The Office of General Counsel issued the following opinion on December 29, 2004 representing the position of the New York State Insurance Department.
Re: Health Insurance, Claims History
If, after a group becomes "experience" rated, is an insurer obligated to furnish claims history for a formerly "community rated" group?
An insurer is not obligated to retain claims history for a group that is part of a larger community pool in a format that will allow retrieval of that groups own history.
A firm, which is licensed, among other licenses, as an insurance agent in accordance with New York Insurance Law § 2103(a) (McKinney 2000 and 2005 Supplement) has a client that heretofore was community rated in accordance with the New York Insurance Law (McKinney 2000 and 2005 Supplement). As of January 1, 2005, because of an increase of the number in the group, the insurer will issue the client an experience rated policy.
The client has been furnished by the insurer with certain aggregate claims data that has been filed with the Insurance Department in accordance with New York Insurance Law § 308(b) and does not believe that such data adequately allows it to evaluate the insurers rate quotation.
New York Insurance Law § 3231(a) (McKinney 2000 and 2004 Supplement), regulating policies of commercial insurers, provides:
No . . . group health insurance policy covering between two and fifty employees or members of the group exclusive of spouses and dependents, hereinafter referred to as a small group, providing hospital and/or medical benefits . . . shall be issued in this state unless such policy is community rated and, notwithstanding any other provisions of law, the underwriting of such policy involves no more than the imposition of a pre-existing condition limitation as permitted by this article. Any . . . small group, including all employees or group members and dependents of employees or members, applying for . . . group health insurance coverage . . . must be accepted at all times throughout the year for any hospital and/or medical coverage offered by the insurer to . . . small groups in this state. Once accepted for coverage, . . . small group cannot be terminated by the insurer due to claims experience. Termination of an individual or small group shall be based only on one or more of the reasons set forth in subsection (g) of section three thousand two hundred sixteen or subsection (p) of section three thousand two hundred twenty-one of this article. . . . . For the purposes of this section, community rated means a rating methodology in which the premium for all persons covered by a policy or contract form is the same based on the experience of the entire pool of risks covered by that policy or contract form without regard to age, sex, health status or occupation.
New York Insurance Law § 4317(a) (McKinney 2000 and 2005 Supplement), regulating contracts of not-for-profit insurers and all Health Maintenance Organizations, has an identical requirement.
There is no statutory requirement that an insurer maintain statistics on a particular community rated group. Accordingly, given that the clients experience was merged with that of other small groups in the calculation of premium rates, it is possible that the insurer did not maintain claims history on the client in a format that that will allow retrieval of that groups own history. However, the insurer should be able to provide a justification of its proposed rate to a prospective experience rated insured.
The amount of information that an insurer may furnish concerning its experience under health insurance policies is governed by both Federal and New York law and regulation. In accordance with the Health Insurance Portability and Accountability Act (HIPAA), Pub. Law No. 104-191 (1996), the Secretary of Health and Human Services (HHS) was required to establish a Privacy Rule. In accordance with the Financial Modernization Act (Gramm-Leach-Bliley), Pub. Law No. 106-102 (1999), states were required to promulgate privacy rules for financial institutions, including insurers, under their jurisdiction.
The Privacy Rule established by HHS imposes requirements on "covered entities", which term has been defined, 45 C.F.R. § 160.103 (2002), to include health insurers. The HIPAA Privacy Rule generally requires, 45 C.F.R. § 164.502 (2002), that protected health information may not be disclosed without an authorization. Protected health information is individually identifiable health information, which is defined, 45 C.F.R. § 160.103:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The HIPAA Privacy Rule, 45 C.F.R. § 164.514(a) (2002), also provides:
Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
The HIPAA Privacy Rule further provides, 45 C.F.R. § 160.203 (2002), that state laws regarding health information privacy are preempted, unless they are more protective of protected health information.
Regulation 169, N.Y. Comp. Codes R. & Regs,. Tit. 11, Part 420 (2001), promulgated in compliance with the Congressional mandate of 1999, regulates both personal financial information and personal health information which is in the possession of licensees, which term is defined, N.Y. Comp. Codes R. & Regs. Tit. 11, § 420.3(p)(1) (2001), to include health insurers and insurance agents. It is provided in that portion of Regulation 169 dealing with health information, N.Y. Comp. Codes R. & Regs. Tit. 11, § 420.21 (2001), that compliance with the HIPAA Privacy Rule is deemed to be compliance with Regulation 169.
Accordingly, claims history information that has been maintained by the insurer concerning the client may be disclosed to it, provided it has been sufficiently de-identified so that the identity of the individuals that have received benefits are not disclosed.
For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.