The Office of General Counsel issued the following opinion on May 28, 2003, representing the position of the New York State Insurance Department.

Re: No-Fault Insurance,
Transfer of Health Information from Hospital to Insurer.
Privacy Requirements

Issue

Is the transfer of health information by a hospital to insurers and self-insurers seeking to secure benefits provided under the No-Fault Law subject to regulation under the New York Insurance Law (McKinney 2000 and 2003 Supplement)?

Conclusion

Yes, the New York Insurance Law regulates such transfers.

Facts

Since this was a general inquiry, no facts were furnished.

Analysis

The Comprehensive Motor Vehicle Insurance Reparations Act (No-Fault) is codified as New York Insurance Law Article 51 (McKinney 2000 and Supp. 2003). Included within the basic economic loss to which injured persons are entitled, New York Insurance Law § 5102(a)(1) (McKinney 2000), are:

All necessary expenses incurred for: (i) medical, hospital, . . . surgical, nursing, dental, ambulance, x-ray, prescription drug and prosthetic services; (ii) psychiatric, physical and occupational therapy and rehabilitation; (iii) any non-medical remedial care and treatment rendered in accordance with a religious method of healing recognized by the laws of this state; and (iv) any other professional health services; all without limitation as to time, provided that within one year after the date of the accident causing the injury it is ascertainable that further expenses may be incurred as a result of the injury. . . .

An insurer is defined for the purposes of the No-Fault law, New York Insurance Law § 5102(g):

‘Insurer’ means the insurance company or self-insurer, as the case may be, which provides the financial security required by article six or eight of the vehicle and traffic law.

The Regulations promulgated by this Department to effectuate the No-Fault law sets forth the mandatory policy language to be used by licensed insurers and provides, inter alia, N.Y. Comp. Codes R. & Regs. tit. 11, § 65-1.1(d) (2001):

Proof of Claim; Medical, Work Loss, and Other Necessary Expenses. In the case of a claim for health service expenses, the eligible injured person or that person's assignee or representative shall submit written proof of claim to the Company, including full particulars of the nature and extent of the injuries and treatment received and contemplated, as soon as reasonably practicable but, in no event later than 45 days after the date services are rendered. . . . Upon request by the Company, the eligible injured person or that person's assignee or representative shall: (a) execute a written proof of claim under oath; (b) as may reasonably be required submit to examinations under oath by any person named by the Company and subscribe the same; (c) provide authorization that will enable the Company to obtain medical records; and (d) provide any other pertinent information that may assist the Company in determining the amount due and payable. The eligible injured person shall submit to medical examination by physicians selected by, or acceptable to, the Company, when, and as often as, the Company may reasonably require.

Arbitration. In the event any person making a claim for first-party benefits and the Company do not agree regarding any matter relating to the claim, such person shall have the option of submitting such disagreement to arbitration pursuant to procedures promulgated or approved by the Superintendent of Insurance.

Claims against self-insurers are subject to the same conditions, N.Y. Comp. Codes R. & Regs. tit. 11,
§ 65-2.4(c) (2001), except that "self-insurer" is substituted for "Company" and the arbitration clause specifically references the arbitration portions of the Regulations.

In accordance with New York Insurance Law § 5106 (McKinney 2000) and N.Y. Comp Codes R. & Regs. tit. 11, Part 65-4 (2001), health care providers, inter alia, may request arbitration of disputes with insurance companies and self-insurers.

The required claim form, N.Y. Comp. Codes R. & Regs. tit. 11, Appendix 13 (NF-5) (2002), provides both a release and an optional assignment:

This authorization or photocopy thereof, will authorize you to furnish all information you may have regarding my condition while under your observation or treatment, including the history obtained, X-ray and physical findings, diagnosis and prognosis. You are authorized to provide this information in accordance with the New York Comprehensive Motor Vehicle Insurance Reparations Act (No-Fault Law).

I hereby assign to the health care provider indicated below all rights privileges and remedies to payment for health care services provided by the Assignee to which I am entitled under Article 51 (the No-Fault Statute) of the Insurance Law. . . . This Agreement may be revoked by the assignee when benefits are not payable based upon the assignor’s lack of coverage and/or violation of a policy condition due to the actions or conduct of the assignor.

The Denial of Claim Form, N.Y. Comp. Codes R. Regs. tit. 11, Appendix 13 (NF-10) (2002) includes a provision whereby the claimant or assignee may request arbitration of the claim. This form does not contain any additional authorizations for release of health information.

No-Fault insurers and self-insurers who receive health information from a hospital, may become aware that the injured party is HIV positive, is undergoing or has undergone treatment for a mental health condition, or is undergoing or has undergone treatment for substance abuse. New York Public Health Law § 2782(1)(i) and (j) (McKinney 2002) regulates disclosure of HIV information to insurers and insurance institutions. New York Mental Hygiene Law § 33.16 (McKinney 2002 and 2003 Supplement) regulates disclosure of information on clinical records relating to mental health treatment. In addition, 42 U.S.C.A. § 290dd-2 (West 1991 and 2002 Supplement) regulates confidentiality of substance abuse treatment records.

Additionally, in accordance with New York Public Health Law Article 28 (McKinney 2002 and 2003 Supplement), the Health Department is the primary state regulator of hospitals. New York Public Health Law § 18(6) (McKinney 2002) requires authorizations before health care providers, including hospitals, may release medical information to third parties. In addition, disclosures of protected health information may be subject to the Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191 (1996).

HIPAA, Pub. L. No. 104-191 (1996), is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with privacy of protected health information. The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information.

Protected health information is defined in the HIPAA Privacy Regulation, 45 C.F.R. § 160.103 (2003):

Protected health information means individually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media . . . or (iii) Transmitted or maintained in any other form or medium.

Health information is defined, 45 C.F.R. § 160.103:

Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, . . . or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

The general rule, 45 C.F.R. §§ 164.502(a) (2003) and 164.508(a) (2003), is that authorizations are required before protected health information may be disclosed. Unlike workers’ compensation, where it is specifically provided that consent or authorization is not required for disclosure of protected health information, 45 C.F.R. § 164.512(l) (2002), there are no special provisions for no-fault in the HIPAA Privacy Regulation.

The inquirer stated that the "required by law" exception might be applicable. That term is presently defined, 45 C.F.R. §160.103 (2003):

Required by law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.

This provision would not be applicable to the transfer of protected health information to secure benefits under the No-Fault law. Accordingly, the general requirements of the HIPAA Privacy Regulation would apply.

It is this Department’s view, subject to a contrary interpretation by the Office for Civil Rights of the Department of Health and Human Services, that both the submission of a claim by a hospital to a no-fault insurer or self-insurer and participation in arbitration to secure payment after a claim denial fall within the exception, 45 C.F.R. § 164.506 (2003), for payment operations, from the requirement in HIPAA that an authorization is required. It is further this Department’s understanding that the authorization contained in the No-fault forms complies with the requirements of Public Health Law § 18(6).

This Department has already notified through Circular Letter No. 17 of 2002 (October 17, 2002) all insurers of their obligation to be in compliance with HIPAA.

As required by Title V of the Gramm-Leach Bliley Act, 15 U.S.C. § 6801 et seq. (West 1999), this Department has promulgated a regulation relating to Privacy of Consumer Financial and Health Information. N.Y. Comp. Codes R & Regs. tit. 11, Part 420 (2001). While that Regulation has specific provisions regarding health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 through 420.20, compliance by a licensee with the HIPAA Privacy Regulation obviates the necessity to comply with the health information portions of this Department’s Privacy Regulation. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21.

Self-insurers providing no-fault benefits are neither covered entities under the HIPAA Regulation, nor licensees under our Privacy Regulation. Accordingly, their handling of protected health information would be governed by New York Public Health Law § 18 and other relevant enactments of the Health Department’s statutes and regulations.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.