The Commission's approach to the problems described in this chapter has been to focus on strengthening and balancing the relationship between the individual insurance applicant, policyholder, or claimant and the insurance institution with whom he deals. As indicated at the outset, the Commission's recommendations have three objectives:
(1) to create a proper balance between what an individual is expected to divulge about himself to a record-keeping organization and what he seeks in return (to minimize intrusiveness);
(2) to open up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him made on the basis of such information (to maximize fairness); and
(3) to create and define obligations with respect to the uses and disclosures that will be made of recorded personal information (to create a legitimate, enforceable expectation of confidentiality.)
In the insurance area, as in others it has studied, the Commission also believes that giving an individual certain rights without placing corresponding obligations on the institution with whom he has the primary record-keeping relationship is not likely to bring about adequate remedial action. Thus, the Commission believes that insurance institutions and insurance-support organizations must assume greater responsibility for their personal-data record-keeping practices. In some cases, this can be accomplished by bringing the forces of the marketplace to bear on record-keeping policy and practice, through voluntary adoption of standards set forth in this report, or through court action by individuals to enforce their rights. In others, government agencies should also be called upon to play monitoring and corrective roles. The Commission believes that both parties will benefit from this approach. The individual's position with respect to the records the insurance relationship generates about him will be strengthened, while insurers and insurance-support organizations will be assured of obtaining the kind of information that promotes fair and efficient operations. Greater confidence in insurance institutions and their role in society should result from opening up the process in this way.
One of the major reasons legislation is needed is that the individual is currently at a disadvantage in the insurance relationship. Some of the Commission's recommendations have attempted to protect the applicant, policyholder, or claimant by placing certain restraints on the insurer-limiting certain collection techniques, creating standards for the authorization forms used, and requiring reasonable procedures in the collection, use, and disclosure of information about an individual. The Commission's aim, however, is not so much to constrain insurance institutions and support organizations as it is to enhance the position of the individual so that he can protect his own privacy interests. To this end, the Commission has concluded that the insurer should inform the individual of the scope of its underwriting inquiry by a clear notice and an adequate authorization form; that the subject of an investigative report should be interviewed if he so desires; and that a mechanism should be created whereby the individual can question the propriety of a specific type of inquiry made in connection with an insurance decision about him. These recommendations are designed to give the individual a central role in the record-keeping practices (including information collection) of the insurance industry.
The ability of the individual to protect himself depends upon the knowledge he has of the records that are made about him. Thus, an individual should have access to a record about himself and a mechanism should exist whereby disputes concerning the accuracy of such a record can be settled. Access and correction rights are also needed to enable the individual to protect himself from investigations which exceed the scope of the notice he is given at the time he seeks to establish a relationship with an insurer, and to assure that the records maintained about him are accurate, timely, and complete. In addition, the individual should be informed of the reasons for an adverse decision about him and the specific information which supports those reasons, so that he can protect himself from unfair treatment resulting from the use of inaccurate, obsolete, or incomplete information.
This approach is not simply intended to be a procedural one. Rather, it is intended that the dynamics of the relationship between the insurer and the individual, rather than action by a legislature or regulator, will create certain standards governing the collection, maintenance, use, and disclosure of information by insurance institutions and support organizations. The Commission believes that notice, access, dispute, and an enforceable expectation of confidentiality are the tools an individual must have if he is to play an effective role in preventing the record-keeping practices of insurance institutions and support organizations from trespassing on his privacy interests. Armed with them, he can exert constructive pressure upon an insurer or agent. Even where the abuse concerns an insurance-support organization, pressure will be most effective on the insurer or agent, because the individual has a direct relationship with them, and because the prospect of adverse publicity that could affect the insurer's position in the marketplace provides the insurer with more incentive to be responsive than the support organization.
Overall, the Commission believes that the strategy it proposes for implementing these recommendations is a reasonable and practical one in that it:
- uses existing regulatory and legislative mechanisms to the maximum extent possible;
- keeps the cost of administration and compliance at acceptable levels;
- provides inducements to comply willingly so that disputes over compliance can be kept to a minimum; and
- provides reasonable protection against liability for unintentional failure to comply, coupled with appropriate penalties for willful failure to comply.
As previously noted, because insurance is regulated primarily by State Insurance Departments, the Commission believes that the responsibility for implementing some of its recommendations should be properly lodged at the State level. In addition, the personal-data record-keeping practices of insurance institutions are also regulated to some extent by the Federal Fair Credit Reporting Act which the Commission believes is the proper vehicle for implementing recommendations that aim to strengthen the insurance relationship by eliminating artificial distinctions between the record-keeping practices of insurance institutions and the record-keeping practices of their support organizations. Finally, for reasons that are fully elaborated in Chapter 9 on government access to records about individuals maintained by organizations in the private sector, the Commission has concluded that the enforceable expectation of confidentiality it recommends must be implemented by Federal statute.
It should be noted, moreover, that the recommendations to be implemented by Federal statute, including those that would be implemented by amending the Fair Credit Reporting Act, give the individual actionable rights against insurance institutions and support organizations. The Commission has explicitly rejected the establishment of a Federal regulatory structure that could be quite costly both to the taxpayer and to the insurance industry. Instead, by making those who do not comply civilly liable for their failure to do so, and by making it comparatively easy for such actions to be brought, the Commission believes that a strong incentive for systemic reform will be created without subjecting those who favor reform to unnecessarily costly government regulation. The burden will fall on those who by their actions willfully and repeatedly disregard their responsibilities rather than on those who make a good faith effort to comply fully. In short, the implementation of the Commission's recommendations is designed to place an increasing financial burden on those companies who encourage costly disputes by resisting openness, or who fail to adopt reasonable procedures to control the collection, use, or disclosure of records about individuals.
Finally, insurance institutions should not be unduly exposed to liability which arises only because of the openness of the process. The objective of the Commission's recommendations is to cleanse the system of decisions based on inaccurate or incomplete information; not to create windfall recoveries for bad information or practices of the past.
Definitions for some of the terms used in the recommendations and discussion which follow may be found in the glossary at the end of this chapter.
The Commission's first three recommendations address the scope and character of the inquiry to which an insurer may require an individual to submit as a condition of establishing or maintaining an insurance relationship. Because insurance is concerned with the protection of individuals or personal property, the process of granting insurance coverage necessarily involves intrusions on personal privacy. The question is simply (or perhaps not so simply) how much of an intrusion and by what methods.
For some years now, controversies over the propriety of asking certain kinds of questions of an individual have generally centered on the relevance of the information sought to the decision to be made. For example, the Privacy Act of 1974 requires each Federal agency to limit its collection, maintenance, use and dissemination of information about individuals to that which "is relevant and necessary" to a purpose the agency is required to perform by statute or Executive Order.89 The California Insurance Department, relying on its authority to prevent unfairly discriminatory practices, investigates the relevance of certain items of information used by insurers doing business in the State and may prohibit the use of any item whose relevance to underwriting decisions or pricing cannot be demonstrated to the Department's satisfaction.
A related, and in many respects more difficult, question concerns inquiries which, while demonstrably relevant, are objectionable on other grounds. Legislatures may prohibit, and have prohibited, the use of certain items of information on fairness grounds. Race, for example, has been excluded as an eligibility or rating criterion for life underwriting even though its relevance to life expectancy can be demonstrated.90 On the other hand, the Privacy Act of 1974 strives, not very successfully, to ban the collection and use of information pertaining to an individual's exercise of his First Amendment rights on the grounds that such inquiries by government agencies constitute an unwarranted invasion of personal privacy, i.e., that they fail the test not of relevance or fairness, but of propriety 91
Thus far, there have been few instances in which items of personal information have been proscribed on grounds of impropriety, i.e., unwarranted intrusiveness. In the insurance area, California has come close in proscribing the collection and use of information concerning "moral lifestyle."92 The California approach is almost unique among State insurance regulatory authorities and all the California Department's other investigations, except for "moral life-style," have turned on other issues, such as fairness. In some cases regulation has not been necessary because the impropriety of certain types of inquiries is universally recognized. An example would be collection of information about an individual from his priest, minister, or rabbi.
It should be noted, moreover, that fairness and propriety issues usually cannot be dealt with in the same way. As briefly discussed in Chapter 2, when. fairness is the overriding concern, such as in the Equal Credit Opportunity Act as amended, [15 U.S.C. 1691 et seq.], continued collection of certain information may be necessary to demonstrate that it is no longer being used to make decisions about individuals. For example, one cannot show that sex and race are not being systematically used to make credit decisions unless one can show that credit has been extended to women and minorities in proportion to their relative numbers in the credit grantor's market. And the most practical way to do that may well be to have the credit grantor record the sex and race of all applicants. This, however, is much different from situations where impropriety is the reason for proscribing information. There, the first act must be to prohibit collection, since the problem lies primarily in the asking of the question. Use may also be prohibited in such a situation but only to make sure that the information is totally excluded from the decision-making process.
The Commission believes that, in the future, society may have to cope with objections to the collection of certain information about an individual on the grounds that it is "nobody's business but his own." In some cases, these propriety issues may be resolved by prohibiting an inquiry on the grounds that it is irrelevant, but in others, where relevance can be demonstrated, proscription may be necessary on propriety grounds alone. In the Commission's view, questions of this nature are best resolved on a caseby-case basis. One must be concerned about undue government interference in such controversies. The Commission believes, moreover, that all such determinations must be prospective, so as to avoid retroactive punishment for behavior which at the time was wholly consistent with prevailing societal expectations and norms. However, the Commission also believes that institutional mechanisms are needed so that such questions can be raised and resolved.
Insurers have historically enjoyed considerable latitude in determining what information is and is not necessary to a given decision about an individual. Underwriting is far from an exact science. Moreover, industry spokesmen argue that the cost of collecting information is a powerful enough incentive to collect only relevant information. Yet others claim that insurance institutions collect a great deal of information whose relevance is questionable. Indeed, the industry has been criticized for not taking advantage of its actuarial and computer expertise to refine its relevance criteria.
To a large extent, the relevance-propriety issue in insurance stems from some insurers' belief that they should insure only those of "high moral character," and should shun those whose mode of living differs from what society considers normal. In a society as diverse as ours, however, determining what "society considers normal" is no easy task, and relying on the independent judgment of underwriters to make this determination has led to considerable difficulties.
The Commission is mindful of the complexities that lie beneath the surface of the relevance-propriety issue in the insurance area. It is aware that a few States have taken an interest in certain insurance-related inquiries. Most, however, have not. The Commission, moreover, is not fully persuaded that the problem can be handled exclusively through market mechanisms. Although Recommendation (5) (see below) seeks to set corrective market forces in motion, the necessity of insurance in today's society may make it difficult for individuals to make their objections felt. Furthermore, should there be sentiment in favor of banning a particular category of inquiry, irrespective of its relevance, some way will have to be found for society to estimate and consider the cost involved in such an action and the way in which the cost will be distributed. Thus, in light of all these considerations, and out of its desire to eliminate unreasonable invasions of personal privacy, the Commission recommends:
That governmental mechanisms should exist for individuals to question the propriety of information collected or used by insurance institutions, and to bring such objections to the appropriate bodies which establish public policy. Legislation specifically prohibiting the use, or collection and use, of a specific item of information may result; or an existing agency or regulatory body may be given authority, or use its currently delegated authority, to make such a determination with respect to the reasonableness of future use, or collection and use, of a specific item of information.
To implement this proposal, the Commission recommends that each State Insurance Commissioner collect individuals' complaints and questions concerning the propriety of particular types of inquiries, prepare periodic summary reports on the number of questions and complaints by category, and make them available to legislative bodies. If already authorized by the legislature, the Commissioner may take action. In California, for example, the legislature empowered the Commissioner to promulgate rules and regulations under the unfair trade practices article of the State insurance laws and the Commissioner then used that authority to declare discrimination based on sex, marital status, or sexual orientation a prohibited practice.93[§790.03 and 790.10 of the California Insurance Code]. The rules the Commissioner adopts may prohibit the use of certain information in one line of insurance but not in another. Furthermore, within a given line of insurance, the Commissioner might allow certain information to be used as the basis for rating or determining risk, but not unless it has an impact on one or the other. For example, inquiry into the fact of cohabitation might be relevant in determining use of a vehicle, a valid rating criterion, but the mere fact of cohabitation, unrelated to vehicle use, could not be the basis of an underwriting or rating decision.
Currently, most Insurance Commissioners could address the use of irrelevant information under their general authority to hold hearings and issue cease and desist orders in connection with undefined unfair trade practices. The Commission believes, however, that the rule-making technique is fairer and more effective than looking one at a time at possible violations of a general prohibition against unfair trade practices. Not only will more insurers than the one offender have a say in the wisdom of the Commissioner's proposed prohibition, but the Commissioner's decision will only be subject to the narrow judicial review generally applied to rulemaking decisions. The Federal Insurance Administrator could also collect the reports compiled by the State Insurance Commissioners and periodically report on them to the Congress.
An alternate and not mutually exclusive suggestion is that the Federal Insurance Administrator, or another appropriate Federal entity, collect complaints concerning the propriety of insurance inquiries directly from individual consumers and from time to time report and make recommendations on them to the Congress. It is not recommended, however, that the Federal Insurance Administrator have the rule-making authority urged for State Insurance Commissioners, since regulation of information practices within the insurance industry is currently a State function.
As indicated earlier, Factual Service Bureau obtained some of its information through pretext interviews or other false or misleading representations.94 A pretext interview is one in which the inquirer (1) pretends to be someone he is not; (2) pretends to represent someone he does not; or (3) misrepresents the true purpose of the interview. Mere silence on any or all of these points would not normally constitute a pretext interview. Indeed, an investigator could refuse to identify himself, his client, or the purpose of the inquiry, letting the person of whom the inquiry is being made infer whatever he wishes from such behavior. Nonetheless, an investigator dressed in a white lab coat making inquiries of a clerk in a hospital medical records room would be conducting a pretext interview if he allowed the clerk to assume he was a properly credentialed medical professional.
As pointed out in several chapters of this report, the Commission believes that some investigative practices are unreasonably intrusive, or at least have a high potential for depriving an individual of even a modicum of control over the disclosure of information about himself. An investigator conducting a pretext interview clearly raises that prospect. Thus, out of its desire to prevent unreasonable invasions of privacy resulting from the techniques used to collect information about individuals, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide that no insurance institution or insurance-support organization may attempt to obtain information about an individual through pretext interviews or other false or misleading representations that seek to conceal the actual purpose(s) of the inquiry or investigation, or the identity or representative capacity of the inquirer or investigator.
This recommendation would apply to all insurance inquiries-whether for underwriting or first- or third-party claims. The prohibition would be enforceable by the Federal Trade Commission (FTC) against organizations that collect information by means of pretext interviews. An organization would be able to defend itself against an FTC action on the basis that it had k, taken reasonable steps and instituted reasonable procedures to prevent such activity. The use of pretext interviews should be made a civil offense, punishable by fines and cease and desist orders.
REASONABLE CARE IN THE USE OF SUPPORT ORGANIZATIONS
The reported practices of Factual Service Bureau also raise a legitimate concern about the care with which insurance institutions select and use the services of support organizations. An institution should not be totally unaccountable for the activities of others who perform services for it. The Commission believes that an insurance institution should have an affirmative obligation to check into the modus operandi of any support organizations it uses or proposes to use; and that if an insurance institution does not use reasonable care in selecting or using such organizations, it should not be wholly absolved of responsibility for their actions. Moreover, a like obligation should obtain where one support organization uses the services of another.
Currently, the responsibility of an insurance institution for the acts of a support organization depends upon the degree of control the insurance institution exercises over the support organization. Most insurance-support organizations are independent contractors who traditionally reserve the authority to determine and assure compliance with the terms of their contract. Thus, under the laws of agency, an insurer may be absolved of any liability for the illegal acts of a support organization if those acts are not required by the terms of the contract 95 In the Commission's opinion, the Factual Service Bureau case illustrates why this is not desirable. Accordingly, to deal with the responsibility of the institution that uses others to gather information about individuals for its own use, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide that each insurance institution and insurance-support organization must exercise reasonable care in the selection and use of insurance-support organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations comply with the Commission's recommendations.
If it could be shown that an insurance institution had hired or used a support organization with knowledge, either actual or constructive, that the organization was engaging in improper collection practices, such as pretext interviews, an individual or the Federal Trade Commission could initiate action against both the insurance institution and the support organization and hold them jointly liable for the support organization's actions.
THE REASONABLE PROCEDURES OBJECTIVE
As a general objective guiding the personal-data record-keeping practices of insurance institutions and their support organizations, the Commission recommends:
That each insurance institution and insurance-support organization, in order to maximize fairness in its decision-making processes, have reasonable procedures to assure the accuracy, completeness, and timeliness of information it collects, maintains, or discloses about an individual.
Subsection 3(e)(5) of the Privacy Act of 1974 requires each Federal agency to
collect, maintain, use and discloses 96 all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.
This provision is a requirement on management wholly independent of the rights the Act gives an individual. For a Federal agency whose administrative procedures are subject to congressional oversight, it s an appropriate requirement.97 The same, however, cannot be said of its applicability to the private sector.
As pointed out in Chapter 1, the Commission believes that the mix of rights and obligations its private-sector recommendations would establish are in themselves incentive enough to foster the kind of management attention to personal data record-keeping policy and practice that subsection 3(e)(5) of the Privacy Act requires. Thus, the Commission does not recommend that Recommendation (4) be incorporated in statute or regulation. Rather it envisages Recommendation (4) being implemented automatically as a consequence of the adoption of the other recommendations in this section, particularly Recommendations (10), (11), (12), (13), and (16), on access, correction, adverse decisions, disclosure of information from proper medical sources, and Recommendations (5), (6), and (17), on notice and disclosure.
The adoption of these recommendations will promote the maintenance of reasonable procedures by insurance institutions to assure the accuracy, completeness, and timeliness of information and provide a means whereby information collected, maintained, or disclosed may be corrected or updated by the individual.
FAIRNESS IN COLLECTION
NOTICE REGARDING COLLECTION FROM THIRD PARTIES
As indicated in the discussion of Recommendation (1), the Commission believes that the type of governmental mechanism called for should be used mainly in instances where the forces of the marketplace are not strong enough to induce the elimination of objectionable items from the insurer's scope of inquiry-for example, items that are demonstrably relevant but nonetheless objectionable on the grounds of propriety. To make market forces work to the advantage of the insurance purchaser, however, he must know the type of information that may be developed and considered in the decision-making process for an insurance transaction. Otherwise, he has no way of judging whether to take his business elsewhere. The application form itself serves to apprise the individual of some of the information that will be gathered about him, but as previously pointed out, the application normally gives at best only faint clues as to the type of inquiry that may be made of sources other than the individual himself.
Thus, to minimize the need for public-policy determinations as to the propriety of an insurer's inquiries about an individual, as well as inform the individual of the disclosures that must be made in order to obtain a favorable decision on his insurance application, the Commission recommends:
That an insurance institution, prior to collecting information about an applicant or principal insured from another person in connection with an insurance transaction, notify him as to:
(a) the types of information expected to be collected about him from third parties and that are not collected on the application, and, as to information regarding character, general reputation, and mode of living, each area of inquiry;
(b) the techniques that may be used to collect such types of information;
(c) the types of sources that are expected to be asked to provide each type of information about him;
(d) the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed;
(e) the procedures established by statute by which the individual may gain access to any resulting record about himself;
(f) the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself;
(g) the fact that information in any report prepared by a consumer-reporting agency (as defined by the Fair Credit Reporting Act) may be retained by that organization and subsequently disclosed by it to others.
Recommendation (5) would not apply to information collected for first- or third-party claims or for marketing purposes where the information is collected prior to the initial application. in all other cases, however, it would provide the individual with information about the scope of inquiry to which he is agreeing: the manner in which the inquiry will be conducted (e.g.,through interviews of neighbors and associates) and the disclosures other institutions may possibly make in response to an inquiry from the insurer or an insurance-support organization. Most importantly, it would apprise the individual of the types of uses that may later be made of information without his authorization-for example, of medical-record information acquired by the insurer, or of "adverse information" acquired and retained by an investigative-reporting agency-while at the same time anticipating his need or desire to see and copy, or correct, information developed in the course of the inquiry. Thus, the recommendation would provide the individual with a detailed map of the information flows attendant upon the relationship he proposes to establish with the insurer.
It should be noted, moreover, that the subsection (a) requirement to notify as to "each area of inquiry" when information regarding character, general reputation, and mode of living is to be collected from a third party anticipates a level of specificity finer than currently considered acceptable under the Fair Credit Reporting Act. Furthermore, while the recommendation does not apply to information collected in connection with first- or third-party claims or for marketing purposes prior to the time the individual submits his application, the subsection (d) requirement to notify the individual of those parties to whom the information may be disclosed without his authorization would include notice of the fact that information on first-party property and liability claimants is sometimes disclosed to the loss indexes and the Insurance Crime Prevention Institute.
While unanimously agreeing that the type of notice called for in Recommendation (5) is necessary to solve the problems it addresses, the Commission was concerned about its practicality. One insurer, however, drafted an example which showed that the requirements of Recommendation (5) could be met by a notice that is neither unreasonably lengthy nor unreasonably complex.
As to implementation, while the Fair Credit Reporting Act governs notice requirements to some extent, Insurance Commissioners can also independently monitor industry compliance through their hearing authority under unfair trade practices laws as well as their authority to approve certain application forms. Finally, Recommendation (5) may be self-enforcing because Recommendations (11) and (12), it' adopted, will give the individual a right to have information beyond the scope of the notice given him deleted from any resulting underwriting or support-organization record about him.
NOTICE AS THE COLLECTION LIMITATION
The notice given pursuant to Recommendation (5) will be useless if the insurer's inquiry goes beyond what the notice anticipates. Furthermore, as indicated in the discussion of Recommendation (3) on reasonable care in the selection of support organizations, one of the problems with the insurance relationship is the degree to which it is attenuated by the insurer's frequent reliance on independent contractors in gathering information about individuals.
Thus, to assure that there will be consistency between the scope, techniques, and sources described in the Recommendation (5) notice and the actual inquiry that takes place, the Commission recommends:
That an insurance institution limit:
(a) its own information collection and disclosure practices to those specified in the notice called for in Recommendation (5); and
(b) its request to any organization it asks to collect information on its behalf to information, techniques, and sources specified in the notice called for in Recommendation (5).
Like the notice recommendation itself, this recommendation does not apply to information collected in connection with first- or third-party claims or for marketing purposes where the information is collected prior to the initial application. Compliance with Recommendation (6) could be verified through the correction procedures called for in Recommendations (11) and (12) as well as Insurance Department examinations. If an individual finds that the insurer has information beyond that specified in the notice, the individual should be able to have it deleted from his record.
INFORMATION FOR MARKETING AND RESEARCH
Subsection 3(e)(3) of the Privacy Act of 1974 requires agencies to advise individuals whether the divulgence of particular items of information is mandatory or voluntary and the consequences of refusing to divulge them. The mandatory and voluntary concepts, however, have little meaning in the private sector, inasmuch as an individual's divulgences are all "voluntary" and an insurance institution can make "mandatory" anything it wishes. As a practical matter, an individual may have little choice but to comply with whatever requests for information are made of him. An example of the trepidation this can cause will be found in the discussion of the Blue Cross-Blue Shield psychiatric claims form in Chapter 7, on the medical-care relationship. Since this is so, insurance institutions should at least indicate on their application forms any requested information which is unnecessary for insurance coverage determination purposes but which is sought for marketing, research, or other purposes. Otherwise individuals will have no way of knowing whether such inquiries are necessary, and thus whether they should bring pressure on the insurer to make the inquiries truly voluntary. Accordingly, the Commission recommends:
That any insurance institution or insurance-support organization clearly specify to an individual those items of inquiry desired for marketing, research, or other purposes not directly related to establishing the individual's eligibility for an insurance benefit or service being sought and which may be used for such purposes in individually identifiable form.
This recommendation, which would not apply to third-party claim transactions, should be voluntarily complied with by insurers and support organizations. While the determination of what is required to establish eligibility is left to the individual company and will undoubtedly vary to some degree, fairness to the individual requires that he be apprised of those items of information desired, but not required by the company to determine acceptability or price.
The authorization forms used by the insurance industry determine what information insurance institutions and their support organizations can obtain from those with whom an individual has a confidential relationship. Many authorization forms now in use are so broad as to constitute an invitation to abuse. Many do not indicate that they will be used by investigative-reporting agency representatives to develop inspection reports or acquire medical-record information to be transmitted to the insurer. Many do not indicate that they will be used to get credit reports, or information from banks and other organizations.
Although today, banks, employers, and some other types of record-keeping organizations may be willing to disclose certain information about an individual without his authorization, the Commission's recommendations with respect to those types of organizations would make obtaining the individual's prior authorization necessary. When that happens, as well as in those situations where record keepers have confidential relationships with individuals today, such as in the medical-care relationship, the record keeper on whom the duty of confidentiality rests will be the final arbiter of what constitutes a valid authorization. As a practical matter, however, such a record keeper may be hard-pressed to refuse to honor a broadly worded authorization if the result is grave inconvenience to the individual or refusal to reimburse the record keeper for services already rendered to the individual. Thus, to set the standards whereby those who have a duty of confidentiality to an individual may properly be asked to disclose information about him to others, the Commission recommends:
That no insurance institution or insurance-support organization ask, require, or otherwise induce an individual, or someone authorized to act on his behalf, to sign any statement authorizing any individual or institution to disclose information about him, or about any other individual, unless the statementis:
(a) in plain language;
(c) specific as to the individuals and institutions he is authorizing to disclose information about him who are known at the time the authorization is signed, and general as to others whose specific identity is not known at the time the authorization is signed;
(d) specific as to the nature of the information he is authorizing to be disclosed;
(e) specific as to the individuals or institutions to whom he is authorizing information to be disclosed;
(f) specific as to the purpose(s) for which the information may be used by any of the parties named in (e), both at the time of the disclosure and at any time in the future;
(g) specific as to its expiration date which should be for a reasonable period of time not to exceed one year, and in the case of life insurance or noncancelable or guaranteed renewable health insurance, two years after the date of the policy.
The requirements of Recommendation (8) are not as severe as they may seem. Life and health insurance institutions regularly obtain authorizations as a part of their applications. Because of the individual's need for insurance, he exercises little bargaining power over the terms of the authorization. If a claim is involved, the authorization is obtained as a condition to considering the claim. It does the claimant little good to refuse to sign the authorization, for then he must go through the burden of suing the insurer, and even then much of the information will be available during discovery. Because insurers can basically dictate the terms of the authorization, the Commission concluded that the terms of the authorization needed to be specified so that the individual would know what he was agreeing to have disclosed, and so that those who held information of a confidential nature would know that they had received a valid authorization from the individual to release information to others.
Subsection (f) is especially important because it provides the individual with a description of the uses that may subsequently be made of information obtained about him pursuant to authorization. One particular example is that an individual would have to be told that information obtained from a medical-care provider in connection with underwriting may later be used for claim purposes.
Subsection (c) requires the authorization to be as specific as possible. It must specifically name those individuals and organizations authorized to release information about him who are known at the time the authorization is obtained. But if, for instance, an insurer subsequently learns of an attending physician whom the individual has not revealed, then the more general language of the authorization can be used with regard to that physician. Returning to the individual every time an insurer learned of a new source would be expensive and, in some cases, distressing to the individual, since it could delay processing of his application. Moreover, the subsequently identified source, a physician, for example, would still only be asked to disclose information of the sort described pursuant to subsection (d) and for the purpose specified pursuant to subsection (f). In addition, the individual would ultimately be able to identify every record-keeper contact by exercising the access rights Commission Recommendations (10) and (13), below, would give him.
Subsection (g) limits the validity of the authorization to a reasonable period of time not to exceed one year. The only exceptions to this are for life insurance and noncancelable or guaranteed renewable health insurance where an authorization signed in connection with an application would be valid for two years from the date of the policy. Those types of policies, it will be remembered, are contestable for two years after they are issued and during that period an insurer needs to be able to protect itself from fraud or misrepresentation at the time of application.
Recommendation (8) would be implemented through the refusal of a holder of confidential information to release it unless presented with a valid authorization. It has also been suggested to the Commission that the National Association of Insurance Commissioners or the Commission on Uniform State laws might well develop standard authorization forms to achieve and facilitate the desired uniformity. Further, it should be noted that the necessary generality permitted by parts of Recommendation (8) need not apply to an insurance institution that obtains an authorization from an applicant, insured, or claimant permitting it to release confidential information to others. In that case, the authorization form can and should be specific as to what information, to whom, and for what purpose.
As a general policy, the Commission believes that record-keeping institutions should strive as much as possible to collect information about an individual from the individual himself, rather than rely primarily on third-party sources. Furthermore, where an investigative report is being prepared, such a practice should not just be encouraged; it should be required if the individual so wishes.
Although inaccuracies in investigative reports prepared by inspection bureaus were a major stimulus to enactment of the Fair Credit Reporting Act, it has not been possible to determine whether the Act has substantially reduced the error rate. The major purposes of an investigative report are to: (1) verify information supplied by the applicant or his agent; and (2) develop information about the applicant's character, general reputation, and mode of living-lines of inquiry which must perforce involve a certain amount of subjective evaluation. Moreover, as Chapter 8 points out, it has been alleged that some reports get prepared without the investigator ever contacting anyone at all. Whatever the merits of that controversy, requiring an interview with the subject of a report as an affirmative requirement will help to resolve it and, if industry spokesmen are correct about the usefulness of interviews with report subjects, such interviews will improve the quality of the information inspection bureaus transmit to their insurer clients.
Thus, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide that any insurance institution that may obtain an investigative report on an applicant or insured inform him that he may, upon request, be interviewed in connection with the preparation of the investigative report. The insurance institution and investigative agency must institute reasonable procedures to assure that such interviews are performed if requested. When an individual requests an interview and cannot reasonably be contacted, the obligation of the institution preparing the investigative report can be discharged by mailing a copy of the report, when prepared, to the individual.
This recommendation would not apply to any investigative report about an individual made in reasonable anticipation of civil or criminal action, or for use in defense or settlement of an insurance claim. Nor would it require an interview in every instance, since the individual would have to request it and presumably would make himself available for the interview. Not all individuals will seek such an opportunity. When an individual requests an interview and cannot be contacted using reasonable procedures, the requirement for an interview can be discharged by mailing a copy of the report to him.
The Commission considered having the interview occur just prior to sending the report off to the insurer, on the theory that the individual would then be in a position to review the information which had been gathered and, if necessary, to correct, amend, or dispute it. However, the Commission concluded that the difficulties involved in making a personal contact at a specific time could work to the disadvantage of the individual anxious to get his insurance application processed. Furthermore, the report is often not prepared until the investigator returns to his office. An alternative, also considered and rejected, would have required that a copy of the report be sent to the individual at the same time it is sent to the insurer. This was rejected because of the cost involved (a copy of every report prepared would have to be sent, regardless of whether the report resulted in an adverse decision) and because the adoption of Recommendations (10) and (13), below, would make the report available to the individual on a see and copy basis from either the insurer or the investigative-reporting agency.
In incorporating this requirement into the Fair Credit Reporting Act, it should be made clear that the interview requirement applies to underwriting investigations undertaken by insurers themselves as well as by inspection bureaus.
FAIRNESS IN USE
ACCESS TO RECORDS
Access to records, as a general concept of fair record-keeping practice, should be extended to insurance records. Allowing an individual to see and copy a record kept about him can be advantageous to the insurance institution as well as to the individual. As suggested earlier, the records an insurance institution maintains about individuals are numerous and can serve a variety of functions. Except for medical records (information from which insurers also maintain), an insurance institution's records may contain information on more dimensions of an individual's life than almost any other type of record the Commission has examined. Moreover, several of the Commission's other recommendations depend on the individual being able to have access to insurance records about himself at times other than when an adverse underwriting decision has been made about him. For example, the notice requirement proposed in Recommendation (5), and the limitation on collection practices in Recommendation (6), depend on the individual being able to find out what information has been collected about him. And, as in other areas, the authorization statement an individual is asked to sign allowing an insurer to disclose information about him will be a meaningless piece of paper if he cannot learn what he has authorized to be disclosed.
Currently, an individual does not have a legal right to see or even learn the nature and substance of information maintained about him by an insurer, or by any insurance-support organization not subject to the Fair Credit Reporting Act. Moreover, the FCRA only requires an investigative-reporting agency to disclose to an individual the "nature and substance" of information in a report it has prepared about him. [15 U.S.C. 1681g(a)(1)] The Medical Information Bureau voluntarily gives an individual access to the summary data it maintains on him, if he so requests, but the individual has no legal right of access to anything held by an insurer, and thus, may not be able to figure out why the MIB record says what it does, or get the insurer that caused the MIB record to be created to correct errors in it.
To overcome these deficiencies, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide:
(a) That, upon request by an individual, an insurance institution or insurance-support organization must:
(i) inform the individual, after verifying his identity, whether it has any recorded information pertaining to him; and
(ii) permit the individual to see and copy any such recorded information, either in person or by mail; or
(iii) apprise the individual of the nature and substance of any such recorded information by telephone; and
(iv) permit the individual to use one or the other of the methods of access provided in (a)(ii) and (iii), or both if he prefers.
The insurance institution or insurance-support organization may charge a reasonable copying fee for any copies provided to the individual. Any such recorded information should be made available to the individual, but need not contain the name or other identifying particulars of any source (other than an institutional source) of information in the record who has provided such information on the condition that his identity not be revealed, and need not reveal a confidential numerical code.
(b) That notwithstanding part (a), with respect to medical-record information maintained by an insurance institution or an insurance-support organization, an individual has a right of access to that information, either directly or through a licensed medical professional designated by the individual, whichever the insurance institution or support organization prefers.
As far as insurance institutions are concerned, it is the Commission's intention that this right of access be to any reasonably described information about the individual. In the case of an applicant, for example, commonly used identifiers such as name and address, coverage requested, and possibly date of application, ought to be enough to identify the record requested. The fact that information on one individual is contained in a record on another would not preclude the first from being able to see and copy it so long as he can provide the requisite identifier. Also, an individual should be able to see and copy information about other people in a record pertaining to himself Wit is pertinent to his relationship with the insurer. For example, a husband who has art automobile policy that insures both him and his wife should be able to review his entire file, including any information in it about his wife. Conversely, as an insured, the wife should be able to see anything in the file on either herself or her husband.
The proposed right of access would extend to all records about an individual that are reasonably retrievable. Thus, it would include all information in a credit or investigative report, except that the identity of a non-institutional source (for instance, a neighbor or associate) need not be revealed where such a source provided information on the condition that his identity not be revealed. The individual, however, would have full access to all information such a source provided.
This, it will be noted, is a major departure from current practice wherein an insurer is customarily constrained from disclosing the contents of an investigative report to the individual by provisions in its contract with the inspection bureau. In the future, if the Commission's recommendations are adopted, such contractual constraints will not be possible. Moreover, neither the insurer nor the inspection bureau will be able to withhold the identity of any institutional sources.
The proposed right of access would also extend to medical-record information held by an insurer or insurance-support organization, although either organization would have the option of disclosing information to the individual through a licensed medical professional designated by the individual. The medical professional would be obligated to allow the individual to see and copy it upon request by the individual.
Finally, to make his access right convenient to exercise, the recommendation would allow an individual or a licensed medical professional designated by him pursuant to subsection (b). to see and copy records in person or by mail, or to have their nature and substance disclosed by telephone. This, too, is a departure from current practice inasmuch as the recommendation applies to support organizations as well as insurers, and the Fair Credit Reporting Act does not currently require an inspection bureau to provide the individual with a copy of an investigative report.
It should be noted that this recommendation would not apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled the recommendation would not apply to any record compiled in relation to a third-party claimant (i.e., a claimant who is not a principal insured or policy owner) except as to any portion of such a record which is disseminated or used for a purpose unrelated to processing the claim. The exception for records compiled in reasonable anticipation of civil or criminal litigation would apply regardless of whether the insurance institution or support organization envisions being a plaintiff or defendant (in a civil action) or a complainant in a criminal proceeding. For example, an insurance institution or support organization may be compiling information to prove arson on the part of a first-party claimant. The insurer may have already paid the claim but is considering prosecution. When such an action is no longer reasonably contemplated, the first-party claimant's access right would be established.
When information is compiled in connection with the settlement of a first-party claim, and negotiations are in progress or contemplated, allowing access prior to settlement would unbalance the existing legal rights of both parties. However, once the first-party claim has been settled, the Commission believes that there is no sound justification for continuing to deny access.
The Commission does see the need to distinguish between first- and third-party claimants. Recommendation (10) creates a very limited right of access for a third-party claimant. Whereas the first-party claimant has a contractual relationship with the insurer, the third-party claimant, by definition, occupies an adversary role and has not entered into a relationship with the insurer. Only where information compiled in the course of a third-party settlement is used for a purpose other than settling the claim should the claimant be allowed access to such information. The principle involved is that non-claim decisions should not be made about an individual on the basis of records whose contents he cannot know. However, where the individual claimant is in an adversary negotiation with the record keeper, and existing law creates certain rights of access in the course of litigation, an exception to the general right of access recommended by the Commission can be justified. Information can be given to loss indexes and others solely for claim purposes without violating this exception to access by the individual.
Since Recommendation (10) would be implemented by amending the Fair Credit Reporting Act, an individual would be able to compel production of a record by an insurance institution or support organization through litigation brought in Federal court or another appropriate court. The right would be similar to the one given a citizen by the Federal Freedom of Information Act. The plaintiff would have to prove that he requested and was denied reasonably described records about himself in the possession of the insurance institution or support organization, and the burden would be on the institution or support organization to present any reason why the statute would not be applicable. Courts would have the power to order the insurance institution or support organization to disclose the particular record or records sought and to award reasonable attorney's fees and other litigation costs to any plaintiff who substantially prevailed.
Systematic denials of access by an insurance institution or support organization could be subject to Federal Trade Commission enforcement, in which the remedy would be an order directing the institution or support organization to produce records upon request by individuals. Once the Federal Trade Commission issued such an order, the insurance institution or support organization would then be subject to the usual enforcement mechanisms available to the FTC to secure compliance with its orders.
An alternative to this approach, in the case of insurance institutions, is to encourage the States to enact amendments to the unfair trade practices sections of their insurance laws to give State Insurance Commissioners the authority to enforce the requirements of this recommendation, and of the correction and adverse decision rights that Recommendations (11) and (13) would create. If a State failed to enact such legislation, the Federal Trade Commission would then be able to exercise its enforcement proceedings, using its normal enforcement mechanism with respect to systematic failures in that particular State.
An individual would have no right to money damages based solely upon a denial of his access right under Recommendation (10). The burden would be on the individual to reasonably describe the document sought and the insurance institution or support organization could defend on the basis that it cannot reasonably locate or identify the records sought by the plaintiff. For example, the individual could sue for any document developed as the result of an application for insurance if the individual could identify the date and nature of the application. If, however, an individual requested any information that relates to him in a file, but could not, with some specificity, identify the circumstances pursuant to which such a file would have been developed, the insurance institution would not be under an affirmative obligation to search manually through each and every document to locate a possible passing reference to the individual.
The Fair Credit Reporting Act currently creates the following limitation of liability protection:
Except as provided in Sections 1681n and 1681o of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to 1681h or 1681m of this title, except as to false information furnished with malice or willful intent to injure such customer. [15 U.S.C.1681 h(e)]
The Commission believes that this type of protection should be extended to insurance institutions and support organizations in connection with recorded information furnished pursuant to either Recommendation (10) or Recommendation (13) concerning adverse underwriting decisions. In addition, because insurers, unlike their support organizations, make decisions about individuals, the Commission believes that they should not be liable to suit for retroactive coverage where an adverse underwriting decision is made on the basis of information which proves to be incorrect. Thus, an insurance institution or support organization should have no liability, including liability for defamation, invasion of privacy or negligence, with respect to information which had been disclosed to an individual, regardless of whether or not that information was created or furnished by the insurance institution or insurance-support organization, unless false information was furnished to third parties with malice or willful intent to injure the individual.
CORRECTION OF RECORDS
Giving an individual the right to see and copy a record created for the purpose of making a decision about him is of little value if it is not accompanied by a right to get erroneous information in the record corrected. Both the Privacy Act and the Fair Credit Reporting Act establish procedures whereby an individual can correct, amend, or dispute inaccurate, obsolete, or incomplete information in a record about himself. The insurance business stands to gain, moreover, from improving the quality of information about individuals available to it. When an individual s denied insurance on the basis of an inaccurate record about himself, the insurer also suffers through the loss of premium income. Finally, given the observed need to strengthen and balance the respective roles of insurer and individual within the context of the insurance relationship, and given the fact that there is information interchange among insurers (particularly as facilitated by inspection bureaus, the Medical Information Bureau, and the loss indexes), it is unrealistic to expect the individual to chase an error through every insurance-related record-keeping organization to which it may have been transmitted. The insurer, the primary record keeper, must assume its fair share of responsibility for that task.
Accordingly, to make the individual's right of access to an insurance record worthwhile, and to improve the quality of recorded information available to underwriters and others who make decisions about applicants and insureds, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide that each insurance institution and insurance-support organization permit an individual to request correction, amendment, or deletion of a record pertaining to him; and
(a) within a reasonable period of time:
(i) correct or amend (including supplement) any portion thereof which the individual reasonably believes is not accurate, timely, or complete; and
(ii) delete any portion thereof which is not within the scope of information the individual was originally told would be collected about him; and
(b) furnish the correction, amendment, or fact of deletion to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to any insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has systematically received any such information from the insurance institution within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the correction, amendment, or fact of deletion is not required; and automatically to any insurance support organization that furnished the information corrected, amended, or deleted; or
(c) inform the individual of its refusal to correct or amend the record in accordance with his request and of the reason(s) for the refusal; and
(i) permit an individual who disagrees with the refusal to correct or amend the record to have placed on or with the record a concise statement setting forth the reasons for his disagreement; and
(ii) in any subsequent disclosure outside the insurance institution or support organization containing information about which the individual has filed a statement of dispute, clearly note any portion of the record which is disputed, and provide a copy of the statement along with the information being disclosed; and
(iii) furnish the statement of dispute to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to an insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has received any such information from the insurance institution within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the statement is not required; and, automatically, to any insurance-support organization that furnished the disputed information;
(d) limit its reinvestigation of disputed information to those record items in dispute.
That notwithstanding Recommendation (11)(a)(i), if an individual who is the subject of medical-record information maintained by an insurance institution or insurance-support organization requests correction or amendment of such information, the insurance institu-tion or insurance-support organization be required to:
(a) disclose to the individual, or to a medical professional designated by him, the identity of the medical-care provider who was the source of the medical-record information; and
(b) make the correction or amendment requested within a reasonable period of time, if the medical-care provider who was the source of the information agrees that it is inaccurate or incomplete; and
(c) establish a procedure whereby an individual who is the subject of medical-record information maintained by an insurance institution or insurance-support organization, and who believes that the information is incorrect or incomplete, would be provided an opportunity to present supplemental information of a limited nature for inclusion in the medical-record information maintained by the insurance institution or support organization, provided that the source of the supplemental information is also included.
Although Recommendations (11) and (12) appear complex, they contain only two key requirements:
- that an individual have a way of correcting, amending, deleting, or disputing information in a record about himself, regardless of whether the record is held by an insurance institution or by a support organization; and
- that the insurance institution or support organization to whom the request for correction, amendment, or deletion is made, shall have an obligation to propagate the correction, amendment, deletion, or statement of dispute in any subsequent disclosure it makes of the information to possible recipients within the previous two years whom the individual designates; and to any insurance-support organization which within the previous seven years has been a regular recipient of the type of information, or which was the source of the information.
Regular recipients would include support organizations such as the Medical Information Bureau, the Impairment Bureau, or the loss indexes. Sources would mainly be investigative-reporting agencies (inspection bureaus).
The obvious objective of the second set of requirements is to allow for a thorough cleansing of industry record systems when inaccurate information is discovered and, in the case of amended or corrected information, to provide measures of the completeness and validity of information used in making decisions about an individual, thereby reducing the number of adverse decisions made on the basis of inaccurate or incomplete information. Furthermore, Recommendations (11) and (12) also provide two important vehicles for enforcing compliance with Recommendations (5) and (6) on pre-notice and limits on collection practices.
The requirement to delete information that falls outside the boundaries set by the notice called for in Recommendation (5), not only from the insurer's records but also from the records of any support organization that has collected it, or to which it has been disclosed, not only gives the individual a means of holding the insurer to its declarations regarding the scope of the inquiry to be made about him, but also enhances the insurer's control over the record-keeping practices of its contractors. In addition, by closely wedding the scope of a support organization's inquiry on behalf of each of its clients to each client's specified needs, the net effect of this requirement should be to allow an insurer that spends money on refining its relevance criteria and information collection techniques to avoid subsidizing other insurers that have not done so. At the present time, the relationship between insurer and investigative-reporting agency, for example, is loose enough to allow the reporting agency to use an inquiry on behalf of one insurer to gather information that can be marketed to others. Today, apparently, this is not a serious problem, because there are broad similarities among the kinds of reports insurers order. If Recommendation (5) succeeds in making privacy protection policy an element in insurers' competition for customers, however, fairness demands that the more socially responsible insurers not have to subsidize the practices of their less conscientious competitors.
In addition, subsection (d) limits the reinvestigation of disputed information to the items in dispute. The purpose of this provision is to prevent the dispute mechanism from becoming an occasion for a wholly new intrusion merely because of the questioned accuracy of one item.
As to Recommendation (12), the rationale and explanation for it will be found in the discussion of Recommendation (8) in Chapter 7 on the medical-care relationship.
Like Recommendation (10), neither Recommendation (11) nor Recommendation (12) would apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled, moreover, these recommendations would not apply to any record compiled in relation to a claimant who is not an insured or policy owner, except as to any portion of such a record which is disseminated or used for a purpose unrelated to processing the claim. Nor are these recommendations intended to replace entirely the current Fair Credit Reporting Act reinvestigation and dispute requirements. Although Recommendation (11) would extend the current six-month limitation on an inspection bureau's obligation to propagate corrections, amendments, and disputes, it is not intended that this recommendation supplant existing Fair Credit Reporting Act requirements to reinvestigate and record the current status of information (unless the complaint is frivolous) or to delete information which can no longer be verified.
The Fair Credit Reporting Act should be amended to allow an individual to sue to force compliance with Recommendations (11) and (12) and be entitled to reasonable attorney's fees and other litigation costs if he substantially prevails. This would be the sole remedy in the event an insurance institution or support organization fails to comply with the requirements of Recommendations (11) and (12), except that an intentional or willful refusal to comply could result in up to $1,000 in damages. The alternatives for Federal Trade Commission or State regulatory enforcement when there are repeated violations have been discussed above in conjunction with Recommendation (10) on access and apply equally here.
ADVERSE UNDERWRITING DECISIONS
An underwriting decision cannot be fair if it is made on the basis of inaccurate information. Both the individual and the insurance institution have a common objective in this regard. Currently, however, an insurer that makes an adverse underwriting decision about an individual is not required, in most cases, to give any clues as to the information that supported it. If the information came from an investigative-reporting agency or a credit bureau, the insurer must identify the agency or bureau and furnish its address but nothing more. Furthermore, as explained earlier, being able to find out from a support organization the "nature and substance" of information it reported to the insurer is no guarantee that the individual will be able to relate what he learns to the decision that was made on the basis of it. The "nature and substance" of an investigative report may sound harmless to a rejected applicant. How is he to know that something in it, if explained in greater detail, might have caused the adverse decision to come out the other way? Or if something in the report is inaccurate, how is he to know whether it was that particular item that caused the adverse decision and thus the one that needs to be followed up?
Because the investigative-reporting agency's sources (including institutional sources) need not be disclosed to the individual, he also has no way of knowing to which sources he should go to get an inaccuracy corrected in a manner which will persuade the insurance institution that information the support organization reported was erroneous. Nor is the insurer under any obligation to disclose its own independent sources, such as the Medical Information Bureau, or the Impairment Bureau, or a source identified through the Medical Information Bureau. Finally, if the individual is venturesome enough to try to get inaccurate information corrected, he is expected to make the decision to do so without necessarily knowing what his rights are under the Fair Credit Reporting Act.
Thus, in order to bring insurance practices in line with current or recommended practice in other areas the Commission has examined, the Commission recommends:
That the Federal Fair Credit Reporting Act be amended to provide that an insurance institution must:
(a) disclose in writing to an individual who is the subject of an adverse underwriting decision:
(i) the specific reason(s) for the adverse decision;
(ii) the specific item(s) of information that support(s) the reason(s) given pursuant to (a)(i), except that medical record information may be disclosed either directly or through a licensed medical professional designated by the individual, whichever the insurance institution prefers;
(iii) the name(s) and address(es) of the institutional source(s) of the item(s) given pursuant to (a)(ii); and
(iv) the individual's right to see and copy, upon request, all recorded information concerning the individual used to make the adverse decision, to the extent recorded information exists;
(b) permit the individual to see and copy, upon request, all recorded information pertaining to him used to make the adverse decision, to the extent recorded information exists, except that (i) such information need not contain the name or other identifying particulars of any source (other than an institutional source) who has provided such information on the condition that his or her identity not be revealed, and (ii) an individual may be permitted to see and copy medical-record information either directly or through a licensed medical professional designated by the individual, whichever the insurance institution prefers. The insurance institution should be allowed to charge a reasonable copying fee for any copies provided to the individual;
(c) inform the individual of:
(i) the procedures whereby he can correct, amend, delete, or file a statement of dispute with respect to any information disclosed pursuant to (a) and (b); and
(ii) the individual's rights provided by the Fair Credit Reporting Act, when the decision is based in whole or in part on information obtained from a consumer-reporting agency (as defined by the Fair Credit Reporting Act);
(d) establish reasonable procedures to assure the implementation of the above.
Recommendation (13) is similar to the recommendation regarding adverse credit decisions in Chapter 2. It is, however, even more of a departure from current practice in that insurers generally have not had to disclose the specific reasons for their adverse underwriting decisions. On the other hand, Recommendation (13) differs from its counterpart in the credit area in that, like Recommendation (10), above, it takes account of the fact that not all sources of information used to make an insurance decision about an individual are institutional ones and further, that some adverse insurance decisions may be made on the basis of medical-record information. It is linked to Recommendations (11) and (12) through subsection (c), which requires that the insurer apprise the individual of its own correction, amendment, deletion, and dispute procedures, and to Recommendation (4) in requiring that the insurer establish reasonable implementation procedures.
It should be noted that Recommendation (13) applies only to adverse underwriting decisions, which the Commission has defined as follows:
- With respect to life and health insurance, a denial of requested insurance coverage (except claims) in whole or in part or an offer to insure at other than standard rates; and with respect to all other kinds of insurance, a denial of requested insurance coverage (except claims) in whole or in part, or a rating which is based on information which differs from that which the individual furnished; or
- a refusal to renew insurance coverage in whole or in part; or
- a cancellation of any insurance coverage in whole or in part.
Since Recommendation (13) would be implemented by amending the Fair Credit Reporting Act, an individual would be able to obtain a court order from a Federal court or other court of competent jurisdiction to force an insurance institution to perform any one of the duties called for if he could prove that the insurance institution had failed to do so. This would include incomplete disclosure of the specific reasons and underlying information. The court would have the power to order the insurance institution to comply and to award attorney's fees to any plaintiff who substantially prevailed. Such an action would be the individual's sole remedy, except that the court should also have the power to award up to $1,000 to the plaintiff if it is shown that the institution intentionally or willfully denied the individual any of the rights Recommendation (13) would give him.
As noted in the discussion of Recommendation (10), the Commission believes that a limitation of liability similar to that now provided by the Fair Credit Reporting Act should be extended to insurance institutions as well as insurance-support organizations. The implementation of Recommendation (10) would create no liability on the part of an insurance institution or support organization, including liability for negligence, defamation or invasion of privacy, unless the institution or support organization acted with malice or willful intent to harm the individual.
Like Recommendations (10), (11), and (12), Recommendation (13) depends primarily for its enforcement upon the individual's assertion of his rights. As noted above, however, the Commission proposes two alternate means of government enforcement where an insurance institution repeatedly or systematically denies the rights granted by Recommendations (10), (11), (12), and (13). One alternative is that the Federal Trade Commission would have the authority to bring enforcement proceedings, using its normal enforcement mechanisms. The other would be for the States to be encouraged to enact amendments to the unfair trade practices sections of their insurance laws which would give State Insurance Commissioners the authority to enforce the requirements of these four recommendations. Should a State enact such legislation, the Federal Trade Commission would then be precluded from exercising its enforcement proceedings with respect to systematic failures in that particular State.
DECISIONS BASED ON PREVIOUS ADVERSE DECISIONS
In the following chapter, on record keeping in the employer-employee relationship, there are several examples of the harm that can result when actions taken against an individual by one record-keeping organization become the basis for decision making by another. The problem, however, is a general one and stems from the tendency of record-keeping organizations to make unwarranted assumptions about the validity and currency of information generated by other record-keeping organizations. Questions are seldom asked about how recorded information came to be and the caveats knowledge of those processes should evoke.
As explained earlier, insurers often ask an applicant whether any other insurer has ever declined him, refused to renew a policy, or insured him at other than standard rates. While life insurers seem to use this information as a guide to finding out more about an applicant, automobile insurers often decline applicants solely on the basis of an affirmative response to the question. In the Commission's opinion, this is grossly unfair. The bare fact of an adverse underwriting decision is an incomplete item of information; the reason for the decision is the important item and it is missing. Indeed, using the mere fact of a previous adverse decision as the basis for rejecting an insurance applicant is one of the clearest examples the Commission found of information itself being the cause of unfairness in a decision made on the basis of it. Thus, the Commission recommends:
That no insurance institution or insurance-support organization:
(a) make inquiry as to:
(i) any previous adverse underwriting decision on an individual, or
(ii) whether an individual has obtained insurance through the substandard (residual) insurance market, unless the inquiry requests the reasons for such treatment; or
(b) make any adverse underwriting decision based, in whole or in part, on the mere fact of:
(i) a previous adverse underwriting decision, or
(ii) an individual having obtained insurance through the substandard (residual) market.
An insurance institution may, however, base an adverse underwriting decision on further information obtained from the source, including other insurance institutions.
It will be remembered that in the explanation of Recommendation (1), it was noted that when the fairness, as opposed to the propriety, of an item of information is at issue, one might both prohibit its use and require its collection. In Recommendation (14), however, the Commission proposes that an insurer both cease to inquire and cease to use, the reason being that compliance will be principally monitored through the individual's exercise of his rights pursuant to Recommendation (13) on adverse underwriting decisions. State Insurance Commissioners should use their unfair trade practices authority, and their authority to review certain application forms to assure that adverse insurance decisions are no longer based on the mere fact of a previous adverse decision. They should also require that insurers collect information about prior declinations only when the reasons for the declination are also collected. The Commission hopes, however, that once the previous adverse decision problem is well enough and widely enough understood, voluntary measures, facilitated by exercise of the statutory rights proposed in Recommendation (13), will assure universal compliance.
UNDERWRITING DECISIONS BASED ON INFORMATION FROM INDUSTRY DATA EXCHANGES
The Commission found that in life and health underwriting, there is less than perfect adherence to the industry's own rules regarding the use of information obtained from the Medical Information Bureau. According to MIB rules, no adverse underwriting decision is ever supposed to be ma'':, solely on the basis of an MIB "flag," but the record clearly indicates that efforts to achieve this have been weak and superficial.98
The problem here, of course, is the same one Recommendation (9) addresses, except for the fact that in this case the items of information in question are being obtained from an industry data exchange rather than from the individual himself, thereby multiplying by two the points at which errors could be made. Either the insurer that reports an item to the exchange, or the exchange in reporting it to still another company, could report it incorrectly. Because the item is only a flag, moreover, it is by its very nature without context; that is, it is an incomplete item of information. Accordingly, the Commission recommends:
That no insurance institution base an adverse underwriting decision, in whole or in part, on information about an individual it obtains from an insurance-support organization whose primary source of information is insurance institutions or insurance-support organizations; however, the insurance institution may base an adverse underwriting decision on further information obtained from the original source, including another insurance institution.
This recommendation would apply to the Medical Information Bureau and the Impairment Bureau, but not to the loss indexes, since they do not supply information for use in underwriting decisions. In addition, the recommendation refers only to information about a particular individual and, therefore, would not govern the use of information obtained, for example, from a rating organization.
As with Recommendation (14), voluntary compliance with this recommendation will be facilitated by exercise of the statutory rights proposed in Recommendation (13), and also by any action taken by State Insurance Commissioners pursuant to their unfair trade practices authority referred to in the discussion of Recommendation (14).
FAIRNESS IN DISCLOSURE
DISCLOSURES TO INDUSTRY DATA EXCHANGES
Life insurance companies have had a longstanding practice of reporting to the Medical Information Bureau or the Impairment Bureau information about an individual's health, which they have obtained from sources other than a licensed medical-care provider, or the individual to whom the information pertains. The same has been true of property and liability reporting on claimants to the loss indexes. In the case of the MIB and the Impairment Bureau, agents' reports and reports compiled by inspection bureaus, in part on the basis of interviews with neighbors and associates, have been a major source of such information. In the Medical Information Bureau this material was coded as "medical information" that because of source does not meet the requirements of the Fair Credit Reporting Act, and "medical information received from a consumer report, not confirmed by the proposed insured or a medical facility."99
As discussed earlier, this is an area in which the MIB Executive Committee took action following the Commission's hearings on the record-keeping practices of insurance institutions and insurance-support organizations. The MIB's action, however, does not affect the existing flow of "health status information" into the Impairment Bureau and the loss indexes. Moreover, as indicated in its discussion of Recommendation (11), the Commission believes that the responsibility for the content of records maintained by industry data exchanges is properly placed on the reporting insurance institutions, since it is they who control the record-keeping policies of the data exchanges.
The chief problem with health status information is its unreliability. It is bad enough to be labeled as a pariah by those society considers qualified to do so, but it violates all canons of fairness to allow such labels to be attached by anyone, regardless of his qualifications. Accordingly, the Commission recommends:
That Federal law be enacted to provide that no insurance institution or insurance-support organization may disclose to another insurance institution or insurance-support organization information pertaining to an individual's medical history, diagnosis, condition, treatment, or evaluation, even with the explicit authorization of the individual, unless the information was obtained directly from a medical-care provider, the individual himself, his parent, spouse, or guardian.
This recommendation should be implemented in connection with Recommendation (17) concerning the confidential relationship between an individual and an insurance institution or support organization. It would become part of the duty of confidentiality owed to an individual by an insurer or support organization. Although support organizations like the loss indexes have little practical control over the source of medical information sent to them, it is expected that insurance institutions, in order to protect their own interests in not disclosing medical information in violation of subsection (b)(iv) of Recommendation (17), will establish procedures to assure that only medical information obtained from a qualified source is communicated to a support organization or to another insurance institution.
Expectation of Confidentiality
The Commission's third policy objective is to establish and define the nature of the confidential relationship between an individual and the record-keeping institutions with which he can be said to have a relationship. A confidential relationship is one in which there is both an explicit limitation on the extent to which information generated by the relationship can be disclosed to others, and a prior mutual understanding by the parties involved as to what that limitation shall be.
Certain relationships (e.g., doctor-patient, attorney-client) have traditionally carried with them legally enforceable expectations of confidentiality, at least in particular types of circumstances.100These protections, moreover, have sprung from the breadth of inquiry and observation on which the success of the relationship depends. If one type of relationship requires more divulgence and probing than another, the latter, so the argument goes, should not be permitted to feed off the former at will. To allow that to happen is not only fundamentally unfair; it is also a violation of the ethics of the first relationship.
One sees this problem vividly today in the record-keeping dimensions of the doctor-patient relationship. It is present, however, in every area of personal-data record keeping where an individual must submit to the collection and recording of intimate details about himself in order to obtain some benefit or service. Furthermore, as the Commission argues in Chapter 9, if society is to solve the problems inherent in the compulsory disclosure of information about an individual from one record-keeping relationship to another, it must limit the circumstances in which voluntary disclosures are permitted at the discretion of the record keeper. Otherwise, there is no point in restricting the circumstances under which a government agency, for example, may compel a record keeper to produce information it holds in its records on an individual. To make such restrictions sensible, as well as to assure the individual a role in determining when and to what extent they will be suspended, one must first impose a duty of confidentiality on the holder of the records.
With these considerations in mind, the Commission has concluded that each insurance institution and insurance-support organization should owe a duty of confidentiality to the individual on whom it maintains records. The amount, diversity, and character of the information gathered to establish and facilitate the insurance relationship is such as to warrant establishing such a duty of confidentiality. The insurance relationship, moreover, is extraordinarily important to society. Like the credit, depository, and medical-care relationships considered in other chapters of this report, it is one that is increasingly difficult for an individual to avoid. Yet the relationship cannot be maintained successfully if it is perceived as being inherently unfair or as disregarding the legitimate interests of the individuals who enter into it.
Currently, insurance institutions and their support organizations voluntarily assume some ethical responsibility for the confidentiality of the information they maintain on individuals. However, they do not uniformly respect the individual's legitimate desire to limit the disclosures they make about him, nor are they able to defend the integrity of their record-keeping relationships with individuals against certain demands made on them by extraneous parties. Thus, to create and define obligations with respect to the uses and disclosures that may be made of records about individuals, legitimate patterns of information-sharing within the industry and threshold conditions for the disclosure of such records to outsiders must be established.
Accordingly, the Commission recommends:
That Federal law be enacted to provide that each insurance institution and insurance-support organization be considered to owe a duty of confidentiality to any individual about whom it collects or receives information in connection with an insurance transaction, and that therefore, no insurance institution or support organization should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosure would be:
(a) to a physician for the purpose of informing the individual of amedical problem of which the individual may not be aware;
(b) from an insurance institution to a reinsurer or co-insurer, or toan agent or contractor of the insurance institution, including a sales person, independent claims adjuster, or insurance investigator, or to an insurance-support organization whose sole source of information is insurance institutions, or to any other party-in-interest to the insurance transaction, provided:
(i) that only such information is disclosed as is necessary for such reinsurer, co-insurer, agent, contractor, insurance-support organization, or other party-in-interest to perform its function with regard to the individual or the insurance transaction;
(ii) that such reinsurer, co-insurer, agent, contractor, insur-ance-support organization or other party-in-interest is prohibited from redisclosing the information without the authorization of the individual except, in the case of insurance institutions and insurance-support organiza-tions, as otherwise provided in this recommendation; and
(iii) that the individual, if other than a third-party claimant, is notified at least initially concurrent with the application that such disclosure may be made and can find out if in fact it has been made; and
(iv) that in no instance shall information pertaining to an individual's medical history, diagnosis, condition, treat-ment, or evaluation be disclosed, even with the explicit authorization of the individual, unless the information was obtained directly from a medical-care provider, the individual himself, or his parent, spouse, or guardian;
(c) from an insurance-support organization whose sole source of information is insurance institutions or self-insurers to an insurance institution or self-insurer, provided:
(i) that the sole function of the insurance-support organization is the detection or prevention of insurance fraud in connection with claim settlements;
(ii) that, if disclosed to a self-insurer, the self-insurer assumes the same duty of confidentiality with regard to that information which is required of insurance institutions and insurance-support organizations; and
(iii) that any insurance institution or self-insurer that receives information from any such insurance-support organization is prohibited from using such information for other than claim purposes;
(d) to the insurance regulator of a State or its agent or contractor, for an insurance regulatory purpose statutorily authorized by the State;
(e) to a law enforcement authority:
(i) to protect the legal interest of the insurer, reinsurer, co-insurer, agent, contractor, or other party-in-interest to prevent and to prosecute the perpetration of fraud upon them; or
(ii) when the insurance institution or insurance-support organization has a reasonable belief of illegal activities on the part of the individual;
(f) pursuant to a Federal, State, or local compulsory reporting statute or regulation;
(g) in response to a lawfully issued administrative summons or judicial order, including a search warrant or subpoena.
In contrast to the corresponding recommendations with respect to credit grantors and depository institutions, wherein interpretative responsibilities would be assigned to existing regulatory authorities, the Commission recommends that the responsibility for enforcing the confidentiality duties of insurance institutions and support organizations be left exclusively to the aggrieved individual. The information flows in and out of the insurance industry, while extensive in some areas, appear less dynamic and thus less prone to change than those in, them credit area, for example. As a result, there is less need for flexibility in establishing their legitimacy; that is, there is no need for an interpretative rule-making function.
The provisions of the recommended statute, however, should be explicitly drawn to allow an individual to sue an insurance institution or support organization and to obtain actual damages for negligent disclosures that violate the duty of confidentiality, even if there is no showing of an intentional or willful violation. Where an intentional or willful violation of the duty of confidentiality is established, the individual should, in addition to actual damages and court costs, including reasonable attorney's fees, be entitled to general damages of a minimum of $1,000 and a maximum of $10,000. A defense available to the defendant charged with negligent disclosure would be that it had established reasonable procedures and exercised reasonable care to implement and enforce those procedures in attempting to protect the interests of the individual. Where it could not meet such a test, the insurance institution or support organization would then be subject to actual damages and court costs, including legal fees, for any violations.
The statute should also make clear that subsection (b)(iii) would not apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled, moreover, subsection (b)(iii) would not apply to any record compiled in relation to a claimant who is not an insured or policyowner (i.e., a third-party claimant), except as to any portion of such record that is disseminated or used for a purpose unrelated to processing the claim.
The first premise of the proposed statutory duty is that no record should be disclosed by an insurance institution or support organization without the authorization of the individual to whom it pertains. The Commission would expect, moreover, that the authorization statement used would be specific as to the information proposed to be furnished, to whom, and for what purpose. Nonetheless, as in other areas, the Commission has recognized the need to allow certain types of disclosures to occur without the individual's authorization. These exceptions can be divided into three categories:
- disclosures to protect the individual;
- disclosures the insurance institution or support organization must make in order to perform duties inherent in the insurance relationship or to protect itself from failure by the individual to meet the terms of the relationship; and
- disclosures to governmental authorities.
Subsection (a) of the recommendation falls into the first category. It permits disclosure without authorization to a physician for the purpose of informing the individual of a medical problem about which he may be unaware, and which an insurance institution or support organization may be reluctant to disclose to him directly. Making an exception for such situations seems justified by the benefit to the individual and by the minimal risk to personal privacy it involves, since the physician also stands in a confidential relationship to the individual.
The second category of exceptions concerns disclosures consistent with the insurer's rights and duties in its relationship with the insurance consumer. The duty of confidentiality, primarily for the benefit of the latter, should not unfairly burden the insurer's ability to fulfill its part of the bargain or to protect its own interests. By the mere fact of applying for insurance, maintaining a policy, or presenting a claim, the individual authorizes the insurer to perform certain functions. Thus, under subsection (b) of the Commission's recommendation, no authorization is required for disclosures to reinsurers, co-insurers, agents, contractors, insurance-support organizations, or any other party-in-interest, when disclosure is necessary for that person to perform a function concerned with the insurer's relationship with the insured. The insured should nonetheless be notified (see Recommendation (5)) that such disclosures may be made and should be able to find out whether or not they have, in fact, been made (see Recommendation (10)).
In many cases, individually identifiable information is provided by an insurer to one or more other insurers who act as reinsurers of the first. The individual whose insurance policy is reinsured has no legal relationship with the reinsurer. The only party who has a contractual relationship with the insured is the insurer from whom the individual purchased the policy. Reinsurance is common within the insurance industry, and sometimes involves the transfer of individually identifiable information. Currently, however, the individual has no knowledge of this type of disclosure.
It would serve no purpose to require an applicant to expressly authorize the dissemination of information about him to a reinsurer. The individual who refused to authorize the disclosure would simply be denied the insurance. The reinsurer, moreover, would have the same duty of confidentiality as the original insurer and be subject to the same requirements for holding information in confidence.
The reinsurance situation is similar to other party-in-interest situations in which the Commission believes individual authorization should not be required for information disclosure. For example, the amount of one insurer's claim payment may be related to another's payment. In this case, where a pro-rata liability or other coordination of benefits clause exists, each insurer must be considered a co-insurer and should, therefore, be allowed to share necessary information, subject to the same restrictions as to notice and confidentiality outlined above. Other exceptions based on the party-in-interest concept would include cases involving subrogation,101 as well as cases involving insurers who were potentially being defrauded by the same person.
All parties-in-interest referred to in subsection (b) would either already be bound by or would assume the same duty of confidentiality as the provider of the information-that is, they would not be permitted to redisclose the information without the individual's authorization, unless, in the case of any party-in-interest that is an insurance institution or insurance-support organization, the disclosure would be otherwise authorized under this recommendation. Only information necessary for the recipient to perform its function should be disclosed. Thus, for example, an independent claims adjuster should only be given the information needed to properly settle a claim. As already noted, subsection (b)(iii), which requires notice and a way for an individual to find out whether a particular disclosure had been made, would not apply to cases expected to involve litigation or to claims situations. Subsection (b)(iv) incorporates Recommendation (16) as the Commission urged that it should, above.
One special concern of insurance institutions and insurance-support organizations is to detect and deter fraud. Privacy requirements should not be used to restrict an insurer's capacity to protect its interests, especially where fraud may be involved. Thus, no authorization is required under subsection (b) for the disclosure of information to the Insurance Crime Prevention Institute or other support organizations that operate as surrogates of the insurer in seeking to prevent fraud. Authorization is also not needed for disclosure to one of the loss indexes or other insurers when the purpose is to deter and detect insurance fraud. Conversely, subsection (c) could allow the loss indexes to continue to disseminate information to their subscribers without individual authorization. To require otherwise would be tantamount to destroying the loss indexes, since those intent on fraud would naturally refuse to agree to the disclosure.
Currently, "self-insurers" may subscribe to the loss indexes. These subscribers are neither insurance institutions nor insurance-support organizations within the Commission's or insurance regulatory officials' definitions. They are companies and governments that have chosen to retain some or all of their exposure to loss rather than to transfer it to an insurer. Since they are not insurance institutions or insurance-support organizations, they are not subject to the Commission's recommendations on such organizations. Nevertheless, the information from the loss indexes may continue to flow to self-insurers and should, therefore, be subject to a duty of confidentiality as provided in subsection (c)(ii).
The third category of exceptions concerns disclosures to government. The Commission is aware that, for public policy reasons, information must be disclosed by insurance industry parties to law enforcement officials under certain circumstances. Such disclosures would be permitted, provided they comply with the Commission's recommendations regarding government access to private-sector records, explained in Chapter 9.
One voluntary disclosure that is permitted without an authorization is to law enforcement officials when an insurance institution or insurance-support organization reasonably concludes, from information generated in its relationship with him, that an individual has violated the law or is suspected of fraud in connection with the insurance coverage. Certainly in this instance, the insurer should not be required to get the authorization of the individual.
Furthermore, insurance institutions are required to release information to State insurance departments which regulate the insurance industry. Insurance institutions and insurance-support organizations must also respond to Federal, State, and local compulsory reporting statutes and regulations. They have no choice but to disclose information when required by government under these circumstances. A requirement of authorization by the individual would be meaningless. The Commission recognizes, however, that insurance institutions, like other record keepers, should have some obligation to inform an individual that information will be routinely reported to government. Finally, insurance institutions and support organizations must respond to a lawfully issued administrative summons or udicial order, such as a subpoena or search warrant. While they have no choice but to comply with such legal process, and while the primary obligation to assure protection of an individual's rights should rest with government, as explored in Chapter 9, the insurance record keeper has certain responsibilities-primarily to assure the facial validity of the particular form of compulsory process served on it, and to limit its compliance to the specific terms of the order. If, for example, a subpoena requires disclosure of information on a certain date, an insurance institution or support organization should not disclose until that date. Restricted response of this type will permit the individual whose records were sought to exercise those rights the Commission recommends be granted in the context of government access.
Insurance protection is vital to most Americans. Much personal information is provided or developed through the process of providing needed insurance protection, properly pricing it, and in servicing insurance contracts, including the investigation and settlement of claims. The Commission believes that the recommendations in this chapter respect this need for information and strengthen the relationship between insured and insurer while promoting its three public-policy objectives.