By Eiland
H.B. No. 2555
77R3874 MXM-F

A BILL TO BE ENTITLED
AN ACT
relating to the privacy of certain information provided by consumers to insurers and other related entities; providing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Title 1, Insurance Code, is amended by adding Chapter 28A to read as follows:

CHAPTER 28A. PRIVACY OF INFORMATION COLLECTED BY CERTAIN FINANCIAL INSTITUTIONS

SUBCHAPTER A. GENERAL PROVISIONS

Art. 28A.001. SHORT TITLE. This chapter may be cited as the "Financial Information Privacy Protection Act."

Art. 28A.002. PURPOSE. This chapter shall be liberally construed and applied to promote uniformity and functional regulation by:
  (1) implementing Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.), which requires financial institutions, including insurers, to respect the privacy of their customers and to protect the security and confidentiality of those customers' nonpublic personal financial information;
  (2) establishing appropriate consumer privacy standards for insurance providers to be administered by the department;
  (3) ensuring, under 15 U.S.C. Section 6805(c), that this state is eligible to override, under Section 47(g)(2)(B)(iii), Federal Deposit Insurance Act (12 U.S.C. Section 1831x), the insurance customer protections prescribed by a federal banking agency under 12 U.S.C. Section 1831v;
  (4) requiring, under 15 U.S.C.
  Sections 6802 and 6803, that:
    (A) insurers maintain a privacy policy that is clearly communicated to customers and, under certain circumstances, to consumers;
    (B) subject to appropriate exceptions, no nonpublic personal financial information be disclosed to nonaffiliated third parties unless a consumer has been given a chance to opt out of having the consumer's information disclosed;
    (C) disclosure is authorized in the case of personally identifiable health information; and
    (D) no specific account information be given to direct marketing firms, as provided by 15 U.S.C. Section 6801;
  (5) providing for the enforcement of this chapter by the department; and
  (6) authorizing the commissioner to adopt rules necessary to effectuate the purposes of this chapter.

Art. 28A.003. SCOPE. (a) This chapter:
  (1) requires a licensee to provide notice to customers and, under certain circumstances, to consumers about the licensee's privacy policies and practices;
  (2) describes the conditions under which a licensee may disclose nonpublic personal information about consumers and customers to nonaffiliated third parties;
  (3) provides a method for consumers and customers to prevent a licensee from disclosing that information unless otherwise exempted as routine business disclosures under Articles 28A.151, 28A.152, 28A.153, or 28A.201 of this chapter;
  (4) establishes reasonable exceptions under Articles 28A.151, 28A.152, and 28A.153 of this chapter to the notice requirements of licensees and the ability of consumers and customers to opt out of or to authorize certain disclosures; and
  (5) applies only to nonpublic personal information about individuals who obtain financial products or services in this state from an insurer for personal, family, or household purposes.
(b) This chapter does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes. In particular, this chapter does not apply to commercial insurance policies issued by a licensee.

Art. 28A.004. DEFINITIONS. In this chapter, unless the context otherwise requires:
  (1) "Affiliate" means any company that controls, is controlled by, or is under common control with another company.
  (2) "Agent" means an insurance agent.
  (3) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
  (4) "Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
  (5) "Company" means a corporation, limited liability company, business trust, general or limited partnership, association, sole proprietorship, or similar organization.
  (6)(A) "Consumer" means an individual, or the individual's legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service in this state from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information, including:
      (i) an individual who provides nonpublic personal information to a licensee in connection with seeking to obtain or obtaining financial, insurance, investment, or economic advisory services regardless of whether the licensee establishes an ongoing relationship;
      (ii) an applicant for insurance before the inception of insurance coverage; or
      (iii) an individual who provides nonpublic personal information to a licensee in order to obtain a determination about whether the individual may qualify for a loan to be used primarily for personal, family, or household purposes, regardless of whether the loan is extended.
    (B) An individual is not a licensee's consumer solely because the individual:
      (i) is a beneficiary of a trust for which the licensee is a trustee;
      (ii) is a third party liability claimant;
      (iii) has designated the licensee as trustee for a trust;
      (iv) is a consumer of another financial institution for which the licensee acts as agent or provides processing or other services;
      (v) is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer, or fiduciary; or
      (vi) is covered under a group or blanket insurance policy or group annuity contract issued by the licensee if the licensee provides the initial, annual, and revised notices under Articles 28A.051, 28A.052, and 28A.053 of this chapter to the plan sponsor, group, or blanket insurance policyholder or group annuity contractholder and the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Subchapter D of this chapter.
  (7) "Consumer reporting agency" has the meaning designated by Section 603(f), Fair Credit Reporting Act (15 U.S.C. Section 1681a(f)).
  (8) "Control" means:
    (A) ownership of, control over, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
    (B) control in any manner over the election of a majority of the directors, trustees, or general partners, or individuals exercising similar functions, of the company; or
    (C) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the commissioner determines.
  (9) "Customer" means a consumer who has a customer relationship with a licensee. The term does not include a beneficiary or a claimant under a policy of insurance, solely by virtue of that individual's status as a beneficiary or claimant.
  (10) "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. The term includes a relationship in which the consumer:
    (A) is a current policyholder of an insurance product or other product issued by or through a licensee; or
    (B) obtains financial, investment, or economic advisory services relating to an insurance product or service from a licensee for a fee.
  (11)(A) "Financial institution" has the meaning assigned by 15 U.S.C. Section 6809(3), and generally means any institution the business of which is engaging in financial activities as described by Section 4(k), Bank Holding Company Act of 1956 (12 U.S.C. Section 1843).
    (B) The term does not include:
      (i) any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. Section 1 et seq.);
      (ii) the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Section 2001 et seq.); or
      (iii) institutions chartered by congress specifically to engage in transactions described by 15 U.S.C. Section 6802(e)(1)(C) if the institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
  (12) "Financial product or service" means any product or service that is offered by a licensee under this code, including a licensee's evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service.
  (13) "Health information" means any information or data regarding a consumer or a member of a consumer's family, other than age or gender, whether oral or recorded in any form or medium, that is created by or derived from a health care provider or the consumer or customer and that relates to:
    (A) the past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
    (B) the provision of health care to the consumer; or
    (C) payment for the provision of health care to the consumer.
  (14) "Licensee" means a person who holds or is required to hold a license, registration, certificate of authority, or other authority under this code. The term includes a health maintenance organization regulated under Chapter 20A of this code or another covered entity.
  (15) "Nonaffiliated third party" means a person, including a company that is an affiliate solely by virtue of the licensee's or its affiliate's direct or indirect ownership or control of the company and that conducts merchant banking or investment banking activities of the type described by Section 4(k)(4)(H), Bank Holding Company Act of 1956 (12 U.S.C. Section 1843(k)(4)(H)), or insurance company investment activities of the type described by Section 4(k)(4)(I), Bank Holding Company Act of 1956 (12 U.S.C. Section 1843(k)(4)(I)), other than the licensee's affiliate or a person employed jointly by a licensee and a company that is not the licensee's affiliate.
  The term includes the other company that jointly employs the person.
  (16) "Nonpublic personal information" means nonpublic personal financial information and nonpublic personal health information.
  (17)(A) "Nonpublic personal financial information" means:
      (i) personally identifiable financial information;
      (ii) any list, description, or other grouping of consumers and publicly available information relating to those consumers derived by using any personally identifiable financial information that is not publicly available; and
      (iii) any list of the names and street addresses of individuals derived in whole or in part by using personally identifiable financial information that is not publicly available, such as policy or contract numbers.
    (B) "Nonpublic personal financial information" does not include:
      (i) health information;
      (ii) publicly available information, except as included on a list described in Subparagraph (iv) of this paragraph;
      (iii) any list, description, or other grouping of consumers and publicly available information relating to those consumers derived without using any personally identifiable financial information that is not publicly available; or
      (iv) any list of names and addresses of individuals that contains only publicly available information not derived, in whole or in part, by using personally identifiable information that is not publicly available and that is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
  (18) "Nonpublic personal health information" means health information:
    (A) that identifies an individual who is the subject of the information; or
    (B) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
  (19) "Opt out" means a direction by the consumer that a licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Subchapter D of this chapter.
  (20) "Personally identifiable financial information" means financial information:
    (A) a consumer provides to a licensee to obtain a financial product or service from the licensee;
    (B) about a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or
    (C) a licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
  (21)(A) "Personally identifiable health information" means health information:
      (i) a consumer provides to a licensee to obtain a financial product or service from the licensee;
      (ii) about a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer;
      (iii) the licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer;
      (iv) that identifies a consumer who is the subject of the information; or
      (v) with respect to which there is a reasonable basis to believe that the information could be used to identify a consumer.
    (B) "Personally identifiable health information" does not include personally identifiable, nonmedical information such as a consumer's name, address, social security number, age, gender, or other analogous information if legally obtained by the licensee from a source other than the consumer's medical record, even if the information is also part of the consumer's medical record.
  (22) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the public from:
    (A) federal, state, or local government records;
    (B) widely distributed media; or
    (C) disclosures to the public that are required to be made by federal, state, or local law.
  (23) "Reasonable basis" means a licensee has a basis to believe that information is lawfully made available to the public because the licensee has taken steps to determine:
    (A) that the information is of the type that is available to the public; and
    (B) whether an individual can direct that the information not be made available to the public and, if so, that a licensee's consumer has not done so.

Art. 28A.005. RULES. The commissioner shall adopt rules as necessary to implement this chapter.

SUBCHAPTER B. PRIVACY AND OPT OUT NOTICE REQUIREMENTS

Art. 28A.051. PRIVACY NOTICE TO CONSUMERS REQUIRED; INITIAL NOTICE. (a) A licensee must provide a clear and conspicuous notice that accurately reflects the licensee's privacy policies and practices to:
  (1) an individual who becomes a licensee's customer, not later than the date on which the licensee establishes a customer relationship with the individual, except as provided by Subsection (e) of this article; and
  (2) a consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by Article 28A.152, 28A.153, or 28A.201 of this chapter.
(b) A licensee is not required to provide an initial notice to a consumer under Subsection (a) if:
  (1) the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Article 28A.152, 28A.153, or 28A.201 of this chapter;
  (2) the licensee does not have a customer relationship with the consumer; or
  (3) the notice has been provided by an affiliated licensee, if the notice:
    (A) clearly identifies all licensees to whom the notice applies or states that it applies to all affiliates of the named licensee; and
    (B) is accurate with respect to the licensee and the other institutions.
(c) For purposes of this article, a licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, other than solely as a beneficiary or claimant. A licensee establishes a customer relationship when an insurance policy or contract is delivered to the consumer and the consumer becomes a policyholder and when the consumer agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.
(d) If an existing customer obtains a new financial product or service from a licensee that is to be used primarily for personal, family, or household purposes, a licensee may satisfy the initial notice requirements of Subsection (a) of this article by providing a revised policy notice under Article 28A.055 of this chapter that covers the customer's new financial product or service.
If the initial, revised, or annual notice that a licensee most recently provided to that customer was accurate with respect to the new financial product or service, a licensee is not required to provide a new privacy notice under Subsection (a) of this article.
(e) A licensee may provide the initial notice required by Subsection (a)(1) of this article within a reasonable time after the licensee establishes a customer relationship if:
  (1) establishing the customer relationship is not at the customer's election, including the circumstance in which the licensee acquires or is assigned the insurance policy or related records from another financial institution or residual market mechanism and the customer does not have a choice about that acquisition or assignment; or
  (2) providing notice not later than the date on which the licensee establishes the customer relationship would substantially delay the customer's transaction, including a circumstance in which the licensee and the individual agree by telephone conversation to enter into a customer relationship involving prompt delivery of the financial product or service, and the customer agrees to receive the notice at a later time.
(f) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the requirements of Subsection (a) of this article by providing one initial notice to those consumers jointly.
(g) If a licensee is required by this article to deliver an initial privacy notice, the licensee must deliver the notice as provided by Article 28A.056 of this chapter. If a licensee uses a short-form initial notice for noncustomers as provided by Article 28A.053(c) of this chapter, the licensee may deliver the privacy notice as provided by Subsection (d) of that article.

Art. 28A.052.
ANNUAL PRIVACY NOTICE TO CUSTOMERS REQUIRED. (a) A licensee shall provide a clear and conspicuous notice to a customer that accurately reflects the licensee's privacy policies and practices at least annually during the continuation of the customer relationship. For the purposes of this subsection, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The licensee may establish the period, but must apply the period to the customer on a consistent basis.
(b) A licensee is not required to provide an annual notice to a former customer. For purposes of this subsection, a "former customer" is an individual with whom a licensee no longer has a continuing relationship because:
  (1) the individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
  (2) the individual's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices, materials required by law or regulation, or promotional materials;
  (3) the individual's last known address according to the licensee's records is invalid, as determined by the fact that mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or
  (4) in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of
  its responsibilities with respect to the settlement, including filing documents on the public record.
(c) If a licensee is required by this article to deliver an annual privacy notice, the licensee must deliver the notice as provided by Article 28A.056 of this chapter.
(d) The annual notice may be provided by an affiliated licensee if the notice:
  (1) clearly identifies all licensees to which the notice applies or states that the notice applies to all affiliates of the named licensee; and
  (2) is accurate with respect to the licensee and other institutions.

Art. 28A.053. INFORMATION TO BE INCLUDED IN PRIVACY NOTICES. (a) In addition to any other information the licensee wishes to provide, the initial, annual, and revised privacy notices that a licensee provides under Articles 28A.051, 28A.052, and 28A.055 of this chapter must include each of the following items of information that applies to the licensee or to the consumers to whom the licensee sends its privacy notice:
  (1) the categories of nonpublic personal financial information that the licensee collects;
  (2) the categories of nonpublic personal financial information that the licensee discloses;
  (3) the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Articles 28A.152 and 28A.153 of this chapter;
  (4) the categories of nonpublic personal financial information about the licensee's former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about its former customers, other than those parties to whom it discloses information under Articles 28A.152 and 28A.153 of
  this chapter;
  (5) if a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Article 28A.151 of this chapter and another exception does not apply to that disclosure, a separate statement of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
  (6) an explanation of the right under Article 28A.101 of this chapter to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties and under Article 28A.201 of this chapter to authorize the disclosure of personally identifiable health information for marketing purposes, including the methods by which the consumer may exercise those rights at that time;
  (7) any disclosures that the licensee makes under Section 603(d)(2)(A)(iii), Fair Credit Reporting Act (15 U.S.C. Section 1681a(d)(2)(A)(iii));
  (8) the licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
  (9) if disclosures are made under Subsection (b) of this article, a statement that the licensee makes those disclosures.
(b) If a licensee discloses nonpublic personal financial information about a consumer to third parties only as authorized under Articles 28A.152 and 28A.153 of this chapter, the licensee is not required to list those exceptions in the initial or annual privacy notices required by this chapter. In describing the categories with respect to those parties, a licensee is only required to state that the licensee makes disclosures to other nonaffiliated third parties as permitted by law.
(c) A licensee may satisfy the initial notice requirements of this chapter for a consumer who is not a customer by providing a short-form initial notice at the same time the licensee delivers an opt out notice as required by Article 28A.056 of this chapter and, if appropriate, an authorization as required by Article 28A.201 of this chapter. A short-form initial notice must:
  (1) be clear and conspicuous;
  (2) state that a licensee's privacy notice is available on request; and
  (3) explain the means, which must be reasonable, by which the consumer may obtain that notice, including provision of a toll-free telephone number the consumer may call to request the notice or, for a consumer who conducts business in person in the licensee's office, providing notice to the consumer immediately on request.
(d) A licensee must deliver the licensee's short-form notice as provided by Article 28A.056 of this chapter. A licensee is not required to deliver the licensee's privacy notice with the licensee's short-form initial notice. A licensee may instead provide the consumer with a reasonable means to obtain the licensee's privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver the privacy notice according to Article 28A.056 of this chapter.
(e) A licensee's notice may include categories of:
  (1) nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
  (2) affiliates or nonaffiliated third parties to whom the licensee reserves the right to disclose in the future, but to whom it does not currently disclose nonpublic personal financial information.

Art. 28A.054. FORM OF OPT OUT NOTICE TO CONSUMERS; OPT OUT METHODS.
(a) If a licensee is required to provide an opt out notice under Article 28A.101 of this chapter, the licensee must provide a clear and conspicuous notice to each of the licensee's consumers that accurately explains the right to opt out under that article. The notice must state that the licensee discloses or reserves the right to disclose nonpublic personal financial information about the consumer to a nonaffiliated third party and that the consumer has the right to opt out of that disclosure. The notice must provide a reasonable means by which the consumer may exercise the right to opt out. The licensee may require that the consumer opt out through a specific means, if the means is reasonable for that consumer.
(b) A licensee provides a reasonable means to exercise the right to opt out if the licensee:
  (1) designates check off boxes in a prominent position on the relevant forms with the opt out notice;
  (2) includes a reply form with the opt out notice;
  (3) provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's Internet site, if the consumer agrees to the electronic delivery of information;
  (4) provides a toll-free telephone number consumers may call to opt out; or
  (5) provides the opt out notice with or on the same written or electronic form as the initial notice the licensee provides in accordance with Article 28A.051 of this chapter.
(c) If a licensee provides the opt out notice on a date later than that required for the initial notice under Article 28A.051(e) of this chapter, the licensee must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.
(d) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice must explain how the licensee treats an opt out direction by a joint consumer. Any of the joint consumers may exercise the right to opt out. The licensee may treat an opt out direction by a joint consumer as applying to all of the associated joint consumers, or permit each joint consumer to opt out separately. If the licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers. A licensee may not require all joint consumers to opt out before the licensee implements any opt out direction.
(e) A licensee must comply with a consumer's opt out directive as soon as reasonably practicable after the licensee receives the directive.
(f) A consumer may exercise the right to opt out at any time.
(g) A consumer's directive to opt out under this article is effective until the consumer revokes the directive in writing or, if the consumer agrees, electronically. When a customer relationship terminates, the customer's opt out directive continues to apply to the nonpublic personal financial information the licensee collected during, or related to, that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out directive that applied to the former relationship does not apply to the new relationship.
(h) A licensee required by this article to deliver an opt out notice shall deliver the notice as provided by Article 28A.056 of this chapter.

Art. 28A.055. REVISED PRIVACY NOTICES.
(a) Except as otherwise authorized by this chapter, a licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under Article 28A.051 of this chapter, unless:
(1) the licensee has provided to the consumer a revised notice that accurately describes the licensee's policies and practices;
(2) the licensee has provided to the consumer a new opt out notice and, if appropriate, an authorization as required by Article 28A.151 of this chapter;
(3) the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of, or, if appropriate, authorize the disclosure; and
(4) the consumer does not opt out or, if appropriate, the consumer authorizes the disclosure.
(b) A licensee required by this article to deliver a revised privacy notice shall deliver the notice as provided by Article 28A.056 of this chapter.
Art. 28A.056. DELIVERING PRIVACY AND OPT OUT NOTICES.
(a) A licensee shall provide any privacy notices and opt out notices, including short-form initial notices, that this chapter requires in writing or, if the consumer agrees, electronically.
(b) A licensee may reasonably expect that a consumer will receive actual notice if:
(1) the licensee:
(A) hand delivers a printed copy of the notice to the consumer;
(B) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing, or other written communication; or
(C) clearly and conspicuously posts the notice on the licensee's Internet site for the consumer who regularly accesses the licensee's Internet site to conduct transactions; or
(2) for an isolated transaction with a consumer, such as providing an insurance quote or selling the consumer travel insurance, the licensee posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
(c) A licensee may not reasonably expect that a consumer will receive actual notice of the licensee's privacy policies and practices if the licensee:
(1) only posts a sign in the licensee's branch or office or generally publishes advertisements of the licensee's privacy policies and practices; or
(2) sends the notice via electronic mail to a consumer who does not obtain a financial product or service from the licensee electronically.
(d) A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if the customer:
(1) agrees to receive notices at the licensee's Internet site, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the Internet site; or
(2) has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer on request.
(e) A licensee may not provide any notice required by this chapter solely by orally explaining the notice, either in person or by telephone conversation.
(f) For customers only, a licensee shall provide the initial notice, the annual notice, and the revised notice required by this chapter in such a manner that the customer can retain the notices or obtain the notices later in writing or, if the customer agrees, electronically. The licensee may provide the notices by:
(1) hand delivering a printed copy of the notice to the customer;
(2) mailing a printed copy of the notice to the last known address of the customer on the request of the customer; or
(3) for the customer who agrees to receive the notice at the Internet site, making the licensee's current privacy notice available on the licensee's Internet site or through a link to another web site.
(g) A licensee may provide a joint notice from the licensee and one or more of the licensee's affiliates, other licensees, or other financial institutions, or on behalf of another financial institution, if the notice is accurate with respect to the licensee and the other institutions.
(h) If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of Articles 28A.051, 28A.052, and 28A.055 of this chapter by providing one notice to those consumers jointly.
Art. 28A.057. NONDISCRIMINATION.
(a) A licensee may not unfairly discriminate against a customer or consumer on the basis of the customer's or consumer's exercise of the right to opt out of the sharing of nonpublic personal information in the manner provided by this chapter. This article does not prohibit licensees from engaging in usual, appropriate, or acceptable methods for insurance underwriting.
(b) This chapter does not require a licensee to provide a benefit or commence or continue payment of a claim in the absence of nonpublic personal health information or nonpublic personal financial information necessary to support or deny the claim.
Art. 28A.058. APPLICATION TO CERTAIN EXCESS LINE BROKERS.
(a) In this article, "covered entity" includes an unauthorized insurer who places business through licensed excess line brokers in this state, but only as regards the excess line placements placed under Article 1.14-2 of this code.
(b) A licensed excess line broker placing business underwritten by a covered entity and that covered entity are considered to be in compliance with the notice and opt out requirements for nonpublic personal financial information established under Subchapters A, B, C, D, and F of this chapter if:
(1) the licensed excess line broker and covered entity do not disclose nonpublic personal information of a consumer or a customer to a nonaffiliated third party for any purpose, including joint servicing or marketing under Article 28A.151 of this chapter, except as permitted by Article 28A.152 or 28A.153 of this chapter; and
(2) at the time the customer relationship is established, a single notice is delivered to the consumer on behalf of all the licensed excess line brokers and covered entities involved in the provision of the financial product or service to a consumer or customer that meets the requirements of Subsection (c) of this article.
(c) The notice required by Subsection (b) of this article must be printed in 16-point type and include the following statement:
PRIVACY NOTICE
"NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS PERMITTED BY LAW."
Art. 28A.059. APPLICATION TO CERTAIN LICENSEES.
A licensee who is a producer or independent insurance agent is subject to all the requirements of this chapter unless the producer or agent is acting as agent for a licensee. A producer acting as agent for a licensee is exempt only from the notice requirements, rather than all requirements, of this chapter, and only if the producer does not disclose consumer information other than as permitted by Subchapter D of this chapter.
SUBCHAPTER C. LIMITS ON DISCLOSURE
Art. 28A.101. LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES.
(a) Except as otherwise authorized by this chapter, a licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(1) the licensee has provided to the consumer an initial notice as required by Article 28A.051 of this chapter;
(2) the licensee has provided to the consumer an opt out notice as required by Article 28A.054 of this chapter; or
(3) the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure and the consumer does not opt out.
(b) A licensee may comply with Subsection (a)(3) of this article by mailing the notices required by Subsection (a)(1) of this article to the consumer and allowing the consumer to opt out by mailing a form, calling a toll-free telephone number, or taking any other reasonable means not later than the 30th day after the date on which the licensee mailed the notices. A licensee may also comply by allowing a customer to open an on-line account with the licensee if the customer agrees to receive the notice required under Subsection (a)(1) of this article electronically, and if the licensee makes the notice available to the customer on its Internet site and allows the customer to opt out by any reasonable means not later than the 30th day after the date the customer acknowledges receipt of the notices in conjunction with opening the account. For an isolated transaction, such as providing a consumer with an insurance quote, a licensee provides a reasonable opportunity to opt out if the licensee provides the consumer the notice required by Subsection (a)(1) of this article at the time of the transaction and requests that the consumer decide, as a necessary act of the transaction, whether to opt out before completing the transaction.
(c) A licensee must comply with this article regardless of whether the licensee and the consumer have established a customer relationship. Unless a licensee complies with this article, the licensee may not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer that it has collected, regardless of whether the licensee collected it before or after receiving the directive to opt out from the consumer.
Art. 28A.102. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.
(a) If a licensee receives nonpublic personal information from a nonaffiliated financial institution under an exception to this chapter or under an authorization made under Article 28A.201 of this chapter, the licensee may disclose the information:
(1) to the affiliates of the financial institution from which the licensee received the information;
(2) to its affiliates and agents but the affiliates and agents may disclose and use the information only to the extent that the licensee may disclose and use the information; and
(3) under an exception to Article 28A.152 or 28A.153 of this chapter, and use the information in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(b) If a licensee receives nonpublic personal information from a nonaffiliated financial institution other than under an exception to this chapter or under an authorization made under Article 28A.201 of this chapter, the licensee may disclose the information only to:
(1) the affiliates of the financial institution from which the licensee received the information;
(2) the licensee's affiliates and agents but the licensee's affiliates and agents may disclose the information only to the extent that the licensee can disclose the information; and
(3) any other person if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(c) If the licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception to Article 28A.152 or 28A.153 of this chapter, the third party may disclose that information:
(1) to the licensee's affiliates;
(2) to the third party's affiliates but those affiliates may disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) under an exception to Article 28A.152 or 28A.153 of this chapter, and use the information in the ordinary course of business to carry out the activity covered by the exception under which the third party received the information.
(d) If a licensee discloses nonpublic personal information to a nonaffiliated third party other than under an exception to Article 28A.152 or 28A.153 of this chapter or under an authorization made under Article 28A.201 of this chapter, the third party may disclose the information only to:
(1) the licensee's affiliates;
(2) the third party's affiliates but the third party's affiliates may disclose the information only to the extent the third party can disclose the information; and
(3) any other person if the disclosure would be lawful if the licensee made it directly to that person.
Art. 28A.103. LIMITS ON SHARING POLICY OR CONTRACT NUMBER INFORMATION FOR MARKETING PURPOSES.
(a) A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy or contract number or similar form of access number or access code for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(b) Subsection (a) of this article does not apply if the licensee discloses a policy or contract number or similar form of access number or access code to:
(1) the licensee's agent or service provider solely to perform marketing for the licensee's products or services if the agent or service provider is not authorized to directly initiate charges to the account;
(2) a participant in a private label credit card program or an affinity or similar program in which the participants in the program are identified to the customer when the customer enters into the program; or
(3) a licensee who is a producer solely to perform marketing for the licensee's own products or services.
SUBCHAPTER D. EXCEPTIONS
Art. 28A.151. EXCEPTION TO OPT OUT REQUIREMENTS FOR SERVICE PROVIDERS AND JOINT MARKETING.
(a) The opt out requirements of this chapter do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for, or functions on behalf of, the licensee, if the licensee:
(1) provides the initial notice in accordance with this chapter; and
(2) enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to implement the purposes for which the licensee disclosed the information, including use under an exception under Article 28A.152 or 28A.153 of this chapter, in the ordinary course of business to implement those purposes.
(b) A licensee may use personally identifiable financial information and disclose that information to a person acting on behalf of, or at the direction of, the licensee to perform the licensee's insurance functions, including:
(1) claims administration, adjustment, and management;
(2) fraud investigation;
(3) underwriting;
(4) loss control;
(5) rate-making functions;
(6) reinsurance;
(7) risk management;
(8) case management;
(9) quality assessment and improvement;
(10) provider credentialing verification;
(11) utilization review;
(12) peer review activities;
(13) grievance procedures;
(14) internal administration of compliance, managerial, and information systems;
(15) policyholder service functions;
(16) account administration;
(17) processing premium payments;
(18) processing insurance claims;
(19) administering insurance benefits;
(20) participating in research projects; and
(21) as otherwise required or specifically permitted by federal or state law.
(c) The services performed for a licensee by a nonaffiliated third party under Subsection (a) of this article may include marketing of the licensee's own products or services or marketing of financial products or services offered under joint agreements between the licensee and one or more financial institutions. For purposes of this subsection, "joint agreement" means a written contract under which a licensee and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
Art. 28A.152. EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR PROCESSING AND SERVICING TRANSACTIONS.
(a) The requirements for initial notice to consumers under Article 28A.051(a)(2), providing the opportunity for consumers and customers to opt out, and the application of this chapter to service providers and joint marketing do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer or made in connection with:
(1) servicing or processing a financial product or service requested or authorized by the consumer, including the products or services under consideration by a consumer;
(2) maintaining or servicing the consumer's account with the licensee or with another entity;
(3) a transaction involving a person acting as an agent of the licensee, if the agent agrees not to disclose the nonpublic personal financial information to additional third parties; or
(4) a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transaction related to a transaction of the consumer.
(b) The requirements of this chapter do not apply if a licensee discloses nonpublic personal financial information for any purpose related to effecting, administering, or replacing a group benefit plan, a group health plan, or a group welfare plan.
(c) For purposes of this article, a disclosure is necessary to effect, administer, or enforce a transaction if the disclosure is:
(1) required to enforce, or is one of the lawful or appropriate methods of enforcing, the licensee's rights or the rights of other persons engaged in implementing the financial transaction or providing the product or service; or
(2) required, or is a usual, appropriate, or acceptable method:
(A) to implement the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
(B) to administer, adjudicate, or service benefits or claims relating to the transaction or the product or service business of which the transaction is a part;
(C) to provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product, to the consumer or the consumer's agent or broker;
(D) to accrue or recognize incentives or bonuses associated with the transaction that are provided by the licensee or any other party;
(E) to underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes, as they relate to a consumer's insurance:
(i) account administration;
(ii) reporting;
(iii) investigating;
(iv) preventing fraud or material misrepresentation;
(v) processing premium payments;
(vi) processing insurance claims;
(vii) administering insurance benefits, including utilization review activities;
(viii) participating in research projects; or
(ix) as otherwise required or specifically permitted by federal or state law; or
(F) in connection with:
(i) the authorization, settlement, processing, transferring, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or policy or contract number, or by other payment means;
(ii) the transfer of receivables, accounts, or interests in receivables or accounts; or
(iii) the audit of debit, credit, or other payment information.
Art. 28A.153. OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS.
(a) The requirements for initial notice to consumers under Article 28A.051(a)(2), the opportunity to opt out, and the provisions applicable to service providers and joint marketing in this chapter do not apply when a licensee discloses nonpublic personal financial information:
(1) with the consent of or at the direction of the consumer if the consumer has not revoked the consent or direction;
(2) to protect the confidentiality or security of a licensee's records relating to the consumer, service, product, or transaction;
(3) to protect against or prevent actual or potential fraud, unauthorized transactions or claims, or other liability;
(4) for required institutional risk control or for resolving consumer disputes or inquiries;
(5) to persons holding a legal or beneficial interest relating to the consumer;
(6) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(7) to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the licensee, persons that are assessing the licensee's compliance with industry standards, and the licensee's attorneys, accountants, and auditors;
(8) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Section 3401 et seq.):
(A) to:
(i) law enforcement agencies, including a federal functional regulator;
(ii) the United States Secretary of the Treasury with respect to 31 U.S.C. Chapter 53, Subchapter II, and 12 U.S.C. Chapter 21;
(iii) a state insurance authority, with respect to any person domiciled in that insurance authority's state who is engaged in the business of insurance;
(iv) the Federal Trade Commission; or
(v) a self-regulatory organization; or
(B) for an investigation on a matter related to public safety;
(9) to a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and the fair credit laws of this state or from a consumer report reported by a consumer reporting agency;
(10) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
(11) to comply with:
(A) federal, state, or local laws, rules, and other applicable legal requirements;
(B) a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities; or
(C) judicial process or government regulatory authorities that have jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law;
(12) as necessary to provide ongoing health care treatment;
(13) in connection with quality assessment evaluations or investigations;
(14) to reveal a consumer's presence in a facility owned by the licensee and the consumer's general health condition;
(15) to a reinsurer, stop loss, or excess loss carrier for underwriting, claims adjudication, or conducting claim file audits;
(16) as necessary to:
(A) identify a deceased individual;
(B) determine the cause and manner of death by a chief medical examiner or the medical examiner's designee; or
(C) provide necessary protected health information about a deceased individual who is a donor of an anatomical gift;
(17) to the department for use in an examination, investigation, or audit of the licensee; or
(18) under a court order issued after the court's determination that the public interest in the disclosure outweighs the consumer's privacy interest and that the personally identifiable health information is not reasonably available by other means.
(b) This chapter may not be construed as applicable to information disclosures by licensees in connection with the purchase of insurance coverage by the licensee or the arrangement of insurance coverage by the licensee for its employees.
SUBCHAPTER E. PERSONALLY IDENTIFIABLE HEALTH INFORMATION
Art. 28A.201. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION; EXCEPTION.
(a) A licensee must obtain an authorization to disclose any personally identifiable health information before making such a disclosure, if the purpose of the disclosure is for the marketing of services or goods for personal, family, or household purposes.
(b) The request for authorization required by this article may be included in the notice required by Article 28A.051 of this chapter. The request for authorization must:
(1) state the purpose of the disclosure in clear and simple terms and in a separate paragraph;
(2) specify that the authorization remains valid for not more than 24 months and may be revoked at any time; and
(3) specify that the terms and conditions of an insurance policy are not affected in any way by a refusal to give the authorization, as provided by Article 28A.057 of this chapter.
(c) This chapter does not apply and the authorization described by this article is not required if a licensee discloses nonpublic personal health information for any purpose related to effecting, administering, or replacing a group benefit plan, a group health plan, or a group welfare plan.
(d) This article does not prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee when sharing the information with a vendor who is acting on behalf of the licensee or for the performance of insurance functions described by Article 28A.151 by or on behalf of the licensee.
SUBCHAPTER F. RELATION TO OTHER LAWS; ENFORCEMENT
Art. 28A.251. PROTECTION OF FAIR CREDIT REPORTING ACTS.
(a) This chapter may not be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference may not be drawn based on this chapter regarding whether information is transaction or experience information under Section 603 (15 U.S.C. Section 1681a).
(b) This chapter may not be construed to modify, limit, or supersede the operation of any fair credit law of this state.
(c) This chapter does not preempt or supersede a state law related to medical record, health, or insurance information privacy that is in effect on July 1, 2002.
Art. 28A.252. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.
This chapter does not limit, modify, or supersede the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
Art. 28A.253. VIOLATION; PENALTIES.
(a) A licensee may not knowingly or wilfully violate this chapter.
(b) The department may investigate any alleged violation of this chapter and may impose fines and other sanctions as determined to be appropriate in accordance with Chapters 82 and 84 of this code and the other insurance laws of this state.
SECTION 2.
(a) Except as provided by Subsections (b) and (c) of this section, this Act takes effect September 1, 2001.
(b) An insurer or other licensee described by Chapter 28A, Insurance Code, as added by this Act, is not required to comply with that chapter until July 1, 2002.
(c) Article 28A.253, Insurance Code, as added by this Act, takes effect July 1, 2002.