The Office of General Counsel issued the following opinion on March 6, 2003, representing the position of the New York State Insurance Department.

Re: Health Insurance Portability and Accountability Act (HIPAA).

Question Presented:

Is ABC Corp. subject to the requirements of HIPAA?

Conclusion:

Yes, it appears that ABC Corp. is subject to the requirements of HIPAA.

Facts:

Since this is a general inquiry, no facts were provided.

Analysis:

ABC Corp. is a corporation licensed by this Department pursuant to New York Insurance Law § 4302(c) (McKinney 2000):

Notwithstanding the other provisions of this article, the superintendent may issue a permit to organize and a license to do business to a not-for-profit corporation organized and operated under the supervision of the New York State Public High School Athletic Association, unrestricted as to its territorial operations in this state, for the sole purpose, however, of furnishing medical, dental and hospital expense indemnity to bona fide students in elementary and high schools injured (i) in intramural and interscholastic athletic games and sports activities, (ii) while engaged in preparation for such games, sports or contests, (iii) in physical education classes, and (iv) in any other accidents which in the judgment of the superintendent should be included. The dental indemnity is to apply, however, only in case of dental expense caused by injury occurring as above set forth.

HIPAA, Pub. L. 104-191 ( 1996), is a comprehensive enactment by the United States Congress concerning health care and imposes substantive requirements on, inter alia, insurers. The New York Insurance Law (McKinney 2000 and 2003 Supplement) was substantially amended to bring it into compliance with HIPAA.

HIPAA is composed of a number of Titles, each of which may impose administrative requirements on an insurer. There is, contrary to what the inquirer may have been informed, nothing generally in HIPAA that makes direct billing for either Medicare, 29 U.S.C.A. § 1395 et seq. (West 1982 and 2003 Supplement) or Medicaid, 42 U.S.C.A. § 1396 et seq. (West 1982 and 2003 Supplement) a condition precedent to compliance with HIPAA’s requirements, although some portions of HIPAA are specifically concerned with Medicare and Medicaid. Since the inquirer did not specify which portion of HIPAA generated his inquiry, we have concentrated on its privacy requirements, which are those HIPAA provisions that generate the most questions to this Department.

Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 1999), required the imposition of requirements governing at least: "(1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required". That section further provided:

(1) In general.- If legislation governing standards with respect to the privacy of individually identifiable health information . . . is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least the subjects described in subsection (b).

(2) Preemption.- A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.

In December 2000, the Secretary of Health & Human Services promulgated a privacy regulation, which was subsequently modified. A final regulation was promulgated in 2002. 67 Fed. Reg. 53182 (August 14, 2002). The regulation, 45 C.F.R. § 160.103, defines a covered entity:

Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

A health plan is defined:

Health plan includes the following, singly or in combination: . . . (ii) A health insurance issuer, as defined in this section. (iii) An HMO, as defined in this section. . . .

Health insurance issuer is defined:

Health insurance issuer . . . means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

Since ABC Corp. is licensed by this Department pursuant to New York Insurance Law § 4302(c), it is a health insurance issuer, and thus a covered entity, within the terms of the HIPAA Privacy Regulation.

As required by Title V of the Gramm-Leach Bliley Act, Pub. L. 106-102 (1999), 15 U.S.C. § 6801 et seq. (West 1999), this Department has promulgated a regulation relating to Privacy of Consumer Financial and Health Information. N.Y. Comp. Codes R & Regs. tit. 11, Part 420 (2001) (Regulation 169). While that Regulations has specific provisions regarding health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 through 420.20, compliance by a licensee with the HIPAA Privacy Regulation obviates the necessity to comply with Regulation 169. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21:

Irrespective of whether a licensee is subject to the federal Health Insurance Portability and Accountability Act . . . privacy rules and regulations as promulgated by the U.S. Department of Health and Human Services (the "federal rule") . . . if a licensee complies with all requirements of the federal rule, when promulgated . . . the licensee shall not be subject to any provisions of sections 420.17 through 420.20 of this Subpart.

A licensee is defined, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(p)(1):

‘Licensee’ means a person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State; a health maintenance organization holding, or required to hold, a certificate of authority pursuant to Article 44 of the Public Health Law; . . . but shall not include a registered service contract provider, charitable annuity society, or a licensed viatical settlement company or viatical settlement broker.

Accordingly, if ABC Corp. complies with the HIPAA privacy requirements, ABC Corp. does not have to comply with the requirements concerning health information in Regulation 169. ABC Corp. still remains subject to all other applicable provisions of Regulation 169.

The inquirer was directed to contact the United States Department of Health & Human Services for questions concerning HIPAA and its regulations, including the privacy requirements.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.