The Office of General Counsel issued the following informal opinion on June 4, 2001, representing the position of the New York State Insurance Department.

Re: Regulation 169- Privacy Notices

Questions Presented:

1. Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), if a licensee satisfies either a section 420.14 or 420.15 exception, is the licensee still required to send out the annual privacy notice pursuant to section 420.5?

2. Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), if a licensee satisfies either a section 420.14 or 420.15 exception, does the requirement of section 420.13(a)(1)(ii) apply?

3. Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), if a health plan discloses financial information (name, address, social security number) to its contracted providers, does this information fall under section 420.14(a)(1) or section 420.15(a)(1)?

Conclusions:

1. Yes.

2. No.

3. It could depending on the reasons for such disclosure.

Facts:

No additional facts relating to this inquiry were given.

Analysis:

Question No. 1:

Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), a licensee that satisfies either a section 420.14 or 420.15 exception, is still required to send out the annual privacy notice pursuant to section 420.5.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.14(a) (2000) states:

Exceptions for processing transactions at consumer’s request. The requirements for initial notice to the consumer in section 420.4(a)(2) of this Part, and the opt out provisions in sections 420.7 and 420.10 of this Part and their application to service providers and joint marketing as described in section 420.13 of this Part, do not apply if the licensee discloses nonpublic financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:

Servicing or processing an insurance product or service that a consumer requests or authorizes;

Maintaining or servicing the consumer’s account with the licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity;

A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

Reinsurance or stop loss or excess loss insurance; or

The solicitation of insurance quotes on behalf of a consumer by an insurance agent or broker.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.15(a) (2000) states in part:

Exceptions to opt out requirements. The requirements for initial notice to consumers in section 420.4(a)(2) of this Part, and the opt out provisions in sections 420.7 and 420.10 of this Part and their application to service providers and joint marketing in as described in section 420.13 of this Part, do not apply when a licensee discloses nonpublic personal financial information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction . . .

(2)(i) To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction;

To protect against or prevent actual or potential fraud or unauthorized transaction, claims, or other liabilities;

For required institutional risk control or for resolving consumer disputes or inquiries;

To persons holding a legal or beneficial interest relating to the consumer; or

To persons acting in a fiduciary or representative capacity on behalf of the consumer; . . .

Both sections 420.14 and 420.15 refer to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.4(a)(2) (2000), which describes the Regulation’s initial notice requirements for consumers.

In addition, both sections 420.14 and 420.15 refer to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.7 (2000), which describes the Regulation’s opt-out notice requirements for both consumers and customers.

However, sections 420.14 and 420.15 do not refer to N.Y. Comp. Codes R. & Regs. tit. 11, § § 420.4(a)(1) and 420.5 (2000), which requires that, "a licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. . ." Because sections 420.14 and 420.15 refer only to the requirements for the initial notice to consumers and the opt out notice, a licensee must still provide the initial notice to customers in accordance with section 420.4(a)(1) and the annual notice to customers in accordance with section 420.5.

Question No. 2:

Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), if a licensee satisfies either a section 420.14 or 420.15 exception, the requirement of section 420.13(a)(1)(ii) does not apply.

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.13(a) (2000) states that the opt out requirements in sections 420.7 and 420.10 do not apply for disclosure of nonpublic personal financial information to nonaffiliated third parties to perform services for the licensee or act on behalf of the licensee if the licensee:

(ii) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in section 420.14 or 420.15 of this Part in the ordinary course of business to carry out those purposes.

If an exception exists to the notice and opt out requirements under sections 420.14 and 420.15, the licensee may rely on that exception, and does not need to enter into a contractual agreement with the service provider or joint marketer that states that the third party is prohibited from disclosing or using the nonpublic personal information other than to carry out the purposes for which the licensee disclosed the information.

Question No. 3:

Under N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2000) (Regulation 169), if a health plan discloses financial information (name, address, social security number) to its contracted providers, this information may fall under section 420.14(a)(1) or section 420.15(a)(1). However, without knowing the reason for the disclosure of the financial information, we can not be certain that it falls under one of the exceptions as stated above.

For further information, you may contact Senior Attorney Meredith S. Kaufer at the New York City Office.