OGC Op. No. 11-02-05
The Office of General Counsel issued the following opinion on February 7, 2011 representing the position of the New York State Insurance Department.
Re: Health Provider, Audit of Provider Claims
Does any state or federal law prohibit the disclosure of patient treatment information by a dentist to an insurer, once an initial authorization for disclosure to the insurer is received from the patient?
The Insurance Department generally has no jurisdiction over health care providers, and there is no provision in the New York Insurance Law that would prohibit a health care provider from complying with the insurer’s demands. Other statutes and regulations may affect the ability of the health care provider to comply with the insurer’s demands. The Insurance Department offers no opinion as to the effect of those statutes.
The inquirer’s firm represents a dental indemnity company that is licensed in New York. The inquirer further reports that the inquirer’s client disagrees with the assertion of a number of New York dentists that New York law prohibits them from furnishing patient treatment information to the inquirer’s client.
In previous correspondence with the Insurance Department, a representative of the inquirer’s client had cited the agreement between the insurer and participating dentists, particularly ¶ 14 thereof, as justification for its demands for nonpublic personal health information:
Dentist shall cooperate with [Insurer] in its claim evaluation activities and be bound by the terms and conditions of the Bylaws of [Insurer] as they apply to the obligations of [Insurer] to its subscribers . . . .
The agreement furnished by the insurer, ¶ 6, also provides, in pertinent part:
Dentists shall submit claims on an [Insurer] claim form, or acceptable substitute, from which [Insurer] shall verify eligibility and coverage. . . .
The inquirer asserts, as did a representative of the insurer in the previous correspondence with the Insurance Department, that the regulations promulgated by the United States Department of Health and Human Services (HHS), which are codified at 45 CFR § 160.101 et seq. (2010), under the Health Insurance Portability and Accountability Act (HIPAA), enacted as Pub. L. No. 104-191 (1996), permits the requested disclosures. While not questioning the applicability of the HIPAA Privacy Rule, the dentists assert, supported in this contention by the New York Dental Society, that New York law is stricter.
In opposition to the dentist’s assertions, the inquirer cites Public Health Law § 18(6) as support for the inquirer’s assertion that, once the patient gives consent, there may be further disclosure of a patient’s nonpublic personal health information, provided that a notation is made in the patient’s chart. The inquirer closes by claiming the refusal by the dentists prevents the insurer’s compliance with its fraud detection plan, which has been filed with the Insurance Department in accordance with Insurance Law § 409.
The inquirer questions whether any state or federal law prohibits the disclosure of patient treatment information by a dentist to an insurer, once an initial authorization for disclosure is received from the patient. In responding to the inquiry, a review of both state and federal statutes 1 is in order.
New York Insurance Law
A. Claim Forms
The inquirer asserts that the content of a claim form is relevant to the inquiry, because it establishes the ability of the health care provider relative to disclosures.
In accordance with Insurance Law § 3224(a), the Superintendent promulgated 11 NYCRR Part 17 (Regulation 88), which established a standard dental claim form. See 11 NYCRR § 17.1(b).
As permitted by 11 NYCRR § 17.4(a), the insurer has inserted a fraud warning and an authorization to be completed by the patient. The latter provides:
I accept this attending dentist’s statement and authorize release of information related thereto. I certify the truth of all personal information contained above. . . .
The inquirer asserts that the above language authorizes the disclosures requested of the dentist by the insurer. However, regardless of what the agreement may say, it cannot permit disclosure otherwise prohibited by federal or state law. Regulation 88 cannot be construed to permit an insurer to controvert any such requirement.
B. Privacy Protection
The protection of personal health information from untoward distribution has been the subject of state and federal regulations. Privacy protection with respect to inquiries is primarily governed by the HIPAA Privacy Rule (Rule). The inquirer asserts that the Rule permits the exchange of patient records between the provider and the insurer under the circumstances because both are covered entities under the Rule. Also, mandated by Title V of the Gramm-Leach-Bliley Act, Pub. L. No 106-02 (1999), the Insurance Department promulgated 11 NYCRR Part 420 (2000) (Regulation 169), which deals with Privacy of Consumer Financial & Health Information. 11 NYCRR § 420.3(n) defines “health information” as:
any information or data . . . , whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to: (1) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family; (2) the provision of health care to any individual; or (3) payment for the provision of health care to any individual.
In addition, 11 NYCRR § 420.21 provides that a licensee in compliance with the federal HIPAA privacy rule is not subject to the rules for health information set forth in sections 420.17-420.20 of Regulation 169.
However, the strictures of Regulation 169 apply only to “licensees”, which are defined in 11 NYCRR § 420.3(p), as, in part, “a person licensed or required to be licensed” in accordance with the Insurance Law.” Therefore, Regulation 169 does not apply to health care providers, and neither prohibits nor requires disclosure by participating health care providers.
The HIPAA privacy rule limits those disclosures that may be made by a “covered entity.” The interpretation of the privacy rule is the sole province of HHS. Questions concerning the HIPAA privacy rule, including whether the requested disclosure is permitted without an authorization or whether the insurer’s authorization is defective, should be addressed to:
Office for Civil Rights
United States Department of Health and Human Services
26 Federal Plaza
New York, NY 10278
C. Fraud Prevention
The inquire§ 409, which the inquirer cites, requires insurers to develop and submit fraud prevention plans to the Insurance Department. However, while report submissions pursuant to Insurance Law § 405 are an integral part of a fraud prevention plan, health care providers are not obliged under the Insurance Law to furnish information to the Insurance Department, and any contractual obligation to furnish information to an insurer for transmission to the Insurance Department is subject to restriction under applicable statutes and regulations.
New York Public Health Law
The inquirer asserts that New York Public Health Law § 18(6) supports the inquirer’s contention that participating health care providers are permitted to furnish health information to insurers because, in the inquirer’s view, entry of the disclosure in the patient’s records obviates the need for authorization. However, questions concerning the Public Health Law should be addressed to:
New York State Health Department
Empire State Plaza
Albany, NY 12237
New York Education Law
In addition to the statutes and regulations the inquirer cited, and which are mentioned above, the New York Education Law primarily determines whether the disclosures demanded by the inquirer’s client are either mandated or required as a condition of retention of a license. Question concerning that statute may be addressed to:
New York State Education Department
89 Washington Avenue
Albany, NY 12234
For further information, you may contact Principal Attorney Alan Rachlin at the New York City Office.
1 This opinion does not purport to make any interpretation of the Patient Protection and Affordable Care Act, Pub. Law 111-148 (2010), which takes effect on various dates through 2014.