The Office of General Counsel issued the following opinion on March 18, 2003, representing the position of the New York State Insurance Department.

RE: Health Insurance Portability & Accountability Act (HIPAA), Privacy Requirements

Issue

Are insurers required to amend their filed policy forms to incorporate restrictions imposed on Group Health Plans by the HIPAA Privacy Regulation, 45 C.F.R. § 164.504 (2002)?

Conclusion

If the matter regulated by the above cited provision has been included by an insurer in a policy or contract, amendment of such policy or contract may be required. Further, in order for insurers to bring themselves generally into compliance with HIPAA privacy requirements, amendment of policy and contract forms may be required.

Facts

Since this was a general inquiry, no facts were presented.

Analysis

HIPAA, Pub. L. 104-191 (1996) is a comprehensive enactment by the United States Congress concerning health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 1999), required the Secretary of Health & Human Services to promulgate a regulation governing at least: "(1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required". In accordance with the directive, the Secretary promulgated a final privacy regulation in 2002, 67 Fed. Reg. 53182 (August 14, 2002), and a security regulation this year. 68 Fed Reg. 8334 (February 20, 2003).

The HIPAA Privacy Regulation defines a covered entity, 45 C.F.R. § 160.103 (2002):

Covered entity means: (1) A health plan. . . . (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Health Plan is defined, id.:

Health plan includes the following, singly or in combination: . . . (ii) A health insurance issuer, as defined in this section. . . . .

Health Insurance Issuer is defined, id.:

Health insurance issuer . . . and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization . . . that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

Group Health Plan is defined, id.:

Group health plan . . . means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), including insured and self-insured plans, to the extent that the plan provides medical care . . . including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that: (1) Has 50 or more participants (as defined in section 3(7) of ERISA, or (2) Is administered by an entity other than the employer that established and maintains the plan.

Since an insurer may, under the policy or contract, or other agreement, administer the plan, the plan would be considered under the HIPAA Privacy Regulation to be a Group Health Plan. The provision in the HIPAA Regulation you cite, 45 C.F.R. § 164.504, that addresses Group Health Plans is subsection (f):

(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. (ii) The group health plan, or a health insurance issuer . . .with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of: (A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or (B) Modifying, amending, or terminating the group health plan. (iii) The group health plan, or a health insurance issuer . . .with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer . . . offered by the plan

Subdivisions (2) and (3) of subsection (f) establish requirements for plan documents and uses & disclosures.

Since the subject matter regulated by 45 C.F.R. § 164.504(f)(1) may be covered in a policy or contract issued by the insurer, in order for the policyholder to come into compliance with the HIPAA privacy requirements, amendment of such policy form may be required. Even if the policy or contract need not be amended, the insurer may still be required to take affirmative action to be in compliance with this provision.

As this Department instructed in Circular Letter No. 17 (October 3, 2002), it is the responsibility of the insurer to be in compliance with HIPAA privacy requirements. Accordingly, an insurer should conduct a review of all filed policies and contracts to ascertain which policy or contract provisions, if any, require modification. Questions concerning the specific requirements of the HIPAA Privacy Regulation should be addressed to the Office for Civil Rights of the Department of Health and Human Services.

As required by Title V of the Gramm-Leach Bliley Act, Pub. L. 106-102 (1999), 15 U.S.C. § 6801 et seq. (West 1999), this Department has promulgated a regulation relating to Privacy of Consumer Financial and Health Information. N.Y. Comp. Codes R & Regs. tit. 11, Part 420 (2001) (Regulation 169). While that Regulations has specific provisions regarding health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 through 420.20, compliance by a licensee with the HIPAA Privacy Regulation obviates the necessity to comply with Regulation 169. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21:

Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act . . . privacy rules and regulations as promulgated by the U.S. Department of Health and Human Services (the "federal rule") . . . if a licensee complies with all requirements of the federal rule, when promulgated . . . the licensee shall not be subject to any provisions of sections 420.17 through 420.20 of this Subpart.

A licensee is defined, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(p)(1):

‘Licensee’ means a person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; a health maintenance organization holding, or required to hold, a certificate of authority pursuant to Article 44 of the Public Health Law; . . . but shall not include a registered service contract provider, charitable annuity society, or a licensed viatical settlement company or viatical settlement broker.

Therefore, if an insurer complies with the HIPAA privacy requirements, that insurer does not have to comply with the requirements concerning health information in Regulation 169. Insurers, however, still remain subject to all other applicable provisions of Regulation 169.

For further information one may contact Principal Attorney Alan Rachlin at the New York City Office.