Confidentiality Protocols for Victims of Domestic Violence and Endangered Individuals

NY-ADR

3/5/14 N.Y. St. Reg. DFS-41-13-00008-E
NEW YORK STATE REGISTER
VOLUME XXXVI, ISSUE 9
March 05, 2014
RULE MAKING ACTIVITIES
DEPARTMENT OF FINANCIAL SERVICES
EMERGENCY RULE MAKING
 
I.D. No. DFS-41-13-00008-E
Filing No. 147
Filing Date. Feb. 14, 2014
Effective Date. Feb. 14, 2014
Confidentiality Protocols for Victims of Domestic Violence and Endangered Individuals
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following action:
Action taken:
Addition of Part 244 (Regulation 168) to Title 11 NYCRR.
Statutory authority:
Financial Services Law, sections 202 and 302; and Insurance Law, sections 301 and 2612
Finding of necessity for emergency rule:
Preservation of general welfare.
Specific reasons underlying the finding of necessity:
This regulation governs confidentiality protocols for domestic violence victims and endangered individuals. Insurance Law § 2612 states that if any person covered by an insurance policy issued to another person who is the policyholder or if any person covered under a group policy delivers to the insurer that issued the policy, a valid order of protection against the policyholder or other person, then the insurer is prohibited for the duration of the order from disclosing to the policyholder or other person the address and telephone number of the insured, or of any person or entity providing covered services to the insured.
In addition, on October 25, 2012, Governor Andrew M. Cuomo signed into law Chapter 491 of the Laws of 2012, effective January 1, 2013, Part E of which amends Insurance Law § 2612 to require a health insurer to accommodate a reasonable request made by a person covered by an insurance policy or contract issued by the health insurer to receive communications of claim related information from the health insurer by alternative means or at alternative locations if the person clearly states that disclosure of all or part of the information could endanger the person. Except with the express consent of the person making the request, the amendment prohibits a health insurer from disclosing to the policyholder: (1) the address, telephone number, or any other personally identifying information of the person who made the request or child for whose benefit a request was made; (2) the nature of the health care services provided; or (3) the name or address of the provider of the covered services.
Insurance Law § 2612 requires the Superintendent, in consultation with the Commissioner of Health, Office of Children and Family Services, and Office for the Prevention of Domestic Violence, to promulgate rules to guide and enable insurers to guard against the disclosure of the confidential information protected by § 2612. Section 2612 provides important protections to persons who may be subject to domestic violence.
For the reasons stated above, emergency action is necessary for the general welfare.
Subject:
Confidentiality Protocols for Victims of Domestic Violence and Endangered Individuals.
Purpose:
To establish requirements for insurers to effectively respond to certain requests to keep records and information confidential.
Text of emergency rule:
Section 244.0 Preamble.
Individuals experiencing actual or threatened violence frequently establish new addresses and telephone numbers to protect their health and safety. Insurance Law section 2612 requires the Superintendent of Financial Services, in consultation with the Commissioner of Health, Office of Children and Family Services, and Office for the Prevention of Domestic Violence, to promulgate rules to guide and enable insurers to guard against the disclosure of information protected by Insurance Law section 2612. This Part establishes requirements with which insurers shall comply to enable them to effectively respond to requests to keep records and information confidential in conformance with Insurance Law section 2612.
Section 244.1 Applicability.
(a) This Part shall apply to a policy issued pursuant to the Insurance Law.
(b) With respect to an insurer authorized to write kinds of insurance in addition to accident and health insurance or salary protection insurance, any section of this Part that establishes rules with regard to a requestor or covered individual shall apply only with respect to a policy of accident and health insurance or a policy of salary protection insurance.
Section 244.2 Definitions.
As used in this Part:
(a) Accident and health insurance shall have the meaning set forth in Insurance Law section 1113(a)(3) and with regard to a fraternal benefit society, also shall have the meaning set forth in Insurance Law section 4501(i)-(k), (m), (o), and (p).
(b) Address means a street address, mailing address, or e-mail address.
(c) Claim related information shall have the meaning set forth in Insurance Law section 2612(h)(1)(A).
(d) Covered individual means an individual covered under a policy issued by a health insurer who could be endangered by the disclosure of all or part of claim related information by the health insurer.
(e) Fraternal benefit society shall have the meaning set forth in Insurance Law section 4501(a).
(f) Health insurer shall have the meaning set forth in Insurance Law section 2612(h)(1)(B).
(g) Insured means an individual who is covered under an individual or a group policy.
(h) Insurer shall have the meaning set forth in Insurance Law section 2612(c)(2) and shall include a fraternal benefit society.
(i) Person means an individual or legal entity, including a partnership, limited liability company, association, trust, or corporation.
(j) Policy means a policy, contract, or certificate of insurance, an annuity contract, a child health insurance plan issued pursuant to Title 1-A of Public Health Law Article 25, medical assistance or health care services provided pursuant to Title 11 or 11-D of Social Services Law Article 5, or any certificate issued under any of the foregoing.
(k) Policyholder means a person to whom a policy has been issued.
(l) Reasonable request means a request that contains a statement that disclosure of all or part of the claim related information to which the request pertains could endanger an individual, and the specification of an alternative address, telephone number, or other method of contact.
(m) Requestor means a covered individual, or the individual’s legal representative, or with regard to a covered individual who is a child, the child’s parent or guardian, who makes a reasonable request to the health insurer.
(n) Salary protection insurance shall have the meaning set forth in Insurance Law section 1113(a)(31).
(o) Victim of domestic violence or victim shall have the meaning set forth in Social Services Law section 459-a(1).
Section 244.3 Confidentiality protocol.
(a) An insurer shall develop and implement a confidentiality protocol whereby, except with the express consent of the individual who delivers to the insurer a valid order of protection, the insurer shall keep confidential and shall not disclose the address and telephone number of the victim of domestic violence, or any child residing with the victim, and the name, address, and telephone number of a person providing covered services to the victim, to a policyholder or another insured covered under the policy against whom the victim has a valid order of protection, if the victim, the victim’s legal representative, or if the victim is a child, the child’s parent or guardian, delivers to the insurer at its home office a valid order of protection pursuant to Insurance Law section 2612(f) and (g).
(b) In addition to the requirements of subdivision (a) of this section, a health insurer shall develop and implement a confidentiality protocol whereby the health insurer shall accommodate a reasonable request made by a requestor for a covered individual to receive communications of claim related information from the health insurer by alternative means or at alternative locations. Except with the express consent of the requestor, a health insurer shall not disclose to the policyholder or another insured covered under the policy:
(1) the address, telephone number, or any other personally identifying information of the covered individual or any child residing with the covered individual;
(2) the nature of the health care services provided to the covered individual;
(3) the name, address, and telephone number of the provider of the covered health care services; or
(4) any other information from which there is a reasonable basis to believe the foregoing information could be obtained.
(c) The insurer’s confidentiality protocol shall include written procedures to be followed by its employees, agents, representatives, or other persons with whom the insurer contracts and who may have access to the information sought to be kept confidential. The written procedures shall include:
(1) with respect to a health insurer, the procedure by which a requestor may make a reasonable request, provided that the procedure shall not require a justification as part of the reasonable request;
(2) the procedure by which a victim of domestic violence or a covered individual may provide an alternative address, telephone number, or other method of contact;
(3) the procedure for limiting access to personally identifying information, such as the name, address, telephone number, and social security number of a victim or covered individual and any other information from which there is a reasonable basis to believe the foregoing information could be obtained;
(4) the procedure for limiting or removing personal identifiers before information is used or disclosed, where possible;
(5) a system of internal control procedures, which the insurer shall review at least annually, to ensure the confidentiality of:
(i) addresses, telephone numbers, or other methods of contact;
(ii) the fact that a requestor made a reasonable request or that an order of protection was delivered to the insurer, and any information contained therein; and
(iii) any other information from which there is a reasonable basis to believe the information specified in subparagraphs (i) and (ii) could be obtained; and
(6) with respect to a health insurer, the procedure by which a requestor may revoke a reasonable request, provided, however, that the health insurer may require the requestor to submit a sworn statement revoking the request.
(d)(1) An insurer shall notify its employees, agents, representatives, and other persons with whom the insurer contracts who have access to the information sought to be kept confidential, that the insurer’s protocol is to be followed for the specified victim of domestic violence or covered individual, within three business days of:
(i) receipt of a valid order of protection and an alternative address, telephone number, or other method of contact; or
(ii) receipt of a reasonable request, with regard to a health insurer.
(2) Upon receipt of a valid order of protection or a reasonable request, an insurer shall inform the individual who delivered the order of protection or the requestor that the insurer has up to three business days to implement paragraph (1) of this subdivision.
(e) A health insurer may require a requestor to make a reasonable request in writing pursuant to Insurance Law section 2612(h)(3). However, a health insurer may not require a requestor to provide a justification for the reasonable request.
(f)(1) Prior to releasing any information prohibited to be disclosed pursuant to subdivisions (a) and (b) of this section pursuant to a warrant, subpoena, or court order involving the policyholder or another insured covered under the policy, an insurer shall notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information and specify what type of information it intends to release, unless prohibited by the warrant, subpoena, or court order.
(2) Upon release of information pursuant to a warrant, subpoena, or court order, an insurer shall advise the person to whom the insurer is releasing the information that the information is confidential and that the person should continue to maintain the confidentiality of the information to the extent possible.
(g) An insurer shall comply with Parts 420 and 421 of this Title (Insurance Regulations 169 and 173) and where applicable, the federal Health Insurance Portability and Accountability Act of 1996, as amended, with respect to any information submitted pursuant to Insurance Law section 2612 or this Part.
(h) An agent, representative, or designee of an insurer, a corporation organized pursuant to Insurance Law Article 43, a health maintenance organization certified pursuant to Public Health Law Article 44, or a provider issued a special certificate of authority pursuant to Public Health Law section 4403-a, who is regulated pursuant to the Insurance Law, need not develop its own confidentiality protocol pursuant to this section if the agent, representative, or designee follows the protocol of the insurer, corporation, health maintenance organization, or provider.
Section 244.4 Notice.
(a) An insurer shall post conspicuously on its website and, with regard to a health insurer, also annually provide all its participating health service providers with:
(1) a description of Insurance Law section 2612;
(2) the information required by section 244.3(c)(1), (2), and (6); and
(3) the phone number for the New York State Domestic and Sexual Violence Hotline.
(b) An insurer shall post conspicuously on its website the information set forth in paragraphs (1) and (3) of subdivision (a) of this section in a format suitable for printing and posting. A health insurer shall recommend to its participating health service providers that the providers print and post the information in their offices.
(c) This section shall not apply to an agent, representative, or designee of an insurer, a corporation organized pursuant to Insurance Law Article 43, a health maintenance organization certified pursuant to Public Health Law Article 44, or a provider issued a special certificate of authority pursuant to Public Health Law section 4403-a, who is regulated pursuant to the Insurance Law, if the agent, representative, or designee follows the protocol of the insurer, corporation, health maintenance organization, or provider.
This notice is intended to serve only as a notice of emergency adoption. This agency intends to adopt the provisions of this emergency rule as a permanent rule, having previously submitted to the Department of State a notice of proposed rule making, I.D. No. DFS-41-13-00008-EP, Issue of October 9, 2013. The emergency rule will expire April 14, 2014.
Text of rule and any required statements and analyses may be obtained from:
Joana Lucashuk, New York State Department of Financial Services, One State Street, New York, NY 10004, (212) 480-2125, email: [email protected]
Regulatory Impact Statement
1. Statutory authority: Financial Services Law §§ 202 and 302 and Insurance Law §§ 301 and 2612.
Financial Services Law §§ 202 and 302 and Insurance Law § 301 authorize the Superintendent of Financial Services (the “Superintendent”) to prescribe regulations interpreting the provisions of the Insurance Law and to effectuate any power granted to the Superintendent under the Insurance Law.
Insurance Law § 2612 requires the Superintendent to promulgate rules to guide and enable insurers (as § 2612 defines that term, which includes health maintenance organizations as well as agents, representatives, and designees of the insurers that are regulated under the Insurance Law) to guard against the disclosure of confidential information protected by Insurance Law § 2612.
2. Legislative objectives: Insurance Law § 2612, with respect to every insurer regulated under the Insurance Law, provides in relevant part that if any person covered by an insurance policy delivers to the insurer a valid order of protection against the policyholder or other covered person, then the insurer cannot, for the duration of the order, disclose to the policyholder or other person the address and telephone number of the insured, or of any person or entity providing covered services to the insured. Section 2612 also requires a health insurer, as defined in that section, to accommodate a reasonable request made by a person covered by an insurance policy or contract to receive communications of claim-related information by alternative means or at alternative locations if the person clearly states that disclosure of the information could endanger the person. This section further prohibits a health insurer from disclosing certain information to the policyholder.
The Legislature enacted Insurance Law § 2612, and amendments thereto, to protect domestic violence victims and to ensure that an abuser has one less record that the abuser may use to track down the victim. This rule is consistent with the public policy objectives that the Legislature sought to advance by enacting § 2612, because the rule helps to protect domestic violence victims by guiding and enabling insurers to guard against the disclosure of the confidential information protected by § 2612.
3. Needs and benefits: Insurance Law § 2612 requires the Superintendent, in consultation with the Commissioner of Health, Office of Children and Family Services, and Office for the Prevention of Domestic Violence, to promulgate rules to guide and enable insurers to guard against the disclosure of the confidential information protected by Insurance Law § 2612. Therefore, after consultation with the Commissioner of Health, the Office of Children and Family Services, and the Office for the Prevention of Domestic Violence, the Superintendent drafted this rule to guide and enable insurers to guard against disclosure.
4. Costs: The rule may impose compliance costs on insurers because it requires insurers to develop confidentiality protocols and provide certain notices. However, such costs are difficult to estimate and will vary depending upon a number of factors, including the size of the insurer. In fact, insurers already should be complying with the existing requirements of the statute. Moreover, the rule is designed to provide flexibility to insurers and does not prescribe the way in which an insurer must provide the notices, but rather leaves the method up to each insurer. In addition, an agent, representative, or designee of an insurer that is regulated pursuant to the Insurance Law need not establish its own protocol or give certain notices, provided that it follows the protocol of the insurer. In any event, the requirement that insurers may not disclose the information protected by Insurance Law § 2612 is mandated by the statute itself, not the rule.
The Department does not anticipate significant additional costs to the Department to implement the rule. The Department will monitor compliance with the rule as part of its market conduct examinations of insurers and consumer complaint handling procedures.
The regulation does not impose compliance costs on state or local governments because it is not applicable to them.
5. Local government mandates: This rule does not impose any program, service, duty, or responsibility upon any county, city, town, village, school district, fire district, or other special district.
6. Paperwork: The rule requires an insurer to notify its employees, agents, representatives, or other persons with whom the insurer contracts or who have gained access to the information from the insurer, with respect to the solicitation, negotiation, or sale of insurance or the adjustment or administration of insurance claims, that the insurer’s confidentiality protocol is to be followed for the specified victim of domestic violence or covered individual, within three business days of receipt of a valid order of protection and an alternative address, telephone number, or other method of contact, or receipt of a reasonable request, with regard to a health insurer.
The rule also requires a health insurer to annually provide to all of its participating health service providers a description of Insurance Law § 2612, certain information contained within the insurer’s confidentiality protocol, and the phone number of the New York State Domestic and Sexual Violence Hotline.
7. Duplication: The rule does not duplicate, overlap, or conflict with any state rules or other legal requirements. The rule may overlap with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, and may impose additional requirements that are not set forth in HIPAA. However, the rule does not conflict with HIPAA.
8. Alternatives: Originally, the rule required an insurer’s confidentiality protocol to have written procedures to be followed by its employees, agents, representatives, or any other persons with whom the insurer contracted or who had gained access to the information from the insurer, with respect to the solicitation, negotiation, or sale of insurance or the adjustment or administration of insurance claims. The rule also required an insurer to notify the foregoing persons that the insurer’s protocol was to be followed for the specified domestic violence victim or covered individual within three business days of receipt of a valid order of protection and alternative contact information, or receipt of a reasonable request, with regard to a health insurer.
After receiving comments from trade associations representing life and property/casualty insurers, the Department, recognizing that the rule could be construed in an overly broad way, clarified the rule to require that the written procedures in the insurer’s confidentiality protocol be followed by its employees, agents, representatives, and persons with whom the insurer contracts where such employees, agents, representatives, or persons may have access to the information sought to be kept confidential. The Department also amended the rule to require an insurer to notify its employees, agents, representatives, and persons with whom the insurer contracts where such employees, agents, representatives, or persons have access to the information sought to be kept confidential, that the insurer’s protocol is to be followed for the specified domestic violence victim or covered individual within three business days of receipt of a valid order of protection and alternative contact information, or receipt of a reasonable request, with regard to a health insurer.
The rule also originally stated that prior to releasing any information pursuant to a warrant, subpoena, or court order, an insurer must notify the individual who delivered the order of protection or the requestor, as soon as reasonably practicable, that it intends to release information and specify the type of information it intends to release, unless prohibited by the warrant, subpoena, or court order. However, after receiving an inquiry from an attorney that represents health insurers, the Department amended this language to make clear that the information to which the language is referring is limited to the information barred from disclosure by § 244.3(a) and (b) of the rule, and that the warrant, subpoena, or court order must involve the policyholder or another insured covered under the policy.
In addition, the Department had included language in the rule that prohibited an insurer or any person subject to the Insurance Law from engaging in any practice that would prevent or hamper the orderly working of the rule in accomplishing its intended purpose of protecting domestic violence victims and covered individuals. A trade organization questioned how a person would prevent or hamper the orderly working of the rule. After further discussion, the Department deleted the foregoing language.
Finally, a trade organization stated that it was not always clear which provisions applied only to health insurers. The Department revised the rule to make clearer when it applies to all insurers and when it applies just to health insurers.
9. Federal standards: HIPAA sets forth rules for restricting the use and disclosure of certain health information and permits an individual to make a request to a health plan to receive communications of protected health information from the health plan by alternative means or at alternative locations if the individual clearly states that the disclosure of all or part of the information could endanger the individual. Insurance Law § 2612, as amended by Chapter 491, and this rule, are consistent with HIPAA. However, § 2612 and the rule may impose additional requirements that are not set forth in HIPAA. For example, the rule sets forth required elements of a confidentiality protocol and requires insurers to provide notice of their confidentiality protocols and of Insurance Law § 2612 by posting certain information on their websites.
10. Compliance schedule: The existing statute already requires an insurer to protect certain information when a person provides the insurer with an order of protection. The new requirements of Insurance Law § 2612 took effect on January 1, 2013. This regulation has been in effect on an emergency basis since June 27, 2013. Insurers had to post certain information on their websites by July 1, 2013.
Regulatory Flexibility Analysis
1. Effect of rule: The rule will not affect any local governments. It will affect regulated insurers, most of which do not come within the definition of “small business” as set forth in State Administrative Procedure Act § 102(8), because they are not independently owned and operated and employ less than one hundred individuals. The rule also would affect insurance producers and independent insurance adjusters, the vast majority of which are small businesses, because they are independently owned and operated and employ one hundred or less individuals. There are over 200,000 licensed resident and non-resident insurance producers and over 15,000 licensed resident and non-resident independent insurance adjusters in New York that the rule will affect. The Department does not have a record of the exact number of small businesses included in that group. The Department has designed the regulation to place the least burden possible on insurance producers and independent insurance adjusters, as discussed below.
2. Compliance requirements: Insurance Law § 2612(c)(2) and (h)(1)(A) define “insurer” and “health insurer,” respectively, to include an agent, representative, or designee of an insurer, a corporation organized pursuant to Insurance Law Article 43, a health maintenance organization (“HMO”), a municipal cooperative health benefit plan, or a provider issued a special certificate of authority pursuant to Public Health Law § 4403-a, who is regulated pursuant to the Insurance Law. The rule requires insurers (including health insurers) to develop and implement confidentiality protocols that include written procedures that their employees, agents, representatives, or any other persons with whom the insurers contract or who have gained access to the information from the insurers, with regard to the solicitation, negotiation, or sale of insurance or the adjustment or administration of insurance claims, must follow. The rule also requires insurers to post certain information on their websites. Since an agent, representative, or designee who is regulated pursuant to the Insurance Law is included in the definitions of “insurer” and “health insurer,” these requirements apply to insurance agents and independent insurance adjusters. In certain cases, insurance brokers may act on behalf of insurers, such as when they administer insurance programs for the insurers, and thus the rule would apply to brokers as well. Furthermore, the rule prohibits any person subject to the Insurance Law from engaging in any practice that would prevent or hamper the orderly working of the rule in accomplishing its intended purpose of protecting victims of domestic violence and covered individuals.
However, the Department has attempted to minimize the impact of the rule on insurance producers and independent insurance adjusters by including language that states that an agent, representative, or designee of an insurer, a corporation, an HMO, or a provider, who is regulated pursuant to the Insurance Law, need not develop its own confidentiality protocol if the agent, representative, or designee follows the protocol of the insurer, corporation, HMO, or provider. Nor does a producer or an adjuster who follows the protocol of the insurer, corporation, HMO, or provider need to post certain information on its website.
3. Professional services: The rule would not require an insurance producer or independent insurance adjuster to use professional services.
4. Compliance costs: The rule will not impose any compliance costs on local governments. Insurance producers and independent insurance adjusters, many of whom are small businesses, may incur additional costs of compliance, but they should be minimal. The cost to a producer or an adjuster will be associated primarily with developing and implementing a confidentiality protocol, unless the producer or adjuster chooses to follow the protocol of the insurer, corporation, HMO, or provider.
5. Economic and technological feasibility: Local governments will not incur an economic or technological impact as a result of this rule. Insurance producers and independent insurance adjusters, many of whom are small businesses, will not have to purchase any new technology to comply with the rule.
6. Minimizing adverse impact: The rule applies to the insurance market throughout New York State. In accordance with Insurance Law § 2612, the same requirements will apply to all insurance producers and independent insurance adjusters, so the rule does not impose any adverse or disparate impact on small businesses. Further, the Department has designed the regulation to place the least burden possible on an insurance producer or insurance adjuster by allowing the producer or adjuster to follow the protocol of the insurer, corporation, HMO, or provider, rather than develop its own protocol.
7. Small business and local government participation: A proposed rule was published in the State Register on October 9, 2013, and the Department invited public comments on the rule from all interested parties including small businesses and local governments.
Rural Area Flexibility Analysis
1. Types and estimated numbers of rural areas: Insurers, insurance producers, and independent insurance adjusters affected by this rule operate in every county in this state, including rural areas as defined under State Administrative Procedure Act (“SAPA”) § 102(10).
2. Reporting, recordkeeping and other compliance requirements; and professional services: The rule requires insurers located in rural areas (as Insurance Law § 2612 defines that term, which includes health maintenance organizations as well as agents, representatives, and designees of the insurers who are regulated under the Insurance Law) to develop and implement confidentiality protocols that include written procedures that their employees, agents, representatives, or any other persons with whom the insurers contract or who have gained access to the information from the insurers, with regard to the solicitation, negotiation, or sale of insurance or the adjustment or administration of insurance claims, must follow. The rule also requires insurers to post certain information on their websites.
However, the Department has attempted to minimize the impact of the rule on insurance producers and independent insurance adjusters located in rural areas by including language that states that an agent, representative, or designee of an insurer, a corporation, an HMO, or a provider, who is regulated pursuant to the Insurance Law, need not develop its own confidentiality protocol if the agent, representative, or designee follows the protocol of the insurer, corporation, HMO, or provider. Nor does a producer or an adjuster who follows the protocol of the insurer, corporation, HMO, or provider need to post certain information on its website.
The rule would not require an insurer, insurance producer, or independent insurance adjuster located in a rural area to use professional services.
3. Costs: Insurers, insurance producers, and independent insurance adjusters located in rural areas may incur additional costs of compliance, but they should be minimal. The cost to an insurer, producer, or adjuster located in rural areas will be associated primarily with developing and implementing a confidentiality protocol. However, a producer or adjuster may choose to follow the protocol of the insurer, corporation, HMO, or provider.
4. Minimizing adverse impact: The rule applies to the insurance market throughout New York State. In accordance with Insurance Law § 2612, the same requirements will apply to all insurers, insurance producers, and independent insurance adjusters, so the rule does not impose any adverse or disparate impact on insurers, insurance producers, or independent insurance adjusters in rural areas.
5. Rural area participation: A proposed rule was published in the State Register on October 9, 2013, and the Department invited public comments on the rule from all interested parties including those located in rural areas.
Job Impact Statement
The Department of Financial Services finds that this rule should have no impact on jobs and employment opportunities. As required by Insurance Law § 2612, the rule establishes certain limited requirements to guide and enable insurers to guard against the disclosure of the confidential information protected by § 2612.
Assessment of Public Comment
The New York State Department of Financial Services (“Department”) received comments from an organization that represents the New York family planning provider network (“family planning organization”), an organization that represents people living with HIV/AIDS (“HIV organization”), an organization that works to defend constitutional rights (“civil liberties organization”), a trade organization that represents property/casualty insurers (“property/casualty trade organization”), and an organization that represents United States insurers (“insurer trade organization”), in response to its publication of the proposed rule in the New York State Register.
Comments on specific parts of the proposed rule are discussed below.
11 NYCRR 244.2 (“Definitions”)
Comment
The family planning organization, HIV organization, and civil liberties organization commented that the Department should expand the rule to apply to more than just domestic violence by defining “endanger” to encompass concerns that an insured individual’s privacy or confidentiality could be compromised if he or she did not receive communications and claim-related information at an alternate address. These organizations also commented that the Department should amend the definition of “requestor” to include a minor who is able to consent or has consented to health care services under the law.
Department’s Response
The Department is considering whether to make any change in the context of adopting the permanent rule.
11 NYCRR 244.3 (“Delivers”)
Comment
The insurer trade organization stated that consistent with statutory law, this section requires that the victim deliver to the insurer’s home office a valid order of protection issued by a court of competent jurisdiction in New York, and recommended clarifying that “deliver” does not require physical delivery to the insurer’s home office.
Department’s Response
This term comes directly from the statute. To effectuate the intent and goals of the statute, the Department construes the term broadly to mean delivery to the insurer by any means, including mail, email, or otherwise. The Department is considering whether to clarify the text of the rule in the context of adopting the permanent rule.
11 NYCRR 244.3(a) (“Covered Services”)
Comment
The property/casualty trade organization and insurer trade organization noted that this provision requires insurers to keep certain information confidential for “a person providing covered services to the victim”, and commented that there is confusion as to what this might mean in the property/casualty insurance context. The organization suggested that the Department add clarifying language if this provision is not intended to apply to property/casualty insurers.
Department’s Response
The Department construes this to mean any benefit or service provided under the policy to the victim. For example, this could be information about a medical provider under a no-fault or workers’ compensation claim or the name and address of a body shop under an automobile claim. The Department is considering whether to clarify the text of the rule in the context of adopting the permanent rule.
11 NYCRR 244.3(c) and (d) (“Contractor Notification”)
Comment
The insurer trade organization commented that the broad scope of these subdivisions was extremely troublesome because insurers contract with numerous vendors and many of these vendors are not in a position to be able to divulge any of the victim’s information or to change the address of the victim. The organization recommended revising these subdivisions to limit their applicability solely to employees and drafting a new section that clearly outlines the responsibilities of and expectations for insurance producers.
Department’s Response
The Department revised a prior version of the emergency rule and the proposed rule to address this comment by adding language that makes it clear that the subdivisions apply to employees, agents, representatives, or persons who have or may have access to the information sought to be kept confidential.
11 NYCRR 244.3(c)(4) (“Personal Identifiers”)
Comment
The insurer trade organization noted that this paragraph requires an insurer’s written procedures to include the procedure for limiting or removing personal identifiers before information is used or disclosed, and commented that it is unclear what would constitute “limiting or removing personal identifiers.”
Department’s Response
The Department thinks that it is clear that limiting or removing personal identifiers means limiting or removing, such as by redacting, any information that could identify the victim or covered individual. Therefore, the Department did not make any changes to the rule to address this comment.
11 NYCRR 244.3(h) (“Hampering this Rule”)
Comment
The insurer trade organization noted that the rule contained language stating that an insurer or any person subject to the Insurance Law may not engage in any practice that would prevent or hamper the orderly working of the rule in accomplishing its intended purpose of protecting victims of domestic violence and covered individuals. The organization commented that it is unclear how a person would prevent or hamper the orderly working of the rule.
Department’s Response
The Department deleted this language in a prior version of the emergency rule and the proposed rule and relettered section 244.3 of the rule.
11 NYCRR 244.4 (“Notice”)
Comment
The insurer trade organization suggested that the Department amend the rule to require that an insurer include a simple disclosure on the “contact us” or privacy page of the insurer’s website rather than on the homepage of the insurer’s website.
Department’s Response
The rule requires an insurer to post on its website certain information. It does not require that information be posted on the homepage of the insurer’s website. Therefore, the Department did not make any changes to the rule to address this comment.
Applicability to Property/Casualty Insurers
Comment
The property/casualty trade organization commented that there are a number of areas throughout the rule in which it is unclear whether the language applies to property/casualty insurers, and gave the example of where the rule refers to a “victim or covered individual.” The organization suggested that clarifying the rule’s applicability would reduce confusion and facilitate compliance.
Department’s Response
When the rule applies to all insurers, including property/casualty insurers, the rule uses the term “insurer” as defined in Insurance Law section 2612(c)(2). When the rule applies to just a health insurer, the rule uses that term (which Insurance Law section 2612(h)(1)(B) defines). In addition, the rule clearly defines “covered individual” as applying to an individual covered under a policy issued by a health insurer only. The rule also defines “victim” as having the meaning set forth in Social Services Law section 459-a(1), which applies generally and does not distinguish between kinds of insurance. Therefore, the Department did not make any changes to the rule to address this comment.
Comment
The insurer trade organization commented that the legislative history of Insurance Law section 2612 indicates a clear focus on medical information and health insurers and therefore, the rule should not apply to property/casualty insurance. The organization also suggested that if the rule applies to property/casualty insurance, then it should exclude certain commercial lines policies.
Department’s Response
Insurance Law section 2612(c)(2) defines “insurer” as an insurer, an Insurance Law Article 43 corporation, a municipal cooperative health benefit plan, a health maintenance organization, a provider issued a special certificate of authority pursuant to the Public Health Law, or an agent, representative, or designee thereof regulated pursuant to the Insurance Law. This definition is not limited to health insurers or personal lines insurance.
This rule merely implements Insurance Law section 2612 and cannot narrow its applicability. Therefore, the Department did not make any changes to the rule to address these comments. Moreover, medical information is often involved in property/casualty policies, such as under no-fault or workers’ compensation insurance, and is not limited to strictly health insurance or personal lines.
Alternate Contact Information
Comment
The insurer trade organization commented that it cannot find any statutory requirement that property/casualty insurers establish a procedure to accept an alternate address for domestic violence victims. However, the organization stated that it would be willing to have the rule establish an alternate contact information requirement for property/casualty medical claims payments to such victims.
Department’s Response
The requirement is implicit in the law. Insurance Law section 2612(f) and (g) state that if a person covered under an insurance policy delivers to an insurer an order of protection against the policyholder or another person covered under the policy, then the insurer may not disclose to the policyholder or other covered person the address or telephone number of the victim or of any person providing covered services to the victim. This language presumes that the victim already is using an alternate address or telephone number; otherwise there would be no reason to keep it confidential from the policyholder or other covered person. Therefore, the Department did not make any changes to the rule to address this comment. Nor is there any basis in the law to limit the rule to medical claims.
Joint Policy Confidentiality
Comment
The property/casualty trade organization commented that it will be difficult, and in some cases potentially impossible, to keep information confidential where the victim and the person against whom the order of protection is issued are on the same policy, such as in the homeowners’ insurance context where there is joint ownership of a home.
Department’s Response
As a preliminary matter, Insurance Law section 2612 requires an insurer to keep confidential certain information if the insurer receives an order of protection from an insured or other person covered under the insurance policy. This rule merely implements the legislative mandate that insurers must have confidentiality protocols in place. The association did not explain why it would be difficult or impossible to keep the victim’s address and telephone number confidential from another person covered under the policy. Therefore, the Department did not make any changes to the rule to address this comment.