OGC Op. No. 08-06-04
The Office of General Counsel issued the following opinion on June 6, 2008 representing the position of the New York State Insurance Department.
RE: Continuation Right, Group Health Insurance; Electronic Storage of Protected Health Information
1. Is there a continuation right where, subsequent to termination of employment but prior to the expiration of the required continuation period, an employer terminates an existing group policy or contract, and replaces it with a group policy or contract from another insurer?
2. If there is such a continuation right, and the new insurer has a smaller network of participating health providers, is there a violation of the continuation right?
3. If there is such a continuation right, and a former employee relocates to an area where the new insurer has a smaller network of participating health providers, is there a violation of the continuation right?
4. If a licensed insurance agent or broker maintains protected health information in electronic form on a database that is available to all of its employees for transmittal to insurers for their underwriting use, is there a violation of applicable privacy requirements?
1. The continuation requirement affecting most employers is set forth in the federal Comprehensive Omnibus Budget Reconciliation Act (“COBRA”), Pub. L. No. 99-272 (1986). Questions concerning that statute should be directed to the United States Department of Labor. As to New York’s continuation requirement, the new insurer would still have to provide continuation benefits.
2. Under New York’s continuation requirement, the smaller size of the new insurer’s provider network would not constitute a violation of any continuation right.
3. Under New York’s continuation requirement, a former employee’s relocation to an area where the new insurer has a smaller accessible provider network would not constitute a violation of any continuation right.
4. Security requirements for electronic storage are established by rules promulgated by the United States Department of Health and Human Services (HHS) in accordance with the federal Health Insurance Portability and Accountability Act (“HIPAA”), Pub. L. No. 104-191 (1996). Questions concerning these requirements should be directed to HHS. In addition, New York has its own data protection requirements which are set forth in N.Y. Comp. Codes R. & Regs. tit. 11, Part 421 (Regulation 173) (2002).
The inquirer is licensed as an insurance agent in accordance with N.Y. Ins. Law § 2103(a) (McKinney 2006), and as an insurance broker in accordance with Insurance Law § 2104.
The inquirer reports that one of its clients has switched to an insurer that has fewer participating physicians in some jurisdictions outside of New York than did the previous insurer. It asks generally about the client’s obligation to provide continuation, including specifically where a former employee relocates to a jurisdiction where there are fewer participating health care providers.
The inquirer also reports that 90% of the firm’s records are maintained in an electronic format in a database that is available to all of the firm’s employees. Included in the database is material containing protected health information, as defined in the HIPAA Privacy Rule. Upon occasion, the firm transmits underwriting information [1] to insurers that contains protected health information. The firm inquires as to whether its procedures comply with HIPAA.
I. Continuation Benefits
The COBRA continuation requirements affecting private employers are codified as part of the federal Employee Retirement Income Security Act (ERISA) at 29 U.S.C. §§ 1161-1169 (West 1999). Federal continuation requirements are applicable only to employers with 20 or more employees. See 29 U.S.C. § 1161(b).
The continuation requirements imposed by COBRA have resulted in extensive litigation, including challenges to the interpretations of COBRA by the United States Department of Labor, which is charged with enforcement of ERISA. Questions regarding COBRA should be addressed to: Employee Benefits Security Administration, United States Department of Labor, 33 Whitehall Street, New York, NY 10004.
New York law, too, establishes a continuation requirement, which is set forth in Insurance Law § 3221(m) for group health insurance policies issued by commercial insurers, and Insurance Law § 4305(l) for group contracts issued by not-for-profit health insurers and all health maintenance organizations (“HMOs”). (Since the requirements are identical, subsequent references herein to Insurance Law § 3221(m) also apply to § 4305(l).) The New York continuation requirement is not applicable to policies and contracts that are covered under COBRA. See Insurance Law § 3221(m)(6).
With respect to group health insurance policies, the insurer issuing the replacement policy or contract assumes all obligations imposed by statute. While COBRA imposes an obligation on both the employer and the insurer, New York’s continuation requirement applies only to the insurer. The first paragraph of Insurance Law § 3221(m) provides:
A group policy providing hospital, surgical or medical expense insurance for other than accident only shall provide that if all or any portion of the insurance on an employee or member insured under the policy ceases because of termination of employment . . . such employee . . . shall be entitled without evidence of insurability upon application to continue his hospital, surgical or medical expense insurance for himself or herself and his or her eligible dependents, subject to all of the group policy's terms and conditions applicable to those forms of benefits . . . .
Further, Insurance Law § 3221(m)(4)(E)(i) reads as follows:
The employee or member shall have the right to become covered under that other group policy, for the balance of the period that he would have remained covered under the prior group policy in accordance with this subparagraph had a termination described in this subparagraph not occurred . . . .
Therefore, under New York law, a new insurer is required to honor any continuation right provided by the former insurer to former employees under Insurance Law § 3221(m).
When considering a health insurer, one of the factors usually considered by the employer is the size and location of the network. However, a change of insurers that results in a diminished network in some locations does not constitute a violation of the continuation requirement, because the obligation under New York’s continuation requirement is on the insurer, not the employer.
A special rule applies, however, to continuing care provided under a managed care health insurance contract, independent of whether New York’s continuation requirements apply. Such a contract is defined in Insurance Law § 4801(c):
[A] "managed care health insurance contract" . . . shall mean a contract which requires that all medical or other health care services covered under the contract, other than emergency care services, be provided by, or pursuant to a referral from, a designated health care provider chosen by the insured (i.e. a primary care gatekeeper), and that services provided pursuant to such a referral be rendered by a health care provider participating in the insurer's managed care provider network. In addition, in the case of . . . (ii) a group health insurance contract covering no more than three hundred lives, imposing a coinsurance obligation of more than twenty-five percent upon services received outside of the insurer's provider network, and which has been sold to five or more groups, a managed care product shall also mean a contract which requires that all medical or other health care services covered under the contract, other than emergency care services, be provided by, or pursuant to a referral from, a designated health care provider chosen by the insured (i.e. a primary care gatekeeper), and that services provided pursuant to such a referral be rendered by a health care provider participating in the insurer's managed care provider network, in order for the insured to be entitled to the maximum reimbursement under the contract.
The special rule is set forth in Insurance Law § 4804(f), which requires:
If a new insured whose health care provider is not a member of the insurer's in-network benefits portion of the provider network enrolls in the managed care product, the insurer shall permit the insured to continue an ongoing course of treatment with the insured's current health care provider during a transitional period of up to sixty days from the effective date of enrollment, if (1) the insured has a life-threatening disease or condition or a degenerative and disabling disease or condition or (2) the insured has entered the second trimester of pregnancy at the time of enrollment, in which case the transitional period shall include the provision of post-partum care directly related to the delivery. If an insured elects to continue to receive care from such health care provider pursuant to this paragraph, such care shall be authorized by the insurer for the transitional period only if the health care provider agrees (A) to accept reimbursement from the insurer at rates established by the insurer as payment in full . . . (B) to adhere to the insurer's quality assurance requirements and agrees to provide to the insurer necessary medical information related to such care; and (C) to otherwise adhere to the insurer's policies and procedures . . . . In no event shall this subsection be construed to require an insurer to provide coverage for benefits not otherwise covered or to diminish or impair pre-existing condition limitations contained within the insured's contract.
Where an employee, or former employee, knowingly and voluntarily relocates to an area with a diminished network, the insured individual is presumed to have relocated with full knowledge of the smaller network, and is not entitled to any special consideration other than the situations covered by Insurance Law § 4804(f), where the insurer has a continuing obligation. Accordingly, the relocation by an employee, or former employee, does not constitute a violation of New York’s continuation requirement.
II. Protected Health Information
The other inquiry pertains to protected health information. The Insurance Department has, pursuant to federal mandate, promulgated its own rules regulating protected health information. See 11 NYCRR Part 420 (Regulation 169) (2001). However, pursuant to 11 NYCRR § 420.21, an insurer and other licensees, including insurance agents and brokers, may instead comply with the federal HIPAA Privacy Rules. In addition, the Insurance Department has promulgated a data security regulation, 11 NYCRR Part 421 (Regulation 172), which requires all licensees, including life insurers, insurance agents, and insurance brokers to establish a security program. The regulation does not, however, specifically deal with limitation of access to protected health information.
For licensees that opt to comply with the New York privacy requirements, 11 NYCRR § 420.18 provides:
(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions . . . any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; . . . . Additional insurance functions may be added with the approval of the superintendent to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.
As required by HIPAA, HHS has promulgated a number of enactments, collectively known as the “HIPAA Privacy Rules.” For the purpose of those rules, “protected health information” is defined in 45 C.F.R. § 160.103 as:
[I]ndividually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.
“Individually identifiable health information” is defined in the same section as:
[A]ny information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual . . . .
The strictures of the HIPAA Privacy Rules are applicable to “covered entities”, which are defined in 45 C.F.R. § 160.103 as:
(1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Health insurance companies and HMOs are encompassed within the definition of “health plan.” See 45 C.F.R. § 164.103.
While insurance agents and brokers are not considered to be “covered entities” within the definition of the HIPAA Privacy Rule, agents and brokers can be “business associates” of a covered entity. That term is defined in 45 C.F.R. § 160.103 as follows:
[A] person who: (i) On behalf of such covered entity . . . in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity . . . (A) A function or activity involving the use or disclosure of individually identifiable health information . . . .
The general requirement for security of protected health information in electronic form is set forth in 45 C.F.R. § 164.306(a):
General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required . . . (4) Ensure compliance with this subpart by its workforce.
In addition, 45 C.F.R. § 164.312(a)(1), “Access Control”, provides in pertinent part:
A covered entity must, in accordance with § 164.306: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights . . . .
While life insurers are not “covered entities”, “business associates” should, as a good business practice, maintain the same security controls with reference to life insurance & annuities as they would with respect to health insurance.
Questions concerning the obligations of business associates, and any other questions concerning the HIPAA Privacy Rules should be directed to: Office for Civil Rights, United States Department of Health & Human Services, 26 Federal Plaza, New York, NY 10278.
For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.
[1] It is presumed that the inquirer's reference to “underwriting” refers, in the case of health insurance, to those groups that are not subject to Insurance Law § 3231(a) or 11 NYCRR § 52.70(f); and also to underwriting of life insurance policies & annuity contracts.