National Association of Mutual Insurance Companies (on behalf of)
Health Breach Notification Rulemaking
NAMIC is the largest full-service national trade association serving the property/casualty insurance industry with more than 1,400 member companies that underwrite more than 40 percent of the property/casualty insurance premium in the United States. NAMIC members are small farm mutual companies, state and regional insurance companies, risk retention groups, national writers, reinsurance companies, and international insurance giants.

Notwithstanding our position that the proposed Rule does not apply to insurers in possession of personal health records created or managed primarily for commercial uses, NAMIC offers language we believe is needed to clarify the scope of the Rule to avoid unintended application. (Full comments attached) Specifically, NAMIC offers recommendations with respect to key definitions set forth in the guidance to prevent inadvertent application of the Rule to property/casualty insurers.

NAMIC appreciates the opportunity to comment on the various definitions and notice provisions of the Rule. NAMIC believes the legislative history of the statute clearly defines personal health records to exclude records created and held for commercial activities, such as those created and used by life and property/casualty insurers. As such, insurers should be excluded from the definition of vendor.

NAMIC supports the harm standard as set forth in FTC Proposed section 318.2, which allows the presumption of unauthorized acquisition of protected information to be rebutted with reliable evidence showing that the information could not reasonably have been acquired. We look forward to working with the Commission to establish appropriate notification requirements covering personal health records managed, shared, and controlled by or primarily for an individual and appropriately excluding commercial use records.