Copyright 2000 Federal News Service, Inc.  
Federal News Service


June 14, 2000, Wednesday

SECTION: PREPARED TESTIMONY

LENGTH: 3165 words

HEADLINE: PREPARED TESTIMONY OF RONALD WEICH PARTNER - ZUCKERMAN, SPAEDER, GOLDSTEIN, TAYLOR & KOLKER, L.L.P. LEGISLATIVE CONSULTANT TO THE AMERICAN CIVIL LIBERTIES UNION ON BEHALF OF THE AMERICAN CIVIL LIBERTIES UNION
 
BEFORE THE HOUSE COMMITTEE ON BANKING AND FINANCIAL SERVICES
 
SUBJECT - "H.R. 4585 -- THE MEDICAL FINANCIAL PRIVACY PROTECTION ACT"

BODY:
 Mr. Chairman and Members of the Committee: My name is Ronald Weich. I am a partner in the law firm of Zuckerman, Spaeder, Goldstein, Taylor & Kolker, and a legislative consultant to the American Civil Liberties Union (ACLU). I am pleased to appear before you today on behalf of the ACLU to discuss the issue of medical privacy in the financial services industry, and to provide our views on the Medical Financial Privacy Protection Act (H.R. 4585) proposed by Chairman Leach.

The ACLU is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom and equality set forth in the Bill of Rights to the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life.

My testimony is divided into two parts. The first section presents an overview of the need for medical privacy protections in federal law. The second section discusses the civil liberties implications of the Chairman's proposal to address medical privacy in the financial industry.

I. The Importance of Medical Privacy

Advances in technology have brought about a revolution in every aspect of health care, including the manner in which medical information is maintained and disseminated. Today, medical data can be collected, combined, collated, analyzed and distributed faster and easier than ever before. Huge quantities of health-related information can be stored electronically and transmitted across the country and around the globe with the click of a computer mouse.

Much of this electronic activity benefits individual patients and facilitates public health efforts as well. But, like many technological advances, society's increased reliance on computerized medical records presents significant challenges to privacy. In the absence of legal safeguards, computerization allows for virtually unlimited access to medical records without the knowledge or consent of the patient whose records are accessed.

Privacy is vital in the health care context because trust is a fundamental component of the doctor-patient relationship. Since medical records contain particularly sensitive and intimate information, patients are susceptible to humiliation and discrimination in the event information from their medical records is improperly disclosed. If patients are not confident that their medical privacy will be respected, they will be less likely to seek medical care, and less willing to be candid with medical professionals about their health. The fear of losing medical privacy, therefore, may lead to adverse health consequences for individuals. The failure of individuals to seek medical treatment may also lead to dangerous public health conditions, for example in the areas of sexually transmitted diseases and substance abuse.

At the same time that computer technology has made medical record keeping vastly more efficient and therefore less reliably private, the confidentiality of medical records is separately threatened by the trend toward economic integration of financial institutions, some of which have access to their consumers' personal medical information. Last year Congress enacted a financial services modernization law, now known as the Gramm-Leach-Bliley Act, that dramatically facilitates the merger of -- and therefore the sharing of information between -- banks, insurance companies and other financial entities.

The ACLU regrets that the financial services modernization law did not include stronger privacy protections in general. But we are especially concerned that the bill lacks medical privacy protections, since medical information is among the most sensitive categories of information that integrated financial entities will now be able to share with each other. While we recognize that some commercial uses of personal medical information are legitimate and beneficial to consumers, we believe that other commercial uses of medical information are illegitimate and invasive of personal privacy.

The task for Congress now is to sort out the permissible and impermissible uses of medical information in the financial services sector, and to establish a process by which consumers can participate meaningfully in decisions about their own medical information.

It is fair to ask why consumers have any role at all in this process, if the records in question are generated and maintained by commercial entities rather than individual patients. The answer, in our view, is that patients own their medical records, and that health care providers or insurance companies who maintain those records should be viewed as custodians of the patients' property. We believe that medical records in the possession of health care professionals or third party payors are like client files in the possession of attorneys. The patient or the client retains ultimate control over the disclosure of information in their records. It follows that (1) patients may reasonably expect that their personally identifiable health information will not be disclosed to anyone unless they have given specific and express written consent, and (2) medical records must be protected from unauthorized access to the fullest extent practicable.

These straightforward objectives are elusive because the United States lacks a coherent and consistent medical privacy policy. A patchwork of state laws affords varying levels of protection to citizens in some jurisdictions. That is insufficient. The ACLU continues to urge Congress to enact an omnibus medical privacy law that would provide a consistent and reliable set of privacy protections for medical records in all settings, including the financial services industry.

In the absence of such a law, we have supported the current regulatory process in which the Department of Health and Human Services is finalizing rules to implement medical privacy directives contained in the 1996 Health Insurance Portability and Accountability Act. The ACLU has submitted detailed comments to HHS urging that these regulations be strengthened in key respects.

It is important that less comprehensive congressional efforts to protect medical privacy, such as this Committee's consideration of privacy protections in the financial services industry, not hinder the broader efforts to enact a medical privacy policy through statute or regulation. During consideration of the Gramm-Leach-Bliley legislation last fall, we urged rejection of the so-called Ganske amendment that we believe could have undermined the HHS regulatory process. We appreciated the willingness of this Committee to consider our views and to remove the amendment in conference. We also appreciate the Chairman's recognition that this is now an issue that Congress must address.



With these considerations in mind, I will now turn to specific comments about the bill before the Committee today, H.R. 4585.

II. Civil Liberties Implications of H.R. 4585

We commend Chairman Leach for introducing a bill designed to address the significant deficiencies of the Gramm-Leach-Bliley law in the area of medical privacy. At the time Gramm-Leach-Bliley was considered, some argued that the generic privacy protections in the bill were sufficient to meet concerns about the transfer of sensitive medical information among financial affiliates. The ACLU disputed that assertion, and we view the introduction of H.R. 4585 and this hearing as a welcome acknowledgment that medical records deserve heightened protection in the financial world.

Indeed, we hope that the introduction of H.R. 4585 signals a willingness by Congress to reconsider the broader decisions it made about financial privacy in the Gramm-Leach-Bliley Act.

In general, the ACLU supports an "opt-in" privacy model under which individually identifiable health information may not be disclosed among component entities of a financial institution unless the institution provides notice to the subject of the information and obtains verifiable consent prior to disclosure. While we are pleased that H.R. 4585 generally adopts this approach, we believe there are certain ambiguities in the proposal that should be clarified and other improvements that should be made during this Committee's consideration of the bill.

A threshold question is the relationship between this bill and the forthcoming HHS regulations. Proposed section 502A(e) provides that nothing in the new law would "modify, limit or supercede" standards promulgated by the Secretary of Health and Human Services. That is generally the right approach, although there may be instances in which this bill provides even stronger privacy protections than the regulations, and when that occurs we believe this law should govern. Whenever there is a conflict between the regulation and the law, the rule that provides greater privacy protection for consumers should prevail.

Let me now suggest several specific ways in which the protections in H.R. 4585 could be strengthened.

A. Right to Withdraw Consent

H.R. 4585 requires that before individually identifiable health information is disclosed by a financial institution, the individual who is the subject of the information must be given written notice of the disclosure and the financial institution must elicit the affirmative consent of the individual prior to disclosure of records. This approach embraces the fundamental principle that individuals should control the use of their medical records. But this principle also dictates that a consumer should be able to withdraw his or her consent for the use of health information.

Proposed section 502A(a)(1)(B) is ambiguous on this point. It provides that "(a)ny withdrawal of consent is subject to the rights of any financial institution that acted in reliance on the consent prior to its withdrawal." The bill does not explain what the rights of financial institutions are in this regard, but we fear that the allusion to such rights could serve to blunt what should be the absolute right of a consumer to withdraw consent. This is especially important in a context where consent will sometimes be granted at the outset of a relationship between the consumer and a financial institution, and the consumer will subsequently learn of practices that he or she regards as a breach of privacy.

We urge that section 502A(a)(1)(B) be deleted. If a financial institution has, in fact, detrimentally relied on a consumer's prior consent, standard contract law principles may provide legal rights that will govern the transaction whether or not referenced in statute. This ambiguous provision can only diminish the rights of consumers and undermine the general principle that withdrawal is to be effective upon receipt by the financial institution.

B. Right to Access and Correct Records

The bill appropriately includes a mechanism (proposed section 502A(c)) for accessing and correcting individually identifiable health information contained in the records of financial institutions. Damaging inferences may be drawn about an individual from incorrect health information. The opportunity to prevent or minimize the harm caused by inaccurate data entries or other incorrect information is fundamental to ensuring that individuals are treated fairly by those who view their records. Accordingly, the process for correcting records is critical to the protection of the interests at stake in this bill.

To this end, proposed section 502A(c)(1)(A) should be strengthened to require a financial institution to provide customers with access to information that is "under the control of the financial institution," not just information that is "within the possession of the financial institution." This modest change prevents financial institutions from avoiding the responsibility imposed by this provision simply by transferring their information to an affiliated entity.

C. Exceptions to Non-Disclosure

A significant flaw in H.R. 4585 is the broad scope of the exceptions it permits to the general rule of nondisclosure. Certain exceptions which facilitate transactions or which pertain to other routine business functions of financial institutions may be warranted. But the bill carves out broad exceptions in other areas that severely undermine the protections afforded under the general provisions of H.R. 4585.

First, it is difficult to imagine how a financial institution could protect the confidentiality or security of its records pertaining to a customer by disclosing nonpublic personal information about the customer as permitted under section 502(e)(3)(A) of the Gramm-Leach-Bliley Act. We urge that this exception to the general non-disclosure rule should be eliminated.

Second, the exceptions for persons "holding a legal or beneficial interest relating to the customer," or "acting in a fiduciary or representative capacity on behalf of the customer" as provided in section 502(e)(3)(D) and (E) of the Gramm-Leach-Bliley Act unjustifiably limit the privacy rights of minors, particularly with respect to their reproductive health care. The proposed HHS rules carefully address this issue, and should not be undercut by more generic language in this bill.

Third, the exception for requests made by law enforcement and governmental agencies is overly broad to the extent that it expands on the investigative exceptions set forth in the Right to Financial Privacy Act of 1978, 12 U.S.C. § 3401 et seq. and other existing laws pertaining to the investigation of financial institutions. Any "investigation on a matter related to public safety" should be conducted in accordance with the provisions of the Right to Financial Privacy Act. The provisions of that law already contemplate such investigations and any governmental unit conducting such an inquiry should be compelled to comply with the notice provisions in the 1978 Act. Therefore, section 502(e)(5) of the Gramm-Leach-Bliley Act should be modified to clarify that no expansion of existing law enforcement authority is intended.

Fourth, there is no basis for a financial institution to disclose individually identifiable health information about its customers to "self-regulatory organizations." Whatever the administrative functions of such organizations, they should be carried out using aggregate or de-identified information. Therefore this exception in section 502(e)(5) of the Gramm-Leach-Bliley Act should not be applicable to individually identifiable health information.

Finally, section 502(e)(8) of the Gramm-Leach-Bliley Act duplicates the exceptions set forth in section 502(e)(5). We propose that for clarity's sake, the provision should be modified to reflect that this exception pertains only to judicial proceedings involving or action taken by governmental regulatory authorities with jurisdiction over the financial institution. Any law enforcement or other government agency seeking individually identifiable health information about a particular person must comply with the Right to Financial Privacy Act of 1978.

D. Mental Health Protections

The enhanced protections for mental health records in H.R. 4585 are commendable, but should also be afforded to information about other sensitive records such as those pertaining to reproductive health, sexually transmitted diseases and substance abuse treatment.

Just as financial institutions should be required to obtain a consumer's separate and specific consent with respect to the disclosure of, for example, psychotherapy records, so should such specific consent be required for equally sensitive health records.

E. Private Right of Action

H.R. 4585 fails to provide consumers with a meaningful remedy in the event their individually identifiable health information is improperly disclosed. Regulatory oversight of financial institutions is an insufficient means of policing the vast financial services industry. The absence of a private right of action is, of course, one of the limitations of the HHS medical privacy regulations as well. Congress should establish a mechanism for individuals to receive compensation for wrongful disclosure of their identifiable health information in order to deter this conduct.

F. Genetic Privacy

While H.R. 4585 creates an opportunity for consumers to consent to the disclosure of their health information to financial entities, it does not fully address circumstances in which disclosure of health information should not be permitted because the information should never be used for commercial purposes. The primary example of that concern is the potential disclosure to insurers and others of genetic information about individual consumers.

Scientists will soon complete a map of the entire sequence of human genes. While this breakthrough holds great promise for improving medical treatments, it also presents unique challenges to principles of privacy and non-discrimination. The ACLU believes that genetic information should not be a basis to discriminate against individuals in employment or insurance, for three reasons:

First, it is inherently unfair to discriminate against someone because of immutable characteristics that do not limit their abilities.

Second, the mere fact that someone has a genetic predisposition to a health condition is an unreliable basis to act on the assumption that he or she will actually develop that condition in the future. Genetic tests do not show with certainty that any individual will eventually develop the disease or how severe their symptoms might be.

Third, the threat of genetic discrimination in insurance or employment may lead individuals to decline genetic screenings and other health services to avoid bringing to light information that may be used against them. For example, the Journal of the American Medical Association reports that only 57% of women at risk for breast cancer seek genetic testing, and 84% of those who decline the test do so because they fear genetic discrimination.

Congress has before it legislation to protect all Americans against discrimination based on their genetic information. Senator Daschle and Congresswoman Slaughter have each introduced legislation (S. 1322; H.R. 2457) that would provide comprehensive protections against genetic discrimination. The ACLU supports these proposals, and urges that they be incorporated to the maximum extent feasible in H.R. 4585.

It is especially important to ban databases containing personally identifiable genetic information. Once genetic information is in the hands of an insurer or employer, there are corporate pressures to use it. Prohibiting the compilation of personally identifiable genetic data would minimize this risk.

CONCLUSION

The American Civil Liberties Union appreciates the opportunity to present its views on this important subject and would welcome the opportunity to work with this Committee as it continues its consideration of H.R. 4585 and other medical financial privacy proposals.



END

LOAD-DATE: June 15, 2000



