[This Transcript is Unedited]

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

HEARING OF THE

SUBCOMMITTEE ON PRIVACY & CONFIDENTIALITY

“PRIVACY PROTECTIONS FOR MEDICAL RECORDS OF
NON-COVERED ENTITIES”

September 14, 2006

Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S [2:37 p.m.]

Agenda Item: Introductions and Opening Remarks – Mr. Rothstein

MR. ROTHSTEIN: Good afternoon, my name is Mark Rothstein, I’m the director
of the Institute for Bioethics, Health Policy and Law at the University of
Louisville School of Medicine, and chair of the Subcommittee on Privacy and
Confidentiality of the National Committee on Vital and Health Statistics. The
NCVHS is the statutory advisory committee to the Secretary of HHS on health
information policy.

On behalf of the subcommittee and its staff I want to welcome you to
today’s hearing on the implications of extending health information privacy
regulations beyond the three classes of covered entities currently subject to
the HIPAA privacy rule. I also want to extend our welcome to those of you who
are listening on the internet.

We’ll begin with introductions of the subcommittee, staff, witnesses, and
guests, subcommittee members should disclose if they have any conflicts of
interest, others need not do so, I will begin by noting that I have no
conflicts of interest.

Marjorie?

MS. GREENBERG: Good afternoon, I’m Marjorie Greenberg from the National
Center for Health Statistics, CDC, and executive secretary to the committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina,
member of the committee and no conflicts.

MS. HORLICK: Gail Horlick, CDC Atlanta, staff to the subcommittee.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the
subcommittee, no conflicts.

MS. BERNSTEIN: Maya Bernstein from the Office of the Assistant Secretary
for Planning and Evaluation, I’m lead staff to the subcommittee.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member
of the committee as well as the subcommittee, no conflicts.

MS. MCANDREW: I’m Susan McAndrew, I’m the deputy director for health
information privacy in the Office for Civil Rights and I’m privacy liaison to
the subcommittee.

MR. FELDMAN: Hi, my name is Paul Feldman with the Health Privacy Project,
I’m also the co-chair of the Confidentiality, Security and Privacy Workgroup of
the American Health Information Community.

(Introductions around room.)

MR. ROTHSTEIN: Thank you and good afternoon to everyone. Oh yes, we need
our witnesses, if you could please introduce yourselves just briefly.

MS. MEYER: I’m Robbie Meyer with the American Council of Life Insurers.

DR. WAKE: Robert Allen Wake, I’m with the State of Maine Bureau of
Insurance and I’m here on the National Association of Insurance Commissioners
today.

MR. ROTHSTEIN: Thank you, I’m sorry for that slight oversight.

This afternoon from 4:15 to 4:45 members of the public may testify for up
to five minutes on issues relating to the topic of today’s hearing or
tomorrow’s hearing when we’ll be discussing privacy issues surrounding
employment and schools. There will be no public testimony tomorrow. If you want
to testify please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 20 minutes,
after both of the witnesses on a panel have testified we should have ample time
for questions and discussion. Witnesses may submit additional written testimony
to Marietta Squire within two weeks of the hearing. I would ask that witnesses
and guests please turn off their cell phones and other electronic devices that
could interfere with our hearing.

Now the purpose of our hearing today is to explore one of the
recommendations that we made to the Secretary in our June 22nd
letter that was part of our report on privacy and confidentiality issues in the
Nationwide Health Information Network. Recommendation R-12 reads as follows,
HHS should work with other federal agencies and the Congress to ensure that
privacy and confidentiality rules apply to all individuals and entities that
create, compile, store, transmit, or use personal health information in any
form and in any setting including employers, insurers, financial institutions,
commercial data providers, application service providers and schools.

In advance of this hearing and to focus our discussion the subcommittee
distributed to each of the witnesses a list of three questions which we hope
and expect that the witnesses will address in their testimony. For those of you
who have not seen the three questions they should be in your material somewhere
and for those of you who are listening on the internet the three questions read
as follows.

First, what federal and state laws currently regulate the privacy,
confidentiality and security of individually identifiable health information
used by your organization or those you represent?

Second, if HIPAA were extended or some comparable legislation were enacted
to regulate your use of health information what effect do you think the law
would have on your operations?

And third, if instead of receiving all of an individual’s health records
pursuant to an authorization you received only those relevant to your needs how
would this affect your operations?

So those are the three questions that I hope our witnesses today and as
well tomorrow will address.

And without further, unless there is anyone on the subcommittee or staff
who has something to say by way of introduction I would like to welcome our
first and only panel this afternoon and I’d like to proceed in the order listed
on the agenda and ask that Robbie Meyer go first —

MS. MEYER: We were thinking that Mr. Wake could set the general framework
and then I could be specific with respect to life insurance.

MR. ROTHSTEIN: I always defer to my witnesses. Please, Mr. Wake, happy to
have you with us, please.

Agenda Item: Panel I – Non-Health Insurers – Dr. Wake

DR. WAKE: Thank you very much, good afternoon, Chairman Rothstein, members
of the subcommittee, I’d like to thank you for inviting me to testify this
afternoon on privacy protections for medical records of non-health insurers.

I’m Bob Wake, I’m an attorney with the State of Maine Bureau of Insurance
and I’m testifying today on behalf of the NAIC, the national organization of
chief insurance regulators of the 50 states, the District of Columbia and the
territories.

As you know for insurers which are what today’s panel is about the state
insurance departments are the primary regulators so that’s the perspective that
I’ve been asked to provide. My written testimony is focusing on three basic
areas, the general federal law framework that sets common minimum privacy
standards, the state law framework, and also just an overview of how non-health
insurers, that is to say insurers that are not HIPAA covered entities, how they
use medical information which is primarily for underwriting claims practices.

So the focus of my testimony is really your question number one. Question
number two, extension of HIPAA or other federal legislation, how that would
affect us really depends on whether it harmonizes or clashes with the
protections that already exist at the state level and our work to refine and
improve those.

And in terms of the information we receive I certainly agree, in fact I was
just on another panel last week about how the government itself uses sensitive
information but it’s my understanding that that isn’t the focus here and we are
not in the practice of obtaining blanket authorizations, we generally as an
insurance regulator don’t get very much individual medical information except
in very limited contexts. When a consumer with an issue related to their own
health privacy or their own medical care files a complaint with us we get the
information that they volunteer us and when we do an examination then under
strict confidentiality we may find ourselves looking at whatever is in the
files of the entities we regulate. So we already get medical information only
on a need to know basis so that wouldn’t affect our operations nearly as much
as it affects the industry where I imagine you will hear that sometimes you
don’t know what you need until you already see it.

So getting back to the areas in my written testimony, at the federal level
it really starts with Gramm-Leach-Bliley. Title V of Gramm-Leach-Bliley was the
first comprehensive federal privacy initiative protecting insurance consumers,
I guess there have also been some things in Fair Credit Reporting Act that
predate that but that doesn’t focus nearly as much on health information.

Gramm-Leach-Bliley as you know establishes a comprehensive regulatory
framework for the entire financial services industry. As it applies to the
insurance industry it builds upon and expressly reaffirms the McCarran-Ferguson
Act which establishes the states as the primary regulators of the insurance
industry in interstate as well as intrastate commerce.

So Gramm-Leach-Bliley overall replaced the former system of entity based
regulation with a functional regulatory approach. What this means is under the
former entity based approach each financial institution, which is
Gramm-Leach-Bliley’s catch all term for all regulated entities in the financial
services industry, each financial institution was required to specialize in one
sector of the industry under the oversight of a single regulator and there were
laws in place to put firewalls between the different sectors, this was the
Glass-Steagall law of the Depression era. It was felt that some of the abuses
that had led to the crash of ’29 could be mitigated by making everyone
specialized and having one regulator closely watch them.

It was perceived that in the modern marketplace that didn’t work so
Congress tried a different approach in the late ‘90s which is functional
regulation, entities can operate either directly or through affiliates in
multiple sectors of the industry and when they are issuing or selling insurance
contracts then we as the functional regulators of the insurance industry
oversee those activities. So we’ve got primary jurisdiction over insurance
companies, insurance agencies and other traditional insurance licensees, but we
also engage in functional regulation, if for example a bank is selling
insurance and conversely if an insurance company has a banking subsidiary that
would be regulated by the federal banking regulator.

So Gramm-Leach-Bliley as it applies to privacy, that’s Title V. One of the
things Congress was looking at and folded into Gramm-Leach-Bliley was
establishing national minimum privacy standards for the sensitive information
that all financial institutions acquire, so Title V places strict limitations
on the disclosure of non-public personal information to non-affiliated third
parties and generally with limited exceptions requires the consumer to be given
an informed opportunity to opt out of disclosures to non-affiliated third
parties.

Title V further requires all financial institutions to send their customers
written notices at least annually describing the kinds of non-public personal
information they collect, their policies governing disclosure of information to
third parties, consumers’ right to opt out where they have one, there are some
situations where Gramm-Leach-Bliley doesn’t give them the right to opt out, and
then also the measures they take to protect the confidentiality and security of
this sensitive information.

Now one issue which I’ll be getting back to later with the state framework
that comes up with Gramm-Leach-Bliley is that the drafters of Title V were
looking at non-public personal financial information. That’s sensitive enough
but insurance companies collect information that banks and lenders don’t need
to collect. Many branches of the insurance industry use health information for
a number of purposes as Ms. Meyer and I will both be discussing and that means
that special protections are required that weren’t built into
Gramm-Leach-Bliley. So when I get to the story at the state level we’ll be
going back to the need for extra protection for health information.

As noted in the written statement each functional regulator is given the
authority to conduct rulemaking to implement the privacy title and required to
establish standards both for consumer privacy and information security. And
when the state insurance regulators were confronted with that mandate we added
an additional overlay of protection for health information for the reasons
discussed. But the core standards that all the functional regulators were
required to deal with were more detailed provisions on what has to be in these
annual information practice disclosure statements, how the opt out procedure
works and the form and contents of these notices of information policies and
practices that everyone receives.

State insurance departments are the only state based functional regulators
under Gramm-Leach-Bliley and we’re in a very unique position as state
regulators of the national industry and that’s one of the reasons the
activities of the NAIC are so important where we can get together, share ideas,
and develop a common national framework coming from our perspective as state
regulators, and we work closely with the industry and with consumer groups in
setting these standards.

And then for health insurers additional federal privacy requirements are
imposed under HIPAA. Now as Robbie explained in her testimony even though life
insurers are only subject to regulation as HIPAA covered entities, if they
write something like a long term care product their acquisition of personal
medical information is going to be governed by HIPAA because they get them from
patients and from providers. But in terms of who’s actually directly regulated
by HIPAA that would be by and large the health insurance industry and one of
the recurring themes in this afternoon’s panel is medical information, its
collection and use within the insurance industry, is not limited to health
insurers and state regulators and the industry have been well aware of that and
have developed a privacy framework for this purpose.

So just briefly going through the framework, the privacy rule was something
that was mandated for either Congress or HHS to do back in 1996, since Congress
did not act there was springing(?) rulemaking authority which went into place
for the Department of Health and Human Services, issued regulations in the last
months of the Clinton Administration, instead of rescinding the regulation the
Bush Administration chose to work from that as a base and make modifications
and this is the HIPAA privacy regulation we’re all familiar with now. It
protects all, the term of art is individually identifiable health information
however transmitted by a covered entity or its business associate, sets a
national standard for privacy health information, the extent it’s maintained by
health plans, health care clearinghouses and regulated health care providers.
So again, for the insurance industry that mostly means health insurers.

Now state insurance information privacy protections were not limited to
health insurers, they weren’t entity based, but before HIPAA and
Gramm-Leach-Bliley they did vary widely from state to state and interpretations
also varied widely. The NAIC did conduct a comprehensive effort to develop
privacy standards in 1980 and revised those in 1982, and about a third of the
states enacted the NAIC model privacy act. In particular although the privacy
act similar to Gramm-Leach-Bliley allowed most personal information to be
disclosed on an opt out basis for marketing purposes health information was
among the items that was specifically protected by an opt in standard.

In Maine we were one of the last states to adopt this model regulation, we
adopted it in the late 1990s, not long before Gramm-Leach-Bliley, and the
reason for this history, it started with a genetic testing bill and the
insurance industry said we’ll be happy to work with you on privacy standards,
there’s already a set of national privacy standards that many states have
adopted and we’re used to operating under that framework, we’ll work with you
to enact the model act in Maine. I worked on helping draft that and trying to
bring the consumer protections up to date in light of 15 years of intervening
knowledge.

One thing we did include in that in our version of the bill was a standard
that disclosure be limited to the minimum necessary to accomplish a lawful
purpose and we were going to, the NAIC at this time was just finishing up the
model health privacy regulation, this was started in 1994 when there was no
comprehensive health privacy legislation in place but a strong perception at
all levels that this was important. Because HIPAA was passed in the middle of
the process it ended up being more a guidance document than something that was
actually enacted in the states but it was one of the prototypes for HIPAA. It
almost got incorporated into the main privacy law but the legislature said
since this is still a work in progress come back to us if you want to adopt
this when the final model has been adopted and instead that was when
Gramm-Leach-Bliley and the HIPAA privacy regulations were setting standards so
we didn’t need it.

So this is where we are, after Gramm-Leach-Bliley the states got together,
developed a model privacy regulation implementing Gramm-Leach-Bliley, and as
discussed earlier and in the written testimony the biggest difference between
that and the federal Gramm-Leach-Bliley implementing regulation is that it
contains specific additional protections for health information. Something like
this was enacted in every state that didn’t have an even stronger privacy
statute so this would be about 40 states adopted the Gramm-Leach-Bliley privacy
regulation as developed by the NAIC, we’ve got 18 states, so there’s some
overlap, that have the 1980 model act and have developed procedures. We had a
caucus of the model act state to work on common protocols for harmonizing this
with Gramm-Leach-Bliley, so all states have some regulations that meet the
standards of Gramm-Leach-Bliley and also provide an additional layer of
protection for health information. In addition both HIPAA and
Gramm-Leach-Bliley mandate information security regulations.

So that’s the basic federal and state framework, I can flesh out more at
question time but I’d like to take at least a few minutes to remind people
where medical information comes into the process apart from the most obvious
place which is health insurance itself which deals with health information all
the time 24/7. Other lines of insurance that rely on the insurer’s medical
condition in various ways are life insurance and annuities and disability and
long term care.

The entire life and health insurance hemisphere of the industry relies on
medical information in some way. Disability insurance and long term care
insurance, the benefits are keyed to a patient’s medical condition and in the
case of long term care insurance the benefits consist of the delivery of health
care. Disability insurance is income replacement so that’s a different story.
Life insurance and annuities, the benefits are financial and for life insurance
the claims trigger is easy to diagnose, it’s when the patient is dead, however
even there you may have things like preexisting condition exclusions or
questions of application fraud where the application history where medical
history is still important, you do need to know more than is this person still
alive.

And pervasively in all these lines of insurance medical information is
crucial to the underwriting process, in other words the evaluation of the risk
of is this person insurable, is this person a preferred risk, a standard risk,
a substandard risk, how much do we need to charge for this in order to be able
to pay benefits. So they need to gather this information, we in the government
recognize they need to gather this information, and they recognize that this is
very important sensitive information that they need to take care of. So the
laws are written in that framework.

But finally one other use of health information that we need to think about
is that health information is at the center of the life and health hemisphere
of the industry but on the other side, the property casualty industry, insurers
also need to deal with health information. You don’t need to submit a health
questionnaire usually in order to get auto insurance although they might ask
about certain conditions that make you a dangerous driver, we need to be
careful of that. You don’t need to submit medical information for homeowner’s
insurance but for liability insurance and worker’s compensation insurance
health information, and very sensitive health information, can be at the heart
of the claims process. So just about any insurance company comes across health
information at some stage with some of its insureds, they need to recognize the
sensitivity, we need to recognize it and we need to plan for it and that is why
the states have already developed comprehensive privacy protections with
recognition of the fact that the entire insurance industry at some stage or
other tends to deal with health information in a way that other financial
services entities do not.

Now like other regulators and other industries we’re also recognizing that
information security protections need to be refined to keep pace with the kinds
of risks that have recently arisen and this is something we are very actively
considering, like all regulators dealing with issues like security breaches,
which is another area we’ll need to deal with with privacy protections.

I think that’s my allotted time so if it is I’ll turn it over to Robbie.

MR. ROTHSTEIN: Well thank you very much and we’re going to hold the
questions until after both of you have finished. And before I ask Robbie to
give her testimony for the record I should mention that I’ve known her for at
least ten or 15 years and she has written a chapter in a book that I published
in 2004 but I don’t believe that that’s going to inhibit me from asking some
questions later.

Agenda Item: Panel I – Non-Health Insurers – Ms. Meyer

MS. MEYER: Nice to be here, my name is Robbie Meyer, I’m an attorney for
the American Council of Life Insurers and for those of you who aren’t familiar
with the ACLI, ACLI is a national trade association, at the present time we
have 377 members, they account for 91 percent of the industry’s total assets so
we’re essentially the primary association for life insurers in the United
States. We very much appreciate the opportunity to appear before you today to
talk to you about the ways in which life insurers use medical information and
the federal and state laws that Bob has already talked about that provide a
very broad, very comprehensive regulatory framework for the way in which we get
it, the way in which we keep it and the ways in which we can disclose it.

As Bob also said we have a very long history of dealing with highly
sensitive information, the life industry has long supported strict rules with
respect to our information practices particularly with respect to medical
information. At the same time it’s imperative in order for us to serve our
customers and to perform basic functions that we be able to obtain this
information, use it and disclose it in a limited basis very responsibly in
order to conduct very basic legitimate insurance business functions. We have
strongly supported almost all the privacy laws that I am going to discuss and
that do provide this very comprehensive for our practices in relation to
medical information.

As a result of that we believe respectfully that life insurers’ use of
medical information belonging to consumers is already adequately and
comprehensively protected by really the plethora of laws that govern our
information practices relating to particularly health information. As I’m going
to explain in a few minutes in our view it’s very interesting, these laws all
kind of fit together. HIPAA governs life insurers’ ability to obtain protected
health information because the fact is is doctors and hospitals can’t release
the information to life insurers, disability income or long term care insurers
unless their authorization forms are fully compliant with the HIPAA privacy
rules.

There are other laws that also govern our ability to get the information
but in essence it’s the HIPAA rule that governs our ability to get it, then
they have a host of all these other laws that some of which also address our
ability to get the information but almost all of them then govern our ability
to disclose the information, so really what you have is a real fit with respect
to life insurers, DI, long term care insurers, which you may not have with
respect to other entities. HIPAA to get it, then you have the
Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the NAIC models that
implement the Gramm-Leach-Bliley Act, and a host of disease specific state
privacy laws that also govern our ability to disclose it.

Interestingly, and I’ve not done a side by side along this but if you do
take the body of law that regulates life insurers’ information practices what
you end up with is a framework very similar to that which is set forth in the
HIPAA privacy rule. I mean you have some, you have health care ops as opposed
to legitimate insurance business functions but essentially the framework is
very, very similar.

Our medical information privacy as I said without detailing it reflects the
fact that we have a very long history of recognizing that consumers care a
great deal about our use of and the way we maintain the security of their
health information, just like their financial information, but as Bob said we
fully recognize that consumers have particular and understandable concerns that
we use their health information responsibly. We have a set of principles that
support, that articulate our very strong support for very strict rules with
respect to our ability to obtain and responsibly disclose health information on
an as needed basis. We also support laws that would prohibit our ability to
share medical information for marketing purposes or to an entity that would
determine someone’s eligibility for credit.

I thought I would start with our uses of the information and then go into
the laws that govern those uses, and as Bob said our life insurers’ major
concern with health insurance is that we need it to be able to fully and fairly
underwrite. And it’s worth mentioning that medical information, our ability to
obtain and use medical information does indeed lie at the core of the risk
classification process and that process lies at the core of our ability to make
our products widely available at affordable prices.

What I did not address in my written comments, I think this is the only one
of the three questions I didn’t address, was this idea that we should only be
able to get information that’s relevant to our needs. And Bob hit the nail on
the head, part of our problem is we don’t know what we don’t know particularly
in the underwriting process but also in the claims process until we get the
information, medical information as part of an application, we don’t know
what’s totally relevant and then sometimes we need to go back.

We would also be concerned and I think we said this in our voluminous
comments in connection with the HIPAA privacy rule, we would be very concerned
about another entity, a health care provider, that’s not familiar with risk
classification determining the minimum necessary or what’s relevant. So it
would be very difficult to fold into the law limitations on our ability to
underwrite based on relevant information or to evaluate claims based on
relevant information because you can’t anticipate it up front plus the entities
that are disclosing and the individual people in those entities understandably
don’t know what’s going to be relevant to risk assessment.

Other uses of medical information by life insurers, as Bob pointed out we
do indeed use medical information for a number of legitimate insurance business
purposes, notably for claims evaluation for administration. We also use this
information because it’s embedded in our policy files in connection with the
performance of a number of legitimate business functions, maybe not necessarily
related to a particular policy but also imperative to our ability to most
effectively and efficiently serve our prospective and our existing customers.

And sometimes, and I go into some detail on this in my written comments,
sometimes often companies use either affiliates or non-affiliated third parties
to perform these functions for them because they’re the best ones to do it,
they can do it most efficiently and most effectively, and the benefits of those
efficiencies devolve to our customers. So there are other, one basic functions,
certainly claims evaluation, certainly policy administration, but also uses and
disclosures that devolve from the fact that the medical information
understandably is part of the file.

Related to this there’s certain disclosures that we have to make, we are
required to make certain disclosures to state insurance departments, we as a
matter of public policy make disclosures to state guaranty associations that
pay claims when an insurer becomes insolvent. We make disclosures to prevent
fraud, we make those disclosures to law enforcement agencies, to the medical
information bureau. We also make disclosures in connection with mergers, much
of this is very similar, I quickly took a look at the definition of health care
ops and the HIPAA privacy rule and many of these same things are listed, maybe
the words are different, very similar to what’s listed in the HIPAA privacy
rule. We do when there are mergers and acquisitions of insurance companies,
medical information is part of the file so when the file goes over to the new
company the medical information is in the file.

Similarly in connection with reinsurance arrangements depending upon the
nature of the reinsurance arrangement, re-insurers assume the risk, re-insurers
are evaluating underwriting practices, medical information goes to the
re-insurer. These are limited disclosures but they are absolutely critical
disclosures and I felt I should mention these to you because they do fall
within the rubric of ways in which life insurers use this information other
than just for underwriting.

Existing privacy laws, Bob has hit on a lot, most of them, in fact almost
all them, but I do look at it from a different perspective as I said before, I
think that the body of law applicable to life insurers really fit together. As
I said HIPAA governs life insurers’ ability to get the information and then
there’s this plethora of both state and federal laws that govern our ability to
use it and then to subsequently disclose it.

I went into some detail in my written piece on the Fair Credit Reporting
Act, very complicated body of law particularly as it relates to medical
information but very recently amended by the Fair and Accurate Credit
Transactions Act, the FACT Act, in 2003, and in those amendments it really did
enhance the protections for medical information. And it’s a very circular piece
of legislation and obligations of entities are very much tied to whether or not
the information constitutes a consumer report, the definition of which is three
pages, and whether or not entities are consumer reporting agencies. But long
story short and pertinent to you all’s inquiry this is but another body of law
that does indeed govern life insurers’, as well as other entities, ability to
both get medical information and to share that information.

I think it’s also worth noting that the primary reason for the HIPAA, I’m
sorry, for the FACT Act amendments to the FCRA with respect to medical
information privacy was really to address concern about medical information
being used by creditors to make determinations about eligibility for credit,
not applicable to insurers but something that I thought was worth noting
because I would think that would be a concern, it seems to be a global concern
about medical information being used for credit purposes and there’s an express
provision in there that prohibits creditors from that use.

In making those amendments to the Fair Credit Reporting Act the definitions
of medical information and consumer report were significantly broadened to make
frankly the definition of medical information very similar to the HIPAA
definition, to also include references to information that relates to receipt
of medical products and services. And very significantly from our perspective
it took into account and exempted from the definition of consumer report
disclosures of medical information for insurance purposes.

They also added in the FACT Act to the FCRA a limitation on consumer
reporting agencies disclosing consumer reports with medical information to
insurers unless there’s affirmative consent from the subject of the
information, so they require that the consent not just be there but that it be
affirmative consent. Also added in language regarding redisclosure of medical
information by insurers and by third parties to whom insurers disclose and
require that there cannot be such redisclosure unless it’s necessary to carry
out the purpose for which the information was initially disclosed or otherwise
permitted by statute, and again added in that prohibition on creditors’ use of
medical information for credit purposes.

GLB as Bob said did create this very broad regulatory framework for
disclosures by financial institutions to non-affiliates of non-public personal
information meaning mainly financial information but as Bob said when the NAIC
looked at this, and we worked very closely with the NAIC in the development of
this model, the NAIC model included specific and very strict rules with respect
to disclosure of health information for purposes, other insurance business
purposes, and requires an opt in for that purpose. Of the 40-odd states that
have adopted this model 28 of those states have adopted the medical privacy
piece, so here again you have very express provisions for get the information
from HIPAA and then the health information privacy rules require an opt in for
disclosure except for a very express list of business functions.

The GLB also as Bob said imposed on the regulators this obligation to
develop standards to also protect the security of customer information, the
NAIC also developed the NAIC model safeguards reg to accomplish this, that
regulation has been adopted in 36 states. And then in addition to that the NAIC
developed as Bob was saying before GLB was enacted the old NAIC model privacy
act which provides a very broad regulatory framework governing insurers’
ability to obtain, redisclose, grant access and correction rights, a host of
obligations applicable to insurers, and that old act has been adopted in 18
states.

So you really do have a host of general laws governing insurers’
information practices and then across the country there are a host of other
disease specific laws, genetic testing laws, the HIV laws, and there are all
those domestic violence laws that require in many cases specific consent to
either get the information or to disclose it.

So just to conclude ACLI member companies support strict privacy laws
governing our information practices, particularly with respect to medical
information, have worked very hard in connection with the enactment of many of
these laws. We do respectfully submit that we feel that the body of law created
with respect to our practices adequately and in fact comprehensively protects
consumer information held by life insurers.

Thank you.

MR. ROTHSTEIN: Thank you very much and now the floor is open for questions,
we’ll go sort of clockwise beginning with Dr. Tang.

DR. TANG: Thanks. I have a series of questions along one theme because the
primary message that you started with and concluded with is that there’s a body
of law that already protects it and you drew analogy to HIPAA, so I have a
number of things that in my mind just not being familiar with that law in your
field that apply in HIPAA that I’d appreciate knowing in your field.

So the first one is very simple, HIPAA actually dictates the point size,
the font size, of the notice of privacy practices and sort of the content needs
to be in plain language in 12 point font to explain what an organization does.
I think it’s common that we say well in life insurance there’s all this fine
print and included in that is this MIB. Why wouldn’t you do the same thing like
put it out in front and let people know about it with the same plain language
and readable font?

MS. MEYER: Well indeed the NAIC model GLB privacy regulation, and I haven’t
gone through it lately but it is very specific about the requirements of our notice
of information practices. I don’t recall that it requires, provides for a
specific font but it does indeed subject us to very definite requirements of
providing very clear notice of our information practices to our customers.
We’ve tried to, and financial institutions generally try to maintain some
flexibility with respect to the nature of the notices so they can be specific
to their particular practices, but indeed we already under the
Gramm-Leach-Bliley, the federal law itself, and then under the
Gramm-Leach-Bliley insurance regulation adopted in 40-odd states, are required
to provide this notice, and indeed we are also required to provide notice under
the old privacy act. So the notice is really required across the board —

DR. TANG: My question is very specific —

DR. WAKE: I actually have to say there is a tradeoff because we require
certain things to be clear and conspicuous but thinking back on privacy notices
I have received from my financial institutions, from my banks and credit card
companies, I know that there’s no specific requirement that it be in 12 point
type, and that would frankly be a lot of paper.

I would say further that I think you were on this group, we had a
regulatory industry group trying to post mortem what was actually happening
with the Gramm-Leach-Bliley notices and certainly evaluating and encouraging
plain language disclosure and frankly we didn’t get as far as I and some others
might have wished although we made some proposals but I would say a lot of that
was because of non-plain language that was dictated by Congress and I would
also say I have seen HIPAA notices with the abbreviation PHI in them and I will
bet that at most five percent of us patients were able to read past PHI —

MS. MEYER: Also it’s been pointed out to me in the rules of construction our
notices are required to be designed to call attention to the fact that they are
indeed a notice and the specific examples in the rules of construction provide
that a licensee, an insurer, designs its notice to call attention to the nature
and significance of the information in it, that the licensee uses a plain
language heading to call attention to the notice, uses a type face and type
size that are easy to read, provides wide margins and ample line spacing, uses
bold face or italics for key words, and in a form that combines the licensee’s
notice with other information uses distinctive type size, style and graphic
devices such as shading or sidebars. So I think we’re pretty much there.

DR. TANG: Actually my question was very specific, it’s the fine print under
signature that says you’ll disclose it to MIB and I’m sure it’s not in 12 point
font. But let me move on because that was the simple question.

MS. MEYER: I’m sorry, I thought you were asking about —

DR. WAKE: We do prohibit that part of the notice from being smaller than
the rest or hidden away, so if you see these and you think it is deceptive or
hidden call your insurance department.

MS. MEYER: But I will say are you drawing a distinction between privacy
notices and authorization forms, we were speaking to the required privacy
notices —

DR. TANG: And I was referring to —

DR. WAKE: In model act states there would be a disclosure related to the
MIB, I’m not sure that in Gramm-Leach-Bliley, in pure Gramm-Leach Bliley states
don’t have anything in particular that addresses the MIB.

DR. TANG: The second question goes to the MIB and that’s the reason why I
was interested in explaining MIBs to applicants and that is I don’t know that
people know that it goes to the MIB, I don’t know that people know, I certainly
don’t, what information is in the MIB, and in HIPAA what happens is we all have
guaranteed access to our medical record, do we have guaranteed access to the
contents of the MIB on our behalf? And the other thing that would be of
interest is the audit of who is looking at our information in the MIB because
we have this requirement —

DR. WAKE: So the question is about the law —

MR. ROTHSTEIN: Excuse me, before we get an answer to the question and we’re
being broadcast on the internet, could you explain what the MIB stands for and
exactly what’s in there, that might be helpful.

DR. TANG: So all I know is that it stands for medical information bureau
and I would like to know —

DR. WAKE: And again Robbie can say more about exactly what the MIB is and
does, I know I obtained access to my MIB file because I was curious and at the
time there was absolutely zippo in it, it was before I applied for my first
life insurance policy. But in states that have, in the 18 states that have the
1980 model act there is a specific right for access to your MIB file, it’s my
understanding that as a matter of operating policy the MIB discloses its files
voluntarily in the other 33 states but I’m not sure.

MS. MEYER: And I certainly am not an expert on the MIB but I can tell you
what I know, the medical information, the medical information bureau is set up
to detect and prevent fraud. It obtains information from insurers and then
codes it, places it into codes and then has very, very elaborate as I
understand it, I can get you more details on this, protocols for the manner in
which other insurers can access this information, I mean they have to call in
with a special code and the ability for outsiders to access this information is
extremely limited and is very tightly guarded. And it is also my understanding,
and I can check on this, that indeed the fact that this information is going to
be disclosed in the ordinary course of business and to the MIB is on
application forms that individuals —

DR. TANG: Correct, and that goes back to my point. So again, my line of
questioning is comparing it to HIPAA so HIPAA does guarantee to all, not just
the model states, and it’s a full disclosure and not relying on voluntary
disclosure, so that’s sort of another comparison. So another principle of HIPAA
is the need to know test, the idea that we don’t know what we don’t know, need
to know and asking for everything then, let me guess that in your underwriting
process you almost, it’s almost formulaic in the sense that you have certain
variables you look for that predict the risk of an individual and one could say
for the important variables in that formula you could ask for those so that it
can feed into your underwriting process versus asking for everything under the
you don’t know what you don’t know kind of theory. So I’m wondering why,
wouldn’t it make sense —

MS. MEYER: To my knowledge it is not formulaic, now if you buy a certain
size policy they do more or less underwriting but there are not certain
conditions that they ask about and that they look at. They do need to know
what, the whole body of information that may or may not be relevant, at the
same time the vast, vast, vast majority, now we’re talking about life insurance
now, the vast majority of folks who apply for life insurance coverage get it
and the vast majority of those get it a standard or better rates. So it is a
different situation than where there are availability concerns or used to be
perhaps with other forms of coverage.

We don’t know, it is not formulaic and also to think that you would have
someone in a hospital, a very busy person in a hospital or a doctor’s office
that’s going to make a determination as to what’s going to be relevant to an
analysis just would not work, first of all they don’t have the time or the
knowledge or the expertise appropriately to make this analysis. And another
relevant point is that not only are we subject to these very strict laws with
respect to keeping the information secure, keeping it confidential, but there’s
another whole host of Unfair Trade Practices Act that govern the way in which
we use the information, so if we get irrelevant information and it’s not
relevant to the risk then it would be an unfair trade practice for us to make
an underwriting decision based on that information. So if I seem like I’m
definite, this question of the information we can get in order to underwrite
really gets to the core of how we do our thing, so it’s a real fundamental for
our industry.

DR. TANG: So let me look at another perspective, you talked about the
re-insurers and others —

MR. ROTHSTEIN: Excuse me, Paul, may I jump in and just follow-up on this
point and then you can make the re-insurer issue. I don’t want to drop this,
this is our question number three and that’s could the information be limited.
Robbie, I assume you’re familiar with tele-underwriting?

MS. MEYER: Not very.

MR. ROTHSTEIN: Well, tele-underwriting has been started by many life
insurance companies that found that it was too expensive to actually have a
physician or a nurse draw blood, get the medical records, go through it, so
voluntarily and as a way of saving money they hired, and I’ll spare you the
names of the vendors, some third parties, well known sort of lab type
companies, that put together a formula of the dozen or 15 major questions that
you would want to have from an applicant. Are your parents living, what did
they die from, do you have a history of cancer, heart disease, do you smoke,
and we can imagine what those questions might be.

And following this computerized script the company calls the applicants and
if they get a negative answer on all the questions the policy is issued without
any release of medical records. So it seems to me that the industry already
voluntarily is adopting the notion that they don’t need the whole file, it’s a
waste of money and time to go through the whole file, and that a discrete,
expertly selected type of information could be disclosed.

And if I may let me just give you the context for why this hearing is
taking place because it relates to this particular point, and I don’t speak in
this first point necessarily for my colleagues but I’m less concerned about the
inappropriate underwriting policies of companies, I don’t think people are
getting denied coverage when they ought to get coverage and that you’re using
crazy things to deny them coverage. I’m not concerned that you’re taking
medical information and selling it and doing all sorts of nefarious things with
it and that the confidentiality is breached. What I am concerned about is the
following, the game is changing in terms of medical information, as we go to
electronic health records the scope, the quantity of information that anybody
gets, anybody meaning anyone who can require the execution of an authorization
because they want life insurance, they want a job, they want all the things
that we’re going to look into, so you’re going to be able to get much more
longitudinal data and the quantity of information is going to increase
dramatically, it’s not going to be the same medical records that you’ve gotten
before and included in that is a lot of arguably old irrelevant no bearing on
mortality risk very sensitive stuff.

And so our committee wants to explore the possibility that there’s some way
electronically, not that would be imposed on the industry but I mean at least
personally in my view that industry leaders, the AIM(?), the NAIC, and computer
experts could design, so that you press a button and only that stuff from the
medical record electronically gets to the company rather than everything that
doesn’t have any bearing. So that’s sort of the context for question three and
it seems to me that at least to some degree the industry is recognizing that
they can move to that.

DR. WAKE: And some of this cuts both ways because I have seen a case for
example where an insurer obtained very irrelevant, very old and very sensitive
medical information and tried to use it to essentially browbeat a claimant into
settling on more favorable terms. That insurance company was given a rather
stiff fine when that came out so there is the problem of irrelevant
information. On the other hand if you ask a provider just release the relevant
information that’s dangerous at the other end because the provider’s overriding
duty —

MR. ROTHSTEIN: Well, I understand that —

DR. WAKE: — is the best interest of the patient.

MR. ROTHSTEIN: If you have a paper record system that is, it’s impossible
for anybody to decide what’s relevant and to filter things in and out. The
potential of an electronic system is that you can do that much more easily we
think.

DR. WAKE: If a provider who is thinking globally about the best interest of
the patient knows which codes are going to be disclosed for purposes adverse to
the patient and which codes are not and the provider has a choice, again, if
it’s an ethical provider as most providers are it’s going to be on the gray
areas. Some providers frankly, big story in Texas, national litigation, some go
beyond the gray areas.

MS. MEYER: And how do you define what is and isn’t relevant, I mean that is
a major —

MR. ROTHSTEIN: It’s being done today.

MS. MEYER: I don’t know how many insurers are doing that but the beauty, I
like to say this all the time —

DR. WAKE: But he is proposing that it can —

MS. MEYER: By virtue of the fact that some companies are doing it, and I’m
not saying they won’t do it but I think one of the beauties of them are the
life market is the fact that everybody does their own thing and what’s
relevant, what’s appropriate underwriting for one company for one type of
product is not necessarily going to be relevant —

MR. ROTHSTEIN: I understand your point, if you’re talking about a $10,000
dollar policy versus a $10 million dollar policy that’s one thing but it
strikes me that the position that we need it all because we have to, we don’t
know what’s in there and so on and so forth, personally I would say that’s no
longer defensible given the magnitude of the information that’s going to be in
medical records and that the industry needs to endorse these steps that its
already taken voluntarily to see if there is a way that they can get what they
need without getting the stuff that they clearly don’t need.

DR. WAKE: Actually my instinct is that the stuff that we really need to
protect is stuff that’s already in traditional paper records, what I could
imagine but I’m shooting from the hip so maybe I shouldn’t be saying this on
the internet, but I could imagine having several specific CPT codes where there
is a presumption, have the computer search for these codes, flag them, and say
don’t disclose them if they are more than X years old without a specific
showing of the need to know. I’m not sure you can go much further than that but
maybe the medical community and the consumer community and the insurance
community working together could go further than that.

MR. ROTHSTEIN: And one of the things that we’ve recommended, and I’ll just
finish up on this because other people have questions but I wanted to follow-up
on this point, I think this is a fertile area for research and for public and
private research to see if accurate medical underwriting can be done under sort
of different, based on different assumptions and so on. No one wants to make
sort of guesses to who to cover and how much to charge them or anything but my
concern is not to have too much disclosed. Not that you’re going to redisclose
it necessarily or whatever but there’s certain information that shouldn’t be
disclosed to anyone. Paul —

DR. TANG: It’s still on the minimum necessary again, trying to apply what
we do as clinicians, and so you mentioned reinsurance as one example where you
have to share all the personal files. I would guess that just for, a re-insurer
would want to know what is my risk in re-insuring, being a re-insurer for your
company or someone merging with you needs to know your total risk so I know my
financial liability. It seems to me that you would only need aggregate data to
make that decision versus all the individual files and perhaps you can help
illuminate that.

MS. MEYER: Well, I am out of my depth on reinsurance, and I don’t know Bob
if you’re an expert, but it depends on the nature of the arrangement and there
are different types of arrangements, where they get aggregate information,
where they do individual underwriting, but there are, as I understand it there
are certain situations where they do do actual individual underwriting or they
go in and make sure that the primary carrier, the carrier, the direct carrier,
they go in and they check to see if they’re underwriting pursuant to the
re-insurer’s guidelines, so they check the files so they go in and they see the
actual files. On a merger and acquisition then the file is just moved to the
new company so the information, by virtue of the fact that the information is
in the file it moves, the whole file moves —

DR. WAKE: It is different though, if you’ve got a consummated merger and
acquisition obviously new company needs and will have all the records of old
company, that’s no-brainer, the question is if you’re doing due diligence for a
potential or in progress merger and acquisition and frankly in that case I
would want to drill down and closely audit a representative sample of actual
claim files. You might also need that for similar reasons for a high stakes
reinsurance transaction with, especially with a new partner, and sometimes for
a facultative reinsurance contract, that is to say one that focuses on a single
account, you want to know something about that account. So there are situations
where you’d want to know more than aggregate, essentially you’re saying you
want to know what the risk is, well, if you want to know what the risk is that
means you want to know what the primary company knows. Sometimes that’s just a
high level summary but sometimes you need to drill down in order to know how
well you trust these numbers and I have seen looking at insolvencies what
happens when you don’t.

MS. MEYER: And one point to be aware too, re-insurers are insurers so
they’re subject to this whole body of privacy laws just like other insurers
are, so we said re-insurance arrangements but they are insurers subject to all
of the privacy laws —

DR. WAKE: That is very important and in fact if you look at the business
associate concept in HIPAA I don’t know what other sources it may have come
from but I know that we developed something similar to an ancestor of the
business associate concept while we were working on the privacy regulations and
while we were working on the domestic violence victims protection regulations,
the idea that here is some sensitive information, if you’re letting it out of
the bottle you want to build a bigger bottle around it that it stays within.

DR. TANG: Thank you for your indulgence, I just want to observe that based
on just this series of questions I don’t think the uniformity guarantees that
we have in HIPAA apply to health information is very similar to what you have
in your industry just based on this but certainly open to further information.

MR. ROTHSTEIN: Okay, Harry?

MR. REYNOLDS: A couple things, one, thank you very much, you obviously know
your subject very well. So now I’m going to ask you to step over here with us
because I think you did a great job from where you sit, step over with us and
step over with us talking to the general consumers. So as I try to look at the
HIPAA privacy, and I’ll read a statement out of a letter we’re working on right
now that we discussed yesterday, support a public awareness campaign that
educates the public, that a Nationwide Health Information Network is ta da ta
da ta da ta da. Obviously we’ve all seen the HIPAA privacy rule in action in
real offices and in real situations and people don’t get it. So as we’re trying
to roll out, and I think Mark hit on it well and Paul did too so I’m playing,
I’m not asking a lot of my initial questions because they kind of covered them.

So we’re talking to consumers and that same person deals with everything
that you’re dealing with, that we’ve all talked about, so how does that person,
how do we reconcile with that person that some of their medical information
going here they’re covered under this, and some of their medical information
going over there they’re covered under these other laws, I mean how do we
actually, let’s talk to the real person.

MS. MEYER: I think one thing to be aware of is that we’re not like other
entities, we get it coming and going on these laws, as Bob pointed out in all
50 states they have either enacted the old NAIC model privacy act or the new
Gramm-Leach-Bliley Act, so insurers —

DR. WAKE: — post Gramm-Leach-Bliley everything is opt in —

MS. MEYER: And everything is opt in and so we’re not like these entities
that are not subject to any privacy laws, our ability to govern, to get the
information is largely governed by HIPAA but it’s also governed by the old NAIC
model privacy act, it’s governed by the Fair Credit Reporting Act, and then
once we got it we are required by Gramm-Leach-Bliley itself to keep it secure,
we are subject to the Gramm-Leach-Bliley state laws with respect to our
disclosure of the information and can only disclose it with an opt in —

MR. REYNOLDS: Let me stop you right there for a second, I heard all that
the first time and I’m not saying that in any negative way, you are very
convincing of what you do, I asked you to step over with us for a minute, so
we’re talking to the consumer, the consumer when they go into a medical
situation with their medical information right now is only aware of HIPAA and
so my base question is why not. If you’re already covered by this other stuff
and you already got all this other stuff going on then what are the pieces that
really, really get you fired up about not being a part of HIPAA. Because what’s
interesting is I joined this committee three years ago and my very first
session which I wasn’t actually going to be on this committee was the banks
sitting exactly where you are saying exactly the same thing, yet right now they
clear an awful lot of financial transaction, the HIPAA 835 which contains the
whole claim itself and everything else. We’re getting into an electronic world
where this stuff is moving around and what used to be isn’t the same. So answer
my question from the view of the general public sitting at another table
listening to us —

MS. MEYER: I guess from my perspective if HIPAA were to be extended, and I
assume you mean the privacy rule as opposed to HIPAA itself, it would impose on
life insurers but another regulatory framework for our ability to serve our
customers and we already have all these laws out there. The HIPAA rule, and I’m
not an expert on the HIPAA rule but I did take a quick look at the laws, the
provisions in the privacy rule that govern its interface with the state laws
and to me it looks like it’s not, the HIPAA rule is not clearly preemptive and
stricter state laws are preserved.

So from my perspective what will happen is we get a new law, probably same
preemption provisions, and what’s going to happen is that it is going to
undermine the efficiency with which we serve our customers and of course that
makes it more expensive sometimes. It also if you’re going to have duplicative
and different notices it’s confusing to consumers, and in our case if we don’t
keep our customers’ information secure, even if you don’t think we’re nice
businesses, people won’t come back to us, it’s in our self interest as insurers
to make sure that our customers feel comfortable with this information and that
we protect it, it’s the duplication that I think will be a major problem.

DR. WAKE: I guess from my side one thing I would say to Robbie is maybe
it’s not the end of the world, we should look at it and see what the real life
ramifications are but duplicative notices are a major issue, I remember working
very hard when Gramm-Leach-Bliley was enacted to try to develop a single notice
or try to encourage insurers to have a single notice that could meet the
requirements of the 1980 model act and Gramm-Leach-Bliley for use in model act
states. Some of them liked that approach, some of them preferred sending
different notices. With HIPAA you’ve got a third notice. There really are
things that insurers need to send out, there are things insurers have to tell
people that aren’t in the HIPAA notice, so you can’t just come back and say
well send the HIPAA notice instead of the state law or Gramm-Leach-Bliley —

MR. REYNOLDS: Every covered entity right now that is a health insurance
company has the exact same issue that you two are explaining, I understand
that, trust me —

[Simultaneous comments.]

MR. REYNOLDS: My point is, I’m making a point that as we’re trying to deal
as we are going to be moving from a paper based, and Mark made the point and
others, from a paper based world that has its limitations as to what can move,
where it can move and how it can move, and that is much more to a significantly
more automated environment the ability to try to help the base person
understand what’s happening to them is important.

And the other thing I would say is and I found interesting, Robbie, in your
reading of the document that was brought over to you, the plain language
heading, I could have gotten real excited if it would have said a plain
language document but I thought that was an interesting twist of a statement,
because one of the things we put in this letter is this stuff needs to be clear
to people, what they’re actually doing. One other question, that was more of a
statement, excuse me that was more of a reading back of your statement —

DR. WAKE: But just compare plain language headings with some of the
headings that you have all seen in notices, it’s progress, incremental but it’s
progress.

MR. REYNOLDS: One last thing is on the business associates, and you had,
Bob, you just had a little discussion on that, so kind of quickly what is
really the chain that is set up in these other laws, and I’m a little bit
familiar with Gramm-Leach-Bliley, but within these other laws that is
comparable to the business associate chain that is under HIPAA which those of
us who are working on the privacy law still don’t think that the business
associate chain necessarily goes as far, and as again we move into this new
world where you’re sitting there representing the life insurance company but
all of a sudden somebody goes to a website or somebody goes to a vendor that
you’ve hired or something else and now that data is moving around. So I did
not, if you could just help me quickly with the chain that will be my last
question.

MS. MEYER: I apologize, I didn’t have time to reread the HIPAA rules so
I’ve forgotten all the details with respect to business associates but in our
world, and I think you’re talking about our disclosures to entities with which
we do business who operate for us, and then their redisclosure of —

MR. REYNOLDS: And what is their responsibility and who governs their
responsibility.

MS. MEYER: Those entities are, when an insurer rediscloses under
Gramm-Leach-Bliley itself and then under the state GLB confidentiality rules,
those entities are subject to the same limits that the insurer is subject to.
As far as enforcing their compliance the insurer is obligated to make sure that
the entities to which it discloses or rediscloses comply with the requirements
of Gramm-Leach-Bliley. And as I also said the federal Fair Credit Reporting Act
was just amended to also impose these obligations and limitations on
redisclosures by insurers and by third parties that insurers disclose to and in
those cases they can only, there can only be redisclosure for the purpose for
which the information was originally disclosed —

MR. REYNOLDS: It’s a bit of a mirror —

DR. WAKE: I would have to look it up, my recollection is there isn’t as
much detail about the specific concept, content of a business associate
agreement and the term business associate isn’t used but for these types of
disclosures there is a requirement that the licensee have an agreement not to
redisclose of some sort in place.

On this plain language header the language before, the plain language
header is one of the requirements for attention getting, the text itself should
be presented in clear concise sentences, short explanatory sentences, definite
concrete everyday words and active voice, avoids explanations that are
imprecise, avoids legal and highly technical business terminology whenever
possible. So there is a plain language text requirement also.

MR. ROTHSTEIN: If I may, John, I want to follow up Harry’s question on the
business associate. It’s been one of our disappointments with the privacy rule I
think it’s fair to say, with the business associate agreements and the way they
have or haven’t worked under certain circumstances and it’s one of the things
that we’ve been looking into for several years. So my question is this, and I
thought for sure that Harry was going to ask this, so you decide that, you’re
an insurance company as opposed to an organization, that it’s cheaper to do
your medical underwriting overseas and so now you sign a contract with some
overseas vendor who may have subcontracts with all sorts of other people and
you just zip them the aps and the records and as I hear you saying your
obligations are sort of comparable to HIPAA but some of us don’t necessarily
think that those are adequate in terms of the responsibility that’s placed on
the initial recipient, the insurance company, to guarantee that confidentiality —

DR. WAKE: I’m going to break in and say as a regulator I dropped the ball
on that because I was part of, I think lots of us dropped the ball on that but
I know I was one of them and I’ll tell you why. I was part of an NAIC group
that before Gramm-Leach-Bliley, before HIPAA, did a lot of work and Robbie was
in this on how to deal with sensitive information being disclosed by regulated
entities to unregulated entities, and we worked through and maybe HIPAA even
used our work, I don’t know, but we worked through the concept that first of
all we can nail the insurer as a violation if they disclose the information
negligently without having these safeguards in place and part of the safeguard
should be that the consumer as third party beneficiary should have a right of
action but where we drop the ball, where HHS dropped the ball, and you’re HHS,
I’m sorry, what we all didn’t anticipate is that in the 21st century
that private right of action was going to be useless because the editing was
going to be in the third world.

MS. MEYER: But let me say this, we do have the NAIC GLB safeguards reg that
reflects Gramm-Leach-Bliley itself, Gramm-Leach-Bliley says that all financial
institutions have this continuing, affirmative and continuing obligation to
protect the security of their customers’ information. So then the NAIC
developed its safeguards regulation and companies are required to have these
security programs, they have to be written, they have to be comprehensive, they
have to be designed to protect against unauthorized access to and use of
information, and by way of example it says what companies are required, what
insurers should do is exercise appropriate due diligence in selecting their
service providers regardless of where they are and should require its service
to implement appropriate measures designed to meet the objectives of this
regulation which is to ensure the security of the information and where
indicated by the insurer’s risk assessment take appropriate steps to confirm
that its service providers have satisfied these obligations. So it doesn’t
matter where in the world the service provider is the insurer, the buck stops
with the insurer provider to which it discloses the information, the insurer
has the obligation to maintain the security of the information in these world
wide sourcing arrangements.

DR. WAKE: And I would agree with Robbie there, I don’t think that’s the
whole story, I think as with the ChoicePoint debacle, that these overseas
disclosures are a specific problem that we need to think about specific better
solutions for but I agree with Robbie that in the interim, maybe my mea culpa
was a little bit overstated because, well, I feel badly about the fact that it
would have been possible for somebody to be burned once on some of this perhaps
without any negligence, but once we know it’s happened due diligence means that
there is a duty on the insurer or other regulated entity to make damn sure it
doesn’t happen twice.

MR. ROTHSTEIN: Thank you. John and then Maya.

MR. HOUSTON: I’m going to make a couple statements, I don’t even know if I
have a question at this point in time. I mean I think it’s pretty obvious to me
that there’s a lot of regulation that’s already inherent to the industry and
also at the same time when somebody decides they’re going to get life insurance
or other types of insurance they’re making the conscious decision to do so and
are signing an authorization, and I guess their recourse is always that they
don’t need to get that insurance, they may desire to get the insurance, they
could go to a different plan or they could look for somebody who has different
requirements to what the information that will be disclosed, but regardless as
I said in my opening comment there’s already a good bit of regulation that
exists and I guess I question whether anything else is required and trying to
cause somebody to abide by a more rigorous standard, or a different standard,
achieves anything. Again, I can decide never to get insurance because I don’t
want to give my information —

DR. WAKE: Well that ties into the earlier questions, more rigorous,
different, and on the one hand as I said don’t automatically assume it’s the
end of the world, maybe aside from the efficiency of notice issue which is
already a problem, we all know notices are a problem, under all the various
frameworks. We can learn from experience, everybody can do it better and we
should try to do it once. But the substantive privacy, maybe HIPAA is just
telling you to do what you’re already doing and if it is —

MR. HOUSTON: I still think there’s a regulatory, it sounds like there’s a
regulatory framework and process in place in order to improve notice, that’s
one thing, and I think the other thing that I believe came out in this
testimony is that if you guys are all a bunch of bad people, people are going
to find other organizations to go to who are more consumer friendly, so I guess
I don’t have a question other than just having made that comment.

MS. BERNSTEIN: If they’re all bad there’s no place to go.

MR. ROTHSTEIN: Maya?

MS. BERNSTEIN: Two things, I guess as you guys were talking I was thinking
about all these different, it seems like a patchwork of different laws which on
the whole somehow cover everybody, but in another life I worked on some other
new formed state law in another area and I was kind of wondering in this case
what are the impediments to getting more uniformity in the more recent versions
of the NAIC models or the 1980 model I guess is, there are more modern versions
that have stronger privacy protections in place —

DR. WAKE: Biggest impediment is that the 1980 model has stronger
privacy protections than Gramm-Leach-Bliley on the whole.

MS. MEYER: So when we went, and we fought all over the country, worked with
the NAIC to get the new model adopted across the country and it has been widely
adopted but not in every state with the health provisions but every state
either has the old model or this new model and the problem was just as Bob
said, the states that have the old model is much more comprehensive and so they
didn’t want to give it up, in some cases we tried to mesh it. I mean what you
have, the real answer is, Maya, is you have 50 different state legislatures,
that’s both the beauty and the problem of the system and we I think, one point
that I neglected to make is we support state regulation of our privacy
practices at this point and indeed the one problem with the HIPAA privacy rule
appropriately was crafted taking into account the needs of health care
providers and health insurers and so appropriately didn’t take into
consideration the needs of life insurers and the uniqueness of their business
practices. The technical point is not even worth mentioning.

MS. BERNSTEIN: The other thing I wanted to comment on was a couple of
times, Ms. Meyer, you were saying that losses that we can’t redisclose, unless
it’s for the, I don’t remember the exact language but the related compatible
purpose for why the information was collected unless permitted by law. But
every time, in my view as a privacy person every time you add the phrase unless
permitted by law well anything that’s not prohibited by law is pretty much
permitted by law, so unless not permitted, if it’s otherwise permitted by law
doesn’t get you anything and that’s sort of anything we haven’t thought of we
can do.

MS. MEYER: You’re absolutely right however the relevant laws are very
specific, I mean it all kind of circles back to one of the Gramm-Leach-Bliley
statutes or the privacy act. I hear you but it’s not as open ended and actually
Gramm-Leach-Bliley as I recall was more, you were thinking of the language that
I read from the Fair Credit Reporting Act, the Gramm-Leach-Bliley language is
even more limited in that respect.

DR. WAKE: Generally when you have a catch all exclusion, I mean a catch all
exception for as permitted by law at least when I’m involved in drafting it I
try to make sure it’s as otherwise expressly permitted by law and on
disclosures we have had some problems with Gramm-Leach-Bliley notices saying or
is permitted by law when they bury some things that consumers would really want
to know and I have tried to assist in developing model disclosures that make
sure that things that get buried under this catch all exception are things like
in response to a subpoena or for what are clearly internal operating purposes
or things that don’t wave any red flags, in the 35 states that permit
disclosure over the consumer’s objections under joint marketing agreements I
would like the notice to say that. Under the 1980 model act except in the few
states that modified it to harmonize it with Gramm-Leach-Bliley that is not a
permitted exception to opt out but it’s something the consumer should know
about.

MS. BERNSTEIN: I just want to make one other quick point to some of the
things that Paul and Harry were getting at with respect to notices, some of you
may be aware that the Federal Trade Commission is doing some very significant
work on Gramm-Leach-Bliley notices, the format, the language, just the
presentation of them to the consumer and maybe it’s something that might be
applicable to other privacy notices, HIPAA notices, other sorts of notices, and
it may be something that this subcommittee wants to look at at some point.

MS. MCANDREW: I want to thank you both for your testimony and I think the
questioning from the panel so far has taken care of most of my questions with
my policy, HIPAA policy hat on, but putting on my enforcement hat if you could
just spend a minute or two to outline what the enforcement mechanisms are that
would apply to adherence to these privacy protections under your scheme, I
assume it’s the state insurance commission that would be the enforcer, what is
the penalty, what kinds of enforcement mechanisms are in existence and if
there’s any kind of track record in terms of looking into and taking action
based on privacy concerns.

DR. WAKE: Well I did mention one case although that was brought under a
different statute that resulted in a significant fine which the insurer
appealed to the law court and the consumer, the administrative agency won. In
general the enforcement remedies are fines, cease and desist orders, the
possibility of suspending or revoking the license, and if there has been money
damage, damages and restitution to the affected consumer. Our version of the, I
can’t remember whether there is a private right of action here but let me just —

MS. MEYER: Of the confidentiality reg?

DR. WAKE: No, of the 1980 model act, yes, the 1980 model act section 20
also provides a private right of action in addition to the regulatory
enforcement provisions. So in a nutshell that’s the enforcement scheme on
paper, I will say in Maine we have never taken a formal enforcement action,
we’ve worked to consensually through the complaint process, we haven’t
encountered any major violations except to shakedown issues when the notice
requirement first came where the remedy was getting them to fix their notice
and talk to the consumer and make things clearer.

MR. ROTHSTEIN: Any other questions? Well I want to thank you both very much
for coming today and sharing your expertise with us, as you can see we are just
beginning the process of trying to figure out how we can both protect the
privacy of this greater universe of information without unduly disrupting the
entities that have a legitimate need to access information.

I assume we have no public testimony and therefore tomorrow at 9:00 we will
resume the hearing and we’ll hear from representatives of employers and
schools. So thank you, the hearing is adjourned.

[Whereupon, at 4:20 p.m. the hearing was adjourned.]