Introduced Version






HOUSE BILL No. 1695

_____


DIGEST OF INTRODUCED BILL



Citations Affected: IC 27-4-1-4 ; IC 27-16.

Synopsis: Privacy of personal information. Defines "licensee" as a person who must be licensed, authorized, certified, or registered under the Indiana insurance law. Specifies the requirements for the initial and annual privacy notices that must be provided by a licensee to consumers and customers of the licensee regarding disclosure of the consumers' or customers' financial information. Specifies: (1) information that must be provided in a privacy notice and an opt out notice; (2) requirements for revisions to the privacy notice; (3) requirements for delivery of privacy notice and notice of the right to opt out; (4) nondiscrimination provisions; (5) limitations on disclosure and redisclosure of financial information; (6) limitations on disclosure of information for marketing purposes; and (7) exceptions to the notice and opt out requirements. Provides for privacy notice and disclosure requirements for disclosure of personal health information. Provides for violations of the notice and disclosure requirements. Makes a conforming amendment.

Effective: July 1, 2001.





Smith M




    January 17, 2001, read first time and referred to Committee on Insurance, Corporations and Small Business.







Introduced

First Regular Session 112th General Assembly (2001)


PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2000 General Assembly.

HOUSE BILL No. 1695



    A BILL FOR AN ACT to amend the Indiana Code concerning insurance.

Be it enacted by the General Assembly of the State of Indiana:

SOURCE: IC 27-4-1-4; (01)IN1695.1.1. -->     SECTION 1. IC 27-4-1-4 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2001]: Sec. 4. The following are hereby defined as unfair methods of competition and unfair and deceptive acts and practices in the business of insurance:
        (1) Making, issuing, circulating, or causing to be made, issued, or circulated, any estimate, illustration, circular, or statement:
            (A) misrepresenting the terms of any policy issued or to be issued or the benefits or advantages promised thereby or the dividends or share of the surplus to be received thereon;
            (B) making any false or misleading statement as to the dividends or share of surplus previously paid on similar policies;
            (C) making any misleading representation or any misrepresentation as to the financial condition of any insurer, or as to the legal reserve system upon which any life insurer operates;
            (D) using any name or title of any policy or class of policies

misrepresenting the true nature thereof; or
            (E) making any misrepresentation to any policyholder insured in any company for the purpose of inducing or tending to induce such policyholder to lapse, forfeit, or surrender his insurance.
        (2) Making, publishing, disseminating, circulating, or placing before the public, or causing, directly or indirectly, to be made, published, disseminated, circulated, or placed before the public, in a newspaper, magazine, or other publication, or in the form of a notice, circular, pamphlet, letter, or poster, or over any radio or television station, or in any other way, an advertisement, announcement, or statement containing any assertion, representation, or statement with respect to any person in the conduct of his insurance business, which is untrue, deceptive, or misleading.
        (3) Making, publishing, disseminating, or circulating, directly or indirectly, or aiding, abetting, or encouraging the making, publishing, disseminating, or circulating of any oral or written statement or any pamphlet, circular, article, or literature which is false, or maliciously critical of or derogatory to the financial condition of an insurer, and which is calculated to injure any person engaged in the business of insurance.
        (4) Entering into any agreement to commit, or individually or by a concerted action committing any act of boycott, coercion, or intimidation resulting or tending to result in unreasonable restraint of, or a monopoly in, the business of insurance.
        (5) Filing with any supervisory or other public official, or making, publishing, disseminating, circulating, or delivering to any person, or placing before the public, or causing directly or indirectly, to be made, published, disseminated, circulated, delivered to any person, or placed before the public, any false statement of financial condition of an insurer with intent to deceive. Making any false entry in any book, report, or statement of any insurer with intent to deceive any agent or examiner lawfully appointed to examine into its condition or into any of its affairs, or any public official to which such insurer is required by law to report, or which has authority by law to examine into its condition or into any of its affairs, or, with like intent, willfully omitting to make a true entry of any material fact pertaining to the business of such insurer in any book, report, or statement of such insurer.
        (6) Issuing or delivering or permitting agents, officers, or employees to issue or deliver, agency company stock or other

capital stock, or benefit certificates or shares in any common law corporation, or securities or any special or advisory board contracts or other contracts of any kind promising returns and profits as an inducement to insurance.
        (7) Making or permitting any of the following:
            (A) Unfair discrimination between individuals of the same class and equal expectation of life in the rates or assessments charged for any contract of life insurance or of life annuity or in the dividends or other benefits payable thereon, or in any other of the terms and conditions of such contract; however, in determining the class, consideration may be given to the nature of the risk, plan of insurance, the actual or expected expense of conducting the business, or any other relevant factor.
            (B) Unfair discrimination between individuals of the same class involving essentially the same hazards in the amount of premium, policy fees, assessments, or rates charged or made for any policy or contract of accident or health insurance or in the benefits payable thereunder, or in any of the terms or conditions of such contract, or in any other manner whatever; however, in determining the class, consideration may be given to the nature of the risk, the plan of insurance, the actual or expected expense of conducting the business, or any other relevant factor.
            (C) Excessive or inadequate charges for premiums, policy fees, assessments, or rates, or making or permitting any unfair discrimination between persons of the same class involving essentially the same hazards, in the amount of premiums, policy fees, assessments, or rates charged or made for:
                (i) policies or contracts of reinsurance or joint reinsurance, or abstract and title insurance;
                (ii) policies or contracts of insurance against loss or damage to aircraft, or against liability arising out of the ownership, maintenance, or use of any aircraft, or of vessels or craft, their cargoes, marine builders' risks, marine protection and indemnity, or other risks commonly insured under marine, as distinguished from inland marine, insurance; or
                (iii) policies or contracts of any other kind or kinds of insurance whatsoever.
        However, nothing contained in clause (C) shall be construed to apply to any of the kinds of insurance referred to in clauses (A) and (B) nor to reinsurance in relation to such kinds of insurance.

Nothing in clause (A), (B), or (C) shall be construed as making or permitting any excessive, inadequate, or unfairly discriminatory charge or rate or any charge or rate determined by the department or commissioner to meet the requirements of any other insurance rate regulatory law of this state.
        (8) Except as otherwise expressly provided by law, knowingly permitting or offering to make or making any contract or policy of insurance of any kind or kinds whatsoever, including but not in limitation, life annuities, or agreement as to such contract or policy other than as plainly expressed in such contract or policy issued thereon, or paying or allowing, or giving or offering to pay, allow, or give, directly or indirectly, as inducement to such insurance, or annuity, any rebate of premiums payable on the contract, or any special favor or advantage in the dividends, savings, or other benefits thereon, or any valuable consideration or inducement whatever not specified in the contract or policy; or giving, or selling, or purchasing or offering to give, sell, or purchase as inducement to such insurance or annuity or in connection therewith, any stocks, bonds, or other securities of any insurance company or other corporation, association, limited liability company, or partnership, or any dividends, savings, or profits accrued thereon, or anything of value whatsoever not specified in the contract. Nothing in this subdivision and subdivision (7) shall be construed as including within the definition of discrimination or rebates any of the following practices:
            (A) Paying bonuses to policyholders or otherwise abating their premiums in whole or in part out of surplus accumulated from nonparticipating insurance, so long as any such bonuses or abatement of premiums are fair and equitable to policyholders and for the best interests of the company and its policyholders.
            (B) In the case of life insurance policies issued on the industrial debit plan, making allowance to policyholders who have continuously for a specified period made premium payments directly to an office of the insurer in an amount which fairly represents the saving in collection expense.
            (C) Readjustment of the rate of premium for a group insurance policy based on the loss or expense experience thereunder, at the end of the first year or of any subsequent year of insurance thereunder, which may be made retroactive only for such policy year.
            (D) Paying by an insurer or agent thereof duly licensed as such

under the laws of this state of money, commission, or brokerage, or giving or allowing by an insurer or such licensed agent thereof anything of value, for or on account of the solicitation or negotiation of policies or other contracts of any kind or kinds, to a broker, agent, or solicitor duly licensed under the laws of this state, but such broker, agent, or solicitor receiving such consideration shall not pay, give, or allow credit for such consideration as received in whole or in part, directly or indirectly, to the insured by way of rebate.
        (9) Requiring, as a condition precedent to loaning money upon the security of a mortgage upon real property, that the owner of the property to whom the money is to be loaned negotiate any policy of insurance covering such real property through a particular insurance agent or broker or brokers. However, this subdivision shall not prevent the exercise by any lender of its or his right to approve or disapprove of the insurance company selected by the borrower to underwrite the insurance.
        (10) Entering into any contract, combination in the form of a trust or otherwise, or conspiracy in restraint of commerce in the business of insurance.
        (11) Monopolizing or attempting to monopolize or combining or conspiring with any other person or persons to monopolize any part of commerce in the business of insurance. However, participation as a member, director, or officer in the activities of any nonprofit organization of agents or other workers in the insurance business shall not be interpreted, in itself, to constitute a combination in restraint of trade or as combining to create a monopoly as provided in this subdivision and subdivision (10). The enumeration in this chapter of specific unfair methods of competition and unfair or deceptive acts and practices in the business of insurance is not exclusive or restrictive or intended to limit the powers of the commissioner or department or of any court of review under section 8 of this chapter.
        (12) Requiring as a condition precedent to the sale of real or personal property under any contract of sale, conditional sales contract, or other similar instrument or upon the security of a chattel mortgage, that the buyer of such property negotiate any policy of insurance covering such property through a particular insurance company, agent, or broker or brokers. However, this subdivision shall not prevent the exercise by any seller of such property or the one making a loan thereon, of his, her, or its right to approve or disapprove of the insurance company selected by

the buyer to underwrite the insurance.
        (13) Issuing, offering, or participating in a plan to issue or offer, any policy or certificate of insurance of any kind or character as an inducement to the purchase of any property, real, personal, or mixed, or services of any kind, where a charge to the insured is not made for and on account of such policy or certificate of insurance. However, this subdivision shall not apply to any of the following:
            (A) Insurance issued to credit unions or members of credit unions in connection with the purchase of shares in such credit unions.
            (B) Insurance employed as a means of guaranteeing the performance of goods and designed to benefit the purchasers or users of such goods.
            (C) Title insurance.
            (D) Insurance written in connection with an indebtedness and intended as a means of repaying such indebtedness in the event of the death or disability of the insured.
            (E) Insurance provided by or through motorists service clubs or associations.
            (F) Insurance that is provided to the purchaser or holder of an air transportation ticket and that:
                (i) insures against death or nonfatal injury that occurs during the flight to which the ticket relates;
                (ii) insures against personal injury or property damage that occurs during travel to or from the airport in a common carrier immediately before or after the flight;
                (iii) insures against baggage loss during the flight to which the ticket relates; or
                (iv) insures against a flight cancellation to which the ticket relates.
        (14) Refusing, because of the for-profit status of a hospital or medical facility, to make payments otherwise required to be made under a contract or policy of insurance for charges incurred by an insured in such a for-profit hospital or other for-profit medical facility licensed by the state department of health.
        (15) Refusing to insure an individual, refusing to continue to issue insurance to an individual, limiting the amount, extent, or kind of coverage available to an individual, or charging an individual a different rate for the same coverage, solely because of that individual's blindness or partial blindness, except where the refusal, limitation, or rate differential is based on sound actuarial

principles or is related to actual or reasonably anticipated experience.
        (16) Committing or performing, with such frequency as to indicate a general practice, unfair claim settlement practices (as defined in section 4.5 of this chapter).
        (17) Between policy renewal dates, unilaterally canceling an individual's coverage under an individual or group health insurance policy solely because of the individual's medical or physical condition.
        (18) Using a policy form or rider that would permit a cancellation of coverage as described in subdivision (17).
        (19) Violating IC 27-1-22-25 or IC 27-1-22-26 concerning motor vehicle insurance rates.
        (20) Violating IC 27-8-21-2 concerning advertisements referring to interest rate guarantees.
        (21) Violating IC 27-8-24.3 concerning insurance and health plan coverage for victims of abuse.
        (22) Violating IC 27-1-15.5-3 (h).
        (23) Violating IC 27-8-26 concerning genetic screening or testing.
         (24) Violating IC 27-16 concerning privacy of personal information.

SOURCE: IC 27-16; (01)IN1695.1.2. -->     SECTION 2. IC 27-16 IS ADDED TO THE INDIANA CODE AS A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2001]:
    ARTICLE 16. PRIVACY OF PERSONAL INFORMATION
    Chapter 1. Definitions
    Sec. 1. The definitions in this chapter apply throughout this article.
    Sec. 2. "Affiliate" means a company that:
        (1) controls;
        (2) is controlled by; or
        (3) is under common control with;
another company.
    Sec. 3. "Agent" means an individual or entity that is licensed under IC 27-1-15.5.
    Sec. 4. "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
    Sec. 5. "Collect" means to obtain information that a licensee organizes or retrieves by means of:
        (1) the name of;
        (2) a number assigned to;
        (3) a symbol assigned to; or
        (4) another identifier assigned to;
an individual.
    Sec. 6. "Company" means a corporation, limited liability company, business trust, general partnership, limited partnership, association, sole proprietorship, or similar organization.
    Sec. 7. (a) "Consumer" means an individual, or an individual's legal representative, who seeks to obtain, obtains, or has obtained an insurance product or service in Indiana from a licensee for personal, family, or household purposes, and about whom the licensee has nonpublic personal information. The term includes the following:
        (1) An individual who provides nonpublic personal information to a licensee in connection with financial, insurance, investment, or economic advisory services.
        (2) An applicant for insurance coverage.
        (3) An individual who provides nonpublic personal information to a licensee to obtain a determination about whether the individual may qualify for a loan to be used primarily for personal, family, or household purposes.
    (b) "Consumer" does not include the following individuals:
        (1) A beneficiary of a trust for which a licensee is the trustee.
        (2) A third party liability claimant.
        (3) An individual who designates a licensee as trustee for a trust.
        (4) A consumer of another financial institution to which a licensee acts as agent for, or provides processing or other services.
        (5) A participant or a beneficiary of an employee benefit plan that a licensee administers or sponsors or for which a licensee acts as a trustee, insurer, or fiduciary.
        (6) An individual who is covered under a group or blanket insurance policy or group annuity contract issued by a licensee, if the licensee:
            (A) provides the initial, annual, and revised notices under IC 27-16-2 , IC 27-16-3 , and IC 27-16-4 to the plan sponsor, group or blanket insurance policyholder, group annuity contract holder, or worker's compensation plan participant; and
            (B) does not disclose to a nonaffiliated third party nonpublic personal financial information about the individual other than as permitted under IC 27-16-12 ,

IC 27-16-13 , or IC 27-16-14.
    Sec. 8. "Consumer reporting agency" has the meaning set forth in Section 603(f) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    Sec. 9. "Control" means the following:
        (1) Ownership, control, or power to vote at least twenty-five percent (25%) of the outstanding shares of any class of voting security of a company:
            (A) directly;
            (B) indirectly; or
            (C) by acting through at least one (1) other person.
        (2) Control in any manner over the election of a majority of the directors, trustees, or general partners of a company.
        (3) Power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as determined by the commissioner.
    Sec. 10. "Customer" means a consumer who has a customer relationship with a licensee. The term does not include a beneficiary or claimant under a policy of insurance solely because of the individual's status as a beneficiary or claimant.
    Sec. 11. "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides at least one (1) financial product or service to the consumer that is to be used primarily for personal, family, or household purposes, including a relationship in which the consumer:
        (1) is a current policyholder of an insurance product or other product obtained from or through the licensee;
        (2) holds an investment product obtained through the licensee; or
        (3) obtains financial, insurance, investment, or economic advisory services from the licensee for a fee.
    Sec. 12. "Financial institution" has the meaning set forth in section 509(3) of the federal Gramm, Leach, Bliley Financial Services Modernization Act of 1999 (P.L.106-102). The term includes an institution engaged in the business of financial activities as described in Section 4(k) of the federal Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.). However, the term does not include the following:
        (1) A person or entity with respect to any financial activity that is subject to the jurisdiction of the federal commodity futures trading commission under the federal Commodity

Exchange Act (7 U.S.C. 1 et seq.).
        (2) The Federal Agricultural Mortgage Corporation or an entity chartered and operating under the federal Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.).
        (3) An institution chartered by the United States Congress to engage in transactions described in Section 502(e)(1)(C) of the federal Gramm, Leach, Bliley Financial Services Modernization Act of 1999 (P.L.106-102), if the institution does not sell or transfer nonpublic personal information to a nonaffiliated third party.
    Sec. 13. "Financial product or service" means a product or service that is offered by a licensee under IC 27, including a licensee's evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service.
    Sec. 14. "Health information" means information or data, other than age or gender information, either oral or recorded in any form or medium, created by or derived from a health care provider or a consumer or customer, that relates to:
        (1) the past, present, or future physical, mental, or behavioral health or condition of a consumer of a member of the consumer's family;
        (2) the provision of health care services to a consumer; or
        (3) payment for the provision of health care services to a consumer.
    Sec. 15. "Licensee" means an individual or entity that must be licensed, authorized, certified, or registered under IC 27. The term includes an unauthorized insurer that places surplus lines insurance in Indiana through a surplus lines agent who is licensed under IC 27-1-15.5.
    Sec. 16. (a) "Nonaffiliated third party" means a company that is an affiliate solely because a licensee or the licensee's affiliate has direct or indirect ownership or control of the company, including a company that is conducting:
        (1) merchant banking or investment banking activities; or
        (2) insurance company investment activities;
as described in Section 4(k)(4)(H) of the federal Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.).
    (b) "Nonaffiliated third party":
        (1) does not include a:
            (A) licensee's affiliate; or
            (B) person employed jointly by a licensee and a company

that is not the licensee's affiliate; and
        (2) does include the other company that jointly, with a licensee, employs the person referred to in subdivision (1)(B).
    Sec. 17. (a) "Nonpublic personal financial information" includes:
        (1) personally identifiable financial information;
        (2) a list or description of consumers that is derived using personally identifiable financial information that is not publicly available; and
        (3) a list of individual names and addresses that is derived using personally identifiable financial information that is not publicly available, including policy or contract numbers.
    (b) "Nonpublic personal financial information" does not include:
        (1) health information;
        (2) publicly available information, except as included on a list under subdivision (4);
        (3) a list or description of consumers that is derived without using personally identifiable financial information that is not publicly available; or
        (4) a list of individual names and addresses that:
            (A) contains only publicly available information;
            (B) is not derived using personally identifiable information that is not publicly available; and
            (C) is not disclosed in a manner that indicates that an individual on the list is a consumer of a financial institution.
    Sec. 18. "Nonpublic personal health information" means health information:
        (1) that identifies an individual who is the subject of the information; or
        (2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
    Sec. 19. "Nonpublic personal information" means:
        (1) nonpublic personal financial information; and
        (2) nonpublic personal health information.
    Sec. 20. "Opt out" means a direction by a consumer that a licensee may not disclose nonpublic personal financial information about the consumer to a nonaffiliated third party except as permitted under IC 27-16-12 , IC 27-16-13 , and IC 27-16-14.
    Sec. 21. "Personally identifiable financial information" means financial information:


        (1) that a consumer provides to a licensee to obtain a financial product or service from the licensee;
        (2) about a consumer resulting from a transaction involving a financial product or service between a licensee and the consumer; or
        (3) that a licensee otherwise obtains about a consumer in connection with the provision of a financial product or service to the consumer.
    Sec. 22. "Personally identifiable health information" means health information:
        (1) that a consumer provides to a licensee to obtain a financial product or service from the licensee;
        (2) about a consumer resulting from a transaction involving a financial product or service between a licensee and the consumer;
        (3) that a licensee otherwise obtains about a consumer in connection with the provision of a financial product or service to the consumer; and
        (4) that identifies a consumer who is the subject of the information;
or with respect to which there is a reasonable basis to believe that the information could be used to identify a consumer. The term does not include personally identifiable nonmedical information such as name, address, Social Security number, age, or gender if the information is legally obtained by the licensee from a source other than the consumer's medical record, regardless of whether the information is also part of the consumer's medical record.
    Sec. 23. "Publicly available information" means information that a licensee has a reasonable basis to believe is lawfully available to the general public from:
        (1) federal, state, or local government records;
        (2) widely distributed media; or
        (3) disclosure to the general public that is required under federal, state, or local law.
    Sec. 24. "Reasonable basis" means a basis for which a licensee reasonably believes that information is lawfully available to the general public. The basis is gained by activities taken by the licensee to determine that:
        (1) the information is available to the general public; and
        (2) an individual can direct that the information not be made available to the general public, but the individual concerned has not done so.
    Chapter 2. Initial Privacy Notice
    Sec. 1. Subject to section 2 of this chapter, a licensee shall provide a clear and conspicuous initial notice that accurately reflects the licensee's privacy policy and practice to the following:
        (1) A customer of the licensee, not later than the time at which the licensee establishes a customer relationship, except as provided under section 5 of this chapter.
        (2) A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes the disclosure other than as authorized under IC 27-16-13 , IC 27-16-14 , and IC 27-16-15.
    Sec. 2. A licensee is not required to provide an initial notice to a consumer under section 1 of this chapter if:
        (1) the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party other than as authorized under IC 27-16-13 , IC 27-16-14 , and IC 27-16-15 ;
        (2) the licensee does not have a customer relationship with the consumer; or
        (3) a notice:
            (A) that:
                (i) clearly identifies all licensees to whom the notice applies; or
                (ii) states that the notice applies to all affiliates of the named licensee; and
            (B) that is accurate with respect to the licensee and the affiliates of the licensee;
        has been provided by an affiliated licensee.
    Sec. 3. A licensee establishes a customer relationship at the time that the licensee and the consumer enter into a continuing relationship, other than solely as a beneficiary or claimant, including when the consumer:
        (1) becomes a policyholder at the time that an insurance policy or contract is delivered to the consumer; or
        (2) agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.
    Sec. 4. When an existing customer obtains from a licensee a new financial product or service that is to be used primarily for personal, family, or household purposes, the licensee may satisfy the initial notice requirements under section 1 of this chapter if one (1) of the following applies:
        (1) The licensee provides a revised privacy notice under IC 27-16-6 that covers the customer's new financial product or service.
        (2) The initial, revised, or annual notice that the licensee most recently provided to the customer was accurate with respect to the new financial product or service.
    Sec. 5. A licensee may provide the initial notice required under section 1 of this chapter within a reasonable time after the licensee establishes a customer relationship, instead of before the customer relationship is established, if:
        (1) the customer relationship is not established at the customer's election, such as in the case of:
            (A) an acquisition by; or
            (B) an assignment to;
        the licensee of an insurance policy or related records from another financial institution or residual market mechanism when the customer does not have a choice about the acquisition or assignment; or
        (2) providing notice not later than the time at which the licensee establishes the customer relationship would substantially delay the customer's transaction, such as in the case of a telephone agreement between the licensee and the individual to enter into a customer relationship involving prompt delivery of the financial product or service under which the customer agrees to receive the notice at a later time.
    Sec. 6. If two (2) or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the requirements of section 1 of this chapter by providing one (1) initial notice to the consumers jointly.
    Sec. 7. If a licensee is required to deliver an initial privacy notice under this chapter, the licensee shall deliver the notice as provided in IC 27-16-7. If a licensee uses a short form initial notice for noncustomers under IC 27-16-4-3 , the licensee may deliver the privacy notice as provided in IC 27-16-4-3 (b)(3).
    Chapter 3. Annual Privacy Notice
    Sec. 1. A licensee shall provide a clear and conspicuous annual notice to a customer that accurately reflects the licensee's privacy policy and practice at least one (1) time in any period of twelve (12) consecutive months during the course of the customer relationship.
    Sec. 2. A licensee is not required to provide an annual notice described in section 1 of this chapter to a former customer when:
        (1) the former customer is not a current policyholder of an

insurance product or no longer obtains insurance services through the licensee;
        (2) the former customer has a policy that has lapsed, expired, or is otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of not less than twelve (12) consecutive months other than to provide annual privacy notices, materials required by law, or promotional materials;
        (3) according to the licensee's records, the former customer has a last known address that is determined to be invalid because:
            (A) mail sent to the address by the licensee is returned by postal authorities as undeliverable; and
            (B) subsequent attempts by the licensee to obtain a current valid address have been unsuccessful; or
        (4) with respect to the provision of real estate settlement services provided by the licensee:
            (A) the former customer has paid for real estate settlement services provided by the licensee connected with a real estate closing;
            (B) the former customer has completed execution of all documents related to a real estate closing; or
            (C) the licensee has completed the licensee's responsibilities with respect to the real estate settlement, including filing documents on the public record;
        whichever is later.
    Sec. 3. If a licensee is required to deliver an annual privacy notice under this chapter, the licensee shall deliver the notice as provided in IC 27-16-7.
    Sec. 4. An annual notice required under this chapter may be provided by an affiliated licensee if the notice:
        (1) clearly identifies all licensees to which the notice applies or states that the notice applies to all affiliates of the named licensee; and
        (2) is accurate with respect to the licensee and other institutions.
    Chapter 4. Information in Privacy Notices
    Sec. 1. The initial, annual, and revised privacy notices that a licensee provides under IC 27-16-2 , IC 27-16-3 , and IC 27-16-6 must set forth each of the following items of information that applies to the licensee or to the consumers to whom the licensee

sends a privacy notice:
        (1) Categories of nonpublic personal financial information that the licensee collects.
        (2) Categories of nonpublic personal financial information that the licensee discloses.
        (3) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under IC 27-16-13 and IC 27-16-14.
        (4) Categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses, and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers other than those parties to whom the licensee discloses information under IC 27-16-13 and IC 27-16-14.
        (5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under IC 27-16-12 and no other exception applies to the disclosure, a separate statement of the categories of information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.
        (6) An explanation of the right under IC 27-16-9 to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties and the right under IC 27-16-15 to authorize the disclosure of personally identifiable health information for marketing purposes, including an explanation of the methods by which the consumer may exercise the rights.
        (7) Any disclosures that the licensee makes under 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)).
        (8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
        (9) A statement that the licensee makes disclosures under section 2 of this chapter, if such disclosures are made.
    Sec. 2. (a) If a licensee discloses nonpublic personal financial information about a consumer to nonaffiliated third parties only as authorized under IC 27-16-13 and IC 27-16-14 , the licensee is not required to list the exceptions provided for under IC 27-16-13 and IC 27-16-14 in the initial or annual privacy notice required

under IC 27-16-2 and IC 27-16-3.
    (b) When setting forth items of information in a privacy notice under section 1 of this chapter with respect to nonaffiliated third parties, a licensee is required only to state that it makes disclosures to other nonaffiliated third parties as permitted by law.
    Sec. 3. (a) A licensee may satisfy the initial notice requirements under IC 27-16-2 for a consumer who is not a customer by providing a short form initial notice at the time that the licensee delivers an opt out notice under IC 27-16-7 and, if appropriate, an authorization under IC 27-16-15.
    (b) A short form initial notice must:
        (1) be clear and conspicuous;
        (2) state that a licensee's privacy notice is available upon request;
        (3) describe a reasonable means by which the consumer may obtain the licensee's privacy notice, including:
            (A) a toll free telephone number that the consumer may call to request the notice; or
            (B) for a consumer who conducts business in person in the licensee's office, providing notice to the consumer immediately upon request; and
        (4) be delivered as provided under IC 27-16-7.
    (c) A licensee is not required to deliver the licensee's privacy notice with the licensee's short form initial notice.
    (d) If a consumer who receives the licensee's short form initial notice requests the licensee's privacy notice, the licensee shall deliver the privacy notice as provided under IC 27-16-7.
    Sec. 4. A licensee's privacy notice may include:
        (1) categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
        (2) categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
    Chapter 5. Form and Methods of Opt Out Notice to Consumers
    Sec. 1. (a) If a licensee is required to provide an opt out notice under IC 27-16-9 , the licensee must provide a clear and conspicuous notice to each of the licensee's consumers that accurately explains the right to opt out. The notice must state:
        (1) that the licensee discloses or reserves the right to disclose nonpublic personal financial information about the licensee's

consumer to a nonaffiliated third party;
        (2) that the consumer has the right to opt out of the disclosure; and
        (3) a reasonable means by which the consumer may exercise the opt out right.
If the licensee requires a consumer to opt out by a specific means, the means must be reasonable for the consumer.
    (b) A licensee provides a reasonable means to exercise the right to opt out under subsection (a) if the licensee:
        (1) designates check off boxes in a prominent position on the relevant forms with the opt out notice;
        (2) includes a reply form with the opt out notice;
        (3) provides an electronic means to opt out, including:
            (A) a form that can be sent via electronic mail; or
            (B) a process on the licensee's web site;
        if the consumer agrees to electronic delivery of information;
        (4) provides a toll free telephone number that a consumer may call to opt out; or
        (5) provides the opt out notice with or on the same written or electronic form as the initial notice that the licensee provides under IC 27-16-2.
    Sec. 2. If a licensee provides the opt out notice required under this chapter after the time within which the initial notice must be provided under IC 27-16-2-5 , the licensee shall include with the opt out notice a copy of the initial notice in writing or, if the consumer agrees, electronically.
    Sec. 3. (a) If two (2) or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice must explain how the licensee will treat an opt out direction by a joint consumer as described in subsection (b).
    (b) A licensee may either:
        (1) treat an opt out direction by one (1) joint consumer as applying to all of the associated joint consumers; or
        (2) permit each joint consumer to opt out separately.
    (c) If a licensee permits each joint consumer to opt out separately, the licensee shall also permit one (1) of the joint consumers to opt out on behalf of all the joint consumers.
    (d) A licensee may not require all joint consumers to opt out before the licensee implements any opt out direction.
    Sec. 4. A licensee shall comply with a consumer's opt out direction as soon as reasonably practicable after the licensee

receives the opt out direction.
    Sec. 5. A consumer may exercise the right to opt out at any time.
    Sec. 6. (a) A consumer's direction to opt out under this chapter is effective until the consumer revokes the direction in writing or, if the consumer agrees, electronically.
    (b) When a customer relationship terminates, the customer's opt out direction continues to apply to the customer's nonpublic personal financial information collected by the licensee during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new customer relationship.
    Sec. 7. If a licensee is required to deliver an opt out notice under this chapter, the licensee shall deliver the opt out notice as provided under IC 27-16-7.
    Chapter 6. Revised Privacy Notice
    Sec. 1. Except as otherwise authorized in this article, a licensee shall not, directly or through any affiliate, disclose nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to the consumer under IC 27-16-2 unless:
        (1) the licensee has provided to the consumer a revised notice that accurately describes the licensee's policies and practices;
        (2) the licensee has provided to the consumer a new opt out notice ;
        (3) the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to:
            (A) opt out of; or
            (B) if appropriate, authorize;
        the disclosure; and
        (4) the consumer:
            (A) does not opt out of; or
            (B) if appropriate, authorizes;
        the disclosure.
    Sec. 2. If a licensee is required to deliver a revised privacy notice under this chapter, the licensee shall deliver it as provided under IC 27-16-7.
    Chapter 7. Delivery of Privacy Notice and Opt Out Notice
    Sec. 1. (a) A licensee shall provide a privacy notice and opt out notice, including short form initial notices required under this article, so that each consumer may reasonably be expected to

receive actual notice in writing or, if the consumer agrees, electronically.
    (b) A licensee may reasonably expect that a consumer will receive actual notice if the licensee:
        (1) hand delivers a printed copy of a notice to the consumer;
        (2) mails a printed copy of a notice to the last known address of the consumer:
            (A) separately;
            (B) in a policy communication;
            (C) in a billing communication; or
            (D) in another written communication;
        (3) clearly and conspicuously posts an electronic notice on the licensee's Internet site for a consumer who regularly accesses the licensee's Internet site to conduct transactions; or
        (4) for an isolated transaction with the consumer, including a transaction in which the licensee:
            (A) provides an insurance quote; or
            (B) sells travel insurance to the consumer;
        requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
    (c) A licensee may not reasonably expect that a consumer will receive actual notice of the licensee's privacy policies and practices if the licensee only:
        (1) posts a sign in the licensee's branch or office;
        (2) generally publishes advertisements of the licensee's privacy policies and practices; or
        (3) sends notice via electronic mail to a consumer who does not agree to receive notices electronically.
    Sec. 2. A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if the customer:
        (1) agrees to receive notices at the licensee's Internet site, and the licensee posts the licensee's current privacy notice continuously in a clear and conspicuous manner on the Internet site; or
        (2) has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
    Sec. 3. A licensee may not provide any notice required under this article solely by orally explaining the notice in person or over

the telephone.
    Sec. 4. A licensee shall provide to customers the initial notice, the annual notice, and the revised notice required under this article in a manner in which the customer may retain or obtain the notices at a later date in writing or, if the customer agrees, electronically, including:
        (1) hand delivery of a printed copy of the notice to the customer;
        (2) mailing a printed copy of the notice to the last known address of the customer upon request of the customer; or
        (3) making the licensee's current privacy notice available on an Internet site, or a link to another Internet site, for a customer who agrees to receive the notice at the Internet site.
    Sec. 5. A licensee may provide a joint notice from the licensee and one (1) or more:
        (1) of the licensee's affiliates;
        (2) other licensees; or
        (3) other financial institutions;
or on behalf of another financial institution if the notice is accurate with respect to the licensee and the other institutions.
    Sec. 6. If two (2) or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial and revised notice requirements of IC 27-16-2 , IC 27-16-3 , and IC 27-16-6 by providing one (1) notice to the consumers jointly.
    Chapter 8. Nondiscrimination
    Sec. 1. A licensee shall not unfairly discriminate against any customer or consumer on the basis of the customer's or consumer's exercise of the right to opt out of the disclosure of nonpublic personal information as provided under this article.
    Sec. 2. This article does not require a licensee to:
        (1) provide a benefit; or
        (2) commence or continue payment of a claim;
in the absence of personally identifiable health information or nonpublic personal financial information that is necessary to support or deny the claim.
    Sec. 3. This chapter does not prohibit a licensee from engaging in the licensee's usual, appropriate, or acceptable method of insurance underwriting.
    Chapter 9. Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
    Sec. 1. (a) Except as otherwise authorized under this article, a

licensee may not, directly or through an affiliate, disclose nonpublic personal financial information regarding a consumer to a nonaffiliated third party unless:
        (1) the licensee has provided to the consumer an initial notice under IC 27-16-2 ;
        (2) the licensee has provided to the consumer an opt out notice under IC 27-16-5 ; and
        (3) the licensee has given the consumer a reasonable opportunity, before the licensee discloses information to a nonaffiliated third party, to opt out of the disclosure.
    (b) A licensee complies with the requirements of subsection (a) if:
        (1) the licensee mails the notice required under subsection (a)(1) to the consumer and allows the consumer to opt out by:
            (A) mailing a form;
            (B) calling a toll free telephone number; or
            (C) any other reasonable means;
        within thirty (30) days after the date on which the licensee mails the notice;
        (2) a customer:
            (A) opens an online account with the licensee; and
            (B) agrees to receive notice required under subsection (a)(1) electronically;
        and the licensee makes the notices available to the customer on the licensee's Internet site and allows the customer to opt out by any reasonable means within thirty (30) days after the date that the customer acknowledges receipt of the notice in conjunction with opening the account; or
        (3) for an isolated transaction, including providing the consumer with an insurance quote, the licensee:
            (A) provides the consumer with the notice required under subsection (a)(1) at the time of the transaction;
            (B) requests that the consumer decide, as a necessary act of the transaction, whether to opt out before completing the transaction; and
            (C) provides a reasonable opportunity to opt out; and
        the consumer does not opt out.
    Sec. 2. (a) A licensee shall comply with this chapter regardless of whether the licensee and the consumer have established a customer relationship.
    (b) If a licensee does not comply with this chapter, the licensee may not, directly or through an affiliate, disclose nonpublic

personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected the nonpublic personal financial information before or after receiving the direction to opt out from the consumer.
    Chapter 10. Limits on Redisclosure and Reuse of Information
    Sec. 1. If a licensee receives nonpublic personal information from a nonaffiliated financial institution through an exception under this article or through an authorization under IC 27-16-15 , the licensee's disclosure and use of the information is limited as follows:
        (1) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
        (2) The licensee may disclose the information to the licensee's affiliates and agents, but the affiliates and agents may disclose and use the information only to the extent that the licensee may disclose and use the information.
        (3) The licensee may disclose and use the information through an exception in IC 27-16-13 or IC 27-16-14 in the ordinary course of business to carry out the activity covered under the exception through which the licensee received the information.
    Sec. 2. If a licensee receives nonpublic personal information from a nonaffiliated financial institution other than through an exception under this article or through an authorization under IC 27-16-15 , the licensee may disclose the information only:
        (1) to the affiliates of the financial institution from which the licensee received the information;
        (2) to the licensee's affiliates and agents, but the licensee's affiliates and agents may disclose the information only to the extent that the licensee can disclose the information; and
        (3) to any other person, if the disclosure would be lawful if made directly to the person by the financial institution from which the licensee received the information.
    Sec. 3. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party through an exception under IC 27-16-13 or IC 27-16-14 , the nonaffiliated third party may disclose and use the information only as follows:
        (1) The nonaffiliated third party may disclose the information to the licensee's affiliates.
        (2) The nonaffiliated third party may disclose the information to the nonaffiliated third party's affiliates, but the affiliates

may disclose and use the information only to the extent that the nonaffiliated third party may disclose and use the information.
        (3) The nonaffiliated third party may disclose and use the information through an exception under IC 27-16-13 or IC 27-16-14 in the ordinary course of business to carry out the activity covered by the exception through which the nonaffiliated third party received the information.
    Sec. 4. If a licensee discloses nonpublic personal information to a nonaffiliated third party other than through an exception under IC 27-16-13 or IC 27-16-14 , or through an authorization under IC 27-16-15 , the nonaffiliated third party may disclose the information only:
        (1) to the licensee's affiliates;
        (2) to the nonaffiliated third party's affiliates, but the nonaffiliated third party's affiliates may disclose the information only to the extent the nonaffiliated third party can disclose the information; and
        (3) to any other person if the disclosure would be lawful if the licensee made it directly to the person.
    Chapter 11. Limits on Disclosure of Policy or Contract Number Information for Marketing Purposes
    Sec. 1. A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency:
        (1) a policy or contract number; or
        (2) similar form of access number or access code;
for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or marketing through electronic mail to the consumer.
    Sec. 2. Section 1 of this chapter does not apply if a licensee discloses a policy or contract number or similar form of access number or access code:
        (1) to the licensee's agent or service provider solely in order to perform marketing for the licensee's products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account;
        (2) to a participant in a private label credit card program or an affinity or similar program, where the participants in the program are identified to the customer when the customer enters the program; or
        (3) to a licensee who is an agent solely in order to perform

marketing for the licensee's own products or services.
    Chapter 12. Exception to Opt Out Requirements for Service Providers and Joint Marketing
    Sec. 1. For purposes of this chapter, "joint agreement" means a written contract under which a licensee and one (1) or more financial institutions jointly offer, endorse, or sponsor a financial product or service.
    Sec. 2. The opt out requirements of this article do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for, or functions on behalf of, the licensee if the licensee:
        (1) provides the initial notice in compliance with this article; and
        (2) enters into a contractual agreement with the nonaffiliated third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use through an exception under IC 27-16-13 or IC 27-16-14 , in the ordinary course of business.
    Sec. 3. A licensee may use and disclose personally identifiable financial information to a person acting on behalf of or at the direction of the licensee to perform the licensee's insurance functions, including:
        (1) claims administration;
        (2) claims adjustment and management;
        (3) fraud investigation;
        (4) underwriting;
        (5) loss control;
        (6) rate making functions;
        (7) reinsurance;
        (8) risk management;
        (9) case management;
        (10) disease management;
        (11) quality assessment;
        (12) quality improvement;
        (13) provider credentialing verification;
        (14) utilization review;
        (15) peer review activities;
        (16) grievance procedures;
        (17) internal administration of compliance;
        (18) managerial and information systems;
        (19) policyholder service functions;


        (20) account administration;
        (21) processing premium payments;
        (22) processing insurance claims;
        (23) administering insurance benefits (including utilization review activities); and
        (24) participating in research projects;
and as otherwise required or specifically permitted by federal or state law.
    Sec. 4. The services performed for a licensee by a nonaffiliated third party under section 2 of this chapter may include:
        (1) marketing of the licensee's own products or services; or
        (2) marketing of financial products or services offered under a joint agreement between the licensee and one (1) or more financial institutions.
    Chapter 13. Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
    Sec. 1. As used in this chapter, "necessary to effect, administer, or enforce a transaction" means that a disclosure is:
        (1) required or is one (1) of the lawful or appropriate methods to enforce the licensee's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
        (2) required or is a usual, an appropriate, or an acceptable method:
            (A) to carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain a consumer's account in the ordinary course of providing a financial service or financial product;
            (B) to administer, adjudicate, or service benefits or claims relating to a transaction or a product or service business of which the transaction is a part;
            (C) to provide a confirmation, a statement, or other record of a transaction, or information on the status or value of a financial service or financial product to a consumer or a consumer's agent or broker;
            (D) to accrue or recognize incentives or bonuses associated with a transaction that are provided by a licensee or any other party;
            (E) in connection with:
                (i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of

amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or policy or contract number, or by other payment means;
                (ii) the transfer of receivables, accounts, or interests in receivables or accounts; or
                (iii) the audit of debit, credit, or other payment information; or
            (F) to underwrite insurance at a consumer's request or for reinsurance purposes, or for any of the following purposes, as they relate to a consumer's insurance account administration:
                (i) Reporting fraud or material misrepresentation.
                (ii) Investigating fraud or material misrepresentation.
                (iii) Preventing fraud or material misrepresentation.
                (iv) Processing premium payments.
                (v) Processing insurance claims.
                (vi) Administering insurance benefits (including utilization review activities).
                (vii) Participating in research projects.
                (viii) Other purposes that are required or specifically permitted under federal or state law.
    Sec. 2. The requirement of initial notice to consumers under IC 27-16-2-1 (2), the requirement to provide the opportunity to consumers and customers to opt out of a disclosure, and the application of this article to service providers and joint marketing do not apply if a licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with:
        (1) servicing or processing a financial product or service requested or authorized by the consumer, including financial products or services under consideration by the consumer;
        (2) maintaining or servicing the consumer's account with the licensee or with another entity;
        (3) transactions involving a person acting as an agent of the licensee, provided that the agent agrees not to disclose nonpublic personal financial information to additional nonaffiliated third parties; or
        (4) a proposed or actual securitization, a secondary market sale, including sales of servicing rights, or a similar transaction related to a transaction of the consumer.
    Sec. 3. The requirements of this article do not apply if a licensee

discloses nonpublic personal financial information or personally identifiable health information for any purpose related to effecting, administering, or replacing a group benefit plan, a group health plan, or a group welfare plan.
    Chapter 14. Other Exceptions to Notice and Opt Out Requirements
    Sec. 1. The requirements for initial notice to consumers under IC 27-16-2-1 (2), the opportunity to opt out, and the provisions applicable to service providers and joint marketing under this article do not apply when a licensee discloses nonpublic personal financial information in any of the following circumstances:
        (1) With the consent of or at the direction of the consumer, unless the consumer revokes the consent or direction.
        (2) One (1) of the following:
            (A) To protect the confidentiality or security of a licensee's records pertaining to the consumer, service, product, or transaction.
            (B) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
            (C) For required institutional risk control or for resolving consumer disputes or inquiries.
            (D) To persons holding a legal or beneficial interest related to the consumer.
            (E) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
        (3) To provide information to:
            (A) an insurance rate advisory organization;
            (B) a guaranty fund or agency;
            (C) an agency that rates the licensee;
            (D) a person that assesses the licensee's compliance with industry standards; and
            (E) the licensee's attorneys, accountants, and auditors.
        (4) To the extent specifically permitted or required under other provisions of law and under the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies, including:
            (A) a federal functional regulator;
            (B) the United States Secretary of the Treasury with respect to 31 U.S.C. 53 II and 12 U.S.C. 21;
            (C) a state insurance authority with respect to a person that is engaged in providing insurance and is domiciled in the insurance authority's state; and


            (D) the Federal Trade Commission;
        to self-regulatory organizations, or for an investigation on a matter related to public safety.
        (5) One (1) of the following:
            (A) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and the fair credit laws of Indiana.
            (B) From a consumer report reported by a consumer reporting agency.
        (6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns only consumers of the business or operating unit.
        (7) One (1) of the following:
            (A) To comply with federal, state, or local laws, rules and other applicable legal requirements.
            (B) To comply with a properly authorized civil, criminal, or regulatory investigation, or a subpoena or summons by federal, state, or local authorities.
            (C) To respond to judicial process or government regulatory authorities that have jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law.
        (8) If necessary to provide ongoing health care treatment.
        (9) In connection with quality assessment evaluations or investigations.
        (10) To reveal a consumer's presence in a facility owned by a licensee and the consumer's general health condition.
        (11) To a reinsure, stop loss, or excess loss carrier for the purpose of underwriting, claims adjudication, and conducting claim file audits.
        (12) If needed for one (1) of the following purposes:
            (A) To identify a deceased individual.
            (B) To determine the cause and manner of death by a chief medical examiner or the medical examiner's designee.
            (C) To provide necessary protected health information about a deceased individual who is a donor of an anatomical gift.
        (13) To a state department of insurance that is performing an examination, investigation, or audit of the licensee.
        (14) Under a court order issued after the court's

determination that the public interest in disclosure outweighs the consumer's privacy interest and that the personally identifiable health information is not reasonably available by other means.
    Sec. 2. This article does not apply to information disclosures by a licensee in connection with the purchase of insurance coverage by the licensee or the arrangement of insurance coverage by the licensee for the licensee's employees.
    Chapter 15. Personally Identifiable Health Information Privacy Notice and Disclosure Authorization
    Sec. 1. A licensee shall, before making a disclosure, obtain an authorization to disclose personally identifiable health information if the purpose of the disclosure is for the marketing of services or goods for personal, family, or household purposes.
    Sec. 2. The request for authorization required under this chapter may be included in the initial notice required under IC 27-16-2 if the request for authorization complies with the following requirements:
        (1) The purpose of the disclosure of personally identifiable health information is stated in clear and simple terms and appears in a separate paragraph.
        (2) The request for authorization specifies that the authorization is valid for not more than twenty-four (24) months and may be revoked at any time.
        (3) The request for authorization specifies that the terms and conditions of an insurance policy will not be affected in any way by a refusal to give authorization, as provided in IC 27-16-8.
    Sec. 3. This article does not apply, and the authorization under this chapter is not required, if a licensee discloses nonpublic personal information or personally identifiable health information for a purpose related to effecting, administering, or replacing a group benefit plan, a group health plan, or a group welfare plan.
    Sec. 4. This chapter does not prohibit, restrict, or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of insurance functions by or on behalf of the licensee, including:
        (1) claims administration;
        (2) claims adjustment and management;
        (3) detection, investigation, or reporting of actual or potential fraud, misrepresentation, or criminal activity;
        (4) underwriting;


        (5) policy placement of issuance;
        (6) loss control;
        (7) ratemaking and guaranty fund functions;
        (8) reinsurance and excess loss insurance;
        (9) risk management;
        (10) case management;
        (11) disease management;
        (12) quality assurance;
        (13) quality improvement;
        (14) performance evaluation;
        (15) provider credentialing verification;
        (16) utilization review;
        (17) peer review activities;
        (18) actuarial, scientific, medical or public policy research;
        (19) grievance procedures;
        (20) internal administration of compliance, managerial, and information systems;
        (21) policyholder service functions;
        (22) auditing;
        (23) reporting;
        (24) data base security;
        (25) administration of consumer disputes and inquiries;
        (26) external accreditation standards;
        (27) the replacement of a group benefit plan or worker's compensation policy or program;
        (28) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
        (29) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services;
        (30) disclosure that is required, or is one (1) of the lawful or appropriate methods, to enforce the licensee's rights or rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and
        (31) any activity otherwise permitted by law, required under governmental reporting authority, or to comply with legal process.
    Chapter 16. Relation to Other Laws
    Sec. 1. This article does not modify, limit, or supersede:
        (1) the operation of the federal Fair Credit Reporting Act (15

U.S.C. 1681 et seq.), and an inference shall not be drawn on the basis of the provisions of this article regarding whether information is transaction or experience information under Section 603 of the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (2) the operation of the fair credit law of Indiana;
        (3) Indiana law related to medical records, health, or insurance information privacy; and
        (4) the standards governing the privacy of individually identifiable health information promulgated by the United States Secretary of Health and Human Services under the authority of the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
    Chapter 17. Exceptions
    Sec. 1. A licensee that is an agent licensed under IC 27-1-15.5 is subject to all the requirements of this article except when the agent is acting as an agent for another licensee. When the agent acts as an agent for another licensee, the agent is exempt only from the notice requirements of this article if the agent does not disclose consumer information except as provided under IC 27-16-12 , IC 27-16-13 , and IC 27-16-14.
    Sec. 2. (a) As used in this section, "covered entity" means an insurer that:
        (1) does not have a certificate of authority to do the business of insurance in Indiana; and
        (2) sells surplus lines insurance in Indiana through a surplus lines agent licensed under IC 27-1-15.5.
    (b) This section applies to a covered entity only with respect to surplus lines insurance sold in Indiana.
    (c) A licensed surplus lines insurance agent that sells a surplus lines insurance policy that is underwritten by a covered entity is in compliance with the notice and opt out requirements for disclosure of nonpublic personal financial information under this article if:
        (1) the agent and the covered entity do not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under IC 27-16-12 , except as permitted under IC 27-16-13 and IC 27-16-14 ; and
        (2) when the customer relationship is established, a notice is delivered to the consumer on behalf of all licensed surplus lines insurance agents and covered entities that provide a financial product or service to a consumer or customer on

which a privacy notice specified under subsection (d) is printed in 16 point type.
    (d) The privacy notice required under subsection (c) must contain a provision as follows:
        "Neither the United States broker that handled this insurance nor the insurer that has underwritten this insurance will disclose nonpublic personal information concerning the buyer to nonaffiliates of the broker or insurer except as permitted by law.".
    Chapter 18. Authority of the Commissioner
    Sec. 1. The insurance commissioner may investigate alleged violations of this article and may impose any fines and other sanctions that apply under IC 27.
    Sec. 2. A licensee shall not knowingly or willfully violate the provisions of this article.
    Sec. 3. A violation of this article is an unfair or deceptive act or practice in the business of insurance under IC 27-4-1-4.
    Sec. 4. The department may adopt rules under IC 4-22-2 to implement this article.

SOURCE: ; (01)IN1695.1.3. -->     SECTION 3. [EFFECTIVE JULY 1, 2001] (a) As used in this SECTION:
        (1) "consumer" has the meaning set forth in IC 27-16-1-7 , as added by this act;
        (2) "customer" has the meaning set forth in IC 27-16-1-10 , as added by this act;
        (3) "licensee" has the meaning set forth in IC 27-16-1-15 , as added by this act; and
        (4) "nonaffiliated third party" has the meaning set forth in IC 27-16-1-16 , as added by this act.
    (b) If a licensee enters into a contract with a nonaffiliated third party before July 1, 2001, to perform services for the licensee or functions on the licensee's behalf, the contract is not required to satisfy the provisions of IC 27-16-12 , as added by this act, until December 31, 2002.
    (c) A licensee shall, not later than December 31, 2001, provide an initial notice as required under IC 27-16-2 , as added by this act, to a consumer who is a customer of the licensee on December 31, 2001.
    (d) This SECTION expires January 1, 2003.