Policy, Program and Procedures

  • 1.  Insurance Professionals...Claim # and PII

    This message was posted by a user wishing to remain anonymous
    Posted 10-11-2022 01:11 PM

    Good morning, 

    I have a question for fellow insurance professionals.  We've recently started discussing whether we should define Claim Number and Policy Number as NPI, when used with first and last name, due to the fact that it is a numerical identifier of potentially one individual (could also be more than one).
    • How are your teams treating Claim and Policy Number? 
    • How are you addressing the same in third-party contracts, specifically on the claims side when Claim Number needs to be disclosed as the connection between two information systems, for filing and tracking purposes, but many of the third parties don't meet security standards for NPI or are use/based, low contract value and won't budge on limitations of liability?
      • Examples would be auto, machine, building replacement cost experts, independent adjusters, private investigators, etc.
    Thanks in advance!


  • 2.  RE: Insurance Professionals...Claim # and PII

    Posted 10-12-2022 03:53 PM
    We do not define claim number or policy number as NPI as it does not appear in privacy related laws or regulations. However, as it is business information, it would fall under our category of Restricted Business Information.

    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------



  • 3.  RE: Insurance Professionals...Claim # and PII

    Posted 10-12-2022 04:52 PM

    I liked the question and Mark's answer. 

    Privacy laws may come into effect if any part of your Claims/Policy number actually includes any address component more granular than the STATE.  For structured data where "NYnnnnnnn-xx" was in the fixed field, it would not be an issue.

    In the last ten to fifteen years, there is a growing possibility where more technical formats are being used to define information using unstructured data (i.e., JSON, XML, etc.) which, if applied to policy number or claim number, any subcomponent for even a single record that addressed identifiable information more granular than state may fall under consideration as a privacy violation.

    I won't give an example of a JSON record here, but review with your technical, risk or legal teams if new apps might think it a simple idea to expand on what is included in an API or data exchange between cloud services, etc. I follow CSA (Cloud Security Alliance) and many API-focused groups to track whether there are cloud controls that focus on privacy too.

    All the best, Larry