Personal Privacy in an Information Society. The Insurance Relationship

The activities of the nation's 4,700 insurance companies touch the lives of all Americans in a variety of ways. Two out of three Americans have life insurance protection;¹ 90 percent of the civilian population under age 65 is covered by individual or group health insurance policies;² and 15 million are covered by the pension plans that life insurers offer.³ It is estimated that almost 90 percent of the registered automobiles in the country are insured,⁴ and few homes are without insurance coverage. In 1975, the premiums Americans paid for life, health, and pension coverage amounted to $58.6 billions ⁵ and property and liability insurance premiums amounted to another $50 billion.⁶ The companies, for their part, paid out an estimated $75 billion in claims and policyholder benefits.⁷

The central function of insurance is to spread the economic burden of unforeseen financial losses by using the premiums paid by many insureds to pay for the losses sustained by a few. Some forms of insurance protection are mandated by law or business practice. For example, a number of States require car owners to carry auto insurance. Mortgage lenders require borrowers to carry fire insurance. Contractors are required to provide surety bonds to protect their clients against failures to perform and some fields of employment require fidelity bonds. Other forms of insurance, such as life, health, malpractice, and product and other liability coverages, are virtually mandatory in the minds of many people. Indeed, the cost and availability of insurance influence the character of society as well as the economy. It affects personal lives, life-styles, and even living standards.

Because the chief functions of an insurer-underwriting and rating risks and paying claims-are decision-making processes that involve evaluations of people and their property, the insurance industry is among society's largest gatherers and users of information about individuals. This chapter reports the results of the Commission's inquiry into the personal-data record-keeping 'practices of insurance companies and the support organizations that provide them with various services, including record keeping.

The chapter begins with a short description of the industry, its sources of information about individuals, and the role that support organizations play in gathering and disseminating such information. This is followed by an examination of the way records about an individual affect his place in the insurance relationship today, and of the problems industry record-keeping practices pose from a privacy protection viewpoint. Finally, after summarizing current legal restraints on the record-keeping practices of insurance institutions and support organizations, the Commission, in the last section, presents and explains its specific recommendations for change. As in other chapters of this report the Commission's recommendations are arranged in terms of its three recommended public-policy objectives: (1) to minimize intrusiveness; (2) to maximize fairness; and (3) to create a legitimate, enforceable expectation of confidentiality.

• Insurance Institutions and Support Organizations

  • There are essentially two types of insurance companies: stock companies owned by shareholders and mutual companies owned by policyholders. (Blue Cross and Blue Shield are nonprofit associations which policyholders join.) Although the largest life insurance companies are of the mutual type, the total amount of life insurance protection in force is about equally divided between stock and mutual companies. In the property and liability insurance business, the largest company is also a mutual company, but stock companies account for over 70 percent of premium volume.

    Multiple-line insurance institutions are those with affiliate companies writing both life and health and property and liability coverages. The largest property and liability insurers are affiliates of multiple-line institutions, as are the largest life insurers since the expansion of some mutual companies into property and liability lines.

    Companies sell insurance in four ways: by direct mail; through an exclusive agent; through an independent agent; or through a broker. While the exclusive agent represents only one company, the independent agent may have agreements with several companies, and the broker is a legal representative of his clients rather than the companies with which he places business. Agents are paid commissions or fees by companies rather than by clients. For simplicity of discussion, however, all will here be referred to as agents.

    From a privacy protection viewpoint, insurers differ more significantly in terms of product line than they do in terms of ownership and company structure. The application form for the simpler types of life and health insurance sold by direct mail typically asks for little information. Name, address, age, sex, occupation, a statement certifying that the applicant has not had certain illnesses within a stated period of time and is currently in good health, and the beneficiary's name usually suffice. This is possible because policies sold by direct mail are relatively small ones, the population buying them is comparatively large, and they tend to be for limited coverages. Thus, the spread of risk of illness and death on which the premium rates are predicated is maintained.

    In contrast, insurance sold through agents typically requires more information from and about the applicant and other insureds. Such coverages tend to be broader, more varied, and often need to be tailored to the particular needs of the applicant. Of all insurance sold through agents, the type requiring the least personal information is group insurance, which is underwritten on an aggregate rather than an individual basis, i.e., over time the premium rate is determined by the illness and death experience of the entire group.

    Because the experience of large groups is statistically more reliable, the experience of many small groups may often be combined in determining premium rates. Doing so, however, demands more care in offering group insurance to smaller firms than in offering it to larger ones, lest the people in low-risk groups inadvertently subsidize those in high-risk ones. Care is also exercised in soliciting large accounts, but only as to the aggregate mix of occupations or other gross characteristics of the members of the group. Thus, while group insurance by its nature is markedly less dependent on information about the individual than on any other types of insurance, the amount of detail that can be dispensed with will depend on the size of the group involved.

    As to individual life, health, and property and liability insurance that is sold through agents, the amount of information collected about individual applicants and insureds can be extensive. Moreover, the way it is collected, used, and disclosed is somewhat different in life and health underwriting than in property and liability underwriting. These differences, and the privacy protection problems they create, are principal themes of this chapter.

• Recommendations

  • The Commission's approach to the problems described in this chapter has been to focus on strengthening and balancing the relationship between the individual insurance applicant, policyholder, or claimant and the insurance institution with whom he deals. As indicated at the outset, the Commission's recommendations have three objectives:

    (1) to create a proper balance between what an individual is expected to divulge about himself to a record-keeping organization and what he seeks in return (to minimize intrusiveness);

    (2) to open up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him made on the basis of such information (to maximize fairness); and

    (3) to create and define obligations with respect to the uses and disclosures that will be made of recorded personal information (to create a legitimate, enforceable expectation of confidentiality.)

    In the insurance area, as in others it has studied, the Commission also believes that giving an individual certain rights without placing corresponding obligations on the institution with whom he has the primary record-keeping relationship is not likely to bring about adequate remedial action. Thus, the Commission believes that insurance institutions and insurance-support organizations must assume greater responsibility for their personal-data record-keeping practices. In some cases, this can be accomplished by bringing the forces of the marketplace to bear on record-keeping policy and practice, through voluntary adoption of standards set forth in this report, or through court action by individuals to enforce their rights. In others, government agencies should also be called upon to play monitoring and corrective roles. The Commission believes that both parties will benefit from this approach. The individual's position with respect to the records the insurance relationship generates about him will be strengthened, while insurers and insurance-support organizations will be assured of obtaining the kind of information that promotes fair and efficient operations. Greater confidence in insurance institutions and their role in society should result from opening up the process in this way.

    One of the major reasons legislation is needed is that the individual is currently at a disadvantage in the insurance relationship. Some of the Commission's recommendations have attempted to protect the applicant, policyholder, or claimant by placing certain restraints on the insurer-limiting certain collection techniques, creating standards for the authorization forms used, and requiring reasonable procedures in the collection, use, and disclosure of information about an individual. The Commission's aim, however, is not so much to constrain insurance institutions and support organizations as it is to enhance the position of the individual so that he can protect his own privacy interests. To this end, the Commission has concluded that the insurer should inform the individual of the scope of its underwriting inquiry by a clear notice and an adequate authorization form; that the subject of an investigative report should be interviewed if he so desires; and that a mechanism should be created whereby the individual can question the propriety of a specific type of inquiry made in connection with an insurance decision about him. These recommendations are designed to give the individual a central role in the record-keeping practices (including information collection) of the insurance industry.

    The ability of the individual to protect himself depends upon the knowledge he has of the records that are made about him. Thus, an individual should have access to a record about himself and a mechanism should exist whereby disputes concerning the accuracy of such a record can be settled. Access and correction rights are also needed to enable the individual to protect himself from investigations which exceed the scope of the notice he is given at the time he seeks to establish a relationship with an insurer, and to assure that the records maintained about him are accurate, timely, and complete. In addition, the individual should be informed of the reasons for an adverse decision about him and the specific information which supports those reasons, so that he can protect himself from unfair treatment resulting from the use of inaccurate, obsolete, or incomplete information.

    This approach is not simply intended to be a procedural one. Rather, it is intended that the dynamics of the relationship between the insurer and the individual, rather than action by a legislature or regulator, will create certain standards governing the collection, maintenance, use, and disclosure of information by insurance institutions and support organizations. The Commission believes that notice, access, dispute, and an enforceable expectation of confidentiality are the tools an individual must have if he is to play an effective role in preventing the record-keeping practices of insurance institutions and support organizations from trespassing on his privacy interests. Armed with them, he can exert constructive pressure upon an insurer or agent. Even where the abuse concerns an insurance-support organization, pressure will be most effective on the insurer or agent, because the individual has a direct relationship with them, and because the prospect of adverse publicity that could affect the insurer's position in the marketplace provides the insurer with more incentive to be responsive than the support organization.

    Overall, the Commission believes that the strategy it proposes for implementing these recommendations is a reasonable and practical one in that it:

    • uses existing regulatory and legislative mechanisms to the maximum extent possible;
    • keeps the cost of administration and compliance at acceptable levels;
    • provides inducements to comply willingly so that disputes over compliance can be kept to a minimum; and
    • provides reasonable protection against liability for unintentional failure to comply, coupled with appropriate penalties for willful failure to comply.

    As previously noted, because insurance is regulated primarily by State Insurance Departments, the Commission believes that the responsibility for implementing some of its recommendations should be properly lodged at the State level. In addition, the personal-data record-keeping practices of insurance institutions are also regulated to some extent by the Federal Fair Credit Reporting Act which the Commission believes is the proper vehicle for implementing recommendations that aim to strengthen the insurance relationship by eliminating artificial distinctions between the record-keeping practices of insurance institutions and the record-keeping practices of their support organizations. Finally, for reasons that are fully elaborated in Chapter 9 on government access to records about individuals maintained by organizations in the private sector, the Commission has concluded that the enforceable expectation of confidentiality it recommends must be implemented by Federal statute.

    It should be noted, moreover, that the recommendations to be implemented by Federal statute, including those that would be implemented by amending the Fair Credit Reporting Act, give the individual actionable rights against insurance institutions and support organizations. The Commission has explicitly rejected the establishment of a Federal regulatory structure that could be quite costly both to the taxpayer and to the insurance industry. Instead, by making those who do not comply civilly liable for their failure to do so, and by making it comparatively easy for such actions to be brought, the Commission believes that a strong incentive for systemic reform will be created without subjecting those who favor reform to unnecessarily costly government regulation. The burden will fall on those who by their actions willfully and repeatedly disregard their responsibilities rather than on those who make a good faith effort to comply fully. In short, the implementation of the Commission's recommendations is designed to place an increasing financial burden on those companies who encourage costly disputes by resisting openness, or who fail to adopt reasonable procedures to control the collection, use, or disclosure of records about individuals.

    Finally, insurance institutions should not be unduly exposed to liability which arises only because of the openness of the process. The objective of the Commission's recommendations is to cleanse the system of decisions based on inaccurate or incomplete information; not to create windfall recoveries for bad information or practices of the past.

    Definitions for some of the terms used in the recommendations and discussion which follow may be found in the glossary at the end of this chapter.

    Intrusiveness

    The Commission's first three recommendations address the scope and character of the inquiry to which an insurer may require an individual to submit as a condition of establishing or maintaining an insurance relationship. Because insurance is concerned with the protection of individuals or personal property, the process of granting insurance coverage necessarily involves intrusions on personal privacy. The question is simply (or perhaps not so simply) how much of an intrusion and by what methods.

    GOVERNMENTAL MECHANISMS

    For some years now, controversies over the propriety of asking certain kinds of questions of an individual have generally centered on the relevance of the information sought to the decision to be made. For example, the Privacy Act of 1974 requires each Federal agency to limit its collection, maintenance, use and dissemination of information about individuals to that which "is relevant and necessary" to a purpose the agency is required to perform by statute or Executive Order.⁸⁹ The California Insurance Department, relying on its authority to prevent unfairly discriminatory practices, investigates the relevance of certain items of information used by insurers doing business in the State and may prohibit the use of any item whose relevance to underwriting decisions or pricing cannot be demonstrated to the Department's satisfaction.

    A related, and in many respects more difficult, question concerns inquiries which, while demonstrably relevant, are objectionable on other grounds. Legislatures may prohibit, and have prohibited, the use of certain items of information on fairness grounds. Race, for example, has been excluded as an eligibility or rating criterion for life underwriting even though its relevance to life expectancy can be demonstrated.⁹⁰ On the other hand, the Privacy Act of 1974 strives, not very successfully, to ban the collection and use of information pertaining to an individual's exercise of his First Amendment rights on the grounds that such inquiries by government agencies constitute an unwarranted invasion of personal privacy, i.e., that they fail the test not of relevance or fairness, but of propriety ⁹¹

    Thus far, there have been few instances in which items of personal information have been proscribed on grounds of impropriety, i.e., unwarranted intrusiveness. In the insurance area, California has come close in proscribing the collection and use of information concerning "moral lifestyle."92 The California approach is almost unique among State insurance regulatory authorities and all the California Department's other investigations, except for "moral life-style," have turned on other issues, such as fairness. In some cases regulation has not been necessary because the impropriety of certain types of inquiries is universally recognized. An example would be collection of information about an individual from his priest, minister, or rabbi.

    It should be noted, moreover, that fairness and propriety issues usually cannot be dealt with in the same way. As briefly discussed in Chapter 2, when. fairness is the overriding concern, such as in the Equal Credit Opportunity Act as amended, [15 U.S.C. 1691 et seq.], continued collection of certain information may be necessary to demonstrate that it is no longer being used to make decisions about individuals. For example, one cannot show that sex and race are not being systematically used to make credit decisions unless one can show that credit has been extended to women and minorities in proportion to their relative numbers in the credit grantor's market. And the most practical way to do that may well be to have the credit grantor record the sex and race of all applicants. This, however, is much different from situations where impropriety is the reason for proscribing information. There, the first act must be to prohibit collection, since the problem lies primarily in the asking of the question. Use may also be prohibited in such a situation but only to make sure that the information is totally excluded from the decision-making process.

    The Commission believes that, in the future, society may have to cope with objections to the collection of certain information about an individual on the grounds that it is "nobody's business but his own." In some cases, these propriety issues may be resolved by prohibiting an inquiry on the grounds that it is irrelevant, but in others, where relevance can be demonstrated, proscription may be necessary on propriety grounds alone. In the Commission's view, questions of this nature are best resolved on a caseby-case basis. One must be concerned about undue government interference in such controversies. The Commission believes, moreover, that all such determinations must be prospective, so as to avoid retroactive punishment for behavior which at the time was wholly consistent with prevailing societal expectations and norms. However, the Commission also believes that institutional mechanisms are needed so that such questions can be raised and resolved.

    Insurers have historically enjoyed considerable latitude in determining what information is and is not necessary to a given decision about an individual. Underwriting is far from an exact science. Moreover, industry spokesmen argue that the cost of collecting information is a powerful enough incentive to collect only relevant information. Yet others claim that insurance institutions collect a great deal of information whose relevance is questionable. Indeed, the industry has been criticized for not taking advantage of its actuarial and computer expertise to refine its relevance criteria.

    To a large extent, the relevance-propriety issue in insurance stems from some insurers' belief that they should insure only those of "high moral character," and should shun those whose mode of living differs from what society considers normal. In a society as diverse as ours, however, determining what "society considers normal" is no easy task, and relying on the independent judgment of underwriters to make this determination has led to considerable difficulties.

    The Commission is mindful of the complexities that lie beneath the surface of the relevance-propriety issue in the insurance area. It is aware that a few States have taken an interest in certain insurance-related inquiries. Most, however, have not. The Commission, moreover, is not fully persuaded that the problem can be handled exclusively through market mechanisms. Although Recommendation (5) (see below) seeks to set corrective market forces in motion, the necessity of insurance in today's society may make it difficult for individuals to make their objections felt. Furthermore, should there be sentiment in favor of banning a particular category of inquiry, irrespective of its relevance, some way will have to be found for society to estimate and consider the cost involved in such an action and the way in which the cost will be distributed. Thus, in light of all these considerations, and out of its desire to eliminate unreasonable invasions of personal privacy, the Commission recommends:

    Recommendation (1):

    That governmental mechanisms should exist for individuals to question the propriety of information collected or used by insurance institutions, and to bring such objections to the appropriate bodies which establish public policy. Legislation specifically prohibiting the use, or collection and use, of a specific item of information may result; or an existing agency or regulatory body may be given authority, or use its currently delegated authority, to make such a determination with respect to the reasonableness of future use, or collection and use, of a specific item of information.

    To implement this proposal, the Commission recommends that each State Insurance Commissioner collect individuals' complaints and questions concerning the propriety of particular types of inquiries, prepare periodic summary reports on the number of questions and complaints by category, and make them available to legislative bodies. If already authorized by the legislature, the Commissioner may take action. In California, for example, the legislature empowered the Commissioner to promulgate rules and regulations under the unfair trade practices article of the State insurance laws and the Commissioner then used that authority to declare discrimination based on sex, marital status, or sexual orientation a prohibited practice.⁹³[§790.03 and 790.10 of the California Insurance Code]. The rules the Commissioner adopts may prohibit the use of certain information in one line of insurance but not in another. Furthermore, within a given line of insurance, the Commissioner might allow certain information to be used as the basis for rating or determining risk, but not unless it has an impact on one or the other. For example, inquiry into the fact of cohabitation might be relevant in determining use of a vehicle, a valid rating criterion, but the mere fact of cohabitation, unrelated to vehicle use, could not be the basis of an underwriting or rating decision.

    Currently, most Insurance Commissioners could address the use of irrelevant information under their general authority to hold hearings and issue cease and desist orders in connection with undefined unfair trade practices. The Commission believes, however, that the rule-making technique is fairer and more effective than looking one at a time at possible violations of a general prohibition against unfair trade practices. Not only will more insurers than the one offender have a say in the wisdom of the Commissioner's proposed prohibition, but the Commissioner's decision will only be subject to the narrow judicial review generally applied to rulemaking decisions. The Federal Insurance Administrator could also collect the reports compiled by the State Insurance Commissioners and periodically report on them to the Congress.

    An alternate and not mutually exclusive suggestion is that the Federal Insurance Administrator, or another appropriate Federal entity, collect complaints concerning the propriety of insurance inquiries directly from individual consumers and from time to time report and make recommendations on them to the Congress. It is not recommended, however, that the Federal Insurance Administrator have the rule-making authority urged for State Insurance Commissioners, since regulation of information practices within the insurance industry is currently a State function.

    PRETEXT INTERVIEWS

    As indicated earlier, Factual Service Bureau obtained some of its information through pretext interviews or other false or misleading representations.⁹⁴ A pretext interview is one in which the inquirer (1) pretends to be someone he is not; (2) pretends to represent someone he does not; or (3) misrepresents the true purpose of the interview. Mere silence on any or all of these points would not normally constitute a pretext interview. Indeed, an investigator could refuse to identify himself, his client, or the purpose of the inquiry, letting the person of whom the inquiry is being made infer whatever he wishes from such behavior. Nonetheless, an investigator dressed in a white lab coat making inquiries of a clerk in a hospital medical records room would be conducting a pretext interview if he allowed the clerk to assume he was a properly credentialed medical professional.

    As pointed out in several chapters of this report, the Commission believes that some investigative practices are unreasonably intrusive, or at least have a high potential for depriving an individual of even a modicum of control over the disclosure of information about himself. An investigator conducting a pretext interview clearly raises that prospect. Thus, out of its desire to prevent unreasonable invasions of privacy resulting from the techniques used to collect information about individuals, the Commission recommends:

    Recommendation (2):

    That the Federal Fair Credit Reporting Act be amended to provide that no insurance institution or insurance-support organization may attempt to obtain information about an individual through pretext interviews or other false or misleading representations that seek to conceal the actual purpose(s) of the inquiry or investigation, or the identity or representative capacity of the inquirer or investigator.

    This recommendation would apply to all insurance inquiries-whether for underwriting or first- or third-party claims. The prohibition would be enforceable by the Federal Trade Commission (FTC) against organizations that collect information by means of pretext interviews. An organization would be able to defend itself against an FTC action on the basis that it had k, taken reasonable steps and instituted reasonable procedures to prevent such activity. The use of pretext interviews should be made a civil offense, punishable by fines and cease and desist orders.

    REASONABLE CARE IN THE USE OF SUPPORT ORGANIZATIONS

    The reported practices of Factual Service Bureau also raise a legitimate concern about the care with which insurance institutions select and use the services of support organizations. An institution should not be totally unaccountable for the activities of others who perform services for it. The Commission believes that an insurance institution should have an affirmative obligation to check into the modus operandi of any support organizations it uses or proposes to use; and that if an insurance institution does not use reasonable care in selecting or using such organizations, it should not be wholly absolved of responsibility for their actions. Moreover, a like obligation should obtain where one support organization uses the services of another.

    Currently, the responsibility of an insurance institution for the acts of a support organization depends upon the degree of control the insurance institution exercises over the support organization. Most insurance-support organizations are independent contractors who traditionally reserve the authority to determine and assure compliance with the terms of their contract. Thus, under the laws of agency, an insurer may be absolved of any liability for the illegal acts of a support organization if those acts are not required by the terms of the contract ⁹⁵ In the Commission's opinion, the Factual Service Bureau case illustrates why this is not desirable. Accordingly, to deal with the responsibility of the institution that uses others to gather information about individuals for its own use, the Commission recommends:

    Recommendation (3):

    That the Federal Fair Credit Reporting Act be amended to provide that each insurance institution and insurance-support organization must exercise reasonable care in the selection and use of insurance-support organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations comply with the Commission's recommendations.

    If it could be shown that an insurance institution had hired or used a support organization with knowledge, either actual or constructive, that the organization was engaging in improper collection practices, such as pretext interviews, an individual or the Federal Trade Commission could initiate action against both the insurance institution and the support organization and hold them jointly liable for the support organization's actions.

    Fairness

    THE REASONABLE PROCEDURES OBJECTIVE

    As a general objective guiding the personal-data record-keeping practices of insurance institutions and their support organizations, the Commission recommends:

    Recommendation (4):

    That each insurance institution and insurance-support organization, in order to maximize fairness in its decision-making processes, have reasonable procedures to assure the accuracy, completeness, and timeliness of information it collects, maintains, or discloses about an individual.

    Subsection 3(e)(5) of the Privacy Act of 1974 requires each Federal agency to

    collect, maintain, use and discloses ⁹⁶ all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

    This provision is a requirement on management wholly independent of the rights the Act gives an individual. For a Federal agency whose administrative procedures are subject to congressional oversight, it s an appropriate requirement.⁹⁷ The same, however, cannot be said of its applicability to the private sector.

    As pointed out in Chapter 1, the Commission believes that the mix of rights and obligations its private-sector recommendations would establish are in themselves incentive enough to foster the kind of management attention to personal data record-keeping policy and practice that subsection 3(e)(5) of the Privacy Act requires. Thus, the Commission does not recommend that Recommendation (4) be incorporated in statute or regulation. Rather it envisages Recommendation (4) being implemented automatically as a consequence of the adoption of the other recommendations in this section, particularly Recommendations (10), (11), (12), (13), and (16), on access, correction, adverse decisions, disclosure of information from proper medical sources, and Recommendations (5), (6), and (17), on notice and disclosure.

    The adoption of these recommendations will promote the maintenance of reasonable procedures by insurance institutions to assure the accuracy, completeness, and timeliness of information and provide a means whereby information collected, maintained, or disclosed may be corrected or updated by the individual.

• Life and Health Insurers

  • Life and health insurers and their agents have different reasons for collecting and using information about individuals than property and liability insurers. In the first place, people often have to be persuaded to buy life insurance, whereas there is a ready market for property and liability coverage. Moreover, because life insurance is often sold as part of a package of financial planning services offered by agents, a life insurance prospect may be asked to divulge much information about himself even before the application is completed. For example, when insurance is used in estate building or estate conservation, the agent collects detailed information about the prospect's net worth, income, career prospects, and personal goals. When business life insurance ⁸ is being considered, extensive information about the financial condition of the firm or its principals is required. As a result, some life insurance agents have more comprehensive knowledge about a client's financial affairs than perhaps anyone else.

    Most importantly, life insurance is a contract which binds a company to pay claims or benefits unless the policyholder fails to pay premiums when due, or unless the company can prove fraud or material misrepresentation during a limited "contestable period," generally two years after which a claim must be paid even if the application turns out to have been fraudulent. Thus, before entering into such a contract, the insurer wants an accurate health history, often supplemented by a medical examination to determine current health status, financial status information to protect against overinsurance, and enough information about personal habits to judge whether they might shorten the applicant's life. If the applicant has a significant health impairment, he is subjected to an extensive underwriting investigation to determine whether insurance can be issued to him, and if so, at what rate.

    With most individual health insurance, there is less pressure to gather information about the applicant than in life insurance. Unless an individual health policy is the type that is not cancelable, the company can protect itself by increasing the price or declining to renew coverage at expiration. (Some health policies are guaranteed renewable but with the understanding that the company may increase the price at the time of renewal.) Nonetheless, detailed medical-record information is gathered in order to decide whether to accept the risk in the first instance, and how much to charge. Medical-record information is also an obvious consideration in writing disability insurance. Because these coverages are more susceptible than life insurance to abuse by insureds, companies want information concerning an applicant's character and his propensity for a disabling accident or illness. Occupation is also an important consideration-the loss of a finger is more disabling for a surgeon than a businessman-and the amount of disability income protection provided needs to be related to earned income.

    The applicant and agent are the primary sources of information in underwriting life and health insurance. Because each has a financial interest in seeing the sale completed, however, investigative-reporting agencies (inspection bureaus) and other outside sources are often used to check the accuracy and completeness of the information applicants and agents provide. The types of inquiries these investigations typically involve and the manner in which inspection bureaus conduct them are described in Chapter 8. Here it is enough to point out that they can involve contacts with neighbors, employers, associates, bankers, and creditors; reviews of medical records obtained from doctors or hospitals; and checks of public records for evidence of financial or legal difficulties.

    Life and health insurers and investigative-reporting agencies acting on their behalf often contact third-party sources that have a confidential relationship with the applicant or insured, such as doctors, accountants, or lawyers, and thus an authorization is required before the information can be released. Typically, an applicant is required to sign such an authorization as a condition of having his application considered; is informed, as required by the Fair Credit Reporting Act (FCRA),⁹ that an investigative report may be obtained; and is notified that information may be reported to the Medical Information Bureau (see below).

    Normally, life insurance and medical expense claims are paid when a death certificate or medical bills are submitted. Claims for disability-income benefits are verified with the claimant's physician and employer and may be investigated more thoroughly if the claim appears questionable. The insurer's need for medical-record information in processing claims and the issues it raises for public policy on the confidentiality of the medical-care relationship are discussed in Chapter 7.

    The Medical Information Bureau (MIB)

    Like credit grantors, life and health insurers have organizations whose record-keeping services allow them to learn something about an applicant's previous contacts with other companies in the industry. The Medical Information Bureau (MIB) is an unincorporated, nonprofit trade association set up to facilitate the exchange of medical-record information among life insurers. Nearly 700 U.S. and Canadian life insurers subscribe to it and use it as an important source of information in underwriting life and health policies and in processing life and health claims.¹⁰

    Each member company agrees to send the MIB a code anytime it develops information on an individual concerning certain medical and other conditions of some underwriting significance, except that companies are no longer supposed to report information developed in processing a claim. These codes are maintained by the MIB for seven years. Typically, a member company, on receiving an application, asks the MIB to check its files for information on the individual. If a code is found, it is sent to the inquiring company, which may then seek further details from the company that originally reported it, provided, however, that the inquiring company has first conducted its own investigation (e.g., a medical examination) to verify the reported condition. These "requests for details," which must be channeled through the MIB, are limited to 15 percent of the number of reports each company has submitted within the past year.¹¹ In 1975, there were 75,000 of them out of a possible 300,000.¹²

    The MIB does not investigate on its own, nor does it attempt to verify any information reported to it.¹³ MIB Rule 9 specifies that member companies must report information regardless of the manner or form in which they acquire it_.¹⁴ Because many life insurers are also health insurers, information discovered in the course of health as well as life underwriting may thus be reported to the Bureau.

    About 95 percent of the coded information contained in the MIB files is considered to be "medical." Only five percent is classified as nonmedical information, such as "reckless driving," "aviation," or "hazardous sport."¹⁵ Currently, the MIB maintains information on 11 million individuals. Approximately three percent of all life applicants are uninsurable while six percent are "ratable."¹⁶ In 1975, member companies submitted 2.45 million reports to the MIB,¹⁷ and 17.5 million requests for information, while the MIB sent out 3.6 million responses.¹⁸

    The Medical Information Bureau has been a controversial organization ever since its existence came to public attention in the mid-1960's. One of the most controversial aspects has been its use of the so-called nonmedical codes. In testimony before the Commission, the Bureau's Executive Director and General Counsel identified five: (1) reckless driving confirmed by the proposed insured or by official State or provincial (Canadian) motor vehicle bureau reports; (2) aviation with the proposed insured only as the source; (3) hazardous sport with the proposed insured only as the source; (4) nonmedical information where the source is not a consumer report (i.e., an inspection bureau report); and (5) nonmedical information received from a consumer report and not confirmed by the proposed insured.¹⁹ He told the Commission that the fifth nonmedical code (nonmedical information received from a consumer report) could only refer to reckless driving, aviation, and hazardous sport and would not give life-style information.²⁰ In a letter sent to the Commission later, however, he states that "further review of MIB>coding instructions shows that these nonspecific codes may also be used to report other types of nonmedical information, such as `age,' `environment,' `foreign residence or travel,' `occupation,' and 'finances.'" ²¹

    Another object of controversy has been a code for reporting information about an individual's health, which, because of source, does not conform to the definition of medical-record information in the Fair Credit Reporting Act, i.e., information obtained from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities. [15 U.S.C. 1681a(i)] Such information could be reported in one of two ways. First, it could be reported by noting the specific code for the condition involved together with an additional symbol indicating that the information does not come within the FCRA definition.²² Or second, as indicated in Executive Director Day's letter, it could be reported by using a code for "medical information received from a consumer report, not confirmed by the proposed insured or medical facility. .. ."²³

    On October 28, 1976, some months after the discussion of these matters in the Commission's hearings, the MIB informed the Commission that it was proposing the following changes to its code list. First, it was deleting three codes: (1) nonmedical information where the source is not a consumer report; (2) nonmedical information received from a. consumer report not confirmed by the proposed insured; and (3) medical information received from a consumer report not confirmed by the proposed insured or a medical facility. The MIB assured the Commission that in the future "medical impairments may be reported only if information or records are received from the applicant or from licensed physicians, hospitals, clinics, or other medical or medically related facilities." It further stated that the three eliminated codes "will no longer be transmitted to member companies and will be purged or subjected to a `no report order."'²⁴

    Second, the remaining nonmedical codes (reckless driving, aviation, and hazardous sport confirmed by the proposed insured) may now only be reported to the MIB if such activity has occurred within the three years preceding the application at hand.²⁵ This was in response to the complaint that very old information could get into MIB files; that the practice of purging information reported more than seven years ago does not mean that all events or conditions coded in MIB records occurred within the previous seven years. For example, a reckless driving conviction that occurred 20 years ago could be noted in MIB records if a company reported it within the previous seven years.

    Finally, the MIB also proposed to change the code which reports medical information obtained from a Federal agency to read "medical information obtained from a Federal medical source."²⁶

    A further source of controversy has been that codes dropped in the past, as far as reporting requirements were concerned, are nonetheless still in the MIB file and thus can still be reported to MIB members. In reaction to this criticism, the MIB informed the Commission that the following discontinued codes will be purged or subjected to a "no report order": "`information obtained through a disability or health claim,' `nonconformity,' `age,' `environment,' `foreign residence or travel,' `occupation,' 'insurance hazard,' and `finances,"' and, of course, the three nonmedical codes mentioned above.²⁷

    Finally, the entire MIB system is predicated on the rule that the receiving company may not base an adverse underwriting decision on the information received from the MIB, but must make its own independent investigation.²⁸ Rule 14 reads:

    The information received through the Bureau shall not be used in whole or in part for the purpose of serving as a factor in establishing an applicant's eligibility for insurance.

    The application of this rule means that: (a) an application for insurance shall never be denied nor shall any charge therefore be increased wholly or partly because of information received through the Bureau and (b) all information received through the Bureau shall only be used as an alert signal.²⁹

    MIB's Executive Director told the Commission that "... Rule 14 is strictly adhered to by members who are regularly visited under the Company Visit Program."³⁰ When questioned, however, he agreed that the requirement to conduct an independent investigation may mean simply going to an investigative agency and getting old information that was once before the basis for an MIB report.³¹ (Presumably this problem will be alleviated by the proposed elimination of inspection bureaus as authorized sources of certain types of information.) As to the Company Visit Program, moreover, it became apparent that Rule 14 may not be as strictly observed as the MIB would like to believe.

    From time to time MIB staff members visit member companies to make certain that underwriters understand the Bureau's rules and to check on compliance with them.³² A typical visit includes a check and review of the member's security arrangements and an "audit" of 20 randomly selected files.³³ Two major kinds of violations are looked for: (1) requests for details on MIB codes that have been submitted without first conducting the required independent investigation; and (2) adverse underwriting decisions that have been made solely on the basis of an MIB code (i.e., violations of Rule 14).³⁴ In a letter following his hearing testimony, the Executive Director told the Commission that in 1975, "161 member companies were visited and 3,200 underwriting files were examined ...," but that "in fact only fifteen violations [of Rule 14]" were discovered.³⁵ Since the MIB sends out 3.5 million positive responses to company queries each year this means, if the sampling procedures permit such extrapolation, that overall there were approximately 15,000 violations of Rule 14 in 1975.

    The efficacy of the investigation procedure was also questioned by the Commission. Each year the Company Visit Program looks at about 3,000 files (three companies per week, 150 companies per year, 20 files per company).³⁶ Because companies may have several regional offices, however, and because at the rate of 150 companies per year it would take five years to cover all the members, a considerable amount of slippage could go undetected.

    Thus, in response to the Commission's expression of concern, the MIB has proposed the following changes. Each MIB member will now be required to adopt formal procedures to protect the confidentiality of MIB information. In addition, starting in 1977, each member must conduct at least annually "a self-audit program to determine whether it has complied with MIB's constitution and rules and whether its internal procedures have protected the . . . confidentiality of MIB information." In addition, the MIB investigation program, "will be expanded during the course of 1977 to include review of the results of members' self-audits." Such a review will include an on-premise inspection of internal procedures instituted by companies to implement certain aspects of MIB policy.³⁷

    Whether this voluntary program will be effective remains to be seen. The Commission, however, took the proposed changes into account in making its recommendations regarding insurance institutions and support organizations and believes that it has also found several ways of reinforcing the MIB initiative.

    The Impairment Bureau

    The Impairment Bureau, a service of the National Insurance Association, is another support organization that exists solely to facilitate communication among life and health insurers. The Impairment Bureau, however,differs from the Medical Information Bureau in several important respects.

    In the first place, the Impairment Bureau's membership is muchsmaller and while all of its member companies may forward information toit, only five do so on a regular basis. Second, information about anindividual is only sent to the Impairment Bureau when his application hasbeen declined. Third, each member regularly receives a report on every declination reported to the Bureau without having to ask for information on any particular individual. The Bureau compiles the information it receives on sheets which contain approximately 60 entries per page. Each entry contains the name of the applicant, his date and place of birth, the date of the rejection, a coded entry representing the cause of the declination, a coded entry representing the name of the reporting company, and the city and State where the applicant resides. This information, on approximately 2,000 declined applicants a year, is sent every other month to all member companies.

    Like MIB records, Impairment Bureau records contain some information on conditions other than medical ones. Unlike the MIB, however, the Impairment Bureau does not have any specific rules to govern the use of the information it disseminates to member companies or the functioning of the Impairment Bureau itself. Each company may use the declination information as it sees fit and could, for instance, decline an applicant on the basis of the previous declination alone. On the other hand, the Impairment Bureau does not retain copies of the information submitted to it and has not done so since 1964. It merely compiles and distributes information to its members on the basis of the reports it gets from them. Once it has performed this function, the incoming reports are destroyed.³⁸

• Property and Liability Insurers

  • In contrast to most life insurers, a property and liability insurance company has a ready market among people concerned about the replacement cost of tangible assets or about protecting themselves against liability claims brought by others. A property and liability company, moreover, can increase the price charged a policyholder or effectively cancel the risk by declining to renew coverage at the expiration of each contract period, Yet, as in the case of life and health insurance, detailed information s needed to decide whether to accept the risk in the first instance and how much to charge.

    With property insurance, the items to be insured need to be identified accurately and valued, and the degree of care taken to protect them against fire, theft, or loss established. Since these coverages are also susceptible to abuse and fraud, the company wants to know enough about an applicant to make a reasonably confident estimate of his probable loss characteristics. Because liability insurance protects a policyholder against legal damages he may incur through negligence, underwriters consider it important to know, in the case of homeowners coverage, whether his home is well maintained and reasonably free of hazards, or to know, in the case of automobile insurance, whether he and others regularly using the car are responsible drivers. Although the applicant and agent are again primary sources of such information, a company often checks the information they provide through an inspection bureau report or other sources considered more impartial.

    The types of information needed to underwrite automobile insurance include name, address, date of birth, marital status, sex, occupation, driver's license number, use of vehicle, any physical impairments, how long licensed (if less than three years), and information regarding any accident or moving traffic violations in the past three years. State motor vehicle department records are often checked to verify the driving record of the applicant and members of his family. Some companies also require a physician's statement for elderly or physically impaired drivers. Finally, automobile underwriters sometimes order an investigative report on an applicant to find out whether his character, mode of living, and reputation in the community, may, in the judgment of the underwriter, influence the frequency of claims or the applicant's "defendability" in court. In other words, these reports are used by an auto insurer to determine whether the premium at which a policy may be issued is the correct one, but also, if highly derogatory information s uncovered, whether the policy should be issued, or if it has already been issued, whether it should be renewed.

    For underwriting other forms of personal property and liability insurance, such as homeowners' policies, personal property floaters, fire policies, and boat policies, information requirements vary widely. To prepare and issue homeowners and fire policies, for example, the information required would include type of construction, age of dwelling, and distance to the nearest fire hydrant and fire department. For certain properties, an appraisal of their value may be required.

    Information is, of course, also sought in the settlement of property and liability claims. Usually, this involves no other contact beyond the insured, the police or fire authorities, and the repair concerns involved in placing the property back in its original condition. Where the policy covers bodily injuries, however, contact may be made with the attending physician, the hospital, or other providers of medical services regarding the nature and extent of the injuries and the reasonableness of fees charged for services. In those few situations involving suspected fraud, the investigative activity may involve more extensive interviewing which can include witnesses, discussions with local law enforcement officials, and securing other background information that may be necessary to prepare for an effective defense if the claim is denied.

    The investigation of claims or losses to determine the policyholder's liability to others (i.e., "third-party claims") will generally result in greater information gathering. A very detailed and complete investigation will frequently be made to determine the insured's responsibility for injury or damage and the degree or extent of such injury or damage. The role of inspection bureaus and private investigative agencies in the settlement of property and liability claims is briefly described in Chapter 8.

• The Loss Indexes

  • In the processing of claims, the indexes of the American Insurance Association (AIA) may be checked to determine whether the claimant has had a series of prior losses or is submitting claims for the same loss to other companies. These indexes -cover fire, burglary and theft, and fine arts losses, as well as third-party personal or bodily injury claims arising under automobile, homeowners, malpractice, and worker's compensation policies.³⁹ Many property and liability companies in the industry subscribe to the loss indexes. When a claim is filed, the insurer reports basic information on the claim to the proper index and, in return, receives from the index a copy of any previously filed reports on the claimant. In addition, the insurer, on the basis of such a report, can go to the company that filed it for further information.

    The Fire Marshal Reporting Service

    The Fire Marshal Reporting Service (FMRS) reports to fire marshals in 27 States on fire claims its members have paid. In addition, the FMRS maintains an index on reported fire losses in every State which any member can use to determine the prior loss record of a claimant as a check, for example, on arson. Membership in the Service is available to all interested insurance companies in the United States. At present 189 belong.⁴⁰

    Unlike reports made to the other indexes, reports made to the Fire Marshal Reporting Service are made after the claim has been paid. Reports are mandatory in those 27 States where the Fire Marshal must be notified of all losses above a minimum amount ranging from $10 to $250. Otherwise, the Service accepts reports of losses in amounts of $250 or more. Currently, there are 1,067,000 loss reports on file, all of them generated within the previous six years.⁴¹

    Like Index System records (see below), Fire Marshal Reporting Service records are obtainable solely for the purpose of processing claims. "For a subscriber's authorized reporting office to initiate a search, the office must be handling and report a claim under the lines of coverage serviced . ... ⁴² The requirement that records be used only for claims purposes is enforced by requiring an index card from the inquiring subscriber before making any search or giving out any information.

    The Burglary and Theft Loss Index

    The Burglary and Theft Loss Index is maintained separately from the Fire Marshal Reporting Service, but membership in the FMRS entitles a company to receive reports from both systems. By using the Burglary and Theft Index, a member may detect simultaneous claims on the same item or a claim on a loss for which the claimant has previously been reimbursed. Part of the Burglary and Theft Loss Index is the Fine Arts Loss Index whose function is to expose fraudulent claims involving art objects and to help locate missing ones that have been the subject of prior claims.⁴³

    The National Automobile Theft Bureau

    The National Automobile Theft Bureau is a service organization sponsored, operated, and supported by approximately 500 insurance companies writing automobile, fire and theft insurance. The primary objectives of the Bureau are to assist in the recovery of stolen automobiles, to investigate automobile fire and theft losses which may be fraudulent, and to promote programs designed to prevent or reduce such losses. The Bureau operates as a national clearinghouse for stolen car information. Member companies report automobile thefts to the Bureau and the Bureau notifies member companies of recoveries, which are made primarily from police tow-away pounds.

    According to its operations manual, the Bureau maintains the following record systems:

    • National Stolen Vehicle File. This contains all Bureau members' reports on stolen vehicles and is used to detect fraudulent theft claims when several companies provide theft coverage on the same vehicle. Subfiles include information on impounded vehicles and stolen parts.
    • National Salvage File. Records in this system indicate the disposition of all late model vehicles sold for salvage by member companies. Each entry of a salvage record creates an automatic inquiry against the master file by vehicle identification number, State license number, named insured, and salvage purchaser. Inquiries to the system may detect dual insurance coverage, multiple losses by a named insured, fraudulent claims based on the use of salvage documents or counterfeit documents on nonexistent vehicles.
    • Manufacturers' Production Records. These are used in verifying that a vehicle was actually produced, and may also be used to find the dealer to whom a particular vehicle was originally sold. Each of the major U.S. manufacturers provides them to the Theft Bureau on microfilm.

    The Index System

    The Index System accumulates and makes available to its subscribers records concerning third-party personal and bodily injury claims. The Index System is maintained solely for use in claims processing. Ten branch offices serve all 50 States, the District of Columbia, the Commonwealth of Puerto Rico, and the Virgin Islands.⁴⁴ Subscribers report claims to the office servicing the territory where the incident occurred. Receipt of a properly completed index card from a subscriber triggers a search of the Index. If the search turns up prior submissions on the claimant, the subscriber will be sent a photocopy of all of them.

    The Index System is decentralized. Searches are normally limited to the records of the receiving branch office. Where the submitted index card shows that the claimant lives or once lived in the geographic area of another office, however, the inquiry is automatically referred to that other office for further checking and disclosure directly to the inquiring company of any record found.⁴⁵ The Index System "Instructions for Subscribers" says that "each subscriber is expected to cooperate by furnishing information contained in its claims files to other subscribers ...,"⁴⁶ and also permit the insurer who has been asked for information to ask, in turn, for information from the inquirer. This allows two insurers who are in the act of settling claims by the same individual to communicate with each other.

    There are two limits to these exchanges of claims information directly between insurers. First, ."the exchange of information on [auto-related] medical payment, death and disability claims is at the discretion of the subscriber."⁴⁷ Second, "the Inquiry Form is to be used only in cases where substantial claims are involved to relieve subscribers of unnecessary work in procuring and examining closed files."⁴⁸ (Italics in the original.)

    Reports to the Index System must be limited to claims of the following types: automobile liability (including uninsured motorists); automobile accident reparation (or personal injury protection); liability other than automobile, including liability claims under homeowners, commercial, multiple peril, yacht, pleasure craft, and aircraft policies; claims based on false arrest, assault and battery; malpractice claims; and worker's compensation claims. Worker's compensation claims are supposed to be reported only when they involve: (1) disability due to amputation, back injury, disfigurement, dislocation, eye injury, fracture, head injury, hernia, loss of hearing; (2) injuries with possible lost time payments of $500; (3) occupational diseases with possible medical and lost time payments of $1,000; (4) lost time claims by longshoremen and construction workers; or (5) a suspicion of fraud. A report must be made on any claim falling in these areas, except that reports on auto-related medical, death and disability claims are discretionary.⁴⁹

    Subscription to the Index System is open to "all insurance companies writing bodily injury liability coverages without regard to membership in the American Insurance Association."⁵⁰ To belong to the System, one must either be a liability insurer where liability claims are made against an insured, or a self-insurer (such as an employer) which may have liability claims made directly against it.⁵¹ About 26 percent of the Index System subscribers are selfinsurers, but they represent a very small percentage of those that report.⁵² In total, the Index System currently has 1,183 subscribing insurers and self-insurers and maintains records on approximately 28 million bodily injury claims reported during the System's six-year report retention period.⁵³

    A witness from the Index System offered some anecdotal evidence of its efficacy in uncovering fraud. One story tells of an elderly woman who constantly sustained minor injury to ;per mouth because of glass in a sandwich.

    In appearance, she resembled the classical image of . . . [a] grandmother-unassuming, nondemanding, doing a public service by calling attention to a deficiency in an insured's kitchen with no intent of making a fuss. From the viewpoint of the insurance carrier, liability was there; the demand was modest. The settlement was simple and uncomplicated. In fact . . . the insurance company almost had to force payment upon the claimant to accept any compensation for her inconvenience and minor injury.

    The sad truth was that "grandma" was a professional claimant. In her purse, she carried glass fragments which she would place in her mouth to cause a laceration. She would, then, call the waiter, display the physical evidence of the glass bit and the bloody napkin. Her manner would be mild and full of concern for other diners who might not be so fortunate in sustaining only a minor injury. She was literally in the claim business.

    Fortunately, in her travels, she did establish a pattern of reports involving subscribers [to the Index System] which led to an investigation of her activities and ... agreement to divert her activities to more constructive lines.⁵⁴

• Type or paste your content here

  • Both life and health and property and liability insurers routinely disclose information about an applicant or insured to the agent, to the extent necessary to service the policy; to reinsurers (when a company underwriting a large policy wants to reduce its exposure to loss); to an insured's physician; to inspection bureaus to facilitate the preparation of an investigative report; and to other types of investigators asked to prepare such reports. Because insurance is often required to buy a house, operate a car, pursue a career, or conduct a business, they may also disclose information about an individual to loan institutions and employers.

    Further, life and health insurers, as indicated in the preceding sections, also disclose information to the Medical Information Bureau or the Impairment Bureau, and may provide details to another member insurer when requested to do so. Property and liability insurers, for their part, routinely notify the loss indexes of certain claims, and, in some cases, may notify the Insurance Crime Prevention Institute (see below).

    Some potential insureds are judged to be so likely to produce adverse claim experience that they cannot obtain insurance in the normal manner. The driver with a poor record poses two problems. The first is meeting his own acute need for financial protection and perhaps his ability to qualify legally as a registered vehicle owner. The second is protecting society from the harm which an unsafe driver is likely to inflict on others. State "assigned-risk" insurance plans were formed to provide coverage to a driver whom companies consider an unacceptable risk and thus can require information about him to be disclosed to the administrators of the plan as well as to the insurance company to which his application is assigned.

    Both life and health and property and liability insurers may release information about individuals to State insurance department officials in response to inquiries or complaints, and in the course of periodic examinations of company underwriting practices and procedures by such officials. Independent auditors employed by an insurance company make similar checks for the same purpose. In addition, because insurance companies are repositories of detailed information about individuals, their records are often requested by Federal as well as State government agencies and law enforcement authorities.

    Finally, to make it possible for residents and property owners in high risk locations to purchase insurance against losses due to crime, civil disorders, and floods, partnerships have been formed between insurers and government agencies which make it necessary for insurers to disclose information about individuals to the agencies participating in such programs.

• Information Flows from Support Organizations

  • The extensive flow of information about individuals into and out of organizations that conduct underwriting and claims investigations for insurers is described in Chapter 8. Medical Information Bureau rules, however, require a court order before information about an individual may be disclosed to anyone other than a member insurance company and while the property and liability loss indexes will be satisfied with a subpoena, rather than a court order,⁵⁵ they normally disclose information in their records only to a subscribing insurer submitting a properly prepared index card in connection with a current claim. The exceptions to this policy are the disclosures the Index System makes to the Marine Index Bureau and the disclosures any of the indexes may make to the Insurance Crime Prevention Institute (ICPI).

    As indicated earlier, subscribers to the Index System are told to report lost-time claims filed by longshoremen. One reason for this is to make such information available to the Marine Index Bureau, whose subscribers are vessel owners. The owner of a vessel is responsible for its seaworthiness, which includes the quality of the crew.⁵⁶

    In addition, an index may disclose information about an individual to the Insurance Crime Prevention Institute. As one witness from the indexes told the Commission: "We are an indicator. If the reports from the index system discern a pattern that might be of interest to the carrier or the ICPI ... it is referred to them."⁵⁷ According to the testimony, however, an index would not send unsolicited reports to the ICPI unless it receives "four within a relatively short period of time of the same nature," or unless, in a two-claim situation, "the accident occurred on the same date with different insurers or at a different place with the same injury." Alternatively, the ICPI may come to an index and ask for a search, in which case it is treated in the same manner as any subscriber.⁵⁸

    The Insurance Crime Prevention Institute

    The Insurance Crime Prevention Institute is a nonprofit corporation which operates as a trade association to uncover insurance fraud for property and liability insurers. The ICPI has its headquarters in Westport, Connecticut, maintains regional offices in New York City, Chicago, and Los Angeles, and has investigators stationed in major cities throughout the country.⁵⁹ Membership is open to property and liability insurance companies licensed in any of the 50 States.⁶⁰ Currently its membership is made up of 312 companies that underwrite 70 percent of the casualty and property insurance business.⁶¹

    ICPI's purpose is to prevent and detect fraudulent insurance claims. Its focus is solely on criminal fraud, and the Institute's bylaws specifically prohibit it from assisting companies in claims settlement or civil actions incident to settlements ^.62 Typically, an Institute investigation begins when a member sends information on a claim which the company suspects may involve criminal fraud. Other investigations are initiated by the ICPI based on information it receives from various sources, such as law enforcement agencies, "inside tipsters,"⁶³ or the loss indexes. In either case, however, the ICPI has complete control over its investigative activities, and may decline or initiate investigations as it sees fit.

    If an ICPI investigation produces reasonable evidence of fraud, the matter will be "reported to a public law enforcement agency for whatever action it deems to be appropriate."⁶⁴ The ICPI investigator may go to insurance companies or an index for information. Going to an index will, of course, lead the investigator back to the insurers that have had claims filed by the individual under investigation. The investigation may consist of interviewing the claimant, verifying medical statements, verifying lost-wage statements, or searching police or court records ⁶⁵

    The Director of the ICPI testified that the Institute

    exercises extreme care in referring its investigative findings to law enforcement agencies . . .. Each case is checked for completeness of investigation and sufficiency of evidence before the investigator is authorized to present his report to a law enforcement agency. Aside from considerations of fairness to the subject of the investigation, civil tort law provides adequate incentive for caution.⁶⁶

    Where there is evidence of professional misconduct, such as where a physician inflates a bodily injury insurance claim, the ICPI can also make its file available to licensing authorities.⁶⁷

    ICPI characterized its relationship with the law enforcement community in its testimony as that of a "citizen coming forward with evidence of a crime."⁶⁸ The Institute will sign criminal complaints to initiate prosecution in instances where an insurance company has been the victim of a fraud and, when it does so, will voluntarily give a copy of its file to law enforcement officials. As the ICPI Director testified:

    It is a generally recognized exception to the principle of confidentiality that an insurance company, finding itself to be the victim of a fraudulent claim, may voluntarily release the pertinent records of that transaction to the police to obtain criminal justice . . . . The Institute, in effect, does no more than to perform this hay: 'or the insurance company . ⁶⁹

    Occasionally, law enforcement officials will come tie ICPI for information:

    If there is a large arson in the Bronx on Sunday night, on Monday morning we are going to get a call to ask if we have a, file on the owner . . . . If it is a legal and valid investigation, we will assist them in getting the information.⁷⁰

    The ICPI employs approximately 70 full-time investigators, most with law enforcement backgrounds, and is licensed as a private detective agency in those jurisdictions which require licensing.⁷¹ It investigates about 6,000 cases each year. In 1976, this resulted in the indictment of about 600 people. According to the testimony, it concentrates on two main areas of criminal fraud. The first is the ambulance-chasing attorney or the doctor who exaggerates claims, and the second is organized crime.⁷²

• The Individual in the Insurance Relationship

  • As is evident from the preceding sections, the insurance industry is highly dependent upon recorded information about individuals. This dependence creates a number of privacy protection problems, some of which are inherent in the insurance system, but can be controlled, and some of which present real or potential abuses that need to be eliminated.

• The Intrusiveness of Certain Collection Practices

  • Insurance underwriting involves two separate decisions: (1) whether the insurer wants to insure the applicant at all (selection); and if so, (2) at what price and terms (classification). The need to make these two judgments dictates the kind and quality of information an insurance institution collects and maintains about an individual applicant or policyholder.

    In making these two types of decisions insurers look to physical hazards-medical hazards in life and health underwriting and in property and liability underwriting, the condition of the property, its use, and its surroundings. Underwriters also look to what is termed moral hazard. Evaluation of moral hazard is made by examining attributes of the applicant which suggest a greater than average likelihood of a loss occurring or the potential for unusual severity of loss-either an absence of a desire on the part of the individual to safeguard himself or his property from loss or a positive willingness to create a loss or to deliberately inflate a claim.

    Thus, it is not surprising that the evaluation of moral hazards, particularly in property and liability underwriting, is the area where the greatest number of objections to insurers' information collection practices have been raised. An inquiry may cover drinking habits, drug use, personal and business associates, reputation in the community, credit worthiness, occupational stability, deportment, housekeeping practices, criminal history, and activities that deviate from conventional standards of morality, such as living arrangements and sexual habits and preferences. Because the relevance of many of these particulars can be hard to demonstrate, and because the judgment as to their relevance is often left to the underwriter handling a particular case, their propriety has become subject to question.

    From the standpoint of many applicants and insureds, the dichotomy between the individual's privacy interest and the insurer's interest in evaluating risk is probably not as great as it seems at first glance. The low-risk applicant benefits from an underwriting evaluation that results in unusual risks being eliminated or written at a higher premium because that keeps the cost of his insurance down. The Commission was continually reminded that it is in the interest of the applicant to have complete and accurate information on which this judgment can be based so that he can be insured at the proper rate; that the insurer must be able to evaluate the risk it is being asked to assume if premium charges are to bear a reasonable relationship to expected losses and expenses for all insureds within a similar classification.

    Economic forces may, however, work against a given individual. Because insurers compete against each other for the better risks, they do not have much incentive to look behind some of the criteria they use to sort the good risks from the bad. If their experience suggests, for example, that slovenly housekeepers make poor automobile insurance risks, they tend to be wary of all slovenly housekeepers. The problem, in other words, is not that the category of information lacks predictive value in all instances, but rather that it is applied too broadly.

    Another source of concern in the area of intrusive collection practices stems from the use of so-called pretext interviews and other false or misleading information-gathering techniques. This concern was brought into sharp focus by recent publicity concerning Factual Service Bureau, Inn. (now Inner-Facts, Inn.), an investigative-support organization whose services were used by insurers in a number of cities throughout the country. Factual Service Bureau employees regularly misrepresented their identity and purpose in order to obtain medical-record information from hospitals and other medical-care providers without authorization. The insurers that used Factual Service Bureau should have known that it employed such intrusive techniques and generally engaged in questionable methods of information collection. Factual Service Bureau openly advertised its ability to procure confidential information about an individual without his authorization.⁷³ Thus, even the insurers who had no actual knowledge of the techniques being used by Factual Service Bureau on their behalf may be said to have condoned its activities by their silence or failure to investigate more fully the practices and techniques used.

    The Factual Service Bureau case also illustrates a broader problem which results from the apparent lank of restraint exercised by insurers over the support organizations they use to collect information about individual applicants, insureds, and claimants. In the claims area particularly, where a great deal of money may be at stake or where the suspicion of fraud may be high, many insurance companies have tended to look the other way while hiring support organizations that use questionable information collection practices and techniques.

• Unfair Collection, Use, and Disclosure Practices

  • Because of their acknowledged dependence upon information about individuals, insurance institutions are reluctant to deprive themselves of inexpensive access to it. There are few restrictions within the industry on the sharing of personally identifiable information or on obtaining it from sources outside the industry. This is true of insurance institutions and support organizations alike, and can lead to some highly questionable collection, use, and disclosure practices.

    As indicated earlier, the Medical Information Bureau, until recently, retained claims information even though it no longer allowed it to be reported, and inserted a "failure to find impairment previously reported" code rather than deleting the impairment reference. To maximize the utility of information already collected, insurance institutions also piggyback on the information collection and use practices of other insurance institutions and support organizations. This dependence adds . to the widespread exchange of information throughout the industry, not only by organizations like the Medical Information Bureau and the Impairment Bureau but by investigative-reporting agencies (inspection bureaus) and other insurance-support organizations that save and reuse the information they collect. Thus, once a mistake enters the system, its adverse effects are likely to proliferate, resulting in repeated unfairness to the individual.

    The competition among insurance institutions has generally militated against adequate sensitivity to the fairness issue in record keeping. To be sure, this situation has been changing as particular companies have promulgated privacy protection principles to be followed in the conduct of their business. Except for the support organizations subject to the Fair Credit Reporting Act, however, record-keeping practices still remain by and large discretionary within the industry.

    Insurance institutions and their support organizations have been concerned about certain types of disclosures to third parties and about data security problems. The admitted purpose of these safeguards, however, is to protect the business privilege as a limited defense to common law actions of defamation. Thus, they do little to constrain exchanges of information about individuals within the industry or to control the quality of the information used.

    The lack of attention to fairness issues in record keeping about individuals has resulted in the structuring of information flows and uses so that neither the insurance institution nor the individual applicant, insured, or claimant is responsible for the quality of the information used. The individual is at a disadvantage because record-keeping practices within the industry are opaque from his point of view. He currently enters into an insurance transaction without being aware of the relationship's implications for his personal privacy because he does not understand how extensive or intrusive information gathering may be. Nor does he know the consequences of the notices on his application-for example, that the Medical Information Bureau notice means information about him may be reported to the Bureau not only from the application itself, but also as a consequence of the underwriting investigation the insurer may conduct. Because he lacks adequate knowledge of the practices followed, the individual cannot make the forces of the marketplace work for him. He is not given an opportunity to weigh the relative benefits which might be obtained through the insurance transaction against the personal cost of revealing and having others reveal information about him.

    Nor does the individual always know why the insurer is collecting information about him, or when it is being collected for purposes unrelated to establishing his eligibility for an insurance benefit or service. Insurers frequently collect marketing and actuarial information through the application. When a claim is filed, they may collect information for the purpose of reviewing the propriety of a treating doctor's fees or procedures as well as the eligibility of the particular claimant or the particulars of the specific claim. They may collect additional information to determine the advisability of continuing to market a particular kind of insurance. Yet, they do not normally advise the individual that this is being done.

    The individual is also placed at a disadvantage when he is asked to sign a form authorizing the release of recorded information about himself, because he is not specifically apprised of what he is consenting to. The commonly used blanket authorization form, in essence, authorizes the release of all information about the individual in the hands of anyone. Moreover, the type of authorization form currently used by insurance institutions typically has no stated purpose or expiration date, and may not be limited either as to the scope of the investigation or as to the sources of information. This again reflects the natural reluctance of insurance institutions to deprive themselves of easy access to any potentially useful information, or to decide in advance what information is needed for what purpose.

    As far as fair use is concerned, the relationship between the individual and an insurer is often unnecessarily and undesirably attenuated. Information he provides about himself is only partly the basis for the decision made about him, and the decision is made by someone he does not know and with whom he normally has no direct interaction. In addition, records maintained by a variety of institutions within and without the industry may be brought to bear on the decision about him, while he believes he is only dealing with one such institution. That one institution, moreover, assumes no obligation to give him access to the information compiled about him or to afford him the opportunity to correct or amend information he believes to be inaccurate.

    Under the existing system, the individual cannot adequately protect himself against the use of poor quality information in making underwriting decisions about him. Frequently, the individual is not told the reason for an adverse insurance decision. The insurance laws and regulations of many States require insurers to disclose to the individual (in some cases, only on request) the general reasons for cancelling or refusing to renew a personal automobile insurance policy. Few States, however, require insurance institutions to give individuals the reasons for a declination or a rating.⁷⁴ If the reason and supporting information for an adverse underwriting or rating decision do not arise out of a report prepared by a support organization subject to the disclosure provisions of the Fair Credit Reporting Act, the individual may be unable to find out why the decision was made, or whether inaccurate or incomplete information was at fault.

    Life and health insurance institutions generally advise an applicant of the information that led to an adverse underwriting or rating decision only if they consider the information harmless (e.g., hazardous occupation, obvious health impairment). Typically, however, the specific items of information and their source are not revealed unless they came from a support organization subject to the Fair Credit Reporting Act, or from the applicant himself. When an individual requests a specific explanation for an adverse decision and the basis was medical-record information, most life insurers will divulge the information, but only to the applicant's personal physician. However, they virtually never tell the individual the specific reasons and supporting information for an adverse decision when the information concerns his character, morals, or life-style.

    In property and liability insurance, an adverse decision may or may not lead to the insurer divulging the reasons and supporting information to the applicant. As in the life and health area, whether the insurer considers the information to be harmless will be a factor. With the exception of the State automobile insurance laws and regulations mentioned above, however, the consumer has no legal right to be told the reasons or information supporting an adverse insurance decision.

    When an individual contacts the Medical Information Bureau, he or his physician, in the case of medical-record information, only learns the summary data that has been reported about him.⁷⁵ He does not learn how the reporting insurance company translated the underlying information into a code, and while he is told where the underlying information is, he, unlike another insurer, cannot get it automatically from the reporting company.

    If the adverse decision was based on information in a report prepared by an inspection bureau, the Fair Credit Reporting Act only requires the insurer to tell the individual the organization's name and address. [15 U.S.C. 1681m] The individual has the right to learn the "nature and substance" of the information about him in the inspection bureau's files, but this is no assurance that he will be able to identify the reason for the adverse decision or the particular items of information on which it was based. To go to the inspection bureau is time-consuming for the individual and may effectively prevent him from getting on firm enough ground to ask for reconsideration of the decision if it turns out that there was erroneous information in the report. To have a real voice in the quality of information on which decisions are based, the individual needs to know the reasons for the adverse action and the specific items of information that support the reasons.

    The Commission is also concerned that the mere fact of a previous adverse underwriting decision may unfairly stigmatize an individual who applies later for comparable insurance. Without knowing the reasons for it, some insurers use the mere fact of a previous declination or other adverse decision by another insurer as the basis for rejecting an applicant.⁷⁶ Yet a previous declination may have nothing to do with the individual's qualifications where, for instance, the insurer that declined him did so only because it had decided to restrict its underwriting in a certain area. Thus, when an insurer acts on the fact of a previous adverse decision alone, it may reject an individual whom it would otherwise have accepted if accurate and complete information were developed. Stigma may also result when an individual has previously purchased insurance from a "substandard" insurer or through an "assigned-risk" plan, even though the reasons for such previous action may not involve the individual or his eligibility directly.⁷⁷

    The Commission has not found that this problem exists in life and health insurance underwriting to the degree that it clearly does in personal property and liability insurance. Property and liability insurance applications often ask the individual whether he has previously been declined or rated, but rarely ask the reason for the rejection, presumably because, under the current system, the applicant will seldom know. A high percentage of the reasons may, in fact, relate to adverse characteristics possessed by the individual applicant or insured, as opposed to a general market condition unrelated to the individual's characteristics. Present practice, however, fails to distinguish between the two types of rejections.

    Accepting from lay sources information that only a professional is competent to report is another questionable practice that stems from an insurer's reluctance to deprive itself of any information that may turn out to be useful. Medical-record information is crucial to life and health insurance underwriting and to claims processing. Collection of such technical information from anyone other than the individual himself, a medical source, or a close family member invites inaccuracies. Nevertheless, some insurers not only seek information concerning an individual's health from agents, or from the individual's neighbors, friends, and associates, but also use it as the basis for declining his application. Such information may also be communicated to other insurers. Until recently, the Medical Information Bureau accepted medical information obtained from lay sources, and the Impairment Bureau and the property and casualty loss indexes still do.⁷⁸

    Although support organizations such as the Medical Information Bureau have rules with respect to the type and quality of information reported to them, the rules are difficult to implement and enforce. The MIB, for example, has no way of knowing, except through periodic audits of member companies, whether medical or other information reported to it has come orginally from an authorized source. Thus, it cannot effectively control the quality of information in its files. Nor does the Bureau keep a complete accounting of all the disclosures,⁷⁹ the result being that it cannot always propagate corrections when inaccuracies are discovered. The property and liability loss indexes also have no way of knowing whether a subscriber has falsely filed an index card without having a real claim, or whether, once received by an insurance institution, the index information is used for other purposes, such as underwriting, or making a personnel decision.⁸⁰

    Perhaps the best example of the inability of support organizations to regulate the use of the information they provide is the Medical Information Bureau's rule which prohibits the use of a Bureau report, intended only as an alert, as the basis for declining an applicant.⁸¹ Compliance with this rule has not been carefully audited in the past, and testimony before the Commission by the MIB indicates that as a result of the MIB's own audits there is evidence that some life insurers do render adverse decisions based solely on Medical Information Bureau codes.⁸² Furthermore, the reinvestigation requirement the MIB imposes on its members can be satisfied by going to an inspection bureau and getting information on file there-the same information which another insurer may have used to decline the applicant.

    To some extent these problems are endemic to data exchanges, like the MIB, that are controlled by their users. Being wholly dependent, they cannot be expected to enforce their rules against those who sustain them. The end result, however, is that poor quality information can, in a variety of ways, cause an individual to be denied an insurance benefit or privilege for which he would otherwise be eligible. The insurer may lose too, by forfeiting a customer or by having its relationship with an existing policyholder deteriorate. Obsolete, inaccurate, or incomplete information serves no one.

• The Absence of a Strict Duty of Confidentiality

  • There is an understandable public concern about the confidentiality of records about individuals that insurance institutions and their support  organizations maintain. As previously noted, the collection of information about an individual without his full knowledge of the scope of the inquiry and its consequences may weaken the relationship between the insurer and the individual. The individual may be deterred from applying or may mistrust the insurer when he does apply. The Commission heard testimony that some people do not buy insurance for fear that the resulting information flow will come back to haunt them, either in a subsequent insurance decision or through disclosure to their employer.⁸³ Others do not use their benefits-for instance, psychiatric coverage-for fear claims information will not be held in strictest confidence.⁸⁴ In addition, the individual may he more likely to lie about information which he feels may go beyond the insurer. Confidentiality has become such a concern that some who maintain records about individuals, such as doctors and psychologists, are increasingly reluctant or unwilling to disclose the information in them, even when authorized to do so by the individual.⁸⁵ Other sources, such as neighbors and associates, may also refuse to provide information or may provide inaccurate information.

    Although insurance institutions and support organizations now assume some responsibility for the confidentiality of the information they collect and maintain on individuals, earlier parts of this chapter show the extent to which personally identifiable information is disclosed by numerous insurance industry organizations. Within the industry, information sharing occurs on a routine basis. Moreover, information may be disclosed to those outside the industry without the individual's knowledge.⁸⁶ The Commission believes that the key to solving this important problem is to create an enforceable expectation of confidentiality which clearly delineates the circumstances under which an insurance institution or support organization may disclose information about art individual without his authorization.

• Current Legal Restraints on Record-keeping Practices. State Insurance Regulation

  • The primary regulatory mechanisms for overseeing the activities of insurance institutions are at the State level. State regulation has developed around two basic aims: (1) maintaining the solvency of individual insurance companies; and, (2) assuring fair business practices and pricing. Although interest in the record-keeping practices of insurance institutions has increased in the last few years, few States have focused significant attention on the privacy protection problems the Commission has identified. No State, to the Commission's knowledge, has enacted privacy protection legislation which would affect insurance record-keeping practices. More-over, regulation of insurance record-keeping practices at the State level is limited because State Insurance Departments do not have regulatory authority over most insurance-support organizations.

    There are, however, existing regulatory mechanisms at the State level which could be used to implement some of the Commission's insurance recommendations. These include the unfair trade practices provisions of State insurance laws, and the authority State Insurance Commissioners have been given over the contents of those application forms which are considered part of the policy.

    Most States have passed a version of the Model Unfair Trade Practices Act.⁸⁷ These laws are applicable to all types of insurance and are designed to protect the insurance consumer by prohibiting insurance institutions from engaging in a wide range of practices specifically defined by the Act to be unfair. The Act includes prohibitions against false advertising, defamation of competitors, boycotts, fraudulent financial statements, rebates, and unfair discrimination. Many States have added to this statute an Unfair Claims Practices Act which protects claimants by forbidding unreasonable claim settlement practices, including misrepresentation, delays in claim payments, and claim settlement offers which are so low as to compel claimants to institute litigation to collect their claims.

    The Model Act provides the State Insurance Commissioner with several mechanisms to enforce the prohibition against defined unfair trade practices. The Commissioner has the authority to promulgate regulations identifying the methods of competition or practices which come under the specific prohibitions enumerated in the Act. In addition, the Commissioner may hold a hearing and issue a cease and desist order whenever he believes an insurer is engaging in one of the unfair practices. Monetary penalties or suspension or revocation of a company's license may also be imposed for a violation of the defined unfair trade practices where the insurer knew or should have known that it was in violation of the Act.

    In addition to the Commissioner's powers to enforce defined unfair trade practices, the Model Act also provides that he may hold hearings on any act or practice which he believes is unfair, even though the practice is not specifically defined in the Act. If, after a hearing, an undefined act or practice is found to be unfair, the Commissioner may issue a cease and desist order. The Model Act, however, does not empower the Commissioner to add by regulation new acts to the defined unfair trade practices, or to impose monetary penalties for engaging in undefined unfair trade practices.

    Some States already make use of the Unfair Trade Practices Act prohibition against unfair discrimination to regulate record-keeping practices. The regulations, however, are limited in scope and, in almost all instances, are concerned with the use of infor mation in the underwriting process rather than its actual collection. For instance, the Privacy Commission heard testimony on the regulation of the relevance of information used in the underwriting process from a representative of the California Insurance Department. California has used its regulatory authority under its unfair trade practices laws to prohibit unfairly discriminatory practices on account of sex, marital status, unconventional life-styles, and sexual orientations differing from the norm. The California Department normally does not attempt to prohibit collection; rather, it acts on an ad hoc basis to prohibit the use of certain criteria in underwriting decisions upon the receipt of complaints from insurance consumers.⁸⁸

    Because the Model Unfair Trade Practices Act is applicable to all lines of insurance and contains strong enforcement provisions, it can serve as an appropriate regulatory mechanism for several of the Commission's recommendations. It will, however, be necessary to amend the Act to define certain unfair record-keeping practices as unfair trade practices. These unfair practices would then be subject to the full range of regulatory and enforcement authority granted Insurance Commissioners under the Model Act, including the power to hold hearings and issue cease and desist orders, and to impose monetary penalties.

    Many State Insurance Commissioners have an additional power which could assist in the implementation of certain of the Commission's recommendations. In many States, Commissioners have the authority to approve policy forms. In the case of life and health policies, application forms are considered a part of the policy, so they would be subject to the Commissioner's approval. Thus, Insurance Commissioners in a number of States would be in a position to monitor and enforce the Commission's notification, authorization, and previous adverse decision recommendations insofar as life and health insurance are concerned.

• Federal Regulation

  • The Federal government has only one law which affects the record-keeping practices of the insurance industry-the Fair Credit Reporting Act. The FCRA governs the use of inspection bureau reports prepared by support organizations in connection with underwriting decisions by insurers, and thus its effect on insurance institutions is limited to their role as users of such reports. There are also a few State fair credit reporting statutes similar to the Federal one. The Commission believes that amending the Fair Credit Reporting Act is a good mechanism to implement many of its recommendations that are beyond the scope of the present Act, including some of its insurance recommendations. The scope of the Act could be broadened, and its title and enforcement framework could be altered to reflect the new scope presented by some of the Commission's recommendations. In addition, the oversight functions presently given to the Federal Trade Commission could be expanded, thus avoiding the necessity of creating a new Federal agency to oversee implementation of those Commission recommendations which are proposed for adoption by amendment of the FCRA.

• The Common Law

  • The final constraint upon record-keeping practices in the insurance industry is provided by the common law actions of defamation and privacy. Defamation provides liability for damage to reputation caused by the publication of untrue information about an individual. The tort of invasion of privacy provides liability under certain circumstances for, among other things, public airing of private information about an individual. Insurance institutions and support organizations may be able to raise a qualified privilege in defense of such actions.

    In recognition of the need for a free flow of information in commercial transactions, most States have recognized a qualified business privilege which provides a defense for otherwise defamatory statements when made to the proper parties, in a proper manner, and for a valid business purpose, except if the statement is false and made with malicious intent to injure the individual to whom it refers. Similarly, there is a qualified privilege for invasion of privacy actions. These limits on common law actions enable insurance institutions and support organizations to exchange information for legitimate purposes relatively free of legal restraints. As noted earlier, however, the privilege is available only when information is disclosed to someone deemed to have an interest in it. It is for this reason that insurance institutions and their support organizations are careful to guard against the disclosure of information to anyone outside of the industry.

• Recommendations

  • The Commission's approach to the problems described in this chapter has been to focus on strengthening and balancing the relationship between the individual insurance applicant, policyholder, or claimant and the insurance institution with whom he deals. As indicated at the outset, the Commission's recommendations have three objectives:

    (1) to create a proper balance between what an individual is expected to divulge about himself to a record-keeping organization and what he seeks in return (to minimize intrusiveness);

    (2) to open up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him made on the basis of such information (to maximize fairness); and

    (3) to create and define obligations with respect to the uses and disclosures that will be made of recorded personal information (to create a legitimate, enforceable expectation of confidentiality.)

    In the insurance area, as in others it has studied, the Commission also believes that giving an individual certain rights without placing corresponding obligations on the institution with whom he has the primary record-keeping relationship is not likely to bring about adequate remedial action. Thus, the Commission believes that insurance institutions and insurance-support organizations must assume greater responsibility for their personal-data record-keeping practices. In some cases, this can be accomplished by bringing the forces of the marketplace to bear on record-keeping policy and practice, through voluntary adoption of standards set forth in this report, or through court action by individuals to enforce their rights. In others, government agencies should also be called upon to play monitoring and corrective roles. The Commission believes that both parties will benefit from this approach. The individual's position with respect to the records the insurance relationship generates about him will be strengthened, while insurers and insurance-support organizations will be assured of obtaining the kind of information that promotes fair and efficient operations. Greater confidence in insurance institutions and their role in society should result from opening up the process in this way.

    One of the major reasons legislation is needed is that the individual is currently at a disadvantage in the insurance relationship. Some of the Commission's recommendations have attempted to protect the applicant, policyholder, or claimant by placing certain restraints on the insurer-limiting certain collection techniques, creating standards for the authorization forms used, and requiring reasonable procedures in the collection, use, and disclosure of information about an individual. The Commission's aim, however, is not so much to constrain insurance institutions and support organizations as it is to enhance the position of the individual so that he can protect his own privacy interests. To this end, the Commission has concluded that the insurer should inform the individual of the scope of its underwriting inquiry by a clear notice and an adequate authorization form; that the subject of an investigative report should be interviewed if he so desires; and that a mechanism should be created whereby the individual can question the propriety of a specific type of inquiry made in connection with an insurance decision about him. These recommendations are designed to give the individual a central role in the record-keeping practices (including information collection) of the insurance industry.

    The ability of the individual to protect himself depends upon the knowledge he has of the records that are made about him. Thus, an individual should have access to a record about himself and a mechanism should exist whereby disputes concerning the accuracy of such a record can be settled. Access and correction rights are also needed to enable the individual to protect himself from investigations which exceed the scope of the notice he is given at the time he seeks to establish a relationship with an insurer, and to assure that the records maintained about him are accurate, timely, and complete. In addition, the individual should be informed of the reasons for an adverse decision about him and the specific information which supports those reasons, so that he can protect himself from unfair treatment resulting from the use of inaccurate, obsolete, or incomplete information.

    This approach is not simply intended to be a procedural one. Rather, it is intended that the dynamics of the relationship between the insurer and the individual, rather than action by a legislature or regulator, will create certain standards governing the collection, maintenance, use, and disclosure of information by insurance institutions and support organizations. The Commission believes that notice, access, dispute, and an enforceable expectation of confidentiality are the tools an individual must have if he is to play an effective role in preventing the record-keeping practices of insurance institutions and support organizations from trespassing on his privacy interests. Armed with them, he can exert constructive pressure upon an insurer or agent. Even where the abuse concerns an insurance-support organization, pressure will be most effective on the insurer or agent, because the individual has a direct relationship with them, and because the prospect of adverse publicity that could affect the insurer's position in the marketplace provides the insurer with more incentive to be responsive than the support organization.

    Overall, the Commission believes that the strategy it proposes for implementing these recommendations is a reasonable and practical one in that it:

    • uses existing regulatory and legislative mechanisms to the maximum extent possible;
    • keeps the cost of administration and compliance at acceptable levels;
    • provides inducements to comply willingly so that disputes over compliance can be kept to a minimum; and
    • provides reasonable protection against liability for unintentional failure to comply, coupled with appropriate penalties for willful failure to comply.

    As previously noted, because insurance is regulated primarily by State Insurance Departments, the Commission believes that the responsibility for implementing some of its recommendations should be properly lodged at the State level. In addition, the personal-data record-keeping practices of insurance institutions are also regulated to some extent by the Federal Fair Credit Reporting Act which the Commission believes is the proper vehicle for implementing recommendations that aim to strengthen the insurance relationship by eliminating artificial distinctions between the record-keeping practices of insurance institutions and the record-keeping practices of their support organizations. Finally, for reasons that are fully elaborated in Chapter 9 on government access to records about individuals maintained by organizations in the private sector, the Commission has concluded that the enforceable expectation of confidentiality it recommends must be implemented by Federal statute.

    It should be noted, moreover, that the recommendations to be implemented by Federal statute, including those that would be implemented by amending the Fair Credit Reporting Act, give the individual actionable rights against insurance institutions and support organizations. The Commission has explicitly rejected the establishment of a Federal regulatory structure that could be quite costly both to the taxpayer and to the insurance industry. Instead, by making those who do not comply civilly liable for their failure to do so, and by making it comparatively easy for such actions to be brought, the Commission believes that a strong incentive for systemic reform will be created without subjecting those who favor reform to unnecessarily costly government regulation. The burden will fall on those who by their actions willfully and repeatedly disregard their responsibilities rather than on those who make a good faith effort to comply fully. In short, the implementation of the Commission's recommendations is designed to place an increasing financial burden on those companies who encourage costly disputes by resisting openness, or who fail to adopt reasonable procedures to control the collection, use, or disclosure of records about individuals.

    Finally, insurance institutions should not be unduly exposed to liability which arises only because of the openness of the process. The objective of the Commission's recommendations is to cleanse the system of decisions based on inaccurate or incomplete information; not to create windfall recoveries for bad information or practices of the past.

    Definitions for some of the terms used in the recommendations and discussion which follow may be found in the glossary at the end of this chapter.

    Intrusiveness

    The Commission's first three recommendations address the scope and character of the inquiry to which an insurer may require an individual to submit as a condition of establishing or maintaining an insurance relationship. Because insurance is concerned with the protection of individuals or personal property, the process of granting insurance coverage necessarily involves intrusions on personal privacy. The question is simply (or perhaps not so simply) how much of an intrusion and by what methods.

    GOVERNMENTAL MECHANISMS

    For some years now, controversies over the propriety of asking certain kinds of questions of an individual have generally centered on the relevance of the information sought to the decision to be made. For example, the Privacy Act of 1974 requires each Federal agency to limit its collection, maintenance, use and dissemination of information about individuals to that which "is relevant and necessary" to a purpose the agency is required to perform by statute or Executive Order.⁸⁹ The California Insurance Department, relying on its authority to prevent unfairly discriminatory practices, investigates the relevance of certain items of information used by insurers doing business in the State and may prohibit the use of any item whose relevance to underwriting decisions or pricing cannot be demonstrated to the Department's satisfaction.

    A related, and in many respects more difficult, question concerns inquiries which, while demonstrably relevant, are objectionable on other grounds. Legislatures may prohibit, and have prohibited, the use of certain items of information on fairness grounds. Race, for example, has been excluded as an eligibility or rating criterion for life underwriting even though its relevance to life expectancy can be demonstrated.⁹⁰ On the other hand, the Privacy Act of 1974 strives, not very successfully, to ban the collection and use of information pertaining to an individual's exercise of his First Amendment rights on the grounds that such inquiries by government agencies constitute an unwarranted invasion of personal privacy, i.e., that they fail the test not of relevance or fairness, but of propriety ⁹¹

    Thus far, there have been few instances in which items of personal information have been proscribed on grounds of impropriety, i.e., unwarranted intrusiveness. In the insurance area, California has come close in proscribing the collection and use of information concerning "moral lifestyle."92 The California approach is almost unique among State insurance regulatory authorities and all the California Department's other investigations, except for "moral life-style," have turned on other issues, such as fairness. In some cases regulation has not been necessary because the impropriety of certain types of inquiries is universally recognized. An example would be collection of information about an individual from his priest, minister, or rabbi.

    It should be noted, moreover, that fairness and propriety issues usually cannot be dealt with in the same way. As briefly discussed in Chapter 2, when. fairness is the overriding concern, such as in the Equal Credit Opportunity Act as amended, [15 U.S.C. 1691 et seq.], continued collection of certain information may be necessary to demonstrate that it is no longer being used to make decisions about individuals. For example, one cannot show that sex and race are not being systematically used to make credit decisions unless one can show that credit has been extended to women and minorities in proportion to their relative numbers in the credit grantor's market. And the most practical way to do that may well be to have the credit grantor record the sex and race of all applicants. This, however, is much different from situations where impropriety is the reason for proscribing information. There, the first act must be to prohibit collection, since the problem lies primarily in the asking of the question. Use may also be prohibited in such a situation but only to make sure that the information is totally excluded from the decision-making process.

    The Commission believes that, in the future, society may have to cope with objections to the collection of certain information about an individual on the grounds that it is "nobody's business but his own." In some cases, these propriety issues may be resolved by prohibiting an inquiry on the grounds that it is irrelevant, but in others, where relevance can be demonstrated, proscription may be necessary on propriety grounds alone. In the Commission's view, questions of this nature are best resolved on a caseby-case basis. One must be concerned about undue government interference in such controversies. The Commission believes, moreover, that all such determinations must be prospective, so as to avoid retroactive punishment for behavior which at the time was wholly consistent with prevailing societal expectations and norms. However, the Commission also believes that institutional mechanisms are needed so that such questions can be raised and resolved.

    Insurers have historically enjoyed considerable latitude in determining what information is and is not necessary to a given decision about an individual. Underwriting is far from an exact science. Moreover, industry spokesmen argue that the cost of collecting information is a powerful enough incentive to collect only relevant information. Yet others claim that insurance institutions collect a great deal of information whose relevance is questionable. Indeed, the industry has been criticized for not taking advantage of its actuarial and computer expertise to refine its relevance criteria.

    To a large extent, the relevance-propriety issue in insurance stems from some insurers' belief that they should insure only those of "high moral character," and should shun those whose mode of living differs from what society considers normal. In a society as diverse as ours, however, determining what "society considers normal" is no easy task, and relying on the independent judgment of underwriters to make this determination has led to considerable difficulties.

    The Commission is mindful of the complexities that lie beneath the surface of the relevance-propriety issue in the insurance area. It is aware that a few States have taken an interest in certain insurance-related inquiries. Most, however, have not. The Commission, moreover, is not fully persuaded that the problem can be handled exclusively through market mechanisms. Although Recommendation (5) (see below) seeks to set corrective market forces in motion, the necessity of insurance in today's society may make it difficult for individuals to make their objections felt. Furthermore, should there be sentiment in favor of banning a particular category of inquiry, irrespective of its relevance, some way will have to be found for society to estimate and consider the cost involved in such an action and the way in which the cost will be distributed. Thus, in light of all these considerations, and out of its desire to eliminate unreasonable invasions of personal privacy, the Commission recommends:

    Recommendation (1):

    That governmental mechanisms should exist for individuals to question the propriety of information collected or used by insurance institutions, and to bring such objections to the appropriate bodies which establish public policy. Legislation specifically prohibiting the use, or collection and use, of a specific item of information may result; or an existing agency or regulatory body may be given authority, or use its currently delegated authority, to make such a determination with respect to the reasonableness of future use, or collection and use, of a specific item of information.

    To implement this proposal, the Commission recommends that each State Insurance Commissioner collect individuals' complaints and questions concerning the propriety of particular types of inquiries, prepare periodic summary reports on the number of questions and complaints by category, and make them available to legislative bodies. If already authorized by the legislature, the Commissioner may take action. In California, for example, the legislature empowered the Commissioner to promulgate rules and regulations under the unfair trade practices article of the State insurance laws and the Commissioner then used that authority to declare discrimination based on sex, marital status, or sexual orientation a prohibited practice.⁹³[§790.03 and 790.10 of the California Insurance Code]. The rules the Commissioner adopts may prohibit the use of certain information in one line of insurance but not in another. Furthermore, within a given line of insurance, the Commissioner might allow certain information to be used as the basis for rating or determining risk, but not unless it has an impact on one or the other. For example, inquiry into the fact of cohabitation might be relevant in determining use of a vehicle, a valid rating criterion, but the mere fact of cohabitation, unrelated to vehicle use, could not be the basis of an underwriting or rating decision.

    Currently, most Insurance Commissioners could address the use of irrelevant information under their general authority to hold hearings and issue cease and desist orders in connection with undefined unfair trade practices. The Commission believes, however, that the rule-making technique is fairer and more effective than looking one at a time at possible violations of a general prohibition against unfair trade practices. Not only will more insurers than the one offender have a say in the wisdom of the Commissioner's proposed prohibition, but the Commissioner's decision will only be subject to the narrow judicial review generally applied to rulemaking decisions. The Federal Insurance Administrator could also collect the reports compiled by the State Insurance Commissioners and periodically report on them to the Congress.

    An alternate and not mutually exclusive suggestion is that the Federal Insurance Administrator, or another appropriate Federal entity, collect complaints concerning the propriety of insurance inquiries directly from individual consumers and from time to time report and make recommendations on them to the Congress. It is not recommended, however, that the Federal Insurance Administrator have the rule-making authority urged for State Insurance Commissioners, since regulation of information practices within the insurance industry is currently a State function.

    PRETEXT INTERVIEWS

    As indicated earlier, Factual Service Bureau obtained some of its information through pretext interviews or other false or misleading representations.⁹⁴ A pretext interview is one in which the inquirer (1) pretends to be someone he is not; (2) pretends to represent someone he does not; or (3) misrepresents the true purpose of the interview. Mere silence on any or all of these points would not normally constitute a pretext interview. Indeed, an investigator could refuse to identify himself, his client, or the purpose of the inquiry, letting the person of whom the inquiry is being made infer whatever he wishes from such behavior. Nonetheless, an investigator dressed in a white lab coat making inquiries of a clerk in a hospital medical records room would be conducting a pretext interview if he allowed the clerk to assume he was a properly credentialed medical professional.

    As pointed out in several chapters of this report, the Commission believes that some investigative practices are unreasonably intrusive, or at least have a high potential for depriving an individual of even a modicum of control over the disclosure of information about himself. An investigator conducting a pretext interview clearly raises that prospect. Thus, out of its desire to prevent unreasonable invasions of privacy resulting from the techniques used to collect information about individuals, the Commission recommends:

    Recommendation (2):

    That the Federal Fair Credit Reporting Act be amended to provide that no insurance institution or insurance-support organization may attempt to obtain information about an individual through pretext interviews or other false or misleading representations that seek to conceal the actual purpose(s) of the inquiry or investigation, or the identity or representative capacity of the inquirer or investigator.

    This recommendation would apply to all insurance inquiries-whether for underwriting or first- or third-party claims. The prohibition would be enforceable by the Federal Trade Commission (FTC) against organizations that collect information by means of pretext interviews. An organization would be able to defend itself against an FTC action on the basis that it had k, taken reasonable steps and instituted reasonable procedures to prevent such activity. The use of pretext interviews should be made a civil offense, punishable by fines and cease and desist orders.

    REASONABLE CARE IN THE USE OF SUPPORT ORGANIZATIONS

    The reported practices of Factual Service Bureau also raise a legitimate concern about the care with which insurance institutions select and use the services of support organizations. An institution should not be totally unaccountable for the activities of others who perform services for it. The Commission believes that an insurance institution should have an affirmative obligation to check into the modus operandi of any support organizations it uses or proposes to use; and that if an insurance institution does not use reasonable care in selecting or using such organizations, it should not be wholly absolved of responsibility for their actions. Moreover, a like obligation should obtain where one support organization uses the services of another.

    Currently, the responsibility of an insurance institution for the acts of a support organization depends upon the degree of control the insurance institution exercises over the support organization. Most insurance-support organizations are independent contractors who traditionally reserve the authority to determine and assure compliance with the terms of their contract. Thus, under the laws of agency, an insurer may be absolved of any liability for the illegal acts of a support organization if those acts are not required by the terms of the contract ⁹⁵ In the Commission's opinion, the Factual Service Bureau case illustrates why this is not desirable. Accordingly, to deal with the responsibility of the institution that uses others to gather information about individuals for its own use, the Commission recommends:

    Recommendation (3):

    That the Federal Fair Credit Reporting Act be amended to provide that each insurance institution and insurance-support organization must exercise reasonable care in the selection and use of insurance-support organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations comply with the Commission's recommendations.

    If it could be shown that an insurance institution had hired or used a support organization with knowledge, either actual or constructive, that the organization was engaging in improper collection practices, such as pretext interviews, an individual or the Federal Trade Commission could initiate action against both the insurance institution and the support organization and hold them jointly liable for the support organization's actions.

    Fairness

    THE REASONABLE PROCEDURES OBJECTIVE

    As a general objective guiding the personal-data record-keeping practices of insurance institutions and their support organizations, the Commission recommends:

    Recommendation (4):

    That each insurance institution and insurance-support organization, in order to maximize fairness in its decision-making processes, have reasonable procedures to assure the accuracy, completeness, and timeliness of information it collects, maintains, or discloses about an individual.

    Subsection 3(e)(5) of the Privacy Act of 1974 requires each Federal agency to

    collect, maintain, use and discloses ⁹⁶ all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

    This provision is a requirement on management wholly independent of the rights the Act gives an individual. For a Federal agency whose administrative procedures are subject to congressional oversight, it s an appropriate requirement.⁹⁷ The same, however, cannot be said of its applicability to the private sector.

    As pointed out in Chapter 1, the Commission believes that the mix of rights and obligations its private-sector recommendations would establish are in themselves incentive enough to foster the kind of management attention to personal data record-keeping policy and practice that subsection 3(e)(5) of the Privacy Act requires. Thus, the Commission does not recommend that Recommendation (4) be incorporated in statute or regulation. Rather it envisages Recommendation (4) being implemented automatically as a consequence of the adoption of the other recommendations in this section, particularly Recommendations (10), (11), (12), (13), and (16), on access, correction, adverse decisions, disclosure of information from proper medical sources, and Recommendations (5), (6), and (17), on notice and disclosure.

    The adoption of these recommendations will promote the maintenance of reasonable procedures by insurance institutions to assure the accuracy, completeness, and timeliness of information and provide a means whereby information collected, maintained, or disclosed may be corrected or updated by the individual.

    FAIRNESS IN COLLECTION

    NOTICE REGARDING COLLECTION FROM THIRD PARTIES

    As indicated in the discussion of Recommendation (1), the Commission believes that the type of governmental mechanism called for should be used mainly in instances where the forces of the marketplace are not strong enough to induce the elimination of objectionable items from the insurer's scope of inquiry-for example, items that are demonstrably relevant but nonetheless objectionable on the grounds of propriety. To make market forces work to the advantage of the insurance purchaser, however, he must know the type of information that may be developed and considered in the decision-making process for an insurance transaction. Otherwise, he has no way of judging whether to take his business elsewhere. The application form itself serves to apprise the individual of some of the information that will be gathered about him, but as previously pointed out, the application normally gives at best only faint clues as to the type of inquiry that may be made of sources other than the individual himself.

    Thus, to minimize the need for public-policy determinations as to the propriety of an insurer's inquiries about an individual, as well as inform the individual of the disclosures that must be made in order to obtain a favorable decision on his insurance application, the Commission recommends:

    Recommendation (5):

    That an insurance institution, prior to collecting information about an applicant or principal insured from another person in connection with an insurance transaction, notify him as to:

    (a) the types of information expected to be collected about him from third parties and that are not collected on the application, and, as to information regarding character, general reputation, and mode of living, each area of inquiry;

    (b) the techniques that may be used to collect such types of information;

    (c) the types of sources that are expected to be asked to provide each type of information about him;

    (d) the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed;

    (e) the procedures established by statute by which the individual may gain access to any resulting record about himself;

    (f) the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself;

    (g) the fact that information in any report prepared by a consumer-reporting agency (as defined by the Fair Credit Reporting Act) may be retained by that organization and subsequently disclosed by it to others.

    Recommendation (5) would not apply to information collected for first- or third-party claims or for marketing purposes where the information is collected prior to the initial application. in all other cases, however, it would provide the individual with information about the scope of inquiry to which he is agreeing: the manner in which the inquiry will be conducted (e.g.,through interviews of neighbors and associates) and the disclosures other institutions may possibly make in response to an inquiry from the insurer or an insurance-support organization. Most importantly, it would apprise the individual of the types of uses that may later be made of information without his authorization-for example, of medical-record information acquired by the insurer, or of "adverse information" acquired and retained by an investigative-reporting agency-while at the same time anticipating his need or desire to see and copy, or correct, information developed in the course of the inquiry. Thus, the recommendation would provide the individual with a detailed map of the information flows attendant upon the relationship he proposes to establish with the insurer.

    It should be noted, moreover, that the subsection (a) requirement to notify as to "each area of inquiry" when information regarding character, general reputation, and mode of living is to be collected from a third party anticipates a level of specificity finer than currently considered acceptable under the Fair Credit Reporting Act. Furthermore, while the recommendation does not apply to information collected in connection with first- or third-party claims or for marketing purposes prior to the time the individual submits his application, the subsection (d) requirement to notify the individual of those parties to whom the information may be disclosed without his authorization would include notice of the fact that information on first-party property and liability claimants is sometimes disclosed to the loss indexes and the Insurance Crime Prevention Institute.

    While unanimously agreeing that the type of notice called for in Recommendation (5) is necessary to solve the problems it addresses, the Commission was concerned about its practicality. One insurer, however, drafted an example which showed that the requirements of Recommendation (5) could be met by a notice that is neither unreasonably lengthy nor unreasonably complex.

    As to implementation, while the Fair Credit Reporting Act governs notice requirements to some extent, Insurance Commissioners can also independently monitor industry compliance through their hearing authority under unfair trade practices laws as well as their authority to approve certain application forms. Finally, Recommendation (5) may be self-enforcing because Recommendations (11) and (12), it' adopted, will give the individual a right to have information beyond the scope of the notice given him deleted from any resulting underwriting or support-organization record about him.

    NOTICE AS THE COLLECTION LIMITATION

    The notice given pursuant to Recommendation (5) will be useless if the insurer's inquiry goes beyond what the notice anticipates. Furthermore, as indicated in the discussion of Recommendation (3) on reasonable care in the selection of support organizations, one of the problems with the insurance relationship is the degree to which it is attenuated by the insurer's frequent reliance on independent contractors in gathering information about individuals.

    Thus, to assure that there will be consistency between the scope, techniques, and sources described in the Recommendation (5) notice and the actual inquiry that takes place, the Commission recommends:

    Recommendation (6):

    That an insurance institution limit:

    (a) its own information collection and disclosure practices to those specified in the notice called for in Recommendation (5); and

    (b) its request to any organization it asks to collect information on its behalf to information, techniques, and sources specified in the notice called for in Recommendation (5).

    Like the notice recommendation itself, this recommendation does not apply to information collected in connection with first- or third-party claims or for marketing purposes where the information is collected prior to the initial application. Compliance with Recommendation (6) could be verified through the correction procedures called for in Recommendations (11) and (12) as well as Insurance Department examinations. If an individual finds that the insurer has information beyond that specified in the notice, the individual should be able to have it deleted from his record.

    INFORMATION FOR MARKETING AND RESEARCH

    Subsection 3(e)(3) of the Privacy Act of 1974 requires agencies to advise individuals whether the divulgence of particular items of information is mandatory or voluntary and the consequences of refusing to divulge them. The mandatory and voluntary concepts, however, have little meaning in the private sector, inasmuch as an individual's divulgences are all "voluntary" and an insurance institution can make "mandatory" anything it wishes. As a practical matter, an individual may have little choice but to comply with whatever requests for information are made of him. An example of the trepidation this can cause will be found in the discussion of the Blue Cross-Blue Shield psychiatric claims form in Chapter 7, on the medical-care relationship. Since this is so, insurance institutions should at least indicate on their application forms any requested information which is unnecessary for insurance coverage determination purposes but which is sought for marketing, research, or other purposes. Otherwise individuals will have no way of knowing whether such inquiries are necessary, and thus whether they should bring pressure on the insurer to make the inquiries truly voluntary. Accordingly, the Commission recommends:

    Recommendation (7):

    That any insurance institution or insurance-support organization clearly specify to an individual those items of inquiry desired for marketing, research, or other purposes not directly related to establishing the individual's eligibility for an insurance benefit or service being sought and which may be used for such purposes in individually identifiable form.

    This recommendation, which would not apply to third-party claim transactions, should be voluntarily complied with by insurers and support organizations. While the determination of what is required to establish eligibility is left to the individual company and will undoubtedly vary to some degree, fairness to the individual requires that he be apprised of those items of information desired, but not required by the company to determine acceptability or price.

    AUTHORIZATION STATEMENTS

    The authorization forms used by the insurance industry determine what information insurance institutions and their support organizations can obtain from those with whom an individual has a confidential relationship. Many authorization forms now in use are so broad as to constitute an invitation to abuse. Many do not indicate that they will be used by investigative-reporting agency representatives to develop inspection reports or acquire medical-record information to be transmitted to the insurer. Many do not indicate that they will be used to get credit reports, or information from banks and other organizations.

    Although today, banks, employers, and some other types of record-keeping organizations may be willing to disclose certain information about an individual without his authorization, the Commission's recommendations with respect to those types of organizations would make obtaining the individual's prior authorization necessary. When that happens, as well as in those situations where record keepers have confidential relationships with individuals today, such as in the medical-care relationship, the record keeper on whom the duty of confidentiality rests will be the final arbiter of what constitutes a valid authorization. As a practical matter, however, such a record keeper may be hard-pressed to refuse to honor a broadly worded authorization if the result is grave inconvenience to the individual or refusal to reimburse the record keeper for services already rendered to the individual. Thus, to set the standards whereby those who have a duty of confidentiality to an individual may properly be asked to disclose information about him to others, the Commission recommends:

    Recommendation (8):

    That no insurance institution or insurance-support organization ask, require, or otherwise induce an individual, or someone authorized to act on his behalf, to sign any statement authorizing any individual or institution to disclose information about him, or about any other individual, unless the statementis:

    (a) in plain language;

    (b) dated;

    (c) specific as to the individuals and institutions he is authorizing to disclose information about him who are known at the time the authorization is signed, and general as to others whose specific identity is not known at the time the authorization is signed;

    (d) specific as to the nature of the information he is authorizing to be disclosed;

    (e) specific as to the individuals or institutions to whom he is authorizing information to be disclosed;

    (f) specific as to the purpose(s) for which the information may be used by any of the parties named in (e), both at the time of the disclosure and at any time in the future;

    (g) specific as to its expiration date which should be for a reasonable period of time not to exceed one year, and in the case of life insurance or noncancelable or guaranteed renewable health insurance, two years after the date of the policy.

    The requirements of Recommendation (8) are not as severe as they may seem. Life and health insurance institutions regularly obtain authorizations as a part of their applications. Because of the individual's need for insurance, he exercises little bargaining power over the terms of the authorization. If a claim is involved, the authorization is obtained as a condition to considering the claim. It does the claimant little good to refuse to sign the authorization, for then he must go through the burden of suing the insurer, and even then much of the information will be available during discovery. Because insurers can basically dictate the terms of the authorization, the Commission concluded that the terms of the authorization needed to be specified so that the individual would know what he was agreeing to have disclosed, and so that those who held information of a confidential nature would know that they had received a valid authorization from the individual to release information to others.

    Subsection (f) is especially important because it provides the individual with a description of the uses that may subsequently be made of information obtained about him pursuant to authorization. One particular example is that an individual would have to be told that information obtained from a medical-care provider in connection with underwriting may later be used for claim purposes.

    Subsection (c) requires the authorization to be as specific as possible. It must specifically name those individuals and organizations authorized to release information about him who are known at the time the authorization is obtained. But if, for instance, an insurer subsequently learns of an attending physician whom the individual has not revealed, then the more general language of the authorization can be used with regard to that physician. Returning to the individual every time an insurer learned of a new source would be expensive and, in some cases, distressing to the individual, since it could delay processing of his application. Moreover, the subsequently identified source, a physician, for example, would still only be asked to disclose information of the sort described pursuant to subsection (d) and for the purpose specified pursuant to subsection (f). In addition, the individual would ultimately be able to identify every record-keeper contact by exercising the access rights Commission Recommendations (10) and (13), below, would give him.

    Subsection (g) limits the validity of the authorization to a reasonable period of time not to exceed one year. The only exceptions to this are for life insurance and noncancelable or guaranteed renewable health insurance where an authorization signed in connection with an application would be valid for two years from the date of the policy. Those types of policies, it will be remembered, are contestable for two years after they are issued and during that period an insurer needs to be able to protect itself from fraud or misrepresentation at the time of application.

    Recommendation (8) would be implemented through the refusal of a holder of confidential information to release it unless presented with a valid authorization. It has also been suggested to the Commission that the National Association of Insurance Commissioners or the Commission on Uniform State laws might well develop standard authorization forms to achieve and facilitate the desired uniformity. Further, it should be noted that the necessary generality permitted by parts of Recommendation (8) need not apply to an insurance institution that obtains an authorization from an applicant, insured, or claimant permitting it to release confidential information to others. In that case, the authorization form can and should be specific as to what information, to whom, and for what purpose.

    INVESTIGATIVE INTERVIEWS

    As a general policy, the Commission believes that record-keeping institutions should strive as much as possible to collect information about an individual from the individual himself, rather than rely primarily on third-party sources. Furthermore, where an investigative report is being prepared, such a practice should not just be encouraged; it should be required if the individual so wishes.

    Although inaccuracies in investigative reports prepared by inspection bureaus were a major stimulus to enactment of the Fair Credit Reporting Act, it has not been possible to determine whether the Act has substantially reduced the error rate. The major purposes of an investigative report are to: (1) verify information supplied by the applicant or his agent; and (2) develop information about the applicant's character, general reputation, and mode of living-lines of inquiry which must perforce involve a certain amount of subjective evaluation. Moreover, as Chapter 8 points out, it has been alleged that some reports get prepared without the investigator ever contacting anyone at all. Whatever the merits of that controversy, requiring an interview with the subject of a report as an affirmative requirement will help to resolve it and, if industry spokesmen are correct about the usefulness of interviews with report subjects, such interviews will improve the quality of the information inspection bureaus transmit to their insurer clients.

    Thus, the Commission recommends:

    Recommendation (9):

    That the Federal Fair Credit Reporting Act be amended to provide that any insurance institution that may obtain an investigative report on an applicant or insured inform him that he may, upon request, be interviewed in connection with the preparation of the investigative report. The insurance institution and investigative agency must institute reasonable procedures to assure that such interviews are performed if requested. When an individual requests an interview and cannot reasonably be contacted, the obligation of the institution preparing the investigative report can be discharged by mailing a copy of the report, when prepared, to the individual.

    This recommendation would not apply to any investigative report about an individual made in reasonable anticipation of civil or criminal action, or for use in defense or settlement of an insurance claim. Nor would it require an interview in every instance, since the individual would have to request it and presumably would make himself available for the interview. Not all individuals will seek such an opportunity. When an individual requests an interview and cannot be contacted using reasonable procedures, the requirement for an interview can be discharged by mailing a copy of the report to him.

    The Commission considered having the interview occur just prior to sending the report off to the insurer, on the theory that the individual would then be in a position to review the information which had been gathered and, if necessary, to correct, amend, or dispute it. However, the Commission concluded that the difficulties involved in making a personal contact at a specific time could work to the disadvantage of the individual anxious to get his insurance application processed. Furthermore, the report is often not prepared until the investigator returns to his office. An alternative, also considered and rejected, would have required that a copy of the report be sent to the individual at the same time it is sent to the insurer. This was rejected because of the cost involved (a copy of every report prepared would have to be sent, regardless of whether the report resulted in an adverse decision) and because the adoption of Recommendations (10) and (13), below, would make the report available to the individual on a see and copy basis from either the insurer or the investigative-reporting agency.

    In incorporating this requirement into the Fair Credit Reporting Act, it should be made clear that the interview requirement applies to underwriting investigations undertaken by insurers themselves as well as by inspection bureaus.

    FAIRNESS IN USE

    ACCESS TO RECORDS

    Access to records, as a general concept of fair record-keeping practice, should be extended to insurance records. Allowing an individual to see and copy a record kept about him can be advantageous to the insurance institution as well as to the individual. As suggested earlier, the records an insurance institution maintains about individuals are numerous and can serve a variety of functions. Except for medical records (information from which insurers also maintain), an insurance institution's records may contain information on more dimensions of an individual's life than almost any other type of record the Commission has examined. Moreover, several of the Commission's other recommendations depend on the individual being able to have access to insurance records about himself at times other than when an adverse underwriting decision has been made about him. For example, the notice requirement proposed in Recommendation (5), and the limitation on collection practices in Recommendation (6), depend on the individual being able to find out what information has been collected about him. And, as in other areas, the authorization statement an individual is asked to sign allowing an insurer to disclose information about him will be a meaningless piece of paper if he cannot learn what he has authorized to be disclosed.

    Currently, an individual does not have a legal right to see or even learn the nature and substance of information maintained about him by an insurer, or by any insurance-support organization not subject to the Fair Credit Reporting Act. Moreover, the FCRA only requires an investigative-reporting agency to disclose to an individual the "nature and substance" of information in a report it has prepared about him. [15 U.S.C. 1681g(a)(1)] The Medical Information Bureau voluntarily gives an individual access to the summary data it maintains on him, if he so requests, but the individual has no legal right of access to anything held by an insurer, and thus, may not be able to figure out why the MIB record says what it does, or get the insurer that caused the MIB record to be created to correct errors in it.

    To overcome these deficiencies, the Commission recommends:

    Recommendation (10):

    That the Federal Fair Credit Reporting Act be amended to provide:

    (a) That, upon request by an individual, an insurance institution or insurance-support organization must:

    (i) inform the individual, after verifying his identity, whether it has any recorded information pertaining to him; and

    (ii) permit the individual to see and copy any such recorded information, either in person or by mail; or

    (iii) apprise the individual of the nature and substance of any such recorded information by telephone; and

    (iv) permit the individual to use one or the other of the methods of access provided in (a)(ii) and (iii), or both if he prefers.

    The insurance institution or insurance-support organization may charge a reasonable copying fee for any copies provided to the individual. Any such recorded information should be made available to the individual, but need not contain the name or other identifying particulars of any source (other than an institutional source) of information in the record who has provided such information on the condition that his identity not be revealed, and need not reveal a confidential numerical code.

    (b) That notwithstanding part (a), with respect to medical-record information maintained by an insurance institution or an insurance-support organization, an individual has a right of access to that information, either directly or through a licensed medical professional designated by the individual, whichever the insurance institution or support organization prefers.

    As far as insurance institutions are concerned, it is the Commission's intention that this right of access be to any reasonably described information about the individual. In the case of an applicant, for example, commonly used identifiers such as name and address, coverage requested, and possibly date of application, ought to be enough to identify the record requested. The fact that information on one individual is contained in a record on another would not preclude the first from being able to see and copy it so long as he can provide the requisite identifier. Also, an individual should be able to see and copy information about other people in a record pertaining to himself Wit is pertinent to his relationship with the insurer. For example, a husband who has art automobile policy that insures both him and his wife should be able to review his entire file, including any information in it about his wife. Conversely, as an insured, the wife should be able to see anything in the file on either herself or her husband.

    The proposed right of access would extend to all records about an individual that are reasonably retrievable. Thus, it would include all information in a credit or investigative report, except that the identity of a non-institutional source (for instance, a neighbor or associate) need not be revealed where such a source provided information on the condition that his identity not be revealed. The individual, however, would have full access to all information such a source provided.

    This, it will be noted, is a major departure from current practice wherein an insurer is customarily constrained from disclosing the contents of an investigative report to the individual by provisions in its contract with the inspection bureau. In the future, if the Commission's recommendations are adopted, such contractual constraints will not be possible. Moreover, neither the insurer nor the inspection bureau will be able to withhold the identity of any institutional sources.

    The proposed right of access would also extend to medical-record information held by an insurer or insurance-support organization, although either organization would have the option of disclosing information to the individual through a licensed medical professional designated by the individual. The medical professional would be obligated to allow the individual to see and copy it upon request by the individual.

    Finally, to make his access right convenient to exercise, the recommendation would allow an individual or a licensed medical professional designated by him pursuant to subsection (b). to see and copy records in person or by mail, or to have their nature and substance disclosed by telephone. This, too, is a departure from current practice inasmuch as the recommendation applies to support organizations as well as insurers, and the Fair Credit Reporting Act does not currently require an inspection bureau to provide the individual with a copy of an investigative report.

    It should be noted that this recommendation would not apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled the recommendation would not apply to any record compiled in relation to a third-party claimant (i.e., a claimant who is not a principal insured or policy owner) except as to any portion of such a record which is disseminated or used for a purpose unrelated to processing the claim. The exception for records compiled in reasonable anticipation of civil or criminal litigation would apply regardless of whether the insurance institution or support organization envisions being a plaintiff or defendant (in a civil action) or a complainant in a criminal proceeding. For example, an insurance institution or support organization may be compiling information to prove arson on the part of a first-party claimant. The insurer may have already paid the claim but is considering prosecution. When such an action is no longer reasonably contemplated, the first-party claimant's access right would be established.

    When information is compiled in connection with the settlement of a first-party claim, and negotiations are in progress or contemplated, allowing access prior to settlement would unbalance the existing legal rights of both parties. However, once the first-party claim has been settled, the Commission believes that there is no sound justification for continuing to deny access.

    The Commission does see the need to distinguish between first- and third-party claimants. Recommendation (10) creates a very limited right of access for a third-party claimant. Whereas the first-party claimant has a contractual relationship with the insurer, the third-party claimant, by definition, occupies an adversary role and has not entered into a relationship with the insurer. Only where information compiled in the course of a third-party settlement is used for a purpose other than settling the claim should the claimant be allowed access to such information. The principle involved is that non-claim decisions should not be made about an individual on the basis of records whose contents he cannot know. However, where the individual claimant is in an adversary negotiation with the record keeper, and existing law creates certain rights of access in the course of litigation, an exception to the general right of access recommended by the Commission can be justified. Information can be given to loss indexes and others solely for claim purposes without violating this exception to access by the individual.

    Since Recommendation (10) would be implemented by amending the Fair Credit Reporting Act, an individual would be able to compel production of a record by an insurance institution or support organization through litigation brought in Federal court or another appropriate court. The right would be similar to the one given a citizen by the Federal Freedom of Information Act. The plaintiff would have to prove that he requested and was denied reasonably described records about himself in the possession of the insurance institution or support organization, and the burden would be on the institution or support organization to present any reason why the statute would not be applicable. Courts would have the power to order the insurance institution or support organization to disclose the particular record or records sought and to award reasonable attorney's fees and other litigation costs to any plaintiff who substantially prevailed.

    Systematic denials of access by an insurance institution or support organization could be subject to Federal Trade Commission enforcement, in which the remedy would be an order directing the institution or support organization to produce records upon request by individuals. Once the Federal Trade Commission issued such an order, the insurance institution or support organization would then be subject to the usual enforcement mechanisms available to the FTC to secure compliance with its orders.

    An alternative to this approach, in the case of insurance institutions, is to encourage the States to enact amendments to the unfair trade practices sections of their insurance laws to give State Insurance Commissioners the authority to enforce the requirements of this recommendation, and of the correction and adverse decision rights that Recommendations (11) and (13) would create. If a State failed to enact such legislation, the Federal Trade Commission would then be able to exercise its enforcement proceedings, using its normal enforcement mechanism with respect to systematic failures in that particular State.

    An individual would have no right to money damages based solely upon a denial of his access right under Recommendation (10). The burden would be on the individual to reasonably describe the document sought and the insurance institution or support organization could defend on the basis that it cannot reasonably locate or identify the records sought by the plaintiff. For example, the individual could sue for any document developed as the result of an application for insurance if the individual could identify the date and nature of the application. If, however, an individual requested any information that relates to him in a file, but could not, with some specificity, identify the circumstances pursuant to which such a file would have been developed, the insurance institution would not be under an affirmative obligation to search manually through each and every document to locate a possible passing reference to the individual.

    The Fair Credit Reporting Act currently creates the following limitation of liability protection:

    Except as provided in Sections 1681n and 1681o of this title, no consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency, any user of information, or any person who furnishes information to a consumer reporting agency, based on information disclosed pursuant to 1681h or 1681m of this title, except as to false information furnished with malice or willful intent to injure such customer. [15 U.S.C.1681 h(e)]

    The Commission believes that this type of protection should be extended to insurance institutions and support organizations in connection with recorded information furnished pursuant to either Recommendation (10) or Recommendation (13) concerning adverse underwriting decisions. In addition, because insurers, unlike their support organizations, make decisions about individuals, the Commission believes that they should not be liable to suit for retroactive coverage where an adverse underwriting decision is made on the basis of information which proves to be incorrect. Thus, an insurance institution or support organization should have no liability, including liability for defamation, invasion of privacy or negligence, with respect to information which had been disclosed to an individual, regardless of whether or not that information was created or furnished by the insurance institution or insurance-support organization, unless false information was furnished to third parties with malice or willful intent to injure the individual.

    CORRECTION OF RECORDS

    Giving an individual the right to see and copy a record created for the purpose of making a decision about him is of little value if it is not accompanied by a right to get erroneous information in the record corrected. Both the Privacy Act and the Fair Credit Reporting Act establish procedures whereby an individual can correct, amend, or dispute inaccurate, obsolete, or incomplete information in a record about himself. The insurance business stands to gain, moreover, from improving the quality of information about individuals available to it. When an individual s denied insurance on the basis of an inaccurate record about himself, the insurer also suffers through the loss of premium income. Finally, given the observed need to strengthen and balance the respective roles of insurer and individual within the context of the insurance relationship, and given the fact that there is information interchange among insurers (particularly as facilitated by inspection bureaus, the Medical Information Bureau, and the loss indexes), it is unrealistic to expect the individual to chase an error through every insurance-related record-keeping organization to which it may have been transmitted. The insurer, the primary record keeper, must assume its fair share of responsibility for that task.

    Accordingly, to make the individual's right of access to an insurance record worthwhile, and to improve the quality of recorded information available to underwriters and others who make decisions about applicants and insureds, the Commission recommends:

    Recommendation (11):

    That the Federal Fair Credit Reporting Act be amended to provide that each insurance institution and insurance-support organization permit an individual to request correction, amendment, or deletion of a record pertaining to him; and

    (a) within a reasonable period of time:

    (i) correct or amend (including supplement) any portion thereof which the individual reasonably believes is not accurate, timely, or complete; and

    (ii) delete any portion thereof which is not within the scope of information the individual was originally told would be collected about him; and

    (b) furnish the correction, amendment, or fact of deletion to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to any insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has systematically received any such information from the insurance institution within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the correction, amendment, or fact of deletion is not required; and automatically to any insurance support organization that furnished the information corrected, amended, or deleted; or

    (c) inform the individual of its refusal to correct or amend the record in accordance with his request and of the reason(s) for the refusal; and

    (i) permit an individual who disagrees with the refusal to correct or amend the record to have placed on or with the record a concise statement setting forth the reasons for his disagreement; and

    (ii) in any subsequent disclosure outside the insurance institution or support organization containing information about which the individual has filed a statement of dispute, clearly note any portion of the record which is disputed, and provide a copy of the statement along with the information being disclosed; and

    (iii) furnish the statement of dispute to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to an insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has received any such information from the insurance institution within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the statement is not required; and, automatically, to any insurance-support organization that furnished the disputed information;

    (d) limit its reinvestigation of disputed information to those record items in dispute.

    Recommendation (12):

    That notwithstanding Recommendation (11)(a)(i), if an individual who is the subject of medical-record information maintained by an insurance institution or insurance-support organization requests correction or amendment of such information, the insurance institu-tion or insurance-support organization be required to:

    (a) disclose to the individual, or to a medical professional designated by him, the identity of the medical-care provider who was the source of the medical-record information; and

    (b) make the correction or amendment requested within a reasonable period of time, if the medical-care provider who was the source of the information agrees that it is inaccurate or incomplete; and

    (c) establish a procedure whereby an individual who is the subject of medical-record information maintained by an insurance institution or insurance-support organization, and who believes that the information is incorrect or incomplete, would be provided an opportunity to present supplemental information of a limited nature for inclusion in the medical-record information maintained by the insurance institution or support organization, provided that the source of the supplemental information is also included.

    Although Recommendations (11) and (12) appear complex, they contain only two key requirements:

    • that an individual have a way of correcting, amending, deleting, or disputing information in a record about himself, regardless of whether the record is held by an insurance institution or by a support organization; and
    • that the insurance institution or support organization to whom the request for correction, amendment, or deletion is made, shall have an obligation to propagate the correction, amendment, deletion, or statement of dispute in any subsequent disclosure it makes of the information to possible recipients within the previous two years whom the individual designates; and to any insurance-support organization which within the previous seven years has been a regular recipient of the type of information, or which was the source of the information.

    Regular recipients would include support organizations such as the Medical Information Bureau, the Impairment Bureau, or the loss indexes. Sources would mainly be investigative-reporting agencies (inspection bureaus).

    The obvious objective of the second set of requirements is to allow for a thorough cleansing of industry record systems when inaccurate information is discovered and, in the case of amended or corrected information, to provide measures of the completeness and validity of information used in making decisions about an individual, thereby reducing the number of adverse decisions made on the basis of inaccurate or incomplete information. Furthermore, Recommendations (11) and (12) also provide two important vehicles for enforcing compliance with Recommendations (5) and (6) on pre-notice and limits on collection practices.

    The requirement to delete information that falls outside the boundaries set by the notice called for in Recommendation (5), not only from the insurer's records but also from the records of any support organization that has collected it, or to which it has been disclosed, not only gives the individual a means of holding the insurer to its declarations regarding the scope of the inquiry to be made about him, but also enhances the insurer's control over the record-keeping practices of its contractors. In addition, by closely wedding the scope of a support organization's inquiry on behalf of each of its clients to each client's specified needs, the net effect of this requirement should be to allow an insurer that spends money on refining its relevance criteria and information collection techniques to avoid subsidizing other insurers that have not done so. At the present time, the relationship between insurer and investigative-reporting agency, for example, is loose enough to allow the reporting agency to use an inquiry on behalf of one insurer to gather information that can be marketed to others. Today, apparently, this is not a serious problem, because there are broad similarities among the kinds of reports insurers order. If Recommendation (5) succeeds in making privacy protection policy an element in insurers' competition for customers, however, fairness demands that the more socially responsible insurers not have to subsidize the practices of their less conscientious competitors.

    In addition, subsection (d) limits the reinvestigation of disputed information to the items in dispute. The purpose of this provision is to prevent the dispute mechanism from becoming an occasion for a wholly new intrusion merely because of the questioned accuracy of one item.

    As to Recommendation (12), the rationale and explanation for it will be found in the discussion of Recommendation (8) in Chapter 7 on the medical-care relationship.

    Like Recommendation (10), neither Recommendation (11) nor Recommendation (12) would apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled, moreover, these recommendations would not apply to any record compiled in relation to a claimant who is not an insured or policy owner, except as to any portion of such a record which is disseminated or used for a purpose unrelated to processing the claim. Nor are these recommendations intended to replace entirely the current Fair Credit Reporting Act reinvestigation and dispute requirements. Although Recommendation (11) would extend the current six-month limitation on an inspection bureau's obligation to propagate corrections, amendments, and disputes, it is not intended that this recommendation supplant existing Fair Credit Reporting Act requirements to reinvestigate and record the current status of information (unless the complaint is frivolous) or to delete information which can no longer be verified.

    The Fair Credit Reporting Act should be amended to allow an individual to sue to force compliance with Recommendations (11) and (12) and be entitled to reasonable attorney's fees and other litigation costs if he substantially prevails. This would be the sole remedy in the event an insurance institution or support organization fails to comply with the requirements of Recommendations (11) and (12), except that an intentional or willful refusal to comply could result in up to $1,000 in damages. The alternatives for Federal Trade Commission or State regulatory enforcement when there are repeated violations have been discussed above in conjunction with Recommendation (10) on access and apply equally here.

    ADVERSE UNDERWRITING DECISIONS

    An underwriting decision cannot be fair if it is made on the basis of inaccurate information. Both the individual and the insurance institution have a common objective in this regard. Currently, however, an insurer that makes an adverse underwriting decision about an individual is not required, in most cases, to give any clues as to the information that supported it. If the information came from an investigative-reporting agency or a credit bureau, the insurer must identify the agency or bureau and furnish its address but nothing more. Furthermore, as explained earlier, being able to find out from a support organization the "nature and substance" of information it reported to the insurer is no guarantee that the individual will be able to relate what he learns to the decision that was made on the basis of it. The "nature and substance" of an investigative report may sound harmless to a rejected applicant. How is he to know that something in it, if explained in greater detail, might have caused the adverse decision to come out the other way? Or if something in the report is inaccurate, how is he to know whether it was that particular item that caused the adverse decision and thus the one that needs to be followed up?

    Because the investigative-reporting agency's sources (including institutional sources) need not be disclosed to the individual, he also has no way of knowing to which sources he should go to get an inaccuracy corrected in a manner which will persuade the insurance institution that information the support organization reported was erroneous. Nor is the insurer under any obligation to disclose its own independent sources, such as the Medical Information Bureau, or the Impairment Bureau, or a source identified through the Medical Information Bureau. Finally, if the individual is venturesome enough to try to get inaccurate information corrected, he is expected to make the decision to do so without necessarily knowing what his rights are under the Fair Credit Reporting Act.

    Thus, in order to bring insurance practices in line with current or recommended practice in other areas the Commission has examined, the Commission recommends:

    Recommendation (13):

    That the Federal Fair Credit Reporting Act be amended to provide that an insurance institution must:

    (a) disclose in writing to an individual who is the subject of an adverse underwriting decision:

    (i) the specific reason(s) for the adverse decision;

    (ii) the specific item(s) of information that support(s) the reason(s) given pursuant to (a)(i), except that medical record information may be disclosed either directly or through a licensed medical professional designated by the individual, whichever the insurance institution prefers;

    (iii) the name(s) and address(es) of the institutional source(s) of the item(s) given pursuant to (a)(ii); and

    (iv) the individual's right to see and copy, upon request, all recorded information concerning the individual used to make the adverse decision, to the extent recorded information exists;

    (b) permit the individual to see and copy, upon request, all recorded information pertaining to him used to make the adverse decision, to the extent recorded information exists, except that (i) such information need not contain the name or other identifying particulars of any source (other than an institutional source) who has provided such information on the condition that his or her identity not be revealed, and (ii) an individual may be permitted to see and copy medical-record information either directly or through a licensed medical professional designated by the individual, whichever the insurance institution prefers. The insurance institution should be allowed to charge a reasonable copying fee for any copies provided to the individual;

    (c) inform the individual of:

    (i) the procedures whereby he can correct, amend, delete, or file a statement of dispute with respect to any information disclosed pursuant to (a) and (b); and

    (ii) the individual's rights provided by the Fair Credit Reporting Act, when the decision is based in whole or in part on information obtained from a consumer-reporting agency (as defined by the Fair Credit Reporting Act);

    (d) establish reasonable procedures to assure the implementation of the above.

    Recommendation (13) is similar to the recommendation regarding adverse credit decisions in Chapter 2. It is, however, even more of a departure from current practice in that insurers generally have not had to disclose the specific reasons for their adverse underwriting decisions. On the other hand, Recommendation (13) differs from its counterpart in the credit area in that, like Recommendation (10), above, it takes account of the fact that not all sources of information used to make an insurance decision about an individual are institutional ones and further, that some adverse insurance decisions may be made on the basis of medical-record information. It is linked to Recommendations (11) and (12) through subsection (c), which requires that the insurer apprise the individual of its own correction, amendment, deletion, and dispute procedures, and to Recommendation (4) in requiring that the insurer establish reasonable implementation procedures.

    It should be noted that Recommendation (13) applies only to adverse underwriting decisions, which the Commission has defined as follows:

    • With respect to life and health insurance, a denial of requested insurance coverage (except claims) in whole or in part or an offer to insure at other than standard rates; and with respect to all other kinds of insurance, a denial of requested insurance coverage (except claims) in whole or in part, or a rating which is based on information which differs from that which the individual furnished; or
    • a refusal to renew insurance coverage in whole or in part; or
    • a cancellation of any insurance coverage in whole or in part.

    Since Recommendation (13) would be implemented by amending the Fair Credit Reporting Act, an individual would be able to obtain a court order from a Federal court or other court of competent jurisdiction to force an insurance institution to perform any one of the duties called for if he could prove that the insurance institution had failed to do so. This would include incomplete disclosure of the specific reasons and underlying information. The court would have the power to order the insurance institution to comply and to award attorney's fees to any plaintiff who substantially prevailed. Such an action would be the individual's sole remedy, except that the court should also have the power to award up to $1,000 to the plaintiff if it is shown that the institution intentionally or willfully denied the individual any of the rights Recommendation (13) would give him.

    As noted in the discussion of Recommendation (10), the Commission believes that a limitation of liability similar to that now provided by the Fair Credit Reporting Act should be extended to insurance institutions as well as insurance-support organizations. The implementation of Recommendation (10) would create no liability on the part of an insurance institution or support organization, including liability for negligence, defamation or invasion of privacy, unless the institution or support organization acted with malice or willful intent to harm the individual.

    Like Recommendations (10), (11), and (12), Recommendation (13) depends primarily for its enforcement upon the individual's assertion of his rights. As noted above, however, the Commission proposes two alternate means of government enforcement where an insurance institution repeatedly or systematically denies the rights granted by Recommendations (10), (11), (12), and (13). One alternative is that the Federal Trade Commission would have the authority to bring enforcement proceedings, using its normal enforcement mechanisms. The other would be for the States to be encouraged to enact amendments to the unfair trade practices sections of their insurance laws which would give State Insurance Commissioners the authority to enforce the requirements of these four recommendations. Should a State enact such legislation, the Federal Trade Commission would then be precluded from exercising its enforcement proceedings with respect to systematic failures in that particular State.

    DECISIONS BASED ON PREVIOUS ADVERSE DECISIONS

    In the following chapter, on record keeping in the employer-employee relationship, there are several examples of the harm that can result when actions taken against an individual by one record-keeping organization become the basis for decision making by another. The problem, however, is a general one and stems from the tendency of record-keeping organizations to make unwarranted assumptions about the validity and currency of information generated by other record-keeping organizations. Questions are seldom asked about how recorded information came to be and the caveats knowledge of those processes should evoke.

    As explained earlier, insurers often ask an applicant whether any other insurer has ever declined him, refused to renew a policy, or insured him at other than standard rates. While life insurers seem to use this information as a guide to finding out more about an applicant, automobile insurers often decline applicants solely on the basis of an affirmative response to the question. In the Commission's opinion, this is grossly unfair. The bare fact of an adverse underwriting decision is an incomplete item of information; the reason for the decision is the important item and it is missing. Indeed, using the mere fact of a previous adverse decision as the basis for rejecting an insurance applicant is one of the clearest examples the Commission found of information itself being the cause of unfairness in a decision made on the basis of it. Thus, the Commission recommends:

    Recommendation (14):

    That no insurance institution or insurance-support organization:

    (a) make inquiry as to:

    (i) any previous adverse underwriting decision on an individual, or

    (ii) whether an individual has obtained insurance through the substandard (residual) insurance market, unless the inquiry requests the reasons for such treatment; or

    (b) make any adverse underwriting decision based, in whole or in part, on the mere fact of:

    (i) a previous adverse underwriting decision, or

    (ii) an individual having obtained insurance through the substandard (residual) market.

    An insurance institution may, however, base an adverse underwriting decision on further information obtained from the source, including other insurance institutions.

    It will be remembered that in the explanation of Recommendation (1), it was noted that when the fairness, as opposed to the propriety, of an item of information is at issue, one might both prohibit its use and require its collection. In Recommendation (14), however, the Commission proposes that an insurer both cease to inquire and cease to use, the reason being that compliance will be principally monitored through the individual's exercise of his rights pursuant to Recommendation (13) on adverse underwriting decisions. State Insurance Commissioners should use their unfair trade practices authority, and their authority to review certain application forms to assure that adverse insurance decisions are no longer based on the mere fact of a previous adverse decision. They should also require that insurers collect information about prior declinations only when the reasons for the declination are also collected. The Commission hopes, however, that once the previous adverse decision problem is well enough and widely enough understood, voluntary measures, facilitated by exercise of the statutory rights proposed in Recommendation (13), will assure universal compliance.

    UNDERWRITING DECISIONS BASED ON INFORMATION FROM INDUSTRY DATA EXCHANGES

    The Commission found that in life and health underwriting, there is less than perfect adherence to the industry's own rules regarding the use of information obtained from the Medical Information Bureau. According to MIB rules, no adverse underwriting decision is ever supposed to be ma'':, solely on the basis of an MIB "flag," but the record clearly indicates that efforts to achieve this have been weak and superficial.⁹⁸

    The problem here, of course, is the same one Recommendation (9) addresses, except for the fact that in this case the items of information in question are being obtained from an industry data exchange rather than from the individual himself, thereby multiplying by two the points at which errors could be made. Either the insurer that reports an item to the exchange, or the exchange in reporting it to still another company, could report it incorrectly. Because the item is only a flag, moreover, it is by its very nature without context; that is, it is an incomplete item of information. Accordingly, the Commission recommends:

    Recommendation (15):

    That no insurance institution base an adverse underwriting decision, in whole or in part, on information about an individual it obtains from an insurance-support organization whose primary source of information is insurance institutions or insurance-support organizations; however, the insurance institution may base an adverse underwriting decision on further information obtained from the original source, including another insurance institution.

    This recommendation would apply to the Medical Information Bureau and the Impairment Bureau, but not to the loss indexes, since they do not supply information for use in underwriting decisions. In addition, the recommendation refers only to information about a particular individual and, therefore, would not govern the use of information obtained, for example, from a rating organization.

    As with Recommendation (14), voluntary compliance with this recommendation will be facilitated by exercise of the statutory rights proposed in Recommendation (13), and also by any action taken by State Insurance Commissioners pursuant to their unfair trade practices authority referred to in the discussion of Recommendation (14).

    FAIRNESS IN DISCLOSURE

    DISCLOSURES TO INDUSTRY DATA EXCHANGES

    Life insurance companies have had a longstanding practice of reporting to the Medical Information Bureau or the Impairment Bureau information about an individual's health, which they have obtained from sources other than a licensed medical-care provider, or the individual to whom the information pertains. The same has been true of property and liability reporting on claimants to the loss indexes. In the case of the MIB and the Impairment Bureau, agents' reports and reports compiled by inspection bureaus, in part on the basis of interviews with neighbors and associates, have been a major source of such information. In the Medical Information Bureau this material was coded as "medical information" that because of source does not meet the requirements of the Fair Credit Reporting Act, and "medical information received from a consumer report, not confirmed by the proposed insured or a medical facility."⁹⁹

    As discussed earlier, this is an area in which the MIB Executive Committee took action following the Commission's hearings on the record-keeping practices of insurance institutions and insurance-support organizations. The MIB's action, however, does not affect the existing flow of "health status information" into the Impairment Bureau and the loss indexes. Moreover, as indicated in its discussion of Recommendation (11), the Commission believes that the responsibility for the content of records maintained by industry data exchanges is properly placed on the reporting insurance institutions, since it is they who control the record-keeping policies of the data exchanges.

    The chief problem with health status information is its unreliability. It is bad enough to be labeled as a pariah by those society considers qualified to do so, but it violates all canons of fairness to allow such labels to be attached by anyone, regardless of his qualifications. Accordingly, the Commission recommends:

    Recommendation (16):

    That Federal law be enacted to provide that no insurance institution or insurance-support organization may disclose to another insurance institution or insurance-support organization information pertaining to an individual's medical history, diagnosis, condition, treatment, or evaluation, even with the explicit authorization of the individual, unless the information was obtained directly from a medical-care provider, the individual himself, his parent, spouse, or guardian.

    This recommendation should be implemented in connection with Recommendation (17) concerning the confidential relationship between an individual and an insurance institution or support organization. It would become part of the duty of confidentiality owed to an individual by an insurer or support organization. Although support organizations like the loss indexes have little practical control over the source of medical information sent to them, it is expected that insurance institutions, in order to protect their own interests in not disclosing medical information in violation of subsection (b)(iv) of Recommendation (17), will establish procedures to assure that only medical information obtained from a qualified source is communicated to a support organization or to another insurance institution.

    Expectation of Confidentiality

    The Commission's third policy objective is to establish and define the nature of the confidential relationship between an individual and the record-keeping institutions with which he can be said to have a relationship. A confidential relationship is one in which there is both an explicit limitation on the extent to which information generated by the relationship can be disclosed to others, and a prior mutual understanding by the parties involved as to what that limitation shall be.

    Certain relationships (e.g., doctor-patient, attorney-client) have traditionally carried with them legally enforceable expectations of confidentiality, at least in particular types of circumstances.¹⁰⁰These protections, moreover, have sprung from the breadth of inquiry and observation on which the success of the relationship depends. If one type of relationship requires more divulgence and probing than another, the latter, so the argument goes, should not be permitted to feed off the former at will. To allow that to happen is not only fundamentally unfair; it is also a violation of the ethics of the first relationship.

    One sees this problem vividly today in the record-keeping dimensions of the doctor-patient relationship. It is present, however, in every area of personal-data record keeping where an individual must submit to the collection and recording of intimate details about himself in order to obtain some benefit or service. Furthermore, as the Commission argues in Chapter 9, if society is to solve the problems inherent in the compulsory disclosure of information about an individual from one record-keeping relationship to another, it must limit the circumstances in which voluntary disclosures are permitted at the discretion of the record keeper. Otherwise, there is no point in restricting the circumstances under which a government agency, for example, may compel a record keeper to produce information it holds in its records on an individual. To make such restrictions sensible, as well as to assure the individual a role in determining when and to what extent they will be suspended, one must first impose a duty of confidentiality on the holder of the records.

    With these considerations in mind, the Commission has concluded that each insurance institution and insurance-support organization should owe a duty of confidentiality to the individual on whom it maintains records. The amount, diversity, and character of the information gathered to establish and facilitate the insurance relationship is such as to warrant establishing such a duty of confidentiality. The insurance relationship, moreover, is extraordinarily important to society. Like the credit, depository, and medical-care relationships considered in other chapters of this report, it is one that is increasingly difficult for an individual to avoid. Yet the relationship cannot be maintained successfully if it is perceived as being inherently unfair or as disregarding the legitimate interests of the individuals who enter into it.

    Currently, insurance institutions and their support organizations voluntarily assume some ethical responsibility for the confidentiality of the information they maintain on individuals. However, they do not uniformly respect the individual's legitimate desire to limit the disclosures they make about him, nor are they able to defend the integrity of their record-keeping relationships with individuals against certain demands made on them by extraneous parties. Thus, to create and define obligations with respect to the uses and disclosures that may be made of records about individuals, legitimate patterns of information-sharing within the industry and threshold conditions for the disclosure of such records to outsiders must be established.

    Accordingly, the Commission recommends:

    Recommendation (17):

    That Federal law be enacted to provide that each insurance institution and insurance-support organization be considered to owe a duty of confidentiality to any individual about whom it collects or receives information in connection with an insurance transaction, and that therefore, no insurance institution or support organization should disclose, or be required to disclose, in individually identifiable form, any information about any such individual without the individual's explicit authorization, unless the disclosure would be:

    (a) to a physician for the purpose of informing the individual of amedical problem of which the individual may not be aware;

    (b) from an insurance institution to a reinsurer or co-insurer, or toan agent or contractor of the insurance institution, including a sales person, independent claims adjuster, or insurance investigator, or to an insurance-support organization whose sole source of information is insurance institutions, or to any other party-in-interest to the insurance transaction, provided:

    (i) that only such information is disclosed as is necessary for such reinsurer, co-insurer, agent, contractor, insurance-support organization, or other party-in-interest to perform its function with regard to the individual or the insurance transaction;

    (ii) that such reinsurer, co-insurer, agent, contractor, insur-ance-support organization or other party-in-interest is prohibited from redisclosing the information without the authorization of the individual except, in the case of insurance institutions and insurance-support organiza-tions, as otherwise provided in this recommendation; and

    (iii) that the individual, if other than a third-party claimant, is notified at least initially concurrent with the application that such disclosure may be made and can find out if in fact it has been made; and

    (iv) that in no instance shall information pertaining to an individual's medical history, diagnosis, condition, treat-ment, or evaluation be disclosed, even with the explicit authorization of the individual, unless the information was obtained directly from a medical-care provider, the individual himself, or his parent, spouse, or guardian;

    (c) from an insurance-support organization whose sole source of information is insurance institutions or self-insurers to an insurance institution or self-insurer, provided:

    (i) that the sole function of the insurance-support organization is the detection or prevention of insurance fraud in connection with claim settlements;

    (ii) that, if disclosed to a self-insurer, the self-insurer assumes the same duty of confidentiality with regard to that information which is required of insurance institutions and insurance-support organizations; and

    (iii) that any insurance institution or self-insurer that receives information from any such insurance-support organization is prohibited from using such information for other than claim purposes;

    (d) to the insurance regulator of a State or its agent or contractor, for an insurance regulatory purpose statutorily authorized by the State;

    (e) to a law enforcement authority:

    (i) to protect the legal interest of the insurer, reinsurer, co-insurer, agent, contractor, or other party-in-interest to prevent and to prosecute the perpetration of fraud upon them; or

    (ii) when the insurance institution or insurance-support organization has a reasonable belief of illegal activities on the part of the individual;

    (f) pursuant to a Federal, State, or local compulsory reporting statute or regulation;

    (g) in response to a lawfully issued administrative summons or judicial order, including a search warrant or subpoena.

    In contrast to the corresponding recommendations with respect to credit grantors and depository institutions, wherein interpretative responsibilities would be assigned to existing regulatory authorities, the Commission recommends that the responsibility for enforcing the confidentiality duties of insurance institutions and support organizations be left exclusively to the aggrieved individual. The information flows in and out of the insurance industry, while extensive in some areas, appear less dynamic and thus less prone to change than those in, them credit area, for example. As a result, there is less need for flexibility in establishing their legitimacy; that is, there is no need for an interpretative rule-making function.

    The provisions of the recommended statute, however, should be explicitly drawn to allow an individual to sue an insurance institution or support organization and to obtain actual damages for negligent disclosures that violate the duty of confidentiality, even if there is no showing of an intentional or willful violation. Where an intentional or willful violation of the duty of confidentiality is established, the individual should, in addition to actual damages and court costs, including reasonable attorney's fees, be entitled to general damages of a minimum of $1,000 and a maximum of $10,000. A defense available to the defendant charged with negligent disclosure would be that it had established reasonable procedures and exercised reasonable care to implement and enforce those procedures in attempting to protect the interests of the individual. Where it could not meet such a test, the insurance institution or support organization would then be subject to actual damages and court costs, including legal fees, for any violations.

    The statute should also make clear that subsection (b)(iii) would not apply to any record about an individual compiled in reasonable anticipation of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled, moreover, subsection (b)(iii) would not apply to any record compiled in relation to a claimant who is not an insured or policyowner (i.e., a third-party claimant), except as to any portion of such record that is disseminated or used for a purpose unrelated to processing the claim.

    The first premise of the proposed statutory duty is that no record should be disclosed by an insurance institution or support organization without the authorization of the individual to whom it pertains. The Commission would expect, moreover, that the authorization statement used would be specific as to the information proposed to be furnished, to whom, and for what purpose. Nonetheless, as in other areas, the Commission has recognized the need to allow certain types of disclosures to occur without the individual's authorization. These exceptions can be divided into three categories:

    • disclosures to protect the individual;
    • disclosures the insurance institution or support organization must make in order to perform duties inherent in the insurance relationship or to protect itself from failure by the individual to meet the terms of the relationship; and
    • disclosures to governmental authorities.

    Subsection (a) of the recommendation falls into the first category. It permits disclosure without authorization to a physician for the purpose of informing the individual of a medical problem about which he may be unaware, and which an insurance institution or support organization may be reluctant to disclose to him directly. Making an exception for such situations seems justified by the benefit to the individual and by the minimal risk to personal privacy it involves, since the physician also stands in a confidential relationship to the individual.

    The second category of exceptions concerns disclosures consistent with the insurer's rights and duties in its relationship with the insurance consumer. The duty of confidentiality, primarily for the benefit of the latter, should not unfairly burden the insurer's ability to fulfill its part of the bargain or to protect its own interests. By the mere fact of applying for insurance, maintaining a policy, or presenting a claim, the individual authorizes the insurer to perform certain functions. Thus, under subsection (b) of the Commission's recommendation, no authorization is required for disclosures to reinsurers, co-insurers, agents, contractors, insurance-support organizations, or any other party-in-interest, when disclosure is necessary  for that person to perform a function concerned with the insurer's relationship with the insured. The insured should nonetheless be notified (see Recommendation (5)) that such disclosures may be made and should be able to find out whether or not they have, in fact, been made (see Recommendation (10)).

    In many cases, individually identifiable information is provided by an insurer to one or more other insurers who act as reinsurers of the first. The individual whose insurance policy is reinsured has no legal relationship with the reinsurer. The only party who has a contractual relationship with the insured is the insurer from whom the individual purchased the policy. Reinsurance is common within the insurance industry, and sometimes involves the transfer of individually identifiable information. Currently, however, the individual has no knowledge of this type of disclosure.

    It would serve no purpose to require an applicant to expressly authorize the dissemination of information about him to a reinsurer. The individual who refused to authorize the disclosure would simply be denied the insurance. The reinsurer, moreover, would have the same duty of confidentiality as the original insurer and be subject to the same requirements for holding information in confidence.

    The reinsurance situation is similar to other party-in-interest situations in which the Commission believes individual authorization should not be required for information disclosure. For example, the amount of one insurer's claim payment may be related to another's payment. In this case, where a pro-rata liability or other coordination of benefits clause exists, each insurer must be considered a co-insurer and should, therefore, be allowed to share necessary information, subject to the same restrictions as to notice and confidentiality outlined above. Other exceptions based on the party-in-interest concept would include cases involving subrogation,¹⁰¹ as well as cases involving insurers who were potentially being defrauded by the same person.

    All parties-in-interest referred to in subsection (b) would either already be bound by or would assume the same duty of confidentiality as the provider of the information-that is, they would not be permitted to redisclose the information without the individual's authorization, unless, in the case of any party-in-interest that is an insurance institution or insurance-support organization, the disclosure would be otherwise authorized under this recommendation. Only information necessary for the recipient to perform its function should be disclosed. Thus, for example, an independent claims adjuster should only be given the information needed to properly settle a claim. As already noted, subsection (b)(iii), which requires notice and a way for an individual to find out whether a particular disclosure had been made, would not apply to cases expected to involve litigation or to claims situations. Subsection (b)(iv) incorporates Recommendation (16) as the Commission urged that it should, above.

    One special concern of insurance institutions and insurance-support organizations is to detect and deter fraud. Privacy requirements should not be used to restrict an insurer's capacity to protect its interests, especially where fraud may be involved. Thus, no authorization is required under subsection (b) for the disclosure of information to the Insurance Crime Prevention Institute or other support organizations that operate as surrogates of the insurer in seeking to prevent fraud. Authorization is also not needed for disclosure to one of the loss indexes or other insurers when the purpose is to deter and detect insurance fraud. Conversely, subsection (c) could allow the loss indexes to continue to disseminate information to their subscribers without individual authorization. To require otherwise would be tantamount to destroying the loss indexes, since those intent on fraud would naturally refuse to agree to the disclosure.

    Currently, "self-insurers" may subscribe to the loss indexes. These subscribers are neither insurance institutions nor insurance-support organizations within the Commission's or insurance regulatory officials' definitions. They are companies and governments that have chosen to retain some or all of their exposure to loss rather than to transfer it to an insurer. Since they are not insurance institutions or insurance-support organizations, they are not subject to the Commission's recommendations on such organizations. Nevertheless, the information from the loss indexes may continue to flow to self-insurers and should, therefore, be subject to a duty of confidentiality as provided in subsection (c)(ii).

    The third category of exceptions concerns disclosures to government. The Commission is aware that, for public policy reasons, information must be disclosed by insurance industry parties to law enforcement officials under certain circumstances. Such disclosures would be permitted, provided they comply with the Commission's recommendations regarding government access to private-sector records, explained in Chapter 9.

    One voluntary disclosure that is permitted without an authorization is to law enforcement officials when an insurance institution or insurance-support organization reasonably concludes, from information generated in its relationship with him, that an individual has violated the law or is suspected of fraud in connection with the insurance coverage. Certainly in this instance, the insurer should not be required to get the authorization of the individual.

    Furthermore, insurance institutions are required to release information to State insurance departments which regulate the insurance industry. Insurance institutions and insurance-support organizations must also respond to Federal, State, and local compulsory reporting statutes and regulations. They have no choice but to disclose information when required by government under these circumstances. A requirement of authorization by the individual would be meaningless. The Commission recognizes, however, that insurance institutions, like other record keepers, should have some obligation to inform an individual that information will be routinely reported to government. Finally, insurance institutions and support organizations must respond to a lawfully issued administrative summons or udicial order, such as a subpoena or search warrant. While they have no choice but to comply with such legal process, and while the primary obligation to assure protection of an individual's rights should rest with government, as explored in Chapter 9, the insurance record keeper has certain responsibilities-primarily to assure the facial validity of the particular form of compulsory process served on it, and to limit its compliance to the specific terms of the order. If, for example, a subpoena requires disclosure of information on a certain date, an insurance institution or support organization should not disclose until that date. Restricted response of this type will permit the individual whose records were sought to exercise those rights the Commission recommends be granted in the context of government access.

    Insurance protection is vital to most Americans. Much personal information is provided or developed through the process of providing needed insurance protection, properly pricing it, and in servicing insurance contracts, including the investigation and settlement of claims. The Commission believes that the recommendations in this chapter respect this need for information and strengthen the relationship between insured and insurer while promoting its three public-policy objectives.

• Glossary of Terms

  • Individual:

    any natural person who is a past, present, or proposed named or principal insured (including any principal insured under a family or group policy or similar arrangement of coverage for a person in a group), policyowner, or past or present claimant.

    Insurance Institution:

    an insurance company (including so-called service plans like Blue Cross and Blue Shield and any other similar service plan), regardless of type of insurance written or organizational form, including insurance company regional, branch, sales, or service offices (or divisions or insurance affiliates), or insurance company solicitors; or agents and brokers.

    Insurance-Support Organizations:

    an organization which regularly engages in whole or in part in the practice of assembling or evaluating information on individuals for the purpose of providing such information or evaluation, to insurance institutions for insurance purposes.

    Insurance Transaction:

    whenever a decision (be it adverse or otherwise) is rendered regarding an individual's eligibility for an insurance benefit or service.

    Adverse Underwriting Decision:

    (1)with respect to life and health insurance, a denial of requested insurance coverage (except claims) in whole or in part, or an offer to insure at other than standard rates; and with respect to all other kinds of insurance, a denial of requested coverage (except claims) in whole or in part, or a rating which is based on information which differs from that which the individual furnished;

    (2) a refusal to renew insurance coverage in whole or in part; or

    (3)a cancellation of any insurance coverage in whole or in part.

    Institutional Source:

    an institutional source is any person who provides information as part of his employment or any other connection with an insurance institution.

    Medical-Record Information:

    information relating to an individual's medical history, diagnosis, condition, treatment, or evaluation obtained from a medical-care provider, from the individual himself, or from his spouse, parent, or guardian for the purpose of making a non-medical decision (e.g., an underwriting decision) about the individual.

    Medical-Care Provider:

    a medical professional or medical-care institution.

    Medical Professional:

    any person licensed or certified to provide medical services to individuals, including but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, or clinical psychologist.

    Medical-Care Institution:

    any facility or institution that is licensed to provide medical-care services to individuals, including, but not limited to, hospitals, skilled nursing facilities, home-health agencies, clinics, rehabilitation agencies, and public-health agencies or health-maintenance organizations (HMO's).

• Endnotes

  • ¹ American Council of Life Insurance, Life Insurance Fact Book, (New York: American Council of Life Insurance, 1976), p. 9.

    ²Health Insurance Institute, The Source Book of Health Insurance Data 1974 - 1975, (New York: Health Insurance Institute, 1975), p. 19.

    ³ American Council of Life Insurance, op. cit., p. 38.

    ⁴ Automobile Insurance Plan Services Organization, A IPSO Insurance Facts for 1977, (New York: Automobile Insurance Plan Services Organization, 1977), p. 4.

    ⁵ American Council of Life Insurance, op. cit., p. 55.

    ⁶ Insurance Information Institute, Insurance Facts, (New York: Insurance Information Institute, 1976), p. 12.

    ⁷ American Council of Life Insurance, op. cit., pp. 9 and 52; information obtained orally from A.M. Best and Co.

    ⁸ Business life insurance is life insurance purchased for the benefit of the business itself, e.g.: (i) to indemnify the business for the loss of a key employee; (2) as a source of funds to buy back or purchase ownership of a firm upon the death of a partner or key employee; or (3) as a source of funds in order to discharge financial responsibility pursuant to a contractual agreement.

    ⁹ Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.

    ¹⁰ Written statement of the Medical Information Bureau (hereinafter cited as "MIB"), Insurance Records, Hearings before the Privacy Protection Study Commission, May 19, 1976, p.11 (hereinafter cited as "Insurance Records Hearings").

    ¹¹Ibid., pp. 5-6.

    ¹²Ibid

    ¹³ According to the report of a 1975 interview with then MIB Executive Director, Joseph C. Wilberding, the information companies were reporting to the Bureau came from the following sources: 33 percent from physicians, hospitals, or medical organizations; 15 percent from inspection bureau reports; and 53 percent from insurance forms filled out by the applicant himself or by the insurance agent, or from medical exams required by the companies. Mark Reutter, "Private Medical Records Aren't So Secret," Baltimore Sun, July 13, 1975, "Trend" Section, pp. 1-4.

    ¹⁴ MIB, "General Rules," Handbook and Directory, 1971, Rule 9. Since the Privacy Protection Study Commission hearings, the MIB has changed its rules. Rule 9 has been replaced by Rule D.2, which states that: "Underwriting information involving any impairments listed in the MIB Code Book and received by members from original medical or other sources, from official medical records, or from the applicant during the course of an application for personal life or health insurance must be reported to MIB regardless of the underwriting decision."

    ¹⁵ Written statement of the MIB, Insurance Records Hearings, May 19, 1976, p. 10.

    ¹⁶lbid., p. 3.

    ¹⁷Ibid., p. 4.

    ¹⁸Ibid., p. 5.

    ¹⁹ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 236 - 38. 20 Ibid, p. 240.

    ²¹ Letter from Neil M. Day, Executive Director and General Counsel, MIB, to the Privacy Protection Study Commission, September 30, 1976.

    ²² Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 279; Letter from Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, p. 4.

    ²³ Letter from Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, p. 4.

    ²⁴ Letter from Neil M. Day, MIB, to the Privacy Commission, October 28, 1976, p. 4.

    ²⁵ Ibid. 26 Ibid.

    ²⁷Ibid, p. 5.

    ²⁸ Written Statement of the MIB, Insurance Records Hearings, May 19, 1976, p. 5.

    ²⁹ MIB, "General Rules," Handbook and Directory, 1971, Rule 14. This is now Rule D.4, which reads: "Underwriting information received from MIB shall be used to alert members of the need for further investigation of the applicants insurability. In the interest of sound underwriting and to avoid unfair competitive ractices in the underwriting of risks, MIB record information shall not be used as the basis for establishing an applicant's eligibility for insurance." MIB, "General Rules," 1977, Rule D.4.

    ³⁰ Written statement of the MIB, Insurance Records Hearings, May 19, 1976, p. 13.

    ³¹ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 250.

    ³² Written statement of the MIB, Insurance Records Hearings, May 19, 1976, p.7.

    ³³Ibid, p. 16.

    ³⁴ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 235.

    ³⁵ Letter from Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, pp. 2, 5.

    ³⁶ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 245-47.

    ³⁷ Letter from Neil M. Day, MIB, to the Privacy Commission, October 28, 1976, pp. 1-3.

    ³⁸ This description of the Impairment Bureau is based on a letter from Charles A. Davis, Executive Director, National Insurance Association, to the>Privacy Commission, May 17, 1976; and a Privacy Commission staff interview with Clarise Hall, National Insurance Association, August 27, 1976.

    ³⁹ Testimony of the American Insurance Association (hereinafter cited as "AIA"), Insurance Records Hearings, May 21, 1976, pp. 755, 764 - 66.

    ⁴⁰Ibid, pp. 764- 65.

    ⁴¹Ibid, p. 765.

    ⁴²Ibid

    ^43>Ibid, p. 766.

    ⁴⁴Ibid, p. 756.

    ⁴⁵ American Insurance Association, "The Index System: Instructions for Subscribers," May, 1974, p. 2; Testimony of AIA, Insurance Records Hearings, May 21, 1976, p. 757.

    ⁴⁶ AIA, "Instructions for Subscribers," p. 3.

    ⁴⁷Ibid., p. 3.

    ⁴⁸Ibid

    ⁴⁹Ibid, p. I.

    ⁵⁰ Testimony of AIA, Insurance Records Hearings, May 21, 1976, p. 755.

    ⁵¹Ibid., p. 769.

    ⁵²Ibid, p. 773.

    ⁵³ Ibid, p. 756.

    ⁵⁴Ibid, pp. 760 - 61.

    ⁵⁵ A witness told the Commission that the loss indexes receive about 100 subpoenas a year from government agencies and that while for many they have no information to disclose, when they do have information they comply. Ibid, p. 776.

    ⁵⁶ Ibid, p. 769.

    ⁵⁷ Ibid, p. 768.

    ⁵⁸Ibid, p. 772.

    ⁵⁹ Statement of the Insurance Crime Prevention Institute (hereinafter cited as "ICPI"), Insurance Records Hearings, May 21, 1976, p. 1.

    ⁶⁰ ICPI, "By-Laws," Art. III, § 1.

    ⁶¹ Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1; Testimony of ICPI, Insurance Records Hearings, May 21, 1976, p. 776.

    ⁶² Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1; ICPI, "ICPI 1975," p. 2; ICPI, "By-Laws," Art. I.

    ⁶³ Written statement of ICPI,Insurance Records Hearings, May 21, 1976, p. 1.

    ⁶⁴Ibid.

    ⁶⁵ Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 776 - 77; ICPI, "ICPI - 1975."

    ⁶⁶ Written statement of ICPI, Insurance R cords Hearings, May 21, 1976, p. 2.

    ⁶⁷ ICPI, "A Prosecutor's Introduction to ICPI," r°. 4.

    ⁶⁸ Written statement of ICPI, Insurance Records 14.= :rings, May 21, 1976, p. 2.

    ⁶⁹Ibid, citing Burrows v. Superior Court, 13 Cal. 3d. 238, 245 (1975) as by analogy providing an exception from the rule of confidentiality.

    ⁷⁰ Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 784 - 85.

    ⁷¹Ibid, p. 778; Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. I; ICPI, "ICPI-1975," p. 9.

    ⁷² Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 786-87.

    ⁷³ A Factual Service Bureau advertising flyer asks, "Have you been denied medical authorization by a claimant? Does the claimant's attorney withhold medical information from you, or submit only 'partial' medical records? If either of the above is true, let Factual Service develop the true medical picture. We have specialized in background medical investigations for over two decades.

    ⁷⁴ William J. Giacofci and John A. Andryszak, "Summary of State Insurance Laws and Regulations Serving to Protect the Individual's Right to Privacy," Maryland Casualty Company, July 1976.

    ⁷⁵ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 265-67. The Federal Trade Commission believes that the MIB is subject to the Fair Credit Reporting Act and thus must give access. While the MIB denies this, it nonetheless grants access and thus the issue has not been brought to a head.

    ⁷⁶ Written statement of Federal Insurance Administration, Department of Housing and Urban Development, Insurance Records Hearings, May 20, 1976, pp. 6 - 11; Department of Transportation Study, "Motor Vehicle Crash Losses and Their Compensation in the United States;" Testimony of Benjamin Lipson, Insurance Records Hearings, May 20, 1976, pp. 407-09.

    ⁷⁷ Written statement of Federal Insurance Admininstration, Department of Housing and Urban Development, Insurance Records Hearings, May 20, 1976, p. 9; Department of Transportation Study, "Motor Vehicle Crash Losses: Their Compensation in the United States." p. 68.

    ⁷⁸ Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 263.

    ⁷⁹Ibid, pp. 235-36; 244-58.

    ⁸⁰ Testimony of the AIA, Insurance Records Hearings, May 21, 1976, p. 771.

    ⁸¹ MIB, "General Rules," Handbook and Directory, Rule 14. Rule 14 is now Rule D.4.

    ⁸² Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 234-36; 244-58. The Commission has no testimony from the Impairment Bureau on this issue, but problems no doubt exist with its subscribers as well. This would seem especially true since the Impairment Bureau lacks even those safeguards and rules under which the Medical Information Bureau operates.

    ⁸³ Written statement of Benjamin Lipson, Insurance Records Hearings, May 20, 1976, p. 7.

    ⁸⁴ Ibid, p. 8: Testimony of Jerome S. Beigler, American Psychiatric Association, Insurance Records Hearings. May 20, 1976. pp. 358-360.

    ⁸⁵ Testimony of Jerome S. Beigler, American Psychiatric Association, Insurance Records Hearings. May 20, 1976, pp. 370-73.

    ⁸⁶ Testimony of the Index System. Insurance Records Hearings, May 21, 1976, p. 769; Testimony of Jerome S. Beigler, Insurance Records Hearings, pp. 361, 372; Written statement of the Blue Cross Organizations. Insurance, Records Hearings, May 20, 1976, p. 5.

    ⁸⁷ Note: e.g., Cal. Ins. Code §§ 790.01, et seq. ; Mass. Gen. Laws Ann., ch. 93a; Vt. Stat. Ann. tit. 63, § 2451; Ill. Rev. Stat., ch. 121 1/2, § 261.

    ⁸⁸ Testimony of the California Department of Insurance, Insurance Records Hearings, May 20, 1976, pp. 496-98.

    ⁸⁹ 5 U.S.C. 552a(eXI).

    ⁹⁰ See, for example, Vital Statistics of the United States, 1972, Vol. 11-Morality, Part A. Table 5-3, Expectation of Life at Single Years of Age by Color and Sex, United States, 1972 (pp. 5-8), published by U.S. Department of Health, Education and Welfare, Public Health Service, Health Resources Administration, National Center for Health Statistics, Rockville, Maryland: 1976.

    ⁹¹ 5 U.S.C. 552a(eX7).

    ⁹² Testimony of the California Department of Insurance, Insurance Records Hearings, May 20, 1976, p. 497; Letter from Angele Khachadour, California Department of Insurance, to the Privacy Commission, July 30, 1976. California Department of Insurance, Ruling No. 204.

    ⁹³Ibid.

    ⁹⁴ Testimony of Dale Tooley, District Attorney, Denver, Colo., Medical Records, Hearings before the Privacy Protection Study Commission, June 11, 1976, pp. 456 - 511.

    ⁹⁵ See, e.g., Milton v. Missouri Pacific Ry. Co., 193 Mo. 46, 91 S.W. 949 (1906); Inscoe Y. Globe Jewelry Co., 200 N.C. 580, 157 S.E. 794 (1932). However, recent decisions in a few jurisdictions indicate that under certain circumstances, one who contracts with a private investigator may not thereby insulate himself from liability for unlawful acts committed by the investigator by merely arguing that they were outside the scope of the contract. Ellenberg v. Pinkerton's, to c., 124 Ga. App. 648, 188 S.E. 2d 911 (1972); Noble v. Sears, Roebuck and Co., 33 Cal. App. 3d 654, 109 Cal. Rptr. 269,73 A.L.R.3d 1164 (1973).

    ⁹⁶ The Act's definition of "maintain" includes all four record-keeping functions: collection, maintenance, use, and dissemination.

    ⁹⁷ For more detailed discussion of this requirement, and the problems agencies have had implementing it, see Chapter 13.

    ⁹⁸ Testimony of MIB, Insurance Records Hearings, May 19, 1976, pp. 244-54; 274-77.

    ⁹⁹ Submission of MIB, "Official Code List of Impairments - 1962," Insurance Records Hearings, May 19, 1976, p. 1.

    ¹⁰⁰ For a discussion of the doctor-patient testimonial privilege to most medical record-keeping situations, see Chapter 7.

    ¹⁰¹ Subrogation is the substitution of one party in place of another with reference to a lawful claim or right.