VIRGINIA LAW PORTAL

• Code of Virginia
• Virginia Administrative Code
• Constitution of Virginia
• Charters
• Authorities
• Compacts
• Uncodified Acts
• RIS Users (account required)

SEARCHABLE DATABASES

• Bills & Resolutions
  session legislation
• Bill Summaries
  session summaries
• Reports to the General Assembly
  House and Senate documents
• Legislative Liaisons
  State agency contacts

ACROSS SESSIONS

• Subject Index: Since 1995
• Bills & Resolutions: Since 1994
• Summaries: Since 1994

Developed and maintained by the Division of Legislative Automated Systems.

2003 SESSION

• history | hilite | pdf | print version

CHAPTER 266 An Act to amend and reenact §§ 38.2-604, 38.2-604.1, and 38.2-612.1 of the Code of Virginia, relating to insurance information privacy. [H 2524] Approved March 16, 2003

Be it enacted by the General Assembly of Virginia:

1. That §§ 38.2-604, 38.2-604.1, and 38.2-612.1 of the Code of Virginia are amended and reenacted as follows:

§ 38.2-604. Notice of information collection and disclosure practices.

A. An insurance institution or agent shall provide a notice of insurance information practices to all applicants or policyholders in connection with insurance transactions as provided in this section:

1. In the case of an application for insurance a notice shall be provided no later than:

a. At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant or from public records; or

b. At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant or public records; or

c. Notwithstanding the provisions of subdivision 1 b of subsection A, when an application for insurance is made by telephone and personal information is collected from a source other than the applicant or public records, the notice of insurance information practices may be given orally at the time of application, provided that, if a policy is issued, such notice is given in writing or, if the applicant agrees, in electronic format, no later than at the time of the delivery of the insurance policy or certificate.

2. In the case of a policy renewal, a notice shall be provided no later than the policy renewal date, except that no notice shall be required in connection with a policy renewal if:

a. Personal information is collected only from the policyholder or from public records; or

b. A notice meeting the requirements of this section has been given within the previous twenty-four 24 months; or

3. In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no notice shall be required if personal information is collected only from the policyholder or from public records.

B. The notice required by subsection A of this section shall be in writing or, if the applicant or policyholder agrees, in electronic format, and shall state:

1. Whether personal information may be collected from persons other than an individual proposed for coverage;

2. The types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect such information;

3. The types of disclosures made under subdivisions 1, 2, 3, 4, 5, 8, 10, and 12 of subsection B and subdivision 2 of subsection C of § 38.2-613 and the circumstances under which such disclosures may be made without prior authorization, however only those circumstances need be described that occur with such frequency as to indicate a general business practice;

4. A description of the rights established under §§ 38.2-608 and 38.2-609 and the manner in which those rights may be exercised; and

5. That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.

C. Instead of the notice prescribed in subsection B of this section, the insurance institution or agent may provide an abbreviated notice in writing or, if the applicant or policyholder agrees, in electronic format, informing the applicant or policyholder that:

1. Personal information may be collected from persons other than an individual proposed for coverage;

2. The information, as well as other personal or privileged information subsequently collected by the insurance institution or agent, in certain circumstances, may be disclosed to third parties without authorization;

3. A right of access and correction exists with respect to all personal information collected; and

4. The notice prescribed in subsection B of this section will be furnished to the applicant or policyholder upon request.

D. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

E. An insurance agent shall not be subject to the requirements of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any personal information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

F. [Repealed.]

G. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

§ 38.2-604.1. Notice of financial information collection and disclosure practices.

A. An insurance institution or agent shall provide clear and conspicuous notice of financial information collection and disclosure practices in connection with insurance transactions as required by subsection B of this section:

1. To an applicant before any financial information is disclosed about that applicant to any nonaffiliated third party, if the disclosure is made other than as permitted under § 38.2-613. For purposes of this subdivision, a notice provided to an employer benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder shall satisfy the notice requirements of this subdivision for applicants of such plan, policy, or annuity, provided the insurance institution or agent does not disclose the financial information of those applicants to a nonaffiliated third party, other than as permitted under § 38.2-613;

2. To a policyholder no later than delivery or issuance of the policy or any other evidence of coverage, or at the later of these events. For purposes of this subdivision, a notice provided to an employee benefit plan sponsor, group or blanket insurance contract holder, or group annuity contract holder shall satisfy the notice requirements of this subdivision for persons covered under such plans, policies, or annuities, provided the insurance institution or agent does not disclose the financial information of those persons to a nonaffiliated third party, other than as permitted under § 38.2-613; and

3. To a policyholder, other than a policyholder of a title insurance policy, not less than once in each calendar year. A notice provided to the sponsor of an employee benefit plan or the owner of a group or blanket insurance policy or group annuity contract shall satisfy the notice requirements of this subdivision for persons covered under such plan, policy or contract. For purposes of this subdivision only, "policyholder" does not include a person who owns a policy that is lapsed, expired or otherwise inactive or dormant under the insurance institution's business practices, and with whom the insurance institution has not communicated about the relationship for a period of twelve 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials.

B. Any notice required by subsection A of this section shall be in writing or, if the applicant or policyholder agrees, in electronic format, and shall state:

1. The types of financial information that may be collected;

2. The types of financial information that may be disclosed;

3. The categories of persons to whom financial information may be disclosed; however, when disclosures are made pursuant to subsection B of § 38.2-613, the notice is only required to state that disclosures may be made without prior authorization as permitted by law;

4. If financial information is disclosed pursuant to subdivision C 1 of § 38.2-613, the types of financial information that may be disclosed and the categories of nonaffiliated third parties to whom financial information may be disclosed by contractual agreement;

5. An explanation of the right to direct that financial information not be disclosed to nonaffiliated third parties as provided in § 38.2-612.1, provided that this explanation shall not be required to be given when information is disclosed pursuant to the provisions of § 38.2-613;

6. A description of the policies and practices for protecting the confidentiality and security of financial information;

7. The disclosure required, if any, under Section 603 (d) (2) (A) (iii) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) pertaining to the notices regarding the ability to opt out of disclosure of information among affiliates; and

8. A description of the types of financial information about former policyholders that may be disclosed and a description of the types of affiliates and nonaffiliated third parties to whom financial information about former policyholders may be disclosed; however, when disclosures are made pursuant to subsection B of § 38.2-613, the notice is only required to state that disclosures may be made without prior authorization as permitted by law.

C. An insurance institution or agent that does not disclose, and does not wish to reserve the right to disclose, financial information about policyholders or former policyholders to affiliates or nonaffiliated third parties except as authorized in subsection B of § 38.2-613 may satisfy the requirements of this section by providing a notice, as set forth in subdivisions A 2 and A 3 of this section, that:

1. States the foregoing information regarding such insurance institution or agent;

2. Includes the information described in subdivisions B 1 and B 6 of this section; and

3. States that the insurance institution or agent makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

D. An insurance institution or agent may satisfy the notice requirements of subdivision A 1 of this section by providing a short form notice at the same time that the insurance institution or agent delivers an opt out notice as required by § 38.2-612.1. Such a short form notice shall: (i) be clear and conspicuous; (ii) state that the notice prescribed in subsection B of this section is available upon request; (iii) explain a reasonable means by which the applicant may obtain that notice; and (iv) be in writing or, if the applicant agrees, in electronic format. The insurance institution or agent is not required to deliver the notice prescribed in subsection B of this section with its short form notice, provided the insurance institution or agent provides the applicant with a reasonable means to obtain such notice.

E. The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. An insurance institution may provide a joint notice from the insurance institution and one or more of its affiliates or other financial institutions, as identified in the notice, if the notice is accurate with respect to the insurance institution and the other institutions.

F. An insurance institution or agent, prior to disclosing financial information to a nonaffiliated third party other than as described in the notice prescribed in subsection B of this section, shall send a revised notice that accurately describes its information collection and disclosure practices. Such notice shall comply with the provisions of subsection B of this section.

G. An insurance institution or agent may satisfy the notice requirements of § 38.2-604 and this section through the use of separate notices or a combined notice.

H. An insurance agent shall not be subject to the requirements of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any financial information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

I. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.

§ 38.2-612.1. Special requirements for providing financial information to nonaffiliated third parties.

A. Except as otherwise provided in § 38.2-613, no insurance institution, agent, or insurance-support organization may, directly or through an affiliate, disclose to a nonaffiliated third party financial information about an individual collected or received in connection with an insurance transaction, unless:

1. The individual has been given a clear and conspicuous notice in writing, or in electronic form if the individual agrees, stating that such financial information may be disclosed to such nonaffiliated third party;

2. The individual is given an opportunity, before such financial information is initially disclosed, to direct that such information not be disclosed, and in no case shall the individual be given less than thirty 30 days from the date of notice to direct that such information not be disclosed;

3. The individual is given a reasonable means by which to exercise the right to direct that such information not be disclosed as well as an explanation that such right may be exercised at any time and that such right remains effective until revoked by the individual; and

4. The nonaffiliated third party agrees not to disclose such financial information to any other person unless such disclosure would otherwise be permitted by this chapter if made by the insurance institution, agent, or insurance-support organization.

B. 1. No insurance institution, agent, or insurance-support organization may disclose to a nonaffiliated third party, directly or through an affiliate, other than to a consumer reporting agency, a policy number or similar form of access number or transaction account of a policyholder or applicant for use in telemarketing, direct mail marketing or other marketing through electronic mail to an applicant or policyholder, other than to:

a. An agent or other person solely for the purpose of marketing the insurance institution's own products or services as long as the agent or other person is not authorized to directly initiate charges to the account; or

b. A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the policyholder or applicant at the time the policyholder or applicant enters the program.

2. A policy or transaction account shall not include an account to which third parties cannot initiate charges.

C. No insurance institution or agent shall unfairly discriminate against an individual because (i) the individual has directed that his personal information not be disclosed pursuant to subsection A of this section or (ii) the individual has refused to grant authorization of the disclosure of his privileged information or medical record information by an insurance institution, agent or insurance support organization pursuant to subsection A of § 38.2-613.

D. The requirements of subsection A of this section may be satisfied by providing a single notice if two or more applicants or policyholders jointly obtain or apply for an insurance product. Such notice shall allow one applicant or policyholder to direct that financial information not be disclosed to nonaffiliated third parties on behalf of all of the joint applicants or policyholders, provided that each applicant or policyholder may separately direct that his financial information not be disclosed to nonaffiliated third parties.

E. An insurance agent shall not be subject to the requirements of subsection A of this section in any instance where the insurance institution on whose behalf the agent is acting otherwise complies with the requirements contained herein, and the agent does not disclose any financial information to any person other than the insurance institution or its affiliates, or as permitted by § 38.2-613.

F. An insurance agent seeking to place coverage on behalf of a current policyholder shall be deemed to be in compliance with the requirements of this section in any instance where the agent has provided the notice required by this section within the previous 12 months.