The Office of General Counsel issued the following opinion on March 8, 2002, representing the position of the New York State Insurance Department.
Re: N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 (2001) (Reg. 169).
1. With respect to an insured experience rated group account, may a licensee provide to the group policyholder a report that lists each claim paid, identifies the individual claimant, and provides information about each claim, including the amount paid, the date of service, the type of service, the name of the provider and the diagnosis and procedure codes?
2. With respect to an exempt ERISA plan administered by the licensee, may the licensee provide to the plan provider a report that lists each claim paid, identifies the individual claimant, and provides information about each claim, including the amount paid, the date of service, the type of service, the name of the provider and the diagnosis and procedure codes?
1. The above-described activity does not fall within one of the exceptions contained in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) (Reg. 169). Consequently, the report can not be provided to the group policyholder unless each claimant whose nonpublic personal health information is being disclosed provides authorization.
2. The above-described activity does not fall within one of the exceptions contained in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) (Reg. 169). Consequently, the report can not be provided to the plan provider unless each claimant whose nonpublic personal health information is being disclosed provides authorization.
The inquirers client is an authorized insurer. In addition to processing claims for its own insurance business, it also processes claims for exempt ERISA benefit plans. The company prepares certain reports that it provides to the group policyholder or to the plan provider. These reports contain identifying information, including the amount paid for the service, the date of service, the type of service, the name of the provider and the diagnosis and procedure codes.
Preliminarily, this response assumes that the inquirers client is also licensed as an independent adjuster for the purpose of adjusting claims on behalf of exempt ERISA benefit plans. This Department has previously opined that, if the activities performed by a licensed insurer on behalf of an exempt ERISA benefit plan come within the definition of "independent adjuster", the authorized insurer must also be licensed as an independent adjuster. N.Y. Ins Law §§ 2101(g)(1), 2108 (McKinney 2000).1
Although the group policyholder or the plan provider, whether it be an experience-rated group account or an exempt ERISA benefit plan, may be interested in receiving this report; the information contained therein is "nonpublic personal health information" and must be treated in accordance with the requirements of the regulation. The term "health information" is defined in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(n) (2001) (Reg. 169) as:
(n) Health information means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(1) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
(2) the provision of health care to an individual; or
(3) payment for the provision of health care to any individual.
The term "nonpublic personal health information" is defined in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2001) (Reg. 169) as meaning health information:
(1) That identifies an individual who is the subject of the information; or
(2) With respect to which there is a reasonable basis to believe that the information could be sued to identify an individual.
Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2001) (Reg. 169), a licensee may not disclose nonpublic personal health information about a consumer or a customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is being disclosed. However, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) (Reg. 169) contains exceptions for certain insurance functions when performed by or on behalf of the licensee. That section provides:
Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers' compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the Federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the superintendent to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.
The inquirers letter listed five of the functions described in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) (Reg. 169): "claims administration", "claims management", "policyholder service functions", "auditing", and "reporting" and noted that these functions were not defined. We are assuming that these are the functions that the inquirer believes come closest to being applicable to providing the reports. The Department, in interpreting the regulation, analyzes the function described and, in the context of the statutory and regulatory intent, applies the everyday meaning of the terms to the activity described.
Providing this report to the group policyholder or plan provider is neither claims administration nor claims adjustment. The report is not a component of either of these two functions. In fact, the report is not compiled until after the claim is paid. Nor does providing these reports come within the everyday usage of the terms "auditing" and "reporting". An adjuster is not audited by the insureds whose claims are being settled nor is an adjuster required to report to those insureds, as those terms are commonly used and understood. The phrase "policyholder service functions" is understood to mean activities that are performed by or on behalf of the insurer that are necessary for ensuring that the policyholders benefits and other rights under the policy are satisfied.
Accordingly, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) (Reg. 169), does not allow the insurer to provide claimants non-public personal health information to the group policyholder or plan provider without the claimants authorization to do so.
For further information, you may contact Supervising Attorney Joan Siegel at the New York City office.
1A licensee that is providing services to an exempt ERISA benefit plan or a group self insurance trust (both of which are not subject to Reg. 169) in a capacity that does not require licensing, is itself not subject to the requirements of Reg. 169, so long as the nonpublic personal information is obtained in a manner and for a purpose that does not require licensing. OGC opinion letter to Lydia Meunier dated November 26, 2001, copy attached