Lance's Corner

DFS Issues Guidance to Health Insurers on Disaster Responses

Jun 5, 2025

The New York State Department of Financial Services (DFS) has issued guidance to all health insurers, as well as other insurers, on their required responses to disasters.

Insurance Circular Letter No. 4

TO: All authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124

RE: Disaster Planning, Preparedness, and Response by the Life and Health Insurance Industries

STATUTORY AND REGULATORY REFERENCES: Insurance Law Sections 308, 1109, and 1124 and Articles 42, 43, 45, 46, and 47; Financial Services Law Section 202; and11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173)

I.  Summary

Experience teaches us that disasters – crippling storms, floods, terrorist attacks, cybersecurity breaches, pandemics – can happen unexpectedly, meaning that we must be prepared to respond at every level if such an event occurs.  This circular letter sets forth the standards expected of authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law §1124 (collectively, “addressees”) in planning and preparing for, and responding to, disasters occurring anywhere in the world, including in New York State, that could affect an addressee’s ability to continue doing business and servicing the people of New York State.  This circular letter repeals and replaces Circular Letter No. 5 (2024).  A separate circular letter covers disaster planning, preparedness, and response by the property/casualty industry.

II.  Discussion

When a disaster occurs in New York, the New York State Department of Financial Services (“Department”) provides the Governor and the New York State Office of Emergency Management (“SOEM”) with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster.  Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets.

The insurance industry has been identified as a key resource in providing early assessments of losses, damages, personal injuries, and deaths arising from disasters, and plays an important role in quantifying the magnitude of losses, damages, personal injuries, and deaths, whether insured or uninsured, and in determining the appropriate response.  Accordingly, all addressees should assist the Department with obtaining necessary information before, during, and after a disaster.

An integral part of the response to any disaster is the Department’s Insurance Emergency Operations Center (“IEOC”), which is staffed by insurance industry disaster liaisons and Department representatives, and which coordinates disaster responses.  The Superintendent of Financial Services (“Superintendent”) will activate the IEOC in accordance with the nature and extent of the disaster.  Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.

Before a Disaster Strikes

Each addressee should perform at least annually a business impact analysis to predict the consequences of disruption of any business function and process as a result of a disaster, and gather information needed to develop recovery strategies.  The business impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes and should consider the following, at a minimum, as relevant: (a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter; (b) the amount of time before which the business interruption would have an operational or financial impact; (c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, and health service providers (collectively, “customers”).

An addressee should use the results of this analysis to establish, maintain, and update as necessary a business continuity plan.  Each addressee also should perform at least annually a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State, and should use the results of this analysis to establish, maintain, and update as necessary a disaster response plan that takes into account the results of the analysis.  The business continuity and disaster response plans should be separate documents.

The Department recognizes that size, lines of business, and corporate structure vary among addressees.  Therefore, an addressee’s business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the addressee and the business it writes or conducts and should adhere to the standards set forth in this circular letter, as relevant.

The Department understands that certain addressees are members of holding company systems under Insurance Law Article 15 or are subsidiaries of parent corporations under Insurance Law Article 17 (collectively, “groups”).  An addressee may be covered under a business continuity or disaster response plan established by the holding company or parent corporation or another member of the group.  In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and its customers.  If the plan does not do so, or if, in the Department’s judgment, the plan, as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.

1.  Business Continuity Plan

A business continuity plan should, at a minimum, address the following items, as relevant:

  1. define the scope, objectives, and assumptions of the business continuity plan;
  2. address all significant business activities, including financial functions, underwriting and claims functions, telecommunication services, data processing, network services, and security and remote access, and assign a restoration priority to each significant business activity
  3. define the roles and responsibilities of addressee employees;
  4. identify the lines of authority, succession of management, and delegation of authority;
  5. address communication and interaction with employees, customers, insurance producers, independent adjusters, and other external business entities, including contractors and vendors, and any contingency plans in the event that the insurance producers, independent adjusters, and other external business entities experience a business interruption;
  6. include results of a business impact analysis;
  7. identify recovery time objectives for business processes and information technology;
  8. identify the recovery point objective for data restoration;
  9. set forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies;
  10. set forth detailed procedures, resource requirements, and logistics for relocation to alternate worksites;
  11. set forth detailed procedures, resource requirements, including a list of critical computer programs, operating systems, and data files, and a data restoration plan for the recovery of information technology, such as networks and required connectivity, servers, computers, wireless devices, applications, and data;
  12. document all forms and resource requirements for all manual workarounds;
  13. define procedures for incident detection and reporting, alerts and notifications, business continuity plan activation, emergency operations center activation, damage assessment and situation analysis, and the development and approval of an incident action plan;
  14. describe a training curriculum for business continuity team members;
  15. set forth a periodic review of the business continuity plan, including a testing schedule, procedures, and forms for business and information technology recovery strategies; and
  16. set forth a corrective action program to address deficiencies discovered as a result of testing or deployment of the business continuity plan.

The business continuity plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s: (1) board of directors, or appropriate committee thereof; or (2) governing body.

Addressees located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate worksites, in the event that their business functions and processes are disrupted as a result of a disaster.  The Department encourages this kind of cooperative approach, provided that: (1) the addressees maintain separate management and operations; (2) an addressee does not disclose confidential customer information without appropriate consent; and (3) an addressee maintains records in compliance with 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).

2.  Disaster Response Plan

A disaster response plan should, at a minimum, address the following items, as relevant:

  1. the jurisdiction in which the addressee is domiciled;
  2. the addresses of the addressee’s offices where the following is handled for policies or contracts delivered or issued for delivery in New York: (i) claims; (ii) cash value surrenders or withdrawals; (iii) policy loans; (iv) changes to annuity payouts or separate account transfers; (v) other policy or contract changes; (vi) premium payments; and (vii) any other policy or contract holder or policy or contract owner services or administration;
  3. the kinds of insurance products sold or administered by the addressee;
  4. the methodology the addressee uses for identifying a disaster and determining whether the addressee should activate all or part of its disaster response plan;
  5. the name and title of the person responsible for activating the disaster response plan and for deactivating the plan;
  6. the name and title of the person responsible for monitoring the disaster response plan;
  7. the responsibilities and reporting authority of the disaster response team;
  8. the names of and contact information for the addressee’s primary and secondary employees who are available during and after a disaster to relay information between the addressee and the Department (“disaster liaisons”);
  9. the names of and contact information for the addressee’s primary and secondary employees who have control of the addressee’s disaster operations (“disaster leaders”);
  10. the way in which the addressee trains its employees and agents to assist customers during and after a disaster;
  11. the way in which the addressee prepares staff for its responsibility to respond to changing circumstances, as a disaster enters varying stages, that will necessitate activation of different phases and parts of the disaster response plan;
  12. the way in which the addressee will provide additional or alternative claims and customer service handling capacity and procedures, including ensuring that there is adequate personnel and information technology systems;
  13. if the addressee uses an independent adjuster or managing general agent (“MGA”), then the way in which the independent adjuster or MGA will provide additional or alternative claims and customer service handling capacity and procedures, including when the independent adjuster or MGA may be located in the disaster-affected area;
  14. whether the addressee has a local or toll-free number for customers to report claims;
  15. whether the addressee has a website for customers to report claims;
  16. whether the addressee requires that there be legal counsel available to advise on coverage or claim issues;
  17. the steps the addressee will take to notify, in a timely manner, the addressee’s customers of any procedural changes;
  18. the steps the addressee will take to notify, in a timely manner, insurance producers or independent adjusters of any procedural changes made in response to a disaster;
  19. the additional or alternative communication channels the addressee will use to communicate with insurance producers or independent adjusters located in or servicing a disaster-affected area;
  20. if an addressee supplies facilities and equipment for insurance producers, then the alternate facilities or equipment the addressee will provide for producers affected by the disaster;
  21. the additional or alternative procedures an addressee will use for detecting a fraudulent insurance act during and after a disaster; and
  22. the methodology the addressee uses to test the disaster response plan and the frequency of testing.

The disaster response plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s: (1) board of directors, or appropriate committee thereof; or (2) governing body.

3.  Storage of Business Continuity and Disaster Response Plans

An addressee should distribute the business continuity and disaster response plans to all relevant employees.  The business continuity team leader and disaster leader should maintain a master copy of the business continuity plan and disaster response plan, respectively.  Copies of the business continuity and disaster response plans should be stored at a secure off-site location in a format that allows access if an addressee’s servers are down and allows for printing on demand.

4.  Filing of Disaster Response Plan and Questionnaire and Business Continuity Plan Questionnaire

By August 15, 2025, each addressee must submit to the Department a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire, pursuant to Insurance Law § 308.  Under Insurance Law § 308(a)(1), an addressee’s submission must include the signature of the officer or other executive who has responsibility for the oversight of the submission, affirming that the information set forth in the submission is true under penalty of perjury.

The Department requests that an addressee make all required submissions to the Department through the Department’s portal application.  The instructions for completion and submission of the disaster response plan and questionnaire and business continuity plan questionnaire, as well as instructions for use of the portal application, are available on the Department’s website.  An addressee should report to the Department as soon as possible any change in the information requested by submitting an updated response to the disaster response plan or business continuity plan questionnaire.

As indicated in the portal application, when submitting a disaster response plan, an addressee must document that the relevant board of directors, or appropriate committee thereof or, if there is no board of directors, then the governing body, approved the disaster response plan.  An addressee must track any changes to the disaster response plan since the last submission so that the changes are readily identifiable by the Department.  If the current disaster response plan is the same as the last plan filed with the Department, then an addressee need not submit the plan again.  Rather, the addressee must indicate in the portal application that the previously filed disaster response plan is still in effect and upload to the portal application the signed affirmation referenced above.

A disaster response plan should include the name of the addressee or addressees covered by the disaster response plan, the addressee’s National Association of Insurance Commissioners (“NAIC”) number, and a contact person’s name, e-mail address, and telephone number.  In addition, an addressee should submit a disaster response plan as a searchable document, such as an Adobe pdf file.

B.  After a Disaster

1.  Disaster Liaisons

After a disaster, the Superintendent may contact designated addressee disaster liaisons representing addressees with the greatest amount of direct written premiums in the disaster area.  Disaster liaisons should be prepared to participate in the state’s disaster response plan as follows:

  • the Department will arrange a conference call of the selected disaster liaisons, where possible, following the occurrence of a disaster to discuss the disaster’s magnitude and the scope of IEOC activation plans;
  • upon activation of the IEOC, disaster liaisons or their designees will be expected to staff the IEOC at the Department’s offices in Albany or New York City or an alternative location, as appropriate;
  • the Department will provide a fully-equipped IEOC at one of the aforementioned locations;
  • the Department will continue to coordinate communications through ongoing teleconference or videoconference calls in order to plan staffing of the IEOC, discuss with each addressee’s disaster liaison the addressee’s disaster operations, review each addressee’s disaster response plan, and discuss disaster operations and emerging issues; and
  • disaster liaisons or their designees may be expected to remain on duty at the IEOC as determined by the Superintendent in consultation with the insurance industry.

Addressee disaster liaisons should:

  • be members of the addressee’s disaster response team or manager-level employees who are familiar with addressee protocols and have access to critical information;
  • provide coverage data and claim statistics as requested by the Department;
  • be knowledgeable about addressee internal information systems and sources and authorized to access such systems, so that applicable, timely information can be provided to SOEM, the New York City Office of Emergency Management, and other emergency responders via the Department; and
  • be prepared to remain on duty during the hours when the IEOC is operating, normally from 7:00 a.m. to 6:00 p.m., or for such time periods as necessary to assist with the effective management of the disaster.  Depending on the level of the disaster, this may be a seven-day-per-week commitment.

2.  Post Disaster Coverage Data and Loss Statistics

After a disaster, the Department will contact disaster liaisons, as needed, who should provide the Department with coverage data and claim statistics.  The Department may request the data and statistics on an on-going basis as necessary.

C.  New York Information Network

On May 3, 2002, the former Insurance Department issued Insurance Circular Letter No. 12 (2002) establishing the New York Information Network (“NYIN”).  The NYIN is the main conduit through which the Department will communicate intelligence reports and other critical but sensitive information on terrorism to the New York insurance community.  As part of the NYIN, addressees’ chief executive officers (“CEOs”), or their equivalent, should designate a primary and secondary intelligence or information officer using the form available on the Department’s website.  The primary intelligence or information officer will serve as the sole liaison for all terrorism-related intelligence and information.  This person will be responsible for providing the Department with any such intelligence or information.  In instances where the Department needs to communicate sensitive information to addressees, the Department will initiate the communication through the NYIN and information will be directed to the primary intelligence or information officer only.  The secondary intelligence or information officer will serve as the back-up liaison when the primary intelligence or information officer is unavailable.  The Department will contact the secondary intelligence or information officer when critical information must be relayed to the addressee and multiple attempts to contact the primary intelligence or information officer have failed.

The primary and secondary intelligence or information officers should be senior-level executives who possess the authority to communicate directly with the addressee’s CEO (or equivalent).  A person should not serve as the primary and the secondary intelligence or information officer for the same addressee.  For addressees that are a part of a group, the designation of the primary and secondary intelligence or information officer should be done on an individual addressee basis.  While the same person may be designated as either the primary or secondary intelligence or information officer for individual addressees within a group, the designation should be entered separately for each addressee at the link provided above.

An addressee should provide the Department with updated information as soon as possible when any previously provided information changes.

III.  Conclusion

This circular letter endeavors to assist addressees with planning and preparing for, and responding to, disasters.  An addressee’s cooperation in furnishing timely and accurate responses is essential and appreciated by the Department and the people of New York State.

Please direct questions concerning this circular letter to Ashbert Carrington, Financial Services Examiner 2, by telephone at (212) 480-4702 or by e-mail to disasterplanning@dfs.ny.gov.

Very truly yours,

Adrienne A. Harris

Superintendent of Financial Services

USDOL Issues Comprehensive Employer Guidance on Long COVID

The United States Department of Labor (USDOL) has issued a comprehensive set of resources that can be accessed below for employers on dealing with Long COVID.

Supporting Employees with Long COVID: A Guide for Employers

The “Supporting Employees with Long COVID” guide from the USDOL-funded Employer Assistance and Resource Network on Disability Inclusion (EARN) and Job Accommodation Network (JAN) addresses the basics of Long COVID, including its intersection with mental health, and common workplace supports for different symptoms.  It also explores employers’ responsibilities to provide reasonable accommodations and answers frequently asked questions about Long COVID and employment, including inquiries related to telework and leave.

Download the guide

Accommodation and Compliance: Long COVID

The Long COVID Accommodation and Compliance webpage from the USDOL-funded Job Accommodation Network (JAN) helps employers and employees understand strategies for supporting workers with Long COVID.  Topics include Long COVID in the context of disability under the Americans with Disabilities Act (ADA), specific accommodation ideas based on limitations or work-related functions, common situations and solutions, and questions to consider when identifying effective accommodations for employees with Long COVID.  Find this and other Long COVID resources from JAN, below:

Long COVID, Disability and Underserved Communities: Recommendations for Employers

The research-to-practice brief “Long COVID, Disability and Underserved Communities” synthesizes an extensive review of documents, literature and data sources, conducted by the USDOL-funded Employer Assistance and Resource Network on Disability Inclusion (EARN) on the impact of Long COVID on employment, with a focus on demographic differences.  It also outlines recommended actions organizations can take to create a supportive and inclusive workplace culture for people with Long COVID, especially those with disabilities who belong to other historically underserved groups.

Read the brief

Long COVID and Disability Accommodations in the Workplace

The policy brief “Long COVID and Disability Accommodations in the Workplace” explores Long COVID’s impact on the workforce and provides examples of policy actions different states are taking to help affected people remain at work or return when ready.  It was developed by the National Conference of State Legislatures (NCSL) as part of its involvement in USDOL’s State Exchange on Employment and Disability (SEED) initiative.

Download the policy brief

Understanding and Addressing the Workplace Challenges Related to Long COVID

The report “Understanding and Addressing the Workplace Challenges Related to Long COVID” summarizes key themes and takeaways from an ePolicyWorks national online dialogue through which members of the public were invited to share their experiences and insights regarding workplace challenges posed by Long COVID.  The dialogue took place during summer 2022 and was hosted by USDOL and its agencies in collaboration with the Centers for Disease Control and Prevention and the U.S. Surgeon General.

Download the report

Working with Long COVID

The USDOL-published “Working with Long COVID” fact sheet shares strategies for supporting workers with Long COVID, including accommodations for common symptoms and resources for further guidance and assistance with specific situations.

Download the fact sheet

COVID-19: Long-Term Symptoms

This USDOL motion graphic informs workers with Long COVID that they may be entitled to temporary or long-term supports to help them stay on the job or return to work when ready, and shares where they can find related assistance.

Watch the motion graphic

A Personal Story of Long COVID and Disability Disclosure

In the podcast “A Personal Story of Long COVID and Disability Disclosure,” Pam Bingham, senior program manager for Intuit’s Diversity, Equity and Inclusion in Tech team, shares her personal experience of navigating Long COVID symptoms at work.  The segment was produced by the USDOL-funded Partnership on Employment and Accessible Technology (PEAT) as part of its ongoing “Future of Work” podcast series.

Listen to the podcast

HHS OIG Issues Annual Report on State MFCUs

Per the notice below, the Office of the Inspector General (OIG) of the United States Department of Health and Human Services (HHS) has issued its annual report on the performance of state Medicaid Fraud Control Units (MFCUs).

Medicaid Fraud Control Units Fiscal Year 2023 Annual Report (OEI-09-24-00200) 

Medicaid Fraud Control Units (MFCUs) investigate and prosecute Medicaid provider fraud and patient abuse or neglect. OIG is the Federal agency that oversees and annually approves federal funding for MFCUs through a recertification process. This new report analyzed the statistical data on annual case outcomes—such as convictions, civil settlements and judgments, and recoveries—that the 53 MFCUs submitted for Fiscal Year 2023.  New York data is as follows:

Outcomes

  • Investigations1 - 556
  • Indicted/Charged - 9
  • Convictions - 8
  • Civil Settlements/Judgments - 28
  • Recoveries2 - $73,204,518

Resources

  • MFCU Expenditures3 - $55,964,293
  • Staff on Board4 - 257

1Investigations are defined as the total number of open investigations at the end of the fiscal year.

2Recoveries are defined as the amount of money that defendants are required to pay as a result of a settlement, judgment, or prefiling settlement in criminal and civil cases and may not reflect actual collections.  Recoveries may involve cases that include participation by other Federal and State agencies.

3MFCU and Medicaid Expenditures include both State and Federal expenditures.

4Staff on Board is defined as the total number of staff employed by the Unit at the end of the fiscal year.

Read the Full Report

View the Statistical Chart

Engage with the Interactive Map

GAO Issues Report on Medicaid Managed Care Service Denials and Appeal Outcomes

The United States Government Accountability Office (GAO) has issued a report on federal use of state data on Medicaid managed care service denials and appeal outcomes.  GAO found that federal oversight is limited because it doesn't require states to report on Medicaid managed care service denials or appeal outcomes and there has not been much progress on plans to analyze and make the data publicly available.  To read the GAO report on federal use of state data on Medicaid managed care service denials and appeal outcomes, use the first link below.  To read GAO highlights of the report on federal use of state data on Medicaid managed care service denials and appeal outcomes, use the second link below.
https://www.gao.gov/assets/d24106627.pdf  (GAO report on federal use of state data on Medicaid managed care service denials and appeal outcomes)
https://www.gao.gov/assets/d24106627_high.pdf  (GAO highlights on federal use of state data on Medicaid managed care service denials and appeal outcomes)

CMS Issues Latest Medicare Regulatory Activities Update

The Centers for Medicare and Medicaid Services (CMS) has issued its latest update on its regulatory activities in the Medicare program.  While dentistry is only minimally connected to the Medicare program, Medicare drives the majority of health care policies and insurance reimbursement policies throughout the country.  Therefore, it always pays to keep a close eye on what CMS is doing in Medicare.  To read the latest CMS update on its regulatory activities in Medicare, use the link below.
https://www.cms.gov/training-education/medicare-learning-network/newsletter/2024-03-14-mlnc