White paper:

Legislation & regulation

Fraud fighters from all parts of the United States met at the National Insurance Fraud Forum in Washington, D.C., June 5-7, 2000, to set a fraud-fighting agenda for the next five years. Their accomplishments included identifying key fraud-fighting goals in dealing with legislation and regulation at the state and federal levels and proposing a list of specific developments on which to focus.

Proposed new statutes and regulations frequently threaten the industry's fraud-fighting programs and the ability of fraud fighters to access information necessary to pursue insurance fraud offenders. A fundamental shift is occurring in government's approach to management and oversight of claims and investigative data. Traditionally, the business of insurance has been regulated by state governments. Insurance crimes, for the most part, have been state crimes. Accordingly, privacy protections and other restrictions on access to and use of data have been found in state laws and industry self-regulation.

Then came 1999 — and a new federal government preoccupation with privacy. The general approach has been to create new federal limitations, not to replace state limitations, but to set a nationwide floor of privacy protection. Several states are now trying to outdo each other in cutting off access to information about their citizens.

On the federal privacy front, there were three noteworthy developments in 1999.

First, Congress considered, but did not pass, extremely broad and extremely stringent new limitations on the use of personally identifiable information related to health care. Several of the bills introduced in Congress by Sen. Ted Kennedy (D-MA) and others would generally have prohibited use or disclosure of such basic fraud-fighting data as the fact that Joe Smith submitted claims for treatment by the XYZ Neck Pain Clinic. None of those bills passed. New federal regulations have been proposed, but not yet adopted.

Second, Congress enacted the Gramm-Leach-Bliley Act, also known as the financial services reform bill. A dispute over data access nearly derailed the bill. Congress established a general rule that insurance companies may not make customer information available to non-affiliates without first giving the customer the right to "opt out" of any such information sharing. Regulations to implement the new law, published May 24, 2000, allow information to be shared for fraud fighting.

The third development involved use of motor vehicle and driver license records. A Senate subcommittee approved legislation flatly prohibiting any state from giving any such information to NICB for any purpose, but NICB succeeded in carving out an exception for anti-fraud activities before the bill was signed into law.

Discussion Topics

The discussion group on legislation and regulation covered the following three major subjects in detail:

(1) Current federal privacy legislation & regulations affecting insurance industry access to and use of personally identifiable data.

(a) Restrictions on access to and use of health-related information.

The Kassebaum-Kennedy Act was passed in 1996 in part because Congress knew it could not cut Medicare & Medicaid fraud using paper records; it was clear that electronic data is essential.

Privacy advocates recognized that illegitimate use of medical records also is easier when the data is stored in electronic format.

Congress couldn't decide exactly what to do about privacy, so it gave HHS authority to implement privacy regulations.

HHS' statutory authority over health insurers and health care providers is clear, but it has no direct authority over property/casualty insurers — and admits it.

The proposed regulations cover almost any kind of information related to medical treatment: "Health information means any information . . . (that) relates . . . to . . . the provision of health care . . . ."

Patients will be allowed to "request broad restrictions on further . . . disclosures to particular persons."

Disclosure is allowed for "law enforcement purposes" only if "pursuant to process," "for identifying purposes," when "about a victim of crime or abuse," for "national security" or "health care fraud."

There is no specific exemption for covered entities to disclose information for use in fighting insurance fraud other than health care fraud.

The proposed rule may leave the mistaken impression that insurance claimants seeking reimbursement for medical expenses and payment for pain and suffering may try to prevent insurance company use of individually identifiable information to detect and deter insurance fraud.

NICB has proposed a one-sentence addition to the list of circumstances for which disclosure is permitted, which would avoid confusion and ensure that unscrupulous individuals do not seek to misuse the privacy standards.

HHS plans to finalize privacy regulations for health-related information later this year.

(b) Financial privacy provisions in the financial services reform bill.

New law allows banks to merge with insurers and other types of financial institutions, but Congress perceived a conflict between financial modernization and customers' personal privacy.

Congress included new federal restrictions on access to financial data, establishing an "opt-out" system.

Final Federal Trade Commission regulations interpreting and implementing the privacy/data access provisions were published May 24, 2000.

The final FTC regulations adopted exemptions NICB supported to allow continued use of information to fight fraud.

(c) Restrictions on state disclosure of motor vehicle and driver records.

Congress included a provision in the Driver Privacy Protection Act of 1994 allowing every state to make driver records available to NICB, insurers and others to fight insurance fraud.

Congress amended the DPPA in 1999 to ban states from making driver records available for certain purposes unless the driver has first given permission — an opt-in system.

NICB successfully lobbied to keep vehicle and driver records available for fraud fighting.

The U.S. Supreme Court rejected state claims that the DPPA unconstitutionally infringed on state authority.

(2) Future role of NAIC and the states in establishing and enforcing restrictions on insurance industry access to and use of data.

Seventeen states have adopted the NAIC's Insurance Information Privacy Protection Model Act.

Federal privacy legislation generally allows the states to adopt more stringent restrictions.

The states' financial privacy regulations will provide an indication of how strongly they desire uniformity.

(3) Prospects for adoption of additional privacy protection at the state and federal level.

Health-related information: new legislation to extend the HHS regulations to property/casualty carriers?

Financial information: unduly restrictive amendments to the Gramm-Leach-Bliley Act?

Motor vehicle records: new legislation eliminating exemptions from the prohibition on disclosure?

Privacy Commission: a comprehensive and detailed effort to overhaul state and federal privacy laws and industry practices?

Future Focus

As a result of those discussions, the Fraud Forum identified the following 10 areas on which to focus during the next five years:

(1) Globalization

The internet has opened new opportunities for fraud. Other nations have online privacy restrictions ranging from nothing to extremely strict (e.g., European Community standards). Regardless of how the state vs. federal issues (discussed below) settle out, the U.S. needs to avoid being governed by the world's least common denominator (e.g., EC privacy restrictions).

(2) State vs. Federal Law

Which level of government is regulating what? Will the business of insurance soon fall under federal regulation (abrogation of McCarran-Ferguson)? Does the NAIC's Insurance Information Privacy Protection Model Act have a future? Will the states agree on the desirability of uniformity in enforcement and implementation of the FTC/financial privacy regs, the HHS health information standards and the DPPA?

(3) Industry Consolidation

New abilities to share information among affiliated companies were a key reason to update the statutes governing the securities industry and other financial services laws. The insurance industry needs to draw a hard line against the Shelby/Clinton efforts to restrict sharing among affiliated companies.

(4) Integrated Products

If insurers lose the ability to share information across product lines, they also may lose the ability to offer integrated products — once again, in conflict with the basic purposes of the GLBA.

(5) Professional Organizations

If states restrict the ability to fight fraud, they should also insist that doctors and lawyers be regulated more closely; the industry can in the meantime raise public awareness about what a failure professional self-regulation has been in insurance fraud.

(6) Privacy Advocates

The insurance industry needs to build bridges to the privacy advocacy groups that are driving developments in Congress.

(7) Congress

Members of Congress need to be educated about how fraud works and why data access is essential to fight it; the grassroots network — especially local law enforcement — needs to be primed and ready to go on a moment's notice.

(8) State Legislators

State legislators need to be educated about how fraud works and why data access is essential to fight it; the grassroots network — especially local law enforcement — needs to be primed and ready to go on a moment's notice.

(9) Immunity

Need to monitor status and effectiveness of state immunity statutes and consider federal immunity provision.

(10) Unique Property Identifiers

Find better ways to track stolen property (HINs for vessels, more VINs on stolen automobile parts).