Arizona Enacts Limited Privilege For Insurance Self-Audits

Arizona has enacted a privilege applicable to voluntary compliance audits conducted by insurance companies.[1] This “self-evaluative” privilege protects audit documents and testimony in civil and some administrative proceedings. The Arizona legislature based the new law on the National Conference of Insurance Legislators’ Model Act, which has served as a template for similar laws in nine other states.  But Arizona’s privilege differs significantly from the Model Act. As highlighted below, insurers should be aware of these differences when considering whether to conduct a voluntary compliance audit in reliance on the privilege. 

Under the new Arizona law:

  • The privilege applies to audit documents only if an insurer notifies the Arizona Department of Insurance (DOI) at the beginning and end of the audit and makes the documents available to the DOI.
  • The DOI may obtain audit documents at any time and use them against insurers in enforcement actions, as it already can with other insurer records.
  • When an insurer submits audit documents to the DOI or another government agency, the submission does not waive privileges that may be asserted against other parties. The DOI, in particular, must treat the submission as a confidential record. And audit documents filed with the DOI are not subject to public records requests or further disclosure.
  • Insurers may expressly waive the privilege.  Insurers may also impliedly waive the privilege by sharing audit documents with non-governmental parties not involved with the audit.
  • To assert the privilege and avoid waiver as to a litigation discovery request, an insurer may petition the court for in camera review of its audit documents. 
  • The privilege will not attach if asserted for a fraudulent purpose or if the insurer has not remedied noncompliance revealed by the audit within a time period set by the DOI. 


Insurance Self-Audits. Insurers may voluntarily audit their practices to identify compliance issues rather than ignore them until after costly DOI investigations and the prospect of severe penalties. Self-audits supplement regulatory enforcement, help detect noncompliance earlier, and allow regulators to focus limited resources on insurers with identified problems. Consumers in turn benefit when insurers audit their practices for compliance with laws designed to protect consumers.

However, there has traditionally been a significant disincentive for self-audits:  they may be discoverable. Government agencies and potential plaintiffs or competitors may use litigation discovery and public records laws to exploit self-audit documents—which may reveal highly unfavorable information—against an insurer.  For instance, an insurer’s efforts to assess and remedy claims handling practices could lead to the broadcast of self-audit documents in response to a public records request, which, in turn, could spur lawsuits.  The documents might also strengthen a plaintiff’s case that an insurer had systemic unfair practices. 

Inadequate Protection of Self-Audit Documents Under the Common Law. Insurers usually cannot rely on common law privileges to shield routine audit documents. The attorney-client privilege only protects audit documents that are communications between an insurer and its counsel to obtain legal services.  While portions of a counsel-coordinated audit could be privileged, a more common, regular review of program areas to detect compliance issues might not be.[2] The work product doctrine also may not provide refuge because regular self-audits, not conducted in anticipation of litigation or in response to a complaint, fall outside its protection.[3] And even if otherwise protected, audit documents may lose protection if disclosed internally or to regulators, barring statutory exceptions.[4]

Similarly, the common law’s self-evaluative privilege provides scant protection to insurance audit documents. The privilege originally protected peer review materials so that physicians would candidly assess their colleagues’ actions.[5] Some courts later expanded the privilege to self-audits,[6] recognizing that compelled disclosure would have a “chilling effect” on an organization’s willingness to conduct audits[7].  But courts do not uniformly recognize the self-evaluative privilege.[8]  In the insurance context, courts have narrowly construed the privilege or have declined to apply it at all.[9] Arizona courts fall among the courts that have declined to expand the privilege beyond the hospital context.[10]

Campaign for Codification of the Self-Evaluative Privilege. The National Conference of Insurance Legislators (NCOIL) recognized this dearth of protection for audit documents. It adopted the Insurance Compliance Self-Evaluative Privilege Model Act in 1998 to provide a template for state legislatures willing to consider the privilege for insurers.[11] The Act declares that the “protection of insurance consumers is enhanced by companies' voluntary compliance with this State's insurance and other laws and that the public will benefit from incentives to identify and remedy insurance and other compliance problems.”[12]  Under the Act, self-audit documents are not discoverable or admissible as evidence in any legal action unless the privilege is asserted fraudulently or the insurer does not promptly correct noncompliance identified during the audit.[13]  

Since its adoption, several insurance groups have endorsed the Model Act. The American Council of Life Insurers explained that promoting self-audits “is good public policy,” and “[w]ith increasing pressure upon fiscal conservation in state budgets,” enacting a self-evaluative privilege “releases regulatory resources to focus upon other matters of concern to consumers.” [14] Without the privilege, however, “companies will be less inclined to conduct self-critical evaluations for fear of potential litigation risk.”[15]  

The National Association of Independent Insurers (predecessor to the Property Casualty Insurers Association of America) echoed that sentiment, stating that a self-audit “is most valuable to insurers and the public if it can be done in candor," and public access to such information would be a trial lawyer's “blueprint to a lawsuit.”[16] These groups are also cautious about the regulatory use of audit documents—the American Insurance Association declared that audit information should not be used to penalize carriers attempting to remedy problems.[17]

The efforts of NCOIL, industry groups, and insurers have led to the enactment of legislation based on the Model Act in nine other states. Illinois became the first to enact the privilege in 1997.[18]  New Jersey and North Dakota enacted the privilege in 1999, Michigan and Oregon in 2001, the District of Colombia in 2003, Kansas in 2005, Texas in 2005, Hawaii in 2007, and Oklahoma in 2012.[19]  

Arizona Enacts the Self-Evaluative Privilege

The Model Act had been unsuccessfully introduced in the Arizona legislature in 1999.[20] A decade and a half later, House Bill 2560 based on the NCOIL Model Act was introduced as part of a renewed effort to enact the privilege in Arizona. Several insurers and insurance groups supported enactment of the Bill and advised that the privilege would encourage self-audits.[21]

Subsequent negotiations between the insurance industry and the DOI resulted in amendments to the Bill. Consequently, the enacted version of the Bill differs in material respects from the Model Act. Early on, the DOI raised the concern that the Bill would unduly restrict its access to audit documents and its ability to share them with other regulators.  Under existing law, the DOI could obtain and share an insurer’s records.[22] And recently-enacted environmental and health and safety audit privileges grant regulators open access to audit documents.[23] To obtain the DOI’s support, the Bill was amended to permit the DOI to obtain audit documents at any time, use them in enforcement actions, and share them with regulators including the National Association of Insurance Commissioners (NAIC).[24] 

While making these concessions, proponents wanted to ensure the privilege would provide clear protection from disclosure or discovery in private litigation. The Bill was further revised to incorporate a provision not found in the Model Act or the Act as enacted in other states:  An insurer will not lose the privilege by a judicial determination that an insurer has not promptly corrected noncompliance, but only if it “fails to undertake corrective action . . . within the compliance date set by the [DOI].”[25] 

In contrast, the Model Act as enacted in other states reflects a different compromise: Regulators have limited access to audit documents and sharing capabilities but a court may remove the privilege if it finds—even contrary to a regulator’s determination—that an insurer did not remedy noncompliance quickly enough.[26]  

Mechanics of Arizona’s Self-Evaluative Privilege

Protection Limited to Self-Audit Documents and Testimony. Arizona’s self-evaluative privilege protects documents “prepared as a result of or in connection with an insurance compliance audit,” which is “a voluntary, internal evaluation, review, assessment, audit or investigation that follows adopted written standards and criteria for the purpose of identifying or preventing noncompliance with or promoting compliance with laws, regulations, orders or industry or professional standards.”[27] This means that internal audits aimed at, for example, “improving employee efficiency and cost effectiveness” would not be covered.[28]

Importantly, unlike the Model Act, the Arizona law conditions the privilege upon notification to the DOI about a self-audit’s start and end dates, and insurers must make audit documents available to the DOI. [29]  (It is an open question whether this audit notification or the existence of an audit itself may be discoverable.) The privilege does not discuss the extent or precise timing of the notice or empower the DOI to approve or disapprove it.  Instead, notification is all that is required.

Protected audit documents include: (i) an audit report prepared by an auditor, who may be an employee or independent contractor; (ii) documents analyzing the report or discussing implementation; (iii) an implementation plan for correcting noncompliance and improving compliance in the future; (iv) analytic data generated during the audit; and (v) other audit information such as field notes, observations, and graphical reporting.[30] A person or entity involved in the audit may not be examined about it.[31]

The privilege does not apply to: (i) materials that a company is legally required to maintain or report to an agency; (ii) information that agencies obtain by monitoring; (iii) information from an independent source; and (iv) materials that an insurer prepares in the ordinary course of business.[32] These exceptions may deprive compliance-related documents from protection. For example, an insurer may regularly track internal and external data to detect problem areas or to evaluate the effectiveness of corrective action after an audit. These business records, which are not excepted under the Model Act,[33] are not privileged under the new law.

What is clear, however, is that if audit documents are privileged, they are not admissible in a civil or administrative proceeding, except as expressly provided by the new law.[34]  

The DOI’s Open Access to Self-Audit Documents. The DOI may obtain privileged audit documents at any time.[35] While the Model Act and the privilege in some states do not expressly provide open access to insurance regulators, they recognize that regulators may compel disclosure under other existing law.[36]  

Once the DOI obtains privileged audit documents, it may use them in an enforcement action.[37] Elsewhere, the ability of regulators to use audit documents varies. The Model Act and some states only permit a regulator to use the documents to determine whether defects in an insurer’s practices have been remedied.[38] Some other states allow regulators to use the documents in enforcement actions but timely disclosure is a mitigating factor.[39] And another state requires evidence that the insurer has not remedied noncompliance before allowing any penalty based on audit information.[40]

Confidentiality of Self-Audit Documents and Non-Waiver. Whenever an insurer provides audit documents to a government agency, voluntarily or otherwise, it does not waive privileges as against other parties.[41] The Model Act, by contrast, only prevents waiver of privilege for audit documents submitted during regulatory examinations.[42] 

Moreover, the DOI as recipient must keep the documents confidential.[43] Under Arizona’s privilege, audit documents in the hands of the DOI are not subject to public records requests, unlike the records of some DOI examinations and investigations.[44] An audit document submitted to the DOI at any time, including during an examination, “is not subject to any further disclosure or production”; this language is unqualified.[45]   

Waiver of the Self-Evaluative Privilege. The new law allows an insurer to share documents with “any company, person or entity [that] performs or directs the performance of an insurance compliance audit, an officer, employee or agent involved with the insurance compliance audit or any consultant who is hired for the purpose of performing the insurance compliance audit.”[46] But an insurer may expressly waive the privilege.[47]  And it is possible that waiver may be implied if documents are shared with those not involved in the audit (other than government agencies). 

Asserting the Self-Evaluative Privilege and In Camera Review. An insurer may face a request in litigation for the production of audit documents. Within thirty days of a discovery request, the insurer may file a petition with the court disclosing the audit documents, date and nature of the audit, and auditor, or else the insurer waives privilege as to this request.[48]  The court must then review the documents in camera to determine whether the privilege applies.[49]

The court may compel disclosure of relevant audit documents if: (i) the privilege is being asserted for a fraudulent purpose (the burden to prove this is on the requesting party[50]); (ii) the documents are not subject to the privilege; or (iii) the documents show evidence of the insurer’s noncompliance with the law and the insurer failed to take corrective action within a compliance date set by the DOI.[51]  

If the court compels disclosure, the audit documents do not become public and the disclosure does not cause waiver of privilege as against other parties.[52] The insurer may apply for a protective order to prevent further disclosure.[53]  The parties may also stipulate that specific information in the audit documents is or is not privileged.[54]  

No Self-Evaluative Privilege in Criminal Proceedings. The introduced version of House Bill 2560 contained protection for audit documents in criminal proceedings. However, the legislature amended the Bill to remove this provision. Thus, unlike the Model Act and laws enacted elsewhere,[55] an insurer cannot assert the privilege in a criminal case though the privilege is not waived as against other parties if documents are disclosed in a criminal case.[56]

Other Statutory and Common Law Privileges Preserved. The statutory privilege does not “limit, waive or abrogate” other statutory and common law privileges, including “the work product doctrine, the attorney-client privilege or the subsequent remedial measures exclusion.”[57] This means that if an insurer’s assertion of the self-evaluative privilege is unsuccessful, it may invoke other privileges as a secondary line of defense. 

An insurer may also conduct an audit without relying on the self-evaluative privilege—and avoid informing the DOI about the audit—and instead invoke other privileges to protect audit documents.[58] 


Arizona’s self-evaluative privilege affords protection for audit documents where it previously did not exist.  To obtain the protection, the insurer must first notify the DOI of both the start and completion of the audit. Upon request, the insurer must produce the audit results to the DOI, who, in turn, may review them for compliance and impose penalties for non-compliance. The audit documents are protected from disclosure or admission as evidence in civil litigation and in some administrative proceedings. 


[1] See Arizona Revised Statutes (A.R.S.) §§ 20–3301, –3302 (enacted on July 24, 2014.) 

[2] U.S. v. ISS Marine Servs., Inc., 905 F. Supp. 2d 121, 131 (D.D.C. 2012) (“For the results of an internal investigation to enjoy the attorney-client privilege, the company must clearly structure the investigation as one seeking legal advice and must ensure that attorneys themselves conduct or supervise the inquiries and, at the very least, the company must make clear to the communicating employees that the information they provide will be transmitted to attorneys for the purpose of obtaining legal advice.”).

[3] See S.E.C. v. Microtune, Inc., 258 F.R.D. 310, 318 (N.D. Tex. 2009) (“If the document would have been created without regard to whether litigation was expected to ensue, it was made in the ordinary course of business and not in anticipation of litigation.”); Klaiber v. Orzel, 714 P.2d 813, 816 (Ariz. 1986).

[4] State v. Sucharew, 66 P.3d 59, 65 (Ariz. App. 2003) (“Because the attorney-client privilege exists to protect confidential communications between the attorney and client, a client waives the privilege by disclosing the confidential communications to a third party.”); see also In re OM Securities Litigation, 226 F.R.D. 579, 592 (N.D. Ohio 2005) (audit committee waived attorney-client privilege for documents related to board presentation about internal investigation); McKesson Corp. v. Green, 597 S.E.2d 447, 451 (Ga. App. 2004) (work product protection waived when audit documents provided to SEC).

[5] See Bredice v. Doctors Hosp., Inc., 50 F.R.D. 249, 250 (D.D.C. 1970).  

[6] See, e.g., Reichhold Chemicals, Inc. v. Textron, Inc., 157 F.R.D. 522, 524 (N.D. Fla. 1994) (environmental compliance); Shipes v. BIC Corp., 154 F.R.D. 301 (M.D. Ga. 1994) (products safety compliance).

[7] Webb v. Westinghouse Elec. Corp., 81 F.R.D. 431, 433 (E.D. Pa. 1978).

[8] See Scroggins v Uniden Corp. of Am., 506 N.E.2d 83 (Ind. App. 1987) (Indiana courts only recognize statutory privileges, thus no common-law privilege for self-critical analysis exists); S. Bell Tel. & Tel. Co. v Beard, 597 So.2d 873 (Fla. App. 1992) (same).

[9] For example, in LeClere v. Mutual Trust Life Insurance Co., No. C99-0061, 2000 WL 34027973 (N.D. Iowa June 14, 2000), policyholders subpoenaed their insurer’s self-audit report.  The insurer relied on the self-evaluative privilege and declined to produce the report.  Holding that the report was not privileged, the court reasoned that “few courts have adopted this relatively novel theory of privilege” and it was not appropriate “for this voluntary internal investigation” since “[d]isclosure here will not inhibit insurance companies from assessing their anti-fraud controls.”

[10] See Jolly v. Super. Ct. of Pinal Cnty., 540 P.2d 658, 662 (Ariz. 1975); State ex rel Corbin v. Weaver, 680 P.2d 833, 840 (Ariz. App. 1984) (noting that extending the privilege “might stop . . . an investigation in the public interest at the very threshold of inquiry”). 

[11] NCOIL is “an organization of state legislators whose main area of public policy concern is insurance legislation and regulation.”  NCOIL, (last visited Aug. 18, 2014).  “Many legislators active in NCOIL chair or are members of the committees responsible for insurance legislation in their respective state houses across the country.”  NCOIL History and Purpose,  About 29 states are currently “contributing members” of NCOIL, including Arizona.  NCOIL Member States,

[12] NCOIL Model Act § 1(a) (2012).

[13] Id. § 1(g)(1). 

[14] Victoria E. Fimea, American Council of Life Insurers, Developments in Distribution Litigation and Enforcement Proceedings, SG058 ALI-ABA 273, 276 (2001). 

[15] Id.

[16] Jim Connolly, Insurers Seek Protection On Internal Audits, National Underwriter Property & Casualty, April 9, 1999 (available at 

[17] Id.

[18] 215 ILCS 5/155.35. 

[19] N.J. Stat. § 17:23C-1; N.D. Cent. Code § 26.1-51; Mich. Comp. Laws § 500.221; Or. Rev. Stat. § 731.760; D.C. Code § 31-851; Kan. Stat. § 60-3351; Tex. Ins. Code § 751.251; Haw. Rev. Stat. § 431:2D-107; Okla. Stat. § 6830.

[20] See SB 1106, 44th Leg., 1st Reg. Sess., (Ariz. 1999) (available at

[21] House Comm. on Ins. and Ret., Minutes, 51st Leg., 2d Reg. Sess., 8 (Feb. 18, 2014). 

[22] A.R.S. §§ 20–157(A), –158(E).

[23] Id. §§ 49–1407(B), 12–2327(B).

[24] Yarbrough Floor Amendment, Explanation, 51st Leg., 2d Reg. Sess., 1 (Apr. 14, 2014). 

[25] A.R.S. § 20-3302(B)(2). 

[26] See, e.g., 215 ILCS 5/155.35(b)(3), -(c)(2)(C) (regulator cannot compel disclosure of privileged documents but court may do so if insurer has not promptly taken corrective action); Kan. Stat. § 60-3352(a)(1); D.C. Code § 31-855(3).

[27] A.R.S. § 20–3301(A)(1), –(A)(2)(a). 

[28] See Chauvin v. State Farm Mut. Auto. Ins. Co., No. 10-CV-11735, 2011 WL 1810625, at *2 (E.D. Mich. May 11, 2011) (State Farm’s “Advancing Claims Excellence (ACE) file documents” not protected under Michigan’s self-evaluative privilege because the materials were created “during an internal review of State Farm's catastrophic claims handling procedures for purely business reasons”).

[29] A.R.S. § 20–3302(A)(5).

[30] Id. § 20–3301(A)(2)(b).  Audit documents must be labeled “Compliance Report: Privileged Document” to be protected.  Id. § 20–3302(A)(7). 

[31] Id. § 20–3302(A)(1).

[32] Id. § 20–3302(A)(8). 

[33] See Model Act § 1(f). 

[34] A.R.S. § 20–3302(A). 

[35] Id. § 20–3302(A)(5).

[36] Model Act § 1(b)(3); see, e.g., Kan. Stat. § 60-3351(c); Or. Rev. Stat. § 731.762(1).  But see N.J. Stat. § 17:23C-13(a) (“The department may require production of any document from an insurance carrier through timely disclosure or pursuant to compulsion of law, for its review.”).

[37] A.R.S. § 20–3302(A)(6).

[38] Model Act § 1(b)(3); see, e.g., Mich. Comp. Laws § 500.221(3); Kan. Stat. § 60-3351(c); Haw. Rev. Stat. § 431:2D-107(g)(3).

[39] N.J. Stat. § 17:23C-11(b); Or. Rev. Stat. § 731.762(3)(a).

[40] N.D. Cent. Code § 26.1-51-05(1).

[41] A.R.S. § 20–3302(A)(3), –(A)(4). 

[42] Model Act § 1(b)(3); see Lawndale Restoration Ltd. Psh'p v. Acordia of Ill., Inc., 853 N.E.2d 791, 795-98 (Ill. App. 2006) (holding that because Illinois’s statutory privilege only protects self-audit documents submitted to the DOI in connection with an examination, sending the documents to anyone, including the DOI, when not conducting an examination, waives the privilege). 

[43] A.R.S. § 20–3302(A)(3).

[44] Id. § 20–3302(A)(3)(c); see id. § 20-153 (“Records of all official transactions, examinations, investigations and proceedings of the [DOI] shall be open to public inspection pursuant to section 39-121, except as otherwise provided in this title.”).

[45] A.R.S. § 20–3302(A)(2), –(A)(3)(b).

[46] Id. § 20–3302(A)(1).

[47] Id. § 22–3302(B)(1).

[48] Id. § 20–3302(C)(1), –(4). 

[49] Id. § 20–3302(C). 

[50] Id. § 20–3302(D). 

[51] Id. § 20–3302(B)(2). 

[52] Id. § 20–3302(C)(3). 

[53] Id. 

[54] Id. § 20–3302(E). 

[55] Model Act § 1(c)(3); see, e.g., Mich. Comp. Laws § 500.221(7)(b); Kan. Stat. § 60-3352(b); Haw. Rev. Stat. § 431:2D-107(h)(3).

[56] A.R.S. § 20–3302(A)(9). 

[57] Id. § 20–3302(F). 

[58] Some believe, however, that A.R.S. § 20–157 permits the DOI to access even records arguably covered by these privileges, including the attorney-client privilege.