By Eiland H.B. No. 2555
77R3874 MXM-F
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to the privacy of certain information provided by
1-3 consumers to insurers and other related entities; providing
1-4 penalties.
1-5 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-6 SECTION 1. Title 1, Insurance Code, is amended by adding
1-7 Chapter 28A to read as follows:
1-8 CHAPTER 28A. PRIVACY OF INFORMATION COLLECTED BY
1-9 CERTAIN FINANCIAL INSTITUTIONS
1-10 SUBCHAPTER A. GENERAL PROVISIONS
1-11 Art. 28A.001. SHORT TITLE. This chapter may be cited as the
1-12 "Financial Information Privacy Protection Act."
1-13 Art. 28A.002. PURPOSE. This chapter shall be liberally
1-14 construed and applied to promote uniformity and functional
1-15 regulation by:
1-16 (1) implementing Title V, Gramm-Leach-Bliley Act (15
1-17 U.S.C. Section 6801 et seq.), which requires financial
1-18 institutions, including insurers, to respect the privacy of their
1-19 customers and to protect the security and confidentiality of those
1-20 customers' nonpublic personal financial information;
1-21 (2) establishing appropriate consumer privacy
1-22 standards for insurance providers to be administered by the
1-23 department;
1-24 (3) ensuring, under 15 U.S.C. Section 6805(c), that
2-1 this state is eligible to override, under Section 47(g)(2)(B)(iii),
2-2 Federal Deposit Insurance Act (12 U.S.C. Section 1831x), the
2-3 insurance customer protections prescribed by a federal banking
2-4 agency under 12 U.S.C. Section 1831v;
2-5 (4) requiring, under 15 U.S.C. Sections 6802 and 6803,
2-6 that:
2-7 (A) insurers maintain a privacy policy that is
2-8 clearly communicated to customers and, under certain circumstances,
2-9 to consumers;
2-10 (B) subject to appropriate exceptions, no
2-11 nonpublic personal financial information be disclosed to
2-12 nonaffiliated third parties unless a consumer has been given a
2-13 chance to opt out of having the consumer's information disclosed;
2-14 (C) disclosure is authorized in the case of
2-15 personally identifiable health information; and
2-16 (D) no specific account information be given to
2-17 direct marketing firms, as provided by 15 U.S.C. Section 6801;
2-18 (5) providing for the enforcement of this chapter by
2-19 the department; and
2-20 (6) authorizing the commissioner to adopt rules
2-21 necessary to effectuate the purposes of this chapter.
2-22 Art. 28A.003. SCOPE. (a) This chapter:
2-23 (1) requires a licensee to provide notice to customers
2-24 and, under certain circumstances, to consumers about the licensee's
2-25 privacy policies and practices;
2-26 (2) describes the conditions under which a licensee
2-27 may disclose nonpublic personal information about consumers and
3-1 customers to nonaffiliated third parties;
3-2 (3) provides a method for consumers and customers to
3-3 prevent a licensee from disclosing that information unless
3-4 otherwise exempted as routine business disclosures under Articles
3-5 28A.151, 28A.152, 28A.153, or 28A.201 of this chapter;
3-6 (4) establishes reasonable exceptions under Articles
3-7 28A.151, 28A.152, and 28A.153 of this chapter to the notice
3-8 requirements of licensees and the ability of consumers and
3-9 customers to opt out of or to authorize certain disclosures; and
3-10 (5) applies only to nonpublic personal information
3-11 about individuals who obtain financial products or services in this
3-12 state from an insurer for personal, family, or household purposes.
3-13 (b) This chapter does not apply to information about
3-14 companies or individuals who obtain financial products or services
3-15 for business, commercial, or agricultural purposes. In particular,
3-16 this chapter does not apply to commercial insurance policies issued
3-17 by a licensee.
3-18 Art. 28A.004. DEFINITIONS. In this chapter, unless the
3-19 context otherwise requires:
3-20 (1) "Affiliate" means any company that controls, is
3-21 controlled by, or is under common control with another company.
3-22 (2) "Agent" means an insurance agent.
3-23 (3) "Clear and conspicuous" means that a notice is
3-24 reasonably understandable and designed to call attention to the
3-25 nature and significance of the information in the notice.
3-26 (4) "Collect" means to obtain information that the
3-27 licensee organizes or can retrieve by the name of an individual or
4-1 by identifying number, symbol, or other identifying particular
4-2 assigned to the individual, irrespective of the source of the
4-3 underlying information.
4-4 (5) "Company" means a corporation, limited liability
4-5 company, business trust, general or limited partnership,
4-6 association, sole proprietorship, or similar organization.
4-7 (6)(A) "Consumer" means an individual, or the
4-8 individual's legal representative, who seeks to obtain, obtains, or
4-9 has obtained an insurance product or service in this state from a
4-10 licensee that is to be used primarily for personal, family, or
4-11 household purposes, and about whom the licensee has nonpublic
4-12 personal information, including:
4-13 (i) an individual who provides nonpublic
4-14 personal information to a licensee in connection with seeking to
4-15 obtain or obtaining financial, insurance, investment, or economic
4-16 advisory services regardless of whether the licensee establishes an
4-17 ongoing relationship;
4-18 (ii) an applicant for insurance before the
4-19 inception of insurance coverage; or
4-20 (iii) an individual who provides nonpublic
4-21 personal information to a licensee in order to obtain a
4-22 determination about whether the individual may qualify for a loan
4-23 to be used primarily for personal, family, or household purposes,
4-24 regardless of whether the loan is extended.
4-25 (B) An individual is not a licensee's consumer
4-26 solely because the individual:
4-27 (i) is a beneficiary of a trust for which
5-1 the licensee is a trustee;
5-2 (ii) is a third party liability claimant;
5-3 (iii) has designated the licensee as
5-4 trustee for a trust;
5-5 (iv) is a consumer of another financial
5-6 institution for which the licensee acts as agent or provides
5-7 processing or other services;
5-8 (v) is a participant or a beneficiary of
5-9 an employee benefit plan that the licensee administers or sponsors
5-10 or for which the licensee acts as a trustee, insurer, or fiduciary;
5-11 or
5-12 (vi) is covered under a group or blanket
5-13 insurance policy or group annuity contract issued by the licensee
5-14 if the licensee provides the initial, annual, and revised notices
5-15 under Articles 28A.051, 28A.052, and 28A.053 of this chapter to the
5-16 plan sponsor, group, or blanket insurance policyholder or group
5-17 annuity contractholder and the licensee does not disclose to a
5-18 nonaffiliated third party nonpublic personal financial information
5-19 about such an individual other than as permitted under Subchapter D
5-20 of this chapter.
5-21 (7) "Consumer reporting agency" has the meaning
5-22 designated by Section 603(f), Fair Credit Reporting Act (15 U.S.C.
5-23 Section 1681a(f)).
5-24 (8) "Control" means:
5-25 (A) ownership of, control over, or power to vote
5-26 25 percent or more of the outstanding shares of any class of voting
5-27 security of the company, directly or indirectly, or acting through
6-1 one or more other persons;
6-2 (B) control in any manner over the election of a
6-3 majority of the directors, trustees, or general partners, or
6-4 individuals exercising similar functions, of the company; or
6-5 (C) the power to exercise, directly or
6-6 indirectly, a controlling influence over the management or policies
6-7 of the company, as the commissioner determines.
6-8 (9) "Customer" means a consumer who has a customer
6-9 relationship with a licensee. The term does not include a
6-10 beneficiary or a claimant under a policy of insurance, solely by
6-11 virtue of that individual's status as a beneficiary or claimant.
6-12 (10) "Customer relationship" means a continuing
6-13 relationship between a consumer and a licensee under which the
6-14 licensee provides one or more financial products or services to the
6-15 consumer that are to be used primarily for personal, family, or
6-16 household purposes. The term includes a relationship in which the
6-17 consumer:
6-18 (A) is a current policyholder of an insurance
6-19 product or other product issued by or through a licensee; or
6-20 (B) obtains financial, investment, or economic
6-21 advisory services relating to an insurance product or service from
6-22 a licensee for a fee.
6-23 (11)(A) "Financial institution" has the meaning
6-24 assigned by 15 U.S.C. Section 6809(3), and generally means any
6-25 institution the business of which is engaging in financial
6-26 activities as described by Section 4(k), Bank Holding Company Act
6-27 of 1956 (12 U.S.C. Section 1843).
7-1 (B) The term does not include:
7-2 (i) any person or entity with respect to
7-3 any financial activity that is subject to the jurisdiction of the
7-4 Commodity Futures Trading Commission under the Commodity Exchange
7-5 Act (7 U.S.C. Section 1 et seq.);
7-6 (ii) the Federal Agricultural Mortgage
7-7 Corporation or any entity chartered and operating under the Farm
7-8 Credit Act of 1971 (12 U.S.C. Section 2001 et seq.); or
7-9 (iii) institutions chartered by congress
7-10 specifically to engage in transactions described by 15 U.S.C.
7-11 Section 6802(e)(1)(C) if the institutions do not sell or transfer
7-12 nonpublic personal information to a nonaffiliated third party.
7-13 (12) "Financial product or service" means any product
7-14 or service that is offered by a licensee under this code, including
7-15 a licensee's evaluation or brokerage of information that the
7-16 licensee collects in connection with a request or an application
7-17 from a consumer for a financial product or service.
7-18 (13) "Health information" means any information or
7-19 data regarding a consumer or a member of a consumer's family, other
7-20 than age or gender, whether oral or recorded in any form or medium,
7-21 that is created by or derived from a health care provider or the
7-22 consumer or customer and that relates to:
7-23 (A) the past, present, or future physical,
7-24 mental, or behavioral health or condition of the consumer or a
7-25 member of the consumer's family;
7-26 (B) the provision of health care to the
7-27 consumer; or
8-1 (C) payment for the provision of health care to
8-2 the consumer.
8-3 (14) "Licensee" means a person who holds or is
8-4 required to hold a license, registration, certificate of authority,
8-5 or other authority under this code. The term includes a health
8-6 maintenance organization regulated under Chapter 20A of this code
8-7 or another covered entity.
8-8 (15) "Nonaffiliated third party" means a person,
8-9 including a company that is an affiliate solely by virtue of the
8-10 licensee's or its affiliate's direct or indirect ownership or
8-11 control of the company and that conducts merchant banking or
8-12 investment banking activities of the type described by Section
8-13 4(k)(4)(H), Bank Holding Company Act of 1956 (12 U.S.C. Section
8-14 1843(k)(4)(H)), or insurance company investment activities of the
8-15 type described by Section 4(k)(4)(I), Bank Holding Company Act of
8-16 1956 (12 U.S.C. Section 1843(k)(4)(I)), other than the licensee's
8-17 affiliate or a person employed jointly by a licensee and a company
8-18 that is not the licensee's affiliate. The term includes the other
8-19 company that jointly employs the person.
8-20 (16) "Nonpublic personal information" means nonpublic
8-21 personal financial information and nonpublic personal health
8-22 information.
8-23 (17)(A) "Nonpublic personal financial information"
8-24 means:
8-25 (i) personally identifiable financial
8-26 information;
8-27 (ii) any list, description, or other
9-1 grouping of consumers and publicly available information relating
9-2 to those consumers derived by using any personally identifiable
9-3 financial information that is not publicly available; and
9-4 (iii) any list of the names and street
9-5 addresses of individuals derived in whole or in part by using
9-6 personally identifiable financial information that is not publicly
9-7 available, such as policy or contract numbers.
9-8 (B) "Nonpublic personal financial information"
9-9 does not include:
9-10 (i) health information;
9-11 (ii) publicly available information,
9-12 except as included on a list described in Subparagraph (iv) of this
9-13 paragraph;
9-14 (iii) any list, description, or other
9-15 grouping of consumers and publicly available information relating
9-16 to those consumers derived without using any personally
9-17 identifiable financial information that is not publicly available;
9-18 or
9-19 (iv) any list of names and addresses of
9-20 individuals that contains only publicly available information not
9-21 derived, in whole or in part, by using personally identifiable
9-22 information that is not publicly available and that is not
9-23 disclosed in a manner that indicates that any of the individuals on
9-24 the list is a consumer of a financial institution.
9-25 (18) "Nonpublic personal health information" means
9-26 health information:
9-27 (A) that identifies an individual who is the
10-1 subject of the information; or
10-2 (B) with respect to which there is a reasonable
10-3 basis to believe that the information could be used to identify an
10-4 individual.
10-5 (19) "Opt out" means a direction by the consumer that
10-6 a licensee not disclose nonpublic personal financial information
10-7 about that consumer to a nonaffiliated third party, other than as
10-8 permitted by Subchapter D of this chapter.
10-9 (20) "Personally identifiable financial information"
10-10 means financial information:
10-11 (A) a consumer provides to a licensee to obtain
10-12 a financial product or service from the licensee;
10-13 (B) about a consumer resulting from any
10-14 transaction involving a financial product or service between a
10-15 licensee and a consumer; or
10-16 (C) a licensee otherwise obtains about a
10-17 consumer in connection with providing a financial product or
10-18 service to that consumer.
10-19 (21)(A) "Personally identifiable health information"
10-20 means health information:
10-21 (i) a consumer provides to a licensee to
10-22 obtain a financial product or service from the licensee;
10-23 (ii) about a consumer resulting from any
10-24 transaction involving a financial product or service between a
10-25 licensee and a consumer;
10-26 (iii) the licensee otherwise obtains about
10-27 a consumer in connection with providing a financial product or
11-1 service to that consumer;
11-2 (iv) that identifies a consumer who is the
11-3 subject of the information; or
11-4 (v) with respect to which there is a
11-5 reasonable basis to believe that the information could be used to
11-6 identify a consumer.
11-7 (B) "Personally identifiable health information"
11-8 does not include personally identifiable, nonmedical information
11-9 such as a consumer's name, address, social security number, age,
11-10 gender, or other analogous information if legally obtained by the
11-11 licensee from a source other than the consumer's medical record,
11-12 even if the information is also part of the consumer's medical
11-13 record.
11-14 (22) "Publicly available information" means any
11-15 information that a licensee has a reasonable basis to believe is
11-16 lawfully made available to the public from:
11-17 (A) federal, state, or local government records;
11-18 (B) widely distributed media; or
11-19 (C) disclosures to the public that are required
11-20 to be made by federal, state, or local law.
11-21 (23) "Reasonable basis" means a licensee has a basis
11-22 to believe that information is lawfully made available to the
11-23 public because the licensee has taken steps to determine:
11-24 (A) that the information is of the type that is
11-25 available to the public; and
11-26 (B) whether an individual can direct that the
11-27 information not be made available to the public and, if so, that a
12-1 licensee's consumer has not done so.
12-2 Art. 28A.005. RULES. The commissioner shall adopt rules as
12-3 necessary to implement this chapter.
12-4 SUBCHAPTER B. PRIVACY AND OPT OUT NOTICE REQUIREMENTS
12-5 Art. 28A.051. PRIVACY NOTICE TO CONSUMERS REQUIRED; INITIAL
12-6 NOTICE. (a) A licensee must provide a clear and conspicuous notice
12-7 that accurately reflects the licensee's privacy policies and
12-8 practices to:
12-9 (1) an individual who becomes a licensee's customer,
12-10 not later than the date on which the licensee establishes a
12-11 customer relationship with the individual, except as provided by
12-12 Subsection (e) of this article; and
12-13 (2) a consumer, before a licensee discloses any
12-14 nonpublic personal financial information about the consumer to any
12-15 nonaffiliated third party, if a licensee makes such a disclosure
12-16 other than as authorized by Article 28A.152, 28A.153, or 28A.201 of
12-17 this chapter.
12-18 (b) A licensee is not required to provide an initial notice
12-19 to a consumer under Subsection (a) if:
12-20 (1) the licensee does not disclose any nonpublic
12-21 personal financial information about the consumer to any
12-22 nonaffiliated third party, other than as authorized by Article
12-23 28A.152, 28A.153, or 28A.201 of this chapter;
12-24 (2) the licensee does not have a customer relationship
12-25 with the consumer; or
12-26 (3) the notice has been provided by an affiliated
12-27 licensee, if the notice:
13-1 (A) clearly identifies all licensees to whom the
13-2 notice applies or states that it applies to all affiliates of the
13-3 named licensee; and
13-4 (B) is accurate with respect to the licensee and
13-5 the other institutions.
13-6 (c) For purposes of this article, a licensee establishes a
13-7 customer relationship at the time the licensee and the consumer
13-8 enter into a continuing relationship, other than solely as a
13-9 beneficiary or claimant. A licensee establishes a customer
13-10 relationship when an insurance policy or contract is delivered to
13-11 the consumer and the consumer becomes a policyholder and when the
13-12 consumer agrees to obtain financial, insurance, economic, or
13-13 investment advisory services from the licensee for a fee.
13-14 (d) If an existing customer obtains a new financial product
13-15 or service from a licensee that is to be used primarily for
13-16 personal, family, or household purposes, a licensee may satisfy the
13-17 initial notice requirements of Subsection (a) of this article by
13-18 providing a revised policy notice under Article 28A.055 of this
13-19 chapter that covers the customer's new financial product or
13-20 service. If the initial, revised, or annual notice that a licensee
13-21 most recently provided to that customer was accurate with respect
13-22 to the new financial product or service, a licensee is not
13-23 required to provide a new privacy notice under Subsection (a) of
13-24 this article.
13-25 (e) A licensee may provide the initial notice required by
13-26 Subsection (a)(1) of this article within a reasonable time after
13-27 the licensee establishes a customer relationship if:
14-1 (1) establishing the customer relationship is not at
14-2 the customer's election, including the circumstance in which the
14-3 licensee acquires or is assigned the insurance policy or related
14-4 records from another financial institution or residual market
14-5 mechanism and the customer does not have a choice about that
14-6 acquisition or assignment; or
14-7 (2) providing notice not later than the date on which
14-8 the licensee establishes the customer relationship would
14-9 substantially delay the customer's transaction, including a
14-10 circumstance in which the licensee and the individual agree by
14-11 telephone conversation to enter into a customer relationship
14-12 involving prompt delivery of the financial product or service, and
14-13 the customer agrees to receive the notice at a later time.
14-14 (f) If two or more consumers jointly obtain a financial
14-15 product or service from a licensee, the licensee may satisfy the
14-16 requirements of Subsection (a) of this article by providing one
14-17 initial notice to those consumers jointly.
14-18 (g) If a licensee is required by this article to deliver an
14-19 initial privacy notice, the licensee must deliver the notice as
14-20 provided by Article 28A.056 of this chapter. If a licensee uses a
14-21 short-form initial notice for noncustomers as provided by Article
14-22 28A.053(c) of this chapter, the licensee may deliver the privacy
14-23 notice as provided by Subsection (d) of that article.
14-24 Art. 28A.052. ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED.
14-25 (a) A licensee shall provide a clear and conspicuous notice to a
14-26 customer that accurately reflects the licensee's privacy policies
14-27 and practices at least annually during the continuation of the
15-1 customer relationship. For the purposes of this subsection,
15-2 "annually" means at least once in any period of 12 consecutive
15-3 months during which that relationship exists. The licensee may
15-4 establish the period, but must apply the period to the customer on
15-5 a consistent basis.
15-6 (b) A licensee is not required to provide an annual notice
15-7 to a former customer. For purposes of this subsection, a "former
15-8 customer" is an individual with whom a licensee no longer has a
15-9 continuing relationship because:
15-10 (1) the individual is no longer a current policyholder
15-11 of an insurance product or no longer obtains insurance services
15-12 with or through the licensee;
15-13 (2) the individual's policy is lapsed, expired, or
15-14 otherwise inactive or dormant under the licensee's business
15-15 practices, and the licensee has not communicated with the customer
15-16 about the relationship for a period of 12 consecutive months, other
15-17 than to provide annual privacy notices, materials required by law
15-18 or regulation, or promotional materials;
15-19 (3) the individual's last known address according to
15-20 the licensee's records is invalid, as determined by the fact that
15-21 mail sent to that address by the licensee has been returned by the
15-22 postal authorities as undeliverable and subsequent attempts by the
15-23 licensee to obtain a current valid address for the individual have
15-24 been unsuccessful; or
15-25 (4) in the case of providing real estate settlement
15-26 services, at the time the customer completes execution of all
15-27 documents related to the real estate closing, payment for those
16-1 services has been received, or the licensee has completed all of
16-2 its responsibilities with respect to the settlement, including
16-3 filing documents on the public record.
16-4 (c) If a licensee is required by this article to deliver an
16-5 annual privacy notice, the licensee must deliver the notice as
16-6 provided by Article 28A.056 of this chapter.
16-7 (d) The annual notice may be provided by an affiliated
16-8 licensee if the notice:
16-9 (1) clearly identifies all licensees to which the
16-10 notice applies or states that the notice applies to all affiliates
16-11 of the named licensee; and
16-12 (2) is accurate with respect to the licensee and other
16-13 institutions.
16-14 Art. 28A.053. INFORMATION TO BE INCLUDED IN PRIVACY NOTICES.
16-15 (a) In addition to any other information the licensee wishes to
16-16 provide, the initial, annual, and revised privacy notices that a
16-17 licensee provides under Articles 28A.051, 28A.052, and 28A.055 of
16-18 this chapter must include each of the following items of
16-19 information that applies to the licensee or to the consumers to
16-20 whom the licensee sends its privacy notice:
16-21 (1) the categories of nonpublic personal financial
16-22 information that the licensee collects;
16-23 (2) the categories of nonpublic personal financial
16-24 information that the licensee discloses;
16-25 (3) the categories of affiliates and nonaffiliated
16-26 third parties to whom the licensee discloses nonpublic personal
16-27 financial information, other than those parties to whom the
17-1 licensee discloses information under Articles 28A.152 and 28A.153
17-2 of this chapter;
17-3 (4) the categories of nonpublic personal financial
17-4 information about the licensee's former customers that it discloses
17-5 and the categories of affiliates and nonaffiliated third parties to
17-6 whom the licensee discloses nonpublic personal financial
17-7 information about its former customers, other than those parties to
17-8 whom it discloses information under Articles 28A.152 and 28A.153 of
17-9 this chapter;
17-10 (5) if a licensee discloses nonpublic personal
17-11 financial information to a nonaffiliated third party under Article
17-12 28A.151 of this chapter and another exception does not apply to
17-13 that disclosure, a separate statement of the categories of
17-14 information the licensee discloses and the categories of third
17-15 parties with whom the licensee has contracted;
17-16 (6) an explanation of the right under Article 28A.101
17-17 of this chapter to opt out of the disclosure of nonpublic personal
17-18 financial information to nonaffiliated third parties and under
17-19 Article 28A.201 of this chapter to authorize the disclosure of
17-20 personally identifiable health information for marketing purposes,
17-21 including the methods by which the consumer may exercise those
17-22 rights at that time;
17-23 (7) any disclosures that the licensee makes under
17-24 Section 603(d)(2)(A)(iii), Fair Credit Reporting Act (15 U.S.C.
17-25 Section 1681a(d)(2)(A)(iii));
17-26 (8) the licensee's policies and practices with respect
17-27 to protecting the confidentiality and security of nonpublic
18-1 personal financial information; and
18-2 (9) if disclosures are made under Subsection (b) of
18-3 this article, a statement that the licensee makes those
18-4 disclosures.
18-5 (b) If a licensee discloses nonpublic personal financial
18-6 information about a consumer to third parties only as authorized
18-7 under Articles 28A.152 and 28A.153 of this chapter, the licensee is
18-8 not required to list those exceptions in the initial or annual
18-9 privacy notices required by this chapter. In describing the
18-10 categories with respect to those parties, a licensee is only
18-11 required to state that the licensee makes disclosures to other
18-12 nonaffiliated third parties as permitted by law.
18-13 (c) A licensee may satisfy the initial notice requirements
18-14 of this chapter for a consumer who is not a customer by providing a
18-15 short-form initial notice at the same time the licensee delivers an
18-16 opt out notice as required by Article 28A.056 of this chapter and,
18-17 if appropriate, an authorization as required by Article 28A.201 of
18-18 this chapter. A short-form initial notice must:
18-19 (1) be clear and conspicuous;
18-20 (2) state that a licensee's privacy notice is
18-21 available on request; and
18-22 (3) explain the means, which must be reasonable, by
18-23 which the consumer may obtain that notice, including provision of a
18-24 toll-free telephone number the consumer may call to request the
18-25 notice or, for a consumer who conducts business in person in the
18-26 licensee's office, providing notice to the consumer immediately on
18-27 request.
19-1 (d) A licensee must deliver the licensee's short-form notice
19-2 as provided by Article 28A.056 of this chapter. A licensee is not
19-3 required to deliver the licensee's privacy notice with the
19-4 licensee's short-form initial notice. A licensee may instead
19-5 provide the consumer with a reasonable means to obtain the
19-6 licensee's privacy notice. If a consumer who receives the
19-7 licensee's short-form notice requests the licensee's privacy
19-8 notice, the licensee shall deliver the privacy notice according to
19-9 Article 28A.056 of this chapter.
19-10 (e) A licensee's notice may include categories of:
19-11 (1) nonpublic personal financial information that the
19-12 licensee reserves the right to disclose in the future, but does not
19-13 currently disclose; and
19-14 (2) affiliates or nonaffiliated third parties to whom
19-15 the licensee reserves the right to disclose in the future, but to
19-16 whom it does not currently disclose nonpublic personal financial
19-17 information.
19-18 Art. 28A.054. FORM OF OPT OUT NOTICE TO CONSUMERS; OPT OUT
19-19 METHODS. (a) If a licensee is required to provide an opt out
19-20 notice under Article 28A.101 of this chapter, the licensee must
19-21 provide a clear and conspicuous notice to each of the licensee's
19-22 consumers that accurately explains the right to opt out under that
19-23 article. The notice must state that the licensee discloses or
19-24 reserves the right to disclose nonpublic personal financial
19-25 information about the consumer to a nonaffiliated third party and
19-26 that the consumer has the right to opt out of that disclosure. The
19-27 notice must provide a reasonable means by which the consumer may
20-1 exercise the right to opt out. The licensee may require that the
20-2 consumer opt out through a specific means, if the means is
20-3 reasonable for that consumer.
20-4 (b) A licensee provides a reasonable means to exercise the
20-5 right to opt out if the licensee:
20-6 (1) designates check off boxes in a prominent position
20-7 on the relevant forms with the opt out notice;
20-8 (2) includes a reply form with the opt out notice;
20-9 (3) provides an electronic means to opt out, such as a
20-10 form that can be sent via electronic mail or a process at the
20-11 licensee's Internet site, if the consumer agrees to the electronic
20-12 delivery of information;
20-13 (4) provides a toll-free telephone number consumers
20-14 may call to opt out; or
20-15 (5) provides the opt out notice with or on the same
20-16 written or electronic form as the initial notice the licensee
20-17 provides in accordance with Article 28A.051 of this chapter.
20-18 (c) If a licensee provides the opt out notice on a date
20-19 later than that required for the initial notice under Article
20-20 28A.051(e) of this chapter, the licensee must also include a copy
20-21 of the initial notice in writing or, if the consumer agrees,
20-22 electronically.
20-23 (d) If two or more consumers jointly obtain a financial
20-24 product or service from a licensee, the licensee may provide a
20-25 single opt out notice. The licensee's opt out notice must explain
20-26 how the licensee treats an opt out direction by a joint consumer.
20-27 Any of the joint consumers may exercise the right to opt out. The
21-1 licensee may treat an opt out direction by a joint consumer as
21-2 applying to all of the associated joint consumers, or permit each
21-3 joint consumer to opt out separately. If the licensee permits each
21-4 joint consumer to opt out separately, the licensee must permit one
21-5 of the joint consumers to opt out on behalf of all of the joint
21-6 consumers. A licensee may not require all joint consumers to opt
21-7 out before the licensee implements any opt out direction.
21-8 (e) A licensee must comply with a consumer's opt out
21-9 directive as soon as reasonably practicable after the licensee
21-10 receives the directive.
21-11 (f) A consumer may exercise the right to opt out at any
21-12 time.
21-13 (g) A consumer's directive to opt out under this article is
21-14 effective until the consumer revokes the directive in writing or,
21-15 if the consumer agrees, electronically. When a customer
21-16 relationship terminates, the customer's opt out directive continues
21-17 to apply to the nonpublic personal financial information the
21-18 licensee collected during, or related to, that relationship. If
21-19 the individual subsequently establishes a new customer relationship
21-20 with the licensee, the opt out directive that applied to the former
21-21 relationship does not apply to the new relationship.
21-22 (h) A licensee required by this article to deliver an opt
21-23 out notice shall deliver the notice as provided by Article 28A.056
21-24 of this chapter.
21-25 Art. 28A.055. REVISED PRIVACY NOTICES. (a) Except as
21-26 otherwise authorized by this chapter, a licensee may not, directly
21-27 or through an affiliate, disclose any nonpublic personal financial
22-1 information about a consumer to a nonaffiliated third party other
22-2 than as described in the initial notice that the licensee provided
22-3 to that consumer under Article 28A.051 of this chapter, unless:
22-4 (1) the licensee has provided to the consumer a
22-5 revised notice that accurately describes the licensee's policies
22-6 and practices;
22-7 (2) the licensee has provided to the consumer a new
22-8 opt out notice and, if appropriate, an authorization as required by
22-9 Article 28A.151 of this chapter;
22-10 (3) the licensee has given the consumer a reasonable
22-11 opportunity, before the licensee discloses the information to the
22-12 nonaffiliated third party, to opt out of, or, if appropriate,
22-13 authorize the disclosure; and
22-14 (4) the consumer does not opt out or, if appropriate,
22-15 the consumer authorizes the disclosure.
22-16 (b) A licensee required by this article to deliver a revised
22-17 privacy notice shall deliver the notice as provided by Article
22-18 28A.056 of this chapter.
22-19 Art. 28A.056. DELIVERING PRIVACY AND OPT OUT NOTICES. (a) A
22-20 licensee shall provide any privacy notices and opt out notices,
22-21 including short-form initial notices, that this chapter requires in
22-22 writing or, if the consumer agrees, electronically.
22-23 (b) A licensee may reasonably expect that a consumer will
22-24 receive actual notice if:
22-25 (1) the licensee:
22-26 (A) hand delivers a printed copy of the notice
22-27 to the consumer;
23-1 (B) mails a printed copy of the notice to the
23-2 last known address of the consumer separately, or in a policy,
23-3 billing, or other written communication; or
23-4 (C) clearly and conspicuously posts the notice
23-5 on the licensee's Internet site for the consumer who regularly
23-6 accesses the licensee's Internet site to conduct transactions; or
23-7 (2) for an isolated transaction with a consumer, such
23-8 as providing an insurance quote or selling the consumer travel
23-9 insurance, the licensee posts the notice and requires the consumer
23-10 to acknowledge receipt of the notice as a necessary step to
23-11 obtaining the particular financial product or service.
23-12 (c) A licensee may not reasonably expect that a consumer
23-13 will receive actual notice of the licensee's privacy policies and
23-14 practices if the licensee:
23-15 (1) only posts a sign in the licensee's branch or
23-16 office or generally publishes advertisements of the licensee's
23-17 privacy policies and practices; or
23-18 (2) sends the notice via electronic mail to a consumer
23-19 who does not obtain a financial product or service from the
23-20 licensee electronically.
23-21 (d) A licensee may reasonably expect that a customer will
23-22 receive actual notice of the licensee's annual privacy notice if
23-23 the customer:
23-24 (1) agrees to receive notices at the licensee's
23-25 Internet site, and the licensee posts its current privacy notice
23-26 continuously in a clear and conspicuous manner on the Internet
23-27 site; or
24-1 (2) has requested that the licensee refrain from
24-2 sending any information regarding the customer relationship, and
24-3 the licensee's current privacy notice remains available to the
24-4 customer on request.
24-5 (e) A licensee may not provide any notice required by this
24-6 chapter solely by orally explaining the notice, either in person or
24-7 by telephone conversation.
24-8 (f) For customers only, a licensee shall provide the initial
24-9 notice, the annual notice, and the revised notice required by this
24-10 chapter in such a manner that the customer can retain the notices
24-11 or obtain the notices later in writing or, if the customer agrees,
24-12 electronically. The licensee may provide the notices by:
24-13 (1) hand delivering a printed copy of the notice to
24-14 the customer;
24-15 (2) mailing a printed copy of the notice to the last
24-16 known address of the customer on the request of the customer; or
24-17 (3) for the customer who agrees to receive the notice
24-18 at the Internet site, making the licensee's current privacy notice
24-19 available on the licensee's Internet site or through a link to
24-20 another web site.
24-21 (g) A licensee may provide a joint notice from the licensee
24-22 and one or more of the licensee's affiliates, other licensees, or
24-23 other financial institutions, or on behalf of another financial
24-24 institution, if the notice is accurate with respect to the licensee
24-25 and the other institutions.
24-26 (h) If two or more consumers jointly obtain a financial
24-27 product or service from a licensee, the licensee may satisfy the
25-1 initial, annual, and revised notice requirements of Articles
25-2 28A.051, 28A.052, and 28A.055 of this chapter by providing one
25-3 notice to those consumers jointly.
25-4 Art. 28A.057. NONDISCRIMINATION. (a) A licensee may not
25-5 unfairly discriminate against a customer or consumer on the basis
25-6 of the customer's or consumer's exercise of the right to opt out of
25-7 the sharing of nonpublic personal information in the manner
25-8 provided by this chapter. This article does not prohibit licensees
25-9 from engaging in usual, appropriate, or acceptable methods for
25-10 insurance underwriting.
25-11 (b) This chapter does not require a licensee to provide a
25-12 benefit or commence or continue payment of a claim in the absence
25-13 of nonpublic personal health information or nonpublic personal
25-14 financial information necessary to support or deny the claim.
25-15 Art. 28A.058. APPLICATION TO CERTAIN EXCESS LINE BROKERS.
25-16 (a) In this article, "covered entity" includes an unauthorized
25-17 insurer who places business through licensed excess line brokers in
25-18 this state, but only as regards the excess line placements placed
25-19 under Article 1.14-2 of this code.
25-20 (b) A licensed excess line broker placing business
25-21 underwritten by a covered entity and that covered entity are
25-22 considered to be in compliance with the notice and opt out
25-23 requirements for nonpublic personal financial information
25-24 established under Subchapters A, B, C, D, and F of this chapter if:
25-25 (1) the licensed excess line broker and covered entity
25-26 do not disclose nonpublic personal information of a consumer or a
25-27 customer to a nonaffiliated third party for any purpose, including
26-1 joint servicing or marketing under Article 28A.151 of this chapter,
26-2 except as permitted by Article 28A.152 or 28A.153 of this chapter;
26-3 and
26-4 (2) at the time the customer relationship is
26-5 established, a single notice is delivered to the consumer on behalf
26-6 of all the licensed excess line brokers and covered entities
26-7 involved in the provision of the financial product or service to a
26-8 consumer or customer that meets the requirements of Subsection (c)
26-9 of this article.
26-10 (c) The notice required by Subsection (b) of this article
26-11 must be printed in 16-point type and include the following
26-12 statement:
26-13 PRIVACY NOTICE
26-14 "NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE
26-15 INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE
26-16 NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO
26-17 NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS
26-18 PERMITTED BY LAW."
26-19 Art. 28A.059. APPLICATION TO CERTAIN LICENSEES. A licensee
26-20 who is a producer or independent insurance agent is subject to all
26-21 the requirements of this chapter unless the producer or agent is
26-22 acting as agent for a licensee. A producer acting as agent for a
26-23 licensee is exempt only from the notice requirements, rather than
26-24 all requirements, of this chapter, and only if the producer does
26-25 not disclose consumer information other than as permitted by
26-26 Subchapter D of this chapter.
26-27 SUBCHAPTER C. LIMITS ON DISCLOSURE
27-1 Art. 28A.101. LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL
27-2 FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES. (a) Except
27-3 as otherwise authorized by this chapter, a licensee may not,
27-4 directly or through an affiliate, disclose any nonpublic personal
27-5 financial information about a consumer to a nonaffiliated third
27-6 party unless:
27-7 (1) the licensee has provided to the consumer an
27-8 initial notice as required by Article 28A.051 of this chapter;
27-9 (2) the licensee has provided to the consumer an opt
27-10 out notice as required by Article 28A.054 of this chapter; or
27-11 (3) the licensee has given the consumer a reasonable
27-12 opportunity, before the licensee discloses the information to the
27-13 nonaffiliated third party, to opt out of the disclosure and the
27-14 consumer does not opt out.
27-15 (b) A licensee may comply with Subsection (a)(3) of this
27-16 article by mailing the notices required by Subsection (a)(1) of
27-17 this article to the consumer and allowing the consumer to opt out
27-18 by mailing a form, calling a toll-free telephone number, or taking
27-19 any other reasonable means not later than the 30th day after the
27-20 date on which the licensee mailed the notices. A licensee may also
27-21 comply by allowing a customer to open an on-line account with the
27-22 licensee if the customer agrees to receive the notice required
27-23 under Subsection (a)(1) of this article electronically, and if the
27-24 licensee makes the notice available to the customer on its Internet
27-25 site and allows the customer to opt out by any reasonable means not
27-26 later than the 30th day after the date the customer acknowledges
27-27 receipt of the notices in conjunction with opening the account.
28-1 For an isolated transaction, such as providing a consumer with an
28-2 insurance quote, a licensee provides a reasonable opportunity to
28-3 opt out if the licensee provides the consumer the notice required
28-4 by Subsection (a)(1) of this article at the time of the transaction
28-5 and requests that the consumer decide, as a necessary act of the
28-6 transaction, whether to opt out before completing the transaction.
28-7 (c) A licensee must comply with this article regardless of
28-8 whether the licensee and the consumer have established a customer
28-9 relationship. Unless a licensee complies with this article, the
28-10 licensee may not, directly or through an affiliate, disclose any
28-11 nonpublic personal financial information about a consumer that it
28-12 has collected, regardless of whether the licensee collected it
28-13 before or after receiving the directive to opt out from the
28-14 consumer.
28-15 Art. 28A.102. LIMITS ON REDISCLOSURE AND REUSE OF
28-16 INFORMATION. (a) If a licensee receives nonpublic personal
28-17 information from a nonaffiliated financial institution under an
28-18 exception to this chapter or under an authorization made under
28-19 Article 28A.201 of this chapter, the licensee may disclose the
28-20 information:
28-21 (1) to the affiliates of the financial institution
28-22 from which the licensee received the information;
28-23 (2) to its affiliates and agents but the affiliates
28-24 and agents may disclose and use the information only to the extent
28-25 that the licensee may disclose and use the information; and
28-26 (3) under an exception to Article 28A.152 or 28A.153
28-27 of this chapter, and use the information in the ordinary course of
29-1 business to carry out the activity covered by the exception under
29-2 which the licensee received the information.
29-3 (b) If a licensee receives nonpublic personal information
29-4 from a nonaffiliated financial institution other than under an
29-5 exception to this chapter or under an authorization made under
29-6 Article 28A.201 of this chapter, the licensee may disclose the
29-7 information only to:
29-8 (1) the affiliates of the financial institution from
29-9 which the licensee received the information;
29-10 (2) the licensee's affiliates and agents but the
29-11 licensee's affiliates and agents may disclose the information only
29-12 to the extent that the licensee can disclose the information; and
29-13 (3) any other person if the disclosure would be lawful
29-14 if made directly to that person by the financial institution from
29-15 which the licensee received the information.
29-16 (c) If the licensee discloses nonpublic personal financial
29-17 information to a nonaffiliated third party under an exception to
29-18 Article 28A.152 or 28A.153 of this chapter, the third party may
29-19 disclose that information:
29-20 (1) to the licensee's affiliates;
29-21 (2) to the third party's affiliates but those
29-22 affiliates may disclose and use the information only to the extent
29-23 that the third party may disclose and use the information; and
29-24 (3) under an exception to Article 28A.152 or 28A.153
29-25 of this chapter, and use the information in the ordinary course of
29-26 business to carry out the activity covered by the exception under
29-27 which the third party received the information.
30-1 (d) If a licensee discloses nonpublic personal information
30-2 to a nonaffiliated third party other than under an exception to
30-3 Article 28A.152 or 28A.153 of this chapter or under an
30-4 authorization made under Article 28A.201 of this chapter, the third
30-5 party may disclose the information only to:
30-6 (1) the licensee's affiliates;
30-7 (2) the third party's affiliates but the third party's
30-8 affiliates may disclose the information only to the extent the
30-9 third party can disclose the information; and
30-10 (3) any other person if the disclosure would be lawful
30-11 if the licensee made it directly to that person.
30-12 Art. 28A.103. LIMITS ON SHARING POLICY OR CONTRACT NUMBER
30-13 INFORMATION FOR MARKETING PURPOSES. (a) A licensee may not,
30-14 directly or through an affiliate, disclose, other than to a
30-15 consumer reporting agency, a policy or contract number or similar
30-16 form of access number or access code for a consumer's credit card
30-17 account, deposit account, or transaction account to any
30-18 nonaffiliated third party for use in telemarketing, direct mail
30-19 marketing, or other marketing through electronic mail to the
30-20 consumer.
30-21 (b) Subsection (a) of this article does not apply if the
30-22 licensee discloses a policy or contract number or similar form of
30-23 access number or access code to:
30-24 (1) the licensee's agent or service provider solely to
30-25 perform marketing for the licensee's products or services if the
30-26 agent or service provider is not authorized to directly initiate
30-27 charges to the account;
31-1 (2) a participant in a private label credit card
31-2 program or an affinity or similar program in which the participants
31-3 in the program are identified to the customer when the customer
31-4 enters into the program; or
31-5 (3) a licensee who is a producer solely to perform
31-6 marketing for the licensee's own products or services.
31-7 SUBCHAPTER D. EXCEPTIONS
31-8 Art. 28A.151. EXCEPTION TO OPT OUT REQUIREMENTS FOR SERVICE
31-9 PROVIDERS AND JOINT MARKETING. (a) The opt out requirements of
31-10 this chapter do not apply when a licensee provides nonpublic
31-11 personal financial information to a nonaffiliated third party to
31-12 perform services for, or functions on behalf of, the licensee, if
31-13 the licensee:
31-14 (1) provides the initial notice in accordance with
31-15 this chapter; and
31-16 (2) enters into a contractual agreement with the third
31-17 party that prohibits the third party from disclosing or using the
31-18 information other than to implement the purposes for which the
31-19 licensee disclosed the information, including use under an
31-20 exception under Article 28A.152 or 28A.153 of this chapter, in the
31-21 ordinary course of business to implement those purposes.
31-22 (b) A licensee may use personally identifiable financial
31-23 information and disclose that information to a person acting on
31-24 behalf of, or at the direction of, the licensee to perform the
31-25 licensee's insurance functions, including:
31-26 (1) claims administration, adjustment, and management;
31-27 (2) fraud investigation;
32-1 (3) underwriting;
32-2 (4) loss control;
32-3 (5) rate-making functions;
32-4 (6) reinsurance;
32-5 (7) risk management;
32-6 (8) case management;
32-7 (9) quality assessment and improvement;
32-8 (10) provider credentialing verification;
32-9 (11) utilization review;
32-10 (12) peer review activities;
32-11 (13) grievance procedures;
32-12 (14) internal administration of compliance,
32-13 managerial, and information systems;
32-14 (15) policyholder service functions;
32-15 (16) account administration;
32-16 (17) processing premium payments;
32-17 (18) processing insurance claims;
32-18 (19) administering insurance benefits;
32-19 (20) participating in research projects; and
32-20 (21) as otherwise required or specifically permitted
32-21 by federal or state law.
32-22 (c) The services performed for a licensee by a nonaffiliated
32-23 third party under Subsection (a) of this article may include
32-24 marketing of the licensee's own products or services or marketing
32-25 of financial products or services offered under joint agreements
32-26 between the licensee and one or more financial institutions. For
32-27 purposes of this subsection, "joint agreement" means a written
33-1 contract under which a licensee and one or more financial
33-2 institutions jointly offer, endorse, or sponsor a financial product
33-3 or service.
33-4 Art. 28A.152. EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS
33-5 FOR PROCESSING AND SERVICING TRANSACTIONS. (a) The requirements
33-6 for initial notice to consumers under Article 28A.051(a)(2),
33-7 providing the opportunity for consumers and customers to opt out,
33-8 and the application of this chapter to service providers and joint
33-9 marketing do not apply if a licensee discloses nonpublic personal
33-10 financial information as necessary to effect, administer, or
33-11 enforce a transaction requested or authorized by the consumer or
33-12 made in connection with:
33-13 (1) servicing or processing a financial product or
33-14 service requested or authorized by the consumer, including the
33-15 products or services under consideration by a consumer;
33-16 (2) maintaining or servicing the consumer's account
33-17 with the licensee or with another entity;
33-18 (3) a transaction involving a person acting as an
33-19 agent of the licensee, if the agent agrees not to disclose the
33-20 nonpublic personal financial information to additional third
33-21 parties; or
33-22 (4) a proposed or actual securitization, secondary
33-23 market sale, including sales of servicing rights, or similar
33-24 transaction related to a transaction of the consumer.
33-25 (b) The requirements of this chapter do not apply if a
33-26 licensee discloses nonpublic personal financial information for any
33-27 purpose related to effecting, administering, or replacing a group
34-1 benefit plan, a group health plan, or a group welfare plan.
34-2 (c) For purposes of this article, a disclosure is necessary
34-3 to effect, administer, or enforce a transaction if the disclosure
34-4 is:
34-5 (1) required to enforce, or is one of the lawful or
34-6 appropriate methods of enforcing, the licensee's rights or the
34-7 rights of other persons engaged in implementing the financial
34-8 transaction or providing the product or service; or
34-9 (2) required, or is a usual, appropriate, or
34-10 acceptable method:
34-11 (A) to implement the transaction or the product
34-12 or service business of which the transaction is a part, and record,
34-13 service, or maintain the consumer's account in the ordinary course
34-14 of providing the financial service or financial product;
34-15 (B) to administer, adjudicate, or service
34-16 benefits or claims relating to the transaction or the product or
34-17 service business of which the transaction is a part;
34-18 (C) to provide a confirmation, statement, or
34-19 other record of the transaction, or information on the status or
34-20 value of the financial service or financial product, to the
34-21 consumer or the consumer's agent or broker;
34-22 (D) to accrue or recognize incentives or bonuses
34-23 associated with the transaction that are provided by the licensee
34-24 or any other party;
34-25 (E) to underwrite insurance at the consumer's
34-26 request or for reinsurance purposes, or for any of the following
34-27 purposes, as they relate to a consumer's insurance:
35-1 (i) account administration;
35-2 (ii) reporting;
35-3 (iii) investigating;
35-4 (iv) preventing fraud or material
35-5 misrepresentation;
35-6 (v) processing premium payments;
35-7 (vi) processing insurance claims;
35-8 (vii) administering insurance benefits,
35-9 including utilization review activities;
35-10 (viii) participating in research projects;
35-11 or
35-12 (ix) as otherwise required or specifically
35-13 permitted by federal or state law; or
35-14 (F) in connection with:
35-15 (i) the authorization, settlement,
35-16 processing, transferring, or collection of amounts charged,
35-17 debited, or otherwise paid using a debit, credit, or other payment
35-18 card, check, or policy or contract number, or by other payment
35-19 means;
35-20 (ii) the transfer of receivables,
35-21 accounts, or interests in receivables or accounts; or
35-22 (iii) the audit of debit, credit, or other
35-23 payment information.
35-24 Art. 28A.153. OTHER EXCEPTIONS TO NOTICE AND OPT OUT
35-25 REQUIREMENTS. (a) The requirements for initial notice to consumers
35-26 under Article 28A.051(a)(2), the opportunity to opt out, and the
35-27 provisions applicable to service providers and joint marketing in
36-1 this chapter do not apply when a licensee discloses nonpublic
36-2 personal financial information:
36-3 (1) with the consent of or at the direction of the
36-4 consumer if the consumer has not revoked the consent or direction;
36-5 (2) to protect the confidentiality or security of a
36-6 licensee's records relating to the consumer, service, product, or
36-7 transaction;
36-8 (3) to protect against or prevent actual or potential
36-9 fraud, unauthorized transactions or claims, or other liability;
36-10 (4) for required institutional risk control or for
36-11 resolving consumer disputes or inquiries;
36-12 (5) to persons holding a legal or beneficial interest
36-13 relating to the consumer;
36-14 (6) to persons acting in a fiduciary or representative
36-15 capacity on behalf of the consumer;
36-16 (7) to provide information to insurance rate advisory
36-17 organizations, guaranty funds or agencies, agencies that are rating
36-18 the licensee, persons that are assessing the licensee's compliance
36-19 with industry standards, and the licensee's attorneys, accountants,
36-20 and auditors;
36-21 (8) to the extent specifically permitted or required
36-22 under other provisions of law and in accordance with the Right to
36-23 Financial Privacy Act of 1978 (12 U.S.C. Section 3401 et seq.):
36-24 (A) to:
36-25 (i) law enforcement agencies, including a
36-26 federal functional regulator;
36-27 (ii) the United States Secretary of the
37-1 Treasury with respect to 31 U.S.C. Chapter 53, Subchapter II, and
37-2 12 U.S.C. Chapter 21;
37-3 (iii) a state insurance authority, with
37-4 respect to any person domiciled in that insurance authority's state
37-5 who is engaged in the business of insurance;
37-6 (iv) the Federal Trade Commission; or
37-7 (v) a self-regulatory organization; or
37-8 (B) for an investigation on a matter related to
37-9 public safety;
37-10 (9) to a consumer reporting agency in accordance with
37-11 the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and
37-12 the fair credit laws of this state or from a consumer report
37-13 reported by a consumer reporting agency;
37-14 (10) in connection with a proposed or actual sale,
37-15 merger, transfer, or exchange of all or a portion of a business or
37-16 operating unit if the disclosure of nonpublic personal financial
37-17 information concerns solely consumers of the business or unit;
37-18 (11) to comply with:
37-19 (A) federal, state, or local laws, rules, and
37-20 other applicable legal requirements;
37-21 (B) a properly authorized civil, criminal, or
37-22 regulatory investigation, or subpoena or summons by federal, state,
37-23 or local authorities; or
37-24 (C) judicial process or government regulatory
37-25 authorities that have jurisdiction over a licensee for examination,
37-26 compliance, or other purposes as authorized by law;
37-27 (12) as necessary to provide ongoing health care
38-1 treatment;
38-2 (13) in connection with quality assessment evaluations
38-3 or investigations;
38-4 (14) to reveal a consumer's presence in a facility
38-5 owned by the licensee and the consumer's general health condition;
38-6 (15) to a reinsurer, stop loss, or excess loss carrier
38-7 for underwriting, claims adjudication, or conducting claim file
38-8 audits;
38-9 (16) as necessary to:
38-10 (A) identify a deceased individual;
38-11 (B) determine the cause and manner of death by a
38-12 chief medical examiner or the medical examiner's designee; or
38-13 (C) provide necessary protected health
38-14 information about a deceased individual who is a donor of an
38-15 anatomical gift;
38-16 (17) to the department for use in an examination,
38-17 investigation, or audit of the licensee; or
38-18 (18) under a court order issued after the court's
38-19 determination that the public interest in the disclosure outweighs
38-20 the consumer's privacy interest and that the personally
38-21 identifiable health information is not reasonably available by
38-22 other means.
38-23 (b) This chapter may not be construed as applicable to
38-24 information disclosures by licensees in connection with the
38-25 purchase of insurance coverage by the licensee or the arrangement
38-26 of insurance coverage by the licensee for its employees.
38-27 SUBCHAPTER E. PERSONALLY IDENTIFIABLE HEALTH INFORMATION
39-1 Art. 28A.201. PERSONALLY IDENTIFIABLE HEALTH INFORMATION:
39-2 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION; EXCEPTION. (a) A
39-3 licensee must obtain an authorization to disclose any personally
39-4 identifiable health information before making such a disclosure, if
39-5 the purpose of the disclosure is for the marketing of services or
39-6 goods for personal, family, or household purposes.
39-7 (b) The request for authorization required by this article
39-8 may be included in the notice required by Article 28A.051 of this
39-9 chapter. The request for authorization must:
39-10 (1) state the purpose of the disclosure in clear and
39-11 simple terms and in a separate paragraph;
39-12 (2) specify that the authorization remains valid for
39-13 not more than 24 months and may be revoked at any time; and
39-14 (3) specify that the terms and conditions of an
39-15 insurance policy are not affected in any way by a refusal to give
39-16 the authorization, as provided by Article 28A.057 of this chapter.
39-17 (c) This chapter does not apply and the authorization
39-18 described by this article is not required if a licensee discloses
39-19 nonpublic personal health information for any purpose related to
39-20 effecting, administering, or replacing a group benefit plan, a
39-21 group health plan, or a group welfare plan.
39-22 (d) This article does not prohibit, restrict, or require an
39-23 authorization for the disclosure of nonpublic personal health
39-24 information by a licensee when sharing the information with a
39-25 vendor who is acting on behalf of the licensee or for the
39-26 performance of insurance functions described by Article 28A.151 by
39-27 or on behalf of the licensee.
40-1 SUBCHAPTER F. RELATION TO OTHER LAWS; ENFORCEMENT
40-2 Art. 28A.251. PROTECTION OF FAIR CREDIT REPORTING ACTS. (a)
40-3 This chapter may not be construed to modify, limit, or supersede
40-4 the operation of the Fair Credit Reporting Act (15 U.S.C. Section
40-5 1681 et seq.) and an inference may not be drawn based on this
40-6 chapter regarding whether information is transaction or experience
40-7 information under Section 603 (15 U.S.C. Section 1681a).
40-8 (b) This chapter may not be construed to modify, limit, or
40-9 supersede the operation of any fair credit law of this state.
40-10 (c) This chapter does not preempt or supersede a state law
40-11 related to medical record, health, or insurance information privacy
40-12 that is in effect on July 1, 2002.
40-13 Art. 28A.252. HEALTH INSURANCE PORTABILITY AND
40-14 ACCOUNTABILITY ACT. This chapter does not limit, modify, or
40-15 supersede the standards governing the privacy of individually
40-16 identifiable health information adopted by the United States
40-17 Secretary of Health and Human Services under Section 262(a), Health
40-18 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
40-19 Sections 1320d-1320d-8).
40-20 Art. 28A.253. VIOLATION; PENALTIES. (a) A licensee may not
40-21 knowingly or wilfully violate this chapter.
40-22 (b) The department may investigate any alleged violation of
40-23 this chapter and may impose fines and other sanctions as determined
40-24 to be appropriate in accordance with Chapters 82 and 84 of this
40-25 code and the other insurance laws of this state.
40-26 SECTION 2. (a) Except as provided by Subsections (b) and (c)
40-27 of this section, this Act takes effect September 1, 2001.
41-1 (b) An insurer or other licensee described by Chapter 28A,
41-2 Insurance Code, as added by this Act, is not required to comply
41-3 with that chapter until July 1, 2002.
41-4 (c) Article 28A.253, Insurance Code, as added by this Act,
41-5 takes effect July 1, 2002.