Regulatory Roundup: Vermont Flooding, Florida PBM Regulation, Data Breach

State by state variations of laws, compliance protocols, industry transparency, and general regulatory culture can lend one the impression that keeping up with industry changes is a little bit like herding cats. So, what better way to wrangle some of the more localized insurance news than in a Regulatory Roundup?

On an ongoing basis, in no particular order or rank, we’re wrestling the various regulatory changes, compliance actions, and commissioner decisions into our roundup. As a disclaimer: There’s a lot going on at any given time in these here United States, so this isn’t a comprehensive picture of state-level action by any means. Think of it as, instead, a sampler platter of regulation. 

Also important to note: If we’re recapping interpretations of legal decisions, this is some armchair insurance speculation and not at all legal advice. If you need legal advice, get a lawyer. 

Vermont DFR confronts July historical flooding 

Vermont’s Department of Financial Regulation said in its July newsletter that the state is just getting a handle on the full scope of the early July deadly floods.

The state issued a bulletin authorizing a 90-day period from July 10, 2023, to allow insurance carriers to use catastrophe adjusters and appraisers to assess storm damage. As a reminder, the adjuster has to be licensed in their state or have a DHS from another state, the insurance carrier has to email dfr.producerlicensing@vermont.gov to communicate the full list of their emergency adjusters, and a Vermont-licensed adjuster has to review any denied claims within 90 days of the denial.

Another bulletin from the state outlined guidance to different insurance professionals, from adjusters to underwriters to producers about appropriate – and inappropriate – responses to the disaster. For instance, the state instructs property and casualty insurance carriers not to re-rate, cancel, nonrenew, or otherwise refuse to provide insurance coverage solely due to someone’s status as a victim or evacuee of the floods.

Among the news headlines Vermont DFR officials included in its newsletter was a Vox piece that declared the flooding was evidence that, thanks to climate change, there’s “no such thing as a disaster-resistant place anymore.”

Meanwhile, many other states grapple with struggling property and casualty markets in the wake of other “once-in-a-lifetime” weather events that are hitting population centers with increasing regularity. 

Florida Prescription Drug Reform Act to put PBMs under regulations of OIR

A law signed by Florida Gov. Ron DeSantis in May 2023 puts new regulations on pharmacy benefit managers (PBMs), officially putting their regulation under the umbrella of the Florida Office of Insurance Regulation (OIR).

PBMs are businesses that sit between insurance carriers and pharmaceutical manufacturers. The business structures have come under regulatory scrutiny in several states (and Congress) because consumer advocates allege they are another layer of complexity that exist to serve special interest profits and aren’t, in fact, delivering much if anything in terms of consumer good.

Florida’s new requirements mean PBMs that wish to stay in business in 2024 must:

• Obtain a Florida certificate of authority as an administrator in addition to maintaining their state registration
• Submit to transparency reporting requirements, disclosing data on:
  • Financial condition
  • Legal violations in any state
  • Network adequacy compliance
  • Changes in ownership
  • Appeals or denials of specific pharmacies and pharmacists
  • Agreements, relationships, or contracts with pharmacy benefit plans, programs, or participating pharmacies
• Protect patient data privacy from member pharmacies for any reason other than the strict fulfillment of relevant services
• Submit to biennial compliance exams

As insurance departments take interest in regulating these specific structures, health insurance carriers, agencies, and MGAs/MGUs can tighten their own compliance with state regulations by taking a proactive approach to validating producer and adjuster licenses with automated compliance solutions. Know of any good ones? (Yes, you do. It’s AgentSync.)

MOVEit data breach exposes consumer data in numerous states

Several state departments of insurance are broadcasting concerns for consumer data after insurance companies reported cyber breaches.

A criminal hacking group that launched attacks in the U.S. and Europe allegedly targeted MOVEit, a cloud-hosting and file transfer service, according to a news release from Maryland’s DOI.  

Affected insurance carriers are concentrated in the life, health, and annuities spaces thus far, according to Maryland and a news release from Delaware. Hackers collected data that may include Social Security numbers and birthdates.

A news release from Connecticut directs anyone who may have been affected by the hack to:

• Verify all communication independently. If you receive an unsolicited message claiming to be from your health care insurer, find your policy and use the customer service number provided there – don’t merely respond.
• Read any notice you receive about the data breach to see if your provider offers a service like a credit-monitoring program.
• Be extra cautious of phone calls.

And, if you’re operating in Maine and might have been affected by the breach, it may serve you to re-review the state’s newly released guidance on how to comply with the Maine cybersecurity law.

Other state regulatory changes

Colorado Division of Insurance officials issued an emergency regulation to ensure health insurance carriers subject to state regulation will maintain contraceptive coverage. With the Braidwood vs. Becerra ruling putting some coverage mandates of the Affordable Care Act into question, Colorado legislators passed a bill requiring carriers and PBMs to cover contraceptives in 2024. The DOI emergency regulation would act to make the new law effective immediately.

Connecticut Department of Insurance officials issued a reminder to insurance businesses and licensed individuals that they have to submit a data certification (showing that they comply with the state’s laws on the proper use of data and tech) on or before Sept. 1, 2023.

Delaware posted a bulletin to notify captive insurance businesses that the Captive Division of the state’s DOI moved. They’re now at Rockwood Office Park, 503 Carr Road, Suite 303, Wilmington, DE 19809. Additionally, a new state law increased foreign and domestic insurance companies’ annual assessments in the state from $900 to $1,050.

Florida issued a notice that residential property insurers had to submit attestations that their claims processes follow the state’s best practices and legal requirements by Aug. 1, 2023. Moving forward, said the OIR, carriers will sign an attestation by May 1 every spring. 

Georgia Insurance and Safety Fire Commissioner John F. King issued a directive advising health insurance carriers that the state’s new law allows the commissioner to pass rules and regulations about diagnostic breast examinations and the legally required cost-sharing provisions in the state.

New York has updated its regulations for excess line placement. Among the changes: The state requires excess brokers to report the dates of their relevant declinations in their filings.

Ohio moved state continuing education processing vendors from Prometric to its new vendor, PSI, effective Aug. 1, 2023. 

Oklahoma Commissioner Glen Mulready announced that property licensees whose renewals are processed after Sept. 1, 2023, won’t have to take previously mandatory earthquake-specific CE credits. 

Pennsylvania released an updated export list – the summary of what coverages are presumably best covered by surplus and excess lines carriers as opposed to domestic admitted insurance carriers. (If you need a primer on E&S compliance, we got you.)

Texas issued a notice to the insurance industry that, to comply with federal cybersecurity reporting laws, domestic insurance companies and HMOs should sent cybersecurity incident reports to financialanalysis@tdi.texas.gov, and other insurance carriers, regulated entities, and individuals should submit reports to cyberreporting@tdi.texas.gov.

Washington Insurance Commissioner Mike Kreidler held a workshop July 17 to allow industry professionals and consumers alike to discuss (and air grievances about) auto and homeowners insurance claim issues. A summary of the workshop (which you can rewatch on YouTube) said the event was scheduled for two hours and lasted for more than five. 

While these points of interest aren’t comprehensive, our knowledge of insurance producer and variable lines broker license and compliance maintenance is. See how AgentSync can help make you look smarter today; head over to the Compliance Library and wrassle up some state-by-state regulation and more jurisdictional updates.