Section 500.551. Authority.  



    (a)   These rules establish standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, pursuant to Sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b) and 6807, Chapter 5 of the Insurance Code, MCL 500.501 to 500.547, with penalties for violation specified in Chapter 20 of the Insurance Code, MCL 500.2001 to 500.2050.

    (b)   Section 501(a) of the Gramm-Leach-Bliley Act provides that it is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information. Section 501(b) of the Gramm-Leach-Bliley Act requires the state insurance regulatory authorities to establish appropriate standards relating to all of the following administrative, technical, and physical safeguards:

    (i)   To ensure the security and confidentiality of customer records and information.

    (ii)   To protect against any anticipated threats or hazards to the security or integrity of such records.

    (iii)   To protect against unauthorized access to or use of records or information that may result in substantial harm or inconvenience to a customer.

    (c)   Section 505(b)(2) calls on state insurance regulatory authorities to implement by rule the standards prescribed under Section 501(b) with respect to persons engaged in providing insurance; and the Governor signed 2001 PA 24 on June 18, 2001, creating Chapter 5 of the Insurance Code, titled "Privacy of Financial Information."

    (d)   Section 507 provides, among other things, that a state may afford persons greater privacy protections than those provided by subtitle A of Title V of the Gramm-Leach-Bliley Act. MCL 500.501(3) provides that Chapter 5 of the Insurance Code - applicable to financial information - does not modify, limit, or supersede statute or rules governing the confidentiality or privacy of individually identifiable health or medical information under state law. To release such private or privileged health or medical information in Michigan generally requires the informed, written consent of the patient or his or her authorized representative. Nothing in these rules shall be construed to diminish state law, recent federal HIPAA standards (45 CFR Parts 160 and 164) that govern the privacy and security of protected health and medical information, or fair credit reporting act protections for medical information (15 U.S.C. 1681 et seq.). The safeguards established pursuant to these rules apply only to nonpublic personal financial information and do not diminish the duty of any licensee to comply with other more stringent state or federal laws affecting other types of customer information in the licensee's possession. For example, licensees are notified that MCL 750.410(2) establishes criminal penalties for any person, firm, or corporation that buys, sells, furnishes, or receives "for any consideration" the identity of a patient or any information concerning treatment unless otherwise authorized by law, administrative rule, or valid legal process.

History: 2004 AACS.