STATE OF NEW YORK
25 BEAVER STREET
NEW YORK, NEW YORK 10004
George E. Pataki
Re: Disclosure of Health Insurance Information
May a health insurer withhold information from an employer/policyholder regarding the number of hospital and out-of-network provider visits made by covered employees?
Unless the policy or contract places an obligation upon the insurer to provide specific claims data, a health insurer is not required to provide information to the employer/group policyholder. A health insurer may provide an employer/policyholder with aggregate employee information regarding hospital and out-of-network visits, or information regarding individual participants if the identities of the participants are not disclosed or made discoverable. Each health insurance company is required to file with the Department a "Quarterly New York Data Requirements Form," which contains aggregate claims payment information. Such information is available pursuant to a Freedom of Information Law (FOIL) request, New York Public Officers Law Article 6 (McKinney 2003 and 2005 Supplement).
The inquirer is a labor attorney with a client who is an employer/policyholder. The inquirer's client has requested that its health insurer provide reports or information that shows the number of hospital and out-of-network provider visits made by its employees. Initially, the health insurer agreed to provide the employer with two reports containing the requested information, but subsequently declined, stating that it did not see the benefit of providing the reports. The inquirer inquires whether or not the health insurer is legally entitled to withhold the requested information.
It has been the position of the Department that unless the policy or contract of insurance confers an obligation to share specific claims data, an insurer is not required to provide claims data to a group policyholder, although an insurer should be able to provide a justification of its proposed rate.
Because of New York Insurance Law (McKinney 2000 and 2005 Supplement) community rating requirements, many insurers and Health Maintenance Organizations (HMOs) do not maintain statistics on the claims experience of particular small groups subject to those requirements. New York Insurance Law § 3231(a) (McKinney 2000 and 2005 Supplement) regulates policies of commercial insurers, while New York Insurance Law § 4317(a) (McKinney 2000 and 2005 Supplement) regulates contracts of not-for-profit insurers and all HMOs. Sections 3231 and 4317 have identical requirements and provide that no "small group" health insurance policy, covering between two and fifty employees, exclusive of spouses and dependants, shall be issued unless it is "community rated" based on the experience of the entire pool of risks covered by that policy or contract without regard to age, sex, health status or occupation.
However, each health insurance company is required, pursuant to New York Insurance Law § 308 (McKinney 2000), to file with the Insurance Department Quarterly New York Data Requirements forms that contain data reflecting aggregate, not particularized, claims experience. These reports may be obtained by filing a FOIL request with the Department's Office of General Counsel.
If an insurer does provide information regarding hospital and out-of-network visits to an employer/group policyholder, the disclosure regulations must be met. Disclosure of health information is regulated by both Federal and New York Law and regulation. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. §164.502 (2002) generally provides that a "covered entity," as defined in 45 C.F.R. §160.103 (2002) to include health insurers, may not disclose protected health information without an authorization. The information protected by the Privacy Rule is "individually identifiable health information," defined in 45 C.F.R. §160.103 (2002):
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The Financial Modernization Act (Gramm-Leach-Bliley), Pub. Law No. 106-102 (1999), requires states to promulgate privacy rules for financial institutions, including insurers, under their jurisdiction. This Department promulgated N.Y. Comp. Codes R. & Regs. Tit. 11, 420.21 (Regulation 169) (2001), which provides that compliance by a licensee with the HIPAA Privacy Rule is deemed to be compliance with Regulation 169.
Accordingly, an insurer is not required to provide the health information, but may disclose aggregate health information regarding employees, or health information regarding an individual employee provided it has been sufficiently de-identified so that the identity of the individual is not disclosed or discoverable.
For further information one may contact Principal Attorney Alan Rachlin at the New York City office.