STATE OF NEW YORK
INSURANCE DEPARTMENT
25 BEAVER STREET
NEW YORK, NEW YORK 10004

George E. Pataki
Governor

Gregory V. Serio
Superintendent

The Office of General Counsel issued the following opinion on June 10, 2003, representing the position of the New York State Insurance Department.

RE: Insurance Agency’s Obligation to Provide Privacy Notices to Consumers and Customers (Regulation 169).

Question Presented:

Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169), is an independent insurance agency required to provide its own separate privacy notices to consumers and customers?

Conclusion:

An independent insurance agency must comply with the notice and opt out requirements of the regulation, prior to disclosing nonpublic personal financial information, unless it meets the conditions contained in Section 420.3(p)(2). With respect to nonpublic personal health information, the agency must provide the requisite opt-in authorization prior to disclosure, unless one of the exceptions contained in Section 420.17(b) applies or the agency is in compliance with the Health Insurance Portability and Accountability Act ("HIPAA").

Facts:

Insurance Agency A is an operating subsidiary of ABC, Inc., a national bank. Agency A is an independent insurance agency and has a relationship with several different insurance companies. Licensed agents of Agency A are sponsored by insurers to take applications on their behalf. The insurer may then choose to underwrite insurance policies based upon these applications. The inquirer would like to know whether an insurance agency is required to provide its own separate privacy notices to prospective insureds that apply for insurance through the insurance agency, but do not purchase insurance. The inquirer would also like to know whether such insurance agency is required to provide annual privacy notices to those who purchase insurance.

Analysis:

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.1(a) (2001) (Regulation 169) provides as follows:

(a) Purpose. This Part governs the treatment of nonpublic personal information about individuals (defined in this part as consumers or customers) in this State by all licensees of the Insurance Department. This Part:

(1) Requires a licensee to provide notice to individuals about its privacy policies and practices;

(2) Describes the conditions under which a licensee may disclose nonpublic personal health information and nonpublic personal financial information about individuals to nonaffiliated third parties;

(3) Provides methods for individuals to prevent a licensee from disclosing that information; and

(4) Provides a method for individuals to prevent a licensee from disclosing nonpublic personal health information by not affirmatively consenting to such disclosure, subject to the exceptions in section 420.17(b) of this Part. (emphasis added)

Section 420.3(p)(1) defines the term "licensee" as follows:

(p)(1) [A] person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; a health maintenance organization holding, or required to hold, a certificate of authority pursuant to Article 44 of the Public Health Law; or an unauthorized insurer in regard to the excess line business conducted pursuant to section 2118 of the Insurance Law and Part 27 of this Title (Regulation 41); but shall not include a registered service contract provider, charitable annuity society, or a licensed viatical settlement company or viatical settlement broker. (emphasis added)

Independent insurance agencies come within the definition of "licensee" in Section 420.3(p)(1). However, Section 420.3(p)(2) provides an exemption for certain licensees, including insurance agents, if certain conditions are met. That section provides, in relevant part, as follows:

(2)(i) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in section 420.4 through 420.9 of this Part if the licensee is an employee, agent, sublicensee, or other representative of another licensee ("the principal") and:

(a) The principal otherwise complies with, and provides the notices required by, the provisions of this Part; and

(b) The licensee does not disclose any nonpublic personal information of a consumer or customer to any person other than the principal from or through which such consumer or customer seeks to obtain or has obtained a product or service, or its affiliates in a manner permitted by this Part.

(ii) Examples of employee, agent or other representative of a principal: . . .

(c) An insurance agent of an insurer . . .

Thus, where the insurance agency is a representative of the insurer, the agent does not disclose any nonpublic personal financial information other than to the insurer, and the insurer complies with the notice provisions of the regulation, the agency would not have to send its own separate privacy notices to consumers and customers. Conversely, if the insurance agency does not meet the above conditions, it would have to comply with the notice and opt out requirements of the regulation.

With respect to the disclosure of nonpublic personal health information, Section 420.17(a) provides that:

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

Section 420.17(b) contains exceptions to this authorization requirement. Section 420.21 provides an exemption for licensees who comply with all the requirements of the federal HIPAA, Pub. L. No. 104-191 (1996) privacy rules and regulations, as promulgated by the U.S. Department of Health and Human Services. See 45 C.F.R. § 160.101 et seq.

Accordingly, an insurance agency that does not meet the conditions contained in Section 420.3(p)(2) must comply with the notice and opt out requirements prior to the disclosure of nonpublic personal financial information. Additionally, the agency must provide the requisite opt-in authorization before disclosing nonpublic personal health information, unless one of the exceptions contained in Section 420.17(b) applies or the agency is in compliance with HIPAA.

For further information you may contact Senior Attorney Pascale Joasil at the New York City Office.