The Office of General Counsel issued the following opinion on July 8, 2003, representing the position of the New York State Insurance Department.

Re: Health Insurance Portability and Accountability Act (HIPAA)
Privacy Requirements, No-Fault and Workers’ Compensation

Issue:

Do the HIPAA Privacy requirements affect No-Fault and Workers’ Compensation?

Conclusion:

Workers’ Compensation is not directly affected by the HIPAA Privacy requirements. While release of protected health information under No-Fault may be covered by the HIPAA Privacy Regulation, under existing New York requirements the transfer of health information for the purpose of payment of No-Fault claims is in compliance with such HIPAA Privacy requirements. However, in either instance, the contracts both between the ABC Firm and the entities with which it contracts to provide services to clients and those contracts with the ABC Firm’s clients might have to provide that the ABC Firm would hold protected health information confidential.

Facts:

The ABC Firm has contracted with insurers and self-insurers that provide benefits under the No-Fault program and/or the Workers’ Compensation program to assist such clients in reviewing claims by providing Insurer Medical Examinations (IME) and Diagnostic Tests, such as Magnetic Resonance Imaging. The ABC firm has contracted with physicians and clinical laboratories, as independent contractors, for the actual administration and interpretation of IMEs and diagnostic tests.

The ABC Firm receives the relevant claim material, including health information, from the insurers and self-insurers and transmits the material to the physician or laboratory. The ABC Firm then transmits reports and analyses from the physician or laboratory to the insurer or self-insurer. Based upon the information provided, it does not appear that the ABC Firm engages in activities that would require licensure as an adjuster pursuant to New York Insurance Law §2108 (McKinney 2000).

Analysis:

HIPAA, Pub. L. No. 104-191 (1996), is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with the privacy of protected health information. The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information.

The HIPAA Privacy Regulation regulates protected health information in the custody of "covered entities."

A covered entity under the Regulation, 45 C.F.R. 160.103 (2003), is defined as: (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Although an insurer that issues No-Fault or Workers’ Compensation policies may issue other types of insurance that would bring it within the definition of health plan, 45 C.F.R. § 160.103, neither type of insurance is among those that, in and of themselves, would make such an insurer a health plan under HIPAA. An insurer that offers health insurance, in addition to either Workers’ Compensation or No-Fault insurance, would, unless it opts to be a hybrid entity, 45 C.F.R. § 164.103 (2003), be a covered entity.

A health care clearinghouse is defined, 45 C.F.R. § 160.103, as:

Health care clearinghouse means a public or private entity . . . that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

A health care provider is defined, 45 C.F.R. § 160.103, as: "Health care provider means . . . a provider of medical or health services . . . and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."

Health care is defined, 45 C.F.R. § 103, as:

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

While, based upon the information provided, it appears that the ABC Firm is not a health care clearinghouse, as that term is defined in the HIPAA Privacy Regulation, and is thus not a covered entity, the entities with which the ABC Firm contracts to actually provide reports and analyses would be health care providers, as that term is defined in the HIPAA Privacy Regulation, and thus would be covered persons. In addition, the insurers may be covered entities.

Protected health information is defined in the HIPAA Privacy Regulation, 45 C.F.R. § 160.103 (2003), as: "Protected health information means individually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media . . . or (iii) Transmitted or maintained in any other form or medium."

Health information is defined, 45 C.F.R. § 160.103:

Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, . . . or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

The general rule, 45 C.F.R. §§ 164.502(a) (2003) and 164.508(a) (2003), is that authorizations are required before protected health information may be disclosed by covered entities.

However, the HIPAA Privacy Regulation, 45 C.F.R. 164.512(l) (2003), provides:

Standard: Disclosures for workers' compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

Accordingly, both the entities with which the ABC Firm contracts to provide examinations, tests, and evaluations, and the entities that provide the actual services, may disclose protected health information without the necessity of securing a HIPAA authorization.

The Comprehensive Motor Vehicle Insurance Reparations Act (No-Fault) is codified as New York Insurance Law Article 51 (McKinney 2000 and 2003 Supplement). Included within the basic economic loss to which injured persons are entitled, New York Insurance Law § 5102(a)(1) (McKinney 2000), are:

All necessary expenses incurred for: (i) medical, hospital, . . . surgical, nursing, dental, ambulance, x-ray, prescription drug and prosthetic services; (ii) psychiatric, physical and occupational therapy and rehabilitation; (iii) any non-medical remedial care and treatment rendered in accordance with a religious method of healing recognized by the laws of this state; and (iv) any other professional health services; all without limitation as to time, provided that within one year after the date of the accident causing the injury it is ascertainable that further expenses may be incurred as a result of the injury. . . .

An insurer is defined for the purposes of the No-Fault law, New York Insurance Law § 5102(g), as: "the insurance company or self-insurer, as the case may be, which provides the financial security required by article six or eight of the vehicle and traffic law."

The Regulations promulgated by this Department to effectuate the No-Fault law set forth the mandatory policy language to be used by licensed insurers and provides, inter alia, N.Y. Comp. Codes R. & Regs. tit. 11, § 65-1.1(d) (2001):

Proof of Claim. Medical, Work Loss, and Other Necessary Expenses. In the case of a claim for health service expenses, the eligible injured person or that person's assignee or representative shall submit written proof of claim to the Company, including full particulars of the nature and extent of the injuries and treatment received and contemplated, as soon as reasonably practicable but, in no event later than 45 days after the date services are rendered. . . . Upon request by the Company, the eligible injured person or that person's assignee or representative shall: (a) execute a written proof of claim under oath; (b) as may reasonably be required submit to examinations under oath by any person named by the Company and subscribe the same; (c) provide authorization that will enable the Company to obtain medical records; and (d) provide any other pertinent information that may assist the Company in determining the amount due and payable. The eligible injured person shall submit to medical examination by physicians selected by, or acceptable to, the Company, when, and as often as, the Company may reasonably require.

Claims against self-insurers are subject to the same conditions, N.Y. Comp. Codes R. & Regs. tit. 11, § 65-2.4(c) (2001), except that "self-insurer" is substituted for "Company."

The required claim form, N.Y. Comp. Codes R. & Regs. tit. 11, Appendix 13 (NF-5) (2002), provides both a release and an optional assignment:

This authorization or photocopy thereof, will authorize you to furnish all information you may have regarding my condition while under your observation or treatment, including the history obtained, X-ray and physical findings, diagnosis and prognosis. You are authorized to provide this information in accordance with the New York Comprehensive Motor Vehicle Insurance Reparations Act (No-Fault Law).

I hereby assign to the health care provider indicated below all rights privileges and remedies to payment for health care services provided by the Assignee to which I am entitled under Article 51 (the No-Fault Statute) of the Insurance Law. . . . This Agreement may be revoked by the assignee when benefits are not payable based upon the assignor’s lack of coverage and/or violation of a policy condition due to the actions or conduct of the assignor.

It is this Department’s view, subject to a contrary interpretation by the Office for Civil Rights of the Department of Health and Human Services, that the submission of a claim by a health care provider, pursuant to an assignment, to a no-fault insurer or self-insurer falls within the exception, 45 C.F.R. § 164.506 (2003), for payment operations, from the requirement in HIPAA that an authorization is required. Since the HIPAA Privacy Regulation does not purport to regulate transmittal of his or her own health information, submission of claim directly by the injured party does not implicate the HIPAA Privacy Regulation.

Self-insurers providing Workers’ Compensation or No-Fault benefits are not covered entities under the HIPAA Regulation. Accordingly, their handling of protected health information would be governed by New York Public Health Law § 18 (McKinney 2002) and other relevant enactments of the Health Department’s statutes and regulations.

There is one final matter. The HIPAA Privacy Regulation, 45 C.F.R. § 160.103, defines a business associate:

Business associate . . . means, with respect to a covered entity, a person who: (i) On behalf of such covered entity . . . other than in the capacity of a member of the workforce of such covered entity . . . performs, or assists in the performance of: (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration. . . .

In the transmission of protected health information from an ABC Firm’s client, if such client were a covered entity, the ABC Firm might be considered to be a business associate of the insurer. Further, in the transmission of reports from the ABC Firm’s contractors/covered entities to the ABC Firm’s clients, the ABC Firm might be considered to be a business associate of the contractors/covered entities.

The HIPAA Privacy Regulation provides, 45 C.F.R. § 164.502(e):

(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. . . .

(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

Section 164.504(e)(2) (2003) provides:

Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity . . . . (ii) provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware; . . . (H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary [of Health and Human Services] for purposes of determining the covered entity's compliance with this subpart . . . . (iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Accordingly, the contracts between the ABC Firm and its client, and those between the ABC Firm and its contractors, might have to be amended to delineate responsibilities to hold protected health information confidential.

Questions concerning whether the ABC Firm is a business associate should be addressed to:

Office for Civil Rights
United States Department of Health and Human Services
26 Federal Plaza
New York, NY 10278

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.