The Office of General Counsel issued the following opinion on March 4, 2002, representing the position of the New York State Insurance Department.

Re: Disclosure of Nonpublic Personal Health Information and Regulation 169.

Questions Presented:

1. Does the term "nonpublic personal health information", as defined by N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(n) (2001), include member information, such as name, date of birth, and social security number, that identifies the individual who is the subject of the health information?

2. Does giving documents containing nonpublic personal information to a shredding company for shredding constitute a disclosure under Regulation 169?

3. Does giving documents containing nonpublic personal information to an off-site storage company for storage constitute a disclosure under Regulation 169?

4. Does permitting the landlord’s security and custodial personnel access to offices containing nonpublic personal information constitute a disclosure under Regulation 169?

5. Is a disclosure of nonpublic personal health information made to administer benefits permitted by N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001)?

6. Pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001), may a health plan release nonpublic personal health information to a non-participating provider to whom it refers its members?

7. Do service provider agreements entered into between July 2, 2000 and July 1, 2001 satisfy the grandfathering requirements of N.Y. Comp. Codes R. & Regs. tit. 11, § 420.24 (2001)?

8. How does the "opt-in" provision in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) apply to the Child Health Plus program where each child is a contract holder?

Conclusions:

1. Where the identifying information appears on a record that comes within the definition of "health information", as that term is defined by N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2001), it should be treated as "nonpublic personal health information".

2. Providing records containing nonpublic personal information to a company for shredding would not constitute a disclosure under Regulation 169.

3. Providing records containing nonpublic personal information to a company for off-site storage would not constitute a disclosure under Regulation 169.

4. Permitting a landlord’s security and custodial personnel access to offices containing nonpublic personal information would not constitute a disclosure under Regulation 169.

5. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) contains exceptions for activities that are part of benefit administration.

6. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) contains an exception for "disclosure that is required . . . (to) provid(e) a product or service that a consumer requests or authorizes."

7. No. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.24(c) (2001).

8. There must be a separate "opt-in" or "opt-out" choice for each contract holder in the Child Health Plus program.

Facts:

No facts were provided. The inquiry was general in nature.

Analysis:

Question 1:

The term "health information" is defined in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(n) (2001) as meaning:

(A)ny information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer that relates to:

(1) The past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family;

(2) The provision of health care to any individual; or

(3) Payment for the provision of health care to any individual.

The term "nonpublic personal health information" is defined in N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3(t) (2001) as meaning health information:

(1) That identifies an individual who is the subject of the information; or

(2) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

In accordance with the above, if the identifying information is part of a record that comes under the definition of "health information", it should be treated as "nonpublic personal health information" for the purpose of applying Regulation 169 to its disclosure.

Questions 2, 3, and 4:

A disclosure under Regulation 169 implies a release of the information for its content, not for shredding or storage. Similarly, allowing custodial staff access to a room that contains these records would not implicate this regulation. However, N.Y. Comp. Codes R. & Regs. tit. 11, § 421.0-421.10 (Reg. 173), Standards for Safeguarding Customer Information, has recently been adopted. It requires licensees to develop and implement a comprehensive information security program. These are the types of transactions and situations that should be addressed by the licensee’s program.

Question 5:

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2001) prohibits the disclosure of nonpublic personal health information about a customer or a consumer unless an authorization is obtained from the consumer or customer. N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) enumerates certain insurance functions that may require disclosure of nonpublic personal health information. A licensee may perform these insurance functions without obtaining authorization from a consumer or customer. Included in the list are various functions that would appear to be included in benefit administration, such as claims administration and claims adjustment and management. The particular activity involved in benefit administration should be analyzed to determine whether it comes within the specific language of this subsection.

Question 6:

A health plan may release nonpublic personal health information to a non-participating provider to whom it refers its members. This activity would fall under N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(b) (2001) as a "providing a

Question 7:

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.24(c) (2001) provides for a two-year grandfathering of service agreements. It provides:

Until July 1, 2002, a contract that a licensee has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf satisfies the provisions of section 420.13(a)(2) of this Part even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the licensee entered into the agreement on or before July 1, 2000.

In accordance with this provision, a service provider agreement entered into between July 2, 2000 and July 1, 2001 would not satisfy the grandfathering requirements of N.Y. Comp. Codes R. & Regs. tit. 11, § 420.24 (2001).

Question 8:

N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2001) provides:

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

The inquirer stated that under Child Health Care Plus, each child is a contract holder. Thus, in accordance with N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17(a) (2001), the "opt-in" requirement would apply to each child and the licensee would have to give the parent or guardian the opportunity to choose whether to opt-in for each child. There is nothing in the statute that would justify one "opt-in" covering all the children under the parent or guardian’s care.1 However, it would be acceptable for one opt-in authorization to be sent to the parent or guardian, provided that each child/contract holder was listed separately, giving the parent or guardian a separate choice for each child/contract holder.

The two additional questions that the inquirer posed concerning the definitions of the terms "service provider", "business associate" and "trading partner" will be responded to shortly in a separate letter.

For further information, you may contact Supervising Attorney Joan Siegel at the New York City office.


1 Because each child is a separate contract holder, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.7(d) (2001), which applies to two or more consumers who have jointly obtained an insurance product or service from a licensee, would not be applicable.