In the Information Age, one's personal information--often presumed to be private--may be bartered by others. While an individual may determine that free membership or subscription to a website, for example, warrants relinquishing one's privacy, that same individual may not want her financial institution or health insurer trading her personal information for its corporate financial gain. However, the sale of personal information by insurance companies has been largely unregulated.
Taking the lead in that regard, the New York State Insurance Department promulgated the Privacy of Consumer Financial and Health Information Rule (Regulation 169), effective Nov. 13, 2000. Regulation 169 was created as required by the federal Gramm-Leach-Bliley Act (which protects personal financial information) and apparently in response to the federal privacy rule proposed pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects individually identifiable health information.
As the title of the rule indicates, Regulation 169 restricts the disclosure of health and financial information by entities regulated by the Insurance Department, such as insurance companies. Regulation 169 generally prohibits insurance companies from disclosing nonpublic personal health and financial information to nonaffiliated third parties.
Although the general provisions of Regulation 169 affecting health information for the most part are similar to those contained in the proposed HIPAA privacy rule, there are notable differences. Part one of this article will summarize Regulation 169 and compare it with the proposed HIPAA privacy rule; the second part will compare Regulation 169 with the Gramm-Leach-Bliley Act.
Like the proposed HIPAA privacy rule, Regulation 169 requires insurance companies to give initial and annual notices of their privacy policies, with some exceptions. The people entitled to notice are both applicants for personal (including family and household) insurance products and customers for those products.
With respect to disclosures of financial information, Regulation 169 is an "opt-out" rather than "opt-in" rule--the covered individuals may, if they want, opt out of certain disclosures to nonaffiliated third parties, but the covered entities are not required to get them to opt in to such disclosures. With respect to health information, the reverse is true: Individuals must "opt-in" by providing authorization to disclose information if such disclosures are not specifically permitted by the rule.
The health information protected by Regulation 169 is broader in one sense than the proposed HIPAA privacy rule. It applies to information kept in all forms, not just information stored or transmitted electronically. Other than this difference, the health information protected by Regulation 169 is virtually identical to the health information protected by HIPAA.
The proposed HIPAA privacy rule and Regulation 169 cover different entities. The proposed HIPAA privacy rule covers healthcare providers, health plans, and healthcare clearinghouses (entities that process data on behalf of healthcare providers and health plans). Regulation 169 covers only those entities licensed by the New York Insurance Department. This excludes healthcare professionals and clearinghouses, but includes health plans, as well as life and accident insurers and other insurers.
A more important difference is in the acts prohibited. The HIPAA rule restricts not only disclosure of health information, but also certain uses, such as marketing and certain types of research. By contrast, Regulation 169 restricts only disclosures of information. Consequently, there are no limits on what internal uses insurance companies and their affiliates can make of health information.
This difference extends to third party uses. While insurance companies, covered by Regulation 169, may not disclose health information to third parties without written authorization, once authorization is obtained, there are no limits on what that third party may do with the information. Unlike the proposed HIPAA privacy rule, Regulation 169 does not require an insurance company to place any restrictions on third parties' use or disclosure of health information.
By contrast, with respect to financial information, under Regulation 169, insurance companies have the option to enter into contracts with the third parties to whom they disclose information (for marketing purposes, for example) restricting further uses or disclosure by such third parties; if such contracts are entered into, consumers lose the right to opt out of such disclosures discussed above.
One important similarity is that neither the proposed HIPAA privacy rule nor Regulation 169 gives individuals a private right of action for violations of the rule. (Whether an individual may have a remedy under a different law for an act that also violates Regulation 169 is beyond the scope of this article.) Regulation 169 gives enforcement powers only to the superintendent of the Department of Insurance by providing that a violation "shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in the conduct of business of insurance" and a violation of Section 2403 of the New York Insurance Law.
The superintendent of insurance has the power to investigate violations of that section and levy civil penalties, but it appears that there is no private right of action under that statute. As a result, Regulation 169 provides no legal recourse to the individual whose information is wrongfully disclosed, except to complain to the Department of Insurance. If the superintendent investigates and files charges that result in a hearing, the superintendent may allow such aggrieved individual to intervene in the hearing, but no further remedy is given by the statute or regulation.
Thus Regulation 169 provides protections for personal health information similar to, but generally more limited than, the protections in the proposed HIPAA privacy rule. The proposed HIPAA privacy rule is not final, however, and will not become so until 60 days after publication (which as of press time has not occurred), and it seems likely that covered entities will have two to three years after finalization to comply.
Regulation 169 became effective Nov. 13, 2000; compliance is required generally by July 31, 2001, and compliance with those provisions regarding health information is required by Dec. 31, 2001. Therefore, until the HIPAA privacy rule becomes effective, Regulation 169 will provide at least some protection for health information (and financial information) for New Yorkers.
David Rabinowitz (drabinowitz@mosessinger.com) is a partner with Moses & Singer LLP in New York City. He is a co-chair of both the Litigation and eHealth Law practice groups.
Jessica Blazer (jblazer@mosessinger.com) is an associate in both the Healthcare and eHealth Law Groups.
From the November 29, 2000 issue of iHealthcare Weekly, a Rising Tide Studios Publication. Reprinted with the Permission of the Publisher. All Rights Reserved. Copyright 2000. Please visit http://www.ihealthcareweekly.com/issues/ihcw11292000.html
© 1999 - Moses & Singer LLP all rights reserved.