The Office of General Counsel issued the following informal opinion on June 5, 2002, representing the position of the New York State Insurance Department.

Re: Group Policyholders and N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0-420.24 (2001) (Regulation 169)

Questions Presented:

1. Do the requirements of Regulation 169 apply to a licensee when it performs only administrative services ("ASO") for a self-insurer?

2. What is a licensee’s privacy notification obligation to the certificateholder under a group policy, if the licensee issues a privacy notice to the group policyholder and does not disclose nonpublic personal information, except as permitted by Sections 420.13, 420.14, 420.15 and 420.17(b) of Regulation 169?

3. When the nonpublic personal information consists of both nonpublic personal health information and nonpublic personal financial information, which provisions of Regulation 169 are applicable?

4. In a group situation, may the licensee provide a monthly claims report that contains nonpublic personal health information about a certificateholder to the group policyholder without obtaining the certificateholder’s authorization for disclosure of his/her nonpublic personal health information?

5. May an insurer, in order to provide the group policyholder with the claims report, enter into an agreement with a group policyholder whereby the group policyholder will perform one or more of the functions set forth in Section 420.17 on the insurer’s behalf and agree not to further disclose the information?

6. Is an insurer’s wholly owned health maintenance organization (HMO) subsidiary an affiliate under Regulation 169?

7. May an insurer disclose information requested by a collection agency or billing agent retained by a health care provider?

Conclusions:

1. No. A licensee that provides only administrative services to a self-insurer is not subject to the requirements of Regulation 169, provided that the licensee obtained the nonpublic personal information in a manner and for a purpose that does not require licensing by the Department.

2. As more fully explained below, with respect to nonpublic personal financial information a licensee’s notice obligation to a certificateholder is governed by Section 420.3(e)(2)(v) and (vi) of Regulation 169. With respect to nonpublic personal health information, authorization must be obtained from the certificateholder before any disclosure, other than as permitted by Section 420.17(b).

3. Where the identifying information appears on a record that comes within the definition of "health information", as that term is defined in Section 420.3(n) of Regulation 169, it must be treated as "nonpublic personal health information," as that term is defined in Section 420.3(t).

4. No. The above-described activity does not fall within one of the exceptions contained in Regulation 169. Consequently, the information may not be provided to the group policyholder unless each claimant whose nonpublic personal health information is being disclosed provides authorization.

5. No. This would violate the intent of the regulation, which is to protect an individual's nonpublic personal health information.

6. The term "affiliate" is defined in Section 420.3(a) of Regulation 169. The term "control" is defined in Section 420.3(g). Under these definitions the insurer and its wholly owned HMO subsidiary are affiliates.

7. Disclosure to a collection or billing agent retained by a health care provider should be treated as any other disclosure to a non-affiliated third party.

Facts:

An insurer (the "Insurer") is licensed to do business in New York pursuant to N.Y. Ins. Law § 4302 (McKinney 2000). It provides group health insurance, including medical/surgical, hospital and dental insurance, predominantly to local, city and state municipalities, as well as to commercial groups. It also provides ASO to "self-insured groups" and others that it does not insure.[1]

Analysis:

Question 1:

The term "licensee" is defined in Section 420.3(p)(1) of Regulation 169 as:

[A] person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; a health maintenance organization holding, or required to hold, a certificate of authority pursuant to Article 44 of the Public Health Law; or an unauthorized insurer in regard to the excess line business conducted pursuant to section 2118 of the Insurance Law and Part 27 of this Title (Regulation 41); but shall not include a registered service contract provider, or a licensed viatical settlement company or viatical settlement broker.

Assuming that the insurer obtained the nonpublic personal information in a manner and for a purpose that does not require licensing as an Article 43 corporation, it would not be treated as a licensee, as that term is defined in Section 420.3(p) and, consequently, would not be subject to the requirements of Regulation 169 with respect to its ASO activities.

Question 2:

Sections 420.3(e)(2)(v) and (vi) provide:

(v) Provided that the licensee provides the initial, annual and revised notices under sections 420.4, 420.5 and 420.8 of this Part to the plan sponsor, workers' compensation plan participant, group or blanket insurance policyholder or group annuity contract holder, and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under section 420.13, 420.14 or 420.15 of this Part, an individual is not the licensee's consumer solely because he or she is:

(a) a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary;

(b) covered under a group or blanket insurance or group annuity contract issued by the licensee; or

(c) a beneficiary in a workers' compensation plan.

* * *

(vi)(a) The individuals described in clauses (v)(a), (b) and (c) of this paragraph are consumers of a licensee if the licensee does not meet all the conditions of subparagraph (v) of this paragraph.

(b) In no event shall the individuals, solely by virtue of the status described in clause (v)(a), (b) or (c) of this paragraph, be deemed to be customers for purposes of this Part.

Accordingly, with respect to nonpublic personal financial information, provided that the insurer does not disclose to nonaffiliated third parties other than pursuant to one of the exceptions in Sections 420.13, 420.14 or 420.15, it has to provide only the initial, annual and revised notices to the group policyholder. With respect to nonpublic personal health information, unless one of the exceptions in Section 420.17(b) is applicable, the insurer must obtain an authorization from the consumer or customer before disclosing that individual's nonpublic personal health information.

Question 3:

The term "health information" is defined in Section 420.3(n) of Regulation 169 as meaning:

[A]ny information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:

(1) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;

(2) the provision of health care to any individual; or

(3) payment for the provision of health care to any individual.

The term "nonpublic personal health information" is defined in Section 420.3(t) of Regulation 169 as meaning health information:

(1) that identifies an individual who is the subject of the information; or

(2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

In accordance with the above, if the identifying information is part of a record that comes under the definition of "health information," it must be treated as "nonpublic personal health information" for the purpose of applying Regulation 169 to its disclosure.

Question 4:

The claims report would contain the following information: patient name, relationship code, certificate number, claim number, payee code, procedure code or type of service, date of service, provider’s submitted charge, reimbursement check number, amount applied to co-pay, deductible and/or coinsurance, amount paid, denial code and whether the service was in or out of network. As discussed in the response to question 3, this report would be treated as "nonpublic personal health information." Section 420.17(b) contains the exceptions to the requirement that before nonpublic personal health information can be disclosed, authorization must be obtained from the consumer or customer. It provides:

(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers' compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the Federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the superintendent to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

In a recent opinion letter, under very similar facts, the Department was asked whether release of a claims report would come under any of the Section 420.17(b) exceptions. In the context of the statutory and regulatory intent, this Office applied the everyday meaning of the terms used in Section 420.17(b) to the activity described and concluded that providing a claims report to the group policyholder is not a component of any of the five functions specifically cited by the requesting party.[2] See OGC opinion letter number 02-03-09, entitled N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 (2001) (Reg. 169), dated March 8, 2002. Although the policyholder may be interested in receiving this information, the "nonpublic personal health information" contained therein must be treated in accordance with the requirements of Regulation 169. Accordingly, the claims report may not be provided to the group policyholder unless each claimant whose nonpublic personal health information is being disclosed provides authorization.

Question 5:

It is suggested that in order to be able to release the claims report to the group policyholder, the group policyholder and the insurer can enter into an agreement to have the group policyholder perform one of the functions enumerated in Section 420.17 on the insurer’s behalf. The insurer would then provide the group policyholder with the claims report, if the group policyholder promised not to further disclose the information.

As stated in the Preamble to Regulation 169, Title V of the Gramm-Leach-Bliley Act ("GLBA") (15 U.S.C. § 6801 et seq.) requires financial institutions, including insurers, to protect the privacy of consumers and customers. Title V of GLBA requires that state insurance authorities establish appropriate consumer privacy standards for insurance providers. The extensive limits on disclosure and redisclosure support the interpretation that Regulation 169 contemplates that any disclosure under an exception will be as narrow as possible and only to the extent needed to allow the performance of that function. It was never intended that an agreement to perform a specified function under Section 420.17 would be used as a pretext for disclosing nonpublic personal health information that could not otherwise be disclosed.

Question 6:

The term "affiliate" is defined in Section 420.3(a) as "any company that controls, is controlled by, or is under common control with another company." The term "control" is defined in Section 420.3(g) as:

(1) ownership, control or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the superintendent determines.

The insurer owns 100% of the HMO. It thereby meets the definition of "control" and, accordingly, the HMO and the insurer are affiliates.

Question 7:

There is no separate exception for disclosure of nonpublic personal information to collection agencies and/or billing agents. Thus, the exceptions that are applicable with respect to the disclosure of nonpublic personal financial information and nonpublic personal health information are applicable in this instance. The amount owed the provider by the patient is a separate obligation between those two parties and, as such, is not part of the insurer's claims administration function.[3] Accordingly, a licensee may not provide nonpublic personal information about an insured to a collection or billing agent retained by a health care provider without the appropriate authorization from the insured.

The above opinion is informal and not binding on any court. For further information you may contact Supervising Attorney Joan Siegel at the New York City Office.

[1] It is unclear whether the term "self-insured groups" refers to an exempt insurer, such as an employer that is exempt from doing an insurance business under ERISA, or a true self-insurance situation such as an employer providing workers' compensation and statutory disability coverage.

[2] Those functions were "claims administration," "claims management," "policyholder service functions," "auditing" and "reporting."

[3] In the case of a non-participating provider, the contractual obligation is between the insurer and the patient; the insurer has no obligation to the provider. The amount owed the provider is strictly the obligation of the patient/insured. In the case of a participating provider, the insurer would have paid the provider directly, and any remainder owed the provider, such as the co-payment, is strictly the obligation of the patient.