Privacy, Security & Confidentiality Compliance Manual
OVERVIEW
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. The GLB Act includes the Financial Privacy Rule, the Model Form Rule, the Safeguards Rule, and provisions that prohibit pretexting.
Health Insurance Portability & Accountability Act
Title II of HIPAA defines numerous offenses relating to health care, and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its “Administrative Simplification” rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.
Health Information Technology for Economic & Clinical Health Act
The American Recovery and Reinvestment Act of 2009, signed into law on February 17, 2009, included provisions called the Health Information Technology for Economic and Clinical Health (HITECH) Act that revised certain parts of HIPAA's Privacy Rule and Security Rule. Among other things, the original Health Insurance Portability and Accountability Act (HIPAA) required insurers selling LTC insurance to enter into a “Business Associate Agreement” (contract) with all insurance agencies, insurance brokerage entities, and other individuals under contractual authority to solicit LTC insurance policies and life insurance products with LTC insurance riders.
The HITECH Act extended certain HIPAA rules to “Business Associates”. This meant that HIPAA's requirements for administrative, physical, and technical safeguards and the need to have written policies, procedures and documentation, now applied directly to HIPAA Business Associates in the same manner that such sections applied to the insurer (which is a Covered Entity under the law).
Omnibus Rule
The first major update to HIPAA since its enactment fifteen years prior, the Omnibus Rule was enacted in 2013 and contained a variety of measures designed to strengthen the protections and enforcement under HIPAA and HITECH.
Included were new limits on information sharing for marketing and fundraising purposes and a prohibition against the sale of an individual’s health information without her permission. The Omnibus Rule also clarified that genetic information is protected under HIPAA and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The requirement to protect non-public health information was extended beyond Business Associates to their vendors (“contractors” and “subcontractors”), while penalties were increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
Market Conduct Manual – Principles of Ethical Conduct
With respect to our principles of ethical market conduct in all matters affecting the sale of individually-sold or group long-term care insurance and linked-benefit products, LTCA pledges:
ONE
To conduct business according to high standards of honesty and fairness and to render that service to our customers which, in the same circumstances, we would apply to or demand for ourselves.
TWO
To provide competent and customer-focused sales and service.
THREE
To engage in active and fair competition.
FOUR
To provide advertising and sales materials that are clear as to purpose, honest and fair as to content.
FIVE
To provide for fair and expeditious resolution of customer complaints and disputes.
SIX
To maintain a system of supervision and review that is reasonably designed to achieve compliance with these Principles of Ethical Market Conduct. LTCA requires that all representatives appointed to solicit, sell and/or service LTCA’s long-term care insurance products also comply with these principles, as explained further in this document.
HONESTY AND FAIRNESS—PRINCIPLE 1
To conduct business according to high standards of honesty and fairness and to render that service to our customers which, in the same circumstances, we would apply to or demand for ourselves.
Code of Conduct
- Insofar as individual products or those marketed on an individual basis are concerned, we will make reasonable efforts to determine the insurable needs or financial objectives of each customer, based upon relevant information obtained from the customer. We will enter into transactions which assist the customer in meeting his or her insurable needs or financial objectives.
- We will implement policies and procedures to maintain compliance with all applicable statutes and regulations by which our Company is bound.
- We will affirmatively seek, in cooperation with customers, regulators, and others, to improve the practices for sales and marketing of long-term care insurance products.
- We abide by the NAIC Long-Term Care Insurance model law and regulations, which require that all prospective applicants be provided with a Shopper’s Guide and Policy Outline of Coverage. In addition, to help determine the suitability of a long-term care insurance product for customers, representatives should endeavor to have their customers complete the Long-Term Care Insurance Personal Worksheet.
CUSTOMER FOCUS—PRINCIPLE 2
To provide competent and customer-focused sales and service.
Code of Conduct
- We will take actions reasonably designed to determine the good character, business repute, qualifications, and experience of our affiliated representatives.
- We will take such actions reasonably designed to provide that our representatives have successfully completed state examination requirements and are duly licensed or otherwise qualified under state law.
- We will provide that our representatives are adequately trained to focus on customers’ needs and objectives.
- We will take such actions reasonably designed to provide that our representatives are knowledgeable of our products and the operation of those products.
- We will take such actions reasonably designed to provide that our representatives are trained and receive continuing education relating to compliance with applicable state insurance laws and regulations relating to the concepts of the Principles of Ethical Market Conduct.
FAIR COMPETITION—PRINCIPLE 3
To engage in active and fair competition.
Code of Conduct
- We believe that fair competition is the most effective and efficient means of providing products and services to customers and also is the most efficient regulator of activities.
- We will implement policies and procedures to maintain compliance with applicable state and federal statutes fostering competition, such as those related to anti-trust matters.
- We will not replace an existing long-term care insurance policy unless such replacement is in the best interest of the customer, and never without first communicating to the customer the information that he or she needs in order to ascertain whether such replacement of existing policies or contracts may or may not be appropriate.
- We will refrain from disparaging competitors. The sale of LTCA’s products should be made on the strengths of our products and services.
ADVERTISING AND SALES MATERIAL—PRINCIPLE 4
To provide advertising and sales materials that are clear as to purpose, honest and fair as to content.
Code of Conduct
- We will present materials designed to lead to sales or solicitation of long-term care insurance products in a manner intended to be consistent with the needs of the customer. All such sales or solicitation communications will be based upon the principles for fair dealing and good faith and will have a sound basis in fact.
- We will develop materials that are intended to be understandable for the consumer in light of the complexity of the product being sold.
- We will implement policies and procedures to maintain compliance with all applicable state laws and regulations related to advertising, unfair trade practices, sales illustrations, and other similar provisions.
- We will provide for illustrations of prices and benefits that are accurate and fair.
CUSTOMER COMPLAINTS—PRINCIPLE 5
To provide for fair and expeditious resolution of customer complaints and disputes.
Code of Conduct
- We will establish and maintain a system for identifying, evaluating, and resolving complaints, which complies with applicable state law and regulations related to consumer complaint handling.
- A complaint is broadly defined as any communication, oral or written, received from any source (policyowner, insured, beneficiary, attorney, insurance department, etc.) that primarily expresses a grievance.
- A grievance suggests unfair treatment or alleges inappropriate action, examples of which include (but are not limited to): misrepresentation, lack of disclosure, misunderstanding of product, unsuitability of product, poor service, forgery, theft, fraud, rescission, failure to respond, misleading or aggressive sales, delays, rate increases, denial of claim, and inappropriate replacement of policy.
- Complaints must be identified, acknowledged and responded to in a timely manner. This may include notification of the appropriate insurance company (e.g., Consumer Affairs Division or Compliance Department), state Insurance Department, and/or Errors & Omissions liability insurer.
- Documentation must be kept and should include the name of the complainant, address, telephone number, name of the insured, policy number, and a summary of the complaint.
COMPLIANCE REVIEW—PRINCIPLE 6
To maintain a system of supervision and review that is reasonably designed to achieve compliance with these Principles of Ethical Market Conduct.
Code of Conduct
- We will establish, maintain, and enforce policies and procedures to provide compliance with these principles and all applicable laws and regulations related to long-term care insurance product sales, advertising, and market practices.
- We will establish a system of supervision and periodic review of the market activities of sales representatives to monitor their compliance with these principles and applicable laws and regulations.
- We will conduct periodic training sessions appropriate to our distribution systems, and make available training on compliance procedure requirements.
- We will establish and maintain a system for internal auditing and monitoring of information related to sale practices.
COMPLIANCE WITH PRIVACY LAWS, THE PATRIOT ACT, AND THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)—PRINCIPLE 7
A. Compliance with Privacy Laws and The Patriot Act
In accordance with the various privacy requirements under Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6081 et seq.) (“GLB”) and other related regulations, LTCA is required to respect the privacy of the non-public personal information of our clients.
LTCA’s Privacy Policy states that non-public personal information about its applicants and/or customers will not be sold or shared for marketing purposes with any third parties not directly related to the services we are contracted to perform. Non-public personal information is broadly defined to include any identifying information, such as name and address, as well as information like Social Security numbers and medical data (collectively, “Client Data”).
To comply with this Policy, it is important to remember that Client Data is not disclosed to a third-party service provider without a written agreement prohibiting the use and disclosure of said Client Data for any purpose other than to execute the service requested, nor is Client Data used or disclosed for any purpose other than to perform a service requested by the Client. LTCA’s standard is to disclose only the minimum necessary Client Data.
In addition, all LTCA representatives must establish effective security measures to protect Client Data, and shall provide both assurances that measures are in place and access to audit such measures.
LTCA and any representatives soliciting cash-value financial instruments also comply with all applicable anti-money-laundering laws, regulations, rules and government guidance, including the reporting, recordkeeping and compliance requirements of the Bank Secrecy Act (“BSA”), as amended by the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2002, Title III of the USA Patriot Act (“the Act”), its implementing regulations, and related rules. This includes compliance with the economic sanctions programs administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”).
B. Compliance with The Health Insurance Portability and Accountability Act (HIPAA)
One of the components of the Health Insurance Portability and Accountability Act, or HIPAA, is the requirement to protect individually identifiable health information. These privacy and security requirements are set forth in regulations promulgated by the Department of Health and Human Services at 45 CFR Parts 160, 162 and 164, as amended, and they are in addition to any confidentiality provisions in LTCA’s Agreements by and between our Affinity Partners, our Representatives, and/or our Third-Party Marketers.
These privacy and security requirements apply to protected health information that we collect, use or disclose in connection with long-term care insurance and linked-benefit leads, applications, or policies, including long-term care insurance riders with life insurance.
Protected Health Information
Protected Health Information means “any individually identifiable information about patients of healthcare providers or customers of health/LTC insurers”, including demographic information, that relates to:
- the past, present or future physical, mental, or behavioral health or condition of an individual;
- the provision of health care to an individual; or
- the payment for the provision of health care to an individual.
It is limited to the information LTCA either receives from our insurance carriers, or creates or receives on behalf of our insurance carriers. For example, any health information we obtain from an individual while applying for a long-term care insurance policy would be considered protected health information.
Permitted Uses and Disclosures
LTCA is permitted to use or disclose protected health information to perform functions, activities, or services for, or on behalf of, our insurance carriers as specified in our Agreements with them. Typically, we may not use or disclose protected health information for any other purpose unless we have obtained the individual’s written authorization to do so, or as permitted by law (known as the “Privacy Rule”).
Our Obligations with Respect to PHI
LTCA may not request, use or further disclose protected health information other than as permitted or required by these provisions, or as required by law. Reasonable effort must be taken on our part to limit our requests, uses and disclosures of protected health information to the minimum necessary to accomplish the intended purpose. Where possible, LTCA requests, uses or discloses information without personal identifiers.
LTCA employs appropriate administrative, physical, and technical safeguards to prevent any use or disclosure of protected health information other than as provided for by these provisions. We implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information created, received, maintained or transmitted between ourselves and our insurance carriers.
To send and receive PHI, LTCA has chosen ZixMail, the leading solution for government, finance and healthcare. ZixMail can be sent and received by anyone, supports hundreds of attachments, and can only be opened by the recipient. LTCA’s ZixPortal is used for securely and conveniently sending and receiving encrypted email.
LTCA is obligated to mitigate, to the extent practicable, any harmful effect of our use or disclosure of protected health information in violation of these provisions. This includes promptly reporting any use or disclosure of protected health information not allowed by these provisions, as well as any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
LTCA ensures—annually or more frequently—that our Representatives are both familiar with our Privacy Policy and Code of Conduct and compliant with HIPAA, HITECH, and GLB requirements, and ensures that they implement reasonable and appropriate safeguards to protect electronic protected health information.
LTCA assists our insurance carrier partners in complying with their obligation to provide individuals with a right of access to their protected health information, by providing them with access to protected health information we may have if they request it. Likewise, if requested by an individual through an insurance carrier, LTCA is obligated to make an amendment to protected health information in our possession.
LTCA must make our internal practices, books, and records relating to our use and disclosure of protected health information available to our insurance carrier partners or, at their request, to the United States Secretary of Health and Human Services, for purposes of the Secretary determining their compliance with the Privacy Regulation.
Responsibility to “DRoP” Information (Destroy, Return, or Protect)
It is the obligation of our insurance carrier partners to provide LTCA notice of any changes in, or revocation of, permission given by an individual to use or disclose protected health information, if such changes affect our permitted or required uses and disclosures. Likewise, we must be notified of any new restrictions placed on the use or disclosure of protected health information that our insurance carriers may have agreed to in accordance with the Privacy Regulation.
Whether or not LTCA’s Agreements with our Insurance Carriers, Representatives, or Third-Party Marketers terminate, our obligations in regard to non-public personal health information do not end. Rather, these requirements continue until all of the protected health information once in our possession is destroyed, returned, or, if it is infeasible to return or destroy protected health information, protected as described below.
LTCA’s Agreements with our insurance carriers require that, upon termination, we either return or destroy all protected health information received from them, or created or received on behalf of them, during the course of our business relationship. We are not permitted to retain any copies of the protected health information except to the extent required by our internal file retention policies. Likewise, our Agreements with our Affinity Partners generally stipulate non-public PHI must be destroyed or returned upon termination of our Agreements, except as required to maintain policyholder service functions.
Where LTCA determines that returning or destroying protected health information is infeasible, we extend the protections of these provisions above to such protected health information, and limit further uses and disclosures of it to those purposes that make the return or destruction infeasible, for so long as we maintain such protected health information.
In general, LTCA employs physical, electronic, and technological safeguards as promulgated by the Federal Trade Commission in their guide, “Protecting Personal Information: Five Steps for Business”. The five principles set out therein are 1) Take Stock, 2) Scale Down, 3) Lock It, 4) Pitch It, and 5) Plan Ahead.
Client Files
Client files are a necessary aspect of conducting business. These files are critical to understanding the client, the coverages he or she has, the background on why particular products were sold, how they were sold, subsequent changes on products sold, and service requests. They represent a tracking tool or monitoring device, which allows LTCA and our Representatives to profile our clients and their potential needs. Thorough recordkeeping can protect both parties from liability.
It must be recognized that our client files will contain records on the policies from many Insurance Carriers and many Affinity Groups. Regulations require that client files be kept indefinitely. In order to protect ourselves, client files may contain some or all of the following: copies of sales presentations made, marketing materials used, suitability or fact-finding forms, illustrations, correspondence, acknowledgement receipts for replacement forms, policy acknowledgement receipts, application copies, and any complaints.
LTCA no longer stores any physical records of client files. Electronic files maintained as described above are password-protected.
Intersection with GLB and NCUA
As provided for in LTCA’s Affinity Marketing Agreement(s), we have indicated we do not share any “Confidential Information”, as defined by NCUA Part 716 “Privacy of Consumer Financial Information”, except as required and necessary to perform said Agreement(s). Part 716 can be found in its entirety on the NCUA website.
Cookies
"Cookies" are the small files stored on your computer's hard drive as you use a website. We use both session ID cookies and persistent cookies. A session ID cookie terminates once a user closes their browser. A persistent cookie is a small text file stored on the user's hard drive for an extended period, and must be removed by the user.
Our website uses cookies to make your online experience more convenient, and you can control acceptance of cookies by modifying your internet browser preferences. We do not collect any personal information from cookies and none of the information can be linked back to your personal information.
Use of this website is limited to persons residing in the United States. No part of this website is intended for use outside the U.S., and any information received from an identifiable non-U.S. resident will be disregarded.