The Office of General Counsel issued the following opinion on May 7, 2003, representing the position of the New York State Insurance Department.

Re: Health Insurance Portability and Accountability Act (HIPAA); Privacy Regulation


Must an authorization which is developed to comply with the HIPAA Privacy Regulation, 45 C.F.R. § 160.101 et seq. (2003), and is not part of any other document, be submitted to this Department for approval under New York Insurance Law § 3201 (McKinney 2000 and Supp. 2003)?


No, such a document is not subject to approval by this Department.


Since this was a general question, no facts were furnished.


Utica National is a domestic insurer licensed to transact both a life insurance and health insurance business. HIPAA, Pub. L. 104-191 (1996), is a comprehensive enactment regarding health insurance. Section 264 of HIPAA, codified as a note to 42 U.S.C.A. § 1320-d (West Supp. 2002), required the Secretary of Health and Human Services to promulgate a regulation governing the treatment of health information.

The HIPAA Privacy Regulation (Regulation), as promulgated, imposes requirements on covered entities with respect to protected health information. Covered entities are defined, 45 C.F.R. § 160.103 (2003), as, inter alia, health plans, which term includes insurance companies issuing health insurance policies. Protected health information is defined, 45 C.F.R. § 160.103, as individually identifiable health information.

Generally, in the absence of an authorization, protected health information may not be disclosed. 45 C.F.R. § 164.502(a) (2003). The Regulation, 45 C.F.R. § 508(c), specifies what an authorization must contain. In accordance with 45 C.F.R. § 164.508(b)(4)(ii)(A), a health insurer may condition issuance of a policy upon execution of an authorization by an applicant.

New York Insurance Law § 3201 provides, in pertinent part:

(a) In this article, ‘policy form’ means any policy, contract, certificate, or evidence of insurance and any application therefor . . . .

(b) (1) No policy form shall be delivered or issued for delivery in this state unless it has been filed with and approved by the superintendent as conforming to the requirements of this chapter and not inconsistent with law . . . .

An authorization that is developed to comply with the Regulation is not a policy form subject to approval pursuant to New York Insurance Law § 3201(b)(1). However, an authorization contained in the policy application, which is clearly a policy form within the meaning of New York Insurance Law § 3201, would be subject to prior approval under that statute.

Of course, any underwriting of health insurance must comply with the strictures of New York Insurance Law § 3231 (McKinney 2000 and Supp. 2003), which prohibits the underwriting of individual and small group health insurance.

Further questions concerning the HIPAA Privacy Regulation should be addressed to:

Office for Civil Rights
United States Department of Health & Human Services
26 Federal Plaza
New York, NY 10278.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.