The Office of General Counsel issued the following opinion on April 30, 2003, representing the position of the New York State Insurance Department.

Re: Health Insurance Portability and Accountability Act (HIPAA), Privacy


Is a health insurer acting properly in its privacy practices?


A health insurer’s privacy practices are subject to the HIPAA Privacy Regulation, which has been promulgated by the United States Department of Health and Human Services.


The inquirer retired from service as an employee of the City of New York, is a beneficiary under the Medicare program, for which the health insurer is a fiscal intermediary, and is insured for dental benefits under a contract issued by the health insurer. The inquirer recently received a Notice from the health insurer concerning its privacy practices and questions whether the health insurer is acting properly.


HIPAA, Pub. L. No. 104-191 (1996), is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with privacy of protected health information.

The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information and requires, 45 C.F.R. § 164.520 (2003), covered entities, which include health insurers such as the health insurer, to furnish insureds, by April 14, 2003, with a notice of their privacy practices. The inquirer is advised to direct any questions or concerns with the health insurer’s privacy practices to the health insurer.

Questions may also be addressed to:

Office for Civil Rights
United States Department of Health & Human Services
26 Federal Plaza
New York, NY 10278.

This Department has promulgated a Regulation, N.Y. Comp. Codes R. & Regs. tit. 11, Article 420 (2002) (Regulation 169), dealing with Privacy of Consumer Financial and Health Information. While Regulation 169 does set forth standards for privacy of individually identifiable health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21 (2002) provides that, if a licensee is in compliance with the HIPAA Privacy Regulation, the licensee is not subject to those portions of Regulation 169 dealing with health information. If the United States Department of Health & Human Services indicates that the HIPAA Privacy Regulation does not deal with areas the inquirer is concerned about, the inquirer may contact this Department’s Consumer Services Bureau.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.