OGC Op. No. 08-10-11
The Office of General Counsel issued the following opinion on October 29, 2008, representing the position of the New York State Insurance Department.
RE: Privacy of consumer’s nonpublic personal financial information
1) Does the Insurance Law or regulations promulgated thereunder require an insurer or its agent to purge a consumer’s personal information from its records after giving the consumer a quote for an automobile insurance policy, when the transaction does not result in the purchase of insurance?
2) Under what circumstances, if any, may an insurer or its agent disclose to third parties personal information that it receives about a consumer for an insurance quote, when the transaction does not result in the purchase of insurance?
1) No. Neither the Insurance Law nor regulations promulgated thereunder require an insurer or its agent to purge information it receives from persons who request an insurance quote. In fact, the Department’s regulations require the insurer to maintain certain information for minimum specified periods.
2) An insurer and its agent may not disclose a consumer’s personal information to third parties, except in accordance with N.Y. Comp. Codes R. & Regs. Tit. 11, Part 420 (Regulation 169).
The inquirer reports that he called several insurers to request quotes for automobile insurance. Each insurer required different types of personal information to process the inquirer’s request. The inquirer asks whether an insurer must purge the information once the inquirer decided not to purchase the policy, and if not, how long an insurer is permitted to retain the information. The inquirer also asks whether an insurer may disclose such personal information to third parties.
I. Records Retention
The Department’s regulations specify minimum recordkeeping requirements for insurers with regard to certain types of records. See 11 NYCRR Part 243 (Regulation 152). Regulation 152 does not directly specify any retention requirement for information an insurer obtains from consumers seeking insurance quotes. But Regulation 152 does require an insurer to retain applications for insurance (which typically contain information similar to that provided by the consumer when requesting a quote), whether or not the consumer purchases the insurance. In addition to the application, Regulation 152 also requires an insurer to keep any “other information necessary for reconstructing the solicitation, rating, and underwriting of the contract or policy” for each policy purchased. 11 NYCRR § 243.2(b), the relevant provision, provides in relevant part as follows:
(b) Except as otherwise required by law or regulation, an insurer shall maintain:
(1) A policy record for each insurance contract or policy for six calendar years after the date the policy is no longer in force or until the filing of the report on examination in which the record was subject to review, whichever is longer . . . A policy record shall include:
* * *
(ii) the application, including any application form or enrollment form for coverage under any insurance contract or policy;
* * *
(iv) other information necessary for reconstructing the solicitation, rating, and underwriting of the contract or policy.
* * *
(2) An application where no policy or contract was issued for six calendar years or until after the filing of the report on examination in which the record was subject to review, whichever is longer.
Thus, an insurer is required to retain insurance quote information to the extent that such information is included in an application for insurance (whether or not a policy is issued), and if such information is necessary to reconstruct the solicitation, rating and underwriting of an issued insurance policy. See Opinion of Office of General Counsel No. 03-09-05 (September 8, 2003). An insurer also must retain such records for at least six years, or until after the filing of a report on examination by the Department, whichever is longer.¹
Insurance agents maintaining records on behalf of insurers are subject to the same record retention requirements. Indeed, 11 NYCRR § 243.2(d) states:
An insurer shall require, by contract or other means, that a person authorized to act on its behalf in connection with the doing of an insurance business, including a managing general agent, an administrator, or other person or entity, shall comply with the provisions of this Part in maintaining records that the insurer would otherwise be required to maintain. Notwithstanding the above, the insurer shall be responsible if the person or entity fails to maintain the records in the required manner.
Thus, an insurance agent must maintain those records that an insurer itself is required to retain under Department regulations. See Opinion of Office of General Counsel No. 07-11-07 (November 28, 2007).
That being said, there is no Insurance Law or regulation promulgated thereunder that requires an insurer to purge or destroy records after the required retention period has expired, or that prohibits the insurer from retaining more information than Regulation 152 requires insurers to retain. Indeed, provided that the insurer meets the minimum standards specified by Regulation 152, the insurer may retain or purge such information in accordance with its own privacy policies.
II. Disclosure of nonpublic personal information
11 NYCRR Part 420 (Regulation 169) governs the disclosure of nonpublic personal information of consumers by a licensee (such as an insurer, its agent, or an insurance broker), including nonpublic personal financial information and nonpublic personal health information. 11 NYCRR § 240.3(e)(1) defines “consumer” as “an individual who, in this state seeks to obtain, obtains or has obtained an insurance product or service, directly or through a legal representative, from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information.” In addition, the Insurance Department has promulgated a data security regulation, 11 NYCRR Part 421 (Regulation 172), which requires all licensees to establish a security program to protect nonpublic personal information.
A. Nonpublic personal financial information
The federal Gramm-Leach Bliley Act (GLBA), 15 U.S.C. § 6801 et seq. (LEXIS 2008), establishes standards for disclosure of nonpublic personal financial information by financial institutions, including insurers. 15 U.S.C. § 6805(a)(6) and (b)(2) vests the Insurance Department with the authority to enforce the GLBA privacy requirements, and requires that the Department “implement the standards prescribed” by 15 U.S.C. 6801(b). To that end, the Department promulgated 11 NYCRR Part 420 (Regulation 169), which governs the treatment of nonpublic personal information about “consumers” or “customers” by all licensees of the Insurance Department.
Nonpublic personal financial information includes “personally identifiable financial information” and “any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using personally identifiable financial information other than publicly available information.” 11 NYCRR § 420.3(s). “Personally identifiable financial information” is any information (1) that a consumer provides to a licensee for the purpose of obtaining an insurance product or service; (2) about a consumer resulting from a transaction involving an insurance product or service between a licensee and the consumer; or (3) that a licensee obtains about a consumer in connection with providing an insurance product or service to that consumer. 11 NYCRR § 420.3(u).
A person who requests a quote for personal automobile insurance but who does not purchase the insurance is a “consumer” for purposes of Regulation 169, rather than a “customer.” The distinction between a “customer” and a “consumer” is that the former is a consumer who has entered into a continuing business relationship under which the licensee provides one or more insurance products or services. See 11 NYCRR § 420.3(e) and (h). Because the inquiry springs from circumstances where the inquirer opted not to purchase an insurance policy, the analysis that follows discusses only those rules that apply to a licensee’s disclosure of nonpublic financial information of consumers.
Pursuant to 11 NYCRR § 420.4(b)(1), a licensee is not required to provide the privacy notice to a consumer if the licensee does not disclose any of the consumer’s personal financial information. 11 NYCRR § 420.4(b)(1) states:
(b) When initial notice to a consumer is not required
A licensee is not required to provide an initial notice to a consumer under paragraph (a)(2) of this section if:
* * *
(1) the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by sections 420.14 and 420.15 of this Part and the licensee does not have a customer relationship² with the consumer.
Nor is the licensee required to deliver an opt-out notice if the licensee does not intend to disclose the consumer’s nonpublic personal financial information, other than as permitted by 11 NYCRR §§ 420.13, 420.14 or 420.15. See Opinion of General Counsel No. 02-02-20 (February 15, 2002). These provisions exempt a licensee from the initial notice and opt-out requirements and allow the licensee to disclose a consumer’s nonpublic personal financial information under certain exceptions. For instance, a licensee need not provide the privacy notice and opportunity to opt out when disclosure is required to effect a transaction at the request of the consumer but only to the extent “necessary to effect, administer or enforce” that transaction. See 11 NYCRR § 420.14(a); see also Opinion of Office of General Counsel No. 01-06-27 (June 27, 2001). A licensee also may disclose such information if disclosure is necessary to “comply with Federal, state, or local laws, rules or other applicable legal requirements.” See 11 NYCRR § 420.17(a)(7).
B. Nonpublic Personal Health Information
As required by the federal Health Insurance Portability and Accountability Act (HIPAA), codified as a Note to 42 U.S.C. § 1320d-2 (LEXIS 2008), the United States Department of Health and Human Services promulgated a set of rules collectively known as the “HIPAA Privacy Rules.” These rules apply to “covered entities”, which are defined in 45 C.F.R. § 160.103 to include health plans, health care clearinghouses and in certain instances, health care providers. See Opinion of Office of General Counsel No. 08-06-04 (June 6, 2008) (explaining generally the HIPAA Privacy Rules).
The inquiry does not contain sufficient information for the Department to determine whether any of the insurers that provided the inquirer with a quote would fall within the definition of a “covered entity” within the meaning of HIPAA. But as a general matter, an insurer that issues only property/casualty insurance (and not also accident and health insurance) is not an insurer to which HIPAA would apply.³ See Opinion of General Counsel No. 04-06-05 (June 8, 2004). See also United States Department of Health and Human Services, HIPAA Frequent Questions, http://www.hhs.gov/hipaafaq/providers/covered/364.html (last visited Oct. 20, 2008). A property/casualty insurance agent or broker for an insurer that is not a “covered entity” is also not subject to the HIPAA Privacy Rules.⁴ Nevertheless, as discussed below, the HIPAA rules are relevant because an insurer and other licensees may choose to follow the HIPAA rules as a means of complying with the Department’s own health privacy rules, which are set out in 11 NYCRR Part 420 (Regulation 169).
Regulation 169 defines “nonpublic personal health information” as “health information that identifies an individual who is the subject of the information; or with respect to which there is a reasonable basis to believe that the information could be used to identify the individual.” 11 NYCRR § 420.3(t). Pursuant to 11 NYCRR § 420.17, such licensees may not, except under carefully circumscribed circumstances, disclose a consumer’s nonpublic health information where the consumer has not authorized the disclosure. 11 NYCRR § 420.17 reads in relevant part as follows:
(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions . . . any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; . . . .
For further information you may contact Senior Attorney Brenda M. Gibbs at the Albany Office.
1 Pursuant to Insurance Law §§ 309 and 310, the Insurance Department conducts periodic examinations of insurers, compiles reports of its findings, and files such reports for public inspection.
2 N.Y. Comp. Codes R. & Regs., Tit 11, § 240.3(i)(1) defines “customer relationship” as “a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family or household purposes.”
3 A property/casualty insurer that also sells accident and health insurance may choose to be a “hybrid entity” under the HIPAA Privacy Rules with respect to the “health care components” of its business. See 45 C.F.R. §§ 164.103 and 164.105(a)(2)(iii)(C). See also United States Department of Health and Human Services, HIPAA Frequent Questions, http://www.hhs.gov/hipaafaq/permitted/research/315.html (last visited Oct. 20, 2008). A “hybrid entity” is “a single legal entity: (1) That is a covered entity; (2) Whose business activities include both covered and non-covered functions; and (3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(C).” 45 C.F.R. § 164.103. A “health care component” includes any portion of the insurer’s business that would meet the definition of a covered entity if it was a separate entity. 45 C.F.R. § 164.105(a)(2)(iii)(C). A health care component also includes a component of the business that performs covered functions or “activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities.” Id.
4 While insurance agents and brokers are not considered to be “covered entities” within the definition of the HIPAA Privacy Rule, agents and brokers can be “business associates” of a covered entity. Opinion of General Counsel No. 08-06-04 (June 6, 2008). The term “business associate” is defined in 45 C.F.R. § 160.103 in relevant part as:
[A] person who: (i) On behalf of such covered entity . . . but other than in the capacity of a member of the workforce of such covered entity . . . performs or assists in the performance of (A) A function or activity involving the use or disclosure of individually identifiable health information including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
If the insurer is not a covered entity, then by the terms of the HIPAA Privacy Rules, its insurance agents or brokers are not its “business associates,” and thus not subject to the HIPAA Privacy Rules. See 45 C.F.R. § 160.103.