The Office of General Counsel issued the following opinion on April 14, 2005 representing the position of the New York State Insurance Department.

Re: Health Insurance Portability & Accountability Act (HIPAA), Privacy Rule, Psychotherapy Notes

Question Presented:

May an insurer require an insured to authorize release of psychotherapy notes as a condition of coverage?

Conclusion:

No, such a requirement would be violative of the HIPAA Privacy Rule. Accordingly, insisting on such an improper authorization might be an unfair business practice in accordance with the New York Insurance Law (McKinney 2000 and 2005 Supplement) and the regulations promulgated thereunder.

Facts:

An insured is undergoing treatment with a psychologist that is being reimbursed by the insured's health insurer. The insured executed a general authorization for the insured’s psychologist to release information to the insurer. The insurer has transmitted the authorization to the psychologist and requested all information maintained on the insured, including psychotherapy notes.

The psychologist has informed the insured that he believes that psychotherapy notes are usually "off-limits" to insurers, but that he interprets the authorization that the insured executed as granting permission for their release. The insurer has indicated that, while the insured may restrict the authorization, in turn, it may curtail or terminate the insured's benefits. The insured is concerned that, if the notes are released to the insurer, the insurer may release them to third parties.

Analysis:

General HIPAA Privacy Requirements

As required by HIPAA, 42 U.S.C.A. § 320d-2 (Note) (West 2003), the Secretary of Health and Human Services promulgated a Privacy Rule. 45 C.F.R. § 160.101 et seq. (2002). The Privacy Rule, 45 C.F.R. § 160.103 (2002), defines protected health information as individually identifiable health information, which is defined, 45 C.F.R. § 160.103:

Individually identifiable health information is information that is a subset of health information . . . and (1) Is created or received by a health care provider . . . and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

The requirements of the HIPAA Privacy Rule are applicable to covered entities, 45 C.F.R. § 160.103:

Covered entity means: (1) A health plan. . . . (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Health Plan and Health Care Provider are defined, 45 C.F.R. § 160.103:

Health plan means an individual or group plan that provides, or pays the cost of, medical care . . . (1) Health plan includes the following, singly or in combination: (i) A group health plan . . . (ii) A health insurance issuer . . . (iii) An HMO . . . .

Health care provider means a provider of services . . . a provider of medical or health services . . . and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Based upon the information provided, it appears that both the psychologist and the insurer are covered entities.

Treatment of Psychotherapy Notes

The general standard under the HIPAA Privacy Rule, 45 C.F.R. § 164.502(a) (2002), is that a covered entity may not use or disclose protected health information, except as permitted or required elsewhere in the Privacy Rule. The Privacy Rule further provides, 45 C.F.R. § 164.502(b):

Standard: Minimum necessary. (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

The general standard is further elucidated in 45 C.F.R. § 164.508 (2002):

(a) Standard: authorizations for uses and disclosures. -- (1) Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

(2) Authorization required: psychotherapy notes. Notwithstanding any provision of this subpart . . . a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except (i) To carry out the following treatment, payment, or health care operations: (A) Use by the originator of the psychotherapy notes for treatment; (B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or (C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and (ii) A use or disclosure that is required by § 164.502(a)(2)(ii) [to the data subject] or permitted by § 164.512(a) [required by law] ; § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1) [to coroners or medical examiners]; or § 164.512(j)(1)(i) [prevent a threat to a person or the public].

. . .

(b) Implementation specifications: general requirements . . . (3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: . . . (ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; (iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.

(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: . . . (ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if: . . . (B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section . . . .

. .

(c) Implementation specifications: Core elements and requirements. -- (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. . . . (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . . (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: (i) The individual's right to revoke the authorization in writing, . . . (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization . . . (iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. . . .

. . .

Psychotherapy Notes are defined, 45 C.F.R. § 164.501 (2002):

Psychotherapy notes means notes recorded . . . by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session . . . and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Pursuant to the HIPAA Privacy Rule, 45 C.F.R. § 164.508(b)(4)(ii)(B), it would be improper for the insurer to condition future benefits on the insured granting permission for release of psychotherapy notes. In its fact sheet issued upon promulgation of the HIPAA Privacy Rule, the United States Department of Health & Human Services indicated that psychotherapy notes are granted special protection because they "are never intended to be shared with anyone else." Complaints concerning violations of the HIPAA Privacy Rule should be addressed to:

Office for Civil Rights
United States Department of Health & Human Services
36 Federal Plaza
New York, NY 10278.

In addition, New York Insurance Law § 2601(a) (McKinney 2000) provides:

No insurer doing business in this state shall engage in unfair claim settlement practices. Any of the following acts by an insurer, if committed without just cause and performed with such frequency as to indicate a general business practice, shall constitute unfair claim settlement practices: (1) knowingly misrepresenting to claimants pertinent facts or policy provisions relating to coverages at issue . . . .

If done as a general business practice, it would be an unfair claims settlement practice to knowingly misrepresent the consequences of failure to authorize the release of psychotherapy notes.

However, insurers may conduct utilization review to ascertain if the treatment in question is medically necessary. In that case, the insured has a right of review in accordance with New York Insurance Law Article 49 (McKinney 2000 and 2005 Supplement.) and New York Public Health Law Article 49 (McKinney 2000 and 2005 Supplement).

Re-disclosure of Health Information

Protected health information validly given to the insurer is protected against re-disclosure to those not required to receive it as part of their functions by the HIPAA Privacy Rule minimum necessary standard, 45 C.F.R. § 164.502(b)(1).

As required by the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley), Public Law No. 106-102, the Insurance Department promulgated a privacy regulation, N.Y. Comp. codes R. & Regs. tit. 11, Part 420 (2002) (Regulation 169). The relevant definitions for Regulation 169, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.3 (2001) are:

(h) ‘Customer’ means a consumer who has a customer relationship with a licensee.

(i) (1) ‘Customer relationship’ means a continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services in this State to the consumer that are to be used primarily for personal, family, or household purposes. . . .

(p) (1) ‘Licensee’ means a person licensed, or required to be licensed, or authorized, or required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this State . . . .

(t) ‘Nonpublic personal health information’ means health information: (1) That identifies an individual who is the subject of the information; or (2) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

Regulation 169 provides with respect to health information, N.Y. Comp. Codes R. & Regs. tit. 11, § 420.17 (2001):

(a) A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

(b) Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; . . . case management; disease management; quality assurance; quality improvement; . . . any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services . . . and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. . . .

While, pursuant to N.Y. Comp. Codes R. & Regs. tit. 11, § 420.21 (2001), a licensee that is in compliance with the HIPAA Privacy Rule is exempt from Regulation 169, if the licensee is not in compliance with the HIPAA Privacy Rule or Regulation 169, such violations may be penalized by both the United States Department of Health and Human Services and the Insurance Department.

Also as required by the Gramm-Leach-Bliley Act, the Department has promulgated Standards for Safeguarding Customer Information, N.Y. Comp. Codes R. & Regs. tit. 11, Part 421 (Regulation 173) (2002). In so far as it is applicable to nonpublic personal health information, Regulation 173 complements the HIPAA Security Standards, 45 C.F.R. § 164.302 (2002), which become effective on April 20, 2005 for most covered entities.

Accordingly, both New York and Federal regulations would prevent insurers from disclosing protected health information to other third parties without a valid reason.

For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.