Copyright 2000 Federal News Service, Inc.  
Federal News Service


June 14, 2000, Wednesday

SECTION: CAPITOL HILL HEARING

LENGTH: 32722 words

HEADLINE: HEARING OF THE HOUSE BANKING AND FINANCIAL SERVICES COMMITTEE
 
SUBJECT: HEALTH INFORMATION PRIVACY
 
CHAIRED BY: REPRESENTATIVE JAMES LEACH (R-IA)
 
LOCATION: 2128 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.
 
TIME: 10:00 AM EDT
 
DATE: WEDNESDAY, JUNE 14, 2000

WITNESSES:
 
GARY GENSLER, UNDER SECRETARY FOR DOMESTIC FINANCE, DEPARTMENT OF THE TREASURY;
 
KATHLEEN SEBELIUS, COMMISSIONER OF INSURANCE FOR KANSAS, VICE PRESIDENT, NATIONAL ASSOCIATION OF INSURANCE COMMISSIONERS;
 
RICHARD K. HARDING, PRESIDENT ELECT, AMERICAN PSYCHIATRIC ASSOCIATION, VICE CHAIR, CLINICAL AFFAIRS AND PROFESSOR OF PSYCHIATRICS AND PEDIATRICS, UNIVERSITY OF SOUTH CAROLINA SCHOOL OF MEDICINE;
 
STEVE BARTLETT, PRESIDENT, FINANCIAL SERVICES ROUNDTABLE;
 
DON BRAIN, PRESIDENT, LOCKTON BENEFIT COMPANY, KANSAS CITY, MISSOURI, ON BEHALF OF INDEPENDENT INSURANCE AGENTS OF AMERICA;
 
ROBERT H. RHEEL, SENIOR VICE PRESIDENT, FIREMAN'S FUND, ON BEHALF OF AMERICAN INSURANCE ASSOCIATION;
 
EDWARD L. YINGLING, DEPUTY EXECUTIVE VICE PRESIDENT, AMERICAN BANKERS ASSOCIATION;
 
ROBBIE MEYER, SENIOR COUNSEL, AMERICAN COUNCIL OF LIFE INSURANCE;
 
NICOLE BEASON, ESTHER PETERSON FELLOW, CONSUMER UNION;
 
A.G. BREITENSTEIN, CHIEF PRIVACY OFFICER, CHOOSINGHEALTH.COM;
 
EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY TIMES;
 
EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PUBLIC INTEREST RESEARCH GROUP;
 
JOY L. PRITTS, SENIOR COUNSEL, HEALTH PRIVACY GROUP, GEORGETOWN UNIVERSITY;
 
RONALD WEICH, ATTORNEY, ZUCKERMAN, SPAEDER, GOLDSTEIN, TAYLOR AND KOLKER, LLP, ON BEHALF OF AMERICAN CIVIL LIBERTIES UNION;
 


BODY:
 REP. JIM LEACH (R-IA): The committee will come to order. The committee meets today to hear testimony on HR-4585, the Medical Financial Privacy Protection Act and other measures in this arena which are designed to protect the most sensitive information about an individual that is held by a financial firm.

Before summarizing this proposal, let me review the legislative background of the issue. Last year in consideration of HR-10, the Financial Services Modernization Act, this committee for the first time in the long history of bank reform legislation approved a privacy package. In addition to erecting privacy shields for American financial services customers including a ban on the transfer of information to third-party telemarketers and a clamp-down on identity theft, the bill as it left this committee contained a provision that would have walled off the medical records held by an insurance company from other affiliates of a financial services holding company as well as nonaffiliated third parties.

HR-10 passed the House with the strongest privacy protections ever incorporated in the banking law importantly including the medical privacy provisions that originated in our committee. Later, however, at the request of the administration, the insistence of the minority party on the floor that the issue be addressed through executive action rather than legislation, the medical privacy provisions were dropped from the final version of the bill. Now it appears that consensus is developing among the interested parties in the government on the desirability of moving forward with the legislative approach to medical privacy. In this regard, the language of HR-4585 is consistent with medical privacy recommendations forwarded to Congress by the Treasury Department six weeks ago in response to the concerns outlined by the president in his April 30th speech at the Eastern Michigan University in Ypsilanti. And in an important disclosure area that deals with information concerning mental health for a condition, HR-4585 goes beyond the administration's recommendations.

The legislation is also consistent with the industry accord announced last week. The industry is to be complimented in agreeing to voluntarily provide a credible degree of privacy protection of the medical records of their customers. Some would even contend that because of this voluntary agreement and because of the industry's general record of safeguarding medical records any legislation represents a solution seeking a problem. Yet the background of legislative concern in this area relates less to any history of past industry abuse or a new financial industry organization, but rather to the implications of modern information technology as it relates to the new genetic sciences.

So much more can now be known about and predicted about individuals based upon medical testing that it is important to put common sense restraints in place before temptingly improper industrial practices begin. The major provisions of the bill HR-4585, which is the principal subject matter of the hearing, are as follows.

Financial institutions will be required to obtain customers' affirmative consent or opt in before disclosing individually identifiable health information to an affiliate or nonaffiliated third party. A financial institution will be prohibited from obtaining or using individually identifiable health information in deciding whether to issue credit unless the prospective borrower expressly consents. Information relating to mental health or mental condition will be singled out for particular protection with separate and specific customer consent required to disclose such information and special policies developed by regulators to protect its confidentiality.

Consumers will be given the right to inspect, copy and correct individually identifiable health information that is under the control of a financial information, strict limitation will be placed on the redisclosure and reuse of individually identifiable health information legitimately obtained by a financial institution, and nothing will be done to modify, limit, or supersede medical privacy standards promulgated by the Secretary of Health and Human Services pursuant to authority granted under the Health Insurance Portability and Accountability Act.

The approach contemplated in HR-4585 is designed to augment the privacy provisions of the Financial Modernization Bill passed last year. Rules to implement those privacy protections are in the process of being implemented by the executive branch, and I believe I can speak for all members of the committee and encourage that regulators should move expeditiously so that all Americans can be more secure in the privacy of their financial information.



Before hearing today from the administration, government officials, and industry representatives and privacy groups and their perspectives, let me ask Mr. LaFalce if he has any opening comments.

REP. JOHN J. LAFALCE (D-NY): Mr. Chairman, I do. The difficulty is I think we have about five minutes left to vote, and I don't know that I'd be able to get my five minutes in.

REP. LEACH: I'll tell you, the gentleman is correct. We have a little more than that, but I think that if he doesn't want to be interrupted it would be better to move to the vote, and I think that's very appropriate. Let me say we have a very, very long hearing panel, set of panels, and we have votes expected in the floor actively today. And so it will be my intent to limit opening statements for five or six or seven more minutes, and then turn immediately to our witness, our first witness.

The committee then will be in recess pending the vote.

(Recess.)

REP. LEACH: The committee will reconvene. And Mr. LaFalce is recognized.

REP. LAFALCE: I thank the chairman. This morning's hearing continues our committee's work on financial privacy which we began two years ago when Chairman Leach introduced legislation which I cosponsored to prohibit pretext calling and other privacy abuses, and I introduced a related bill to impose obligations on financial institutions to protect the confidentiality of customer information. I am very pleased to say that both proposals were enacted into law as part of last year's financial modernization legislation in much the same form as they were originally introduced.

This year I introduced 4380, a comprehensive proposal developed in concert with the administration to address financial privacy broadly. I think it's an excellent bill. HR-4584, which the chairman has introduced, addresses one of the issues dealt with in 4380-- medical privacy, by restricting the use and disclosure of financial institutions of personally identifiable health and medical information. This is an issue not included in the legislation adopted last year and not adequately addressed in pending HHS privacy regulations. Both 4380 and 4585 reflect the growing bipartisan recognition that the privacy protections adopted last year do not go far enough in assuring that sensitive personal information will be protected by financial institutions and that additional protections must be enacted.

The issue of medical financial privacy eluded us last year. Our committee did adopt a narrow provision to restrict the use of health information in connection with credit decisions. That was replaced by a broader bipartisan financial privacy proposal on the House floor. The Commerce Committee had a proposal that would restrict the disclosure of health-related information by insurance companies. It was referred to as the Ganske provision. And that was omitted in conference in response to strong bipartisan concerns that it might preempt pending HHS privacy regulations, preempt stronger state medical privacy laws, and permit widespread sharing of sensitive health data under broad exceptions for many different things.

So all the major medical and hospital associations, all the patient and consumer groups and privacy advocates agreed that the Ganske language at that time created greater potential privacy problems than it resolved. And so both HR-4585 and 4380 have meritorious proposals on medical privacy. In many respects, 4585 is comparable to the medical privacy provisions of 4380, in some respects it does differ, and in some of those respects where it differs I have some difficulties, but I'm sure those difficulties could be worked out and probably in a manager's amendment. But the primary limitation of 4585 is not what it does. It's, rather, what it doesn't do. It applies only to medical and health information which we must do; it's extremely important.

But the higher standard of protection for the sharing of consumer profiles and lists should apply to all sensitive health and financial information, and the new protections for consumer access and correction should apply to all sensitive financial information. And the stronger standards for reuse and redisclosure of information should apply to all sensitive financial information and not just health or medical information.

In short, I think HR-4585 is a very good effort, but I also think we need to do more. If consumers do not want their financial account information shared with affiliated companies without their knowledge, we need to do more. If consumers object to having their spending habits and product preferences--referred to this as profiling--if they don't want these habits and preferences monitored and sold or shared for marketing purposes we need to do more. And if consumers don't want health and insurance information taken into consideration for investment or employment decisions, we need to do more. And if American consumers want to have the same privacy rights being given to European customers of United States institutions we need to do more.

And if consumers want the right to determine if their financial records are accurate and up-to-date, we need to do more. And so I urge today's witnesses not to confine themselves solely to the topic of a very important and necessary need of medical privacy legislation that's before us but I personally would welcome any comments on the broader aspects of the administration's privacy proposals either as contained in 4380 or any other proposals that are needed to assure the strongest possible privacy protections for American consumers.

I want to especially thank the chairman for accommodating my request for witnesses for today's hearings, all of whom will be on Panel IV, and I join with the chairman in welcoming all of today's witnesses, and I thank the chair.

REP. LEACH: What I would like to do in limiting opening statements is limit it to the chairman and ranking member of the subcommittee of jurisdictions.

REP. MARGE ROUKEMA (R-NJ): I thank you, Mr. Chairman, and I will be brief and have the full text of my opening statement in the record, but I will just make a couple of observations here, and as you know we in the subcommittee held hearings last year on these subjects including not only financial but also medical privacy. And as you have already noted, we have to go farther than what was in the Gramm-Leach-Bliley Bill, and that is quite appropriately-- I just want to endorse everything that you have previously stated on that subject. But clearly today we are opening up the door and continuing what we did in the subcommittee with respect to exploring medical privacy.

And really the financial and the medical privacy are interrelated, and we have to come to terms with them. Of course, we don't have the rules and the regulations yet evaluated. It's too early for that, but we hopefully will begin to evaluate those regulatory proposals by this July or certainly September.

I am questioning however why, what the status is and the scope of the medical privacy standards that were being developed or should be developed by HHS under the Health Insurance Portability and Accountability Act. I don't think that they have been clearly enunciated, and I think you made reference to that, and perhaps we will find out something more today or if not today then I certainly would expect to make a formal inquiry with them for a complete report.

But in addition, Mr. Chairman, I also wanted to say although we do have the American Psychiatric Association here today and at least one other group that's directly involved that are direct health-related organizations, I do plan to inquire with at least the American Medical Association, the Health Care Leadership Council, and the National Alliance for the Mentally Ill and other medical groups because I think it is absolutely appropriate for us to have those who deal on a daily basis with medical issues in the immediate world with patients to have more input into our deliberations here.

So I will be making those inquiries, and we can discuss at another time whether or not it would be appropriate to make that a formal part of our report. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Mrs. Roukema.

Mr. Gensler, please.

MR. GENSLER: Thank you, Mr. Chairman, ranking member LaFalce, members of the committee. Thank you for having me here to talk about this critical issue of privacy. I'm also honored to have with me my second daughter. Lee Gensler is right behind me. I know that Congressman (Capuano ?) last week when I did this with my other daughter thought it might be bordering on, as he said, child abuse. But, believe it or not, my second daughter also wanted to come and see how Congress works.

REP. LEACH: Well, on behalf of the committee we give a special welcome to Miss Lee Gensler, and Miss Gensler if you would like to sit next to your father you'd be welcome so to do.

(Laughter.)

REP. LEACH: If you're like my family, we know that the rule is inverse proportion to age, but please, Miss Gensler.

MR. GENSLER: I'm pleased to have the opportunity to talk about the chairman's bill, 4585, and privacy in general. My written testimony that I hope to submit for the record, let me just summarize, but does address four areas, both, first the needs for privacy protections in the financial area; secondly, last year's advances in the Financial Modernization Act; thirdly, the president's Comprehensive Consumer Financial Privacy Initiative; and then fourthly medical privacy.

But if I may just summarize briefly, many Americans increasingly feel their privacy threatened by those with whom they do business, particularly when it comes to privacy around their financial information. We're in the midst of extraordinary changes in the financial industry. These sea changes are brought about we think in three ways: First, integration and consolidation in part brought on by the Gramm-Leach-Bliley Act, but largely brought on by consumers and markets. Secondly, advances in technology-- clear and dramatic changes in technology. And thirdly, the explosion of the use of electronic payments and electronic receipts where transactions can be measured and recorded.

Last year's efforts were very significant, and we believe the Congress and the administration work together in a bipartisan way to move privacy protections forward in a constructive way around notice and choice, around third-party sharing, about important protections beyond that. The administration believes, however, that much more can be done and should be done to protect financial consumer privacy.

To that end, the president announced there's an important new legislative proposal in late April to provide Americans more fully with effective Financial Privacy Act. That legislation now before Congress is HR-4380, the Consumer Financial Privacy Act, is a balanced, comprehensive approach to financial privacy providing important new rights and protections while addressing some of the shortcomings in last year's bill.

A central administration principle is that the greater the sensitivity of the data and the possible harm from misuse, the greater should be the level of privacy protection and the chairman I think recognizes that with regard to the medical area. The administration's proposals therefore calls for the strongest protections in two highly sensitive areas-- first, the sharing of medical information as again the chairman's bill also recognizes and, secondly, the use of detailed personal spending habits information about an individual consumer. The entire list of all of our spending, where we spend our money, how we spend our money, a whole portrait of an individual.

For other financial information however, the administration's proposal would give consumers the opportunity only to opt out. The first two opt in, but other areas just to opt out before a financial services firm could share that information for marketing purposes. This would in essence extend the protections of last year's bill to affiliate sharing. But importantly, the administration recognizes that there's a bulk of information sharing, a third type of information sharing if I might call it. It provides for consumers to understand that sharing but not have a choice to opt out, and that's for risk management, for fraud, for law enforcement-- many of the provisions Congress wrestled with last year.

The administration suggests actually adding one very important component to that that would help consumers and help the economy, which is related to consolidated statements and consolidates call-in centers to facilitate, again, the consumers.

We're pleased so many members of Congress have supported this approach, especially thank ranking member LaFalce who sponsored this and led this with many members of this committee.

Let me now just turn to more specifically the medical privacy. We're deeply committed to providing consumers control and rigorous safeguards with regard to medical privacy. Under the terms of the HIPAA law which was passed by Congress in 1996 and the rules under them, privacy protections apply to covered entities. And I think that this was one of the questions raised earlier is that "covered entities" are only health-providers, health plans and health clearing houses, so thus includes health insurers. They do not cover life insurers, do not cover property and casualty insurers, do not cover auto insurers and many disability insurance programs, all of which I would say are now financial institutions and define such under the Financial Modernization Act of last year.

The proposals offered last year address some of the issues but could have seriously undermined the crucial medical privacy initiatives such as preempting the HIPAA rules and the other issues I think that Congressman LaFalce outlined in his opening statement. HHS is right now in the midst of a rule-writing process. They put out the proposed rules last fall, and the president committed in the State of the Union to finish these rules this year. They are right now in the midst of rule-writing and have received many comments on those critical, important rules. But again, those rules would not be able to cover many financial institutions such as life insurance companies, property and casualty disability insurers because of the nature of the 1996 Act.

Mr. Chairman, by convening this hearing you have focused attention on the important issues surrounding financial privacy and medical privacy. While we continue to believe it's necessary to seek legislation to provide comprehensive privacy protections, your bill offers a starting point for consideration of the issues that will be very important and truly important for a privacy regime.

Let me say, there's common ground between your bill and the administration's proposal regarding financial privacy. HR-4585 does differ in some significant respects, and I'd like to just highlight two of those for you today.

First, the scope of the bill. We believe that financial privacy legislation should address the full range of financial privacy issues, as the administration proposal does; 4585, while sharing many of the administration's views on medical privacy is, in contrast, a narrower bill that does not address issues beyond medical privacy. Medical privacy within the financial services industry is vitally important. There's only one aspect, we believe, in moving forward.

Second, with regard to the bill itself on medical privacy, in one regard with regard to receipt and use provisions these are the provisions that will prohibit unless the consumer consents for a financial institution to receive or use medical information. To receive or use medical information they are limited to the extension of credit or a loan. Thus, the chairman's bill suggests that before you receive or use medical information in an extension of credit or loan you have to get specific opt-in by the consumer.

We share that view, but we believe that it's important to have that receipt or use limitation broader than just in the extension of a credit or a loan. If a financial firm is giving investment advice should it be able to get information from a life insurance affiliate before it decides on the investment advice? If a financial firm is providing an auto insurance, should it be able to reach to the insurance company and get the medical information or even providing travel services which by the way under the Financial Modernization Act travel agencies are part of financial services. Before giving travel services, should it be able to reach next door to an affiliate to get medical information?

We think that the receipt and use provisions are strong but should be broadened and should be through the broad set of financial services and products.

In conclusion, Mr. Chairman, we thank you for providing this forum to discuss this critically important issue.

This hearing provides a starting point for a thorough consideration of the range of privacy issues raised by changes in technology and our financial markets. This is truly a historic opportunity to get financial privacy right, to put in place all of the protections that American citizens want and need. And we recognize that special sensitivity of personal medical information and we support having effective laws that match the sensitivity of that data.

At the same time, we should also address the vital issues that were included in the Consumer Financial Privacy Act. We think to do otherwise is to miss out on an opportunity and that we could work together and address these issues. We look forward to working with you and thank you again.

REP. LEACH: Well, thank you very much, Secretary Gensler, and thank you for your loyal support.

Mrs. Roukema.

REP. ROUKEMA: Mr. Chairman, you caught me a little off-guard here. I expected you and Mr. LaFalce to first be speaking. But let me ask this, Mr. Gensler. You state that the president has pledged that the final medical privacy regulations will be issued this year pursuant to the authority of HIPAA which I referenced, the '96 law, and I referenced that in my opening statement.

But these rules would apply only to certain, as I understand it, only certain, quote/unquote, "covered entities" and would not apply to most financial institutions. And I believe in your opening statement, although I was interrupted at one point, necessarily interrupted, that you made reference to the question of Gramm-Leach-Bliley. But maybe you could amplify that. But the point is, there's not specificity as to what would apply and what would not apply to the financial institutions.

But I am really deeply concerned because they are integrated. They are in some ways integrated. Aside from that, we have to beyond necessarily in this legislation. But what can be done has not yet been done under existing law, and so could you amplify please or be, with more specificity as to what we can expect and how you recommend we close those loopholes?

MR. GENSLER: The bill that was passed by Congress in 1996 provided that if Congress were unable to pass further legislation within a three-year period then the president was authorized through HHS to put in place these regulations. Those were proposed last fall. They only cover health providers, health care plans, and health clearing houses. That's what the bill said. And thus they cover health insurers but not life insurers, not property and casualty like auto insurers and the like.

So financial institutions and what this committee has before it in the chairman's bill and in the ranking member's bill does cover those other financial entities.

REP. ROUKEMA: Well, I believe I understand that, but are you saying that these rules-- oh, all right. Those are the covered entities that you were defining.

MR. GENSLER: Right, and Congress defined those in '96, and thus the HHS rules are unable to address the other sharing that may go on.

REP. ROUKEMA: Oh, I certainly realize that. But are they now being instituted, or are they still in the comment period?

MR. GENSLER: They've closed the comment period. They got, I think, literally thousands of comments.

REP. ROUKEMA: But they're not instituted as yet.

MR. GENSLER: The final rules would become effective later this year, and I think under the statute had two years for implementation.

REP. ROUKEMA: All right. Well, you see no conflict here by any means, either with under regulatory authority or with the affiliation proposal-- affiliation regulation in the law where this legislation will certainly close those loopholes in a defined manner. Yes?

MR. GENSLER: Well, I think both the chairman and the ranking member's bill recognizes the HIPAA rules and has, I recall, like sort of a safe harbor for that. And this is additive thus. And I think that is appropriate in both these bills.

REP. ROUKEMA: But in terms of additive you don't see any conflict coming up there in terms of a legal question within the affiliation structure, none whatsoever?

MR. GENSLER: I don't believe so.

REP. ROUKEMA: All right.

MR. GENSLER: I don't believe so.

REP. ROUKEMA: All right. I thank the treasury secretary.

MR. GENSLER: Thank you.

REP. LEACH: Thank you, Marge. John.

REP. LAFALCE: Thank you very much. First of all, Mr. Gensler, let me commend you on the outstanding job you've been doing in your role as assistant secretary of the Treasury for Domestic Finance and for the fine testimony you've given us today.

As I understand it having worked with you very closely in the development of the administration's broader, more comprehensive privacy package, you believe that the bill before us today, Mr. Leach's bill, is a good bill but you have difficulty with, A, its scope--which we'll talk about later--and, secondly, with certain details which I have said I think can be worked out and perhaps even by a manager's amendment.

Let's deal with those details first. Could you expand upon those just a bit more? If we were only to consider the bill before us, forget about scope, how would you want it improved?

MR. GENSLER: I think we've made some very good progress together since last year's debate and identified a new way to address financial medical privacy, and it's in the receipt or use of that information. If some part of the financial institution under the chairman's bill, a bank in extending a mortgage or extending an auto loan receives or uses information from an affiliate or a third party in fact it can't do that if it's medical information unless it has specific consent from the consumer.

We applaud that provision. We think that's right. It stops the use or receipt of that information. Our comment is that we think that in the president's bill we went broader, that it was not only in the extension of a mortgage or an auto loan, but it was the extension of other financial services. And as I highlighted, we think that whether you're extending investment advice or extending an auto loan, for instance, should not without the consumer's specific consent receive or use medical information from one of your affiliates. I think that would be-- again, the chairman's bill did include many of the provisions on access, on reuse, on personal spending habits around medical.

REP. LAFALCE: I haven't had dialog with the chairman on this specific, but I feel confident this is something that we could come to closure on. But what I'm concerned about is that we not lose sight of the fact that there are broader issues too which we have attempted to address in the broader bill. And I made a statement that I'll ask you to comment on some of them seriatim. If consumers don't want their financial account information shared with affiliated companies without their knowledge, would we need to do more than 4580?

MR. GENSLER: We think that we should not stop at medical. We think that there are broader issues, particularly around personal spending habits that are enhanced and are heightened level of sensitivity that ought to be included and the American people want included in their-- a zone of privacy.

REP. LAFALCE: Okay. Well, if we want to stop profiling, wouldn't we need to do more than 4580?

MR. GENSLER: Yes, we would.

REP. LAFALCE: If we want to give American consumers the same privacy rights that European consumers of the United States financial institutions have, wouldn't we have to go further?

MR. GENSLER: Well, in particular that would-- yes. The answer is yes, particularly as it relates to affiliate sharing.

REP. LAFALCE: Right. All right. Good. I just wanted to set the stage that I don't think that we should arbitrarily-- I may scratch the word "arbitrarily." I don't think we should prejudge the legislative approach we should take to our problems. I think we ought to hear what the scope of the problems are and then come in with legislation to address it rather than just start out with something narrow. And I don't want to turn down something that deals in a good manner with one piece of the problem. By the same token I don't want to make a prejudgment that we can only deal with one piece of the problem. I prefer to go for a larger, more comprehensive approach. I thank you.

REP. LEACH: Thank you, John.

Mr. Bereuter.

REP. DOUG BEREUTER (R-NE): Thank you very much, Mr. Chairman. Secretary Gensler, one of the exceptions to the opt-out provisions of the Graham-Leach-Bliley Act authorized disclosure of information by insurance companies to state RNT funds. Neither the administration's bill nor HR-4585 extends the state-guarantee fund exception to the opt-in provisions applicable disclosure of the health information. Several of the industry witnesses bring up this point or will bring it up before the committee later in at least their written testimony.

What is the administration's rationale in omitting the state guarantee fund exception from the medical privacy opt-in proposal?

May I ask a second question too? It relates to a concern among some financial institutions of a significant regulatory burden that could be imposed when they have only a one-time transaction with respect to a person. For example, wiring something by Western Union one time only.

Would you care to respond to both of those two items?

MR. GENSLER: Yes, Congressman. In terms of the state guarantee point, what was not clear to us in the last four months in developing the bill was why there might be a need for individual medical records with regard to that exemption that you rightly point out is Graham-Leach. So we have not heard a specific reason why medical, individual medical records are needed. Again, we look forward to working with this committee if there's something that we've overlooked, but nothing's come to our attention.

In terms of the second issue, there are provisions even under the Act last year and the rules that are now put in place in terms of one-time transactions to really lessen the, as you say, burdens, or lessen the requirements on any one-time transaction. Somebody goes up and uses an ATM machine and it's not their bank's ATM machine.

We took a lot of public comment on that. We know the regulators modified that in the final rule. We've not changed that in the president's bill or in the chairman's bill; I don't think we've changed that aspect moving forward.

REP. BEREUTER: But, I gather you're willing to look at possible changes in that area if in fact it can be demonstrated that there is a particular--

MR. GENSLER: We look forward to working with this committee in trying to move a product forward that addresses the needs of the American people, so all parties I think issues.

REP. BEREUTER: Thank you. We'll see if there is a case to be made and then make it. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Doug.

Ms. Maloney.

REP. CAROLYN B. MALONEY (D-NY): Thank you, Mr. Chairman, and I request that my opening comments be placed in the record.

REP. LEACH: Without objection, and without objection any member who wants to make opening comments.

REP. MALONEY: And thank you, Mr. Gensler, for appearing before the committee again and bringing your daughter Lee. First I want to thank you and the administration for making consumer privacy one of your highest priorities. I know that this issue is critically important to Secretary Summers--he's spoken before the committee on it--and to the vice president who just spoke out last week on this issue.

I would like to ask you. My district is the home of a number of large institutions, especially hospitals. And could you comment on your interpretation of the bill as it relates to patient service? Could the opt-in provisions prevent medical staff from having the most timely access to information that they may need for emergency patients or are additional exemptions necessary?

MR. GENSLER: I think it's a very critical issue. We do not believe so. This is also a very critical issue that HHS is addressing in their medical regulations in terms of sharing of information, and we know they have done comment on it, but we don't believe so, and it certainly would not be the intent either in rule or in law that a patient in an emergency room setting would have that difficulty.

It is the intent though to limit in the advancement of a financial product-- again, investment advice or other financial products where there's not that emergency situation.

REP. MALONEY: Okay. I certainly support the chairman's bill, but I am disappointed that it only, and that we are considering today only the area that it addresses which is medical privacy. And I wish that it had a broader scope, particularly the broader bill that Mr. LaFalce has put forward that includes really the administration's policies that they put forward. And I'm concerned that U.S. citizens are really treated differently than many of our trading partners in our global economy, specifically in Europe where they have much stronger consumer privacy. And given that much of the opposition to consumer privacy protection is based on their cost and operational difficulty, why should U.S. law be weaker than that of our trading partners?

MR. GENSLER: Well, this administration stands for strong consumer privacy protections particularly with regard to financial privacy. I think that as you've seen in the ranking member's bill and the president's full support, it would bring us to those standards which we think are, again, balanced whereby industry would have a base of information they could share but then have the sensitive information have higher standards surrounding them.

REP. MALONEY: I certainly hope that the chairman will have a hearing on the administration's proposal because these extended and more complete consumer protections are very, very important.

I've spoken to many industry representatives that tell me, particularly in the health industry, that they are willing to go forward and provide this consumer privacy to their customers particularly on medical information. And why is legislation necessary if companies are willing to take these voluntary measures?

MR. GENSLER: Well, we think as the chairman said in his opening remark that this is important in moving forward, not only to prevent action even if they're not rampant today, but also to instill confidence in our financial system. Something fundamentally is changing around commerce today, not just banking but overall, and it's the internet and it's electronic commerce.

And to instill confidence in the internet and instill confidence in the financial system we think that fundamental consumer protection, fundamental privacy rights actually promotes the economy by building confidence. So if they're not going to do it anyway, instilling it in law doesn't take anything away but it builds confidence.

REP. MALONEY: Well, actually as we speak the e-commerce bill is on the floor that will break down yet another barrier for signatures for contracts which is a very important bill which underscores the point that you're making.

MR. GENSLER: We've worked successfully with this Congress on that bill, and that is a very important bill to move forward electronic commerce. But again that bill is done in a way that was sensitive to consumer needs to build the confidence in this new economy.

REP. MALONEY: Well, my time has expired. Thank you very much for your testimony.

REP. LEACH: Thank you.

Ms. Kelly.

REP. SUE W. KELLY (R-NY): Thank you, Mr. Chairman. I just have a couple of very quick questions here. There's been some concern expressed that provisions that we have here threatens to impose a significant regulatory burden on financial institutions that have to respond. I wonder how the administration responds to those concerns. The regulatory burden on the financial institutions is something that I think we really need to think about. I wonder how you respond to that concern.

MR. GENSLER: Well, I think that the bill before you today and the president's bill build on the provisions in the Graham-Leach-Bliley Act, so they're meant to be consistent and build upon that. But there's two areas that people have raised. One, they have said, might there be a burden because you limit information and the great new economy that we have?

And we think not because there is a base of information that can be shared as long as it's restricted to reuse but shared for risk management, fraud, for securitization, and we've actually added a provision in our proposal for consolidated account statements, an important provision. So, there's a base that provides all that information. What the administration is saying is, to market to an individual that we should provide individuals the right to opt out, to say I might not want to be marketed to, and then for medical and for complete profile of an individual that it would be an opt-in.

And we think that that, those limited provisions, are important actually to promote the financial industry.

REP. KELLY: Your testimony just now, though, didn't include the problems with one-time transactions. There are some serious, I think, problems there in terms of the regulatory burden that will be imposed on the financial institutions. People have a one-time transaction I think that needs to be considered, and do you think the administration would consider possible changes to address something like that?

MR. GENSLER: In terms of -- you're right that the bill and the testimony actually do not take up the issue. It's consistent, precisely consistent with what Congress enacted last year; and in that regard there was, the rules that were put in place had less of a responsibility on the financial institutions for those one-time transactions in terms of the, in essence, the opt-out for third-party sharing and the like. And I believe that the regulators addressed that in their final rule. I'm not aware of further comments that came up.

REP. KELLY: Would the administration be open to a change?

MR. GENSLER: Well, again, we look forward to working with this committee, moving forward on getting the best privacy protections for consumers but also those that are balanced and work for the economy.

REP. KELLY: Are you aware of any specific instances, or is the administration aware of any specific instances where banks have denied credit based on medical information about the loan applicant, whether it's been gotten from an affiliate or from a nonaffiliated third party? Do you know of any instance like that?

MR. GENSLER: While I'm not familiar with them, we are in a world that's really new in terms of the ability to have databases and to bring together data across a financial institution in a way that it's important to put these protections in-- I think as the chairman said before commercial interests take over. There's a temptation there that's really there. And we think it's best to address this now and in addition to instill the confidence in the system that I think will promote the banking system in itself.

REP. KELLY: If I understand you correctly, you're talking about instilling confidence by drafting a law, but you don't have any instances, specific instances that you can talk about where banks have denied credit to people in those instances.

MR. GENSLER: Well, I think with all respect, we see no reason to allow somebody in extending a mortgage to look into your personal medical history unless they're asking that of all those applicants of the mortgage and unless they're asking your permission. We cannot see any reason why that should be allowed.

REP. KELLY: Well, I don't think anybody does, except -- that anybody wants that really. But on the other hand, I think it's important that we have, that we not draft laws and pass laws when there's not a need for a law. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Sue.

Mr. Ackerman? Or do you wish to come now?

Mr. Bentsen.

REP. KEN BENTSEN (D-TX): Thank you, Mr. Chairman.

Mr. Gensler, in reading your testimony as it relates specifically to the health information issue, would the administration be supportive of 4585 if the receipt and use provisions were similar to what is in the president's bill including the requirement that it's the same requirement on all customers? Is that your main hold-up with respect to the health issue?

I understand that you want, that the administration believes that the Congress ought to go further in revisiting the entire Title V of the Graham-Leach-Bliley Act. But if we were just to focus on health which was effectively carved out at the end of the process last year would those be the main changes you would be looking at for 4585?

MR. GENSLER: You're correct to say those would be the main changes in terms of the health provisions of 4585. The administration feels that it's important to move forward in these other areas, that to share all of the ways that Congressman Bentsen spends his money, where you spend it, how you spend it, a complete list of that, be able to share that without your affirmative consent is not an appropriate standard.

So we feel that it's best to be comprehensive, and we look forward to working with this committee and the Congress to achieve that.

REP. BENTSEN: And I understand where Mr. LaFalce wants to go as well. It seems to me that a very strong case can be made that with respect to health information or medical privacy that we did not go as far in that area as we did in other areas of financial privacy in the Graham-Leach-Bliley Act. And were we not able to muster broad support, or support for a broader bill, would it not be appropriate to at least plug this one gap in the medical privacy?

I realize your aide is providing you with answers there, but to plug this one gap with this, with a bill like 4585. Would the administration-- I know you don't want to give up the whole thing yet. But don't you think that if there was one thing we could get done this year, isn't this an area where Graham-Leach-Bliley was failing in medical privacy as compared to other areas?

MR. GENSLER: We share this committee's view that that's a gap and earlier questions a gap I think in part created because we have a new situation where insurance companies can affiliate with banks. Before the Graham-Leach Bill, that was not legally permissible. But the administration, I would say, Congressman, would still feel strongly that we should address these other issues, that it's important.

Some issues that actually benefit industry to allow for these consolidated call-in centers, but some we think very importantly benefit consumers not only through getting greater services like consolidated call-in centers would give greater services, but also in terms of giving greater confidence and protection around the sharing of especially sensitive information.

REP. BENTSEN: The HR-4585 as the administration reads it, would this be, would the enforcement of this be in the same way as the other financial privacy parts of Graham-Leach-Bliley are? And the chairman has pointed out that it would not preempt or supersede the HHS's role under the HIPAA law. Does the administration agree with that interpretation? Do you believe that this in any way would preempt the Secretary of HHS or HHS or the HIPAA law? Are you comfortable with how that section is?

MR. GENSLER: Let me just make sure with at least these aides, not this one. (pause in proceedings)

I think the answer to both parts of your question are yes, but the chairman's language and the language in 4380 do not supersede HIPAA or HHS as we can see in any way.

REP. BENTSEN: And finally, does this bill, and the chairman may answer this-- I don't know-- but does this bill or does your bill preempt state law, or does it follow along the same track that Graham-Leach-Bliley did that gave the states the predominant role in setting privacy standards?

MR. GENSLER: It sort of adds to Graham-Leach-Bliley, and so you're familiar with those provisions, and in these bills there's no statement on preemption. So thus leaves in place the regime that we have prior to these bills.

REP. BENTSEN: Thank you. Thank you, Mr. Chairman.

REP. LEACH: Mr. Lucas.

Mrs. Biggert?

REP. JUDY BIGGERT (R-IL): Thank you, Mr. Chairman.

Mr. Gensler, with this bill and concerning Workers Compensation and the automobile insurance, both of which deal with number one timely access to health or medical records, timely receipt of that, do you think that this would cause delay in obtaining the relevant health data needed by Workers Comp to proceed with claims? And in the health or the auto insurance which also deals with indemnifying consumers for medical losses, I see a delay perhaps in Workers Comp cases. What if the consumer actually refused to opt in to provide that medical, their medical records in a case which questions their claim?

MR. GENSLER: We don't believe that it would delay, but also if in any way when we think through this and together that that would be an issue, we'd look at what technical issues needed to be added. We don't think so, and I would add that because it allows for specific opt-in product by product, you could put a specific opt-in if that was, you know, in cases that are necessary around providing the medical services at Workers Compensation and the like, more if it was medical services on disability.

REP. BIGGERT: And that would apply then to maybe auto insurance too?

MR. GENSLER: It could, but again we don't think that either bill limits the timely payments under auto insurance because again if you have an accident that's the time you share the medical information.

REP. BIGGERT: Um-hum. Okay. And then as far as the provisions for opting in and Graham-Leach has the opt-out, is this going to be confusing for when you opt-in, when you opt-out? Is this something that we need to deal with?

MR. GENSLER: Well, we don't think so. I mean, there are many provisions already in law around that are opt-in-- video rental, even under the Federal Privacy Act certain provisions even under FCRA, the Fair Credit Reporting Act in terms of sharing your credit report with employers and the like. So there are standards that Congress has put in place that are opt in where there is especially sensitive information. Even under HIPAA it's effectively a consent or opt-in for health or medical information under HIPAA, but unfortunately it only applies to health insurers and not other insurers.

REP. BIGGERT: Well, did the U.S. Supreme Court refuse to hear an appeal by a federal appeals court ruling in Colorado that struck down as unconstitutional regulations promulgated by the FCC that restricted inter-carrier sharing of certain customer information? And what they looked at specifically was the opt-in provisions which seemed to be somewhat similar to this bill and the administration proposals. So have you looked at that case?

MR. GENSLER: I haven't personally. Let me ask if there's -- I think I'm going to get an expert answer. (laughs) Let me just say, we've been working with the Department of Justice, and around all the administration privacy proposals, and focused on the Tenth Circuit opinion and believe that the bill that's before you that the administration's bill in terms of its opt-in provisions, I think this would also count for the chairman's bill but I don't know that DOJ has had the same amount of time on that are constitutional and even in light of the Tenth Circuit opinion.

REP. BIGGERT: Thank you. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Ms. Biggert.

Mr. Ackerman.

REP. GARY ACKERMAN (D-NY): Thank you very much, Mr. Chairman. I did have a question, Mr. Secretary. On a previous question, did I understand you to say that you would be supportive of an exemption for one-time transactions as it might --

MR. GENSLER: I think what I said was that, in terms of the regulations under last year's law we think it was put in place a different set of obligations on those one-time transactions. We think they were effective. We are not aware of comments that have come in subsequent to that final rule. What I also said is, we look forward to working with this committee on this broad, comprehensive privacy and moving broad comprehensive privacy forward related to financial privacy. If there is a specific issue then it would be rightly taken up in that comprehensive bill.

And we would be open to looking at appropriate issues to help protect consumers but also to foster commerce.

REP. ACKERMAN: In your view, would somebody undergoing a medical examination as a prospective insured under health insurance, would that be considered a one-time transaction?

MR. GENSLER: Well, as we don't have right now in place a medical financial privacy law, it's more in the prospective, I think, that you'd probably be asking it. But in terms of the administration's approach if you're conducting an exam for life insurance, that's specific to that product and if the life insurer is asking it of all customers under the president's proposal as long as it's asked of all customers and you're consenting to it, you're having the physical so you're personally consenting to it, then that moves forward.

What we're trying to attack then that that health information is not then used by some affiliate for some other financial product, a separate financial product.

REP. ACKERMAN: What about for the same financial product? I'll give you a specific example if that would be of assistance to you in thinking this through.

MR. GENSLER: All right.

REP. ACKERMAN: A person goes for a medical exam for life insurance, and they make a determination that the person tested positive for HIV. And they decide not to insure the person. And they decide not to disclose it to the person who was tested. And they decide to post it using a secret code on the internet made available to insurance companies so no other insurance company, so that every other insurance company who belonged to the association knowing the code would understand that this person tested positive and would therefore be warned not to issue insurance.

Would you be in favor of that one-time exclusion under those circumstances?

MR. GENSLER: Absolutely not, sir. Absolutely not. The only thing that trying to highlight I think in your earlier question is that nothing in these bills would prohibit a life insurance company from requesting that you have a physical exam for that product provided by that life insurer, but that life insurer should not, and I think Americans would all agree, be able to share that information with others or post it on the internet.

REP. ACKERMAN: Not every insurance company agrees with that. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Mr. Ackerman.

Mr. Terry, did you seek recognition? Fine.

Mrs. Hooley.

REP. DARLENE HOOLEY (D-OR): Thank you, Mr. Chair. Thank you, Mr. Gensler, and thank you for bringing your daughter. I think that's great.

MR. GENSLER: Well, thank you.

REP. HOOLEY: Now most of my questions have been asked, but there are a couple that I still have. Do we need any special provisions or anything different that deals with mental health? You put that in the same category as all other health?

MR. GENSLER: Well, the chairman's bill actually has a specific provision with regard to mental health and it was an enhancement in fact on the president's bill to have a specific consent with regard to mental health, and we think that it probably is appropriate to have that, have even an additional and separate category, and we look forward to working with this committee if there's other enhancements in that specific field.

REP. HOOLEY: Another question is, tell me one more time, what's the difference in this bill that enhances that privacy regulation over what the secretary of Health and Human Services has come up with?

MR. GENSLER: The secretary of Health and Human Services has limited authority, limited because the 1996 law people are referring to as HIPAA only related to, quote, "covered entities" -- health providers, health plans, and health clearing houses. Life insurers are not a covered entity. Disability insurers are not a covered entity. Auto insurers, property and casualty are all not covered entities. Banks by the way are not covered entities.

So she's moving forward, and the president's moving forward the best they can, but it's within that law.

REP. HOOLEY: And then lastly, I know your bill is looking at how do we protect consumers. Have you done any looking at what it costs financial institutions to implement these proposals?

MR. GENSLER: Well, I know that the regulators did some on the Graham-Leach provisions. But in terms of moving this bill forward, it again just builds on the base of the Graham-Leach provisions for notice and choice and importantly a choice with regard to medical in the chairman's bill. But we've tried, I think in both bills, to just build upon the same regimes and the same methodologies that I'd say went through public comment. I think there were 2,600 comments that came in, and on the earlier provisions, and most of which were constructively addressed.

REP. HOOLEY: Thank you very much. Thank you, Mr. Chair.

REP. LEACH: Thank you.

Mrs. Carson, did you wish to be recognized? Not right now. Thank you.

Mr. Inslee.

REP. JAY INSLEE (D-WA): Thank you, Mr. Chair. I want to thank the chair for following through on this important issue. I know the chair feels strongly about closing this massive loophole and getting this resolved. I'm very hopeful that we'll do that this year and that the other chamber will follow our lead, and I appreciate the chair's advancing this at this time.

But I think it's very important to note that I feel that our job even if we resolve this issue, and I'm confident we will at least in this committee, that there are really massive imperfections in the Graham-Leach bill that we ought to address this month and to date we have not been had an encouraging signs that we'll have hearings either in full committee or subcommittee on closing the affiliate-sharing loophole. And that causes me great concern because I can tell you that since we last addressed the issue of privacy in this committee, this issue has taken off like a rocket in America. We had the first sort of inkling of that last fall when I first brought an amendment and Graham-Leach-Bliley to address this whole privacy issue. And I think all of us members of Congress since then have learned that there's probably no issue in America today that is growing in people's anxiety levels than their loss of privacy in this country.

And I think since we passed the Graham-Leach bill, that has continued to grow exponentially. You cannot pass a magazine stand without reading it or pick up a newspaper today, and I can echo those comments that are on Main Street.

So the question comes, when are we going to address this affiliate sharing issue, and when will this committee have hearings to do that? I suppose we could wait until the next Congress to address that if we felt we didn't have enough information to know whether there's a problem today. But have to ask this question. Do we have to wait until the next Congress to figure out that companies are going to share private personal financial information against our interests, against our specific directions, with their various affiliates under Graham-Leach? We do not have to wait until the next Congress to know that that is going to happen as soon as it is legally permissible.

Secondly, do we have to wait that when our constituents find out that that's going on that they're going to be outraged? Do we have to wait until the next Congress to figure that out? And I suggest we do not have to wait to know that Americans are going to be outraged about this telemarketing gambits that are going on to sharing their personal, private information.

We don't have to wait for the next Congress to figure that out, and lastly do we have to figure out the next Congress on how to deal with this issue? And I don't think there's any reason that we're going to learn something between now and the next Congress. So I feel very strongly that this committee ought to have hearings this Congress on the affiliate sharing issue and the issue of opt-in, opt-out, which remains in contention. The chair has shown leadership in bringing this to this committee, and I'm just hopeful that we will have an opportunity to further address this affiliate sharing issue this Congress.

Having said that, Mr. Gensler, on my soapbox, I'd just ask if there's anything you'd like to add on the timing of this discussion.

MR. GENSLER: Well, Congressman Inslee, we applaud your leadership on this issue, and it was very good to work with you on the digital signature bill as well which is such an important issue for this nation. We share your views. We think that there's no time to address this issue like now. This is all going one way it seems. I mean, one of my colleagues earlier today said that Congress is conducting five different hearings that the administration is talking about privacy in one realm or another this week. And it just gives a sense of the potency of this to the American people. I think that we have had a thoughtful, balanced approach about affiliate sharing. We come out on the side of the debate, the administration comes out as you do that it should have some choice where we believe that that notice in choice there's no distinction between affiliates and third parties, that the single one issue that industry has raised we've dealt with is consolidated call-in centers and consolidated statements. They already had what was known as the 502(e) exceptions in the Graham-Leach bill which was a series of 8 important exceptions. And it's time to move on.

And I think we believe that credit card companies should not be able to share a complete list of how you spend your money, where you spend the money, in essence a total portrait of you as an individual without you having the right to say, yes, you can share that and tell somebody the complete search and the complete portrait on Congressman Inslee.

REP. INSLEE: That actually could be interesting reading, I suppose, but-- (laughs). Well, thank you, Mr. Gensler, and thank you, Mr. Chair, for bringing this to our attention, and I just am hopeful that the chair can see to it to allow this committee to address this issue and not have to wait for new members of Congress. And I think there will be some new members of Congress here perhaps because of this issue. But we shouldn't have to wait for them, and we ought to on a bipartisan basis move forward in this regard. Thank you.

REP. LEACH: The chair would like to thank the gentleman for his advice and the secretary as well, and I would also like to thank both the gentleman and the secretary for switching to the chair's position and now supporting in a more timely basis the medical privacy issue. And I'm glad that having sought delay on that issue last year you're now in favor of moving forthrightly at this time. Mr. Moore.

REP. DENNIS MOORE (D-KS): Mr. Chairman, I don't have any further questions of Mr. Gensler. I do appreciate your work in this area, and I am hopeful that we can as Mr. Inslee pointed out, expand at some point beyond just medical privacy and financial privacy. But internet privacy and a lot of other issues are of a great concern, I think, to the American people. Thank you.

REP. LEACH: Mr. Gonzalez.

REP. CHARLIE GONZALEZ (D-TX): Thank you very much, Mr. Chairman. Mr. Gensler, quickly, a couple of questions. As you've indicated that one medical record, medical information and personal spending habits information, profiles, would be two categories of information that would rise to the level of this special zone of privacy. I think that may be the term, which really equates to opt-in in essence pretty much. That's a distinction in mine anyway. So I'm wondering what other types information in your opinion would rise again to the level which would place it in the special zone of privacy?

MR. GENSLER: The two areas I think you highlighted were those two areas-- medical information and then the complete portrait, the complete spending habits. Those were the only two that we thought would be at that enhanced level and then in essence the burden would be on the provider of services to get your consent. Another area, just marketing, the burden in essence would be on the consumer to fill out the form and send it back in. But we thought that that less-sensitive information and thus the burden more appropriate on the consumer.

REP. GONZALEZ: In all your discussions though, nothing else has entered those discussions that again may get this type of treatment on the opt-in standard?

MR. GENSLER: That's correct, and as I noted earlier Congress has had opt-in for other provisions, whether it's in the Telecommunications Act or video rentals and other areas that Congress has saw that as an appropriate means of protecting a zone of privacy.

REP. GONZALEZ: And the second question goes, the HHS standards would apply to health plans, health care clearing houses and certain health care providers as you've pointed out. Then we had this bill here, 4585, that would encompass financial institutions. Who have we left out?

MR. GENSLER: I'm not quick enough to think, but in terms of medical, this addresses financial institutions. I'm sure there's some institutions that are neither financial nor health care providers.

REP. GONZALEZ: That's my point. I guess it's going to be this piecemeal effect, and I understand that we approach it many times that way, and maybe in the final outcome is that we have one bill that maybe can address all the different activities. The reason obviously is that you have certain entities that may have shared activities, for instance, that would subject them to one set of rules possibly-- as to another set of rules. And that is a problem out there, and that's why I was just asking you, is there anything that you see now that needs to be addressed differently, some other enterprise, some other activity, some other business?

MR. GENSLER: The president has laid out and the administration has felt strongly that there's three areas broadly that's appropriate to address statutorily-- and that's medical, financial and children's on-line. And those are the three broad areas that he and the vice president laid out a number of times in the administration has moved forward and worked successfully with the Congress and the children's on-line Privacy Act some time ago, worked successfully even last year on the financial bill even though we think we should do more.

REP. LAFALCE: I wonder if the gentleman from Texas would yield for a question.

REP. GONZALEZ: Of course. Yes, sir.

REP. LAFALCE: Mr. Gensler has been assisted in his testimony by a relative of his, and it's my understanding that you have assisted your questioning on this issue as an appropriate zone of privacy by a relative of yours, an attorney from San Antonio who has prepared quite an outstanding book dealing with the issue of zones of privacy, which I hope you would share with the members of the committee.

REP. GONZALEZ: Not at this time because it would be a lengthy discourse; I guarantee you. Thank you. That's all I have. Thank you very much, Mr. Chairman.

REP. LEACH: Do you seek recognition? Yes. The gentleman, Mr. Moore. Mr. Capuano.

REP. MICHAEL E. CAPUANO (D-MA): Thank you, Mr. Chairman. Mr. Gensler, I just have a couple of questions. I guess one is purely educational as far as I'm concerned. Under the current situation, the current laws, oftentimes I pick up the local papers and I read on a regular basis, probably several times a week about a prominent in the community coming up with some medical problems, admitted into the hospital for this, admitted in the hospital for that, being treated in an experimental way for this problem, that problem.

Under current situations, is that person protected from any retribution, potential-- maybe a better word could be used-- any reaction from the financial community? Could that person have his loans or her loans pulled, have them culled, be denied if they're in the middle of getting a mortgage and some one happens to read right now a banking executive happens to read right now that they're getting treatment for some heart anomaly?

MR. GENSLER: I just want to check. No. There are no federal statutes in place that would limit that at all.

REP. CAPUANO: I guess, I didn't think there were, but I wasn't sure, and I wanted to make sure. I guess I would like at some point some people to take a look at that as well. I'm not so sure it's easy to put your arms around. I'm not so sure it's something you can address, but it's something that there should be lines. I think there should be lines. I certainly-- I mean, especially people in our world, in your world. You know? There is nothing I do that's private. Nothing. And, heck, people have websites up on probably pretty much everybody here, probably on you too, telling all the terrible things that I did just yesterday, never mind the rest of my life. And I would be concerned deeply if my family were negatively impacted. It's not just politicians-- anybody in the public realm is subject to that, and it would concern me if there were no limits whatsoever on-- it's one thing in freedom of speech to say whatever you want to say. I understand all that. But you know as well as I do, if you go right now, if you were admitted into a hospital for a checkup right now you know darned well the likelihood is pretty good that we'll be reading in the paper tomorrow.

And I just don't think that's something that we should just ignore. It's one thing to focus on the immediate problem in front of us, and I think that's all well and good. I think it's a great step forward. But I don't want to also lose sight of a bigger issue as well.

Shifting gears, the only other issue I have is, I heard earlier some concern, and I know there's always concern about passing laws that aren't needed, we're not sure we need them. I guess, I'm not interested in the morality, not interested in the ethics, not interested in the social aspects of privacy. I have my own opinions on that and that's all well and good. I'm interested in the financial aspects.

In the banking world, do you think that the banking world would be better served financially if Congress were to sit back on this issue or any other issue and not speak, let it go until there's a problem, and then react after the businesses have invested probably millions of dollars in software, millions of dollars in personnel, millions of dollars in mailing and telephone centers, et cetera, et cetera, et cetera, because maybe I'm wrong but my estimation is that once the first financial institution starts sharing medical information even though the others will say it's morally reprehensible, terrible, we'll never do that, but the first time they save money or they make money someone else is going to fall in line, someone else is going to fall in line and eventually we're going to act.

It strikes me as financially better for the financial services community if we can set the rules now, let them know what the rules are going to be now rather than waiting for some situation to arise, and I don't think any ordinary American thinks that it won't happen if we do nothing. Something will happen, and we will overreact and have wasted millions of dollars, millions of personnel time, millions of hours of personnel time and all the problems associated with changing business practices. I guess I just wondered, do you think I'm completely off the wall? I don't mind being off the wall. That's what I do. But, or do you think there's any legitimacy to that concern?

MR. GENSLER: We think that it's fundamentally important to address this issue for consumers and for the banking system. We think, as we said earlier, not only instills confidence but gets ahead of an issue that could be-- it's like an attractive nuisance. I mean, it's too tempting, frankly. And having been in commerce I could never imagine that any of my former partners would do anything on this, but I think it's just attractive and it's there, and I think we should address it.

REP. CAPUANO: I never would have thought that so many people would be calling me in the middle of the night 20 years ago trying to sell me another credit card after I have 400 in my pocket already. But that attractive nuisance is just unavoidable when there's money to be made, and I understand that. So I guess that's how-- I asked the question already having formed my opinion. I think it is good business practices for Congress on the issues such as this to set the bars now to save the time, the trouble, and the money that's involved in following down what I think will end up being --

MR. GENSLER: It's also as we change so rapidly what we want to do is adopt the new information age as we move from the, sort of the industrial age to the information age. The president said in his speech in Ypsilanti, when we move from an agricultural age to an industrial age it was important to adopt new laws at that time to put in place really the progress and to expand to the full middle class the nature of the industrial age as we moved into the 20th century. And as he said better than I could, we need to do the same as we move into the information age and put in and adopt laws to help us move and promote for all Americans the success moving forward.

REP. CAPUANO: As a little footnote to that, I think it's well-put, there were many people in those days that objected to the proposed laws at the time as overbearing, overreaching, we don't need them, we're doing fine without them. It is not a new story; it's an old story, and I think it clearly worked well for this country and for the American people in the past transitions. I think it will work well here. Thank you.

REP. LEACH: I think that is the last question -- or excuse me.

Ms. Schakowsky, did you? No, thank you. The last questioner.

Let me just briefly opine because we're in the realm of privacy and several constitutional issues have been raised, and the chair is willing to suggest that freedom of information requests do not apply to the notes passed from Ms. Lee Webber to her father.

MR. GENSLER: To my daughter. Oh.

REP. LEACH: In any regard, and we thank you very much, Gary.

MR. GENSLER: Thank you, Mr. Chairman. You want to say thank you? Say thank you.

MS. LEE GENSLER: Thank you.

REP. LEACH: Our second panel is composed also of a single witness, Ms. Kathleen Sebelius who's commissioner of Insurance for Kansas and vice president of the National Association of Insurance Commissioners. I'd like to ask Mr. Ryun if he would like to make any welcoming remarks.

REP. JIM RYUN (D-KS): Mr. Chairman, first of all, I'm sorry I missed the opening statement and didn't have an opportunity to welcome my insurance commissioner, Kathleen Sebelius, but I do want to thank her for coming today. She's been an advocate for the medical privacy of Kansas. She's been recognized for her efforts in Kansas and certainly by the national association, and I welcome her testimony to do what we can to ensure that all Americans have the kind of medical privacy that we're looking forward to protecting in light of the Gramm-Leach-Bliley Bill, and I want to thank you for the opportunity to say something and welcome. Thank you for coming.

REP. LEACH: Thank you, Jim. Mr. Moore, would you like to comment as well?

REP. DENNIS MOORE (D-KS): Thank you. Mr. Chairman, again I congratulate you on your good work on convening this hearing and the bill that you've drafted, and I also appreciate the opportunity to extend some brief remarks to welcome Insurance Commissioner Kathleen Sebelius here. Kathleen has a very interesting background. She comes from a bipartisan political family. Her father was governor of Ohio. Her father-in-law was a former member of Congress from Kansas. Her husband is now nominated to be United States District Court judge in Kansas, and I'm very, very pleased to have Kathleen here today. She was first elected in 1994 and reelected in 1998 as Kansas Insurance Commissioner and previously served four terms in the Kansas House of Representatives. She currently is, as I think the chairman indicated, vice president of the National Association of Insurance Commissioners and is chair of the working group on Privacy. And that's the capacity she appears before our committee today.

She was recently recognized as a Renaissance regulator by the June issue of Best Review, a national magazine focusing on insurance issues. They observed, and I thought this was very interesting, that she was able in the last five years to eliminate almost half of the regulations on insurance in the state of Kansas.

She has established a reputation as a national leader on health insurance issues and is leading the NAIC effort to develop uniform regulations that balance privacy for individuals against insurers' business needs for consumer information. I often turn to Kathleen for advice and counsel, and I really am pleased to have her before this committee today, and she is always very able to render thoughtful and insightful testimony I think. And I appreciate that.

Welcome, Kathleen.

REP. LEACH: Well, thank you very much, and looks like you've come with near-perfect credentials, Ms. Sebelius, although some of us would prefer that you took your father-in-law's rather than your father's part. But you are very welcome, and please proceed as you see fit.

MS. KATHLEEN SEBELIUS: Thank you, Mr. Chairman. It's nice to be here, and it's nice to be here with half of our congressional delegation. My own congressman and my friend Congressman Moore. I appreciate the opportunity to be here and also bring you greetings, Mr. Chairman, from your own insurance commissioner, Terry Vaughn, who is now serving as secretary/treasurer of our association and we just finished four days of insurance meetings, our summer meetings, so she said to be sure and extend her greetings to you.

Unfortunately my colleague, Glen Pomeroy, who is a former president of our association from North Dakota whose brother serves with you in the House, is socked in at Bismarck that planes couldn't get out of Minneapolis last night and couldn't get Mr. Pomeroy to Washington today. So, he apologizes for his absence at this hearing.

What I'd like to do before I talk a bit about health privacy, Mr. Chair, is just use a few minutes to give you an update on the way insurance regulators are moving to comply with the features of Gramm-Leach-Bliley which is fairly sweeping change for, say, regulators.

I think it's safe to say that the passage of this bill focused attention and mobilized the attention of my colleagues from around the country, and they are moving very quickly to comply with various aspects of that bill. In just three short months we've had 50 state regulators sign a statement of intent on implementation features which have a comprehensive buy-in for uniform standards across the country on a variety of issues including a more efficient and uniform regulation of the financial services market place.

We have nine different commissioner level working groups in place to implement the law in areas like privacy and agent licensing and speed to market for insurance products. The Gramm-Leach-Bliley has created expectations, and frankly our goal is to exceed these expectations. We feel it gives us a good framework to moving to a 21st century regulatory system and have been hard at working doing that.

Having said that, I also do appreciate the opportunity to appear on the very important issue of health information privacy and the new legislation before this committee, HR-4585. This will be the sixth time during the course of the 106th Congress that we've come to testify on health privacy and are pleased to see that there is a recognition in this proposal as there is in the president's proposal to recognize that an unintended consequence of Gramm-Leach-Bliley is the fact that now a consumer-sensitive health information can be shared freely without distinction from other sorts of financial information.

Although as you all know, health privacy wasn't specifically included in the language of Gramm-Leach-Bliley, the federal regulation changed that landscape because the definition of financial information now includes health information. And unfortunately given the framework of the original bill, the law doesn't provide the kind of stringent protection that we feel and most consumers feel is needed for sensitive health information.

Mr. Chair, the regulators were very sensitive to the pleas from the industry that the financial portion of the regulations that we're mandated to promulgate for insurers across this country not put them at a competitive disadvantage with their colleagues. So our initial draft regs follow that guideline set out by Gramm-Leach-Bliley. On the other hand, unanimously the commissioners felt that health information needed to be treated differently, should be treated differently, and we're in the process of crafting regulations which would separate out health information and provide for the same kind of opt-in standard that you provided in this bill.

Specifically I'd like to highlight a couple of areas where there is a lot of consistency between our approach and the approach of HR-4585. I mean, first is the basic recognition that health information should be treated differently than financial information. Secondly, it should be treated with more protection than financial information with an opt-in standard across the board. Again, the NAIC framework has always been to save the information that should be protected, not necessarily the entity that has that information. So in our prior models and in our current regs we don't delineate between a Workers' Comp company or an auto insurance company or a life company from a health insurer who may have health-sensitive information. We think it's the information that deserves the same kind of protection.

And it should be across the board with financial institutions. Again recognized by your bill. These aspects of your bill mirror the standing NAIC policy, and we applaud your efforts in amending Gramm-Leach-Bliley to include the important protections. As I say, we've been fairly consistent on this. We had a model in 1980, a general privacy model that recognized an opt-in standard. We updated that model in 1998 specifically for health information-- again recognizing an opt-in standard. And we are currently at work drafting the model regs which we will urge our colleagues across the country to implement in compliance with the Gramm-Leach-Bliley regs which again have an opt-in standard for health information.

Frankly, it's probably preferable if Congress acts on this measure because that is a way to ensure that that standard is in place simultaneously around the country and doesn't need to wait on a state-by-state implementation of the regulatory framework, but it's that framework that we're here to urge you to move forward on.

We do have an accelerated timetable for finalizing our reg. As you know, the federal regs were not final until mid-May of this year. We wanted to wait and see the framework of the final financial federal regs before we moved ahead. But we hope to have the final draft of the regulation for insurers ready by September so states can move either with their own regulatory authority or in next year's legislature to put these in place.

As has already been discussed, a lot of what is in your bill does mirror the HHS regs but given the jurisdiction of Health and Human Services a lot of entities who collect and hold sensitive financial information will not be covered by the regulations which at the earliest I think are scheduled to be effective December of 2002. So we're still a long way from seeing some sort of standard on health privacy regs.

Having said that, Mr. Chair, the insurance commissioners across this country look forward to working with this committee on this very important issue. We applaud separating health information, having an opt-in standard for health information and urge you to move forward.

REP. LEACH: Well, thank you very much, Ms. Sebelius.

Mrs. Roukema.

REP. ROUKEMA: Mr. Chairman, I'm going to reserve my time. Thank you.

REP. LEACH: Mr. Ryun.

REP. RYUN: If I may, I'd like to ask a question related to your testimony. You apparently, you share a very disturbing story with regard to a company that apparently shares a claimant's, if you will, prescription information with a pharmaceutical company and then it tried to market those particular products to the customer's physician. Now how often does this happen? I mean, is this simply an isolated situation or is it rather frequent?

MS. SEBELIUS: Frankly, Congressman Ryun, I can't enumerate the number of times I'd chaired the Privacy Working Group that drafted our 1998 model, and that testimony was part of the hearing process that came forward. We heard a number of very disturbing pieces of testimony where bits of medical information were revealed, clearly not by the consumer but by some entity collecting it. I know that in my own situation and I've had a gentleman in Atchison come up to me after a speech I gave on medical privacy to say that he was terribly concerned because he just finished a series of tests which resulted in his diagnosis as an adult onset diabetic, and within about a week of that confirmation by the medical clinic he began receiving bulb serrated syringe mailings, insulin alternative products, a variety of information, and as he said to me, I didn't put a bumper sticker on my car, I didn't put a sign in my yard saying "guess what, I'm a diabetic," I didn't take an ad out in the Atchison Globe, but somebody in that chain of events did release my information, and I'm now seeing ads as a marketing tool. He was quite unhappy with that. And unfortunately I think it happens more than we would like, but I can't quantify around the country how many times it's going on.

REP. RYUN: What we're advocating here, do you think that it would in this situation help solve part of this problem, or--

MS. SEBELIUS: I think it would help greatly. As has already been raised by earlier questions to the assistant Treasury secretary, the combination of this bill which is aimed at financial institutions and I think the currently pending Health and Human Services regulations which covers a broader scope of health plans and providers and hospitals and medical information I think create a pretty substantial umbrella for those who are collecting and holding financial information to prohibit its sharing without specific consumer consent.

Having said that, I think that our draft model, and certain we would urge the committee when regulations would be drafted, create large business exemptions. We recognize that insurers, for instance, need to process health information on a regular basis to pay Work Comp claims, to analyze PIP auto carrier to underwrite a product, and those were recognized within the regulations that we would put forward.

It doesn't impede the business of insurance, but it does preclude you from sharing it, selling it, marketing it for other reasons without the consumer saying it's okay to do so.

REP. RYUN: Thank you. Mr. Chair, thank you.

REP. LEACH: Thank the gentleman.

John.

REP. LAFALCE: Thank you very much.

Ms. Sebelius, I was discussing with the chairman earlier privately the importance of trying to find the appropriate role for both the federal and the state governments in so many different issues with respect to bank charters, to charters of credit unions, et cetera; and one of the areas that we're going to have to grapple with in the future is the appropriate role of federal legislation as opposed to state legislation in protecting privacy. Do you think as a starting point philosophically that federal law should, A, be preempted of the states or, B, just establish minimal standards but not preclude the states from adopting their own additional consumer standards?

MS. SEBELIUS: Congressman, the Association that I'm here to represent and my own personal view are that the kind of federal floor issue, particularly in this area, is very appropriate. As you know, state law is--

REP. LAFALCE: But when you "federal floor" then I think you mean it should not be preemptive; is that correct?

MS. SEBELIUS: That is correct, and the way I understand at least the overall framework of Gramm-Leach-Bliley, particularly in the privacy areas, it does recognize the opportunity for states to be more consumer-friendly, more restrictive. States have over the course of 50 years developed various kinds of health privacy standards often tied to some very specific kinds of laws in place, certain kind of Work Comp systems which are tracked, medical tests which are done in a certain state.

While I think we have said consistently in the past we think there is a clear role for Congress, we think it's appropriate to have national privacy standards governing national definition, governing a large area of this, our caution about blanket preemption, particularly in the privacy arena, is the unintended consequences, the various kind of particular state laws which could be wiped out and put consumers actually steps behind where they are right now. So we're very cautious about blanket preemptions.

Having said that, I think we would encourage moving forward with broad guidelines that are nationally implemented, nationally known. I don't want to go skiing in Colorado and have a different set of record-keeping for my medical records there than in Kansas. I don't think that serves the consumer well. It certainly is very difficult for an industry to operate under.

So there are major areas I think to set standards and say, these should be nationalized, are very appropriate.

REP. LAFALCE: Very good. I think that's basically the approach we took last year in Financial Services Modernization, and I think that's the approach both that the chairman and I have taken in our respective bills further addressing the issue. Now you mentioned that the NAIC has come up with some model standards, model legislation, and you've pointed out the similarities between the model legislation you've come up with and the bill introduced by the chairman dealing with the issue of medical privacy.

My first question is, did your model standards only deal with the issue of medical privacy, or did you consider other issues?

MS. SEBELIUS: The bill, we attached two pieces of model legislation to I think the written comments, Congressman LaFalce. The 1998 model which is attached specifically dealt with health information privacy and kind of recognized a need to carve out that area. The earlier model which I think was 1980 dealt with across-the-board information kept by insurers, and it also had a --

REP. LAFALCE: That was 1980.

MS. SEBELIUS: '80. It had an opt-in standard for nonaffiliates to receive any kind of information-- financial or health collected by insurers. So we've sort of dealt with both areas. But the 1998, the newest area, was very specifically dealing with health and lots of detail.

REP. LAFALCE: Has the NAIC reconsidered its 1980 and adopted a new, or have you just not gone back? That's two decades ago, and there were a few advances in technology and electronics and market usage in the past two decades.

MS. SEBELIUS: Right now we are in the process of trying to comply with the mandate to develop regulations as functional insurers to apply privacy regulations for insurance companies across the country. We are developing a model reg, and frankly we're doing that in two phases. The first is what's underway right now and hopefully will be completed by September, which is an interim reg which we actually drafted with a sunset clause on it and have attempted to mirror on the financial side the standards that are in Gramm-Leach-Bliley, no disclosure among affiliates and an opt-out for nonaffiliates with the exception of health information where we are drafting a more stringent standard.

I will share with you that there are a number of colleagues of mine who feel very strongly that we should revisit even those earlier standards for financial entities, that those are not strong enough and are not protective enough of consumer interests on the financial side. And we see that as phase II.

REP. LAFALCE: All right. Well, I think it would be eventually helpful if we kept in close touch on these developments because we could both gain. Now if I could go back though. You addressed similarities between your 1998 standard and 4580, and there are similarities between that, the bill that I introduced working in concert with the administration. But Mr. Gensler also pointed out some concerns. One of them was scope-- it just didn't deal with other issues. But aside from scope and not dealing with other issues, there was some particular difficulties that I think can be addressed.

Are there any dissimilarities between your model standards and 4580 that you think we should address? And particularly, what about the dissimilarities that Mr. Gensler pointed out in particular?

MS. SEBELIUS: Excuse me.

REP. LAFALCE: Surely.

MS. SEBELIUS: (pause) I don't want to mis-speak because I'm not as familiar as I should be with all the details of 4585, but I think that there really aren't any inconsistencies. In fact, when we saw the draft of the bill our privacy model, I think, could be good regulations to implement the bill that's before you.

REP. LAFALCE: What I would ask then is, do you think you could, in writing, make comments on the specific details that Assistant Secretary Gensler had with 4580, okay?

MS. SEBELIUS: Sure. I'd be glad to.

REP. LAFALCE: Thank you. Thank you, Mr. Chair.

REP. LEACH: Mr. Bentsen, do you seek recognition?

REP. BIGGERT: Thank you, Mr. Chairman. I think you have one on your side down there.

REP. LEACH: Oh, Judy. Ms. Biggert. Yes, please.

REP. BIGGERT: Thank you, Mr. Bentsen. Thank you, Mr. Chairman. You mentioned several times the Workers Compensation and the auto insurance issue which I had asked before.

Do you think there needs to be something put into this bill to clarify that issue?

MS. SEBELIUS: Congresswoman, I think that as I read this there is nothing inconsistent in here with having a regulation that would give the kind of-- I think you're going to need very specific business exemptions, and as part of what is contained in our privacy model which is attached we really tried, again from the insurance side, to think through carefully what are the areas that insurers, both property, casualty and health, are involved in that need to share health information.

So I think it could be addressed in the regulations. I think it would need to be addressed in the regulations and perhaps some notice in the bill to do that, to not impede the business of insurance specifically, would be a good notice in the overall bill. But I don't think it's, the draft of the bill I don't think is inconsistent with providing those various business exemptions.

REP. BIGGERT: The other issue that was discussed earlier was the state guarantee funds and how they operate. Could you explain that a little bit to me and then, whether there should be some clarification as to that in this bill also?

MS. SEBELIUS: I think that again they would be covered in a broad business exemption. I'm not quite sure, and I know that that is part of the ACLI testimony, exactly what it is in terms of the health arena that a guarantee fund would receive that would be prohibited by this. But certainly if there would be some impeding of the work of the guarantee fund and as you all probably know the guarantee funds pay are assessed and pay for claims left by an insolvent company. So it's typically financial information which is gathered and exchanged. But perhaps the ACLI could explain. I mean, if this would somehow impede that flow of information, we would certainly not favor that. And I think it could be easily provided for by an additional business exemption.

REP. BIGGERT: Thank you. Maybe just briefly also if I have some time left, do you think that the, could you just tell what are the real benefits for consumers? Are they heightened or are they lessened? And how does this really benefit the single consumer?

MS. SEBELIUS: Well, I think most people believe that their personal health history is probably the most sensitive personal information they have, and it seems to me that financial institutions actually may be enhanced with a role with consumers that they feel they are in a trusted position, that the information they give to get a life insurance policy or pay in on a claim or get payment under Work Comp system is not going to be marketed to their disadvantage. It's not going to be shared and won't be used by a mortgage banker to not give them a home loan if they have some sort of chronic condition. I mean, I think consumer confidence is key to any commercial dealings, and assuring consumers that this information is personal and private, it is protected, it needs to be exchanged for the commerce of doing the business of insurance and other financial entities, but it's not going to end up being used against them. It's not going to be something that will keep them from getting a home, getting a loan, driving a car, you know, operating in the normal business of their workday.

And I think that goes to the general good, and given the ease of collection and transfer of information I think it's even more critical that the rules be clear at the outset that consumers know what is and is not going to happen to the information they give and have some regulatory authority who's making sure that the companies follow those rules.

REP. LEACH: Mr. Bentsen.

REP. BENTSEN: Thank you, Mr. Chairman. I still remember what it was like to sit down on the lower row, so I wanted to make sure that Ms. Biggert got her time in order.

Ms. Sebelius, I want to ask you just a couple of questions. One is related to the testimony of the panel that will appear after you, and I may not be able to be here for all of their testimony, and so I would hope and expect that they might respond to the question that I'm going to pose for the record as well. And that is, in reading-- I haven't read all the testimony, but in reading some of the testimony, a number of the organizations surprisingly would oppose provisions of the Leach Bill as it relates to an opt-in requirement. They raise a, I guess a, this is my question, the reason that they raise is specifically with respect to employer-provided health benefit plans that a restrictive opt-in requirement would make it difficult for the broker or the insurance provider to make adjustments in that plan with whoever I guess the carrier may be.

In your capacity as an insurance commissioner, as a regulator, do you see that as a problem, or is the initial agreement between the employee, employer and insurance broker or underwriter with an opt-in at that point, would that be sufficient in giving the insurance carrier, broker, underwriter, whichever, the ability to make policy changes during the term of the agreement between them and the employer? Or is this a legitimate concern that these groups have?

And second of all, as far as that, they raise the question that this could become problematic between the insurance carrier, how the insurance carrier would work with a specific health care provider. I guess the example might be when you go into the emergency room and they are trying to verify your insurance coverage that there's a potential, that this could block the transfer of information that would then make the provider unwilling to provide care for some particular reason. And then I have another question after that.

MS. SEBELIUS: Again, Congressman, I think that in the employee benefit plan arena in the regs that we're attempting to put in place right now covering insurers, we recognize that it isn't until information would be shared actually outside, not to do, you know, the general course of the business of insurance-- but if you're then going to go outside that course of business that triggers the notice and the disclosure issue.

I do think that if the employee benefit area isn't specifically enough carved into this umbrella it would be relatively easy to do that, to include that in the broad business exemptions because I think it is important to conduct the business of insurance. And it is something that again I think we tried to do very carefully in that 1998 model which we came and urged Congress to look at as one of the possibilities to meet the HIPAA standards that were at that point pending.

I think in the treatment area, again the model attached to our testimony deals with all sorts of health care related issues-- when you go into an emergency room when you would need to exchange information. And what if you have an unconscious patient? How could he or she give disclosure? And you don't want to shut down the possibility that they're going to get medical treatment if they can't get their records accessed.

That area is captured, and I think very much present. The way I read HR-4585 it is sort of the 20,000 view level. It captures the major framework of what then would be implemented in specific regulations. And I think some of these issues and exemptions could, are not inconsistent with the framework. They would just need to be crafted into the regulations to make sure that you don't impede medical treatment. You don't want to impede research issues. There are broad exemptions I think needed for the research community to make sure you don't grind that to a halt by having too stringent rules on disclosure, nondisclosure for the business of insurance. But I don't think those are inconsistent with the notion that you're not going to sell, market or share this information outside of doing some very specific issues.

REP. BENTSEN: So with the chairman's indulgence, properly crafted an opt-in-- an opt-in could be properly crafted that would not impede the functioning of the insurance agent or broker, underwriter, you believe, and still provide this protection?

MS. SEBELIUS: We believe that that is true, and actually that's what we're going to advocate that our colleagues adopt as the standard for the insurance regulations which would meet the Gramm-Leach-Bliley mandate.

REP. BENTSEN: And as I said, I'm going to have to leave in a little bit. I did have one other quick question, Madam Chair, but I would hope and expect that the other panel would address that issue when they testify but--

MS. SEBELIUS: They've been addressing me for the last four days.

REP. BENTSEN: I'm sure--

MS. SEBELIUS: Both in personal, so I'm sure we'll go on.

REP. BENTSEN: They'll be addressing us as well. The other thing, you said in response to Mr. LaFalce I think it was, the concern about a patchwork of state rules with respect to medical privacy protection. Am I to understand that you would favor a federal preemption of some sort or a uniform federal standard as it relates to privacy rules? And that would be somewhat contrary to what we did in Gramm-Leach-Bliley.

MS. SEBELIUS: Congressman Bentsen, I think that what I was trying to say, we testified in the period that the Kassebaum-Kennedy Bill would have mandated federal privacy action by August of '99, that we urged Congress to move ahead and gave as part of that testimony what we thought would be a framework that at least would work well for insurers, which was the privacy model attached. We have participated actively in the comments on the HHS regs which are pending which eventually will at least be in place for a portion of the industry that I'm familiar with, that whole sensitive health information but not the entire industry.

I think it is appropriate that we have broad federal standards in place simultaneously around the country with the same kind of definitions and the same kind of protections for most of the areas of privacy. The reason I have the caveat that I do is that there are literally thousands and thousands of state laws which have been in place for half a century which have to do often with very particular kinds of state collections, databanks, Work Comp systems, special tests. I mean, in Kansas we do a special test for hearing of infants that is not nationally promulgated but it's done specifically.

By wiping out in one fell swoop all of the state privacy laws which are in place in statutes I think could have some serious unintended consequences for consumers, and that's what we're concerned about. I think defining broadly an area that you would preempt laws, outlining it saying that the federal rules would be in place, makes sense. But you need to be very cautious about what else you're wiping out in state statutes.

REP. BENTSEN: Thank you, Madam Chair.

REP. ROUKEMA: Thank you. I do have a question, and that is, this bill, the chairman's bill, singles out for particular protection information relating to mental health and/or mental condition. And it requires a separate and specific customer consent for disclosing such information. Now, there is at least one other group or maybe others on the next panel that states in its testimony that a separate consent requirement for mental health information is not needed. I don't believe that you address this directly in your testimony, but I have a special interest in this concern. And of course on the next panel we will also be having the American Psychiatric Association giving its own testimony.

But I would appreciate having your input and your perspective on this particular question. Should there be a specific separation, or I believe there should be a specific customer consent as required in the bill. Could you please express yourself on the subject?

MS. SEBELIUS: I'm not sure I'm able to give you a very complete answer on that. I can tell you that at least, our old models and the current regulations which are in place do not have specifically enhanced standards for mental health. And as far as I know, that was not a topic that was either addressed and rejected or accepted during the course of that process. I would just suggest I think there could be other groups who come and say, this sort of condition or illness may be equally--

REP. ROUKEMA: But you're saying that your group has not specifically addressed that?

MS. SEBELIUS: We did not, no, and so I'm not really able--

REP. ROUKEMA: Can you explain in any way, even from your own perspective, how you could possibly separate one health issue from another?

MS. SEBELIUS: Well, the only-- the chairman may be better able to answer that. The only issue that I am aware of and quite sensitive to is that there is a strong belief that mental health treatment carries with it such an extraordinary stigma that seeking treatment, seeking information about treatment in and of itself may deter people from getting the help they need. And so having additional protection attached to confidentiality in that area actually may propel people to get much-needed help and treatment. And that makes sense to me.

REP. ROUKEMA: Thank you. I appreciate that. Mr. Chairman, I've concluded my question. I appreciate your answer.

REP. LEACH: Well, we have no further questions. I want to thank you very much.

MS. SEBELIUS: Well, thank you, and we do look forward to continuing to work with the committee on this very critical issue. Thank you.

REP. LEACH: Thank you.

(Panel III prepares to testify.)

REP. LEACH: Our third panel is composed of Mr. Richard K. Harding who's the president elect of the American Psychiatric Association and vice chair of Clinical Affairs and professor of Psychiatrics and Pediatrics at the University of South Carolina School of Medicine. Our former colleague Mr. Steve Bartlett who's president of the Financial Services Roundtable. Mr. Don Brain who's president of Lockton and Benefit Company of Kansas City, Missouri on behalf of the Independent Insurance Agents of America. Mr. Robert H. Rheel, senior vice president, Fireman's Fund, on behalf of American Insurance Association. Mr. Edward L. Yingling, deputy executive vice president of American Bankers Association. And Robbie Meyer, senior counsel, American Council on Life Insurance.

We'll begin with the order of introduction, and let me welcome Professor Harding. Please.

MR. RICHARD K. HARDING: Thank you, Chairman Leach and Ranking Member LaFalce and Mrs. Roukema and other members of the committee for this opportunity to testify.

In addition to being at the University of South Carolina, I also serve on the National Committee on Vital and Health Statistics which advises the U.S. Secretary of HHS on medical privacy and medical information issues, but I am here today testifying as president elect of the American Psychiatric Association.

We now face what a bipartisan national panel of experts called a "privacy health crisis." Many of us would say that this represents somewhat of an understatement. As many of you saw probably a month or so ago on the newsstands, a magazine that said "we know everything about you." We live today in the 21st century cyberspace high-definition financial and health care system, but we also live with medical privacy laws that are more along the line of the bygone black and white television era of Marcus Welby, MD. While there are some very good corporate citizens who are voluntarily protecting patient privacy, such actions cannot substitute for statutory protections to ensure that all patients will enjoy needed confidentiality protections.

Your efforts, Mr. Chairman, as well as those of the Clinton administration and Mr. LaFalce to add needed privacy protections to the Financial Services Modernization Act are critically important first steps, and we strongly urge that you and your colleagues come together on a bipartisan basis and pass legislation to add privacy protections to the Financial Modernization Law.

As we consider this issue today, I hope that each and every one of us in the room will think not only of the public policy issues involved but also in terms of our own medical records and those of our family members.

Medical records contain the most sensitive information about ourselves and our families and as dedicated individuals in the financial services are I can assure you that as a patient I want to make the choice myself as to whether my medical information is disclosed and want the same thing for my family. The decision should not be made for us by a financial institution, insurance company or a bank's mortgage lender. Disclosures of certain medical records information can jeopardize my career, our careers, our friendships, marriages and even our health.

How, you might ask, can Financial Modernization Law affect medical privacy? Simply put, under the 1999 financial law insurers, including health, life insurers can easily merge with banks and other financial companies. As a result, in these large, new holding companies it is easy for any one of these entities to disclose medical records information to a corporate affiliate such as a life insurance company, bank, mortgage lender or credit card issuer.

While I have no doubt that the new law will produce many benefits, we cannot ignore these privacy issues. In addition, the importance of privacy and consumer transactions and in our personal and professional lives, patient privacy is needed for physicians to provide the highest quality of care. It is often forgotten that the doctor/patient confidentiality is an essential element for effective medical treatment. Without this high level of patient trust, many people will be deterred from seeking needed health care and for making a full and frank disclosure of information needed for this treatment.

This is particularly true in psychiatric care. In 1996 the Supreme Court in Jaffee versus Redmond decision, mental health information was decided to be so sensitive that additional privacy protections are needed for psychiatric treatment. The court held that, quote, "Effective psychotherapy depends upon the atmosphere of confidence and trust. For this reason, the mere possibility of disclosure may impede the development of confidential relationship necessary for successful treatment."

We also were pleased with the 1999 U.S. Surgeon General's report on mental health research, and he reached a similar conclusion.

HR-4585 establishes a key principle for protecting the medical records held by financial services companies. The legislation would create a general rule allowing patients to choose if their medical records will be disclosed to an affiliate company or nonaffiliated third parties. In these cases, companies would need the express written consent of the patient before disclosing medical records.

We strongly support this patient consent rule. I am equally enthusiastic about the bill's general rule ensuring the patient's mental health records not be disclosed without the patient's separate and specific consent. I do believe there needs to be further discussion on the provisions implementing these general rules. No one wants the exceptions to the rule to swallow the rule. Yet as currently drafted, do these provisions ensure that in the routine course of business patient consent will be voluntary and noncoerced? This remains unclear.

Likewise, the secretary is now given new authority to create additional exceptions. We look forward to working on these issues with you and your staff so that the consumers in the real world enjoy meaningful new protections. Thank you for this opportunity to testify.

REP. LEACH: Thank you very much, Professor Harding.

Congressman Bartlett.

MR. STEVE BARTLETT: Mr. Chairman and Madam Chair, members of the committee, I appreciate the chance to be here. The Financial Services Roundtable, as you know, is a national association of 100 of the nation's largest integrated financial services firms, and as such our member companies engage in banking, securities, insurance, and other financial services activity.

Mr. Chairman, I'm here to support your legislation, the purpose of the legislation, and to encourage you in this process. The Roundtable believes that protecting the confidentiality of health information that is in the possession of a financial institution is a matter that merits uniform, a national policy. We supported similar legislation within Gramm-Leach-Bliley last year. We were disappointed when that legislation was deleted, and for reasons which we don't understand. And Mr. Chairman, we commend you on your leadership and consistency in promoting medical privacy.

We support that legislation today, and we would support it in the future if it comes up in the future.

I want to say at the outset of this statement, that the member companies that I represent insofar as I know most providers of financial services do not use or disclose health information derived from their customers other than for medical reasons or as otherwise intended by their customers. In other words, this issue is at best a potential loophole in our privacy laws, but it has quite a high emotional impact, and so even as a potential loophole we believe it ought to be closed.

Mr. Chairman, overall the members of the Roundtable believe that on the overall issue of sharing of information that the sharing of consumer information in general with affiliates and third parties can and generally does benefit the consumers of financial services. Information sharing between affiliates can permit and with outside third parties can permit an integrated firm to structure products and services that meet a customer's specific needs. We support, therefore, Gramm-Leach-Bliley's privacy protections because it provides for both the consumer benefits from appropriate information sharing as well as protecting customer confidence.

However, we think that medical privacy is a whole different category, that medical information is in a separate category and ought to be dealt with in a much stricter fashion in which the information should only be used for medical purposes as it was intended. We believe that medical institutions already have an obligation to maintain the confidentiality of medical records. That is an industry practice, and we think it's covered by a myriad of state laws, regulations, various voluntary industry practices and court cases, and we think that what is called for here is a uniform national policy.

Mr. Chairman, having expressed my support for the bill in its proposed form as well as in its purpose, the bill is not without some details that I believe need some change. We have worked with our member companies of all kinds of financial institutions, and we cite in our testimony a number of changes, some of which are highly significant that I would put in the "must change" category for this legislation to work.

Number one is in Gramm-Leach-Bliley there are uniform exceptions to the confidentiality, and we think that those exceptions ought to be mirrored in medical privacy. First and probably most important and the one most significant part of this whole legislation as it's currently drafted is that the bill as drafted would not allow an insurance firm to share information with an insurance rating advisory organization or a state insurance guarantee fund. If such information cannot be shared freely with the rating organizations then the establishing of rates is not going to be possible.

Now, Mr. Chairman, perhaps there are some that believe that we ought to eliminate rating of insurance and have one giant pool of 270 million Americans. I don't think that would be the intent of Congress. I don't think that would be the view of the majority of the American people. But if there's legislation to do that, we ought to have legislation that does that and not do it in a back-door way through some other topic.

Second, the Gramm-Leach-Bliley provides other exceptions for the sharing of information with service providers which ought to continue in this legislation and in other GLB exceptions. Mr. Chairman, we also believe that the consumer's access to correct their information has some ways in which as I suggest in my written testimony in which it can be drafted in a way that is more beneficial to consumers.

Next is believe, and we've looked at the mental health provision. We think it is, we appreciate the intent of the mental health provision, but Mr. Chairman I have to say that we believe that this legislation is near absolute prohibition of the use of medical information either physical or mental for uses that it wasn't intended for. We think that prohibition ought to apply equally to heart, lung or mind, and there's no particular reason that it ought to be separate.

Last, Mr. Chairman, I would say that we strongly believe there is a need for a national standard. Every state has a different law. There are multiple laws in different states.

Only two states have comprehensive laws. There are 12 states that have a model law. All the others have a variety of laws, and then you have the federal regulations on top of that and court cases on top of that. We think this issue calls out for a national standard, and we would encourage you to include that in the legislation.

REP. LEACH: Thank you very much, Steve.

Mr. Brain.

MR. DON BRAIN: Thank you, Mr. Chairman, members of the committee. My name is Don Brain. I'm president of Lock (sp) and Benefit Group. We're the 11th largest employee benefits consulting and brokerage firm in the country. And the nearly 2,000 employees of Lock and Benefit Group administer and work with clients all over the United States in their employee benefit programs. Today I'm appearing on behalf of the insurance agents and brokers, the nearly 1 million men and women who work in every part of the United States. These professionals are represented by the Independent Insurance Agents of America, IIAA; the National Association of Insurance and Financial Advisors formerly known as the National Association of Life Underwriters; and the National Association of Professional Insurance Agents, PIA.

I serve as the IIAA's Governmental Affairs Committee member, the health care liaison to that committee. In addition to my role at Lock and Benefit Group many of my associates are members of NAIFA and the Association of Health Insurance Advisors. NAIFA's conference is devoted exclusively to health insurance and benefits issues. All three associations represent health insurance professionals all over the country.

The associations that I'm appearing on behalf of commend you for your leadership in bringing HR-4585, the Medical Privacy Act, to this testimony today. We appreciate your holding this hearing and allowing us to testify on behalf of this legislation. Perhaps no more important topic today in politics than the privacy of information, particularly medical information. At the outset, we appreciate your leadership in this area, and we appreciate your sensitivity in working with all three associations in their concerns to protect consumer's privacy regarding their medical histories.

The primary message that I want to relate today is that we want to work with you and Ranking Member LaFalce in making sure that this bill becomes the law of the land. The insurance agents fully support the overarching objective to protect individual sensitive health information and your approach to achieving that objective. At the same time, insurance agents need to share information that they receive in the normal course of business with health care providers in order to provide high level of service and the employee benefits that health care that we all want and need.

Indeed, the vast majority of small businesses in the United States cannot afford separate health benefits administration services or human resource services and rely on agents to fill those roles for their businesses. From our perspective, the only clarification that's necessary to ensure that the ongoing administration of employer sponsored health benefit programs and Workers Compensation programs is not disrupted in any way is to specifically provide that this information obtained in conjunction with the administration of these plans is not used for any purpose other than administration or securing information on a replacement plan.

Historically, the agent system has worked, has been the principal method of distribution for the life and health industry in the United States. Agents have been the essential link between the consumers and the insurance company providing services and products while educating consumers in how to manage risks and how to make informed choices about insurance purposes.

Dramatic increases in health costs over the last decade have caused the agent's role to become even more important as part of the health equation. Agents fill roles in helping clients evaluate programs, educating them about information they need to make informed decision, often making specific recommendations on programs that are designed to fill their needs and fit their budgets.

We work with clients to ensure that accurate and complete information is available to secure the lowest possible premiums on their behalf in the marketplace. We keep in touch with them constantly to review and update periodic information and assist them in compliance requirements. We also review claims information and serve as ombudsman in their dealing and their associates' dealings with insurance companies. We assist business owners in communicating benefit packages to their employees.

At the outset, IIAA, NAIFA and PIA share the overarching concern about confidentiality of medical information. Although HR-4585 would help ensure that these confidentiality objectives are met, it must be clarified to make clear that these restrictions are not intended to interfere with the provision of employer-sponsored group health plans or Workers Compensation programs in any way.

Without these clarifications that we have requested, the legislation would thus undoubtedly serve to both increase the cost of providing health care and reduce the number of options that employers would be able to consider. This would greatly undermine the level of care that many Americans are able to receive, and it would likely lead to a tremendous expansion in the cost of un- or under-insured Americans.

In addition, many employers whose rates are established based on claims information rely on agents' review of the accuracy of the financial reports generated by third-party administrators and insurance companies to ensure that their claims information is accurately reported. Thank you.

REP. LEACH: Thank you very much, Mr. Brain.

Mr. Rheel.

MR. ROBERT H. RHEEL: Thank you, Mr. Chairman and members of the committee for the opportunity to present Fireman's Fund testimony on behalf of the American Insurance Association on HR-4585. It is my privilege to appear before the committee, and I hope my testimony will provide you with helpful information as you move forward with this bill. I sit before you today not as an attorney or a regular member of an individual who comes through this great capitol of ours to testify on behalf of bills. In fact this is my first time I've physically been in the Capitol and I look forward to future visits.

Instead, my profession, my trade is a business leader serving the needs of consumers. I'd like to share with you today my perception and our perception of what this bill means to the services to consumers as respect to Workers Compensation insurance. We all agree that medical privacy is an important issue for consumers and for those financial institutions that hold that information. However, I urge you to take due consideration on the unintentional harm to consumers and other groups that you're seeking to protect.

It is our belief that the broad sweeping changes could have negative impacts to consumers and other groups with respect to Workers Compensation. In particular, if we look at the basic objectives of Workers Compensation which is to provide no-fault benefits to injured employees, the safe workplace, returned injured employees back to productive work life, we believe this bill will prevent us from serving those needs.

Preventing legitimate share of information with employees and medical vendors and affiliates will prevent us from establishing appropriate timely payments to injured employees. We could not establish with the employer the appropriate work conditions in return to the injured employee. We could not assist doctors who are not trained in occupational medicine to address the medical injuries as it relates to occupational injuries and how to return the injured employee back to work. We could not conduct appropriate Work Comp research. Workers Compensation research is an important element of what we participate in order to improve the system for all.

We also believe we could not prevent the cost to consumers to increase from litigation, from fraud, from excess litigation as it relates to medical information and also the cost of adjustment claims would go up in respect to the undue burden of collecting additional paperwork.

Finally, to the consumer we could not provide that consumer information in the cost for insurance. Responsibility to pay premiums as relates to Workers Compensation, we could not provide them backup information with respect to that premium.

Nearly 50 percent of the cost of insurance for Workers Compensation relates to medical payments, not being able to share that information with employers would not give them the opportunity to understand the true cost.

Again, we thank you for the opportunity to testify today, and I will welcome any questions you may have.

REP. LEACH: Thank you very much.

Mr. Yingling.

MR. EDWARD L. YINGLING: Mr. Chairman, thank you for holding this hearing on medical privacy. Throughout its history, the banking industry has protected the medical information of its customers. Thus our approach is straightforward. Medical information should only be used for the purpose for which it is provided and should not be shared without the express consent of the customer. Although limited, there are instances where medical information is relevant. For example in small businesses where the franchise value of the firm hinges on one or two individuals, insurance on these individuals might be required for a loan. In these cases, the bar will know what information is required and consent to its acquisition and use. Otherwise, medical information should not be used.

On June 6, the ABA joined by the Financial Services Roundtable and the Consumer Bankers Association announced new voluntary guidelines on the appropriate use and protection of information. One of the most important guidelines relates to medical information. This guideline states, and I quote, "Medical Information will not be shared. Financial institutions recognize that when consumers provide medical information for a specific purpose they do not wish it to be used for other purposes such as for marketing or in making a credit decision. If a customer provides personal medical information to a financial institution the financial institution will not disclose the information unless authorized by the customer."

This and the other nine guidelines represent core values for our industry. Last year the ABA supported provisions on medical privacy. They were in early versions of the GLB Act. We were disappointed that this issue was not dealt with in that legislation. Therefore, the ABA supports the thrust behind HR-4585. The ABA, however, has concerns in two areas.

The first relates to process. While the broad consensus may be possible on a targeted bill on medical information, the financial services industry would be strongly opposed to opening up the privacy provisions of GLB on a broader front. The provisions of GLB need an opportunity to work. The implementing regulations are complex, and I would add that the cost of compliance will be huge. Indeed, for your information we believe that as a conservative estimate that the initial cost across all financial services firms will be in excess of $1 billion with additional costs each year.

The second concern relates to some specific provisions in the bill, particularly the subsection on consumer access to information. We find this provision, frankly, totally unworkable in the real world. We recognize it was taken in large part from the administration's bill. Under the literal language of the bill an individual-- and that individual does not even have to be a current customer of the bank-- can demand to see any medical information that might be anywhere in the financial institution no matter for what purpose it is held. To comply with such a request, the institution would have to ask employees throughout the institution if they somehow had obtained medical information about that consumer.

Well, this may not have been the intent, but it's the plain reading of the language.

Perhaps there is a misconception that financial institutions maintain one master list containing all information about a consumer. This is not the case even for small banks. Typically there are many lists developed under different circumstances or for different purposes. Moreover, information may be kept in individual employees' files, never put on any list or in any database. For example, under the bill a bank would have to go through every check written by a consumer and every credit card slip to see if they contained any medical information, a process that is not done today and a process that is antithetical to the notion of medical privacy.

In conclusion, Mr. Chairman, the ABA believes that medical information should only be used for the purpose for which it is provided. However, the ABA does have concerns about the legislative process going beyond medical privacy and about specific provisions of the bill. We hope that these concerns can be addressed by the committee, and we look forward to working with the committee to that end.

REP. LEACH: Thank you very much.

Ms. Meyer.

MS. ROBBIE MEYER: I represent the American Council of Life Insurers, the ACLI. The ACLI thanks you, Mr. Chairman, for giving us the opportunity to testify before you today in connection with the Medical Financial Privacy Protection Act, House Bill 4585. We also commend you for calling this hearing and for sponsoring this legislation.

Life, disability income and long-term care insurers are well-aware of the very unique positions and the very unique responsibility they have regarding an individual's personal medical and financial information. Toward this end, the ACLI Board of Directors has adopted a policy in relation to the confidentiality of both medical information and financial information. And our policy principles acknowledge the changing horizon on the financial marketplace. We support strict protections for medical record confidentiality. We support a prohibition on an insurer sharing medical records with a financial company such as a bank for determining eligibility for loan or credit even if the bank and the insurer are affiliates. We also support a prohibition on the sharing of medical information for marketing purposes.

Before I get into the balance of my prepared comments, however, I did want to respond to Congressman Ackerman's statement regarding our sharing of information for posting on the internet, and wanted to state unequivocally that it is a fiction to say that life insurance companies or any ACLI member companies share medical information, encrypted or otherwise, to be posted on the internet in order to decline applicants for insurance or to cause them to be declined for insurance.

The very nature of life disability income and long-term care insurance involves a very personal and very confidential relationship. However, in order for us to serve our existing and our prospective customers, it is essential for us to be able to obtain and use consumer's personal medical as well as their financial information in order to perform very legitimate essential insurance business functions.

In other words, life, disability income and long-term care insurers must be able to use medical information as well as personal financial information in order to underwrite prospective customers' applications for coverage, in order to process their claims, and in order to perform essential but related administrative functions in connection with those contracts.

It is essential for us to share and disclose information in order to fulfil legal and regulatory mandates. In other words, it is essential for us to disclose confidential information, medical information to state guarantee funds. They need to be able to have access to individually identifiable health information in order to evaluate health insurance claims that a claimant might submit in connection with an insurance company that has become insolvent. Insurance companies also need to make disclosure and to share information with state insurance departments and law enforcement agencies in order to detect and deter fraud.

Also in connection with very ordinary, basic business transactions such as reinsurance treaties or mergers and acquisitions it is also necessary for us to share our customers' information in order to effectuate those business arrangements.

As you know, Title V of the GLB Act enacted the strictest regulatory framework ever enacted into law in connection with financial records privacy, and we very much appreciate the fact that your bill, Mr. Chairman, tracks the general framework of a Title V in seeking to balance consumers' very legitimate and grave concerns about their confidentiality rights with insurers' needs to use consumers' medical as well as their financial information in order to perform legitimate insurance business functions which are necessary for us to meet American consumers' insurance needs.

However, we are concerned that the bill fails to achieve this balance, primarily because of its failure to totally track the GLB framework.

In other words, we are concerned that the bill does not include the GLB provisions dealing with the necessary sharing of information by a financial institution with a guarantee association. We are also worried about the fact that it does not include the provisions permitting financial institutions to share information with service providers, and that concern arises because many of our member companies have independent agents who are not company employees with whom they would now have difficulty or be hindered in having ordinary business communication about proposed insureds' new policies or the best policies for a particular individual under particular circumstances.

We are also concerned by the bill's broad rights or the broad rights that it grants consumers to access and correct information held by a financial institution primarily because the bill does not clearly protect from that access information that an insurer may have collected in connection with a fraud or a material misrepresentation investigation and also materials collected in preparation for litigation.

Finally, the ACLI strongly supports the concept of a federal preemption. We feel very strongly that individuals who live across the country should not have to be concerned that they have different medical records privacy protection depending upon the state in which they live.

Finally, we would like to thank you once again, Mr. Chairman, for giving us the opportunity to testify.

REP. LEACH: Thank you all very much. The testimony was very helpful, and certainly as we go forward suggestions of a specific legislative nature we'll certainly review as well.

Mrs. Roukema.

REP. ROUKEMA: Thank you, Mr. Chairman. I'm not sure that I heard with specificity the explanations as to how people or how individual groups stood on the subject of the mental health disclosure question. But I will say, putting it another way to this group as I have on other occasions to the business groups, there are certain issues that are becoming highly emotional and highly political that have the potential of creating a backlash. And I think you're all aware of this, particularly if you've been reading the press lately or if you've been reading our e-mails lately.

The potential of creating a backlash that could, and you saw some of that when we got into the controversy here on the committee with H.R. 10 and in conference on H.R. 10, and we had to pull back from some of the things.

But the point is, that if we can't come up with a definition here, a precise definition of how in this brave new world of not only instant communication but also these new holding companies and affiliate relationships, if we don't come to terms with that and get thinking minds on both sides of the issue whether it's the health care professionals or the insurance groups or the financial services together, we may end up with something that all of us are going to wring our hands over.

So I didn't hear everyone's comments, but I do have to ask my good friend Mr. Bartlett and former colleague Mr. Bartlett-- I'm sorry that I really didn't hear any specific reason as to why your group or any of the other groups might object to the mental health provision. It seems so blatantly obvious out there, and I don't know what is so objectionable to treating that as a separate entity as the chairman's bill proposes.

Mr. Bartlett, do you want to substantiate some of your general comments, or if anybody else wants to add to it, please.

MR. BARTLETT: Madam Chair, we're available to be convinced. Essentially we look at this bill not as an opt-in bill or not as an affirmative consent bill. We look at this bill as a prohibition against using medical information other than for purposes for which it was intended, and we think that same prohibition ought to apply to mental health information or to physical health information. And I took a very careful look at this because it's a new approach and this approach is talked about, and I knew it would be a hot button. We talked with our members. We couldn't identify any benefit to having a separate consent for mental health or a separate from physical health. We think that it is a prohibition against the use of information, ought to stay that way, and we couldn't see a benefit to adding a second or a double consent procedure other than adding paperwork and consumer confusion. We couldn't find anything that someone would want to consent on for mental health information that they wouldn't consent with for physical health information.

We could be convinced. I just, we couldn't find any reason to do it.

REP. ROUKEMA: We're going to have to convince you I think. But no, I think the woman on the previous panel, I'm sorry her name escapes me right at the moment, but in answer to my question did say that the insurance group didn't have an official position but in her own opinion she thought there was a reason for a separating. Dr. Harding, do you want to comment? I'm sorry. I'm talking about Kathleen Sebelius, the commissioner of Insurance in Kansas. Dr. Harding, do you want to amplify on your own position in response to what's been stated on this panel?

MR. HARDING: Yes, ma'am. Only that in an ideal world allergies and psychosis would be handled the same, and that that certainly would be the goal of all of us, but in the real world because of prejudices or stigma or whatever you call it, certain illnesses have a higher sensitivity than others, and until we overcome that societal prejudice or stigma we're going to have to look out for special circumstances within the medical field that needs special sensitivity protections. But hopefully and some day we'll have that where it will all be the same.

REP. ROUKEMA: All right, thank you. I appreciate that, and I just hold out the hand of cooperation here because, again, I want to avoid a kind of backlash that's going to force us into some very untenable positions in the near future, and we have no secret that there's an election coming up and there's all kinds of ideological or demagogic positions that can be stated on these highly sensitive issues, and I'd like to work with everyone on this and come to an intelligent and reasoned conclusions. Thank you. Thank you, Mr. Chairman.

REP. LEACH: Thank you, Marge. John. Gary. Mr. Ackerman? Do you have any questions?

REP. ACKERMAN: Yes. Thank you very much, Mr. Chairman. I'm sorry I was out of the room. I'm at two hearings at the same time. But I understand that Ms. Meyer made reference to the question that I raised with the first panel, and if I'm not mistaken what I've been advised is you've categorically denied that any such system exists whatsoever whereby the insurance companies, some insurance companies, at least one insurance company, does not reveal to a prospective person who's had their medical exam what the results of that exam is if it's medical claiming that they've paid for the exam and therefore it's not the property of the consumer-- turns the person down for insurance and then posts on the computer for all agents to know not to rewrite the policy of that person because he tested positive for AIDS and the person does not know that. In this particular case, the person died.

MS. MEYER: If that happened, that would be absolutely positively contrary to ACLI policy and that of our member companies. We do not

REP. ACKERMAN: In that case, would you reverse your policy and support the legislation I tried to introduce that would prevent that from happening?

MS. MEYER: I'm sorry. I'm not familiar with your legislation. But we would be delighted to take a look at it and --

REP. ACKERMAN: It will be my intent, Mr. Chairman, to offer a, hopefully, friendly and humane amendment that would say that if an insurance company, albeit their physician who pays for the cost of a person's exam and that person is turned down that that person is entitled to know why he was turned down.

MS. MEYER: We absolutely agree that if someone is declined for insurance coverage that they are entitled to know the reason why. A requirement to get that information actually is in the law in 16 or 18 states, and the states that have enacted the old NAIC model on privacy, the ACLI has supported that model for decades.

REP. ACKERMAN: The reason for declining support was given as it would be too expensive to notify all these people about their illnesses that caused them to be turned down for insurance, albeit this one was a certainly life-threatening and life-taking incident. So you're saying that you would be supportive?

MS. MEYER: As always as an attorney I would want to have to look at the words, but we are absolutely strongly in support of an individual being informed of the reasons for any adverse underwriting action taken by an insurance company.

REP. ACKERMAN: Would you be willing to cooperate with us in our determination as whether or not it was posted on the computer system that this particular person when his existing insurance was up should not be rewritten if he was late in payment?

MS. MEYER: Yes. This sounds like a fascinating case. A life insurance policy once it has been issued cannot be cancelled for any reason except for nonpayment of insurance claims. The only thing that can happen with a life insurance policy is that premiums can actually be decreased if an individual becomes more healthy after they've had a policy in effect since--

REP. ACKERMAN: The inference here is that it was posted so that if this person's premium was due on the 4th and it arrived on the 5th he was to have his insurance declined for late payment and should not be extended the courtesy because of the specific reasons.

MS. MEYER: We would be delighted to sit down with you and see what has happened here. This sounds like a horrible situation, and we're delighted to --

REP. ACKERMAN: It is, and when we get into computers and people's very private information and who has control over it. And I thank the chairman for allowing this line of questions.

REP. LEACH: Thank you, Gary. Well, let me thank the panel, and we appreciate very much their testimony, and we hope to work with them. Excuse me. Mrs. Biggert. I keep overlooking you. I am very, very sorry. I apologize.

REP. BIGGERT: Thank you. I'm still here. At least I'm not at the kiddy table, but I am in the front row. So. I do have a couple questions if I might.

REP. LEACH: Please.

REP. BIGGERT: Thank you.

REP. LEACH: And feel free to take extra time.

(Laughter.)

REP. BIGGERT: Thank you. Mr. Rheel, based on your professional experience in the insurance business, do you know of any instances of abuse by the insurance companies or their business partners of any access to health information at the current time?

MR. RHEEL: I am not aware of any abuse as it relates to information held by insurance companies. And we take very seriously the information that we have in our records and do not freely release the information to any unrelated to the transaction or for a need of the information to any third party.

REP. BIGGERT: Can you tell me what the practice of and when would insurance companies require health information when considering an application for insurance?

MR. RHEEL: From a property and casualty standpoint, medical information that we seek is generally aggregate information not pertaining to an individual employee or to the consumer. We make decisions based on information in the aggregate levels from a property and casualty standpoint. And that's my field of expertise in that area. Our underwriting is based on risk conditions not employee conditions as it relates to the individual employee or to the consumer themselves.

REP. BIGGERT: I think I'm through but if I could ask Dr. Harding, are doctors and psychiatrists required by law to protect patient's medical records? So how do these records get transferred to the third party such as an insurance company?

MR. HARDING: Insurance companies often ask for details of medical care as part of the payment for those. If there's a third party involved between a physician and a patient and an insurance company. So they ask for varying amounts of information from the physician with the consent of the patient for means of payment. So they then receive from me in my case information, the smallest amount that I can get away with giving them actually, information that they will then use to determine if the treatment was appropriate and whether they should pay the amount of money that I ask them to. That's how they obtain it originally, although in a hospital setting it's a little different, but it's usually with the consent of the patient that it goes to the insurance company.

REP. BIGGERT: So really if someone had no insurance then there probably would be not any, for example a bank that would not have access to any --

MR. HARDING: Oh, but I think that's where we start getting into some interesting areas because for instance if a patient came in to see me and paid cash, didn't have insurance, and I gave them a prescription, they went down to their local pharmacy, handed in the prescription and paid that prescription with a Visa card, all of a sudden the record of what they bought would be in the financial system. Now, it doesn't take a rocket scientist to know that if that prescription is for Prozac, that might be a psychotropic medication that many people are aware of and that would start a process that potentially has concerns for that patient's medical privacy and which was not intended by any means but is part of a financial system.

REP. BIGGERT: Mr. Bartlett, you look like you might want to say something.

MR. BARTLETT: Congresswoman, technically or potentially as I said in my testimony, potentially that could be true, but in reality it is not. No financial institutions collect this sort of information. We believe they are prohibited by all manner of laws, court cases and regulations from collecting it. No financial institution uses such information or even collects it. So while this is a good legislation to close a potential loophole, but I do want the record to reflect that such a situation so far as I can tell doesn't happen. It's not likely to happen, and this legislation would help to prohibit such a thing from happening, but it doesn't happen today and wouldn't happen in the future I don't believe.

REP. BIGGERT: And you also said in your testimony that the issue of including

REP. LAFALCE: The issue of including an exception for sharing medical information to permit joint marketing of products, what is a joint marketing of products?

MR. BARTLETT: I added several exceptions. Exceptions tracked GLB which had some quite good exceptions. The most important exception was for ratings and for state guarantee funds that had been testified here. We think that's absolutely essential. Otherwise, you just abolish the whole system of rating pools.

In terms of joint marketing, again that was in GLB. We think there are particularly service providers, independent agents that need to have information as an extension of the company, and that's again using the medical information for the purposes for which it was intended, not for any other purposes. So we would encourage the committee for the purposes of the exceptions to track GLB.

And then the prohibitions is an additional and much stronger set of prohibitions of the use of the information, but the exceptions should track GLB.

REP. BIGGERT: And then just a general question.

We've been looking at this privacy issue and protecting patients' medical records, and this was put on to the GLB bill, but should we really take a look at this just as a comprehensive legislation on the subject rather than just legislation dealing only with financial institutions?

MR. BARTLETT: One of the issues facing this committee is the complexity of products. Now in a new brave world as we've been talking this morning about, there are many products. The impact of medical information has different issues with different products. We talked about life insurance, and field of expertise is Worker's Compensation. The impact of medical information is critical to Workers' Compensation, providing the service to the consumer. So I would urge this committee to look at the various components of the financial institution and address the issues that you're concerned about specifically, not broadly over the entire financial institution. We talked about the rating organizations, the need for information for them to create rates. Research organizations needing information to create research to improve the system.

So there is particular needs for every product, and the use of financial information, who uses it and the appropriateness of that information changes product by product.

REP. BIGGERT: So you would agree with what was maybe suggested in one of the earlier panels that we should look at Workers Compensation as perhaps an exception to this because of the opt-in provision, or opt-out? Opt-out provision.

MR. BARTLETT: I would encourage the committee to consider exceptions like Workers Compensation because of those needs. Really what we deal with in the property casualty world is third parties, third party actions. They are making their medical condition at issue. It's an issue that they're bringing claim to consumers and looking to their financial institution. This gets insurance companies to protect them. In order to do our responsibility to protect those consumers we need that information, and as standard practice we provide that information to medical vendors who provide expertise back to the process to ensure that we're providing the best care to injured employees and also the best services to our consumers.

REP. BIGGERT: Thank you. Thank you, Mr. Chairman, for your indulgence.

REP. LEACH: Well, thank you very much, Ms. Biggert.

I would like to thank the panel. In particular I want to thank Professor Harding. The reason I say this is, you come to this table with some limitations in free speech that the rest do not have, and you might wonder why I say that. A couple of decades ago the officers of your association visited me advocating or opposing some bill on Capitol Hill. I forget what it was. And I uttered the opinion that I thought a former high-ranking public official, in fact the president, had exhibited certain signs of what I would describe as paranoia. And I asked them if they agreed with me. And they looked at each other, and the president then responded, well, it's this way, Congressman. It is inappropriate for a psychiatrist to comment on someone he hasn't examined. And if he has examined, it's inappropriate for him to comment without the person's permission. And in any regard, our licenses would be lifted if we said something exhibiting a psychiatric judgment about a public official.

So it strikes me you have First Amendment constraints that no one else in the country has, so I am particularly appreciative of your coming, but I maintain the view that this particular president was crazy.

MR. HARDING: I won't ask you which one.

REP. LEACH: But I can say that as a nontrained, nonsubtle, noninformed individual. Anyway, thank you all.

(Panel IV prepares to testify.)

REP. LEACH: Our fourth panel is composed of Nicole Beason who is the Esther Peterson fellow at the Consumers Union. A. G. Breitenstein, who is chief privacy officer of ChoosingHealth.com. Evan Hendricks, who's editor and publisher of Privacy Times. Mr. Edmund Mierzwinski, who's consumer program director of the United States Public Interest Research Group. Joy L. Pritts, who's senior counsel, Health Privacy Group of Georgetown University, and Mr. Ronald Weich who's an attorney with Zuckerman, Spaeder, Goldstein, Taylor and Kolker, LLP, on behalf of the American Civil Liberties Union.

And we'll begin with the order of introduction and begin with you, Ms. Beason.

MS. NICOLE BEASON: Mr. Chairman, Congressman LaFalce, members of the committee, my name is Nicole Beason and I am the Esther Peterson fellow at Consumers Union. As you may know, Consumers Union is a nonprofit publisher of Consumer Reports Magazine, and we are here today because we believe that protecting the consumers' medical privacy is a very important issue.

What's at stake here? Strangers knowing that at a young age you had a hernia, as a teenager you developed asthma, and now as an adult you recently had bypass surgery. You should be able to have your health checked and treated without having your privacy violated.

Consumers Union has identified certain privacy principles that we believe should be included in any legislation intended to protect consumer privacy. First, every consumer has a privacy interest in individually identifiable health information. Second, waivers of an individual's privacy interests should be made clearly and conspicuously and limited in scope to specific purposes. In fact, we have consistently advocated for an opt-in approach to the release of personal, medical, or financial information. Opt-in simply means that the institution must get the consumer's permission before sharing information about that consumer.

Third, financial institutions, health care providers, and other holders of health information have a duty to maintain the confidentiality of personal health information and should be held accountable for protecting an individual's privacy interests. Personal health information provided to a financial institution by a consumer should not be transmitted to anyone else including affiliates and third parties without the consumer's clear awareness and consent.

Consumers should generally have the right to access and ensure the accuracy of their own health information. Consumers should also have the ability to amend and correct inaccurate information. Inaccurate information could have serious consequences should a consumer consent to sharing their health information. For example, they could be denied insurance coverage because their records falsely indicate that they have a poor medical history. Therefore, mechanisms need to be implemented to ensure that consumers will be able to amend and/or correct their information.

They also need to be given notice when and a reason for why such requests for amendment and correction are denied by the financial institution. It is also important that consumers are given the identities and referred to the original creator of the inaccurate information. The Fair Credit Reporting Act can serve as a model for the regulators to use and implement this requirement. Specifically, we are concerned that one of the parties who has a vested interest in this information is not allowed to make a blanket determination as to whether the disputed information is included or shared with other parties.

The financial institution or the generator of this information should not automatically deny a consumer's request to amend and correct medical information. Therefore, a dispute process like the one used under the FCRA should be adopted.

Because HR-4585 addresses these issues, Consumers Union supports Chairman Leach's legislation with some suggestion as to strengthening this bill. There are concerns about HR-4585 that we share with other consumer advocates. The exceptions, if any, should be limited. The bill should not contain any loopholes that would allow financial institutions to share consumers' medical information contrary to the intent of this bill.

A financial institution should not be allowed to use health information about a consumer without the consumer's consent, not just for decisions regarding a loan or credit but for any product or service offered by the institution to the consumer. While it is important to focus on medical privacy, there are other components of privacy that consumers care about. We urge this committee to not just take up this narrow aspect but to look at a broader privacy package.

Mr. Chairman, once again, thank you for the opportunity to testify before the committee today. I will be happy to answer any questions the committee may have.

REP. LEACH: Well, thank you very much, Ms. Beason.

Ms. A. G. Breitenstein.

MS. A.G. BREITENSTEIN: Chairman Leach, Representative LaFalce, thank you for inviting me here today. My name is A. G. Breitenstein. I am one of the first chief privacy officers of an internet start-up; ChoosingHealth.com is the service which allows patients to communicate with each other and with their providers and hospitals and researchers without having to give up their privacy. We're dedicated to the notion that people's information belongs to them. And I want to take this time to thank you for taking up this issue.

A Wall Street Journal poll recently found that Americans consider the issue of health privacy to be more threatening than domestic terrorism. The Harris poll has also found that privacy is the number one reason that Americans are staying off the internet. The urgency of this problem is very, very clear. Nancy Dickey, past president of AMA has stated the following: "These days insurance companies don't want summaries. They want the whole record. So I think twice about what I include. And then I hope I can remember it all. If my patients fear that what they tell me can come back to haunt them, they tend to be less forthright. I may come up with the wrong treatment because I was chasing the wrong clues."

And Nancy Dickey is not alone. I myself counseled a doctor whose wife was an OB-GYN and he told me that his wife routinely doodled in the margins of her record. The reason why that she used these doodles to code messages to herself about her patients' medical histories. She felt that this was important to do to protect the privacy of her patients' records, but feared that if anything ever happened to her, her patients' records would be impossible to read.

I also want to read you a quick quote from a pediatrician I worked with. He said to me, "Insurance companies are requesting as part of our well visits to ask and document," which I have no problem with, "children-- questions such as do you have sex, do you masturbate, how are your relationships to your parents and friends, have you had an abortion? and many others."

As I have said, I have no problem with these questions. What disturbs me is the access insurance companies have to that information. And they'll refer anybody else who can want to obtain these records legally. We as citizens are caught in the Catch-22. If we document patient confidentiality can be destroyed. If we don't document we are classified as bad physicians. As a pediatrician I am very concerned about how this information will be available to third parties.

Basically patients are put in the position of having to make a choice between their health and their privacy. I want to support you in this legislation. This legislation is a very good first step.

If there's one thought that I can leave you with in terms of my testimony it is this. Personal information, particularly health information, is the new cash in this digital age. Your efforts to protect privacy, personal health information, will set the terms that allow patients to negotiate on a level playing field for the value of this new currency. Without adequate protection, individuals will be robbed of a valuable resource and will be reluctant to purchase the goods and services they need on the internet.

Well, what do I mean by this? People get free stuff, and I put "free" in quote-- in our new digital economy because they are willing to give up certain aspects of personal information in exchange for this. This is very true on the internet. Most websites have as their primary revenue model some plan to sell this personal information collected. And personal health information is the most valuable of all of these categories of information.

If there's a bank, I can collect and sell a list of people who have asthma to an unscrupulous researcher or direct marketer. I can make millions of dollars.

How should this affect your work on HR-4585? Privacy legislation will be the backdrop against which the emergent digital economy will be set. It will have a profound influence on the ability and right of consumers to negotiate the value of their personal information in exchange for goods and services. You are in effect creating a new currency of sorts.

There are a few suggestions I'd like to make to this end. The basic rule of consent must be clear and unambiguous with few exceptions, and this consent should be voluntary. Health information collected for one purpose cannot be used for another purpose without consent. I was particularly troubled by the exception for joint marketing that is in the legislation now. It seems to me this is a loophole for sort of reconfiguring the marketing schemes that people are protesting, and as long as it's done along with the entity that first collected the information this seems like a very large loophole.

There also needs to be--

REP. LAFALCE: Excuse me, Ms. Breitenstein. Where is that last concern expressed in your testimony? I was following you on point 2 and I didn't follow you when you were underscoring a point.

MS. BREITENSTEIN: It's actually not in my written testimony, but I'd be happy to amend it for your purposes.

REP. LAFALCE: Please do so.

MS. BREITENSTEIN: Absolutely. And as the banking insurance functions begin to merge under this Act it's going to be exceedingly important to--

REP. LEACH: For a point of clarification, the concern you have in joint marketing is not in the bill. It is advocated by--

MS. BREITENSTEIN: In the original.

REP. LEACH: But not in 45--

MS. BREITENSTEIN: Correct. Correct. It's in the exceptions which are referred to in 4585.

REP. LEACH: That's correct.

MS. BREITENSTEIN: Right.

REP. LEACH: And so this is a concern about an advocacy of a position that another panelist has suggested, but not a concern about the bill itself. Is that correct?

MS. BREITENSTEIN: Correct. It's a concern for pulling those exceptions into this bill. Does that make sense?

REP. LEACH: Sure.

MS. BREITENSTEIN: Okay, great.

REP. LEACH: Thank you.

MS. BREITENSTEIN: As banking and insurance functions begin to merge, it's going to be exceedingly important to make sure that the firewall between these areas is enforced. And finally, individuals must have a say of action to enforce their claims on their own personal health information. Data is property and if there's one thing we have historically protected in this country it is the right of an individual to protect their property. Failure to do so will not only adversely affect health care but will set a dangerous new precedent in this information era.

Many of my esteemed colleagues have testified today that these protections are going to drive up costs and stifle economic growth. I want to challenge this argument head on. Personal information is a resource. It has value as our economy shifts to an information-based system. It will become one of the most valuable resources in the world. If we rob individuals of their data we will render them penniless and powerless to participate freely and fairly in this new market.

We will first feel this in rising health care costs owing to an eroded doctor/patient relationship.

We will then feel the effects when people offer erroneous information or choose not to participate at all. And I want to thank you and offer any suggestions I can for improving.

REP. LEACH: Well, thank you very much, Doctor.

Mr. Hendricks.

MR. EVAN HENDRICKS: Thank you. Mr. Chairman, I'm Evan Hendricks, editor and publisher of Privacy Times. I've been reporting on and following privacy developments in Washington since I arrived here in 1977. I'm in my 20th year of publishing Privacy Times.

There's always a tendency to take good news for granted, and I don't want to do that. I think good news here is you, Mr. Chairman, and the ranking minority member. You have always been willing to give privacy a fair hearing. You were the first one to tackle the tough issue of information brokers. With the help of Mr. LaFalce the two of you have taken a bipartisan approach to privacy, and I've seen the benefits for Americans in that. And I'm glad to see that continuing today.

I think the bad news is there's not another committee that follows the example that you set, and I hope that that will be changing as it becomes clearer to Washington how important privacy is to the American people.

I think we have in front of us a good bill. The core of this bill is good because it's based on affirmative, informed consent which should be the baseline of all privacy law and information usage in the United States. And I think it's only a matter of years before we get that kind of privacy law and information usage in the United States. So I of course advocate speeding the way there.

Of course no bill can be perfect. They can all be improved including the administration's and including the one before us today, and so I incorporate the comments of my fellow panelists-- you've heard Dr. Breitenstein, Consumer Union-- for some of the specifics.

I'd like to speak that traditionally in the United States we've always taken a narrow approach on privacy. Certain issue comes up like we found Judge Bork's situation where a newspaper reporter got ahold of his video rental records and this was an issue that hit close to home in Congress, and they moved quickly to pass the Video Rental Protection Act.

But the narrow approach has left us with many of these gaffs, so we do have Fair Credit Reporting Act, an important law this committee had a role in. Video Rental laws records were protected, cable TV is protected. But many important types of records like medical records, employment, some kinds of financial information, internet retail records are not protected. And this is extremely significant that now in history we are in an age of convergence where we see under GLB the conversion with insurance and banks. We see the convergence of means of communications-- the internet, cable, telephones, the banking and the wireless systems are all converging. And so I think that we need to really move toward a comprehensive approach to privacy if we are going to have our laws fit the technology and the information systems that we have.

And so I favor in just the area of financial privacy the starting point for considering financial privacy would be the administration bill as introduced by Congressman LaFalce that it takes a more comprehensive approach to the issue of financial privacy, and I think that's where we start.

I think it's also important to point out though that there is rampant public concern now about privacy. In our newsletter we've reported bits and pieces about some of the politicians, a proprietary opinion poll showing that privacy is off the charts among Americans' concerns, and the New York Times fleshed this out a week ago Sunday in the Week in Review section showing both Republican and Democratic pollsters are finding that this is the sleeper issue of this campaign.

The lesson to learn is that we must do something dramatic and comprehensive to respond to the well-founded public concerns about privacy. I think the solution is that the administration really has a responsibility to come forward with a comprehensive national package. If the administration doesn't do it then the leadership of the Congress should do it; though traditionally this role has belonged to the administration.

I think one reason the administration hasn't done this is that for too long the Commerce Department has been at the middle, kneeling at the altar of voluntary self-regulation and still does well after voluntary regulation has been discredited as feasible or workable. I think Commerce Department should get out of the privacy policy business altogether and just go back to counting beans.

The good news though is that we have the Treasury Department has come forward with a comprehensive financial privacy bill. The Federal Trade Commission has now recommended national privacy legislation for internet privacy. And the Health and Human Services is moving on medical privacy telling Congress that they need to go beyond what HHS can do in rule-making.

So we have through fits and starts the pieces of what could be a comprehensive privacy policy. I think on top of this we need privacy infrastructure. No matter what happens, we are still going to have to integrate and consolidate and rationalize privacy laws so they are consistent across mediums and for kinds of records and have reasonable differences for reasonable contexts but so there is consistency. And this is the role of what other countries, all other western countries have and we don't, and that is a privacy commissioner, an independent privacy commissioner that would answer to the legislature. That is a very important step in creating the privacy infrastructure we're going to need to have a rational scheme of privacy protection.

Finally, I think it's important to note that one of the most pro-consumer developments is development of the internet and e-commerce. Yesterday Chairman Pitofsky of the FTC was talking about the benefits to consumers, but there's a real risk, and we're seeing the numbers and that the phrase "burn rate" is a very dominant phrase now that they're worried that e-tailers are going to go out of business. And that's partly because we have not created an environment of consumer confidence. Without adequate privacy protection, we will not have consumer confidence.

And so not only is this the best thing for the American people and something that eventually will happen, but it's something that's absolutely necessary for us to make e-commerce flourish. Otherwise, it's still possible we could have the unfortunate debate of who lost e-commerce.

Thank you very much, Mr. Chairman.

REP. LEACH: Thank you, Mr. Hendricks. And I am also struck by the fact that you've had a magazine that's been in existence for 20 years and privacy as a concern and merge six months ago. Thank you.

Mr. Mierzwinski.

MR. EDMUND MIERZWINSKI: Thank you, Mr. Chairman. Mr. LaFalce. I'm pleased to offer the views of the U.S. Public Interest Research Group on your important new legislation to protect consumers' financial and medical privacy. We want to commend you for introducing a bill that is very supportable with some amendments, and we are encouraged by the fact that the core of your bill recognizes that opt-in expressed consent by consumers should be the criterion upon which information is shared or used for secondary purposes.

As Mr. Hendricks has articulated, we believe that any privacy laws should be based fundamentally on opt-in consumer consent. We are especially pleased that a number of parts of your bill are quite strong, particularly its provision that the use of information already held by an entity requires express consent, and also its stronger provisions in the areas of mental health.

That being said, I do have a few points in my written testimony on areas where we think that the bill could be improved. We also think that some of these areas apply equally to the president's bill. And let me just discuss those very, very briefly.

First, I think both bills have too many exceptions and that the committee ought to look very carefully at the need for those exceptions. I'm quite aware that the industry witnesses believe there should be more exceptions, but we believe to protect privacy there should be as few as possible.

Second, in the area of coercion of consent, we are generally concerned that consumers not get into the habit of ignoring warnings and simply giving consent as a condition of applying for any kind of account. And in this area, the president's bill uses one approach, your bill uses a different approach. We believe perhaps the best solution might be a combination of the two approaches with the addition of the approach taken by the comprehensive medical privacy bills, not only the financial privacy bills but some of the other bills, before the Congress that would prohibit the conditioning of any treatment or provision of any service upon provision of consent.

The third area is the issue of loans or credits. Some parts of the strongest parts of your bill appear to be limited only to the issuance of loans or credit. We believe that this potentially means that banks and financial services holding companies might be able to use confidential health-related information for marketing purposes for example or employment purposes for example, and we would suggest that you eliminate that narrow structure and broaden the definitions so that it applies not only to loans and credit but to all uses of information by a holding company.

Neither bill, your bill nor the president's proposal, provides a private right of action under Title V. We believe that a fundamental privacy protection is to give consumers the right to sue when their rights are violated. One area where we think you could come to some congruence with the president is on the important area of access, providing the opportunity for consumers to correct and copy their financial medical records. Your bill, of course, includes this strong provision.

The president's bill, however, includes that provision and applies it not only to health records but also to financial records. The industry often complains about complex regulations, burdensome, excuse me, complex regulations. How could I forget the adjective "burdensome?" The way that you could make the regulation more simple would be to apply the access and correction provisions not only to medical information but also to all information held by a financial services holding company to give consumers that fair information practice as it applies to all of their information-- we think would be a good step forward. Then instead of being under two regimes, the banks would only be under one regime for complying with that provision of the law.

We believe also that as the bill relates to HIPAA, there is language in the bill describing the relationship between the two bills. We think there should be an express provision that says stronger law controls, stronger privacy law controls in all circumstances. That would be a notable improvement to the bill.

We're very pleased that both you and the administration have recognized as has the broad coalition of consumer pro-family, free speech and civil liberties and privacy organizations have that have been supporting privacy legislation in this country, that the core of privacy legislation should be express opt-in consent. We would urge you to work together with the administration. Your bill applies to medical privacy. The president's bill as introduced by Mr. LaFalce applies to an opt-in regime to both medical privacy and sensitive financial information. We would urge, of course, that that be broadened to include all medical and all financial information and ultimately as Mr. Hendricks has described that we establish opt-in express consent across all areas of the economy, because as the industry groups are converging, as companies that used to do one thing are doing many things, the gaps in our privacy law are becoming clearer and clearer.

That being said, we commend you for introducing a bill to solve the most important loophole in the GLB Act, and that is its missing provision on medical financial privacy, and we urge support of your bill. Thank you.

REP. LEACH: Ms. Pritts.

MS. JOY L. PRITTS: Good afternoon. I'd like to first thank you Mr. Chairman and Congressman LaFalce for giving us the opportunity to testify today on this important issue of health privacy. I am with the Health Privacy Project which was formed a few years ago. The mission of the Health Privacy Project is to raise public awareness about the importance of insuring privacy of health information from the standpoint of improving health care access and quality and not just from an individual point of view but also from the community's point of view. We believe that this is an important area which as technology changes is subject to more and more threat.

Given the focus of our project we follow the privacy components of the GLB Act with great interest. Financial information often overlaps with health information, and we had concerns that in the process of modernizing the financial service industry sensitive health information might be turned into just another marketable commodity, and we don't think it should be that type of information.

The bill that is at issue here today HR-4585, goes a long way towards addressing our concerns with that issue. I'd like to address some of the major components of that bill.

One of the first things that we focused on was the opt-in requirement for a financial institution to release the information of a consumer. An opt-in requirement is pretty much the standard quo in other federal bill, and we believe this is the way to go. And we also believe that this is a vast improvement over the opt-out provision that was in the original GLB Act because that kind of presumes that a consumer would consent to the release of this information, and we don't think that presumption is very accurate that people would voluntarily release this information if they know that's how it was going to be used.

We also appreciate the fact that this opt-in requirement applies to nonaffiliates. From a consumer's perspective it really doesn't matter if the information is going to an affiliate or a nonaffiliate. The key issue is whether the information is being released from the original record-holder.

Another aspect of this bill that we were pleased with is to see that it addresses consumer profiles. Although we've heard today that banks do not use medical information in this manner, I think it's quite obvious from anybody who's received a statement of a checking account that many of us at the end of the year receive a statement that lists how things have been processed. Your credit card statement says how your money has been spent during the year. And it could include things like categories such as $10,000 for health information during the last year. So the technology is there. And it is something that in the future people could possibly do.

One other area that this proposal addresses is that it restricts the use of health information for providing certain financial services. We see this as an improvement over the original GLB Act. There are a lot of consumer concerns that their health information may be used to deny them access to financial services such as loans and credit.

There was a question posed earlier today to another panel about whether anybody knew of any circumstances under which that had actually happened. We're aware of an article that was in Time Magazine-- I believe it was in 1996 or 1997-- where they reported an example of a bank officer who also happened to serve on a state board which governed a cancer registry. And the bank officer ran a list of the people who had been reported as having cancer, and he used that list and compared it to the files in his bank. And apparently he terminated their loans.

Now that's really kicking somebody when they're down, so there are circumstances that have been reported where this has actually occurred. And we would really like to see a prohibition on that occurring in the future.

Another major improvement in this act is the provision that would grant consumers the right of access to and to correct their information. If your health information is going to be used to make life-influencing decisions on you such as whether or not you're going to get insurance, or are you going to get a mortgage, or if it's going to be spread to other people for them to use, you should certainly have the ability to see what information is out there about you and to correct it if it's inaccurate.

Although we support the opt-in requirements for use and disclosure, we do believe that those requirements mean almost nothing if they are not truly voluntarily signed. So, and if a financial institution is able to condition the provision of a financial service on a consumer's executing those authorization forms, it's not really voluntary. It's not really an authorization if you have to do it in order to obtain a loan, for instance.

This is one area where we really believe that this bill could be improved. Overall, we're quite happy with the provisions in H.B. 4585 and we're pleased that it's been introduced. We look very much forward to seeing the gaps in GLB Act filled, and it looks like we're moving in that direction, and we'd be happy to assist with that process if we could.

REP. LEACH: Thank you, Ms. Pritts.

Mr. Weich.

MR. RONALD WEICH: Thank you, Mr. Chairman. I appreciate the opportunity to be here today to speak on behalf of the 300,000 members of the American Civil Liberties Union. With the 14 witnesses of today's hearing, I think it's my responsibility to say something that nobody has said and say it briefly.

What I'd like to do is, first of all, endorse the recommendations for strengthening the bill that my colleague at this panel and the Treasury Department official on the first panel put forward. But I want to take a step back and remind the chairman and the ranking member of the importance of this legislation for health and public health.

Over the course of the morning and now the afternoon I think that medical privacy has been discussed in somewhat abstract terms as though the diminution of privacy in the medical area was something that was unfortunate for the individual that might cause pain, might cause embarrassment, could expose somebody to discrimination, but that it was something that was an after-the-fact consequence of the violation of privacy.

The point I want to make is that we believe medical privacy is important because in the absence of an environment in which people are confident that their medical information will be secure and kept confidential, people will not seek medical treatment in the first instance or people will not be candid with their health care provider. And that's very damaging. Let me just give two examples, one ripped from today's newspaper.

The Washington Post reports on a Center for Disease Control study which says that 25 percent of the people who get AIDS tests in this country do not return to receive the results. And CDC speculates that a big part of that is the stigma that's associated with AIDS. A prior study by the Department of Labor found that a majority of women in the study were reluctant to receive genetic screening for breast cancer. There again, a large part of that problem, and the women said that a large part was because they were reluctant to have a piece of paper exist that said that they had this genetic predisposition. They feared that it would be used against them. So it's not just the after-the-fact consequence. It's that people will not receive the health services that they need, and as a result the work that this committee is doing in this area is as important for individual health and for public health as anything that your colleagues in the Health Subcommittee of the Commerce Committee might be working on at this moment.

That said, I don't want you to be left with the impression that the ACLU thinks that the only issue that needs to be addressed with respect to GLB is medical privacy. We regretted the fact that your bill, Mr. Chairman, the landmark GLB Bill did not comprehensively address privacy issues to our satisfaction, and we urged that in this Congress and as soon as possible the Congress return to the privacy issues across the board with respect to financial institutions, including medical privacy. We think your bill is very good as my colleagues have stated, but we think applying the principles, especially the opt-in principle, to financial privacy across the board would be even better.

I would just want to quickly highlight three improvements that I don't believe have been mentioned before, and I'll say them very in bullet form. First of all, with respect to the rights of access and correct information, your bill, Mr. Chairman, permits consumers to do that with respect to records that are in the possession of the financial institution. The ranking member's bill goes a step further and says records that are under the control of the financial institution and reasonably available, which is the standard that I think is not burdensome and would ensure that financial institutions don't play shell games with the record. If there is to be a right of access and a right to correct, it should apply to all records that are under the control and reasonably available.

Secondly, there's been discussion about the mental health protections in the bill, and we commend you, Mr. Chairman, for putting those in there. I think there was some discussion earlier when Congresswoman Roukema was here about why that would be important. Understand that under the opt-in model it is very often the case that the opt-in will occur in advance, that when the consumer signs up for the financial product he or she will be asked to provide consent for the future use of the information.

As we read the mental health protection, the special heightened protection in your bill, the financial institution would if it wanted to use mental health information in the future would need to come back to the consumer and seek consent for that specific use. We think that's vitally important, and we would respectfully suggest that those special protections be extended beyond mental health to other sensitive areas like substance abuse and reproductive health because those are areas where the fear of embarrassment and discrimination is so great that people are reluctant to seek the health service in the first place.

Finally, nobody has emphasized the importance of genetic privacy protections. There again, the breast cancer example is one that we're all very familiar with, but the map of the human genome is about to be completed within the next couple of weeks is what we've been told. We think it's vital for Congress to address the circumstances under which that information is going to be available and the circumstances under which it's going to be used. We strongly support Congresswoman Slaughter's bill to provide those protections and while not within the jurisdiction of this committee of course we think that revisiting the privacy issues raised in the insuring context under GLB presents an excellent opportunity for the Congress to look at the important issue of genetic privacy.

Thank you.

REP. LEACH: Well, thank you very much. I must say all your testimony has been extraordinary and very much appreciated. And as we move forward it will clearly be borne in mind. So any very specific language you want to suggest we'll look at as well, and feel free to contact us directly.

John.

REP. LAFALCE: Thank you very much, Mr. Chairman. A couple of observations. First of all, I thought the presentations of this panel were just outstanding, and I thank the chairman. I requested each of the six of you as witnesses. I think we would have been remiss if we didn't hear from your perspective. I wish more were here to listen to you both sitting here and sitting out there.

You have been supportive of the chairman's bill and my bill. Similarities and differences in our approach, but you've also had some suggested changes for both the chairman's bill and my bill, and we're grateful for that because whatever we do we both recognize that we don't have any particular monopoly on wisdom and anything that we've introduced can always be improved and if pointed out can be improved significantly.

Even in the bill that I introduced on behalf of the administration I don't think it goes far enough in certain very, very key respects. Ms. Breitenstein, you pointed out how very imperative a private right of action is because if my privacy rights are protected, my personal privacy rights, my property rights, then I don't want to have to rely on the FTC. I don't want to have to rely on a state attorney general which I have to do even under my bill. I ought to have a right to seek individual redress because I'm the one who's been abused. I don't think that's unreasonable. But I think arguments to the contrary are unreasonable. And though here I'm saying this is a defect in my bill even. We need to go further.

I point you out in particular because you made the point and you come from the private sector. And there's something else I think that we must get across, and maybe you could help me buttress this point. By promoting privacy we are promoting good business practice.

How many times have you run into individuals who would have used the internet, for example, who would have used some electronic form of commerce if they didn't have to share personal information? But they get to that point and then they stop.

And I think we could have an exponential growth in utilization of the technology that exists if we adopt the strongest possible privacy protections rather than thinking that the privacy protections will impede that growth. Anyone want to comment on that?

MS. BREITENSTEIN: I want to thank you for that comment. It's incredibly astute, and statistically speaking you're right on the money so to speak. A 1999 Consumer's League study found that 70 percent of people were unwilling or reluctant to divulge personal information on line, and a 2000 poll found that 40 percent of women have never made a purchase on line citing privacy as their number one concern.

So I wish I had a terrific little vignette for you. But statistically speaking if we don't solve privacy we are not going to support the development of e-commerce and communication and everything else that we want to do on-line, especially in the health field.

REP. LAFALCE: I thank you. Let me just, Mr. Hendricks, before you respond let me just say that with respect to Mr. Hendricks and I we didn't just start talking about privacy six months ago. I remember two years ago we were at the White House at a press conference with Vice President Gore when we were having a press conference about the need for promoting privacy rights at that time, and then I remember the 1970s working on privacy when Mr. Hendricks was covering it. I was particularly working on that with then Congressman John Cavanaugh of Nebraska. But you wanted to comment to buttress, I think, Ms. Breitenstein's point?

MR. HENDRICKS: Yeah. The other statistic is that something between 70, 75 percent of the people are filling things up in shopping carts when they go on-line and then abandon the purchase at the point they're talking about actually having to put their credit card number down.

So there's a real perception, fear, hurdle that has to be overcome, and that's why I think we need something dramatic and comprehensive. I think, you noted that Ms. Breitenstein's from the private sector. There's an exciting dynamic going on that there's new models of companies coming in with the new economy that are based on protecting and enhancing privacy. I'm talking to some of those companies too. And I look forward to sort of bringing them into the debate here to be able to demonstrate how, where in the past you could only make money by invading privacy, and now there's value in protecting privacy.

REP. LAFALCE: I think I read or heard some place about a San Francisco company that has a patent that's been issued that would assist in the protection of privacy by scrambling this information. Do you have anything you want to share with us on that?

MR. HENDRICKS: Yeah. It's a company I'm talking to that has a patent for scrambling credit card numbers so, and all through commerce the merchant, the e-commerce systems, communication line, you don't see the real credit card number. It scrambles it so it only goes through and then it's confirmed by the acquiring bank, the issuing bank. So it would be a real technological plus to get this sort of technology in the market place, and it's going to take a mix of technology and legislative solutions to finally show the American people that we can protect privacy.

REP. LAFALCE: Let me in closing again thank you, and let me just make a personal observation. This is June. I'm not sure whether we'll be able to, if we report a bill out, advance it to the floor. I'm not sure given the composition of the Senate and the late schedule we'll be able to advance anything at all in the Senate. Those are just question marks. The question is, what should we do now next? A number of you have been very kind in your comments, both toward the chairman and myself. I don't know what's going to happen in the future. I don't know whether I'll be reelected-- assuming I am I'll expect to be either the ranking member or the chairman of this committee. Assuming Congressman Leach is reelected, because of the rules of the House he will not be chairman in the next Congress. Or maybe he could be ranking member. I don't know. But if the Republicans have the majority it will probably be Ms. Roukema or Mr. Oxley or Mr. Baker, God only knows.

But I don't think there's ever going to be a chairman and ranking member who are so similarly disposed substantively on such an extremely important issue and also of similar personal disposition. And I would hope that we could take this opportunity to craft something that is better than both our bills and as broad and as comprehensive as possible because we might never have another opportunity. I thank you, and I thank the chair very much.

REP. LEACH: Well, thank you, John. Let me thank you all again. Your comments have been splendid. Thank you. The committee is adjourned.

END

LOAD-DATE: June 17, 2000




Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.