OGC Op. No. 04-10-12

The Office of General Counsel issued the following opinion on October 14, 2004 representing the position of the New York State Insurance Department.

Re: Healthcare Consulting, Licensing and Privacy Requirements

Questions Presented:

1) Will the provision of the consulting service contemplated by XYZ Co. require any additional licenses from the Insurance Department?

2) Will XYZ Co. have to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. 160.101, et seq. (2002)?

Conclusions:

1) Based upon representations made, XYZ Co. will not be required to obtain any additional licenses from the Insurance Department to provide the contemplated services, provided that it is compensated on a fee for service basis.

2) Since XYZ Co. is not a "covered entity", as that term is defined in the HIPAA Privacy Rule, 45 C.F.R. § 60.101, et seq. (2002), it would not have to comply with that Rule. In addition, since XYZ Co. would be acting outside the scope of its license it would not have to comply with N.Y. Comp. Codes R. & Regs. tit. 11, Part 420 (2001) (Regulation 169).

Facts:

XYZ Co., and a principal officer, are licensed as life insurance consultants in accordance with New York Insurance Law § 2107(a) (McKinney 2000). Such licensees may consult on annuities and accident & health insurance.

In addition to being a sublicensee of XYZ Co., the principal officer is an attorney admitted to practice in New York and registered as a physician’s assistant in accordance with New York Education Law § 6542 (McKinney 2001). By virtue of his education and training, as well as having worked in a library while a student, he believes that he is qualified to function with, and advise on, the various available data sources involving healthcare.

It is intended that XYZ Co. will engage in five activities: (1) patient complaint management, (2) resolution of insurance company denials and collection disputes, (3) profiling of health care providers, including physicians and hospitals, (4) providing patient care education and information, and (5) medical records review. It was inquired as to whether these activities will require additional licenses from the Insurance Department and whether the Privacy Rule promulgated in accordance with HIPAA would be applicable to XYZ Co.’s activities.

With respect to patient complaint management, XYZ Co. will contact the health care provider involved and attempt to resolve the complaint. If resolution of the complaint is not possible and XYZ Co. believes the individual health care provider has committed unprofessional conduct, as that term is defined in the New York Education Law (McKinney 2001 & 2004 Supplement), it will assist the patient in making a complaint with the appropriate disciplinary authorities. While legal advice may be given to clients, neither the principal officer nor XYZ Co. will evaluate complaints for possible referral to another attorney to institute a lawsuit for malpractice. In addition, XYZ Co. will counsel clients on organizing and coordinating their medical care. Clients will compensate XYZ Co. for patient complaint management by either a pre-paid fee or on a fee for service basis.

With respect to resolution of insurance company denials and collection disputes, XYZ Co. will attempt to secure a reversal of the insurance company denial. In this activity, XYZ Co. may function as an "insured’s designee" within the meaning of New York Insurance Law Article 49 (McKinney 2000) and New York Public Health Law Article 49 (McKinney 2002). If the matter cannot be resolved, XYZ Co. may represent the patient in any collection proceeding instituted by the health care provider or its assignee. Clients will compensate XYZ Co. for these services on a fee for service basis.

With respect to profiling of health care providers, XYZ Co. will search both public and private data bases and through its own expertise and that of other individuals affiliated with XYZ Co., will furnish a profile to a client. Clients will compensate XYZ Co. on a fee for service basis, with the charge depending upon the depth of the profile requested.

With respect to patient education and information, XYZ Co. will utilize its own expertise, including publications its principal officer has authored and seminars he has conducted, and that of other individuals affiliated with XYZ Co., to provide clients with authoritative information on their medical conditions. Clients will compensate XYZ Co. on a fee for service basis, with the charge depending upon the depth of the information required.

With respect to medical records review, XYZ Co. will review such records as are requested by clients who believe that they may have been the victim of negligent care. The reviews will utilize XYZ Co.’s own expertise and that of other individuals affiliated with XYZ Co.. Clients will compensate XYZ Co. on a fee for service basis, with the charge depending upon the depth of the record reviewed.

Analysis:

Necessity of an Insurance Department License

The Insurance Department cannot express any opinion as to whether the activities in which XYZ Co. or its principal officer will engage are within the scope of practice of either an attorney or a physician’s assistant. As to the scope of practice of insurance consultants, New York Insurance Law § 2102(b)(3) (McKinney 2000 and 2004 Supplement) provides:

Unless licensed as an . . . insurance consultant with respect to the relevant kinds of insurance, no person, firm, association or corporation shall receive any money, fee, commission or thing of value for examining, appraising, reviewing or evaluating any insurance policy, annuity or pension contract, plan or program or shall make recommendations or give advice with regard to any of the above.

The activities in which XYZ Co. intends to engage would not be within the scope of its license as an insurance consultant.

Among the lines of insurance permitted in New York is "legal services insurance." New York Insurance Law § 1113(a)(29) (McKinney 2000 and 2004 Supplement):

‘Legal services insurance’ means insurance providing legal services or reimbursement of the cost of legal services.

Doing an insurance business is defined in New York Insurance Law § 1101(a) (McKinney 2000 and 2004 Supplement):

(1) ‘Insurance contract’ means any agreement or other transaction whereby one party, the ‘insurer’, is obligated to confer benefit of pecuniary value upon another party, the ‘insured’ or ‘beneficiary’, dependent upon the happening of a fortuitous event in which the insured or beneficiary has, or is expected to have at the time of such happening, a material interest which will be adversely affected by the happening of such event

(2) ‘Fortuitous event’ means any occurrence or failure to occur which is, or is assumed by the parties to be, to a substantial extent beyond the control of either party.

In accordance with New York Insurance Law § 1102 (McKinney 2000 & 2004 Supplement), one may not engage in the insurance business without either a license from the Insurance Department or an exemption from the requirement of a license.

If XYZ Co. were to be compensated by its clients for patient complaint management, as the activity was described, on the basis of a pre-paid fee, based upon the regulation of the practice of law in New York Judiciary Law Article 15 (McKinney 1983 & 2004 Supplement), it would be doing the business of legal services insurance. However, the Insurance Department has opined that a party may agree to provide goods or services dependent upon fortuitous events for a fee for service, so long as the fee covers the cost of rendition of the goods or service (e.g. cost of labor, material, and reasonable overhead expenses). Accordingly, under such circumstances, the provision of services by XYZ Co. on a fee for services basis would not constitute the doing of an insurance business.

New York Insurance Law §§ 4904(a) (McKinney 2000) & New York Public Health Law § 4904(1) (McKinney 2002) and New York Insurance Law §§ 4910(b) (McKinney 2000) & New York Public Health Law § 4910(2) (McKinney 2002) establish rights of internal and external review respectively and permit such review to be requested by designees of the patient. The term "designee" is not defined in the statutes. It is the Insurance Department’s belief that no registration with either Department is required provided the authority to act as a designee is clearly conferred.

Privacy Requirements

HIPAA, Pub. L. No. 104-191 (1996), is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with privacy of protected health information. The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information. Protected health information is defined in the HIPAA Privacy Regulation, 45 C.F.R. § 160.103 (2003):

Protected health information means individually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media . . . or (iii) Transmitted or maintained in any other form or medium.

Health information is defined, 45 C.F.R. § 160.103:

Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, . . . or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

Health care providers, health plans, and health care clearinghouses, as defined in the HIPAA Privacy Rule, 45 C.F.R. § 160.103, are "covered entities" within the meaning of the HIPAA Privacy Rule. Since neither XYZ Co. nor its principal officer are health care providers, health plans or health clearinghouses, and thus not covered entities, the HIPAA Privacy Rule would not be applicable.

In addition, New York Public Health Law § 18 (McKinney 2002) regulates access to health information.

Further, as required by Title V of the Gramm-Leach Bliley Act, 15 U.S.C. § 6801 et seq. (West 1999), this Department has promulgated a regulation relating to Privacy of Consumer Financial and Health Information. N.Y. Comp. Codes R & Regs. tit. 11, Part 420 Regulation 169. A licensee is defined in Regulation 169. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(p)(1) (2001) provides: "‘Licensee’ means a person licensed . . . pursuant to the Insurance Law of this State . . . ."

While, as an insurance consultant, XYZ Co. is a licensee within the meaning of Regulation 169, it is the position of the Insurance Department that a licensee acting outside the scope of its license is not subject to Regulation 169.

The submission did not indicate exactly what information XYZ Co. will receive, what authorizations will be received from clients, and how the health information will be utilized. If, after review of the statute, there are any questions concerning the application of Public Health Law ¶ 18, they should be addressed to:

Division of Legal Affairs
Department of Health
Tower Building
Empire State Plaza
Albany, NY 12237

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.