H.R. 10, Financial Services Act of 1999

ADDITIONAL VIEWS
ON
CONFIDENTIALITY OF HEALTH AND MEDICAL INFORMATION

During the consideration of H.R. 10, an amendment was offered to add a new section 351, entitled "Confidentiality of Health and Medical Information." While we support increased protection for medical information, we opposed this provision, because, unfortunately, the provision weakens existing protections for medical confidentiality, and establishes a number of poor precedents for private medical information disclosure.

While the provision at first blush appears to place limits on the disclosure of medical information, the lengthy list of exceptions to these limits leaves the consumer with little, if any, protection. In fact, the provision ends up authorizing disclosure of information rather than limiting it.

In medicine, the first principle is "Do no harm." In crafting a Federal medical privacy law, this principle requires that state laws providing a greater level of protection be left in place. Yet section 351 could preempt the laws of 21 states that have enacted medical privacy laws. While we agree that genetic information should also be protected – in fact, should deserve a higher level of protection – this provision could also preempt 36 state laws which protect the confidentiality of genetic information.

The provision also lacks any right for the individual to inspect and correct his or her medical records. As a result, an individual has greater rights to inspect and correct credit information than medical records.

There is no requirement that the customer even be told that his medical information is being provided to a third party. Thus there is no way that the customer could prevent the records from being disseminated if the customer believed that statutory rights were being violated.

An individual has no right to seek redress if the rights under this provision are violated. In fact, the customer is unlikely to even know that the rights were violated. The only enforcement authority is given to the states. If the individual is unlikely to have knowledge of the transfer of confidential medical records, it is hard to understand how the state Attorney General would know to bring an action as provided in subsection (b) of the provision. Even if the state brings an action, it can only enjoin further disclosures. The customer has no right to seek damages.

The provision places absolutely no restrictions on the subsequent disclosure of medical records by anyone receiving the records. Once the records are out the door for any of the myriad exceptions in this provision, they are fair game for anyone.

We agree that information should be disclosed only with the consent of the customer, as provided in (a)(1), but this right is rendered meaningless with the extensive laundry list of exceptions that swallows this simple rule. We shall only discuss a few of these exceptions.

The provision allows financial institutions to provide medical records, including genetic information, for purposes of underwriting. As a result, customers could find themselves being uninsurable, or facing whopping rate increases for health insurance, based upon their genetic information, or health records. In addition, the information may be inaccurate, but the customer cannot correct it.

The provision allows financial institutions to provide medical records for "research projects." This term is undefined, and could include marketing research, or nearly anything else. For example, a customer’s prescription drug information could be provided to a drug company doing marketing research on candidates for a new related drug.

Moreover, the provision establishes no research protections for individually identifiable records. The majority of human subject research studies conducted in this country are subject to the Common Rule, a set of requirements for federally-funded research. Analogous requirements apply to clinical trials conducted pursuant to the FDA’s product approval procedures. The Common Rule dictates that a study must be approved by an entity that specifically examines whether the potential benefits of the study outweigh the potential intrusion into an individual’s private records and whether the study includes strong safeguards to protect the confidentiality of those records. Two weeks ago at a hearing before the Health and Environment Subcommittee, witnesses from the National Breast Cancer Coalition and the National Organization for Rare Disorders testified that these Federal standards should be extended to all research using individually-identifiable medical records. Extending these protections would strengthen confidence in the integrity of the research community and encourage more individuals to participate in studies. Because this provision establishes no protections for individually-identifiable records, it could actually stifle research.

The provision allows the disclosure of confidential medical records "in connection with" a laundry list of transactions, most of which have nothing to do with medical records. The provision does not define who can receive the records, but instead allows disclosure to anyone, so long as it is "in connection with" a transaction. There was no explanation at the markup why medical records should be disclosed in connection with "the transfer of receivables, accounts, or interest therein." There is no definition of "fraud protection" or "risk control" for which the provision also authorizes disclosure. The provision gives carte blanche to financial institutions to disclose confidential medical records for "account administration" or for "reporting, investigating, or preventing fraud." Reporting to whom? An investigation by whom?

While most laws protecting medical records provide for disclosure in compliance with criminal investigations, those laws provide safeguards to permit the individual the opportunity to raise legal issues. This provision does not. In fact, as is the case with all other disclosures in this provision, the consumer would not even be informed that the information has been disclosed. Thus, a customer’s medical records could be disclosed to an opponent in a civil action without the customer even knowing it.

Within hours of passage of this provision, we began learning from patient groups and others who have fought to improve the privacy rights of individuals that this provision is seriously flawed. These concerns demonstrate why Congress needs to deal comprehensively with the issue of medical confidentiality, not in a slapdash amendment that has received no scrutiny. The Health and Environment Subcommittee of the Commerce Committee has already held a hearing on medical privacy, and a Senate committee has held multiple hearings on the subject. We look forward to enacting real medical information privacy provisions that will truly protect individuals. Unfortunately, this premature move by the Committee will actually set back the health and medical information privacy rights of all Americans.

JOHN D. DINGELL
HENRY A. WAXMAN
EDWARD J. MARKEY
RICK BOUCHER
EDOLPHUS TOWNS
FRANK PALLONE JR.
SHERROD BROWN
BART GORDON
PETER DEUTSCH
BOBBY L. RUSH
RON KLINK
BART STUPAK
THOMAS C. SAWYER
ALBERT R. WYNN
GENE GREEN
TED STRICKLAND
DIANA DEGETTE
THOMAS M. BARRETT
LOIS CAPPS

Prepared by the Democratic staff of the Commerce Committee
2322 Rayburn House Office Building, Washington, DC 20515