National Association of Insurance Commissioners
David Wetmore, Director
Federal and International Relations
444 North Capitol St., NW Suite 701
Washington, DC 20001-1512
Tel: 202-624-7790
Fax: 202-624-8579

Good morning, Mr. Chairman and members of the Committee. My name is Kathleen Sebelius. I am the elected Insurance Commissioner for the State of Kansas, and I am testifying today as Vice President of the National Association of Insurance Commissioners (NAIC). I also chair the NAIC’s Health Insurance and Managed Care Committee and the NAIC Privacy Issues Working Group, both of which have devoted much time and energy to the subject before us today.¹ I am accompanied by the Vice-Chair of the working group, Glenn Pomeroy, Insurance Commissioner of the state of North Dakota and a past president of the NAIC.

Let me begin by thanking you, Mr. Chairman, for giving the NAIC this chance to testify on the subject of health information and offer our views and comments on your new legislation, H.R. 4585, the "Medical Financial Privacy Protection Act." We have testified five times previously on health information privacy before the 106^th Congress.

The NAIC has a long history of working to protect the health information of consumers, and we are now working very actively to guide state implementation of the new Title V consumer privacy provisions under the construct of the Gramm-Leach-Bliley Act (GLBA).

My testimony today will focus on: (1) the need for privacy protection of health information in GLBA; (2) NAIC’s activity on privacy and implementing GLBA regulations; and (3) comparison of H.R. 4585 to the NAIC Health Information Privacy Model Act.

When you ask consumers about protection of their personal information, they think health information is the most sensitive and expect a greater level of protection for their personal health information. Unfortunately, GLBA does not reflect consumers’ legitimate concerns in this area.

Congressman Leach, we are pleased with your decision to recognize that an unintended consequence of GLBA is the fact that a consumer’s sensitive health information can be shared freely without distinction from other sorts of financial information. Although we do not believe the intent of Congress last year was to include health information in the final version of GLBA, the implementing regulations have changed the landscape because "financial information" is defined to include health information.

As we all know, limited privacy protections of financial information are included in GLBA’s Title V. But with all due respect, these protections fail in the health area because the law does not provide more stringent protection for health information.

While this "opt-out" standard may be adequate in providing privacy protections for banking and financial information (in the true sense of the word), this standard is not adequate for personal health information.

So what kinds of information could be at risk?

While we were developing the health privacy model, we heard horrible stories of how sensitive personal health information was disseminated without the individual’s knowledge or consent. For example, a man made a claim against his insurance company for reimbursement of the costs of a drug prescribed for a certain medical condition. Within days, his doctor was besieged by calls from pharmaceutical companies trying to convince the doctor to change the patient’s medication to a drug produced by that particular company. This type of disclosure would be prohibited under your bill and our model without the affirmative consent of the consumer.

For these reasons, we think Congress needs to revisit the GLBA provisions and provide comprehensive privacy standards across-the-board regarding financial institutions and individually identifiable health information.

We think H.R. 4585 is a good step in the right direction to accomplish this goal. Specifically, we agree with your approach, Mr. Chairman, in several key areas:

• health information should be treated separately from, and differently than, financial information;
• individually identifiable health information should be afforded more protection than financial information;
• an "opt-in" standard should be implemented for individually identifiable health information due to the sensitive nature of the information; and
• the standard should be the same for all individually identifiable health information and should not be based on the type of financial institution that holds the information.

These aspects of your bill mirror standing NAIC policy, and we applaud your efforts in amending GLBA to include these important protections that are conspicuously missing now. We believe the best approach on the issue of health information privacy would be to set a federal standard that does not preempt stronger state laws that have been protecting health information for so many years. This approach is consistent with the GLBA standard – state laws are preempted only if they are "inconsistent with" GLBA and stronger state laws are not inconsistent.

A. NAIC Model Legislation

Members of the NAIC have been discussing and addressing the privacy of personal information, including health information, for more than 20 years. In 1980 we adopted the Insurance Information and Privacy Protection Model Act (Attachment A). This model applies to all insurance information and generally requires insurers to receive authorization from individuals ("opt-in") to disclose personal information. Health information is specifically included as part of this model.

More recently, in September 1998, the NAIC continued its efforts to strengthen protections for personal information by adopting a new model solely focused on the issues specific to health information, the Health Information Privacy Model Act (Attachment B). This model was developed following an extensive dialogue, over four years, with all stakeholders, including representatives of the insurance and managed care industries, and representatives from the provider and consumer communities.

Our model applies to all insurance carriers and was developed to assist the states in drafting uniform standards for ensuring the privacy of health information.² Similar to our more general 1980 insurance privacy model, this health information privacy model generally requires an entity to obtain an authorization ("opt-in") from the individual to collect, use or disclose protected health information. However, this new model treats personal health information as a different type of information that should receive a higher level of privacy protection. It balances the business needs of insurers against the legitimate privacy concerns of consumers.

We note that your bill would codify these important principles of our new model. We also note that our model could serve as a basis for developing regulations under your bill. Although our model is particular to the insurance business, it is important to remember that insurers are the primary financial institutions in possession of individually identifiable health information. Any regulations drafted under your bill should keep this fact in mind.

B. NAIC’s Draft GLBA Regulations

As members of this Committee know, the GLBA directs Federal and State regulators to establish comprehensive standards for ensuring the security and confidentiality of consumers’ personal information maintained by financial institutions, and to protect against unauthorized access to or use of such information. Moreover, Section 507 authorizes – some would say encourages – States to enact laws that give consumers greater privacy protections than the provisions of GLBA.

As functional regulators of the business of insurance, the states are working through the NAIC to promulgate a model privacy regulation for the business of insurance. We are doing so in a manner that is as consistent as possible with the federal regulations while capturing the unique business and consumer aspects of insurance. As one of the NAIC’s nine commissioner-level working groups, the Privacy Issues Working Group, which I chair along with my vice-chair Commissioner Pomeroy, has been meeting since February to develop a draft regulation although our work began in earnest once the federal regulations were finalized.

We met this past weekend during our Summer National Meeting to discuss a working draft of proposed NAIC interim consumer privacy regulations which are intended to serve as guide for states to satisfy Title V of GLBA. The purpose of these interim regulations is to help state insurance authorities comply with the minimum requirements of GLBA quickly and therefore give to the industry the guidance it needs in this area, while ensuring essential consumer protections.

The draft is based upon the final Federal privacy regulations with regard to consumer financial information. Because of the differences between insurance activities and banking activities, we have made several changes that strengthen the privacy protections for individuals as they relate to insurance, notably with respect to health issues.

Insurance providers typically collect much greater amounts of health information than banks. We have also decided to treat health information differently than financial information and have drafted enhanced protections. This is in accordance with our previously adopted policy standards (as evidenced by existing model laws). As a result, our draft regulations make clear that "financial information" does not include "health information". Having made that distinction, we apply different rules for financial information and for health information. For financial information, we have closely tracked the language in GLBA in drafting regulations for insurers and their treatment of financial information.

For health information, we create an "opt-in" standard to be added to the Federal rules to address the special privacy issues with health information. We then address specific exceptions to the general rule to allow insurers to carry on their day-to-day business operations without undue restrictions. Our intent is to specifically treat personal health information as a different type of information that receives a higher level of privacy protection, as required by the our model.

At our recent Summer National Meeting, the working group discussed the "opt-in" standard for health information. Most insurance industry representatives voiced support for this standard.

We have an accelerated timetable for finalizing this regulation, and we anticipate a final work product by September 2000 so states may implement it by regulation or introduce it as legislation, if necessary, in the next legislative session.

H.R. 4585, which builds upon the privacy protections for financial information in GLBA by adding protections for individually identifiably health information, is similar in several aspects to the NAIC Health Information Privacy Model. Similarities include:

• Treating health information privacy separately from, and differently than, financial information.
• Affording individually identifiable health information more protection than financial information.
• Prohibiting disclosure of individually identifiable health information without affirmative consent ("opt-in") from the individual.
• Giving individuals the right to access and amend individually identifiable health information that is collected by a financial institution.
• Placing strict limitations on the re-disclosure and re-use of individually identifiable health information legitimately obtained by a financial institution.
• Establishing a list of exceptions for certain activities that do not need authorization from the individual. Although the exceptions in H.R. 4585 and the NAIC Model do not exactly correlate (GLBA exceptions geared toward banking business and NAIC Model exceptions geared toward insurance business), each set of exceptions recognizes the needs of financial institutions to use and disclose individually identifiably health information for legitimate business purposes.

While the NAIC model is more detailed than H.R. 4585 in the insurance context, the model is consistent with the GLBA standard that state laws are preempted only if they are "inconsistent with" GLBA. State laws are not inconsistent with GLBA if the protections they afford are greater than GLBA protections. For our draft regulations, we have tried to track the concepts in GLBA for financial information while enhancing protections based on our model for individually identifiable health information.

We believe a national standard for the privacy of personal information is critical for both consumers and financial institutions. We also believe strongly that health information needs enhanced protections, and consumers should be assured that their personal health information will not be shared, sold or released without their specific consent.

We will continue to develop a uniform model regulation to meet the GLBA privacy mandate for insurance activities. Once our model is completed, the regulation must be adopted in each state or legislation must be enacted. Congressional action that could protect health privacy across the country could expedite this process and assure consumers that their personal health information will be protected regardless of where they live or which financial entity collects the information.

In light of the need to protect individually identifiable health information under the standards established in GLBA, we are glad you are addressing this issue. We appreciate your efforts, and in general we agree with the approach taken in H.R. 4585. We encourage you to please take this opportunity to address comprehensive privacy standards across the board for health information. The members of the NAIC would be happy to work with the Members of Congress in this area and willing to discuss and resolve any technical issues with Congressional staff. Thank you.