The Office of General Counsel issued the following opinion on July 15, 2005, representing the position of the New York State Insurance Department.
Re: Disclosure of Policyholder Files by Insurance Agents (Regulations 169 and 173).
Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169), may an insurance agent disclose its policyholder files to an insurer who did not issue the policies, to comply with an agreement between the insurance agent and the insurer?
Yes, provided that the insurance agent complies with the notice and opt-out requirements of the Regulation in regard to nonpublic personal financial information and with the opt-in requirement for nonpublic personal health information.
An insurance agent has an agreement with an insurer that allows him to sell business that is not acceptable to the insurer, provided that he is given permission to do so through a letter of authority issued by the insurer. This involves the sale of both personal lines insurance (automobile, homeowners, boat and umbrella) and commercial lines insurance. As part of the agent's agreement with the insurer, the insurer reserves the right to inspect the agent's files to determine whether he is selling insurance in accordance with the terms of the agreement. While reviewing the files, the insurer records the name of the policyholder, the reason for the sale and supporting documentation, correspondence between the agent, policyholder and/or the agency, and any other general information in the file. The agent's agreement with the insurer does not preclude the insurer from recording such information. The agent would like to know whether he may disclose such information to the insurer under these circumstances.
N.Y. Comp. Codes R. & Regs. tit. 11, § 420.1(a)(2001) (Regulation 169) provides as follows:
(a) Purpose. This part governs the treatment of nonpublic personal information about individuals (defined in this part as consumers or customers) in this State by all licensees of the Insurance Department. This Part:
(1) requires a licensee to provide notice to individuals about its privacy policies and practices;
(2) describes the conditions under which a licensee may disclose nonpublic personal health information and nonpublic personal financial information about individuals to nonaffiliated third parties;
(3) provides methods for individuals to prevent a licensee from disclosing that information; and
(4) provides a method for individuals to prevent a licensee from disclosing nonpublic personal health information by not affirmatively consenting to such disclosure, subject to the exceptions in section 420.17(b) of this Part.
N.Y. Comp. Codes R. & Regs. tit. 11, § 420.1(b) (2001) (Regulation 169) provides as follows:
(b) Scope. This Part applies to:
(1) Nonpublic personal financial information about individuals who obtain, seek to obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. This Part does not apply to information about companies or about individuals who obtain products or services for business, commercial, or agricultural purposes; and
(2) all nonpublic personal health information. (emphasis supplied)
Section 420.3(p)(1) defines the term "licensee" as follows:
(p)(1) [A] person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; a health maintenance organization holding, or required to hold, a certificate of authority pursuant to article 44 of the Public Health Law; or an unauthorized insurer in regard to the excess line business conducted pursuant to section 2118 of the Insurance Law and Part 27 of this Title (Regulation 41); but shall not include a registered service contract provider, charitable annuity society, or a licensed viatical settlement company or viatical settlement broker. (emphasis added)
An insurance agency would come within the definition of "licensee" in Section 420.3(p)(1). Although Section 420.3(p)(2) provides an exemption for certain licensees, including insurance agents, it is not relevant here. Section 420.3 of Regulation 169 contains the definitions of consumers and customers. Specifically, Section 420.3(e)(1) defines the term "consumer" as:
[A]n individual who, in this State, seeks to obtain, obtains or has obtained an insurance product or service, directly or through legal representative, from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal information.
Section 420.3(h) defines the term "customer" as "a consumer who has a customer relationship with a licensee." Section 420.3(i)(1) states that a "customer relationship" is a "continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family, or household purposes." Pursuant to Section 420.3(i)(2)(i)(a), "a consumer has a continuing relationship with a licensee if the consumer is a current policyholder of an insurance product issued by or through the licensee . . ."
However, Section 420.3(i)(2)(ii) provides that a consumer does not have a continuing relationship with a licensee if:
(a) The consumer applies for insurance but does not purchase the insurance;
(b) The licensee sells the consumer airline travel insurance in an isolated transaction;
(c) The individual is no longer a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;
(d) The consumer is a beneficiary or claimant under a policy;
(e) The customer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, communication at the direction of a state or federal authority, or promotional materials; or
(f) The individual is an insured or an annuitant under an insurance policy or annuity, respectively, but is not the policyholder or owner of the insurance policy or annuity.
Different provisions of the Regulation apply depending on whether an individual is defined as a consumer or a customer under the Regulation, including the requirement that privacy notices be sent, and the timing thereof. Here, under the Regulation, the agent's current policyholders would be customers and his former policyholders would be consumers. Since the agent's situation does not appear to fall under any of the applicable exceptions contained in the Regulation, the agent would have to comply with the initial, annual and opt out privacy notice requirements for nonpublic personal financial information pertaining to customers prior to disclosure with respect to personal lines insurance. The Regulation does not apply to nonpublic personal financial information about the agent's policyholders who obtained commercial lines insurance. With respect to the agent's consumers, the agent would have to comply with the initial and opt out privacy notice requirements prior to disclosure.
Section 420.4(a)(2) provides as follows:
Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects the licensee's privacy policies and practices to:
(2) [A] consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by sections 420.14 and 420.15 of this Part.
Section 420.10(a)(1) provides as follows:
Conditions for disclosure. Except as otherwise authorized in this Part, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
(i) the licensee has provided to the consumer an initial notice as required under section 420.4 of this Part;
(ii) the licensee has provided to the consumer an opt out notice as required under section 420.7 of this Part;
(iii) the licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(iv) the consumer does not opt out.
Section 420.5(a)(1) requires a licensee to provide an annual privacy notice to its customers. That Section provides, in pertinent part, as follows:
[A] licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee must apply it to the customer on a consistent basis.
With respect to the disclosure of nonpublic personal health information, Section 420.17(a) provides that:
A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
Section 420.17(b) contains exceptions to this authorization requirement. Section 420.21 provides an exemption for licensees who comply with all the requirements of the federal Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191 (1996) privacy rules and regulations, as promulgated by the U.S. Department of Health and Human Services. See 45 C.F.R. § 160.101 et seq. Here, based on the facts provided, it appears that none of the exceptions contained in the Regulation would apply to the agent's situation. Thus, if the file contains nonpublic personal health information, the agent must provide the requisite opt-in authorization before disclosing nonpublic personal health information.
Accordingly, if the policyholder chooses to opt out of disclosure of nonpublic personal financial information and/or the policyholder does not provide the requisite opt-in authorization for the release of nonpublic personal health information (depending on what is in the file), the agent may not disclose the file containing such information to the insurer. Another option would be to redact the policyholder's nonpublic personal information in the file prior to disclosure, so that it no longer contains nonpublic personal information.
The agent should also be aware that N.Y. Comp. Codes R. & Regs. tit. 11, § 421.2 (2001) (Regulation 173) requires all licensees, as defined by Section 420.3(p)(1), including insurance agents, to implement a comprehensive written information security program for the protection of customer information.[1] Thus, in addition to complying with Regulation 169, the agent must also take those steps necessary to comply with the requirements of Regulation 173.
For further information you may contact Associate Attorney Pascale Jean-Baptiste at the New York City Office.
[1] Section 421.1(d) of Regulation 173 provides an exemption for purchasing groups and unauthorized insurers in regard to excess line business conducted pursuant to section 2118 of the Insurance Law and N.Y. Comp. Codes R. & Regs. tit. 11, Part 27 (Regulation 41). Section 420.3(p) of Regulation 169 also contains exemptions for certain licensees.