Zoning In - Fall 2024
- IRES
- Nov 12, 2024
- 11 min read
Updated: Feb 27
Northeast Zone
Connecticut
In the Notice dated September 12, 2024 the Connecticut Insurance Department (CID) alerts insurance companies that the “coverage standards for paid family and medical leave products (CT PFML policies) established by the Paid Family and Medical Leave Insurance Authority have been amended pursuant to Public Act 24-5.” Effective October 1, 2024 these standards were expanded to provide coverage to sexual assault victims who satisfy certain requirements for leave. The CID has published a revised filing checklist for CT PFML policies on its website and reminds carriers with CT PFML policy forms that have previously been approved by the CID to file amendments through SERFF.
New York
The Department of Financial Services’ Industry Letter of October 16, 2024 addresses cybersecurity risks arising from artificial intelligence and strategies to combat-related risks. This Industry Letter provides guidance in response to inquiries received about how AI is changing cyber risk and how Covered Entities can mitigate risks associated with AI. The Department indicates that the Industry Letter “is intended to be a tool to assist Covered Entities in understanding and assessing cybersecurity risks associated with the use of AI and the controls that may be used to mitigate those risks. This Guidance does not impose any new requirements beyond obligations that are in DFS's cybersecurity regulation codified at 23 NYCRR Part 500 (the "Cybersecurity Regulation" or "Part 500"); rather, the Guidance is meant to explain how Covered Entities should use the framework set forth in Part 500 to assess and address the cybersecurity risks arising from AI.” Topics addressed include: AI-Enabled Social Engineering; AI-Enhanced Cybersecurity Attacks; Exposure or Theft of Vast Amounts of Nonpublic Information; and Increased Vulnerabilities Due to Third-Party, Vendor, and Other Supply Chain Dependencies. Other topics covered controls and measures that mitigate AI-related threats such as: Risk Assessments and Risk-Based Programs, Policies, Procedures, and Plans; Third-Party Service Provider and Vendor Management; Access Controls; Cybersecurity Training; Monitoring; and Data Minimization.
Pennsylvania
Notice 2024-15, dated September 14, 2024, addresses the “Filing of Rate Ranges” and indicates that “except for the use of schedule rating (which is confined to commercial lines products), product filings should not be submitted containing rate ranges.” While this is not a new requirement, the Department states that, “entities are not required to resubmit previous filings that contained rate ranges, but that it will not accept new filings that include manual pages previously submitted containing rate ranges."
Rhode Island
Bulletin 2024-8, dated September 9, 2024, addresses the use of various types of vehicle history scores in private passenger automobile insurance rating. The Bulletin reminds insurers of the wording found in 230-RICR-20-05-3 Automobile Insurance Rating section 3.7 and the requirements for the criteria of a Chargeable Accident as well as the allowed three year look back period. Bulletin 2024-8 further states that “any insurer currently utilizing a non-compliant vehicle history score must submit a filing to the Division via SERFF removing the non-compliant elements no later than November 30, 2024. These non-compliant rating elements shall not be included in future filings.”
Southeast Zone
Arkansas
Bulletin 19-2024, dated October 15, 2024, addresses health plan and prescription drug coverage identification cards in accordance with the recently amended Healthcare Payor Identification Card Act (Ark. Code Ann. §§ 23-79-2001 et seq.) The Arkansas Insurance Department is clarifying its expectations regarding terminology on healthcare identification cards and has included the following specifics that apply to healthcare plan ID cards. The Bulletin indicates that healthcare payors shall issue its insureds or enrollees healthcare plan ID cards with language that indicates whether the plan is:
Insured;
Self-funded; or
Short term, limited duration.
Regarding the language on the ID cards, the Bulletin further specifies that “description of one of the three types of plans specified in the Act must appear on every identification card. The terminology should be simple and clear. For suggestions on acceptable terminology for insured or self-funded plans, please see Bulletin 6-2019. For short term, limited duration plans, a payor may use the full description or the acronym "STLD".” Note that the Bulletin also states that payors are not required to reprint and reissue hard copy identification cards that have already been issued.
Mississippi
The Mississippi Department of Insurance has adopted a Pet Insurance Regulation (19-5-6.01 through 19-5-6.08) which is effective January 1, 2025. The adopted provisions address: definitions, consumer disclosures, policy conditions, sales practices for wellness programs, and continuing education requirements.
Midwest Zone
Indiana
Bulletin 275, dated August 1, 2024, addresses nonforfeiture requirements for index-linked variable annuity products. This Bulletin specifies that “Actuarial Guideline 54, ‘Nonforfeiture Requirements for Index-Linked Variable Annuity Products’ (“AG 54”) is effective for all Index-Linked Variable Annuity (“ILVA”) contracts (including associated riders, endorsements, or amendments) issued on or after July 1, 2024. This is true regardless of when an insurance product filing was approved by the Indiana Department of Insurance (the “Department”). Companies that have ILVA products approved in Indiana, but have not yet demonstrated AG 54 compliance, will need to do so in order to sell those products in Indiana after June 30, 2024.” Also included in this Bulletin are specific actuarial memorandum requirements of AG 54.
Additionally, the Department sets forth its interpretations of AG 54 as follows:
The sum of the fixed income proxy and derivative proxy must be calibrated to the crediting base at the beginning of the crediting period.
Material consistency demonstrations should show contractual interim, values, AG 54 interim values, and percentage differences for the tested scenarios. It is preferred that demonstrations be provided under a set of deterministic scenarios that capture the material range of consistency results. If stochastic-based demonstrations are provided, they should demonstrate the full distribution of stochastic results. Demonstrations based on an average of stochastic results are not acceptable.
The following valuation methods for the fixed income proxy are considered compliant with the AG 54 hypothetical portfolio method: market value, book value, or book value with market value adjustment (“MVA”). An MVA formula that is applied to a contract value other than the fixed income proxy book value or that contains adjustment factors that might inflate or bias the MVA, is considered a deviation from the hypothetical portfolio method and requires a material consistency demonstration.
Michigan
Bulletin No. 2024-23-INS, dated September 11, 2024, addresses short-term limited duration policies and fixed indemnity excepted benefits and supersedes Bulletin 2018-20-INS. This most recent Bulletin provides guidance on new federal requirements for short-term limited duration insurance (STLDI) and fixed indemnity excepted benefits coverage. Key points included in Bulletin No. 2024-23-INS are:
Amendments to the federal rules impose a new duration limit on STLDI of no more than three months, with a maximum coverage period of no more than four months, including any renewal or extension. A renewal or extension of STLDI includes renewals or extensions sold by the same insurer or an insurer in the same controlled group to the same policyholder within 12 months. These requirements apply to STLDI plans issued on or after September 1, 2024.
The amended federal rules also require a new notice requirement on the first page of all plans, applications, and marketing and enrollment materials. The notice must be prominently displayed in at least 14-point font. This requirement applies to STLDI plans issued on or after September 1, 2024.
This requirement also applies to group and individual market fixed indemnity excepted benefits coverage, for new and existing coverage, for plan years beginning on or after January 1, 2025.
Insurers offering STLDI or fixed indemnity plans are expected to make all necessary changes to comply with the amended federal rules. State law requirements unrelated to the durational limitation for STLDI continue to apply. All rates and forms must be submitted via SERFF for review and approval.
Western Zone
Alaska
SB 134 (Chapter No. 2024-39) enacts Insurance Data Security requirements and establishes the exclusive state standard for data security for licensees and govern the investigation and notification of a cybersecurity event. SB 134 amends Title 21 Insurance, Chapter 23 Risk Management; Own Risk and Solvency Assessment to include Article 2: Insurance Data Security. These new provisions include sections named: Information security program; Investigation of cybersecurity event; Notification of cybersecurity event; Confidentiality; Applicability; Enforcement penalties; and Definitions. Enacted provisions include:
Licensees will be obligated to develop, implement, and maintain a written information security program that encompasses administrative, technical, and physical safeguards. This includes measures for preventing unauthorized access or use of nonpublic information, establishing proper information retention and destruction schedules, and ensuring the program is periodically reviewed and updated to respond to evolving technological or threat landscapes, as well as changes in business arrangements.
In the event of a cybersecurity incident, the statutes outline specific protocols for immediate investigation and assessment, including determining the nature and scope of the event, identifying the nonpublic information affected, and taking steps to restore the security of the information systems involved. A notable requirement is for licensees to notify the Alaska Division of Insurance (“DOI”) within three business days if the cybersecurity event impacts 250 or more consumers in Alaska or if it poses a material risk of harm to individuals.
Furthermore, the statutes detail the confidentiality and privilege accorded to information shared with or obtained by the DOI in the context of a cybersecurity event, outline exceptions for small licensees or those in compliance with HIPAA, and describe enforcement mechanisms and penalties for non-compliance.
Arizona
Effective January 1, 2025, HB 2599 enacts multiple revisions to the health care appeals statutory requirements in Title 20, Chapter 15 – Utilization Review, Arizona Revised Statutes (A.R.S.). Some key provisions, outlined briefly below, address definitional changes, levels of appeals, and requirements for such appeals. This bill establishes definitions for: "final internal adverse determination," "grandfathered individual plan," "health care setting," "internal level of review," "rescission," and “advanced practice registered nurse.” It also renames the defined term of "adverse decision" to "adverse determination" and expands the definition. Additionally, the definition of "denial" is expanded to include a reduction or termination of a service or a rescission of coverage.
Revisions to A.R.S. § 20-2533 include required levels of review and cost imposition prohibition as follows: “No minimum dollar amount may be imposed on any claim that is the subject of an adverse determination for a member to, and any member who receives an adverse determination may, pursue the applicable review process prescribed in this article. Except as provided in sections 20-2534 and 20-2535, health care insurers shall provide at least the following levels of review, as applicable:
An expedited medical review and expedited appeal pursuant to section 20-2534.
An initial appeal pursuant to section 20-2535.
An external independent review pursuant to section 20-2537.”
A.R.S. § 20-2533, as revised, establishes specific requirements for group plans and for grandfathered individual plans electing to offer a voluntary internal appeal as an additional internal level of review after a determination of an initial appeal. Regarding individual plans and group plans for which the health care insurer does not elect to offer a voluntary internal appeal as an internal level of review, the health care insurer shall adhere to the specific requirements newly set forth in this statutory section.
A.R.S. § 20-2534, as revised, increases the timeframe within which the member may request an expedited external independent review after the member receives an adverse determination at the expedited internal levels of review. The member may make an oral request for expedited external independent review for an adverse determination involving an experimental or investigational service if the member’s treating provider certifies in writing that the recommended service or treatment would be significantly less effective if not promptly initiated. Additionally, the member may initiate an expedited external independent review if the utilization review agent denies a health care service for which the member received emergency services under certain circumstances or if the member exhausted or the insurer waived the insurer’s internal levels of review.
Regarding standard external independent review, the member may submit additional written evidence for consideration within five business days after receiving acknowledgment that external independent review has been initiated. HB 2599 further addresses information that an independent review organization must review in rendering a determination on standard external independent review.
Concerning member disclosures, HB 2599 mandates that “before a health care insurer makes a final internal adverse determination that relies on new or additional evidence generated directly or indirectly by the health care insurer, the health care insurer shall provide the new or additional information to the member free of charge sufficiently in advance of the final adverse determination to allow the member a reasonable opportunity to respond within the applicable time frames for the health care insurer to provide the member with a written determination prescribed” in the applicable subsections of A.R.S. § 20-2533.
Regarding record retention, newly enacted A.R.S. § 20-2542 requires a health care insurer and an independent review organization to maintain all records relating to internal and external appeals and exception requests for at least three years after the completion of the appeals process or exception request process.
Colorado
Bulletin B-10.004, dated October 18, 2024, provides updated information concerning the quantitative testing reporting requirement for life insurers that use external consumer data and information sources. The current Colorado Division of Insurance (the “Division”) position is as follows:
“Because the Division has not yet adopted a regulation establishing the required quantitative testing referenced in Regulation 10-1-1, the quantitative testing reporting requirement is not applicable for the current reporting period and the annual report due December 1, 2024 is not required to include a description of the quantitative testing referenced in Section 5.A.10. The waiver of this requirement is for the annual report due December 1, 2024 only; subsequent annual reports will be expected to include a description of the quantitative testing conducted.” The Division further notes that all other requirements outlined in Regulation 10-1-1 remain in effect.
New Mexico
Bulletin 2024-018, dated October 1, 2024 serves as the replacement guidance (Bulletins 2022-001 and 2022-003 are rescinded) for the confidentiality request determination process. This Bulletin amends the previous processing guidelines to clarify how confidentiality is protected in compliance with the law, and to establish a review procedure that ensures that information that has been deemed to be confidential is not inadvertently disclosed by the Office of Superintendent of Insurance (“OSI”) to the public in response to an Inspection of Public Records Act (“IPRA”) request. The guidelines also enable the OSI to track confidentiality request determinations. Detailed processing/SERFF filing requirements are included in the Bulletin.
Oregon
Bulletin 2024-8, dated October 10, 2024, provides “updated guidance on the Division of Financial Regulation's (DFR) expectations of insurers who write Short Term Disability policies, in light of the recent implementation of the Paid Leave Oregon program.” This Bulletin, which replaces the previous guidance published earlier this year in January, provides background on the Paid Leave Oregon program and addresses situations where some Short-Term Disability (“STD”) insurance policies may include "Other Income" or "Other Benefit" provisions. The Division’s updated guidance includes the following: “If the terms of an STD policy allow the insurer to reduce STD benefits due in any part to the availability of Paid Leave Oregon benefits, all plan documents must clearly and conspicuously inform consumers that:
They might be eligible for leave benefits under the Paid Leave Oregon program;
The insurer might require the consumer to apply for Paid Leave Oregon and, if so, the extent to which the person must pursue their Paid Leave Oregon application (such as, "through the highest appeal level," as set forth above), and;
The extent to which STD benefits will be reduced on account of Paid Leave Oregon benefits received by the worker.”
This Bulletin further addresses rates and premiums as well as indicating that effective December 1, 2024, “insurers must submit updated plan documents for DFR approval within 18 months of this Bulletin's date or at renewal, whichever is earlier. Alternatively, when appropriate, insurers may file an endorsement notice included with their renewal.”
Utah
Bulletin 2024-9, dated August 1, 2024, addresses the new motorboat reporting requirement in HB 184. Effective January 1, 2025, all insurers that offer motorboat insurance must also report motorboats that they insure to the Utah Uninsured Motorist Identification Database Program. The Bulletin notes that the process for reporting motorboats will be very similar to the current vehicle reporting requirement and indicates that instructions for the reporting requirements can be found on the vendor's website which is: https://www.insure-rite.com/motorboats.
Kathy Donovan is Senior Compliance Counsel, insurance with Wolters Kluwer Financial Services. Kathy has more than two decades of experience in insurance compliance. Her expert commentary on legal and regulatory issues affecting the insurance industry is widely published and she is a regular presenter at various industry events.
Comments