Statement of
Steve Bartlett
President
The Financial Services Roundtable
Before the
Committee on Banking and Financial Services
U.S. House of Representatives
on
H.R. 4585, the Medical Financial Privacy Protection Act
June 14, 2000
Good morning, Mr. Chairman and Members of the Committee.
The Financial Services Roundtable appreciates the opportunity to testify on H.R. 4585, the Medical Financial Privacy Protection Act. The Financial Services Roundtable is a national association of 100 of the nation's largest integrated financial services firms. The members of the Roundtable engage in banking, securities, insurance, and other financial services activities.
H.R. 4585 addresses an issue that is of importance to all members of The Financial Services Roundtable and all consumers of financial services: the privacy of health information in the possession of a financial institution. We support the purpose of this legislation. In fact, as I discuss later in this statement, the Roundtable believes that protecting the confidentiality of health information in the possession of a financial institution is a matter that merits a uniform, national policy.
Also, I believe it is important to note at the outset of this statement that the members of the Roundtable, and as far as I know most providers of financial services, do not currently use health information derived from customers other than for medical reasons or as otherwise intended by customers. In other words, this issue is, at best, a potential "loophole" in our privacy laws.
The Roundtable Supports H.R. 4585
As integrated financial services providers, the members of the Roundtable believe that the sharing of consumer information with affiliates and third parties can benefit the consumers of financial services. Information sharing between affiliates, for example, can permit an integrated firm to structure products and services that meet a consumer's specific needs.
At the same time, the Roundtable's members recognize that financial institutions have an obligation to maintain the confidentiality of certain information within their possession. As a result, the Roundtable joined the rest of the financial services industry in supporting the privacy provisions in the Gramm-Leach-Bliley Act. As the members of this Committee know, the House version of the Gramm-Leach-Bliley Act included provisions protecting health information. The Roundtable supported those provisions, but they were dropped for various reasons. I commend the Chairman for his efforts.
H.R. 4585 would expand upon the privacy provisions in the Gramm-Leach-Bliley Act by establishing new standards for the protection of health information held by financial institutions. The Gramm-Leach-Bliley Act provides that a financial institution may not disclose personal information to a non-affiliated third party, without giving the consumer an appropriate notice and opportunity to prevent such disclosure. H.R. 4585 would impose a more stringent standard for health information. It would prevent a financial institution from sharing health information without the affirmative consent of the consumer. Furthermore, the bill's limitations on the sharing of health information would apply not only to non-affiliated third parties, but also to any affiliate of a financial institution.
The Roundtable supports the protections for health information contained in H.R. 4585. The Roundtable's members recognize that health information can be more sensitive than other forms of personal information. Roundtable members also know that consumers provide medical information to financial institutions only for specific purposes, such as the purchase of insurance, and the Roundtable members limit the use of such information accordingly.
Financial Institutions Already Protect Health Information
Our support for H.R. 4585 is a reflection of current industry practice. Almost every state has adopted some law to protect the confidentiality of health information, and, in most states, health information cannot be disclosed without the affirmative consent of an individual.
Additionally, the financial services industry has voluntarily agreed to safeguard health information within its possession. Just last month, for example, the Roundtable joined the nation's major banking trade associations in the release of voluntary guidelines for the banking industry which call for a banking institution to obtain the affirmative consent of a customer before sharing health information. It is my understanding that the major national insurance trade groups have adopted similar policies for insurance companies.
The U.S. Department of Health and Human Services (HHS) also is in the midst of finalizing regulations that relate to the privacy of health information.
As the Committee continues its deliberations of H.R. 4585, we would urge it to review and take into account this framework of existing law and industry guidelines.
Certain Provisions in H.R. 4585 Need to be Revised
Our support for H.R. 4585 is not unqualified. While we believe that the sharing of health information should be subject to a policy of affirmative consent, we also believe that the bill should be revised in several respects. The following are some of our concerns.
Exceptions to the Affirmative Consent Requirement
Under H.R. 4585, most of the exceptions to the sharing of personal information that are contained in the Gramm-Leach-Bliley Act would apply to the sharing of health information. For example, the bill would permit a financial institution to share health information with another party to protect against or prevent actual or potential fraud or claims. However, the bill does not extend two of the exceptions in the Gramm-Leach-Bliley Act to health information, and these two exceptions should apply to the sharing of health information.
First, the bill would not allow an insurance firm to share information with an insurance rate advisory organization or a state insurance guaranty fund without affirmative consent. Insurance companies share health information with rate advisory organizations to establish rates for particular lines of insurance. Similarly, when an insurer is declared insolvent, health information in its possession must be shared with a state guaranty fund. If such information cannot be shared freely with rating organizations or guaranty funds, the establishment of rates and resolution of insolvencies may be seriously impaired. We urge the Committee to include the Gramm-Leach-Bliley exception for information sharing with rate advisory organizations and state guaranty funds.
The absence of this exception is a serious flaw in the current draft; one which I hope is inadvertent. Without this exception, the basis for pricing insurance products and resolving insolvencies of insurance firms could be seriously harmed. I do not believe that is the intent of Congress or the will of the American people.
Second, the Gramm-Leach-Bliley Act includes an exception for the sharing of information with service providers and joint marketers as long as such parties maintain the confidentiality of the information. We believe a similar exception should be included in H.R. 4585. Without such an exception, it would be difficult for many insurance firms to use independent agents, banks, broker/dealers or others to service or market products, and this could have a negative impact on the consumers of insurance products.
Additionally, the Committee should consider exceptions for other current industry practices. For example, the operation of workers' compensation programs and medical research programs depends heavily on the sharing of information between insurance companies and third parties. The effectiveness of these programs could be impaired by the application of the affirmative consent requirement.
Consumer Rights to Access and Corrections
H.R. 4585 would provide consumers with a right to review health information in the possession of a financial institution and a right to dispute the accuracy of such information. While we endorse the intent of these provisions, we believe that they deserve further consideration by the Committee.
First, the Committee should recognize that there are instances in which it is not appropriate for a financial institution to share unconditionally health information with a consumer. Consider, for example, a situation in which a life insurance company learns through a required blood test that an applicant for life insurance is HIV positive. Because of the sensitive nature of this information, most insurance companies currently will not convey the results of such a test directly to the applicant, but will notify the applicant's doctor and rely on the applicant's doctor or a trained counselor to convey that information. Some states have addressed this and similar situations by limiting an individual's access to health information that could endanger the life or safety of the individual.
Second, the Committee should clarify that a financial institution has an obligation to "amend, correct, or delete" health information that is incomplete or inaccurate only if the financial institution created such information. As drafted, H.R. 4585 implies that a financial institution has some obligation to amend, correct, or delete any incomplete or inaccurate information, regardless of who created the information.
Third, H.R. 4585 would provide that a consumer does not have a right to obtain information assembled by a financial institution as part of its efforts to "comply" with laws preventing fraud. We recommend that this exception also include information assembled to "identify or investigate" possible fraud, as well as information assembled in the context of a dispute with the consumer.
Finally, the Committee should consider what procedures apply to these provisions. For example, does the consumer's right apply to all information, no matter when created? How quickly must a financial institution respond to a request for information? If there is a dispute over the accuracy of the information, how is that dispute to be adjudicated?
Spending Habits and Aggregate Lists
The affirmative consent requirement in H.R. 4585 would apply to the compilation of lists and descriptions of consumer spending habits if such lists and descriptions are derived from health information. Also, the affirmative consent requirement would apply to the compilation of aggregate lists of consumers that contain or are derived from health information. Presumably, these provisions are intended to limit the use of health information for marketing purposes. However, as drafted, the provisions would limit the sharing of experience information between an insurance company and third parties, including affiliates that use such information to develop generic claims profiles and insurance rates. Also, care needs to be taken to ensure that these provisions do not affect aggregated lists of credit card charges and checking account activities currently provided to consumers. To avoid such problems, we recommend that these provisions be limited to "marketing" activities.
Treatment of Mental Health Information
H.R. 4585 would require a financial institution to obtain a separate consent from a consumer before sharing any information related to the mental health or mental condition of the consumer. This means that in certain cases a financial institution would be required to obtain two separate consents from a consumer: one governing the consumer's "individually identifiable health information," and a second specifically related to the consumer's "mental health or mental condition." We do not see the need for this double consent requirement. The bill's definition of "individually identifiable health information" expressly includes any information related to the "physical or mental health or condition" of a consumer. One consent should be sufficient.
Additionally, the bill does not define what constitutes "mental health" or "mental condition." If any provisions specifically relating to these terms are included in the bill, we urge the Committee to define them.
Definition of "Individually Identifiable Health Information"
We are concerned about the relationship between the protections for health information in H.R. 4585 and the protections for personal information that already are part of the Gramm-Leach-Bliley Act. The existing privacy provisions in the Gramm-Leach-Bliley Act do not prohibit the sharing of demographic information about a consumer, such as an individual's address, telephone number or zip code, if that information is publicly available. On the other hand, H.R. 4585 would prohibit the sharing of demographic information created by an employer or health care entity that relates to an individual's health and that identifies the individual. In order to avoid any confusion with the Gramm-Leach-Bliley Act, we believe the Committee should clarify that publicly available demographic information that does not include health information is not subject to the affirmative consent requirement imposed by the bill.
The Need for a National Standard
As I noted at the outset of this statement, the Roundtable believes that the confidentiality of health information is a matter that merits a national policy approach. In other words, it is a concern to all consumers and all financial institutions that possess health information. As a result, the Roundtable believes that maintaining the confidentiality of health information demands a uniform, national policy.
All consumers, regardless of where they reside or receive health care, should be able to expect the same level of protection for their health information. Similarly, all financial institutions that possess health information should be able to comply with one national set of confidentiality requirements.
Absent a single, national standard governing the confidentiality of health information held by financial institutions, the customers of those institutions and the institutions themselves will face a patchwork of requirements imposed by state and federal legislators and regulators. As I have previously noted, most states already have adopted laws governing the confidentiality of health information, and HHS is in the process of finalizing a regulation on this issue. These requirements, however, are far from uniform or comprehensive.
The Committee faces an important choice. It can either layer the requirements of H.R. 4585 on this existing patchwork of laws and regulations and thereby add to the confusion of consumers and the compliance burden of financial institutions, or it can establish a single national standard governing the confidentiality of health information maintained by financial institutions. The Roundtable would recommend that the Committee impose a national standard. Thank you for the opportunity to share our views on this important and timely topic.