OGC Op. No. 11-02-05
The Office of General Counsel issued the following opinion on February 7, 2011 representing the position of the New York State Insurance Department.
Re: Health Provider, Audit of Provider Claims
Does any state or federal law prohibit the disclosure of patient treatment information by a dentist to an insurer, once an initial authorization for disclosure to the insurer is received from the patient?
The Insurance Department generally has no jurisdiction over health care providers, and there is no provision in the New York Insurance Law that would prohibit a health care provider from complying with the insurer’s demands. Other statutes and regulations may affect the ability of the health care provider to comply with the insurer’s demands. The Insurance Department offers no opinion as to the effect of those statutes.
The inquirer’s firm represents a dental indemnity company that is licensed in New York. The inquirer further reports that the inquirer’s client disagrees with the assertion of a number of New York dentists that New York law prohibits them from furnishing patient treatment information to the inquirer’s client.
In previous correspondence with the Insurance Department, a representative of the inquirer’s client had cited the agreement between the insurer and participating dentists, particularly ¶ 14 thereof, as justification for its demands for nonpublic personal health information:
Dentist shall cooperate with [Insurer] in its claim evaluation activities and be bound by the terms and conditions of the Bylaws of [Insurer] as they apply to the obligations of [Insurer] to its subscribers . . . .
The agreement furnished by the insurer, ¶ 6, also provides, in pertinent part:
Dentists shall submit claims on an [Insurer] claim form, or acceptable substitute, from which [Insurer] shall verify eligibility and coverage. . . .
The inquirer asserts, as did a representative of the insurer in the previous correspondence with the Insurance Department, that the regulations promulgated by the United States Department of Health and Human Services (HHS), which are codified at 45 CFR
In opposition to the dentist’s assertions, the inquirer cites Public Health Law
The inquirer questions whether any state or federal law prohibits the disclosure of patient treatment information by a dentist to an insurer, once an initial authorization for disclosure is received from the patient. In responding to the inquiry, a review of both state and federal statutes 1 is in order.
New York Insurance Law
A. Claim Forms
The inquirer asserts that the content of a claim form is relevant to the inquiry, because it establishes the ability of the health care provider relative to disclosures.
In accordance with Insurance Law
As permitted by 11 NYCRR
I accept this attending dentist’s statement and authorize release of information related thereto. I certify the truth of all personal information contained above. . . .
The inquirer asserts that the above language authorizes the disclosures requested of the dentist by the insurer. However, regardless of what the agreement may say, it cannot permit disclosure otherwise prohibited by federal or state law. Regulation 88 cannot be construed to permit an insurer to controvert any such requirement.
B. Privacy Protection
The protection of personal health information from untoward distribution has been the subject of state and federal regulations. Privacy protection with respect to inquiries is primarily governed by the HIPAA Privacy Rule (Rule). The inquirer asserts that the Rule permits the exchange of patient records between the provider and the insurer under the circumstances because both are covered entities under the Rule. Also, mandated by Title V of the Gramm-Leach-Bliley Act, Pub. L. No 106-02 (1999), the Insurance Department promulgated 11 NYCRR Part 420 (2000) (Regulation 169), which deals with Privacy of Consumer Financial & Health Information. 11 NYCRR
any information or data . . . , whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to: (1) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family; (2) the provision of health care to any individual; or (3) payment for the provision of health care to any individual.
In addition, 11 NYCRR
However, the strictures of Regulation 169 apply only to “licensees”, which are defined in 11 NYCRR
The HIPAA privacy rule limits those disclosures that may be made by a “covered entity.” The interpretation of the privacy rule is the sole province of HHS. Questions concerning the HIPAA privacy rule, including whether the requested disclosure is permitted without an authorization or whether the insurer’s authorization is defective, should be addressed to:
Office for Civil Rights
United States Department of Health and Human Services
26 Federal Plaza
New York, NY 10278
C. Fraud Prevention
New York Public Health Law
The inquirer asserts that New York Public Health Law
New York State Health Department
Empire State Plaza
Albany, NY 12237
New York Education Law
In addition to the statutes and regulations the inquirer cited, and which are mentioned above, the New York Education Law primarily determines whether the disclosures demanded by the inquirer’s client are either mandated or required as a condition of retention of a license. Question concerning that statute may be addressed to:
New York State Education Department
89 Washington Avenue
Albany, NY 12234
For further information, you may contact Principal Attorney Alan Rachlin at the New York City Office.
1 This opinion does not purport to make any interpretation of the Patient Protection and Affordable Care Act, Pub. Law 111-148 (2010), which takes effect on various dates through 2014.