The Insurance Information and Privacy Protection Model Act, also known as Model 670, is one of the several model laws developed by the National Association of Insurance Commissioners (NAIC) - a US-based non-profit standard-setting organization governed by the chief insurance regulators from the 50 states, the District of Columbia, and five US territories.
Several US states, including Arizona, California, Connecticut, Georgia, Illinois, Maine, Massachusetts, Nevada, and others have adopted the Model 670.
Model 670 contains guidelines for agents, insurance institutions, and insurance support organizations related to the collection, usage, storage, and disclosure of information gathered in connection with insurance transactions. These guidelines are designed to proffer the perfect balance between satisfying an insurance business’ needs for user information and guaranteeing appropriate protection for all insurance information.
Individuals are given appropriate rights related to transparency regarding their insurance transactions and the ability to limit who can gain access to such information.
Read on to learn more about whom the law applies to, what obligations it places on agents, insurance institutions, and insurance support organizations, the rights it grants to the public, and the best tools to leverage to gain compliance with the law.
Scope of Model 670
Who Needs to Comply
The law applies to all insurance institutions, agents, and support organizations that engage in the following activities on or after the effective date of the law in a state that has adopted the law (the state):
In the case of life, health and disability insurance
- Those who collect, receive, or maintain information related to insurance transactions concerning natural persons who are residents of the state; or
- Those who engage in insurance transactions with policyholders, applicants, and individuals who are residents of the state.
In the case of property or casualty insurance
- Those that collect, receive, or maintain information related to insurance transactions in connection with policies, contracts, or certificates of insurance that are delivered or are issued for delivery or renewed in the state; or
- Those engage in insurance transactions in connection with policies, contracts, or certificates of insurance that are delivered or issued for delivery or renewed in the state.
Protected Consumers
The rights provided under the law extend to:
In the case of life, health, and disability insurance
- Natural persons who have had their information collected, received, and maintained related to insurance transactions;
- Applicants, policyholders, and individuals seeking to engage in insurance transactions.
In the case of property or casualty insurance
- Natural persons who have had their information collected, received, and maintained in connection with policies, contracts, or certificates of insurance that are delivered or are issued for delivery or renewed in the state; or
- Applicants, policyholders, and individuals who engage in insurance transactions in connection with policies, contracts, or certificates of insurance that are delivered or are issued for delivery or renewed in the state.
An individual will be considered a state resident if their last known mailing address within the insurance institution, agent, or support’s records is located within the state.
Exemption
No provision of the law applies to information collected from the public records of a government body and maintained by an insurance institution or its representatives to insure the title to real property located in the state.
Definitions of Key Terms
Adverse Underwriting Decision
This can refer to the following actions concerning insurance transactions involving insurance coverage that is individually underwritten:
- A declination of insurance coverage;
- A termination of insurance coverage;
- Failure from an agent to apply for insurance coverage with a specific institution when requested by an application;
- For property or casualty insurance:
- Placement of risk with a residual market mechanism, unauthorized insurer, or specialized institution for substandard risks.
- Charging a high rate based on differing information from the applicant or policyholder.
- For life, health, or disability insurance:
- Offer to insure at rates higher than standard.
The following actions, while not adverse underwriting decisions, require the responsible institution or agent to provide specific reasons:
- Termination of an individual policy form on a class or statewide basis,
- Declination of coverage because it is unavailable on a class or statewide basis,
- Rescission of a policy.
Consumer Report
This refers to a form of written, oral, or other communication bearing a person’s creditworthiness, credit standing, credit capacity, character, general reputation, or personal characteristics.
Credit Reporting Agency
This refers to a person who:
- Regularly engages, in whole or in part, in the practice of assembling and preparing consumer reports for a monetary fee;
- Obtains information primarily from sources other than insurance institutions;
- Provides consumer reports to other individuals.
Insurance Institution
This refers to a corporation, association, partnership, reciprocal exchange, inter-insurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the insurance business. This includes all health maintenance organizations and medical and hospital service plans, excluding agents or insurance support organizations.
Insurance Support Organization
This refers to any person who regularly assembles or collects information on individuals to forward such information to an insurance institution or agent for insurance transactions.
This includes:
- Providing consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction;
- A collection of personal information from insurance institutions, agents, or other insurance support organizations to detect or prevent fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.
However, agents, government institutions, insurance institutions, and medical care institutions cannot be considered insurance support organizations.
Obligations for Organizations Under Model 670
An agent or insurance institution is required to provide a notice of information practices to any applicants and policyholders that may be impacted by the insurance transactions.
Timeline for provision of notice
An agent or insurance institution should provide the notice of information practices as per the following timeline:
- In the case of an application for insurance:
- The notice must not be provided later than the time of the delivery of the insurance policy when personal information was collected only from the applicant or public records;
- The notice must not be provided later than at the initiation of personal information collection, specifically when the information is collected from a source other than the applicant or public records.
- In case of a policy renewal, a notice must be given by the policy renewal date unless:
- Personal information collected belongs only to a policyholder or from public records;
- Â A notice meeting all relevant requirements was given in the preceding 24 months.
- In case of policy reinstatement or change in insurance benefits:
-
- A notice is required upon receiving a request for a policy reinstatement or change in insurance benefits received by the insurance institution unless personal information is solely collected from the policyholder or public records.
Content of the notice
The aforementioned notice must be in writing and must state:
- Whether personal information can be collected from other individuals than the individuals proposed for coverage.The types of personal information that may be collected, including their source and the techniques likely to be used in their collection.
- The notice must specify the types of disclosures in Section 13 and the circumstances under which such disclosures may be made without prior authorization. However, it is sufficient to describe only those circumstances that happen frequently.
- A description of all individual rights and how these rights may be exercised.
- Whether information obtained from a report prepared by an insurance support organization may be retained by the insurance support organization and disclosed to other individuals.
Abbreviated notice
Instead of the detailed notice specified above, unless requested by the applicant or policyholder, the insurance institution may provide a brief notice containing the following information:
- That the personal information can be collected from other individuals than the individuals proposed for coverage;
- That any information collected by an agent or insurance institution can be disclosed to third parties in certain circumstances without authorization;
- Information related to individuals’ right to access and correction about all such personal information.
All the aforementioned responsibilities and obligations placed upon an agent or insurance institution may be performed by another institution or agent acting on their behalf.
Surveys
If an insurance institution or agent wishes to conduct surveys related to marketing and research in connection with an insurance transaction, they must outline questions intended solely for marketing or research purposes when collecting information from an individual in relation to an insurance transaction.
An insurance institution, agent, or support organization must seek authorization from an individual before disclosing his/her personal or privileged information to a third party through a disclosure authorization form. The disclosure authorization form should be different from a form or statement used to seek authorization for disclosure of personal or privileged information to the insurance institution, agent, or support organization, and the form should:
- Be written in plain language;
- Be dated;
- Specify the personnel authorized to disclose such information;
- Specify the nature of the information authorized to be disclosed;
- Specify the name of the institution or agent authorized by the individual related to the disclosure of their information;
- Specify the purpose of the initial data collection;
- Specify the length of time the authorization will remain valid, which will not be longer than:
- In case the purpose of the collection was related to an application for an insurance policy, a policy reinstatement, or a request for a change in policy benefits:
- Thirty (30) months from the date of signing for life, health, or disability insurance applications or requests.;
- One (1) year from the date of signing for property or casualty insurance applications or requests.
- In case the purpose of the collection was related to a claim for benefits under an insurance policy:
- The term of the coverage of the policy if the claim is for a health insurance benefit;
- The duration of the claim if the claim is not for a health insurance benefit.
- Advise the individual or person authorized to act on behalf of the individual on how to receive a copy of the authorization form.
Investigative Consumer Reports
Prior to preparing or requesting an investigative consumer report about an individual related to an insurance transaction involving an application for insurance, policy renewal, a policy reinstatement, or a change in insurance benefits, the insurance institution, agent, or insurance support organization must inform the individual of the following:
- The individual may request to be interviewed in relation to the preparation of the investigative consumer report;
- The individual is entitled to receive a copy of the investigative consumer report upon request.
Reasons for Adverse Underwriting Decisions
In case of an adverse underwriting decision, the insurance institution or agent responsible must:
- Provide the applicant or policyholder with specific reasons for the decision in writing or advise such a person to make a request to receive specific reasons in writing;
- Provide the applicant or policyholder with a summary of their rights established under the law.
If the individual submits a written request within ninety (90) business days from the date of the adverse underwriting decision communication, the insurance institution or agent must do so within twenty-one (21) days of receiving the request:
- Furnish the specific reasons for the adverse underwriting decision in writing if such information was not initially provided;
- Provide specific items of information that support such reasons unless:
- The insurance institution or agent has appropriate information available for review by the Commissioner that the individual or policymaker has engaged in criminal activity, fraud, material misrepresentation, or material nondisclosure;
- The requested information contains certain items within the medical information supplied by a third-party medical care institution that would require a special request by the individual or policyholder to provide access to such information.
- Disclose the names and addresses of the institutional sources that supplied the specific items of information. Medical professionals' or institutions' identities may be disclosed to the individual or a designated medical professional based on the insurance entity's preference.
Such obligations can also be fulfilled by another insurance institution or agent acting on behalf of the insurance institution or agent from whom the request has been made. If an adverse underwriting decision occurs solely due to an oral request, the explanation of reasons and summary of rights can also be provided orally.
Disclosure Limitations and Conditions
An insurance institution, agent, or insurance support organization cannot disclose any information related to an individual collected about an insurance transaction except in the following situations.
a. Authorization from the Individual
There is a written authorization from the individual, provided:
- If such authorization is submitted by another insurance institution, agent, or insurance support organization, the authorization should meet all the requirements under this law.
- If such authorization is submitted by a person other than an insurance institution, agent, or insurance support organization, the authorization must be:
- Dated;
- Signed by the individual;
- Obtained one year or less before the date the disclosure has been sought.
b. Disclosure to Non-Insurance Entities
Disclosure to a person other than an insurance institution, agent, or insurance support organization is allowed when it is necessary for the following purposes:
- To allow such a person to conduct a business, professional, or other related insurance function for the insurance institution, agent, or insurance support organization in question, and the person agrees not to disclose the information further without the individual’s consent unless:
- The insurance institution, agent, or insurance support organization permits such a disclosure.
- Such a disclosure is necessary for the person to perform its functions for the insurance institution, agent, or insurance support organization in question.
- To enable such a person to provide further information to the insurance institution, agent, or insurance support organization to:
-
-
- Determine the individual’s eligibility for an insurance benefit.
- Detecting and preventing any potential criminal activity, fraud, material misrepresentation, or material nondisclosure related to the insurance transaction.
c. Limited Disclosure for Risk Management and Operational Functions
Disclosure is permissible to an insurance institution, agent, or insurance support organization, provided the information to be disclosed is limited to what is necessary to:
- detect and prevent any potential criminal activity, fraud, material misrepresentation, or material nondisclosure related to the insurance transaction;
- aid the insurance institution, agent, or insurance support organization in performing its functions related to the insurance transaction.
d. Permissible Disclosure for Medical Care Institution
Information disclosure to medical care institutions is allowed for the following purposes:
- To verify the insurance coverage or benefits.
- To inform an individual suffering from the medical problem in case they are unaware.
- To conduct operations or service audits to verify the individuals treated by a medical professional or medical care institution.
Disclosure of information is permissible when it is made to the following:
- An insurance regulatory authority
- A law enforcement or other authority to:
- Protect the interests of the insurance institution, agent, or insurance support organization in preventing or prosecuting those responsible for fraud.
- Take appropriate actions against individuals whom the insurance institution, agent, or insurance support organization has reasons to believe are involved in illegal activities.
f. To Comply with Legal Requirements and Judicial Orders
Disclosure of Information is allowed in the following situations:
- Permitted or required by law.
- In response to a judicial order such as a search warrant or subpoena.
g. For Actuarial or Research Studies
Personal information may be disclosed when necessary for actuarial or research studies, with the following conditions:
- No individual may be identified during the studies.
- Any material capable of identifying individuals is appropriately returned or destroyed once the study is finished.
- Requested by a body conducting the actuarial or research study agrees not to disclose such information unless permitted by law or by an insurance institution, agent, or insurance support organization.
h. Affiliate Use and Upon CRA Request
Information can be disclosed under the following circumstances:
- To an affiliate whose only use of the information will be in relation to an audit of the insurance institution, agent, or insurance support organization or the marketing of their services.
- Upon request by a consumer reporting agency, provided the disclosure is to a person other than the institution or agent itself.
i. Disclosure to Group Policyholder and Professional Peer Review Organizations
A disclosure of information can be made to:
- A group policyholder to report claims experience or conduct an audit of the insurance institution’s, agent’s, or insurance support organization’s services.
- A professional peer review organization for reviewing the service or conduct of a medical care institution or medical professional.
j. Government Authority for Health Benefits Eligibility
Disclosure may be made to a governmental authority to determine an individual’s eligibility for health benefits, for which the government authority may be liable.
k. Policyholder and Interested Party Inquiries
Information can be disclosed to:
- A certificate holder or policyholder to determine the status of an insurance transaction;
- A Lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance, provided that:
- No medical information is disclosed unless permitted by the insurance institution, agent, or insurance support organization.
- Any information disclosed is reasonably necessary to protect the individual’s interests in such a policy.
- A representative of a party related to a proposed sale, transfer, merger, or consolidation of all or part of the business of the insurance institution, agent, or insurance support organization, provided that:
- Before the sale, transfer, merger, or consolidation of all or part of the business, only relevant information is disclosed when reasonably necessary to enable business decisions;
- The recipient of the disclosed information agrees not to disclose the information further unless permitted by the insurance institution, agent, or insurance support organization.
l. Marketing for a Product or Service
Information can be disclosed to a person whose only use of the disclosed information will be in connection with the marketing of a product or service provided:
- No medical, personal, or privileged information related to the individual’s character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from such information is disclosed.
- The individual was given an appropriate opportunity to indicate their unwillingness to have their personal information disclosed for marketing purposes but has not responded to such a request.
- The person receiving such information agrees not to use such information for any purpose other than marketing the product or service.
Individual Consumer Rights
The rights granted to individuals under the law apply to all natural persons regarding information collected and maintained by an insurance institution, agent, or insurance support organization in connection with an insurance transaction. However, these rights do not extend to information related to or collected in anticipation of a claim or legal proceeding.
If an individual, after proper identification, submits a written request to an insurance institution, agent, or insurance support organization for access to reasonably described and retrievable recorded personal information about them, the entity must, within thirty (30) business days of receiving the request:
- Inform the individual of the nature and substance of their personal information via written, oral, or any other form of communication;
- Allow the individual to personally inspect and copy the recorded personal information or obtain a mailed copy, whichever the individual prefers. If the information is in coded form, provide an accurate translation in plain language in writing;
- Disclose the identity, if recorded, of persons to whom the information has been disclosed within the past two (2) years or, if not recorded, the names of entities to which such information is normally disclosed; and
- Provide the individual with a summary of the procedure for requesting correction, amendment, or deletion of recorded personal information.
Any personal information provided should identify the source if it is an institutional source.
In case the individual requests medical record information supplied by a third-party medical institution or professional, the insurance institution, agent, or insurance support organization must provide such information directly to the individual in addition to the identity of the institution or professional that supplied such personal information related to the individual. If such information is to be provided to a medical professional authorized by the individual, then the insurance institution, agent, or insurance support organization must also notify the individual at the time of the disclosure.
A third party may satisfy these obligations on behalf of an insurance institution, agent, or insurance support organization if such a third party has an appropriate agreement to copy and disclose such information when requested.
The insurance institution, agent, or insurance support organization responding to such requests for access to personal information may charge a reasonable fee to cover the costs of providing copies of such information.
Once an individual makes such a request, the insurance institution, agent, or insurance support organization has thirty business days from the date of the receipt of the request to correct, amend, or delete any recorded personal information within its possession. The insurance institution, agent, or insurance support organization must:
- Correct, amend, or delete the portion of the recorded personal information as requested; or
- Notify the individual about:
- Any refusals related to requested correction, amendment, or deletion requests;
- Reasons for such refusals;
- Rights of individuals related to challenging such refusals.
If the insurance institution, agent, or insurance support organization makes appropriate corrections, amendments, or deletions per the individual’s request, the individual must be notified in writing. Such notifications may be forwarded to:
- Anyone designated by the individual who received such information in the past two years,
- Relevant insurance support organizations that systematically received the information in the last seven years (unless no longer maintained), and
- Any support organization that originally provided the corrected, amended, or deleted information.
In case the individual’s request is denied, the individual can challenge this refusal by filling in the following documents with the insurance institution, agent, or insurance support organization:
- A concise statement highlighting all information the individual believes is correct, relevant, or fair;
- A concise statement of reasons why the individual disagrees with the decision of the insurance institution, agent, or insurance support organization’s refusal of their request.
Once the aforementioned statement has been filed, the insurance institution, agent, or insurance support organization must:
- File a counter-statement with the disputed personal information and provide a mechanism for any reviewing party to access it along with the individual’s statement related to it;
- Provide further information related to their refusal to grant the individual’s request for correction, amendment, or deletion of personal data along with a copy of the disputed personal information;
- Provide a statement to the individual in question and in the manner specified for communication of the personal information that has been corrected, amended, or deleted.
Individual Remedies
The law empowers individuals to seek equitable relief in state or other relevant courts if an insurance entity violates their rights related to adverse underwriting decisions. The entities in violation of the provisions of disclosure limitation and conditions may also be liable for damages not exceeding the actual harm suffered by the individual. The court may award costs and attorney's fees to the prevailing party in actions brought by the individuals.
An action for equitable relief must be initiated by an individual within two years of discovering the violation.
Regulatory Authority
Since insurance is a state-regulated area, the Insurance Commissioner (Commissioner) of the adopting state is the primary regulatory authority for the purposes of Model 670.
The Commissioner has the power to examine and conduct necessary investigations into the affairs of every insurance institution or agent operating in the state to determine whether the insurance institution or agent has engaged in any action that may violate the law.
Furthermore, the Commissioner has the power to conduct similar examinations and investigations into the affairs of insurance support organizations acting on behalf of an insurance institution or agent that transacts business within the state or affects a person within the state owing to a violation of the law.
If the Commissioner has reasonable suspicions that an insurance institution, agent, or insurance support organization has engaged in any behavior that violates the law, the Commissioner must issue a statement of charges and a notice of hearing along with other necessary details to the accused insurance institution, agent, or insurance support organization.
The insurance institution, agent, or insurance support organization subject to the statement of charges will have the opportunity to answer any charges leveled against them and present evidence in their favor.
The Commissioner, during the hearing, has the authority to administer oaths, subpoena witnesses, produce relevant documents to the hearing, and maintain a stenographic record on the party’s request or at its own discretion. Hearings follow state administrative proceedings' rules of evidence and procedure.
The Commissioner can authorize anyone to submit statements of charges, notices, orders, and other processes on its behalf. Such statements of charges, notices, orders, and other processes can be provided in person or via mail. In the latter's case, a verified return setting forth the manner of service or return postcard receipt in the case of registered mail shall be sufficient proof of service.
Penalties for Non-compliance
In case the Commissioner’s investigation finds the insurance institution, agent, or insurance support organization in violation of the law, the offending party will be subject to a monetary penalty of not more than $500 for each violation. However, this amount cannot exceed $10,000 in the event of multiple violations.
Additionally, the Commissioner may issue a cease and desist order. Any insurance institution, agent, or insurance support organization found violating such an order will be subject to further following penalties at the discretion of the Commissioner:
- A monetary fine of not more than $10,000 for each violation;
- A monetary fine of not more than $50,000 if the Commissioner finds that violations have occurred with such frequency as to constitute a general business practice;
- Suspension and subsequent revocation of the agent or institution’s license.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Additionally, it provides organizations access to critical solutions that can help in compliance with all major data regulations.
Its dedicated modules, such as assessment automation, vendor management, privacy notice management, and consent management solutions, among others, can help an organization comply with all its obligations per this law These solutions are designed to be effective and efficient, and their user-friendly user interface allows an incredible degree of ease of use.
Request a demo today and learn more about how Securiti can help your organization's compliance journey.