18.3 Privacy (HIPAA/GLBA), Fraud, and Consumer Protection
Key Takeaways
- GLBA protects nonpublic personal financial information and gives opt-out rights for sharing with nonaffiliated third parties; HIPAA protects PHI and limits pre-existing condition exclusions.
- GLBA opt-out does not apply to affiliate sharing or disclosures needed to service the policy/pay claims; FCRA requires notice on adverse underwriting decisions.
- Under 18 U.S.C. 1033, a felony involving dishonesty bars insurance work without a written 1033 waiver from the commissioner; penalties reach 10 years.
- Soft fraud is padding a real claim; hard fraud is staging or fabricating a loss entirely.
- Failing the 7-pay test makes a policy a MEC, triggering LIFO taxation on distributions plus a 10% pre-59 1/2 penalty.
Federal Privacy Framework
Two federal laws dominate insurance privacy on the national exam: GLBA (financial information) and HIPAA (health information). Know which law covers which type of data and what notice each requires.
GLBA (Gramm-Leach-Bliley Act, 1999)
GLBA governs nonpublic personal financial information (NPI). Insurers must:
- Provide an initial and annual privacy notice describing information-sharing practices.
- Give consumers the right to opt out of sharing NPI with nonaffiliated third parties (with limited exceptions).
- Maintain safeguards to protect the security of customer data.
HIPAA (Health Insurance Portability and Accountability Act, 1996)
HIPAA's Privacy Rule protects Protected Health Information (PHI). Key points tested:
| Provision | Effect |
|---|---|
| Privacy Rule | Limits use/disclosure of PHI; needs authorization for non-routine use |
| Portability | Limits pre-existing condition exclusions when changing group coverage |
| Guaranteed issue/renewability | Protects continuity of group health coverage |
| Minimum necessary | Disclose only the PHI needed for the purpose |
Three Privacy Notice Categories (Often Confused)
- Notice of Insurance Information Practices — explains how the insurer collects and uses personal information (Fair Information Practices / NAIC privacy model).
- GLBA Privacy Notice — financial privacy and opt-out rights for NPI.
- HIPAA Notice of Privacy Practices — how PHI is used and the consumer's health-data rights.
Trap: GLBA's opt-out applies to sharing with nonaffiliated third parties. Sharing among affiliates and disclosures necessary to service the policy or pay a claim generally do not require opt-out and are permitted.
GLBA also distinguishes a consumer (someone who obtains a financial product for personal use) from a customer (a consumer with a continuing relationship). A customer is entitled to the annual privacy notice; a one-time consumer generally receives only the initial notice. The annual-notice requirement is relaxed when an insurer has not changed its sharing practices and does not share NPI in ways that trigger opt-out, but candidates should still associate the initial-plus-annual notice pattern with GLBA.
The Fair Credit Reporting Act (FCRA) also appears: an insurer that orders an investigative consumer report must tell the applicant that such a report may be made, and when it takes an adverse underwriting action based on any consumer report it must give the applicant an adverse-action notice that identifies the reporting agency and explains the right to obtain a copy of the report and dispute errors.
HIPAA Portability Mechanics
Beyond privacy, HIPAA's portability rules limited how long group health plans could exclude pre-existing conditions and required creditable-coverage credit when a worker changed jobs.
Many of these protections were later expanded by the ACA's ban on pre-existing condition exclusions, but the exam still tests HIPAA's framework: guaranteed issue for small groups, guaranteed renewability, and the prohibition on basing group eligibility on a single individual's health status.
The minimum necessary standard restricts disclosed PHI to what the task requires, and routine treatment, payment, and operations (TPO) disclosures do not need separate authorization. Non-routine uses, such as marketing or sharing PHI with an employer for employment decisions, do require the individual's written authorization.
Under GLBA, a consumer generally has the right to opt out when an insurer intends to share nonpublic personal financial information with:
Insurance Fraud and Federal Consumer Protections
Insurance fraud is a deliberate deception to obtain an unlawful gain. The Fraud and False Statements Act (18 U.S.C. 1033 / 1034) is heavily tested: a person convicted of a felony involving dishonesty or breach of trust may not engage in the business of insurance affecting interstate commerce without written consent (a 1033 waiver) from the state insurance commissioner. Violations carry fines and up to 10 years imprisonment.
Soft vs. Hard Fraud
| Type | Description |
|---|---|
| Soft fraud | Exaggerating a legitimate claim (padding) |
| Hard fraud | Deliberately staging or fabricating a loss |
Other Federal Consumer Protections
- Do-Not-Call Registry / TCPA — restricts unsolicited telemarketing calls.
- CAN-SPAM — governs commercial email.
- Military Personnel Financial Services Protection / suitability rules — protect service members from abusive sales.
- ERISA — federal oversight of employer-sponsored group plans.
- Fraud and False Statements (1033/1034) — felony bar and 1033 waiver requirement, with up to 10-year penalties.
Tax/MEC tie-in: A life policy that fails the 7-pay test becomes a Modified Endowment Contract (MEC). Distributions from a MEC (loans/withdrawals) are taxed LIFO (gain first, taxed as income) and a 10% penalty applies before age 59 1/2 — a key suitability disclosure when a policy is overfunded.
The MEC 7-Pay Test in Detail
The 7-pay test compares the cumulative premiums actually paid against the cumulative premiums that would have been needed to pay the policy up in seven level annual payments. The comparison is made at each point during the first seven policy years, so the contract fails as soon as the amount paid through any year exceeds that year's share of the 7-pay limit (for example, more than one 7-pay premium in year one, more than two by the end of year two, and so on). Once the limit is exceeded the contract becomes a MEC permanently; the status does not reverse even if later premiums slow down or stop. By contrast, a non-MEC life policy enjoys FIFO withdrawal treatment (basis first, tax-free up to premiums paid) and tax-free policy loans, which is why over-funding for cash accumulation can backfire.
Quick Tax Comparison
| Feature | Non-MEC Life | MEC |
|---|---|---|
| Withdrawal order | FIFO (basis first) | LIFO (gain first) |
| Loans | Generally tax-free | Treated as taxable distributions |
| Pre-59 1/2 penalty | None | 10% on the taxable gain |
| Death benefit | Income-tax-free | Income-tax-free |
Producers must disclose MEC risk before recommending heavy single-premium or rapid-funding strategies, because the client may expect tax-free access that the MEC rules eliminate. Failing to explain this is both a suitability and a potential misrepresentation issue, tying this topic back to the unfair-trade-practice rules in 18.1.
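The 7-pay comparison and the FIFO/LIFO split above are mechanical enough to model. The following is an added illustration, not material from the study guide or from any insurer's actuarial system: the 7-pay premium, basis, cash values and ages are constructed figures, and the helper names (`seven_pay_test`, `tax_distribution`) are the author's own. It applies the year-by-year cumulative check, treats the first failing year as permanent, and splits a withdrawal or loan into taxable and tax-free portions with the pre-59 1/2 penalty.

```python
"""Model the MEC 7-pay test and MEC vs non-MEC distribution taxation.

Constructed illustration. The 7-pay premium, premium schedules, cash
values and ages used in the usage section are made-up numbers, not
actuarial output, and the simplifications (basis = premiums paid,
gain = cash value - basis) match the study-guide treatment only.
"""
from dataclasses import dataclass

PENALTY_AGE = 59.5   # 10% additional tax applies to MEC gain taken before this age
PENALTY_RATE = 0.10


def seven_pay_test(premiums_by_year, seven_pay_premium):
    """Return the policy year in which the contract became a MEC, or None.

    premiums_by_year: premiums actually paid in policy years 1..7.
    seven_pay_premium: the level annual premium that would pay the policy
        up in seven years (assumed to be supplied by the insurer).

    The contract fails if cumulative premiums paid through any year n
    exceed n * seven_pay_premium. Because MEC status is permanent, the
    first failing year is returned even if later years stay under the line.
    """
    cumulative = 0.0
    for year, paid in enumerate(premiums_by_year[:7], start=1):
        cumulative += paid
        if cumulative > year * seven_pay_premium:
            return year
    return None


def is_mec(premiums_by_year, seven_pay_premium):
    """True if the premium schedule fails the 7-pay test at any point."""
    return seven_pay_test(premiums_by_year, seven_pay_premium) is not None


@dataclass
class Distribution:
    amount: float      # total taken out of the policy
    taxable: float     # portion taxed as ordinary income
    tax_free: float    # portion treated as return of basis (or a non-taxable loan)
    penalty: float     # 10% additional tax on the taxable part, if any


def tax_distribution(amount, basis, cash_value, mec, age, loan=False):
    """Split a withdrawal (or loan) into taxable and tax-free parts.

    basis: total premiums paid (cost basis); gain = cash_value - basis.
    Non-MEC: FIFO, basis comes out first tax-free; only the excess is gain.
             Policy loans are not a taxable event at all.
    MEC:     LIFO, gain comes out first as ordinary income, loans are
             treated as distributions, and a 10% penalty applies to the
             taxable part if the owner is under 59 1/2.
    """
    gain = max(0.0, cash_value - basis)
    if loan and not mec:
        # A loan against a non-MEC policy is borrowed money, not income.
        return Distribution(amount, 0.0, amount, 0.0)
    if mec:
        taxable = min(amount, gain)            # LIFO: gain first
    else:
        taxable = max(0.0, amount - basis)     # FIFO: basis first
    tax_free = amount - taxable
    penalty = PENALTY_RATE * taxable if (mec and age < PENALTY_AGE) else 0.0
    return Distribution(amount, taxable, tax_free, penalty)


if __name__ == "__main__":
    # Constructed example: a 7-pay premium of 12,000 per year.
    level = [12_000] * 7                       # exactly at the limit: not a MEC
    front_loaded = [12_000, 12_000, 15_000, 0, 0, 0, 0]   # fails in year 3, permanently
    print("level funding MEC year:", seven_pay_test(level, 12_000))
    print("front-loaded MEC year:", seven_pay_test(front_loaded, 12_000))
    # Same 20,000 withdrawal at age 45, basis 50,000, cash value 80,000:
    print("non-MEC:", tax_distribution(20_000, 50_000, 80_000, mec=False, age=45))
    print("MEC:    ", tax_distribution(20_000, 50_000, 80_000, mec=True, age=45))
```

The year-3 failure in the front-loaded schedule is the point the guide makes about permanence: years 4 through 7 pay nothing, yet the contract stays a MEC. The two `tax_distribution` calls show the same 20,000 withdrawal coming out entirely tax-free from a non-MEC policy (basis first) but entirely taxable, plus a 2,000 penalty, from a MEC.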
An applicant was convicted of embezzlement (a felony involving breach of trust). Under 18 U.S.C. 1033, this person may work in the business of insurance affecting interstate commerce only if they: