This rule was filed as 13 NMAC 7.5.
TITLE 13 INSURANCE
CHAPTER 7 INSURANCE
TRADE PRACTICES AND FRAUDS
PART 5 CONFIDENTIAL
ABUSE INFORMATION
13.7.5.1 ISSUING AGENCY: New Mexico State Corporation Commission [Public Regulation Commission], Department of Insurance, Post Office Box 1269, Santa Fe, NM 87504-1269.
[1/1/99; Recompiled 11/30/01]
13.7.5.2 SCOPE:
A. This rule applies to those insurers and insurance support organizations which receive or maintain confidential abuse information in connection with insurance actions which pertain to persons who are residents of this state or involve policies delivered, issued for delivery, or renewed in this state.
B. This rule does not apply to the following lines of insurance:
(1) fidelity or surety bonds, or any other bonding obligations;
(2) warranties or service contracts;
(3) title insurance;
(4) marine and transportation insurance;
(5) boiler and machinery insurance.
[1/1/99; Recompiled 11/30/01]
13.7.5.3 STATUTORY AUTHORITY: Sections 59A-16B-6 and 59A-16B-7, NMSA 1978.
[1/1/99; Recompiled 11/30/01]
13.7.5.4 DURATION: Permanent.
[1/1/99; Recompiled 11/30/01]
13.7.5.5 EFFECTIVE DATE: January 1, 1999, unless a later date is cited at the end of a section or paragraph.
[1/1/99; Recompiled 11/30/01]
[Compiler’s note: The words or paragraph, above, are no longer applicable. Later dates are now cited only at the end of sections, in the history notes appearing in brackets.]
13.7.5.6 OBJECTIVE: The purpose of this rule is to implement the Domestic Abuse Insurance Protection Act, Sections 59A-16B-1 et seq., NMSA 1978 by establishing requirements for the protection of, and procedures for the transfer and disclosure of, confidential abuse information received by insurers or insurance support organizations in connection with insurance actions.
[1/1/99; Recompiled 11/30/01]
13.7.5.7 DEFINITIONS: In addition to the definitions provided in Section 59A-16B-3, NMSA 1978, as used in this rule:
A. “Applicant” means a person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.
B. “Insurance support organization” means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about protected persons for the primary purpose of providing the information to an insurer for insurance actions.
C. “Insurance action” means any action involving insurance which entails:
(1) the determination of a protected person's eligibility for an insurance coverage, benefit or payment;
(2) the renewal, reinstatement, change of location information endorsement, or change in insurance benefits of a policy.
(3) a claim for benefits.
D. “Location information” means the address and telephone number of the residence, place of employment, school or other location of a protected person.
E. “Protected person” means:
(1) a victim of domestic abuse who has notified an insurer that he or she is or has been a victim of domestic abuse and who:
(a) in the case of property or casualty insurance, is a present or proposed named insured or certificate-holder;
(b) in the case of life, health, or disability insurance, is a present or proposed principal insured or certificate-holder;
(c) is a present or proposed policy-owner;
(d) is a present applicant;
(e) is a present claimant;
(f) derives or is proposed to derive insurance coverage under an insurance policy subject to this rule; or
(2) an individual or entity that provides shelter, advocacy, counseling, or protection to victims of domestic abuse.
[1/1/99; Recompiled 11/30/01]
13.7.5.8 NOTICE OF CONFIDENTIAL ABUSE INFORMATION PRACTICES: An insurer shall provide a separate notice of confidential abuse information practices in connection with the insurance actions set forth in 13 nmac 7.5.11 [now 13.7.5.11 NMAC]. The notice shall be written in plain language and shall:
A. state that confidential abuse information may be received in the course of collecting information from persons other than the protected person;
B. state the types of confidential abuse information that may be received and the types of sources and investigative techniques that may be used to collect information;
C. state that the insurer is prohibited by law from using confidential abuse status as a basis for denying, refusing to issue, renew or reissue or canceling or otherwise terminating a policy, restricting or excluding coverage or benefits of a policy or charging a higher premium for a policy;
D. state the types of disclosures identified in Section 59A-16B-4 NMSA 1978 and the circumstances under which such disclosures may be made without prior authorization;
E. state that confidential abuse information used by an insurance support organization to prepare its report to the insurer may be retained by the insurance support organization but may not be disclosed to other persons without the written consent of the protected person except as otherwise permitted by Section 59A-16B-4 NMSA 1978]
F. describe the rights established in 13 nmac 7.5.14 , 7.5.15 and 7.5.17 [now 13.7.5.14 NMAC, 13.7.5.15 NMAC and 13.5.7.17 NMAC] and the manner in which such rights may be exercised;
G. describe the insurer's location information confidentiality program and instructions for applying to participate in the program;
H. provide a convenient means of notifying the insurer that the person wishes to be a protected person.
[1/1/99; Recompiled 11/30/01]
13.7.5.9 ABBREVIATED NOTICE PERMITTED: In lieu of the notice prescribed in 13 nmac 7.5.8 [now 13.7.5.8 NMAC], the insurer may provide an abbreviated notice which shall:
A. state that confidential abuse information may be received from persons other than the protected person;
B. state that the insurer is prohibited by law from using confidential abuse status as a basis for denying, refusing to issue, renew or reissue or canceling or otherwise terminating a policy, restricting or excluding coverage or benefits of a policy or charging a higher premium for a policy;
C. state that a right of access and correction exists with respect to all confidential abuse information received;
D. state that the full notice prescribed in 13 nmac 7.5.8 [now 13.7.5.8 NMAC] will be furnished upon request;
E. provide a convenient means of notifying the insurer that the person wishes to be a protected person.
[1/1/99; Recompiled 11/30/01]
13.7.5.10 ALTERNATIVE NOTICE PERMITTED: In lieu of the notices prescribed in 13 nmac 7.5.8 and 7.5.9 [now 13.7.5.8 NMAC and 13.7.5.9 NMAC], an insurer may provide the notice required by Section 4 of the NAIC Insurance Information and Privacy Protection Model Act (1980 proceedings of the NAIC, as amended) if the notice is modified to make specific reference to confidential abuse information and to provide a convenient means of notifying the insurer that the person wishes to be a protected person.
[1/1/99; Recompiled 11/30/01]
13.7.5.11 WHEN NOTICE TO BE GIVEN: The notice of confidential abuse information practices shall be provided to:
A. all persons who submit applications for insurance or claims for benefits on or after the effective date of this rule as follows:
(1) in the case of an application for insurance, a notice shall be provided at the time the applicant is asked to execute a record release authorization form;
(2) in the case of a claim for benefits, if a claimant is asked to execute a record release authorization form before the claim can be processed, a notice shall be provided at the same time.
B. all protected persons within one year of the effective date of this rule as follows:
(1) in the case of a policy renewal, a notice shall be provided no later than the policy renewal date if:
(a) confidential abuse information has been received from a source other than the protected person or from public records; or
(b) a notice meeting the requirements of this section has not been given within the previous twenty-four (24) months;
(2) in the case of a policy reinstatement, change in location information endorsement, or change in insurance benefits, a notice shall be provided when the insurer sends a notice or confirmation of a policy reinstatement, change in location information endorsement, or change in insurance benefits if:
(a) confidential abuse information has been received from a source other than the protected person or from public records; or
(b) a notice meeting the requirements of this section has not been given within the previous twenty-four (24) months.
[1/1/99; Recompiled 11/30/01]
13.7.5.12 CONTENT OF RECORD RELEASE AUTHORIZATION FORMS: Whenever a record release authorization form is used by an insurer or insurance support organization to obtain a protected person's authorization for the types of persons specified in the form to release records which may contain confidential abuse information about the protected person to the insurer or insurance support organization, the record release authorization form must:
A. be written in plain language;
B. be dated;
C. specify the types of persons authorized to release records which may contain confidential abuse information about the protected person;
D. name the insurer and identify by generic reference representatives of the insurer to whom the protected person is authorizing information to be released;
E. specify the purposes for which the released information is being collected;
F. specify the length of time such authorization shall remain valid, which shall be no longer than:
(1) in the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for change in policy benefits:
(a) thirty (30) months from the date the authorization is signed if the application or request involves life, health or disability insurance;
(b) one (1) year from the date the authorization is signed if the application or request involves property or casualty insurance;
(2) in the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:
(a) the term of coverage of the policy if the claim is for a health insurance benefit;
(b) the duration of the claim if the claim is not for a health insurance benefit.
G. advise the protected person that he or she is entitled to:
(1) receive a copy of the record release authorization form; [and]
(2) revoke the record release authorization in writing, r5effective ten days after receipt by the insurer, but that doing so may result in an application or claim being denied or may otherwise adversely affect a pending insurance action.
[1/1/99; Recompiled 11/30/01]
13.7.5.13 CONFIDENTIAL ABUSE INFORMATION POLICIES AND PROCEDURES:
A. Employees: An insurer shall, by the effective date of this rule, develop, make available for inspection by the superintendent, and implement written policies and procedures to protect against any collection, use, disclosure or transfer of confidential abuse information by the insurer which would violate the Domestic Abuse Insurance Protection Act or this rule. These policies and procedures shall include:
(1) limiting access to confidential abuse information to only those persons who reasonably need access to the information in order to perform their jobs;
(2) appropriate training for all employees with access to confidential abuse information who work in New Mexico or serve New Mexico applicants, insureds, or claimants;
(3) disciplinary measures for violations of the confidential abuse information policies and procedures;
(4) methods for handling, disclosing, storing and disposing of confidential abuse information; [and]
(5) periodic monitoring of employees who have access to confidential abuse information to ensure they are complying with the insurer's confidential abuse information policies and procedures.
B. Contractual arrangements: With respect to contractual arrangements between an insurer and a person in which the disclosure or transfer of confidential abuse information may occur, an insurer shall include a provision in the contract by which the recipient of confidential abuse information agrees to be bound by the provisions of the Domestic Abuse Insurance Protection Act in all respects and to be subject to enforcement of that act in the courts of this state.
[1/1/99; Recompiled 11/30/01]
13.7.5.14 ACCESS TO CONFIDENTIAL ABUSE INFORMATION:
A. If any protected person, after proper identification, submits a written request to an insurer or insurance support organization for access to confidential abuse information about the protected person which is reasonably described by the protected person and reasonably locatable and retrievable by the insurer or insurance support organization, the insurer or insurance support organization shall within thirty (30) business days from the date such request is received:
(1) inform the protected person of the nature and substance of such confidential abuse information in writing, by telephone or by other oral communication, whichever the insurer or insurance support organization prefers;
(2) permit the protected person to see and copy, in person, such confidential abuse information pertaining to him or her or to obtain a copy of such confidential abuse information by mail, whichever the protected person prefers, unless such confidential abuse information is in coded form, in which case an accurate translation in plain language shall be provided in writing;
(3) disclose to the protected person the identity, if recorded, of those persons to whom the insurer or insurance support organization has disclosed such confidential abuse information within two (2) years prior to such request, and if the identity is not recorded, the names of those insurers and insurance support organizations or other persons to whom such information is normally disclosed; and
(4) provide the protected person with a summary of the procedures by which he or she may request correction, amendment or deletion of confidential abuse information.
B. Any confidential abuse information provided pursuant to 13 NMAC 7.5.14.1 [now Subsection A of 13.7.5.14 NMAC] shall identify the person or governmental entity that provided it unless the person who provided it is an agent; the protected person who is the subject of the information; or a natural person acting in a personal capacity rather than in a business or professional capacity.
C. An insurer or insurance support organization may charge a reasonable fee to cover the costs incurred in providing a copy of confidential abuse information to persons.
D. The obligations imposed by this section upon an insurer may be satisfied by another insurer authorized to act on its behalf. With respect to the copying and disclosure of confidential abuse information pursuant to a request under 13 NMAC 7.5.14.1 [now Subsection A of 13.7.5.14 NMAC], an insurer or insurance support organization may make arrangements with an insurance support organization to copy and disclose confidential abuse information on its behalf.
E. The rights granted to protected persons in this section shall extend to all persons to the extent confidential abuse information about them is received and maintained by an insurer or insurance support organization in connection with an insurance action. The rights granted to all persons by this subsection shall not extend to information about them that relates to and is received in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
[1/1/99; Recompiled 11/30/01]
13.7.5.15 CORRECTION, AMENDMENT OR DELETION OF CONFIDENTIAL ABUSE INFORMATION:
A. Within thirty (30) business days from the date of receipt of a written request from a protected person to correct, amend or delete any confidential abuse information about the protected person within its possession, an insurer or insurance support organization shall either:
(1) correct, amend or delete the portion of the confidential abuse information in dispute; or
(2) notify the protected person of:
(a) its refusal to make such correction, amendment or deletion;
(b) the reasons for the refusal; and
(c) the protected person's right to file a statement as provided in 13 NMAC 7.5.15.3 [now Subsection C of 13.7.5.15 NMAC].
B. If the insurer or insurance support organization corrects, amends or deletes confidential abuse information in accordance with 13 NMAC 7.5.15.1.1 [now Paragraph (1) of Subsection A of 13.7.5.15 NMAC], the insurer or insurance support organization shall so notify the protected person in writing and furnish the correction, amendment or fact of deletion to:
(1) any person specifically designated by the protected person who may have, within the preceding two (2) years, received such confidential abuse information;
(2) any insurance support organization whose primary source of confidential abuse information is insurers if the insurance support organization has systematically received such confidential abuse information from the insurer within the preceding three (3) years; provided, however, that the correction, amendment or fact of deletion need not be furnished if the insurance support organization no longer maintains confidential abuse information about the protected person; and
(3) any insurance support organization that furnished the confidential abuse information that has been corrected, amended or deleted.
C. Whenever a protected person disagrees with an insurer's or insurance support organization's refusal to correct, amend or delete confidential abuse information, the protected person shall be permitted to file with the insurer or insurance support organization:
(1) a concise statement setting forth what the protected person thinks is the correct, relevant or fair confidential abuse information; and
(2) a concise statement of the reasons why the protected person disagrees with the insurance institution's, agent's or insurance support organization's refusal to correct, amend or delete confidential abuse information.
D. In the event a protected person files either of the statements described in 13 NMAC 7.5.15.3 [now Subsection C of 13.7.5.15 NMAC], the insurer or insurance support organizations shall:
(1) file the statement with the disputed confidential abuse information and provide a means by which anyone reviewing the disputed confidential abuse information will be made aware of the protected person's statement and have access to it; and
(2) in any subsequent disclosure by the insurer or insurance support organization of the confidential abuse information that is the subject of disagreement, clearly identify the matter in dispute and provide the protected person's statement along with the confidential abuse information being disclosed; and
(3) furnish the statement to the persons and in the manner specified in 13 NMAC 7.5.15.2 [now Subsection B of 13.7.5.15 NMAC].
E. The rights granted to protected persons in this section shall extend to all persons to the extent confidential abuse information about them is collected and maintained by an insurer or insurance support organization in connection with an insurance action. The rights granted to all persons by this subsection shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.
[1/1/99; Recompiled 11/30/01]
13.7.5.16 RECORD OF CONFIDENTIAL ABUSE INFORMATION DISCLOSED BY INSURER: An insurer shall maintain a record of all disclosures of confidential abuse information, except those disclosures permitted by paragraph 4A(3) of the Domestic Abuse Insurance Protection Act, made to any person who is not an employee or agent of the insurer. The record shall include:
A. the name and address or location of the person to whom the information is disclosed; if the information is disclosed to an institution, a contact person shall be named;
B. the date and purpose of the disclosure;
C. a description of the information disclosed;
D. the authorization or release form allowing the disclosure of the information, if required.
[1/1/99; Recompiled 11/30/01]
13.7.5.17 MAINTAINING CONFIDENTIALITY OF LOCATION INFORMATION:
A. Insurer program required: Each insurer shall develop by the effective date of this rule a location information confidentiality program to be followed by all persons who have access to the location information of protected persons. The program shall include:
(1) a reasonable procedure by which a protected person can request participation in the insurer's location information confidentiality program;
(2) a system of internal control procedures for maintaining the confidentiality of the location information of a protected person, including provisions for regular internal review; and
(3) procedures to be followed when any action is taken with respect to an application, policy, claim, or other material involving a protected person, including procedures for the designation of a mailing address to be used by the insurer.
B. Notice to protected person of disclosure of location information:
(1) If the insurer is required, pursuant to an order of the superintendent or a court of competent jurisdiction or as otherwise required by law, to disclose the location information of a protected person, the insurer shall:
(a) give the protected person notice of receipt of the order within ten (10) days of receipt of the order;
(b) advise the person issuing the order that the protected person's location information is confidential and protected by the Domestic Abuse Insurance Protection Act, Chapter 59A, Article 16B NMSA 1978, and by the Confidential Abuse Information rule, 13 NMAC 7.5 [now 13.7.5 NMAC];
(c) continue to otherwise maintain the confidentiality of the location information.
(2) If the insurer elects to file suit against the person who committed domestic abuse against a protected person, the insurer shall:
(a) give the protected person notice of intent to file suit at least thirty (30) days prior to the date suit is filed;
(b) advise the court in which suit is filed that the protected person's location information is confidential and protected by the Domestic Abuse Insurance Protection Act, Chapter 59A, Article 16B NMSA 1978, and by the Confidential Abuse Information Rule, 13 NMAC 7.5 [now 13.7.5 NMAC];
(c) continue to otherwise maintain the confidentiality of the location information.
C. Prohibition against disclosure:
(1) No insurer or insurance support organization may sell or otherwise disclose the location information of a protected person, except as permitted by paragraph 4A(3) of the Domestic Abuse Insurance Protection Act, without having first obtained the written consent of the protected person.
(2) Written consent is not required if the use or disclosure of the location information of the protected person is internal or to an affiliate of the insurer and the only use of the location information will be in connection with the marketing of insurance products, provided the affiliate agrees not to disclose the location information of the protected person for any other purpose or to unaffiliated persons. With respect to the marketing of insurance products, the protected person must be given an opportunity to indicate that he or she does not want his or her location information used for such marketing purposes and has given no indication that he or she does not want his or her location information used for such purposes.
(3) This prohibition shall not apply to location information disclosed to or utilized by insurance support organizations, including, but not limited to, index, fraud, and medical information bureaus, which assist insurers or insurance support organizations with underwriting, claims settlement, detection or prevention of fraud, or detection or prevention of material misrepresentation or material nondisclosure.
[1/1/99; Recompiled 11/30/01]
HISTORY OF 13.7.5 NMAC: [RESERVED]