Testimony of the
American Council of Life Insurers
before the
The Subcommittee for Privacy and Confidentiality
of
The National Committee on Health and Vital Statistics
regarding
Life Insurers’ Use of Consumers’ Personal Health Information
and
Related Federal and State Privacy Laws
September 14, 2006
Presented by
Robbie Meyer
Associate General Counsel
American Council of Life Insurers
My name is Robbie Meyer. I am an Associate General Counsel for the American Council of Life Insurers (“ACLI”). The ACLI is a national trade association for life insurers with 377 member companies that account for 91% of the industry’s total assets and 90% of the life insurance premiums in the United States. ACLI members are also major participants in the annuity, pension, long-term care insurance, disability income insurance and reinsurance markets. The ACLI appreciates the opportunity to appear before the Subcommittee for Privacy and Confidentiality (“the Subcommittee”) to talk about the ways in which life insurers use consumers’ personal health information and the federal and state laws and regulations that provide a comprehensive regulatory framework for the protection of the confidentiality and security of information used in this context.
Overview
Life insurers have a long history of dealing with highly sensitive information, including consumers’ medical information, in a professional and appropriate manner. Life insurers must collect and use medical information in order to perform essential life insurance business functions, such as underwriting and claims evaluations, and to most effectively serve their existing and prospective customers, At the same time, life insurers support strict protections for medical records confidentiality, including prohibitions on the sharing of medical information in connection with extensions of credit or for marketing purposes. ACLI member companies have strongly supported enactment of existing federal and state privacy laws and regulations, discussed below, that require life insurers to protect the confidentiality as well as the security of their customers’ personal health information.
The ACLI strongly believes that the privacy of consumers’ health information is adequately protected under the plethora of existing federal and state privacy laws and regulations that already govern life insurers’ information practices. Also, the protections required under the body of existing privacy laws applicable to life insurers are quite similar to those required under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (“the HIPAA Privacy Rule”). Accordingly ACLI does not believe extension of the HIPAA Privacy Rule to life insurers or the enactment of comparable legislation applicable to life insurers is necessary to protect the confidentiality or security of consumer health information. ACLI also believes that the imposition of new limitations on life insurers’ information practices could inadvertently jeopardize performance of fundamental and legitimate life insurance business functions taken into account and balanced with consumers’ privacy concerns under existing laws.
As currently written, the HIPAA Privacy Rule already largely governs life insurers’ ability to obtain protected health information from anyone other than the subject of the information. Life insurers’ further ability to obtain, use, and responsibly disclose such information is governed by a multitude of existing federal and state privacy laws and regulations, including: (i) the federal Fair Credit Reporting Act (“the FCRA”), recently enhanced by the Fair and Accurate Transactions Act of 2003 (“the FACT Act”); (ii) Title V of the Gramm Leach Bliley Act (“the GLBA”); (iii) the 28 state statutes and regulations tracking the NAIC Model Privacy of Consumer Financial and Health Information Regulation (“the NAIC Model GLBA Privacy Regulation”), that include specific privacy rules for health information; (iv) the 36 state statutes and regulations tracking the NAIC Standards for Safeguarding Customer Information Model Regulation (“the NAIC Model GLBA Safeguards Regulation”); (v) the 18 state statutes tracking the National Association of Insurance Commissioners Insurance Information and Privacy Protection Model Act (“the NAIC Model Privacy Act”); and (vi) the many state laws and regulations imposing special confidentiality protections for consumer health information relating to a specific disease or medical information. Existing federal and state privacy laws and regulations already provide a broad comprehensive regulatory framework to protect the confidentiality and security of consumers’ health information used by life insurers. Further restriction of life insurers’ use and limited, responsible sharing of health information for life insurance business purposes could jeopardize performance of fundamental and legitimate insurance business functions in the most efficient, cost effective manner possible.
The ACLI’s Medical Information Confidentiality Policy
ACLI members are keenly aware of the importance of maintaining the confidentiality of medical information of policyholders. They are committed to the principle that they must handle medical information appropriately and ensure that its confidentiality is preserved. To underscore that commitment, several years ago, ACLI has adopted Confidentiality of Medical Information Principles of Support (“the Principles”). The Principles provide for ACLI’s support for legislative and regulatory proposals that would impose strict limits on life insurers’ ability to obtain and disclose medical information about their policyholders and on the redisclosure of such information. The Principles also provide for support of prohibitions against an insurance company sharing a consumer’s medical information for marketing purposes or with a financial institution, such as a bank, for the purpose of determining the person’s eligibility for a loan or other credit — even if the financial institution is affiliated with the insurer.
Life Insurers’ Uses of Medical Information
Risk Classification
In today’s world, it is more important than ever for consumers to have ready access to as much insurance as possible to protect their future financial security as well as the financial security of their families. In order to continue to make insurance products and services widely available at the lowest possible cost, life insurers need access to information that establishes a consumer’s eligibility and the appropriate premium for insurance products for which the consumer has applied. An applicant’s medical condition is an important factor in making that determination. Accordingly, insurers collect personal medical information in connection with underwriting for life, disability income and long term care insurance.
Much application information comes directly from the applicant (with his or her implicit consent to use the information as necessary in connection with the life insurance policy). Depending on the applicant’s age, medical history and the amount and nature of insurance applied for, the insurance company may also need information from the individual’s medical records. In this event, the applicant is requested to sign a HIPPA compliant authorization that is provided by the insurer and that authorizes the insurer to: (i) obtain individually identifiable health information from his or her health care providers; and (ii) use the information in connection with the life insurance policy.
Many of the application questions seek nonmedical information, such as age, occupation, income, net worth, other insurance policies and beneficiary designations. Other questions focus on the proposed insured’s health, including current medical condition and past illnesses, injuries and medical treatments. Other questions ask the applicant to provide the name of each physician or practitioner consulted in connection with any ailment within a specified period of time (typically five years).
The information derived from applications is used to place applicants into groups comprised of individuals with similar characteristics and similar risks of dying prematurely, becoming disabled or requiring long term care. Placement of an applicant in a particular group is based on gender, age, present and past state of health, possibly his or her job or hobby, and the type and amount of coverage sought. Life insurers rely on an applicant’s personally identifiable health to determine the risk that he or she represents.
This system of classifying proposed insureds by level of risk is called risk classification. It enables insurers to calculate premiums based on a particular group’s level of risk. Those with similar risks pay the same premiums. Medical information is a key and essential component in the process.
The process of risk classification provides the fundamental framework for the current private insurance system in the United States. It is essential to insurers’ ability to determine premiums that are fair relative to the risk posed by particular applicants and financially prudent, to ensure an insurers’ ability to pay customers’ future claims. It is the process of risk classification, based in large part on medical information, that has made life, disability income and long term care insurance widely available and affordable in the United States.
Other Uses of Medical Information by Life Insurers
Life insurers commonly use medical information in connection with the performance of legitimate, core insurance business functions other than risk classification. These basic functions include key activities such as claims evaluations and policy administration. Life insurers also use customers’ health information in connection with the performance of important business functions, not necessarily directly related to a particular insurance contract, but essential to the administration or servicing of insurance policies generally, for example, in connection with development and maintenance of computer systems for policy files containing customers’ medical information.
Life insurers often use affiliates or unaffiliated third parties (such as actuaries, employee benefits or other consultants, physicians, attorneys, auditors, investigators, translators, records administrators, third party administrators, and others) to perform these basic business functions. Insurers must be able to share their customers’ personal information, including their health information, with these affiliates and unaffiliated third parties. Often arrangements with these entities provide the most efficient and economical way for an insurer to serve prospective and existing customers. The economies and efficiencies devolving from these relationships inure to the benefit of insurers’ customers.
Life insurers make certain other limited disclosures of customer information, including customers’ medical information, to comply with various regulatory/legal mandates, in furtherance of certain public policy goals, or in connection with legitimate insurance business activities. They must regularly disclose customer information to: state insurance departments; self-regulatory organizations, such as the Insurance Marketplace Standards Association (IMSA); and state insurance guaranty funds. Any limitation on these disclosures would seem likely to operate counter to the underlying public policy reasons for which they were originally mandated – to protect consumers.
Life insurers also need to (and, in fact, in some states are required to) disclose individually identifiable health information and personal financial information in order to protect against or to prevent actual or potential fraud. Such disclosures are made to law enforcement agencies, state insurance departments, the Medical Information Bureau (MIB), or outside attorneys or investigators, which work for the insurer. Again, any limitation on life insurers’ right to make these disclosures would seem likely to undermine the public policy goal of reducing fraud, the costs of which are ultimately borne by consumers.
In the event of a proposed or consummated sale, merger, transfer, or exchange of all or a portion of an insurance company, it is often essential that the insurer disclose company files. Naturally, these files can contain individually identifiable health information as well as personal financial information. Such disclosures are often necessary to the due diligence process which takes place prior to consummation of the deal and are clearly necessary once the deal is completed when the newly created entity often must use policyholder files in order to conduct business.
Insurers also frequently enter into reinsurance contracts to, among other things, increase the amount and volume of coverage they can provide consumers. These arrangements often necessitate the disclosure of personal information, including customers’ medical information, by the primary insurer to the reinsurer. Depending on the particular reinsurance treaty, this might happen because the reinsurer: (i) wishes to examine the ceding insurer’s underwriting practices; (ii) actually assumes responsibility for underwriting all or part of the risk; or (iii) administers claims.
Existing Privacy Laws Governing Life Insurers’ Information Practices
As indicated above, the HIPAA Privacy Rule already largely governs life insurers’ ability to obtain protected health information except that received directly from the subject of the information. This is true because the HIPAA Privacy Rule dictates the requirements for covered entity health care providers to disclose such information. Life insurers’ ability to further obtain, use, and responsibly disclose customers’ health information is governed by a plethora of existing federal and state privacy laws and regulations that impose a continuing and affirmative obligation to protect both the security and the confidentiality of consumer information and require life insurers to have policies and procedures to provide this protection. These laws reflect an appropriate balance between consumer privacy protection and life insurers’ need for medical information to most effectively provide the insurance products and services sought by consumers.
HIPAA Privacy Rule
Life insurers, other than those that sell health or long term care insurance, are not directly subject to the HIPAA Privacy Rule. However, life insurers are significantly indirectly impacted by the HIPAA Privacy Rule because their ability to obtain medical information from health care providers is dictated by its requirements with respect to disclosures by covered entities. Unless they are engaged in treatment, payment or health care operations, health care providers may not disclose medical information about a consumer to others, including life and disability insurers, as well as long term care insurers, unless they first obtain the authorization (i.e., opt-in) of the consumer. Consequently, in order for a life insurer to obtain medical information about an applicant from a health care provider, its authorization forms must meet the requirements of the HIPAA Privacy Rule. Stated differently, unless a life insurer complies with the HIPAA Privacy Rule’s authorization requirements, it cannot obtain medical information necessary to underwrite an application for new coverage or to evaluate a claim submitted under an existing policy.
The Fair Credit Reporting Act
The FCRA governs life insurers’ ability to obtain and share medical information under specified circumstances. It also governs redisclosure of medical information received by third parties from insurers. The applicable requirements are largely determined by whether medical information constitutes a “consumer report,” as defined in the statute. Medical information may be a “consumer report,” subject to the statute’s extensive requirements applicable to obtaining, using and disclosure of consumers reports, because it bears on a consumer’s personal characteristics and is used as a factor in establishing a consumer’s eligibility for insurance. Regardless of whether medical information constitutes a “consumer report,” the FCRA imposes significant requirements, applicable to life insurers, with respect to use and disclosure of medical information.
The Fair and Accurate Credit Transactions Act of 2003 (“the FACT Act) enhanced the special status of medical information under the FCRA. The drafters of the medical information provisions of the FACT Act sought to address concern with use of medical information (and information relating to payment for medical products and services) in connection with determinations of eligibility for credit. At the same time, they recognized how critically important use and disclosure of medical information is to the conduct of the business of insurance. The extensive amendments made to the definitions of “consumer report” and “medical information” and to the provisions providing for protection of medical information reflect the drafters’ effort to address concern with use of medical information in credit decisions without jeopardizing the business of insurance.
The FACT Act broadened the definition of “medical information” in the statute to include, not just information received “with the consent of the individual” from health care providers (as provided in the old definition), but any information, created or obtained from a health care provider or the consumer that relates to: (i) the physical, mental, or behavioral health or condition of the individual; (ii) the provision of health care to the individual; or (iii) the payment for the provision of health. The term does not include: age, gender, demographic information (including residence address or e-mail address), or any other information that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of an insurance policy.
It also amended the definition of “consumer report” to provide that medical information or any individualized list or description or aggregate list of identified consumers based on payment transactions for medical products or services shared among affiliates will be a consumer report unless the information is disclosed to an affiliate: (i) in connection with the business of insurance or annuities, including the activities described in section 18B of the NAIC Model Privacy Act; (ii) for any purpose permitted without authorization under the HIPAA Privacy Rule or described in GLBA § 502(e); or (iii) as otherwise determined to be necessary and appropriate by the FTC, the Federal Banking agencies, the NCUA, the applicable State insurance authority.
The FACT Act amended an existing provision in the FCRA to prohibit consumer reporting agencies from furnishing a consumer report containing medical information (other than medical contact information) in connection with an insurance transaction unless the consumer affirmatively consents to the furnishing of the report. It also added a new provision that would prohibit an insurer or third party receiving medical information from an insurer in connection with the business of insurance from redisclosing such information to any other person except as necessary to carry out purpose for which information was initially disclosed or as otherwise permitted by statute, regulation, or order. Finally, the FACT Act added a new provision to the FCRA to prohibit creditors from obtaining or using medical information in connection with any determination of a consumer’s eligibility for credit.
The Gramm Leach Bliley Act, the NAIC Model GLBA Privacy Regulation, and the NAIC Model GLBA Safeguards Regulation
Under Title V of the GLBA, a consumer’s “nonpublic personal information,” mainly financial information, may not be shared by a financial institution, including a life insurer, with an unaffiliated third party unless the consumer has been given a notice that the information may be shared and is provided with the opportunity to opt-out of such sharing. Nonpublic personal information is permitted to be shared without an opt-out only when it is being shared in connection with the performance of business activities or a joint marketing agreement between two or more financial institutions. However, significantly, as discussed below, state privacy laws and regulations generally require an opt-in for the sharing of medical information.
The GLBA provides that state insurance authorities are to adopt rules to implement and enforce the GLBA under state insurance law. To assist the states in fulfilling these requirements, the NAIC adopted the Privacy of Consumer Financial and Health Information Regulation (“the NAIC Model GLBA Privacy Regulation”) that includes specific, heightened privacy protections for medical information. Twenty eight states have adopted, either as a statute or regulation, the NAIC Model GLBA Privacy Regulation with the model health information privacy provisions.
Under the health information privacy provisions of the NAIC Model GLBA Privacy Regulation, an insurer may not disclose health information about a consumer unless an authorization is obtained from the consumer. In effect, state laws tracking these NAIC model provisions require an opt-in before medical information may be shared by insurers with affiliates or nonaffiliates. It should be noted, of course, that like the GLBA’s provisions with respect to disclosure of nonpublic personal information, the NAIC Model GLBA Privacy Regulation permits the disclosure of medical information without consent when the disclosure is made in connection with the performance of ordinary insurance business functions by or on behalf of an insurer.
The GLBA also provides that it is the policy of the Congress that each financial institution, including each life insurer, has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. The GLBA requires financial institutions’ functional regulators to establish appropriate standards relating to administrative, technical and physical safeguards to: (i) ensure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of such records; and (iii) to protect against unauthorized access to or the use of such records or information which could result in substantial harm or inconvenience to consumers.
The NAIC adopted the Standards for Safeguarding Customer Information Model Regulation (“the NAIC Model GLBA Safeguards Regulation”) to assist the state insurance authorities in implementing this obligation. This model has been adopted in 36 states. It model requires life insurers to implement comprehensive written security programs that include administrative, technical, and physical safeguards for the protection of customer information. The safeguards are required to be appropriate to the size and complexity of the insurer and the nature and scope of its activities. The program is required to be designed to meet the requirements specified in the GLBA, as described above.
The NAIC Insurance Information and Privacy Protection Model Act
Long before Congress enacted the GLBA, the NAIC adopted The Insurance Information and Privacy Protection Model Act (“the NAIC Model Privacy Act”). This model has been enacted in 18 states. It provides a broad regulatory framework with respect to insurers’ information practices. Among many other things, this model requires the written authorization of the consumer before an insurer may share consumer medical information with another person. Again, information may be shared without authorization to enable the insurer to perform basic insurance business functions. The model also requires an insurer to obtain a consumer’s authorization (i.e., opt-in) before it may disclose medical information to a nonaffiliated party for marketing purposes.
Other State Privacy Laws
In addition to the privacy laws described above, many states have enacted a host of additional privacy laws that impose special requirements applicable to life insurers’ obtaining, retaining and disclosing consumer information relating to specific diseases or information, such as HIV status or genetic testing results. Often these statutes require specific consent of the subject of the information to obtain or disclose this information.
Conclusion
ACLI member companies support strict protections for medical records confidentiality. At the same time, the ACLI strongly believes that the privacy of consumers’ health information is adequately and comprehensively protected under the plethora of existing federal and state privacy laws and regulations governing life insurers’ information practices. Accordingly ACLI does not believe extension of the HIPAA Privacy Rule to life insurers or the enactment of comparable legislation applicable to life insurers is necessary to protect the confidentiality or security of consumer health information.
The ACLI again thanks the Subcommittee for the opportunity to testify today and would be glad to answer any questions.