OGC Op. No. 08-10-11
The Office of General Counsel issued the following opinion on October 29, 2008, representing the position of the New York State Insurance Department.
RE: Privacy of consumer’s nonpublic personal financial information
1) Does the Insurance Law or regulations promulgated thereunder require an insurer or its agent to purge a consumer’s personal information from its records after giving the consumer a quote for an automobile insurance policy, when the transaction does not result in the purchase of insurance?
2) Under what circumstances, if any, may an insurer or its agent disclose to third parties personal information that it receives about a consumer for an insurance quote, when the transaction does not result in the purchase of insurance?
1) No. Neither the Insurance Law nor regulations promulgated thereunder require an insurer or its agent to purge information it receives from persons who request an insurance quote. In fact, the Department’s regulations require the insurer to maintain certain information for minimum specified periods.
2) An insurer and its agent may not disclose a consumer’s personal information to third parties, except in accordance with N.Y. Comp. Codes R. & Regs. Tit. 11, Part 420 (Regulation 169).
The inquirer reports that he called several insurers to request quotes for automobile insurance. Each insurer required different types of personal information to process the inquirer’s request. The inquirer asks whether an insurer must purge the information once the inquirer decided not to purchase the policy, and if not, how long an insurer is permitted to retain the information. The inquirer also asks whether an insurer may disclose such personal information to third parties.
I. Records Retention
The Department’s regulations specify minimum recordkeeping requirements for insurers with regard to certain types of records. See 11 NYCRR Part 243 (Regulation 152). Regulation 152 does not directly specify any retention requirement for information an insurer obtains from consumers seeking insurance quotes. But Regulation 152 does require an insurer to retain applications for insurance (which typically contain similar information as that provided by the consumer when requesting a quote), whether or not the consumer purchases the insurance. In addition to the application, Regulation 152 also requires an insurer to keep any “other information necessary for reconstructing the solicitation, rating, and underwriting of the contract or policy” for each policy purchased. 11 NYCRR
(b) Except as otherwise required by law or regulation, an insurer shall maintain:
(1) A policy record for each insurance contract or policy for six calendar years after the date the policy is no longer in force or until the filing of the report on examination in which the record was subject to review, whichever is longer . . . A policy record shall include:
* * *
(ii) the application, including any application form or enrollment form for coverage under any insurance contract or policy;
* * *
(iv) other information necessary for reconstructing the solicitation, rating, and underwriting of the contract or policy.
* * *
(2) An application where no policy or contract was issued for six calendar years or until after the filing of the report on examination in which the record was subject to review, whichever is longer.
Thus, an insurer is required to retain insurance quote information to the extent that such information is included in an application for insurance (whether or not a policy is issued), and if such information is necessary to reconstruct the solicitation, rating and underwriting of an issued insurance policy. See Opinion of Office of General Counsel No. 03-09-05 (September 8, 2003). An insurer also must retain such records for at least six years, or until after the filing of a report on examination by the Department, whichever is longer.1
Insurance agents maintaining records on behalf of insurers are subject to the same record retention requirements. Indeed, 11 NYCRR
An insurer shall require, by contract or other means, that a person authorized to act on its behalf in connection with the doing of an insurance business, including a managing general agent, an administrator, or other person or entity, shall comply with the provisions of this Part in maintaining records that the insurer would otherwise be required to maintain. Notwithstanding the above, the insurer shall be responsible if the person or entity fails to maintain the records in the required manner.
Thus, an insurance agent must maintain those records that an insurer itself is required to retain under Department regulations. See Opinion of Office of General Counsel No. 07-11-07 (November 28, 2007).
That being said, there is no Insurance Law or regulation promulgated thereunder that requires an insurer to purge or destroy records after the required retention period has expired, or that prohibits the insurer from retaining more information than Regulation 152 requires insurers to retain. Indeed, provided that the insurer meets the minimum standards specified by Regulation 152, the insurer may retain or purge such information in accordance with its own privacy policies.
II. Disclosure of nonpublic personal information
11 NYCRR Part 420 (Regulation 169) governs the disclosure of nonpublic personal information of consumers by a licensee (such as an insurer, its agent, or an insurance broker), including nonpublic personal financial information and nonpublic personal health information. 11 NYCRR
A. Nonpublic personal financial information
The federal Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.
Nonpublic personal financial information includes “personally identifiable financial information” and “any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using personally identifiable financial information other than publicly available information.” 11 NYCRR
A person who requests a quote for personal automobile insurance but who does not purchase the insurance is a “consumer” for purposes of Regulation 169, rather than a “customer.” The distinction between a “customer” and a “consumer” is that the former is a consumer who has entered into a continuing business relationship under which the licensee provides one or more insurance products or services. See 11 NYCRR
Except as otherwise provided by Regulation 169, a licensee may not disclose the nonpublic financial information of a consumer unless the licensee complies with the requirements of 11 NYCRR
But pursuant to 11 NYCRR
(b) When initial notice to a consumer is not required
A licensee is not required to provide an initial notice to a consumer under paragraph (a)(2) of this section if:
* * *
(1) the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 420.14 and 420.15 of this Part and the licensee does not have a customer relationship2 with the consumer.
Nor is the licensee required to deliver an opt-out notice if the licensee does not intend to disclose the consumer’s nonpublic personal financial information, other than as permitted by 11 NYCRR
B. Nonpublic Personal Health Information
As required by the federal Health Insurance Portability and Accountability Act (HIPAA), codified as a Note to 42 U.S.C.
The inquiry does not contain sufficient information for the Department to determine whether any of the insurers that provided the inquirer with a quote would fall within the definition of a “covered entity” within the meaning of HIPAA. But as a general matter, an insurer that issues only property/casualty insurance (and not also accident and health insurance) is not an insurer to which HIPAA would apply.3 See Opinion of General Counsel No. 04-06-05 (June 8, 2004). See also United States Department of Health and Human Services, HIPAA Frequent Questions, http://www.hhs.gov/hipaafaq/providers/covered/364.html (last visited Oct. 20, 2008). A property/casualty insurance agent or broker for an insurer that is not a “covered entity” is also not subject to the HIPAA Privacy Rules.4 Nevertheless, as discussed below, the HIPAA rules are relevant because an insurer and other licensees may choose to follow the HIPAA rules as a means of complying with the Department’s own health privacy rules, which are set out in 11 NYCRR Part 420 (Regulation 169).
Regulation 169 defines “nonpublic personal health information” as “health information that identifies an individual who is the subject of the information; or with respect to which there is a reasonable basis to believe that the information could be used to identify the individual.” 11 NYCRR
(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions . . . any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; . . . .
For further information you may contact Senior Attorney Brenda M. Gibbs at the Albany Office.
1 Pursuant to Insurance Law §§ 309 and 310, the Insurance Department conducts periodic examinations of insurers, compiles reports of its findings, and files such reports for public inspection.
2 N.Y. Comp. Codes R. & Regs., Tit. 11, § 240.3(i)(1) defines “customer relationship” as “a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family or household purposes.”
3 A property/casualty insurer that also sells accident and health insurance may choose to be a “hybrid entity” under the HIPAA Privacy Rules with respect to the “health care components” of its business. See 45 C.F.R. §§ 164.103 and 164.105(a)(2)(iii)(C). See also United States Department of Health and Human Services, HIPAA Frequent Questions, http://www.hhs.gov/hipaafaq/permitted/research/315.html (last visited Oct. 20, 2008). A “hybrid entity” is “a single legal entity: (1) That is a covered entity; (2) Whose business activities include both covered and non-covered functions; and (3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(C).” 45 C.F.R. § 164.103. A “health care component” includes any portion of the insurer’s business that would meet the definition of a covered entity if it was a separate entity. 45 C.F.R. § 164.105(a)(2)(iii)(C). A health care component also includes a component of the business that performs covered functions or “activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities.” Id.
4 While insurance agents and brokers are not considered to be “covered entities” within the definition of the HIPAA Privacy Rule, agents and brokers can be “business associates” of a covered entity. Opinion of General Counsel No. 08-06-04 (June 6, 2008). The term “business associate” is defined in 45 C.F.R. § 160.103, in relevant part, as:
[A] person who: (i) On behalf of such covered entity . . . but other than in the capacity of a member of the workforce of such covered entity . . . performs or assists in the performance of (A) A function or activity involving the use or disclosure of individually identifiable health information including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
If the insurer is not a covered entity, then by the terms of the HIPAA Privacy Rules, its insurance agents or brokers are not its “business associates,” and thus are not subject to the HIPAA Privacy Rules. See 45 C.F.R. § 160.103.