The Office of General Counsel issued the following opinion on June 7, 2001, representing the position of the New York State Insurance Department.
Re: Sharing of Data Processing Systems Containing Nonpublic Personal Health Information (Regulation 169).
May a group of affiliated insurers that shares employees use a common data processing system that contains nonpublic personal health information?
Yes, provided that only employees who need the information for a purpose permitted under N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17(b) (2001) (Reg. 169) have access to it and use the information solely for that purpose.
No specific facts were presented.
Section 420.17(a) of Regulation 169 prohibits a licensee from "disclos(ing) nonpublic personal health information about a consumer or a customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed." Section 420.17(b) of Regulation 169 permits disclosure by a licensee of nonpublic personal health information for certain specified insurance functions, without authorization from the consumer or customer.
This provision allows a licensee to give an employee, who is also an employee of an affiliated insurer, access to nonpublic personal health information in order to perform one of the functions enumerated in Section 420.17(b). However, the employee can only use the information in his capacity as an employee of the licensee for whom the insurance function is being performed and not for the purpose or purposes of any other licensee, including that of the affiliated insurer. This limitation should be explained to the employee and must be strictly adhered to.
Additionally, it is incumbent upon the licensee to ensure that security measures are in place to keep unauthorized employees from accessing this information.
For further information, you may contact Associate Attorney Joan Siegel at the New York City office.