
Privacy

Emergence of the Right of Privacy and Information Privacy

The concept of a legal right of privacy is a relatively new concept in American jurisprudence. It is generally agreed that the right of privacy was unknown under early common law. Before 1890, no English or American court granted relief expressly based upon the invasion of such right. However, in 1905, the Supreme Court of Georgia explicitly upheld the right of privacy as a right which stood on its own. From this beginning numerous right to privacy cases were decided during the first half of the 1900s. The dean of American scholars on the law of torts, William Prosser, brought order out of these cases when he concluded that the right of privacy encompassed the following four separate albeit partially overlapping rights.

 

Intrusion—The right of the individual to be protected against unreasonable intrusions into his seclusion or into his private affairs.

Public Disclosure of Private Facts—The right of the individual to be protected against unreasonable public disclosures of embarrassing private facts.

Appropriation—The right of an individual to prevent the appropriation, for another’s advantage, of his name or likeness.

False Light in the Public Eye—The right of an individual to be protected against publicity that places him in a false light in the public eye.

 

Actions undertaken by life insurers, among others, infringing upon these rights became actionable private litigation in most states under common law.

Widespread public interest over privacy rights started to emerge in the latter half of this century as greater and greater amounts of data about individuals began to be collected by both the government and the private sector and such information became readily usable once technological advances enabled such information to be held in computerized form. These developments gave impetus to efforts by individuals to control records of personal information concerning them. These emerging claims to privacy were described to include an individual’s right (1) to be protected against government snooping and secret gathering of personal information, (2) to be protected against the unduly broad collection and retention of personal information by both government and private business interests, (3) to prevent improper use of information appropriately obtained for a specific purpose, and (4) to a reasonable check on the accuracy of existing records. In essence, these claims assert that an individual retains an interest in and rights over information and the use of such information even after such information has ceased to be "private" in the Prosser sense.

With the increased concern over privacy has come expanded scope of what is considered to be encompassed by an individual’s right to privacy. Originally the scope of such right was defined by the judicial decisions setting forth the common law, such as that summarized by Prosser. More recently, aspects of the right of privacy have appeared in federal and state statutes, state constitutions and United States Supreme Court decisions finding the right of privacy implicit in various provisions of the United States Constitution.

In the context of life insurance, the right to privacy in the insurance relationship has come to encompass more than simply restrictions on insurer disclosure of the information collected about an individual; it also involves the broader concept of fair information practices. It is said that there are four important information processes involved in the interrelationship between the individual (and information concerning him) and the insurer which need to be considered.

 

1. Information Collection—What types of information will be collected about the individual? From what sources? Through what means?

2. Information Use—For what purposes is the insurer collecting the information? Will the information be used for other purposes later?

3. Information Maintenance—Where will the information be kept? Will it be kept secure?

4. Information Disclosure—To whom might the insurer disclose the information without the individual’s authorization? For what purpose?

 

Although the public has become increasingly concerned over threats to their personal privacy, both in general and with respect to their relationship with their insurers in particular, a majority would be upset if they were denied products and services that they desire which can only be made available if personal information about them is collected, disclosed and/or used. Consequently, the crucial issue with respect to privacy for individuals in a society which has become increasingly dependent on personal information records "is to seek a proper balance between the individual’s personal privacy interests and society’s information needs."

To establish and/or assure legal protection for privacy rights involving certain information related privacy practices, over the past two decades, many states and the federal government have enacted legislation setting forth standards of conduct and prohibiting certain disclosure practices. These include, for example, state medical confidentiality laws, federal statutes dealing with drug and alcohol abuse programs which provide privacy (confidentiality) safeguards concerning an individual’s records, the Federal Fair Credit Reporting Act, state fair credit reporting acts, financial privacy laws addressing concerns regarding the manner in which banks treat information relating to their customers, and telephone solicitation legislation. With these enactments, the contour of acceptable fair information practices, which seek to balance the rights of individuals with the ability of government and private interest to effectively function, has emerged.

Privacy Legislation and the Insurance Industry

When underwriting, a life insurer typically investigates factors bearing on the insurability of the applicant, especially when the amount of insurance applied for is substantial. Early examples of state legislation affecting the manner in which insurance companies obtain medical information for underwriting and claim purposes are laws which protect the confidentiality of medical information. While applicable to insurer operations, such laws typically are general in nature rather than specifically applying to insurance companies.

In 1970, Congress enacted the Fair Credit Reporting Act (FCRA) having the express purpose

 

to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information. . . . (Emphasis supplied.)

 

Responsibility for enforcement of the Act resides in the Federal Trade Commission. The FCRA expressly states that it does not preempt the application of state law requirements pertaining to the collection, disclosure or use of consumer information except to the extent such laws are inconsistent with the provisions of the FCRA.

The FCRA governs the permissible use of consumer reports. Consumer reports consist of communications of information bearing on a consumer’s credit worthiness, character, general reputation, personal characteristics or mode of living and which are to be used or collected with a view towards establishing the consumer’s eligibility for credit or insurance. To be deemed a consumer report under the Act, it must be prepared by a "consumer reporting agency," defined as an entity which "regularly engages" in the production of reports containing consumer information for the purpose of providing these reports to third parties. An investigative report is a consumer report, or portion thereof, based upon personal interviews with neighbors, friends or associates of the consumer.

Life insurers commonly contract with consumer reporting agencies to prepare investigative reports for underwriting purposes. However, insurers shall not cause an investigative report to be prepared unless the FCRA procedural requirements are complied with. First, the insurer must disclose in writing to the consumer that an investigative consumer report may be undertaken. Second, upon request of the consumer, the insurer shall make a complete and accurate disclosure of the nature and the scope of the investigation requested. Third, if the user of the consumer report, that is, an insurer, bases an adverse action on information contained therein, the insurer must so inform the consumer and supply the name of the agency making the report. Fourth, a consumer reporting agency is required to disclose the nature and the substance of all information (other than medical information) in its file to the individual upon request by that person. The FCRA provides for both civil and criminal penalties for violations. A user who willfully fails to comply with the Act’s requirements may be liable for actual damages, punitive damages, court costs and reasonable attorneys’ fees when the consumer’s action to enforce liability is successful. Liability for negligent noncompliance is not subject to punitive damages. A person who knowingly procures information about an individual under false pretenses is subject to a monetary fine and/or imprisonment as is an officer or employee of a consumer reporting agency who knowingly provides information to unauthorized persons.

As a result of the FCRA, insurers have changed the manner of ordering investigative reports in connection with underwriting new business. For example, insurers now commonly include in their application forms for insurance a notification advising the applicant of the possibility that an investigative report might be procured and of the applicant’s rights under the Act if such a report is in fact obtained.

Privacy concerns were further exacerbated by Watergate which led to congressional enactment of the Privacy Act of 1974. There was little disagreement over the need for enforceable individual rights as to personal information possessed by federal agencies. Consequently, the Act imposed restrictions on federal agency collection, use and disclosure of personally identifiable information as well as granting access to and correction of such information by the individual concerned.

There was also considerable debate as to whether such principles should be legislatively extended to private sector record keeping relationships. As a result, the Privacy Protection Study Commission was established to make recommendations with respect to privacy laws and regulations concerning the private sector. The final report of the Commission was transmitted to the President and Congress in 1977. It included one chapter devoted to insurance relationships. Like the Commission’s theme for other segments of the economy, the insurance recommendations revolved around the public objectives of (1) minimizing intrusiveness, (2) maximizing fairness and (3) creating an enforceable expectation of confidentiality.

Following the Privacy Commission’s report, federal privacy initiatives for insurance were being considered during President Carter’s administration and within Congress. However, through the NAIC, the states responded with the development and adoption of a model privacy act. By the summer of 1980, the federal insurance privacy initiatives faded away.

NAIC Model Privacy Act

The NAIC Model Insurance Information and Privacy Protection Model Act (sometimes referred to as the Model Privacy Act) was adopted by the NAIC in 1979 (followed by some immediate amendments through 1981). Although the Privacy Commission report served as a starting point, the NAIC task force considering the issue was more influenced by the philosophy of the Commission than the actual language contained in its 17 recommendations. Furthermore, while guided by the three overall objectives to minimize intrusiveness, maximize fairness and create an enforceable expectation of confidentiality, the NAIC concentrated on fairness. In addition to the competing general public policy interests, the NAIC also needed to balance the numerous competing interests encompassed within the insurance relationship itself. These included the purpose of insurance protection (commercial and personal), the specific line of insurance, the size of the insurer, the type of transaction (underwriting and claims), the type of insurance person (insurer, agent and support institution), status of the insured person (named insured, policyholder, beneficiary and third-party claimant), the type of information (medical, sensitive personal and nonsensitive personal information), marketing method (direct writer, independent agent and exclusive agent), type of policy (group and individual), and the type of statutory enforcement mechanism (private right and administrative process). The NAIC sought to strike a reasonable balance between the legitimate needs of the insurance industry for information, on the one hand, and the public’s need for fairness in the insurance information practices and the protection of personal privacy, on the other. As of 1994 approximately 15 states had adopted some form of privacy regulation, most of which is patterned after the NAIC Model Act.

Scope

At the outset it should be noted that the Model Privacy Act applies to insurance transactions involving insurance for personal family and household needs rather than business or professional situations. Second, while the various notice requirements apply to transactions after the effective date of the Act, the Act does cover information collected both before and after such date (for example, accesses and correction sections as well as disclosure limitations). Furthermore, the obligations imposed by the Act apply to insurers, agents and/or insurance support organizations (such as the Medical Information Bureau discussed below) which collect, receive or maintain information in connection with insurance transactions pertaining to natural persons or which engage in insurance transactions with applicants, individuals or policyholders. The rights extend to natural persons who are subject to information collected, received or maintained in connection with insurance transactions and to applicants, individuals or policyholders who engage in insurance transactions.

Pretext Interviews

Insurers often seek considerable information about individuals during investigations conducted for underwriting and claims purposes. Much of such information is obtained by interviews with a variety of persons such as the applicant, the insured, the beneficiary, third-party claimants, friends, neighbors, business associates, etc. Of particular concern are pretext interviews, that is, attempts to obtain information by pretending to be someone the person is not, pretending to represent someone when such is not true, or misrepresenting the true purpose of the interview.

The Act imposes severe limits on the use of pretext interviews. They are prohibited except when utilized to investigate claims when there is a reasonable basis for suspecting fraud, material misrepresentation or material nondisclosure. Furthermore, the basis for the insurer’s suspicion is subject to review by the insurance commissioner, thereby providing additional protection against unwarranted pretext interviews.

Notice of Information Practices

Since individuals typically are uninformed as to insurance information practices, they are not well positioned to evaluate the benefits of obtaining the insurance vis-à-vis the potential for intrusions on their privacy. Consequently, the Act requires notification of the insurer’s information practices at a time that is both practical for the insurer or agent and timely for the applicant or the policyholder. The Act recognizes that timely notification varies depending upon the nature of the transaction involved and the manner in which the insurance is either solicited or sought.

To strike a balance between the cost burden placed on insurers and agents on the distribution of the notice of information practices and the need of the applicants and policyholders to know or find out the relevant information, the Act permits the use of an abbreviated notice containing basic information coupled with a statement that a more detailed notice is available upon request. The abbreviated notice must state that personal information may be collected from others, such information may be disclosed to third parties without authorization, a right of access to and correction of personal information exists, and a detailed notice of information practices is available upon request. The detailed notice must state whether personal information may be collected from third persons; the type of information, the sources and techniques which may be used; the types and circumstances of disclosure of such information which may be made without authorization; a description of the rights of access to and correction of information; and the fact that information in any report prepared by an insurance support organization may be retained by that organization and disclosed to other persons. If an insurer deems it suitable to its method of operation, the notice of information practices may be included in their application form for insurance or in the policy itself.

Marketing and Research Surveys

Although most persons assume that a question asked must be answered, insurers and agents not uncommonly collect information for marketing or research purposes as distinguished from claims and underwriting purposes. The Act requires that an individual must be advised when a request for information is solely for such purposes.

Disclosure Authorization

In the past, forms used by insurers to obtain authorization for the release of information were sometimes overly broad and vague with the result that the individual did not realize the scope of the information that others could obtain, the use to which such information could be put, and the period of time for which the authorization extended. Consequently, the Act establishes standards with which the disclosure authorization form must comply. The form must be written in plain language, be dated, specify the types of persons authorized to disclose information about the individual, specify the nature of the information authorized to be disclosed, identify to whom the individual is authorizing the information to be disclosed, and specify the purposes for which the information is collected. Furthermore, the Act requires that disclosure authorizations be specific as to the length of time they remain valid and establishes maximum statutory limits on such length.

Investigative Consumer Report

Insurers use investigative consumer reports to verify information supplied by individuals and to develop information as to the person’s character, general reputation, manner of living, etc. Such inquiry and evaluation of necessity involves subjective judgments. In the past, an individual possessed no means of control over the content or accuracy of the information obtained through an investigative consumer report until after the report was completed and delivered to the user. To address this problem, the Model Act requires that no insurer, agent or insurance support institution may prepare or obtain an investigative consumer report about an individual in connection with an application for insurance, a policy renewal or reinstatement, or a change in insurance benefits unless the insurance institution or agent informs the individual that (1) he or she may request to be interviewed in connection with the preparation of the report and (2) he or she is entitled to receive a copy of the report.

Access to and Correction of Personal Information

The insurers and their support organizations collect and exchange substantial amounts of personally identifiable information. Some of the information collected, retained and exchanged may be erroneous, out of date and/or may present an inaccurate picture of the individual’s health, life style and/or financial condition. Although the Federal Fair Credit Reporting and Information Act (FCRA) requires insurance support organizations to inform individuals of the nature and substance of information in consumer reports if the individual so requests, insurers and agents are not subject to this requirement. Furthermore, the FCRA does not require the disclosure of medical information to either the individual or the individual’s medical professional.

Under the Model Privacy Act, an individual may gain access to recorded personal information about him or her upon request. The Act specifies the procedures to be followed which, among other things, seek to preserve the confidentiality of the information and provide that the individual be informed of persons who have received information in the file. In addition, the individual is to be provided with a summary of the procedures by which he or she may request a correction or deletion of personal information. The Act establishes requirements governing these procedures. If the insurer refuses to amend, the individual is allowed to file a statement as to what he or she believes to be the correct, relevant or fair information. Such a statement must become part of the record maintained by the insurer, agent or support organization so that any person reviewing the disputed information is made aware of the statement and has access to it.

Adverse Underwriting Decisions

It is essential that underwriting decisions be made on the basis of accurate information. The NAIC concluded that, to better assure the achievement of this objective, the insurance institution should inform the individual of the reason(s) for an adverse underwriting decision and the specific items of information upon which such decision was made. This affords an opportunity to assure correct decisions and to correct errors, if any, in the file. Specifically, the Act requires that in the event of an adverse underwriting decision, the insurer or agent must either provide the specific reason(s) for the decision in writing or advise the person that he or she may request such and that he or she be notified of this right.

Previous Adverse Underwriting Decisions

Insurers have often asked applicants whether any other insurer has declined them for coverage, refused to renew a policy, or insured them at other than standard rates. There has been considerable suspicion that some insurers have declined applicants solely upon an affirmative response to such questions. Furthermore, life insurers utilize support organizations (such as the Medical Information Bureau) which facilitate the exchange of information concerning individuals. Here again, there have been indications that some insurers declined applicants solely based upon information obtained from such organizations. The NAIC has concluded, however, that a previous adverse underwriting decision or negative information by itself constitutes incomplete information and insufficient basis upon which to base a current decision. There may be numerous reasons why a person was declined coverage in the past which bear little relevance as to the individual’s current insurability.

Consequently, the Model Act provides that no insurer, agent or insurance support organization may seek information in connection with an insurance transaction concerning previous adverse underwriting decisions unless the inquiry also requests the reasons for such decision. Furthermore, neither an insurer nor agent may base an adverse underwriting decision on the fact of a previous adverse decision. This is not to say, however, that an adverse decision cannot be based on further information obtained from an insurer or agent responsible for such adverse decision.

Disclosure Limitations and Conditions

Within the environment of increased concerns over privacy in general, significant concern was also expressed as to the confidentiality of personal records maintained by insurers, agents and insurance support institutions. In response, as a general proposition, the Model Act prohibits an insurer, agent or insurance support organization from disclosing individually identifiable information without the authorization of the individual. However, disclosure is permitted if authorized by the individual provided the authorization meets the specified requirements.

In addition, there are certain exceptions to the general prohibition against disclosure without authorization. For example, these exceptions include disclosures (1) necessary to perform the business functions inherent in the insurance relationship; (2) needed to protect against an individual suspected of fraud, criminal activity, misrepresentation or material nondisclosure; (3) to medical professionals; (4) to government authorities such as the insurance commissioner, criminal enforcement agencies, and judicial officials; (5) for research purposes; (6) to a party involved in the sale, transfer or merger of all or part of the business; (7) in connection with the marketing of a product or service; (8) to affiliates; (9) to insurance support organizations subject to the federal FCRA; etc. With respect to some of these exceptions, certain conditions or limitations must be observed in order for the insurer, agent or insurance support organization to disclose information without authorization from the individual.

Enforcement

The NAIC Model Privacy Act imposes numerous obligations upon insurers, agents and insurance support institutions. Enforcement of these obligations rests primarily with the insurance commissioner. The nature of enforcement essentially parallels that available under the model Unfair Trade Practices Act. The commissioner is empowered to examine insurers, agents and support organizations to ascertain compliance with the Privacy Act, hold hearings, take testimony under oath, issue cease and desist orders and issue reports. Violations are subject to monetary penalties and/or revocation of an insurer’s or agent’s license.

In addition, enforcement authority is also vested in the person whose rights are violated. An aggrieved person may seek equitable relief if an insurer, agent or support organization fails to comply with provisions dealing with access to recorded personal information, correction of information and adverse underwriting decisions. Furthermore, he or she may recover monetary amounts for damages sustained as a result of information inappropriately disclosed by an insurer, agent or insurance support institution. Also, it is a crime punishable by fine and/or imprisonment for any person to knowingly and willfully obtain information about an individual from an insurer, agent or insurance support agency under false pretenses.

Medical Information Bureau and Privacy

The NAIC Model Information and Privacy Act covers not only insurers and agents, but also insurance support organizations. With respect to life insurance, this most importantly refers to the Medical Information Bureau (MIB). MIB has long existed to serve the life insurance industry through its facilitation of the exchange of principally medical information among its members for underwriting purposes. It is a nonprofit organization of approximately 800 insurance company members. The basic purpose of the MIB is to reduce the cost of insurance by assisting insurers detect (hence deter) efforts by applicants for insurance to conceal or misrepresent facts. In doing so, the MIB is deemed critical to the ability of life insurers to successfully underwrite.

Member insurers report to the MIB a brief coded resume of relevant information on individuals applying for insurance obtained during the underwriting process. The vast majority of the reported items concern medical conditions. Certain nonmedical information relevant to insurability is also reported, for example, information pertaining to hazardous sports, aviation, and adverse driving records provided that such information is confirmed either by the applicant or official records. As a consequence, MIB compiles and maintains vast amounts of coded information upon which its member insurers can draw when underwriting a particular individual.

In its underwriting process, upon receiving an application for insurance, a life insurer will generally request the MIB to check its records for information on the individual. If a code is found, it is sent to the inquiring insurer. A code does not constitute a medical history. It does not contain a medical professional’s records nor a health care institution’s reports. Thus, it is without context. By itself, the code is an incomplete and perhaps an inaccurate item of information. Instead, an MIB code is simply intended to serve only as an alert notice to the receiving insurer. MIB’s own rules state that an insurer may not base an adverse underwriting judgment on information obtained from the MIB, but rather it must either seek verification from the reporting member insurer or make an independent verification.

Also, before accessing MIB information, the insurer must provide notice of the MIB to the applicant for insurance. Such notice must clearly state the types of information the insurer seeks and who will have access to such information. A life insurer cannot ask for an MIB report without signed authorization of the applicant.

Importantly, an insurer may not use MIB information as the basis for denying insurance. While such information can be used as an alert to the possibility of the need for further investigation, the development of full underwriting information upon which the underwriting decision is made rests with the insurer.

To maintain reasonable confidentiality of MIB records, such information is not released to nonmember companies, to consumer reporting agencies or to government agencies which lack a court order or authorization from the applicant. Although considerable public concern has been voiced as to whether information in MIB files is available to employers as to current or potential employees, the only entities eligible for MIB membership and able to access MIB files are life insurers who comply with MIB mandates as to the confidentiality of information.

Furthermore, certain access and correction rights are afforded to the individuals. If a person questions the accuracy of any information, he or she may request a correction in accordance with the procedure set forth in the Federal Fair Credit Reporting Act. Thus, a person may ascertain information in the MIB files pertaining to such person with opportunity to correct errors.

Understandably, MIB activities have been frequently reviewed by both regulators and legislators. In its report the Privacy Commission summarized some of the controversial aspects of the MIB operation. In response, the MIB altered certain practices to allay such concerns. Also, pursuant to the FCRA, the Federal Trade Commission conducted an extensive examination of MIB. In 1983, the MIB entered into a consent agreement with the FTC under which the MIB voluntarily conformed certain of its practices to those required by the Act. More recently, an FTC/MIB letter of understanding clarifies that the MIB is a consumer reporting agency for purposes of the FCRA. In addition some states have enacted laws governing certain aspects of MIB’s operations.

Even where state and/or federal requirements do not exist, the MIB undertakes substantial efforts to preserve the confidentiality of its records. This is achieved primarily through agreements with each member company under which the insurer agrees to (1) implement procedures to assure that only authorized personnel have access to MIB reports for permissible purposes, (2) restrict access to MIB code books, (3) obtain written consent to access MIB only after providing the applicant with a description of MIB and correction procedures, and (4) perform annual self audits to ascertain whether in fact its procedures have maintained confidentiality. Furthermore, each insurer must submit to periodic audits of its confidentiality procedures by the MIB.

Renewed concern arose over MIB operations in the context of AIDS (Acquired Immune Deficiency Syndrome) when insurers transmitted information to MIB on applicants who tested positive for exposure to the AIDS virus. In particular, fears focused upon the existence of a central depository of information identifying AIDS patients. The concerns included the potential accessing of this information by government entities. After balancing the needs of insurers for MIB information and the needs of insurance applicants for confidentiality, the MIB amended its rules and deleted the specific code relating to AIDS. In lieu thereof, insurers use the general code signifying simply "abnormal blood" test for which there is no specific code. Since there are a number of tests for conditions other than AIDS which can be reported under this general code, MIB maintains no records specifically linking an individual to a positive AIDS blood test. Because of the substantial privacy concerns surrounding AIDS, this MIB rule on using a general code has found its way into statutory or regulatory expression in a number of states.

In summary, since the mid-1960s, public concern over privacy has mounted. In response there has been considerable privacy legislation and regulation. Beginning with the FCRA in 1970 and the NAIC Model Information and Privacy Act around 1980, and a number of state AIDS confidentiality laws, the life insurance industry has come under significant federal and state laws and regulations governing its information collection, use, maintenance and disclosure practices. Public concerns over privacy are not likely to decrease. As the technological breakthroughs of the last 20 years or so have enabled far more extensive and sophisticated use of consumer information by means of computers, fax machines and increased communication technologies, new applications of computerized information undoubtedly will continue. With such advances in collection, maintenance, dissemination and use of personal information, as well as the high-level continuing concern over AIDS and the emerging concerns over genetic testing, one can reasonably expect that the manner in which insurers treat sensitive personal information on applicants and policyholders will continue as an important public issue.
