The Office of General Counsel issued the following informal opinion on March 26, 2002, representing the position of the New York State Insurance Department.

Re: Compliance with Privacy Regulations 169 and 173

Questions Presented:

1) Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.4(a) (2001) (Reg. 169), must an independent adjuster for an authorized insurance company provide a copy of its privacy policies and practices regarding nonpublic personal financial information to customers or consumers?

2) Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(e) (2001) (Reg. 169), what notice requirements are imposed on a licensee with regard to third party participants’ or beneficiaries’ nonpublic personal financial information?

3) Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17 (2001) (Reg. 169), what restrictions are imposed on a licensee regarding nonpublic personal health information?

4) Must an independent adjuster prepare a written security program pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 421 (2001) (Reg. 173) if such a plan was prepared by the licensee for which it adjusts claims?

Conclusions:

1) No, provided that the requirements of N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(p)(2) (2001) (Reg. 169) are met.

2) The notification requirements are contained in N.Y. Comp. Codes R. & Regs. tit. 11

§ 420.3(e)(2)(v) (2001) (Reg. 169).

3) The requirements for disclosure of nonpublic health information are contained in N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17 (2001) (Reg. 169).

4) Yes, each separate licensee must prepare its own written information security program pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 421(2001) (Reg. 173).

Facts:

The inquirer described a situation in which two property/casualty claims adjusting companies that, pursuant to a 50%-50% split stock arrangement, are wholly owned by two insurers licensed to write property/casualty insurance. All of these companies are part of a holding company that is itself not licensed. The inquirer stated that the adjusting companies are licensed as "TPAs." The inquirer wanted to know the responsibilities of "TPAs" in various scenarios arising from this arrangement.

Analysis:

In New York State, there are no statutorily defined "TPAs," and there is no licensing of these entities as such. To determine what licensing is required, there needs to be an analysis of the person’s or entity’s activities. In this case, the inquirer describe a company that adjusts claims on behalf of insurers. N.Y. Ins. Law § 2101(g) (McKinney 2000) defines such entities as "independent adjusters." For purposes of answering the inquirer’s questions, it is assumed that the two adjusting companies are licensed as independent adjusters, and that the individual independent adjusters are themselves licensed. The responsibilities of the independent adjusters pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420 (2001) (Reg. 169) and N.Y. Comp. Codes R. & Regs. tit. 11 § 421 (2001) (Reg. 173) are discussed below.

1. Exemption for Independent Adjusters from Providing Personal Financial Information Privacy Notifications

The following analysis detailing the exemption for independent adjusters from sending privacy notices, only applies to nonpublic personal financial information. N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3 (2001) (Reg. 169) defines "nonpublic personal financial information" as follows.

(s)(1) "Nonpublic personal financial information" means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information other than publicly available information.

(2) Nonpublic personal financial information does not include:

(i) Health information;

(ii) Publicly available information, except as included on a list described in subparagraph (ii) of paragraph (1) of this subdivision; or

(iii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information other than publicly available information.

. . . .

Licensees are required to provide privacy notices to their consumers and customers. N.Y. Comp. Codes R. & Regs. tit. 11 §§ 420.4 to 420.9 (2001) (Reg. 169). However, there are exceptions to the general rule.

Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(p)(2) (2001) (Reg. 169), an independent adjuster, adjusting a claim or benefit on behalf of an authorized insurer, is exempt from providing privacy notices if the insurer provides the required notices and there is no disclosure of nonpublic personal information, except for disclosures authorized by N.Y. Comp. Codes R. & Regs. tit. 11 §§ 420.13 to 420.15 (2001) (Reg. 169). N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(p) (2001) (Reg. 169) states in the relevant parts:

(p)(1) "Licensee" means a person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; . . .

(2)(i) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information set forth in sections 420.4 through 420.9 of this Part if the licensee is an employee, agent, sublicensee, or other representative of another licensee ("the principal") and:

(a) The principal otherwise complies with, and provides the notices required by, the provisions of this Part; and

(b) The licensee does not disclose any nonpublic personal information of a consumer or customer to any person other than the principal from or through which such consumer or customer seeks to obtain or has obtained a product or service, or its affiliates in a manner permitted by this Part.

(ii) Examples of employee, agent or other representative of a principal:

. . . .

(b) An independent adjuster adjusting a claim on behalf of an insurer;

. . . .

2. Third Party Participants or Beneficiaries

In a situation where the licensee has, pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(e)(2)(v) (2001) (Reg. 169), issued notice to a plan sponsor, workers’ compensation plan participant, group or blanket insurance policyholder or group annuity contractholder, and there is no disclosure of nonpublic personal financial information about individual participants or beneficiaries of such plans to nonaffiliated third parties other than what is authorized by N.Y. Comp. Codes R. & Regs. tit. 11 §§ 420.13 to 420.15 (2001) (Reg. 169), then the requirement for privacy notification pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.4(a) (2001) (Reg. 169) does not apply to participants or beneficiaries of such plans, and licensees need not send these individuals privacy notices. However, such individuals would have to be notified if there is disclosure of nonpublic personal financial information about these individual participants or beneficiaries to nonaffiliated third parties, and such disclosure is not authorized by N.Y. Comp. Codes R. & Regs. tit. 11 §§ 420.13 to 420.15 (2001) (Reg. 169).

As discussed above in Section 1, in the case of an independent adjuster, if the principal, (the insurer), complies with all notice requirements, and there is no disclosure of nonpublic personal information, except for disclosures authorized by N.Y. Comp. Codes R. & Regs. tit. 11 §§ 420.13 to 420.15 (2001) (Reg. 169), independent adjusters are exempt from sending privacy notices regarding nonpublic personal financial information pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(p)(2) (2001) (Reg. 169). Thus, such independent adjuster would be exempt from sending notices to plan sponsors, workers’ compensation plan participants, group or blanket insurance policyholders or group annuity contractholders, regarding nonpublic personal financial information, and also, as discussed in the preceding paragraph, to the individual beneficiaries or participants.

3. Disclosure of Personal Health Information

The regulations protecting "nonpublic personal health information" differ substantially from provisions regarding nonpublic personal financial information. N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3 (2001) (Reg. 169) defines "nonpublic personal health information" as follows.

(t) "Nonpublic personal health information" means health information:

(1) That identifies an individual who is the subject of the information; or

(2) With respect to which is a reasonable basis to believe that the information could be used to identify an individual.

With respect to nonpublic personal health information, N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17(a) (2001) (Reg. 169) states in the relevant part: "[a] licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the customer or consumer whose nonpublic personal health information is sought to be disclosed." Absent an exemption pursuant to N.Y. Comp. Codes R. & Regs. tit. 11 § 420.17(b) (2001) (Reg. 169), authorization must be obtained from either the consumer or customer before any nonpublic personal health information about such customer or consumer can be disclosed.

4. Regulation 173

N.Y. Comp. Codes R. & Regs. tit. 11 § 421.2 (2001) (Reg. 173) requires all licensees, as defined in N.Y. Comp. Codes R. & Regs. tit. 11 § 420.3(p)(1) (2001), including independent adjusters, to implement a comprehensive written information security program for the protection of customer information. The limited exceptions to this general rule are listed in N.Y. Comp. Codes R. & Regs. tit. 11 § 421.1(d) (2001) (Reg. 173).

Regulation 173 requires each separate licensee to assess its own risks, and establish a detailed plan to manage and control such risks. Because each licensee’s situation is unique, each licensee must have its own plan that reflects the individuality of issues that must be addressed by the licensee. The licensees, in this case, the independent adjusters, can adopt and implement the carrier’s plan provided that it is appropriate to its own business.

For further information you may contact Senior Attorney Susan A. Dess at the New York City Office.