The Office of General Counsel issued the following informal opinion on August 14, 2001, representing the position of the New York State Insurance Department.
Re: Medical Authorization and Release
Is an Authorization and Release that would, inter alia, allow an insurer to release information to government authorities when necessary to prevent or prosecute insurance fraud and to medical researchers in violation of applicable statutes and regulations?
No, there is no violation. However, there is no requirement under the Insurance Law that a client must sign an Authorization and Release.
The inquirers client applied for an individual insurance policy providing income in case of disability to the ABC Life Insurance Company, which was subsequently merged into XYZ Mutual Life Insurance Company and then restructured as the ABC-XYZ Life Insurance Company (Insurer). Shortly after receiving the policy, the client became disabled within the terms of the policy and made application for benefits to Insurer.
Insurer paid benefits for 11 years and then discontinued payment of benefits. While there was initially some question as to whether the client was disabled, Insurer subsequently agreed that the client was entitled to benefits. Insurer, however, refused to continue to pay benefits because the client refused to execute an "Authorization to Obtain and Disclose Information". After consultation with the inquirer, the insured executed the document after redacting the cited clause, which authorized Insurer to release information to: "Governmental authorities when necessary to prevent or prosecute fraud or other illegal activities, to any person conducting medical or statistical studies".
After extensive correspondence, Insurer, through its claims administrator, released 12 months of benefit payments and has continued to make payments to the client, all under a reservation of rights. By letter of November 30, 2000 to this Departments Consumer Services Bureau, the inquirer requested an opinion as to whether the above portion of the "Authorization" is, overreaching. By letter of December 21, 2000, counsel for Administrator indicated to the Consumer Services Bureau why it believes the language of the "Authorization" is appropriate.
New York Insurance Law § 405(a) provides, in pertinent part:
Any person licensed pursuant to the provisions of this chapter who has reason to believe that an insurance transaction may be fraudulent, or has knowledge that a fraudulent insurance transaction is about to take place, or has taken place shall, within thirty days after determination by such person that the transaction appears to be fraudulent, send to the insurance frauds bureau on a form prescribed by the superintendent, the information requested by the form and such additional information relative to the factual circumstances of the transaction and the parties involved as the superintendent may require.
Therefore, Insurer, either directly or through Administrator, is obligated to report suspected insurance fraud to this Department.
This Department has promulgated a Regulation, N.Y. Comp. R. & Regs. tit. 11, § 420 et seq. (2001), governing privacy of nonpublic personal information. The Regulation, N.Y. Comp. R. & Regs, tit. 11, § 420.3(r), defines "nonpublic personal information" as "nonpublic personal financial information and nonpublic personal health information". The Regulation, N.Y. Comp. R. & Regs. tit. 11, § 420.3 (t), further defines "nonpublic personal health information" as:
Health information: (1) that identifies an individual who is the subject of the information: or (2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
It is surmised that the information about which the client is concerned falls within the definition of nonpublic personal health information. The Privacy Regulation, N.Y. Comp. R. & Regs. tit. 11,
§ 420.17, provides, in pertinent part, and will require after December 31, 2001:
(a) a licensee shall not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer ... whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity .
The United States Department of Health & Human Services, in accordance with the requirements of the Health Insurance Portability & Accountability Act (HIPAA), Pub. L. No. 104-191 § 262, has also promulgated a regulation dealing with privacy of health information. The regulation took effect in April 2001 and will impose its restrictions beginning in April 2003.
"Individually identifiable health information" is defined in the federal regulation, 45 C.F.R.
§ 164.501 (2001) as:
information that is a subset of health information, including demographic information collected from an individual, and: 1) is created or received by a health care provider and (2) relates to the past, present, or future physical or mental health of an individual and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The federal regulation further provides, 45 C.F.R. § 164.512 (2001):
A covered entity [which would include Insurer] may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
There is, at present, no requirement that an insurer secure permission from an insured in order to make a report to this Department of suspected insurance fraud. Nor will the state or federal privacy regulations, when they become operative, impose such a requirement. Therefore, while Insurer, as a courtesy, desires to secure the clients permission, it is not required to do so. Accordingly, this Department has no objection to the first clause with which the client takes issue.
As to the second "objectionable" clause, there is protection under the applicable privacy regulations for information that could lead to identification of individuals. Release of only aggregate and non-personally identifiable information concerning medical conditions and treatments of which it has been made aware would not be protected information under either the state or federal privacy regulation.
For further information, you may contact Principal Attorney Alan Rachlin at the New York City office.