The following informal opinion was issued by the Office of General Counsel on June 29, 2001, representing the position of the New York State Insurance Department.
Re: Insurance Companys Retention of Medical Information
Issue:
If an insurance policy is not issued or accepted, may an insurance company retain medical information that it obtained as part of its underwriting of the application?
Conclusion:
Yes, however, the insurer may not further transmit the information without the specific permission of the applicant.
Facts:
The inquirers wife applied for life insurance from an insurer licensed in New York. As part of its underwriting process, the insurer requested that his wife authorize it to receive medical information from physicians who had treated her. The insurer subsequently received such medical information. After reviewing the medical information, and other information relevant to its underwriting requirements, the insurer offered to issue a life insurance policy to his wife. His wife reviewed the policy and, based upon the anticipated premium, declined the insurers offer.
His wife then requested that the insurer return, either to her or to the physicians from whom the information had been received, all the medical information. The insurer refused. The inquirer wants to know whether the insurer is properly retaining the information.
Analysis:
There is no provision in the New York Insurance Law that would require the insurer to return the medical information on his wife. However, New York Public Health Law §18(6) (McKinney 2001), dealing with medical records, provides, in pertinent part:
Whenever a health care provider, as otherwise authorized by law, discloses patient information to a person or entity other than the subject of such information or to other qualified persons, either a copy of the subject's written authorization shall be added to the patient information or the name and address of such third party and a notation of the purpose for the disclosure shall be indicated in the file or record of such subject's patient information maintained by the provider provided, however, that for disclosures made to insurance companies licensed pursuant to the insurance law such a notation shall only be entered at the time the disclosure is first made. Any disclosure made pursuant to this section shall be limited to that information necessary in light of the reason for disclosure. Information so disclosed should be kept confidential by the party receiving such information and the limitations on such disclosure in this section shall apply to such party. (Emphasis added)
Pursuant to the above cited provision of the New York Public Health Law, the insurer could not further disclose the information, unless it complied with other relevant statutory or regulatory provisions.
In addition, this Department has promulgated a Regulation, N.Y. Comp. R. & Regs. tit. 11, §420 et seq. (2001), governing privacy of nonpublic personal information. The Regulation, N.Y. Comp. R. & Regs, tit. 11, §420.3(r), defines "nonpublic personal information" as "nonpublic personal financial information and nonpublic personal health information". The Regulation, N.Y. Comp. R. & Regs. tit. 11, §420.3(t), further defines "nonpublic personal health information" as:
Health information: (1) that identifies an individual who is the subject of the information: or (2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
It is surmised that the information about which the inquirer is concerned falls within the definition of nonpublic personal health information. As an applicant for insurance, his wife would be considered to be a "consumer" within the purview of the Regulation. N.Y. Comp. R. & Regs. tit. 11, §420.3(c).
The Privacy Regulation, N.Y. Comp. R. & Regs. tit. 11, §420.17, provides, in pertinent part, and will require after December 31, 2001:
(a) a licensee shall not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer .. whose nonpublic personal health information is sought to be disclosed.
(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: underwriting .
Therefore, if the insurer retains still the information after December 31, 2001, his wife will be considered a consumer and the insurer could not transmit the information to an unrelated entity without his wifes authorization.
It is possible, however, that his wife authorized the transmission of some of the nonpublic personal health information to a not-for-profit cooperative entity established by life and health insurers to aid them in their policy underwriting. While that entity, the Medical Information Bureau, is not subject to this Departments Privacy Regulation, because it is not a licensee of this Department, its operations are governed by New York Insurance Law §321 (McKinney 2001), which provides in pertinent part:
Whenever any insurance company (which is a member of a medical information exchange center or which otherwise may transmit medical information in whatever manner to any other similar facility ) requests medical information from any applicant for personal insurance, it shall not transmit, nor be considered to have obtained the applicant's informed consent to transmit, the information to any such facility unless such company furnishes such applicant with a clear and conspicuous notice disclosing: (1) a description of such facility and its operations, (2) the circumstances under which such facility may release such medical information to other persons; and (3) such applicant's rights to request such facility to arrange disclosure of the nature and substance of any information in its files pertaining to him, and to seek correction of any inaccuracies or incompleteness of such information.
(c) No such facility shall release, transmit or otherwise communicate any medical information it may have to any other person unless such other person shall have in its possession a written instrument signed by the person who is the subject of medical information specifically naming such facility and authorizing such other person to obtain such medical information from such facility.
The Medical Information Bureau, therefore, could not transmit any information it may have received from the insurer in question to another insurer member, without his wifes specific authorization.
Accordingly, while there is no requirement in statute or regulation requiring the insurer to return the nonpublic personal health information in its possession, the information in question is protected from unauthorized transmission.
For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.