by David Rabinowitz and Jessica Blazer
As published in the January 31, 2001 issue of iHealthcare Weekly.
In November, 2000, the New York State Insurance Department enacted the Privacy of Consumer Financial and Health Information Rule (Regulation 169). Regulation 169 was promulgated as required by the federal Gramm-Leach-Bliley Financial Modernization Act, which, in part, protects consumer financial information.
Regulation 169 came down shortly before the U.S. Department of Health and Human Services issued the final version of the HIPAA privacy rule. Regulation 169 covers the disclosure by insurance companies of health information, as well as financial information, and so, in the first article of this two-part series, we summarized Regulation 169 and compared it with the proposed HIPAA privacy rule.
In this article, we compare Regulation 169 with the legislation that spawned it: the Gramm-Leach-Bliley Act. We will go through the principal requirements of the privacy Title (Title V) of Gramm-Leach-Bliley and explain how the New York State Insurance Department fulfilled them.
The main points and requirements in the privacy Title of Gramm-Leach-Bliley are as follows:
The last of these points is the first one of interest, since it explains why a State agency like the New York State Insurance Department is making regulations to enforce a federal statute. The section empowering, indeed requiring, the States to enforce the Act by regulation says that the state insurance authorities shall enforce the Act as to any person engaged in providing insurance; state insurance authorities are directed to implement the standards set forth in the Act "by rule." Let us look at how Regulation 169 carries out the principal Gramm-Leach-Bliley requirements.
The privacy Title of Gramm-Leach-Bliley is relatively short and general in its provisions. The New York State Insurance Department has largely filled in details. What is most interesting is where Regulation 169 adds restrictions on information disclosure and other rules that Gramm-Leach-Bliley does not contain, and in one instance, fails to regulate what Gramm-Leach-Bliley seems to require.
Information Protected. First and foremost, Regulation 169 covers not only non-public personal financial information, but also non-public personal health information. This expansion of Gramm-Leach-Bliley affects every part of Regulation 169. Not only is health information covered by Regulation 169, but Regulation 169 accords health information greater protection than financial information. Health information may only be disclosed if a consumer or customer opts in to third-party disclosures (except for disclosures made in order to perform a list of functions, which are substantially all ordinary insurance functions, like claim adjustment, claim administration, risk management, and the like). This contrasts with the opt-out procedure (which is all that Gramm-Leach-Bliley requires) in Regulation 169 for third-party disclosure of financial information.
Persons Protected. Gramm-Leach-Bliley protects "consumers," who are defined substantially as persons who obtain financial products or services. Regulation 169 plugs a loophole by including in "consumers" those who seek to obtain insurance products or services, as well as those who obtain them, thereby protecting applicants who never become customers of affected entities.
Notice of Privacy Policies. Regulation 169 essentially repeats the requirements of Gramm-Leach-Bliley regarding notice of privacy policies. What it adds is detailed requirements for the content of the notice; it takes the Gramm-Leach-Bliley categories of information required to be disclosed, and specifies the details that the consumer or customer is to receive. If the insurance company discloses what Regulation 169 specifies, its notice is ipso facto sufficient; this is a safe harbor provision. Likewise, requirements and corresponding safe harbors are provided for when privacy policy notices must be distributed.
Notice and "Opt-Out" Option Regarding Sharing of Information with Nonaffiliated Third Parties. As with privacy policy disclosures, Regulation 169 follows Gramm-Leach-Bliley by specifying what is sufficient detail and content in an opt-out notice. Regulation 169 goes beyond Gramm-Leach-Bliley, however, in limiting what insurance companies can make their consumers do to exercise the option to opt out. While Gramm-Leach-Bliley requires only that consumers be told how to exercise their opt-out right, Regulation 169 prohibits insurance companies from requiring consumers to go beyond what it calls "reasonable means" to exercise their opt-out right. Examples of "reasonable means" of exercise are given in the Regulation. Also given are examples of "unreasonable" means, which include requiring consumers to write their own opt-out letters or to use a form not supplied at the time of giving notice of the opt-out right.
Security and Confidentiality Safeguards. This subject receives surprisingly little attention in Regulation 169. Although Gramm-Leach-Bliley requires agencies to establish standards for security and confidentiality safeguards, Regulation 169 requires disclosure of the insurance companies' policies, but does not specify what those policies must contain or what safeguards must be implemented. We are advised by the State Insurance Department that they are in the process of drafting regulations to address this issue but that such regulations have not yet been published and are not available for public review or comment.
Remedies. While Gramm-Leach-Bliley requires the States to enforce the law, it does not specify what remedies they must provide. As noted in the first article in this series, Regulation 169 enforces its rules by making violations unfair methods of competition, which are prohibited by existing sections of the New York Insurance Law. What is key about those sections is that only the Superintendent of Insurance can seek penalties under them; they provide no private right of action to aggrieved consumers or customers.
In summary, Regulation 169 protects non-public personal financial information in accordance with the requirements of Gramm-Leach-Bliley, fleshing out details left unspecified by the Act and expanding coverage in some instances, while leaving security and confidentiality thus far unregulated.