Our latest briefing explores the NAIC’s efforts to address algorithmic bias, the Colorado Division of Insurance’s latest stakeholder session on external consumer data and algorithms, and a private-sector solution for self-regulation regarding the use of non-HIPAA-covered health data.
Regulatory and Legislative Developments
- National Association of Insurance Commissioners keeps the focus on AI. At the NAIC’s national meeting last week, the Innovation, Cybersecurity, and Technology (H) Committee established a Collaboration Forum that will help coordinate a variety of tech-related workstreams, starting with those addressing algorithmic bias. Commissioner Kathleen Birrane (Chair – MD) said that the goals of the Forum are to facilitate fruitful and productive discussions and provide tools for regulators to use. She also said there will be opportunities for stakeholder input. Meanwhile, the Big Data and Artificial Intelligence Working Group (which reports to the H Committee and will participate in the Collaboration Forum) discussed its 2022 work plan. The plan will entail additional surveys (for insurers that write homeowners or life insurance), consideration of third-party data and model vendors, evaluation of tools and resources for monitoring the industry’s use of data and AI/ML, and consideration of how to implement the high-level AI Principles adopted by the NAIC in 2020.
- Colorado Division of Insurance holds second stakeholder session. On April 12, the Colorado Division of Insurance held its second stakeholder session in connection with the 2021 law that restricts insurers' use of external consumer data, algorithms and predictive models. The session featured a presentation by Cathy O'Neil, whom the Division has retained to assist with the rulemaking process. In her presentation, O’Neil gave examples of unintended algorithmic bias and described how to infer race for purposes of algorithmic testing using the BIFSG method, which relies on census data and an applicant’s name and address. The session also featured discussion about how to define "external consumer data" and "traditional underwriting factors," although Commissioner Conway observed that the distinction may not matter all that much. (The Commissioner’s expectation is that if an algorithm relies on both external consumer data and traditional underwriting factors, both types of factors will need to be tested for potential bias.) Comments on issues raised during the session should be submitted to the Division by May 1. The next stakeholder session will be in late May or early June.
- Executives for Health Innovation (EHI) introduced an independently governed self-regulatory program for non-HIPAA-covered health data. The program was detailed in a recently released report entitled The Case for Accountability: Protecting Health Data Outside the Healthcare System. In the absence of federal data privacy legislation governing the use of non-HIPAA-covered health data held and used by tech companies, the report sets forth “a private-sector solution — a neutral, independently run self-regulatory program that will oversee the data use policies and procedures” (often referred to as the “Framework”) that EHI and the Center for Democracy & Technology previously released. EHI has partnered with BBB National Programs to implement and manage the program and oversee “compliance with the Framework and protecting consumer health data not bound by the obligations of HIPAA.” EHI’s press release regarding the report is available here.