The Office of General Counsel issued the following informal opinion on June 18, 2002, representing the position of the New York State Insurance Department.

Re: Licensee’s Release of Health Information to Non-Affiliated Broker

Question Presented:

With respect to an insured experience rated group account, may a licensee provide to the group policyholder or the policyholder’s designated broker a report that lists the date a claim was paid, the type of provider involved, but does not identify the individual claimant, except by a randomly generated identifier?

Conclusion:

The Department’s Privacy Regulation, found at N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0 - 420.24 (2002) (Regulation 169), would not prohibit a licensee from providing a group policyholder or the policyholder’s designated broker with a report that lists claim history information, such as the date a claim was paid and the type of provider involved, so long as the randomly generated identifier does not identify the individual who is the subject of the information being disclosed or there is no reasonable basis to believe that such identifier could be used to identify such individual. In such a case, pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2002) (Regulation 169), this information would not be "nonpublic personal health information."

Facts:

The inquirer states that he works for a health insurance broker in New York City and are reviewing a renewal for one of his insureds who has a non-community rated point of service product. The health insurer has refused to release claims history information such as reports that list the dates claim were paid and the types of providers used, to the inquirer or the group policyholder. The inquirer is not an affiliate of the health insurer from whom he requested this information. The inquirer would like to know if Regulation 169 prohibits a licensee/insurer from disclosing such information. Further, the inquirer states that the report would not include the claimants’ name or social security number. Instead, it would contain only a randomly generated identifier, such as "employee #1" or "employee #2", which could not be used to identify the claimant.

Analysis:

The release of "non-public personal health information" must be treated in accordance with the requirements of N.Y. Comp. Codes R. & Regs. tit. 11, §§ 420.0 - 420.24 (2002) (Regulation 169). Specifically, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2002) (Regulation 169), provides that a licensee may not disclose nonpublic personal health information about a consumer or a customer unless the consumer or customer whose nonpublic personal health information is being disclosed authorizes such disclosure. That section provides:

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

The inquirer states that, as a designated broker for a group of policyholders he would like to obtain from the licensee a report that lists the dates claims were paid and the types of providers involved. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(n) (2002) (Regulation 169) defines "health information":

(n) Health information means any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:

the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family;

the provision of health care to any individual; or

payment for the provision of health care to any individual. (emphasis in original).

Information such as the date a claim was paid and the type of provider involved constitute "health information", as defined in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(n) (2002) (Regulation 169), because such information is data that is recorded or created by or derived from a health care provider or the consumer that relates to "the provision of health care to an individual." The question that needs to be answered, however, is whether release of the health information the inquirer seeks constitutes "nonpublic personal health information" under N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2002) (Regulation 169), in which case the consent of the consumer or customer would be required before any disclosure could be made.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2002) (Regulation 169) provides:

(t) Nonpublic personal health information means health information:

that identifies an individual who is the subject of the information; or

with respect to which there is a reasonable basis to believe that the information could be used to identify an individual (emphasis in original).

The inquirer states that the report in question will not contain the individual claimant’s name or social security number. Instead it will contain a randomly generated identifier such as "employee #1" or "employee #2". The inquirer claims that such identifier cannot be used to identify the claimant. Regulation 169 would not prohibit a licensee from providing to a group policyholder or the policyholder’s designated broker a report of the type the inquirer describes so long as, pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2002) (Regulation 169), the information contained in such report does not identify the individual who is the subject of the information being disclosed or there is no reasonable basis to believe that information contained therein could be used to identify such individual. Under the regulation, the information that the inquirer requested would not be "nonpublic personal health information" because the randomly generated identifier could not be used to identify the claimant. Accordingly, the requirement in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2002) (Regulation 169) that "authorization is obtained from the consumer or customer" prior to disclosure, would not apply here.

Please note that although the disclosure in question would not constitute a violation of Regulation 169, there may be statutes other than the Insurance Law that control the release of medical information, with which the inquirer must comply.

For further information you may contact Senior Attorney D. Monica Marsh at the New York City Office.