Copyright 1999 Federal Document Clearing House, Inc.
Federal Document Clearing House Congressional Testimony
July 21, 1999
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 2331 words
HEADLINE:
TESTIMONY July 21, 1999 DONALD J. PALMISANO, MD, HOUSE BANKING
AND FINANCIAL SERVICES FINANCIAL INSTITUTIONS AND CONSUMER CREDIT UNIONS
FINANCIAL PRIVACY
BODY:
Statement of the American Medical Association
to the Subcommittee on Financial Institutions and Consumer Credit
Committee on Banking and Financial Services
U.S. House of Representatives

RE: Medical Privacy Issues in HR 10

Presented by Donald J. Palmisano, MD, JD

July 21, 1999

The American Medical Association (AMA) is pleased to provide
testimony to the Financial Institutions and Consumer Credit Subcommittee of the
House Banking and Financial Services Committee regarding the privacy of
medical information in the context of financial services modernization
legislation.

The AMA's Position on Medical Privacy

The patient-physician
relationship is based first on trust. Confidentiality of communications within
this relationship is a cornerstone of good medical care. In order for physicians
to provide the best and most appropriate care, patients must feel that they can
disclose to their physicians personal facts and information that they would not
want others to know. Without such assurances, patients may not provide the
information necessary for proper diagnosis and treatment. Nor might they avail
themselves of genetic tests that may be available to assist in the detection and
possible amelioration or prevention of various disorders. The AMA believes that
patients have the basic right of privacy of their medical
information and records and that this right should be honored unless
waived in a meaningful way. This requires informed consent for disclosures of
personally identifiable health information for any purpose. Recognizing that
there are situations in which obtaining specific informed consent is not always
practicable or possible, however, the AMA believes that, in such instances,
either (a) the information should have identifying information stripped from it,
or (b) an objective, publicly accountable entity must determine that patient
consent is not required after weighing the risks and benefits of the proposed
use.

The AMA's Position on HR 10

The stated purpose of HR 10, the "Financial
Services Act of 1999," is to remove current barriers preventing affiliation
among banks, securities firms, insurance companies, and other financial service
providers, with the goal of enhancing competition in the financial services
industry and fostering innovation and efficiency. The AMA went on record, in
coalition letters to Members of the House of Representatives preceding the full
House's debate and vote on HR 10, expressing deep concerns about the medical
information component of the bill. Since health insurers are considered
"financial services institutions" under the bill, new opportunities are created
for personally-identifiable health information collected by insurers to move
laterally through a company and its affiliates without patient consent or
knowledge. We appreciate Representative Greg Ganske, MD, Representative Edward
J. Markey and other Members bringing the issue of medical information
privacy to the attention of their colleagues during the HR 10 debate.
While the laudable intention of medical privacy language added to the bill was
to limit the sharing of personal medical information among financial industries
and their affiliates, in fact, the bill ended up doing exactly the opposite -
facilitating the broad sharing of just such information. Our testimony today
expands on the concerns raised in our letters to the House. Financial entities
other than health insurers that are included in HR 10's scope would become de
facto secondary users of personal medical information. Generally speaking,
secondary users are those whose use of medical records does not go directly to
the treatment, payment or quality assessment of medical and health care provided
to an individual. They can include life insurers; auto, property and casualty
insurers; employers; licensing agencies; public health agencies; medical
researchers; educational institutions and even the media. "The flow of
information to these parties in some cases affects people's lives in very direct
ways, determining whether they are hired or fired, whether they can secure
business licenses and life insurances, whether they are permitted to drive cars,
whether they are placed under police surveillance or labeled as security risks."
(Protecting Privacy in Computerized Medical
Information, Office of Technology Assessment report, 1993, p. 48.) It
is essential that individuals be notified of such information sharing and that
their affirmative consent be required for disclosure of their
individually-identifiable health information.

The Dual Role of Insurers

The
matrix of the financial services affiliations covered by HR 10 is complex.
Health insurers, as a function of paying claims for medical care, are privileged
to have access to personal medical information and records. When insurers
function as financial service institutions, the medical record becomes an item
of commerce and a market indicator. Insurers claim, in the context of the
congressional debate on a comprehensive confidentiality bill, that they are
"providers" seeking to improve the quality of care for populations. Yet in their
role here as "financial services institutions," they also seek to benefit from
affiliating with banks, mortgage companies, holding companies, brokers and
dealers and other insurers, to name a few possibilities envisioned by HR 10,
creating financial services conglomerates. We find this troubling and believe
that specific constraints are required to preclude inappropriate and
unconsented-to disclosures of personally identifiable medical information in
this context. The medical record is created primarily as a clinical tool to
assist in the diagnosis and treatment of individuals in trust relationship with
their physicians. We believe that, as a general rule, patients must be provided
the opportunity to consent to disclosures on their personal medical information,
with narrowly tailored exceptions for certain defined public benefits. When the
record migrates from its primary purpose as a clinical tool, that consent
becomes even more important in that its secondary uses are not generally
anticipated by the individual in facilitating his or her personal care and
payment for that care.

The Medical Privacy Provisions in HR 10

The medical
privacy provisions in HR 10, as set out in Section 351, while well-intentioned,
are inadequate to protect patients' sensitive medical information in the
non-clinical setting. Despite the fact that patient consent is offered as a
first alternative for insurers releasing personal medical information, a series
of broad ranging exceptions swallow the rule. One exception, for example, would
allow financial institutions to share an individual's personal medical
information for "research projects." This term is not defined and could easily
be construed to include a vast array of marketing evaluations or consumer
profiling ventures. Further, it does not relate in any way with "research" and
related protections as defined by the Common Rule (45 CFR 46). Another set of
exceptions would allow disclosure of individually-identifiable health
information "in connection with" an array of largely transaction-related
activities. While some of these are legitimate functions of insurers, it is
nevertheless imperative that they be carefully defined and, more important, that
consumer consent be required for disclosures for any of these functions. "In
connection with" is vague language that, read with each of the exceptions,
creates gaping holes in any systematic effort to protect patient privacy. Even
more troubling than what appears in Section 351 is what doesn't appear in
Section 351. Granted, the "Financial Services Act of 1999" should not become the
vehicle for comprehensive medical privacy legislation; nevertheless, if
provisions are included at all, they should contemplate the full range of
protections for such information in at least the financial services context. The
bill does not preclude redisclosures or circumscribe subsequent uses by
affiliates and others. The bill does not create limits on government's and law
enforcement's access to medical information. The bill does not provide any
remedies for privacy breaches, except for those available at the state level,
thus reducing the incentive for institutions to comply. The bill does not
include any incentives whatsoever to de-identify personal medical information
prior to sharing it with affiliates or unaffiliated third parties.

Title V Privacy Provisions

The "opt-out" provision offered in Section 502 of the bill -
Title V, Subtitle A - does not apply at all to medical information. Section 507,
also in Title V, Subtitle A, states that "[t]his subtitle shall not apply to any
information to which subtitle D of title III applies," namely, section 351,
"Confidentiality of Health and Medical Information." The only protections
afforded by Title V to a consumer's health records would flow from Subtitle B,
regarding "Fraudulent Access to Financial Information."

Curing the Medical Privacy Provisions of HR 10

The AMA believes that
it may be possible to improve the privacy language of HR 10, such that it
provides adequate protections until comprehensive privacy legislation is passed
by the Congress. However, it is a difficult task to define the proper boundaries
and decide how comprehensive the provisions should be. We are prepared to join
with other interested parties in assisting the House with this task. HR 10
should prohibit the transfer of medical information, even among affiliates,
without the explicit consent of the individual. "Opt-out," even if it would
apply to medical information disclosures under the bill - which it does not - is
insufficient. Individuals should have the affirmative right to direct who has
access to their information, particularly outside of the therapeutic and payment
context. One approach we believe could work would be to include an explicit
"opt-in" provision for individually identifiable health information. Financial
institutions, their affiliates and any unaffiliated third parties would be
required to affirmatively acquire an individual's consent to disclose their
personally-identifiable medical and health information. We understand the
arguments from the floor of the House regarding the expectation of consumers for
efficient and integrated financial operations regarding their related accounts
in a financial institution. However, health insurers play a dual role that does
not fit so easily into this construct. Insurers want to be characterized as
"financial service institutions" for the purposes of affiliating with other
financial and securities based corporate entities. Yet when it comes to the
health care delivery system, insurers want to be regarded as health "providers."
They cannot have it both ways, and their inclusion in HR 10 explicitly
demonstrates the dangers inherent in such an approach. The most prudent option
would be to adopt stringent privacy protections, which the Congress may then
have the opportunity to modify in comprehensive privacy legislation. It would be
reckless to provide so-called "protections" that would allow personal health
information to flow freely without individual consent among affiliated and
unaffiliated third parties when the consequences are so enormous. Deleting the
medical privacy provisions completely, leaving the status quo of state law in
place for the time being, would be preferable to passing a version of HR 10 that
allows such sweeping access to private medical information. The Congress should
take the most measured approach possible in HR 10 to information sharing - the
gate cannot be closed once it is opened. Information cannot be "un-shared." Once
a financial institution has our medical information, it will become a permanent
part of our consumer profile, regardless of future protections that might be
imposed. Thus, we would urge the utmost caution so that, if Congress errs at
all, it is on the side of protecting patients and their information rather than
financial conglomerates' desire to exploit that information.

Relationship to State Laws

If the Congress decides to retain and strengthen these medical
privacy provisions, rather than deleting them entirely, we think it is essential
to allow more protective state laws to remain in force. It is our understanding
that the sponsor intended a "federal floor," however, and we suggest the
language be modified to permit more protective state provisions to prevail. This
would be consistent with the intent in Title V, Section 524, which provides that
subtitle B, regarding "Fraudulent Access to Financial Information," should not
be construed as superseding State law, and that greater State protections should
prevail.

Conclusion

HR 10 provides an opportunity for significant enhancement of
financial services industry operations. It also presents the potential for
ethically perilous conglomerations of information and power as regards
individually-identifiable health records. When insurers function as financial
service institutions, the medical record becomes an item of commerce and a
market indicator. Health insurers' dual role as "providers" and as "financial
services institutions" highlights the concern of physicians and patients that
information will be shared without consent or knowledge of the individual, for
purposes unanticipated by the individual. The AMA finds this to be a troubling
possibility and urges the Congress to seek more protective language in HR 10 to
specifically prohibit inappropriate and unconsented-to disclosures of personally
identifiable medical information in the financial services context. Issues as to
how medical information is disclosed and used are not a footnote to HR 10;
rather they go to the heart of individuals' rights within evolving commercial and
market systems. The AMA thanks the Subcommittee for focusing its specific
attention on these important matters.
LOAD-DATE: July 26, 1999