categories of nonpublic personal information the licensee discloses. The licensee may use these clauses if it discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16.
Sample Clause A-2, Alternative 1:
We may disclose the following kinds of nonpublic personal information about you:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premiums, and payment history"]; and
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
Sample Clause A-2, Alternative 2:
We may disclose all of the information that we collect, as described [describe location in the notice, such as "above" or "below"].
A-3-Categories of information a licensee discloses and parties to whom the licensee discloses (institutions that do not disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirements of Sections 7A(2), (3), and (4) to describe the categories of nonpublic personal information about customers and former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses. A licensee may use this clause if the licensee does not disclose nonpublic personal information to any party, other than as permitted by the exceptions in Sections 15 and 16.
Sample Clause A-3:
We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.
A-4-Categories of parties to whom a licensee discloses (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(3) to describe the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information. This clause may be used if the licensee discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16, as well as when permitted by the exceptions in Sections 15 and 16.
Sample Clause A-4:
We may disclose nonpublic personal information about you to the following types of third parties:
* Financial service providers, such as [provide illustrative examples, such as "life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and insurance agents"];
* Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and
* Others, such as [provide illustrative examples, such as "non-profit organizations"].
We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.
A-5-Service provider/joint marketing exception
A licensee may use one of these clauses, as applicable, to meet the requirements of Section 7A(5) related to the exception for service providers and joint marketers in Section 14. If a licensee discloses nonpublic personal information under this exception, the licensee shall describe the categories of nonpublic personal information the licensee discloses and the categories of third parties with which the licensee has contracted.
Sample Clause A-5, Alternative 1:
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
* Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, income, and beneficiaries"];
* Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as "your policy coverage, premium, and payment history"]; and
* Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
Sample Clause A-5, Alternative 2:
We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
A-6-Explanation of opt out right (institutions that disclose outside of the exceptions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. The licensee may use this clause if the licensee discloses nonpublic personal information other than as permitted by the exceptions in Sections 14, 15 and 16.
Sample Clause A-6:
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as "call the following toll-free number: (insert number)].
A-7-Confidentiality and security (all institutions)
A licensee may use this clause, as applicable, to meet the requirement of Section 7A(8) to describe its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Sample Clause A-7:
We restrict access to nonpublic personal information about you to [provide an appropriate description, such as "those employees who need to know that information to provide products or services to you"]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.