18.3 Privacy (HIPAA/GLBA), Fraud, and Consumer Protection
Key Takeaways
- GLBA protects nonpublic personal (financial) information and requires privacy notices plus an opt-out before sharing NPI with non-affiliates.
- HIPAA protects protected health information and provides health-coverage portability and renewability protections.
- 18 U.S.C. 1033/1034 makes insurance fraud a federal crime; a person with a disqualifying felony needs a 1033 waiver from the commissioner to work in insurance.
- The Fair Credit Reporting Act requires written notice within 3 days when an investigative consumer report is ordered.
- Replacement regulations mandate disclosure forms and an extended free-look to protect consumers from twisting and churning.
Privacy protections: GLBA and HIPAA
Two federal privacy frameworks dominate the national exam. The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions, including insurers, handle nonpublic personal information (NPI). GLBA requires insurers to give consumers a privacy notice at the start of the relationship and annually, describing what information is collected and shared, and to provide an opt-out before sharing NPI with non-affiliated third parties. NPI includes financial information such as account balances and application data.
The Health Insurance Portability and Accountability Act (HIPAA) protects protected health information (PHI) and standardizes health-coverage rules. Its Privacy Rule limits use and disclosure of PHI to treatment, payment, and health-care operations without authorization. HIPAA also created portability protections, limiting how pre-existing condition exclusions can be applied and guaranteeing certain renewability — concepts that overlap with the health-insurance chapters.
GLBA distinguishes between sharing within affiliated companies (broadly permitted) and sharing with non-affiliated third parties (which triggers the opt-out). Certain disclosures are exempt from the opt-out entirely — for example, sharing needed to process a transaction the consumer requested, to service the account, or as required by law. HIPAA likewise allows PHI disclosure without authorization for treatment, payment, and operations, but routine marketing or sale of PHI requires explicit written authorization from the individual.
Privacy notices at a glance
| Requirement | GLBA | HIPAA |
|---|---|---|
| Information type | Nonpublic personal (financial) info (NPI) | Protected health information (PHI) |
| Initial notice | At establishment of relationship | Notice of Privacy Practices at first delivery of service |
| Opt-out / authorization | Opt-out before sharing NPI with non-affiliates | Written authorization for non-routine disclosures |
| Annual notice | Generally required (limited exceptions) | Notice available on request |
The NAIC Privacy of Consumer Financial and Health Information Regulation implements GLBA at the state level for insurers and distinguishes between a consumer (one transaction) and a customer (ongoing relationship); customers receive the recurring annual notice.
A data breach triggers separate breach-notification duties under most state laws: the insurer must notify affected individuals (and often the department and credit bureaus) within a defined window when unencrypted personal information is compromised. The exam may test the who-receives-which-notice distinction, so anchor it: privacy notices go out routinely to consumers and customers, while breach notices go out only after a security incident exposes protected data.
Under the Gramm-Leach-Bliley Act, before an insurer may share a consumer's nonpublic personal information with a non-affiliated third party, it must generally:
Insurance fraud and federal anti-fraud law
Insurance fraud is the knowing misrepresentation of material facts to obtain a benefit or payment not otherwise due. It can be committed by applicants, insureds, producers, or insurers. The Fraud and False Statements provision (18 U.S.C. 1033/1034) makes it a federal crime for anyone engaged in the business of insurance affecting interstate commerce to willfully make false statements, embezzle funds, or otherwise commit fraud.
A critical exam fact: a person convicted of a felony involving dishonesty or breach of trust is prohibited from working in the business of insurance unless they obtain written consent (a 1033 waiver) from the state insurance commissioner. Violations carry fines and imprisonment (up to 10–15 years depending on the offense). This rule applies even to back-office employees, not just licensed producers.
Common fraud schemes the exam expects you to recognize include application fraud (concealing a material health condition), premium diversion (a producer pocketing premiums instead of remitting them — a fiduciary crime as well as fraud), fictitious or staged claims, and fake or unauthorized insurers selling coverage that does not exist. The material misrepresentation standard is central: a misstatement is material if the insurer would have acted differently — declining the risk or charging more — had it known the truth. Innocent, immaterial errors generally do not void a policy after the contestable period.
Consumer protection: FCRA, replacement, and advertising
- Fair Credit Reporting Act (FCRA) — governs use of consumer/credit reports in underwriting. If an insurer obtains an investigative consumer report (interviews about character, reputation, lifestyle), it must notify the applicant in writing within 3 days of the request and disclose the right to request the nature and scope of the investigation. Adverse decisions based on a report require notice naming the reporting agency.
- Replacement regulation — requires disclosure forms, notice to the existing insurer, and an extended free-look so the consumer can compare old and new coverage; protects against twisting and churning.
- Advertising rules — ads must not be deceptive; testimonials must be genuine and current; the full company name must be identifiable.
- USA PATRIOT Act / anti-money-laundering (AML) — insurers selling cash-value products must maintain AML programs and file Suspicious Activity Reports; producers receive AML training and watch for red flags such as large cash premium payments followed by early surrender.
- Buyer's Guide and policy summary — many states require delivery of an NAIC Buyer's Guide and a policy summary at or before delivery so the consumer can make an informed comparison.
Trap
The FCRA pre-notice timing is 3 days for investigative reports; do not confuse it with policy free-look (10 days) or HIPAA notice rules. Also remember a 1033 waiver permits employment despite a disqualifying felony — without it, employment in insurance is barred.
An individual previously convicted of a felony involving breach of trust wants to work for an insurer. Under 18 U.S.C. 1033/1034, this person may do so only if: