
    HIPAA Regulations: Gramm-Leach-Bliley - Relationship to Other Federal Laws

    As Contained in the HHS HIPAA Rules


    HHS Description
    Relationship to Other Federal Laws - Gramm-Leach-Bliley


    In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, which included provisions, section 501 et seq., that limit the ability of financial institutions to disclose “nonpublic personal information” about consumers to non-affiliated third parties and require financial institutions to provide customers with their privacy policies and practices with respect to nonpublic personal information. In addition, Congress required seven agencies with jurisdiction over financial institutions to promulgate regulations as necessary to implement these provisions. GLB and its accompanying regulations define “financial institutions” as including institutions engaged in the financial activities of bank holding companies, which may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 1843(k). However, Congress did not provide the designated federal agencies with the authority to regulate health insurers. Instead, it provided states with an incentive to adopt and have their state insurance authorities enforce these rules. See 15 U.S.C. 6805. If a state were to adopt laws consistent with GLB, health insurers would have to determine how to comply with both sets of rules.

    Thus, GLB has caused concern and confusion among health plans that are subject to our privacy regulation. Although Congress remained silent as to its understanding of the interaction of GLB and HIPAA's privacy provisions, the Federal Trade Commission and other agencies implementing the GLB privacy provisions noted in the preamble to their GLB regulations that they “would consult with HHS to avoid the imposition of duplicative or inconsistent requirements.” 65 Fed. Reg. 33646, 33648 (2000). Additionally, the FTC also noted that “persons engaged in providing insurance” would be within the enforcement jurisdiction of state insurance authorities and not within the jurisdiction of the FTC. Id.

    Because the FTC has clearly stated that it will not enforce the GLB privacy provisions against persons engaged in providing insurance, health plans will not be subject to dual federal agency jurisdiction for information that is both nonpublic personal information and protected health information. If states choose to adopt GLB-like laws or regulations, which may or may not track the federal rules completely, health plans would need to evaluate these laws under the preemption analysis described in subpart B of Part 160.


    HHS Response to Comments Received
    Relationship to Other Federal Laws - Gramm-Leach-Bliley


    Comments: One commenter noted that the Financial Services Modernization Act, also known as Gramm-Leach-Bliley ("GLB"), requires financial institutions to provide detailed privacy notices to individuals. The commenter suggested that the privacy regulation should not require financial institutions to provide additional notice.

    Response: We disagree. To the extent a covered entity is required to comply with the notice requirements of GLB and those of our rules, the covered entity must comply with both. We will work with the FTC and other agencies implementing GLB to avoid unnecessary duplication. For a more detailed discussion of GLB and the privacy rules, see the "Relationship to Other Federal Laws" section of the preamble.

    Comment: A few commenters asked that the Department clarify that financial institutions, such as banks, that serve as payors are covered entities. The comments explained that with the enactment of the Gramm-Leach-Bliley Act, banks are able to form holding companies that will include insurance companies (that may be covered entities). They recommended that banks be held to the rule's requirements and be required to obtain authorization to conduct non-payment activities, such as for the marketing of health and non-health items and services or the use and disclosure to non-health related divisions of the covered entity.

    Response: These comments did not provide specific facts that would permit us to provide a substantive response. An organization will need to determine whether it comes within the definition of "covered entity." An organization may also need to consider whether or not it contains a health care component. Organizations that are uncertain about the application of the regulation to them will need to evaluate their specific facts in light of this rule.