The Office of General Counsel issued the following informal opinion on April 2, 2002, representing the position of the New York State Insurance Department.

Re: Standards for Safeguarding Customer Information and Regulation 173

Questions Presented:

Are physicians encompassed within the term "service providers" in Regulation 173?


Physicians are "service providers" only if the services provided to an insurer are in furtherance of the insurer’s underwriting or claims functions.


Since this was a general inquiry, no facts were provided.


This Department promulgated Regulation 173, N.Y. Comp. R. & Regs. tit. 11, Part 421, which became effective February 27, 2002. The regulation requires "licensees," as that term is defined in N.Y. Comp. R. & Regs. tit. 11, § 420.3 (r) (2001) (Regulation 169), to develop and implement a comprehensive information security program. For the purpose of this inquiry, licensee is presumed to mean both an insurer licensed by the Superintendent of Insurance to transact the business of accident & health insurance and a Health Maintenance Organization (HMO) holding a Certificate of Authority from the Commissioner of Health pursuant to New York Public Health Law Article 44 (McKinney 2002).

The regulation, N.Y. Comp. R. & Regs. tit. 11, § 421.1(e), defines "service provider":

‘Service provider’ means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the licensee.

The term service provider is intended to encompass those situations where the services are rendered for the licensee, even if the contact is with an insured or potential insured. A physician would not be a service provider where the physician is rendering services for the diagnosis or treatment of an individual for the benefit of such individual, and not for the benefit of the licensee.

However, in situations where the physician is acting primarily for the licensee (e.g., has examined an individual at the request of a licensee in order for the licensee to determine if it will issue a policy or contract to the individual, or for the purpose of the licensee determining if the individual is entitled to benefits, or for the purpose of providing the licensee with information to defend a liability claim), the physician would be considered to be a service provider.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.