The Office of General Counsel issued the following informal opinion on August 6, 2002, representing the position of the New York State Insurance Department.
RE: N.Y. Comp. Codes R. & Regs. tit. 11, §§ 421.0-421.10 (2002) (Regulation 173) and Nonpublic Personal Health Information
Is N.Y. Comp. Codes R. & Regs. tit. 11, §§ 421.0-421.10 (2002) (Regulation 173) applicable to nonpublic personal health information pertaining to claimants who are covered under a commercial policy?
No. The safeguards in Regulation 173 apply only to customers. A claimant or beneficiary does not meet the definition of customer because there is no continuing relationship with a licensee. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(i)(2)(ii) (2001) (Regulation 169).
No facts were presented.
Section 421.0(a) of Regulation 173 provides:
This Part establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to sections 501, 505(b) and 507, codified at 15 U.S.C. 6801, 6805(b) and 6807 of the Gramm-Leach-Bliley Act. (Emphasis added).
The standards set out in Regulation 173 for safeguarding nonpublic personal information pertain only to customer information. The term "customer" is defined in Section 421.1(a) as having the meaning set forth in Section 420.3(h) of Regulation 169. Section 420.3(h) defines a customer as "a consumer who has a continuing relationship with a licensee." Section 420.3(i) provides examples of when there is a continuing relationship and when there is no continuing relationship. Among the examples of no continuing relationship in Section 420.3(i)(2) is clause (ii), "the consumer is a beneficiary or claimant under a policy." Accordingly, a claimant or beneficiary is not a customer and, thus, Regulation 173 does not apply to a claimant's or beneficiary's nonpublic personal information.
For further information you may contact Supervising Attorney Joan Siegel at the New York City Office.