The Office of General Counsel issued the following opinion on December 3, 2003, representing the position of the New York State Insurance Department.

Re: Income Insurance, Privacy Considerations

Questions Presented:

1. Is the Employee Retirement Income Security Act (ERISA) implicated in the captioned subject?

2. Is the insured required to execute the authorization as provided by the insurer?

3. Does the authorization in question authorize the insurer to re-disclose the information provided?

4. Could the authorization be used to secure information from the Social Security Administration (SSA)?

Conclusions:

1. Privacy is not an area that is specifically covered by ERISA.

2. If the insured does not execute the authorization as submitted, the insurer may validly refuse to continue to pay benefits.

3. The authorization in question has the insured acknowledge the possibility that information may be re-disclosed, but does not authorize such re-disclosure.

4. The authorization could be used to secure information from the SSA.

Facts:

An insured inquired about the ramifications of a document sent to her by the insurer that is paying her benefits under a disability income policy. The policy provides that she will receive specified benefits with the insurer taking credit for amounts payable to her by the SSA because of her disability. The Authorization sent to her by the insurer provides:

I authorize any health care provider; . . . health plan; rehabilitation professional; vocational evaluator; insurance company; reinsurer; insurance provider; third party administrator; producer; the Medical Information Bureau; Association of Life Insurance Companies; . . . government organization; and employer that has information about my health, financial or credit history, earnings, employment history, or other insurance claims and benefits to disclose any and all of this information to persons who administer claims for [Insurer]. Information about my health may relate to any disorder of the immune system including, but not limited to, HIV and AIDS; use of drugs and alcohol; and mental and physical history, condition, advice or treatment, but does not include psychotherapy notes.

I understand that any information [Insurer] obtains pursuant to this authorization will be used for evaluating and administering my claims for benefits, which may include assisting me to return to work. I further understand that the information is subject to re-disclosure and might not be protected by certain federal regulations governing the privacy of health information.

This authorization is valid for two (2) years from the date below, or the duration of my claim, whichever period is shorter . . . .

. . . .

I understand that if I do not sign this authorization or if I alter its content in any way, [Insurer] may not be able to evaluate or administer my claims and this may be the basis for denying my claims.

Analysis:

ERISA defines an employee welfare benefit plan, 29 U.S.C.A. § 1002(1) (West 1999),:

The terms ‘employee welfare benefit plan’ . . . mean any plan, fund, or program which was heretofore or is hereafter established or maintained by an employer or by an employee organization, or by both, to the extent that such plan, fund, or program was established or is maintained for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise . . . benefits in the event of sickness, accident, disability . . . .

If the disability benefits are being provided to the insured under an individual policy of insurance that is not connected with the insured’s employment, ERISA is not implicated. If, however, the benefits are being provided under a policy of insurance issued to or through the insured’s former employment, or through her husband’s employment, it would constitute an employee welfare benefit plan within the terms of ERISA.

While the United States Department of Labor has promulgated a regulation governing handling of claims involving employee welfare benefit plans, 29 C.F.R. 2560.503-1 (2000), there is nothing in that regulation dealing with the issues raised by the insured. Accordingly, ERISA is not implicated in the captioned area.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress as Pub. L. No. 104-191 (1996) and is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with privacy of protected health information. The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information. The HIPAA Privacy Regulation is limited to regulation of protected health information in the custody of "covered entities."

"Individually identifiable health information" is defined, 45 C.F.R. § 160.103 (2003):

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, . . . or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

"Protected health information" is defined, 45 C.F.R. § 160.103:

Protected health information means individually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. . . .

"Covered entity" is defined, 45 C.F.R. § 160.103:

Covered entity means: (1) A health plan. . . . (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

A "health plan" is defined, 45 C.F.R. § 160.103:

Health plan means an individual or group plan that provides, or pays the cost of, medical care . . . . (1) Health plan includes the following, singly or in combination: . . . (ii) A health insurance issuer, as defined in this section . . . .

A health insurance issuer is defined, 45 C.F.R. § 160.103:

Health insurance issuer . . . means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. . . .

The insurer is licensed to transact in New York the business of accident & health insurance, as that term is defined in New York Insurance Law § 1113(a)(3) McKinney 2000), and issues insurance policies covering the costs of medical care. Therefore, unless the insurer has opted to be treated as a hybrid entity, in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(C) (2003) and makes only part of its insurance operations subject to the HIPAA Privacy Regulation, all of its insurance operations, including investigation of disability income policy claims, are subject to the HIPAA Privacy Regulation. A hybrid entity is defined, 45 C.F.R. § 160.103:

Hybrid entity means a single legal entity: (1) That is a covered entity; (2) Whose business activities include both covered and non-covered functions; and (3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(C).

The general rule of the HIPAA Privacy Regulation with regard to release of protected health information by covered entities, which, in addition to the insurer, would include those health care providers treating the insured, is set forth in 45 C.F.R. § 164.502(a) (2003):

Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter [electronic security standards]. (1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: . . . (iv) Pursuant to and in compliance with a valid authorization under § 164.508 . . . .

The HIPAA Privacy Regulation further provides, 45 C.F.R. § 164.508(a)(1) (2003):

Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

Accordingly, although the insurer itself may be a covered entity, it could not properly secure protected health information from another covered entity, the health care provider, without a valid authorization. The restrictions on an insurer conditioning an authorization are set forth by 45 C.F.R. § 164.508(b)(4):

Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of . . . eligibility for benefits on the provision of an authorization, except: . . . (ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if: (A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and (B) The authorization is not for a use or disclosure of psychotherapy notes . . . .

The insurer is probably entitled under the provisions of the insurance policy to periodically secure information relating to continuation of the disability and it is probable that the insurance policy contains a provision requiring the insured to cooperate with the insurer in the securing of such information. Therefore, assuming that the policy includes such provisions, the authorization correctly informs the insured that failure to execute the authorization may, because of an inability to verify continuing disability, result in a denial of future benefits.

The required contents of an authorization are set forth in 45 C.F.R. 164.508(c):

(1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. . . . (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . . (vi) Signature of the individual and date. . . .

(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: . . . (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: (A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization. (iii) The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart.

If the insurer has not opted to be treated as a hybrid entity for its disability income operations, it is required with respect to protected health information, 45 C.F.R. § 164.508(c)(2)(iii), to inform the subject of the protected health information of the possibility of re-disclosure of protected health information. If the insurer has opted to be treated as a hybrid entity, as detailed below it may have opted to comply with the HIPAA Privacy Regulation in lieu of compliance with New York’s Regulation 169, N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001).

While the second sentence of the second paragraph in the authorization is ambiguous and could be construed, as it is by the insured, to authorize re-disclosure, such an interpretation would render the authorization violative of the HIPAA Regulation, since 45 C.F.R. § 164.508(c)(1)(iii) requires a description of others to whom re-disclosure may be made. In view of the fact that such information is not present, the clause in the authorization in question should not be construed as authorizing such re-disclosure or as indicating that the insurer will re-disclose the information.

Even if the insurer is not a covered entity under HIPAA with respect to its disability income operations, its use of the protected health information it secures in accordance with the authorization may be limited by Regulation 169, regarding privacy of consumer financial and health information promulgated by the Department.

The insurer is a licensee, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(p) (2001), within the meaning of Regulation 169. Regulation 169 includes protections for protected health information. N.Y. Comp. Codes R. & Regs. tit. 11, §420.17 (2001) provides:

(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, . . . any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services;. . . and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the superintendent to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

Since Regulation 169, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.18(b) (2001), puts an outside limit of two years on effectiveness of the authorization, the authorization in question would meet that test.

The relationship of Regulation 169 to the HIPAA Privacy Regulation is set forth in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21 (2001):

Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act (PL 104-191) privacy rules and regulations as promulgated by the U.S. Department of Health and Human Services (the "federal rule") pursuant to Sections 262 and 264 of such Act, if a licensee complies with all requirements of the federal rule, when promulgated, except for its effective date provision, the licensee shall not be subject to any provisions of sections 420.17 through 420.20 of this Subpart.

Accordingly, even if the insurer is not a covered entity under the HIPAA Privacy Regulation with respect to its disability income operations and does not voluntarily opt to comply with its strictures, its use of protected health information is limited by Regulation 169.

Further questions about the applicability of the HIPAA Privacy Regulation to the insured’s disability income benefits should be addressed to:

Office for Civil Rights
United States Department of Health & Human Services
26 Federal Plaza
New York, NY 10278
(212) 264-3313.

The use of Social Security Information is governed by 42 U.S.C.A. § 405 (West 2003), which authorizes the Secretary of HHS to promulgate regulations governing, among other areas, privacy of social security information. In accordance with this authorization, the Secretary of HHS has promulgated a regulation 20 C.F.R. § 401.100 et seq. (1997). The regulation provides general principles for release of information in possession of the SSA, 20 C.F.R. § 401.140 (1997):

When no law specifically requiring or prohibiting disclosure applies to a question of whether to disclose information, we follow FOIA [Freedom of Information Act] principles to resolve that question. We do this to insure uniform treatment in all situations. The FOIA principle which most often applies to SSA disclosure questions is whether the disclosure would result in a "clearly unwarranted invasion of personal privacy." To decide whether a disclosure would be a clearly unwarranted invasion of personal privacy we consider- (a) The sensitivity of the information (e.g., whether individuals would suffer harm or embarrassment as a result of the disclosure); . . . (c) The rights and expectations of individuals to have their personal information kept confidential; . . . and (e) The existence of safeguards against unauthorized re-disclosure or use.

The standards for protection against re-disclosure are set forth in 20 C.F.R. § 401.145(a) (1997):

The FOIA does not authorize us to impose any restrictions on how information is used after we disclose it under that law. In applying FOIA principles, we consider whether the information will be adequately safeguarded against improper use or re-disclosure. We must consider all the ways in which the recipient might use the information and how likely the recipient is to re-disclose the information to other parties. Thus, before we disclose personal information we may consider such factors as- (1) Whether only those individuals who have a need to know the information will obtain it; (2) Whether appropriate measures to safeguard the information to avoid unwarranted use or misuse will be taken; and (3) Whether we would be permitted to conduct on-site inspections to see whether the safeguards are being met.

The standards for disclosure by consent are set forth in 20 C.F.R. § 401.100(a) (1997):

Except as permitted by the Privacy Act and the regulations in this chapter, or if required by the FOIA, we will not disclose your record without your written consent. The consent must specify the . . . organizational unit or class of . . . organizational units to whom the record may be disclosed, which record may be disclosed and, where applicable, during which time frame the record may be disclosed . . . . We will not honor a blanket consent to disclose all your records to unspecified individuals or organizational units. We will verify your identity and, where applicable . . . the identity of the individual to whom the record is to be disclosed.

Although the SSA is specifically excluded from the definition of covered entity under the HIPAA Privacy Regulation, 45 C.F.R. § 160.103, protected health information in the possession of the SSA is covered by the above-cited provisions. The authorization provided would appear to meet the standards of the SSA. Further questions concerning disclosure of social security information may be addressed to either the local SSA office or:

Office of Public Disclosure
Social Security Information
3-A-6 Operations Building
6401 Security Boulevard
Baltimore, MD 21235.

The Department believes that information that the insurer may receive from the SSA, other than protected health information, would constitute non-public personal financial information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(s), and that the insurer could not further disclose such information unless the insured had been informed of the scope of the possible re-disclosure and had not opted to prohibit the disclosure. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.10 (2001).

For the reasons given above, the Department believes, subject to a contrary determination by the appropriate Federal authority, that the insurer is within its rights in insisting that the authorization, as presented, be executed.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.