The Office of General Counsel issued the following informal opinion on July 1, 2002, representing the position of the New York State Insurance Department.
Re: N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17(b) Exceptions (Reg. 169)
When an agent or broker shares loss run information with other agents, brokers or insurers for the purpose of shopping policies to get a better price for the insured, do any of the N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17(b) (2001) (Regulation 169) exceptions to the authorization requirement for disclosure of nonpublic personal health information apply?
Upon issuance of the initial policy, the "policy placement or issuance" exception under § 420.17(b) would apply. However, upon renewal of the policy, the "policy placement or issuance" exception would apply only when the insured requests that the agent or broker shop the policy.
No additional facts relating to this inquiry were given.
N.Y. Comp. Codes R. & Reg. tit. 11, § § 420.0- 420.24 (2001) (Regulation 169) governs the treatment of nonpublic personal information concerning individuals (defined as consumers or customers) in New York by all licensees of the Insurance Department.
With respect to authorization for disclosure of nonpublic personal health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2001) governs, which requires a licensee to obtain an authorization from a consumer or customer before disclosing such individuals nonpublic personal health information, unless an exception contained in § 420.17(b) applies.
The term "health information" is defined in § 420.3(n) as:
(n) Health information means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:
(1) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
(2) the provision of health care to an individual; or
(3) payment for the provision of health care to any individual.
The term "nonpublic personal health information" is defined in § 420.3(t) (2001) (Reg. 169) as meaning health information:
(1) That identifies an individual who is the subject of the information; or
(2) With respect to which there is a reasonable basis to believe that the information could be sued to identify an individual.
Pursuant to § 420.17(a), a licensee may not disclose nonpublic personal health information about a consumer or a customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is being disclosed. However, § 420.17(b) contains exceptions for certain insurance functions when performed by or on behalf of the licensee. That section provides:
Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan or workers' compensation policy or program; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the Federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods to enforce the licensee's rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the superintendent to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers (emphasis added).
When an agent or broker shares loss run information with other agents, brokers or insurers for the purpose of shopping policies for initial placement, an authorization from the insured is not required for the disclosure of nonpublic personal health information pursuant to the exception listed in § 420.17(b) for "policy placement or issuance." However, upon renewal, the agent or broker could shop the policy pursuant to the same exception, when requested by the insured. If the insured has not requested that the agent or broker shop the policy, the disclosure does not fall under any exceptions, and the insureds authorization is required.
In addition, an insureds health information contained in the loss run may not be shared with another insured or member of a group plan for any purpose, outside of the exceptions listed in § 420.17(b), and thus such sharing would require authorization from the insured.
For further information, you may contact Senior Attorney Meredith S. Kaufer at the New York City Office.