New York State Seal
STATE OF NEW YORK
INSURANCE DEPARTMENT
25 BEAVER STREET
NEW YORK, NEW YORK 10004

George E. Pataki
Governor

Howard Mills
Superintendent

The Office of General Counsel issued the following opinion on July 5, 2005, representing the position of the New York State Insurance Department.

Re: Electronic Transmittal of Explanations of Benefits (EOB)

Issue

May an insurer, including a Health Maintenance Organization, transmit an EOB to a subscriber by electronic means?

Conclusion

Since participation in the electronic transmittal program would be voluntary by the insured or subscriber, such transmission would not be prohibited by any statute.

Facts

The inquirer’s clients are X, an insurer licensed in accordance with New York Insurance Law Article 42 (McKinney 2000 and 2005 Supplement), X, a not-for-profit health insurer licensed in accordance with New York Insurance Law § 4302 (McKinney 2000), and X, an HMO with a Certificate of Authority in accordance with New York Public Health Law § 4402 (McKinney 2002), collectively referred to as X. The three insurers desire to transmit the required EOBs by electronic means, as described below.

If the proposal is effectuated, X would post an EOB containing all information required by New York Insurance Law § 3234 (McKinney 2000) on a secure website, which would be accessible only to those insureds or subscribers who have a unique user ID and password. When an EOB is to be transmitted, for those individuals who have opted into the program, X would send a secure e-mail referring the subscriber to the secure website.

The user ID and password would let an insured or subscriber access only his or her EOB. The employer or other group policyholder or contractholder would not have the ability to access the EOBS of individual insureds or subscribers.

Each insured or subscriber would be given an opportunity to utilize the program. For those insureds or subscribers who choose not to utilize the program, X would continue to transmit EOBs in hard copy. Any insured or subscriber who initially chose not to participate in the program could subsequently opt into the program. X had considered transmitting the EOBS directly to insureds and subscribers by e-mail, but decided that, because some individuals share their e-mail accounts with others or leave their e-mail message accessible without a separate sign-in, that such a methodology would not provide the requisite security.

The inquirer seeks confirmation that the X proposal would be in compliance with applicable statutes and regulations.

Analysis

Since the inquirer has not indicated whether X desires to utilize electronic delivery of EOBS required by New York Insurance Law § 3235 (McKinney 2000 and 2005 Supplement), that statute has not been considered.

New York Insurance Law § 3234 provides:

(a) Every insurer, including health maintenance organizations operating under article forty-four of the public health law or article forty-three of this chapter and any other corporation operating under article forty-three of this chapter, is required to provide the insured or subscriber with an explanation of benefits form in response to the filing of any claim under a policy or certificate providing coverage for hospital or medical expenses, including policies and certificates providing nursing home expense or home care expense benefits.

. . .

(d) This section shall not apply to medicare supplemental insurance policies or certificates or limited benefits health insurance policies or certificates designed primarily to supplement medicare benefits.

Provided that the electronic EOB contains all the elements required by New York Insurance Law § 3234(b), the X proposal would be in compliance with that statute.

New York Insurance Law § 4904(c) (McKinney 2000) and New York Public Health Law § 4904(3) (McKinney 2002) allow an insured or subscriber to appeal within 45 days of receipt of an EOB by such insured or subscriber. In order to assure compliance with the above statutes, X should have a means of verifying and tracking when the electronic EOB was accessed by the insured or subscriber.

The Electronic Signature in Global and National Commerce Act (E-SIGN), Pub. Law No. 106-229 (2000), codified at 15 U.S.C.A. § 7001 et seq. (West 2003 Supplement) regulates inter-state electronic commerce. 29 U.S.C.A. § 7001 provides:

(a) In general. Notwithstanding any statute, regulation, or other rule of law. . . with respect to any transaction in or affecting interstate or foreign commerce--(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

. . .

(c) Consumer disclosures. (1) Consent to electronic records. Notwithstanding subsection (a), if a statute, regulation, or other rule of law requires that information relating to a transaction or transactions in or affecting interstate or foreign commerce be provided or made available to a consumer in writing, the use of an

electronic record to provide or make available (whichever is required) such information satisfies the requirement that such information be in writing if-- (A) the consumer has affirmatively consented to such use and has not withdrawn such consent; (B) the consumer, prior to consenting, is provided with a clear and conspicuous statement--(i) informing the consumer of (I) any right or option of the consumer to have the record provided or made available on paper or in nonelectronic form, and (II) the right of the consumer to withdraw the consent to have the record provided or made available in an electronic form and of any conditions, consequences (which may include termination of the parties' relationship), or fees in the event of such withdrawal; (ii) informing the consumer of whether the consent applies (I) only to the particular transaction which gave rise to the obligation to provide the record, or (II) to identified categories of records that may be provided or made available during the course of the parties' relationship; (iii) describing the procedures the consumer must use to withdraw consent as provided in clause (i) and to update information needed to contact the consumer electronically; and (iv) informing the consumer (I) how, after the consent, the consumer may, upon request, obtain a paper copy of an electronic record, and (II) whether any fee will be charged for such copy; (C) the consumer--(i) prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of the electronic records; and (ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent; and (D) after the consent of a consumer in accordance with subparagraph (A), if a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain a subsequent electronic record that was the subject of the consent, the person providing the electronic record--(i) provides the consumer with a statement of (I) the revised hardware and software requirements for access to and retention of the electronic records, and (II) the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed under subparagraph (B)(i); and (ii) again complies with subparagraph (C). . . .

. . .

(i) Insurance. It is the specific intent of the Congress that this title . . . apply to the business of insurance.

. . .

Accordingly, provided that all the requirements of 15 U.S.C.A. § 7001(c)(1) are met, the X proposal appears to be in accordance with the E-SIGN Act.

The New York Electronic Signatures in Commerce Act is codified in the New York State Technology Law (McKinney 2005 Supplement). New York State Technology Law § 306 (McKinney 2005 Supplement) provides:

In any legal proceeding where the provisions of the civil practice law and rules are applicable, an electronic record . . . may be admitted into evidence pursuant to the provisions of article forty-five of the civil practice law and rules including, but not limited to section four thousand five hundred thirty-nine of such law and rules.

New York State Technology Law § 309 (McKinney 2005 Supplement) provides:

Nothing in this article shall require any entity or person to use an electronic record or an electronic signature unless otherwise provided by law.

Since use of the X website to access the EOB will be voluntary, the X program will be in compliance with the New York State Technology Law (McKinney 2003 Supplement).

EOBs issued to employee welfare benefit plans, as defined in the Employee Retirement Income Security Act (ERISA), 29 U.S.C.A. § 1001 et seq. (West 1999 and 2003 Supplement), are subject to the requirements of a regulation, 29 C.F.R. § 2560.503-1 (2002), issued by the United States Department of Labor. While the regulation does not specify the means of original transmittal of EOBs, 29 C.F.R. § 2560.503-1(j) & (k) provide:

(j) Manner and content of notification of benefit determination on review. The plan administrator shall provide a claimant with written or electronic notification of a plan's benefit determination on review. Any electronic notification shall comply with the standards imposed by 29 C.F.R. 2520.104b-1(c)(1)(i) (iii), and (iv). . . .

(k) Preemption of State law. (1) Nothing in this section shall be construed to supersede any provision of State law that regulates insurance, except to the extent that such law prevents the application of a requirement of this section. . . .

29 C.F.R. § 2520.104b-1(c)(1) (2002) provides in pertinent part:

Except as otherwise provided by applicable law, rule or regulation, the administrator of an employee benefit plan furnishing documents through electronic media is deemed to satisfy the requirements . . . if (i) The administrator takes appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents --(A) Results in actual receipt of transmitted information (e.g., using return-receipt or notice of undelivered electronic mail features, conducting periodic reviews or surveys to confirm receipt of the transmitted information); and (B) Protects the confidentiality of personal information relating to the individual's accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended); . . . (iii) Notice is provided to each participant, beneficiary or other individual, in electronic or non-electronic form, at the time a document is furnished electronically, that apprises the individual of the significance of the document when it is not otherwise reasonably evident as transmitted (e.g., the attached document describes changes in the benefits provided by the inquirer’s plan) and of the right to request and obtain a paper version of such document; and (iv) Upon request, the participant, beneficiary or other individual is furnished a paper version of the electronically furnished documents.

EOBs issued in conjunction with ERISA employee welfare benefit plans must comply with both New York Insurance Law § 3234 and the Department of Labor regulation. Whether the inquirer’s proposal would be in compliance with the Department of Labor’s regulation would have to be determined by the Employee Benefit Security Administration of the United States Department of Labor.

Since X is a covered entity under the Privacy Rule, 45 C.F.R. § 160.101 et seq (2002), promulgated by the United States Department of Health & Human Services pursuant to the Health Insurance Portability and Accountability Act (HIPAA), Pub. Law No. 104-191 (1996), it must comply with the security standards, 45 C.F.R. § 302 et seq. (2002), of that Rule. Whether the inquirer’s proposal would be in compliance with the HIPAA Privacy and Security Rules would have to be determined by the Office for Civil Rights of the United States Department of Health & Human Services.

For further information one may contact Principal Attorney Alan Rachlin at the New York City Office.