Current through Register Vol. 63, No. 12, December 1, 2024
(1) A licensee shall provide an initial
notice as provided in OAR
836-080-0620(1)
and also subsequently when further personal
financial information is collected in connection with a renewal or
reinstatement of a health insurance policy.
(2) A licensee is not required to provide an
initial notice to a consumer for purposes of OAR
836-080-0620 if any of the
following circumstances applies:
(a) If the
licensee does not disclose any nonpublic personal financial information about
the consumer to any nonaffiliated third party other than as authorized by OAR
836-080-0670 and
836-080-0675 and the licensee
does not have a customer relationship with the consumer.
(b) If the licensee has a customer
relationship with the consumer and the consumer consents to the licensee's
searching for health insurance coverage to replace existing coverage or to
perform another health insurance service for the consumer, and if disclosure of
personal financial information of the consumer meets the conditions specified
in OAR 836-080-0670.
(c) If a notice has been provided by an
affiliated licensee, as long as the notice clearly identifies all licensees to
whom the notice applies and is accurate with respect to the licensee and the
other institutions.
(3)
For the purpose of the notice requirement of OAR
836-080-0620, pursuant to which
a licensee shall provide notice of personal financial information practices to
a consumer who becomes a customer of the licensee not later than the date that
the licensee establishes a continuing relationship with the consumer, a
continuing relationship between a licensee and consumer is established when the
consumer, as shown in the following examples:
(a) Becomes a health insurance policyholder
of a licensee that is an insurer, when the insurer delivers a health insurance
policy or contract to the consumer, or in the case of a licensee that is an
insurance producer, obtains health insurance through that licensee;
or
(b) Agrees to obtain financial,
economic or investment advisory services relating to health insurance products
or services for a fee from the licensee.
(4) When an existing customer obtains a new
health insurance product or service from a licensee that is to be used
primarily for personal, family or household purposes, either of the following
provisions may apply to a licensee regarding the initial notice requirements of
OAR 836-080-0620 and:
(a) The licensee may provide a revised policy
notice as provided in OAR
836-080-0655; or
(b) If the initial, revised or annual notice
that the licensee most recently provided to that customer was accurate with
respect to the new health insurance product or service, the licensee does not
need to provide a new privacy notice under OAR
836-080-0620.
(5) A licensee may provide the
initial notice required by OAR
836-080-0620 within a reasonable
time after the licensee establishes a customer relationship if establishing the
customer relationship is not at the customer's election or if providing notice
not later than when the licensee establishes a customer relationship would
substantially delay the customer's transaction and the customer agrees to
receive the notice at a later time. The following are examples of exceptions
for purposes of this section:
(a) Not at the
customer's election: Establishing a customer relationship is not at the
customer's election if a licensee acquires or is assigned a customer's health
insurance policy from another financial institution or residual market
mechanism and the customer does not have a choice about the licensee's
acquisition or assignment.
(b)
Substantial delay of a customer's transaction: Providing notice not later than
when a licensee establishes a customer relationship would substantially delay
the customer's transaction when the licensee and the individual agree over the
telephone to enter into a customer relationship involving prompt delivery of
the health insurance product or service.
(c) No substantial delay of a customer's
transaction: Providing notice not later than when a licensee establishes a
customer relationship would not substantially delay the customer's transaction
when the relationship is initiated in person at the licensee's office or
through other means by which the customer may view the notice, such as on a
website.
(6) When a
licensee is required to deliver an initial privacy notice by OAR
836-080-0620, the licensee shall
deliver it according to
836-080-0660. If the licensee
uses an abbreviated notice according to
836-080-0620, the licensee may
deliver the privacy notice as provided in
836-080-0640(8).
(7) A licensee that uses a standard privacy
notice to comply with the requirements of the federal Gramm-Leach-Bliley Act of
1999 and its implementing regulations for its business as a financial
institution or that uses such a standard privacy notice for its health
insurance business in two or more states may comply with the initial privacy
notice requirement by using either of the following options:
(a) By using the standard privacy notice and
another supplementary privacy notice that includes the elements required by OAR
836-080-0615,
836-080-0620 and
836-080-0650 that are not
contained in the standard privacy notice. The supplementary privacy notice must
prominently and clearly state that any rights an individual may have as
described in that notice are not abridged or limited by the standard privacy
notice that the individual may receive separately.
(b) By using a single Oregon-specific privacy
notice that complies in its entirety with OAR
836-080-0615 and
836-080-0620, if allowed under
federal law.
Stat. Auth.: ORS
731.244 &
746.608
Stats. Implemented: ORS
746.600 &
746.607
