HBA-CBW H.B. 3328 77(R)
BILL ANALYSIS
Office of House Bill Analysis
H.B. 3328
By: Averitt
Insurance
4/22/2001
Introduced

BACKGROUND AND PURPOSE

In November 1999, the United States Congress signed into law the Gramm-Leach-Bliley Act (GLBA), which updated federal financial services laws and broke down the barriers between commercial banks, securities firms, and insurance companies. Title III of GLBA declared that insurance activities would be functionally regulated by the states, which restated the applicability of the McCarran-Ferguson Act. Title V of GLBA provides that it is Congress' policy that financial institutions, including insurance companies, have an obligation to protect the privacy of customers' nonpublic personal health information. GLBA requires relevant federal regulatory authorities and state insurance authorities to adopt rules and regulations to protect the privacy of nonpublic personal health information. House Bill 3328 authorizes the commissioner of insurance to adopt rules and set forth regulations for compliance with GLBA.

RULEMAKING AUTHORITY

It is the opinion of the Office of House Bill Analysis that rulemaking authority is expressly delegated to the commissioner of insurance in SECTION 1 (Section 11, Article 21.74, Insurance Code) of this bill.

ANALYSIS

House Bill 3328 amends the Insurance Code to prohibit a licensee from disclosing nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. The bill sets forth provisions regarding the disclosure of nonpublic personal health information by a licensee for the performance of certain insurance functions. The bill requires that a valid authorization to disclose nonpublic personal health information be in written or electronic form. The bill sets forth the required information that is to be included in the form.
The bill requires that the authorization specify a length of time for which the authorization is to remain valid, which may not in any event be more than 24 months. The bill authorizes a consumer or customer who is the subject of nonpublic personal health information to revoke an authorization. The bill requires a licensee to retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information. The bill sets forth provisions regarding the delivery of an authorization request to a consumer or customer. The bill sets forth provisions regarding the applicability of these provisions with respect to federal rules, state law, and the Fair Credit Reporting Act. The bill prohibits a licensee from unfairly discriminating against a consumer or customer because that consumer or customer has not granted authorization for the disclosure of his or her nonpublic personal health information. The bill sets forth provisions regarding a violation and the severability of these provisions. The bill provides that these provisions take effect January 1, 2002, and authorizes the commissioner of insurance (commissioner) to extend the time for compliance by rule or regulation. The bill authorizes the commissioner to adopt rules to implement these provisions, provided that such rules do not impose requirements that are more stringent than privacy requirements in federal law.

EFFECTIVE DATE

On passage, or if the Act does not receive the necessary vote, the Act takes effect August 27, 2001.