New York State Insurance Department Enacts Privacy Rule: A Two-Part Series

by Jessica Blazer and David Rabinowitz

As published in the November 29, 2000 issue of iHealthcare Weekly.

In this aptly dubbed "Information Age", one's personal information - often presumed to be private - may be bartered by others. While an individual may determine that free membership or subscription to a website, for example, warrants relinquishing one's privacy, that same individual may not want her financial institution or health insurer trading her personal information for its corporate financial gain. However, the sale of personal information by insurance companies has been largely unregulated.

The New York State Insurance Department, taking the lead, promulgated the Privacy of Consumer Financial and Health Information Rule (Regulation 169), effective November 13, 2000. Regulation 169 was promulgated as required by the federal Gramm-Leach-Bliley Act (which protects personal financial information) and apparently in response to the federal privacy rule proposed pursuant to the Health Insurance Portability and Accountability Act of 1996 (which protects individually identifiable health information).

As the title of the rule indicates, Regulation 169 restricts the disclosure of health information and financial information by entities regulated by the Insurance Department (i.e., insurance companies). Regulation 169 generally prohibits insurance companies from disclosing nonpublic personal health and financial information to non-affiliated third parties.

Although the general provisions of Regulation 169 affecting health information for the most part are similar to those contained in the proposed HIPAA privacy rule, there are notable differences. This article will summarize Regulation 169 and compare it with the proposed HIPAA privacy rule; the second article in this series will compare Regulation 169 with the Gramm-Leach-Bliley Act.

Like the proposed HIPAA privacy rule, Regulation 169 requires insurance companies to give initial and annual notices of their privacy policies, with some exceptions. The people entitled to notice are both applicants for personal (including family and household) insurance products and actual customers for those products. With respect to disclosures of financial information, Regulation 169 is an "opt-out" rather than "opt-in" rule - the covered individuals may, if they want, opt out of certain disclosures to nonaffiliated third parties, but the covered entities are not required to get them to opt in to such disclosures. With respect to health information, the reverse is true: individuals must "opt-in" by providing authorization to disclose information, if such disclosures are not specifically permitted by the rule.

The health information protected by Regulation 169 is broader in one sense than the proposed HIPAA privacy rule. It applies to information kept in all forms, not just information stored or transmitted electronically. Other than this difference, the health information protected by Regulation 169 is virtually identical to the health information protected by HIPAA.

The proposed HIPAA privacy rule and Regulation 169 cover different entities. The proposed HIPAA privacy rule covers health care providers, health plans, and health care clearinghouses (entities which process data on behalf of health care providers and health plans). Regulation 169 covers only those entities licensed by the New York Insurance Department. This excludes health care professionals and clearinghouses, but includes health plans, as well as life and accident insurers and other insurers.

A more important difference is in the acts prohibited. The proposed HIPAA privacy rule not only restricts disclosure of health information, but also restricts certain uses, such as marketing and certain types of research. By contrast, Regulation 169 restricts only disclosures of information. Consequently, there are no limits on what internal uses Regulation 169 entities and their affiliates can make of health information. This difference extends to third party uses. While entities covered by Regulation 169 may not disclose health information to third parties without written authorization, once authorization is obtained, there are no limits on what that third party may do with the information. Unlike the proposed HIPAA privacy rule, Regulation 169 does not require a regulated entity to place any restrictions on third parties' use or disclosure of health information.

By contrast, with respect to financial information, Regulation 169 entities have the option to enter into contracts with the third parties to whom they disclose information (for marketing purposes, for example) restricting further uses or disclosure by such third parties; if such contracts are entered into, then consumers lose the right to "opt out" of such disclosures discussed above.

One important similarity is that neither the proposed HIPAA privacy rule nor Regulation 169 gives individuals a private right of action for violations of the rule. (Whether an individual may have a remedy under a different law for an act that also violates Regulation 169 is beyond the scope of this article.) Regulation 169 gives enforcement powers only to the Superintendent of the Department of Insurance. It does so by providing that a violation "shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in the conduct of business of insurance" and a violation of Section 2403 of the New York Insurance Law. The Superintendent of Insurance has the power to investigate violations of that section and levy civil penalties, but it appears that there is no private right of action under that statute. As a result, Regulation 169 provides no legal recourse to the individual whose information is wrongfully disclosed, except to complain to the Department of Insurance. If the Superintendent investigates and files charges that result in a hearing, the Superintendent may allow such aggrieved individual to intervene in the hearing, but no further remedy is given by the statute or regulation.

In summary, Regulation 169 provides protections for personal health information that are similar to, but generally more limited than, the protections in the proposed HIPAA privacy rule. However, the proposed HIPAA privacy rule is not final and will not become final until sixty days after publication (which has not yet occurred as of the date this article was written), and it seems likely that covered entities will have two to three years after finalization to comply. Regulation 169 became effective on November 13, 2000; compliance is required generally by July 31, 2001 and compliance with those provisions regarding health information is required by December 31, 2001. Therefore, until the HIPAA privacy rule becomes effective, Regulation 169 will provide at least some protection for health information (and financial information) for New Yorkers.