[This Transcript is Unedited]

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

HEARING OF THE
SUBCOMMITTEE ON PRIVACY & CONFIDENTIALITY

"PRIVACY PROTECTIONS FOR MEDICAL RECORDS OF NON-COVERED ENTITIES"

September 14, 2006

Hubert H. Humphrey Building
200 Independence Avenue, S.W.

Washington, DC 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S [2:37 p.m.]

Agenda Item: Introductions and Opening Remarks - Mr. Rothstein

MR. ROTHSTEIN: Good afternoon, my name is Mark Rothstein, I'm the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. The NCVHS is the statutory advisory committee to the Secretary of HHS on health information policy.

On behalf of the subcommittee and its staff I want to welcome you to today's hearing on the implications of extending health information privacy regulations beyond the three classes of covered entities currently subject to the HIPAA privacy rule. I also want to extend our welcome to those of you who are listening on the internet.

We'll begin with introductions of the subcommittee, staff, witnesses, and guests, subcommittee members should disclose if they have any conflicts of interest, others need not do so, I will begin by noting that I have no conflicts of interest.

Marjorie?

MS. GREENBERG: Good afternoon, I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the committee and no conflicts.

MS. HORLICK: Gail Horlick, CDC Atlanta, staff to the subcommittee.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the subcommittee, no conflicts.

MS. BERNSTEIN: Maya Bernstein from the Office of the Assistant Secretary for Planning and Evaluation, I'm lead staff to the subcommittee.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the committee as well as the subcommittee, no conflicts.

MS. MCANDREW: I'm Susan McAndrew, I'm the deputy director for health information privacy in the Office for Civil Rights and I'm privacy liaison to the subcommittee.

MR. FELDMAN: Hi, my name is Paul Feldman with the Health Privacy Project, I'm also the co-chair of the Confidentiality, Security and Privacy Workgroup of the American Health Information Community.

(Introductions around room.)

MR. ROTHSTEIN: Thank you and good afternoon to everyone. Oh yes, we need our witnesses, if you could please introduce yourselves just briefly.

MS. MEYER: I'm Robbie Meyer with the American Council of Life Insurers.

DR. WAKE: Robert Allen Wake, I'm with the State of Maine Bureau of Insurance and I'm here on behalf of the National Association of Insurance Commissioners today.

MR. ROTHSTEIN: Thank you, I'm sorry for that slight oversight.

This afternoon from 4:15 to 4:45 members of the public may testify for up to five minutes on issues relating to the topic of today's hearing or tomorrow's hearing when we'll be discussing privacy issues surrounding employment and schools. There will be no public testimony tomorrow. If you want to testify please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 20 minutes, after both of the witnesses on a panel have testified we should have ample time for questions and discussion. Witnesses may submit additional written testimony to Marietta Squire within two weeks of the hearing. I would ask that witnesses and guests please turn off their cell phones and other electronic devices that could interfere with our hearing.

Now the purpose of our hearing today is to explore one of the recommendations that we made to the Secretary in our June 22nd letter that was part of our report on privacy and confidentiality issues in the Nationwide Health Information Network. Recommendation R-12 reads as follows, HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting including employers, insurers, financial institutions, commercial data providers, application service providers and schools.

In advance of this hearing and to focus our discussion the subcommittee distributed to each of the witnesses a list of three questions which we hope and expect that the witnesses will address in their testimony. For those of you who have not seen the three questions they should be in your material somewhere and for those of you who are listening on the internet the three questions read as follows.

First, what federal and state laws currently regulate the privacy, confidentiality and security of individually identifiable health information used by your organization or those you represent?

Second, if HIPAA were extended or some comparable legislation were enacted to regulate your use of health information what effect do you think the law would have on your operations?

And third, if instead of receiving all of an individual's health records pursuant to an authorization you received only those relevant to your needs how would this affect your operations?

So those are the three questions that I hope our witnesses today and as well tomorrow will address.

And without further, unless there is anyone on the subcommittee or staff who has something to say by way of introduction I would like to welcome our first and only panel this afternoon and I'd like to proceed in the order listed on the agenda and ask that Robbie Meyer go first --

MS. MEYER: We were thinking that Mr. Wake could set the general framework and then I could be specific with respect to life insurance.

MR. ROTHSTEIN: I always defer to my witnesses. Please, Mr. Wake, happy to have you with us, please.

Agenda Item: Panel I - Non-Health Insurers - Dr. Wake

DR. WAKE: Thank you very much, good afternoon, Chairman Rothstein, members of the subcommittee, I'd like to thank you for inviting me to testify this afternoon on privacy protections for medical records of non-health insurers.

I'm Bob Wake, I'm an attorney with the State of Maine Bureau of Insurance and I'm testifying today on behalf of the NAIC, the national organization of chief insurance regulators of the 50 states, the District of Columbia and the territories.

As you know for insurers which are what today's panel is about the state insurance departments are the primary regulators so that's the perspective that I've been asked to provide. My written testimony is focusing on three basic areas, the general federal law framework that sets common minimum privacy standards, the state law framework, and also just an overview of how non-health insurers, that is to say insurers that are not HIPAA covered entities, how they use medical information which is primarily for underwriting claims practices.

So the focus of my testimony is really your question number one. Question number two, extension of HIPAA or other federal legislation, how that would affect us really depends on whether it harmonizes or clashes with the protections that already exist at the state level and our work to refine and improve those.

And in terms of the information we receive I certainly agree, in fact I was just on another panel last week about how the government itself uses sensitive information but it's my understanding that that isn't the focus here and we are not in the practice of obtaining blanket authorizations, we generally as an insurance regulator don't get very much individual medical information except in very limited contexts. When a consumer with an issue related to their own health privacy or their own medical care files a complaint with us we get the information that they volunteer to us and when we do an examination then under strict confidentiality we may find ourselves looking at whatever is in the files of the entities we regulate. So we already get medical information only on a need to know basis so that wouldn't affect our operations nearly as much as it affects the industry where I imagine you will hear that sometimes you don't know what you need until you already see it.

So getting back to the areas in my written testimony, at the federal level it really starts with Gramm-Leach-Bliley. Title V of Gramm-Leach-Bliley was the first comprehensive federal privacy initiative protecting insurance consumers, I guess there have also been some things in Fair Credit Reporting Act that predate that but that doesn't focus nearly as much on health information.

Gramm-Leach-Bliley as you know establishes a comprehensive regulatory framework for the entire financial services industry. As it applies to the insurance industry it builds upon and expressly reaffirms the McCarran-Ferguson Act which establishes the states as the primary regulators of the insurance industry in interstate as well as intrastate commerce.

So Gramm-Leach-Bliley overall replaced the former system of entity based regulation with a functional regulatory approach. What this means is under the former entity based approach each financial institution, which is Gramm-Leach-Bliley's catch all term for all regulated entities in the financial services industry, each financial institution was required to specialize in one sector of the industry under the oversight of a single regulator and there were laws in place to put firewalls between the different sectors, this was the Glass-Steagall law of the Depression era. It was felt that some of the abuses that had led to the crash of '29 could be mitigated by making everyone specialized and having one regulator closely watch them.

It was perceived that in the modern marketplace that didn't work so Congress tried a different approach in the late ‘90s which is functional regulation, entities can operate either directly or through affiliates in multiple sectors of the industry and when they are issuing or selling insurance contracts then we as the functional regulators of the insurance industry oversee those activities. So we've got primary jurisdiction over insurance companies, insurance agencies and other traditional insurance licensees, but we also engage in functional regulation, if for example a bank is selling insurance and conversely if an insurance company has a banking subsidiary that would be regulated by the federal banking regulator.

So Gramm-Leach-Bliley as it applies to privacy, that's Title V. One of the things Congress was looking at and folded into Gramm-Leach-Bliley was establishing national minimum privacy standards for the sensitive information that all financial institutions acquire, so Title V places strict limitations on the disclosure of non-public personal information to non-affiliated third parties and generally with limited exceptions requires the consumer to be given an informed opportunity to opt out of disclosures to non-affiliated third parties.

Title V further requires all financial institutions to send their customers written notices at least annually describing the kinds of non-public personal information they collect, their policies governing disclosure of information to third parties, consumers right to opt out where they have one, there are some situations where Gramm-Leach-Bliley doesn't give them the right to opt out, and then also the measure they take to protect the confidentiality and security of this sensitive information.

Now one issue which I'll be getting back to later with the state framework that comes up with Gramm-Leach-Bliley is that the drafters of Title V were looking at non-public personal financial information. That's sensitive enough but insurance companies collect information that banks and lenders don't need to collect. Many branches of the insurance industry use health information for a number of purposes as Ms. Meyer and I will both be discussing and that means that special protections are required that weren't built into Gramm-Leach-Bliley. So when I get to the story at the state level we'll be going back to the need for extra protection for health information.

As noted in the written statement each functional regulator is given the authority to conduct rulemaking to implement the privacy title and required to establish standards both for consumer privacy and information security. And when the state insurance regulators were confronted with that mandate we added an additional overlay of protection for health information for the reasons discussed. But the core standards that all the functional regulators were required to deal with were more detailed provisions on what has to be in these annual information practice disclosure statements, how the opt out procedure works and the form and contents of these notices of information policies and practices that everyone receives.

State insurance departments are the only state based functional regulators under Gramm-Leach-Bliley and we're in a very unique position as state regulators of a national industry and that's one of the reasons the activities of the NAIC are so important where we can get together, share ideas, and develop a common national framework coming from our perspective as state regulators, and we work closely with the industry and with consumer groups in setting these standards.

And then for health insurers additional federal privacy requirements are imposed under HIPAA. Now as Robbie explained in her testimony even though life insurers are only subject to regulation as HIPAA covered entities, if they write something like a long term care product their acquisition of personal medical information is going to be governed by HIPAA because they get them from patients and from providers. But in terms of who's actually directly regulated by HIPAA that would be by and large the health insurance industry and one of the recurring themes in this afternoon's panel is medical information, its collection and use within the insurance industry, is not limited to health insurers and state regulators and the industry have been well aware of that and have developed a privacy framework for this purpose.

So just briefly going through the framework, the privacy rule was something that was mandated for either Congress or HHS to do back in 1996, since Congress did not act there was springing(?) rulemaking authority which went into place for the Department of Health and Human Services, issued regulations in the last months of the Clinton Administration, instead of rescinding the regulation the Bush Administration chose to work from that as a base and make modifications and this is the HIPAA privacy regulation we're all familiar with now. It protects all, the term of art is individually identifiable health information however transmitted by a covered entity or its business associate, sets a national standard for privacy health information, the extent it's maintained by health plans, health care clearinghouses and regulated health care providers. So again, for the insurance industry that mostly means health insurers.

Now state insurance information privacy protections were not limited to health insurers, they weren't entity based, but before HIPAA and Gramm-Leach-Bliley they did vary widely from state to state and interpretations also varied widely. The NAIC did conduct a comprehensive effort to develop privacy standards in 1980 and revised those in 1982, and about a third of the states enacted the NAIC model privacy act. In particular although the privacy act similar to Gramm-Leach-Bliley allowed most personal information to be disclosed on an opt out basis for marketing purposes health information was among the items that was specifically protected by an opt in standard.

In Maine we were one of the last states to adopt this model regulation, we adopted it in the late 1990s, not long before Gramm-Leach-Bliley, and the reason for this history, it started with a genetic testing bill and the insurance industry said we'll be happy to work with you on privacy standards, there's already a set of national privacy standards that many states have adopted and we're used to operating under that framework, we'll work with you to enact the model act in Maine. I worked on helping draft that and trying to bring the consumer protections up to date in light of 15 years of intervening knowledge.

One thing we did include in that in our version of the bill was a standard that disclosure be limited to the minimum necessary to accomplish a lawful purpose and we were going to, the NAIC at this time was just finishing up the model health privacy regulation, this was started in 1994 when there was no comprehensive health privacy legislation in place but a strong perception at all levels that this was important. Because HIPAA was passed in the middle of the process it ended up being more a guidance document than something that was actually enacted in the states but it was one of the prototypes for HIPAA. It almost got incorporated into the Maine privacy law but the legislature said since this is still a work in progress come back to us if you want to adopt this when the final model has been adopted and instead that was when Gramm-Leach-Bliley and the HIPAA privacy regulations were setting standards so we didn't need it.

So this is where we are, after Gramm-Leach-Bliley the states got together, developed a model privacy regulation implementing Gramm-Leach-Bliley, and as discussed earlier and in the written testimony the biggest difference between that and the federal Gramm-Leach-Bliley implementing regulation is that it contains specific additional protections for health information. Something like this was enacted in every state that didn't have an even stronger privacy statute so this would be about 40 states adopted the Gramm-Leach-Bliley privacy regulation as developed by the NAIC, we've got 18 states, so there's some overlap, that have the 1980 model act and have developed procedures. We had a caucus of the model act states to work on common protocols for harmonizing this with Gramm-Leach-Bliley, so all states have some regulations that meet the standards of Gramm-Leach-Bliley and also provide an additional layer of protection for health information. In addition both HIPAA and Gramm-Leach-Bliley mandate information security regulations.

So that's the basic federal and state framework, I can flesh out more at question time but I'd like to take at least a few minutes to remind people where medical information comes into the process apart from the most obvious place which is health insurance itself which deals with health information all the time 24/7. Other lines of insurance that rely on the insurer's medical condition in various ways are life insurance and annuities and disability and long term care.

The entire life and health insurance hemisphere of the industry relies on medical information in some way. Disability insurance and long term care insurance, the benefits are keyed to a patient's medical condition and in the case of long term care insurance the benefits consist of the delivery of health care. Disability insurance is income replacement so that's a different story. Life insurance and annuities, the benefits are financial and for life insurance the claims trigger is easy to diagnose, it's when the patient is dead, however even there you may have things like preexisting condition exclusions or questions of application fraud where the application history where medical history is still important, you do need to know more than is this person still alive.

And pervasively in all these lines of insurance medical information is crucial to the underwriting process, in other words the evaluation of the risk of is this person insurable, is this person is preferred risk, a standard risk, a substandard risk, how much do we need to charge for this in order to be able to pay benefits. So they need to gather this information, we in the government recognize they need to gather this information, and they recognize that this is very important sensitive information that they need to take care of. So the laws are written in that framework.

But finally one other use of health information that we need to think about is that health information is at the center of the life and health hemisphere of the industry but on the other side, the property casualty industry, insurers also need to deal with health information. You don't need to submit a health questionnaire usually in order to get auto insurance although they might ask about certain conditions that make you a dangerous driver, we need to be careful of that. You don't need to submit medical information for homeowner's insurance but for liability insurance and worker's compensation insurance health information, and very sensitive health information, can be at the heart of the claims process. So just about any insurance company comes across health information at some stage with some of its insureds, they need to recognize the sensitivity, we need to recognize it and we need to plan for it and that is why the states have already developed comprehensive privacy protections with recognition of the fact that the entire insurance industry at some stage or other tends to deal with health information in a way that other financial services entities do not.

Now like other regulators and other industries we're also recognizing that information security protections need to be refined to keep pace with the kinds of risks that have recently arisen and this is something we are very actively considering, like all regulators dealing with issues like security breaches, which is another area we'll need to deal with with privacy protections.

I think that's my allotted time so if it is I'll turn it over to Robbie.

MR. ROTHSTEIN: Well thank you very much and we're going to hold the questions until after both of you have finished. And before I ask Robbie to give her testimony for the record I should mention that I've known her for at least ten or 15 years and she has written a chapter in a book that I published in 2004 but I don't believe that that's going to inhibit me from asking some questions later.

Agenda Item: Panel I - Non-Health Insurers - Ms. Meyer

MS. MEYER: Nice to be here, my name is Robbie Meyer, I'm an attorney for the American Council of Life Insurers and for those of you who aren't familiar with the ACLI, ACLI is a national trade association, at the present time we have 377 members, they account for 91 percent of the industry's total assets so we're essentially the primary association for life insurers in the United States. We very much appreciate the opportunity to appear before you today to talk to you about the ways in which life insurers use medical information and the federal and state laws that Bob has already talked about that provide a very broad, very comprehensive regulatory framework for the way in which we get it, the way in which we keep it and the ways in which we can disclose it.

As Bob also said we have a very long history of dealing with highly sensitive information, the life industry has long supported strict rules with respect to our information practices particularly with respect to medical information. At the same time it's imperative in order for us to serve our customers and to perform basic functions that we be able to obtain this information, use it and disclose it in a limited basis very responsibly in order to conduct very basic legitimate insurance business functions. We have strongly supported almost all the privacy laws that I am going to discuss and that do provide this very comprehensive for our practices in relation to medical information.

As a result of that we believe respectfully that life insurers' use of medical information belonging to consumers is already adequately and comprehensively protected by really the plethora of laws that govern our information practices relating to particularly health information. As I'm going to explain in a few minutes in our view it's very interesting, these laws all kind of fit together. HIPAA governs life insurers' ability to obtain protected health information because the fact is that doctors and hospitals can't release the information to life insurers, disability income or long term care insurers unless their authorization forms are fully compliant with the HIPAA privacy rules.

There are other laws that also govern our ability to get the information but in essence it's the HIPAA rule that governs our ability to get it, then they have a host of all these other laws that some of which also address our ability to get the information but almost all of them then govern our ability to disclose the information, so really what you have is a real fit with respect to life insurers, DI, long term care insurers, which you may not have with respect to other entities. HIPAA to get it, then you have the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the NAIC models that implement the Gramm-Leach-Bliley Act, and a host of disease specific state privacy laws that also govern our ability to disclose it.

Interestingly, and I've not done a side by side along this but if you do take the body of law that regulates life insurers' information practices what you end up with is a framework very similar to that which is set forth in the HIPAA privacy rule. I mean you have some, you have health care ops as opposed to legitimate insurance business functions but essentially the framework is very, very similar.

Our medical information privacy as I said without detailing it reflects the fact that we have a very long history of recognizing that consumers care a great deal about our use of and the way we maintain the security of their health information, just like their financial information, but as Bob said we fully recognize that consumers have particular and understandable concerns that we use their health information responsibly. We have a set of principles that support, that articulate our very strong support for very strict rules with respect to our ability to obtain and responsibly disclose health information on an as needed basis. We also support laws that would prohibit our ability to share medical information for marketing purposes or to an entity that would determine someone's eligibility for credit.

I thought I would start with our uses of the information and then go into the laws that govern those uses, and as Bob said our life insurers' major concern with health insurance is that we need it to be able to fully and fairly underwrite. And it's worth mentioning that medical information, our ability to obtain and use medical information does indeed lie at the core of the risk classification process and that process lies at the core of our ability to make our products widely available at affordable prices.

What I did not address in my written comments, I think this is the only one of the three questions I didn't address, was this idea that we should only be able to get information that's relevant to our needs. And Bob hit the nail on the head, part of our problem is we don't know what we don't know particularly in the underwriting process but also in the claims process until we get the information, medical information as part of an application, we don't know what's totally relevant and then sometimes we need to go back.

We would also be concerned and I think we said this in our voluminous comments in connection with the HIPAA privacy rule, we would be very concerned about another entity, a health care provider, that's not familiar with risk classification determining the minimum necessary or what's relevant. So it would be very difficult to fold into the law limitations on our ability to underwrite based on relevant information or to evaluate claims based on relevant information because you can't anticipate it up front plus the entities that are disclosing and the individual people in those entities understandably don't know what's going to be relevant to risk assessment.

Other uses of medical information by life insurers, as Bob pointed out we do indeed use medical information for a number of legitimate insurance business purposes, notably for claims evaluation and for administration. We also use this information because it's embedded in our policy files in connection with the performance of a number of legitimate business functions, maybe not necessarily related to a particular policy but also imperative to our ability to most effectively and efficiently serve our prospective and our existing customers.

And sometimes, and I go into some detail on this in my written comments, sometimes often companies use either affiliates or non-affiliated third parties to perform these functions for them because they're the best ones to do it, they can do it most efficiently and most effectively, and the benefits of those efficiencies devolve to our customers. So there are other, one basic functions, certainly claims evaluation, certainly policy administration, but also uses and disclosures that devolve from the fact that the medical information understandably is part of the file.

Related to this there are certain disclosures that we have to make, we are required to make certain disclosures to state insurance departments, we as a matter of public policy make disclosures to state guaranty associations that pay claims when an insurer becomes insolvent. We make disclosures to prevent fraud, we make those disclosures to law enforcement agencies, to the medical information bureau. We also make disclosures in connection with mergers, much of this is very similar, I quickly took a look at the definition of health care ops in the HIPAA privacy rule and many of these same things are listed, maybe the words are different, very similar to what's listed in the HIPAA privacy rule. We do when there are mergers and acquisitions of insurance companies, medical information is part of the file so when the file goes over to the new company the medical information is in the file.

Similarly in connection with reinsurance arrangements depending upon the nature of the reinsurance arrangement, re-insurers assume the risk, re-insurers are evaluating underwriting practices, medical information goes to the re-insurer. These are limited disclosures but they are absolutely critical disclosures and I felt I should mention these to you because they do fall within the rubric of ways in which life insurers use this information other than just for underwriting.

Existing privacy laws, Bob has hit on a lot, most of them, in fact almost all of them, but I do look at it from a different perspective as I said before, I think that the body of law applicable to life insurers really fits together. As I said HIPAA governs life insurers' ability to get the information and then there's this plethora of both state and federal laws that govern our ability to use it and then to subsequently disclose it.

I went into some detail in my written piece on the Fair Credit Reporting Act, very complicated body of law particularly as it relates to medical information but very recently amended by the Fair and Accurate Credit Transactions Act, the FACT Act, in 2003, and in those amendments it really did enhance the protections for medical information. And it's a very circular piece of legislation and obligations of entities are very much tied to whether or not the information constitutes a consumer report, the definition of which is three pages, and whether or not entities are consumer reporting agencies. But long story short and pertinent to you all's inquiry this is but another body of law that does indeed govern life insurers', as well as other entities, ability to both get medical information and to share that information.

I think it's also worth noting that the primary reason for the HIPAA, I'm sorry, for the FACT Act amendments to the FCRA with respect to medical information privacy was really to address concern about medical information being used by creditors to make determinations about eligibility for credit, not applicable to insurers but something that I thought was worth noting because I would think that would be a concern, it seems to be a global concern about medical information being used for credit purposes and there's an express provision in there that prohibits creditors from that use.

In making those amendments to the Fair Credit Reporting Act the definitions of medical information and consumer report were significantly broadened to make frankly the definition of medical information very similar to the HIPAA definition, to also include references to information that relates to receipt of medical products and services. And very significantly from our perspective it took into account and exempted from the definition of consumer report disclosures of medical information for insurance purposes.

They also added in the FACT Act to the FCRA a limitation on consumer reporting agencies disclosing consumer reports with medical information to insurers unless there's affirmative consent from the subject of the information, so they require that the consent not just be there but that it be affirmative consent. Also added in language regarding redisclosure of medical information by insurers and by third parties to whom insurers disclose and require that there cannot be such redisclosure unless it's necessary to carry out the purpose for which the information was initially disclosed or otherwise permitted by statute, and again added in that prohibition on creditor's use of medical information for credit purpose.

GLB as Bob said did create this very broad regulatory framework for disclosures by financial institutions to non-affiliates of non-public personal information meaning mainly financial information but as Bob said when the NAIC looked at this, and we worked very closely with the NAIC in the development of this model, the NAIC model included specific and very strict rules with respect to disclosure of health information for purposes, other insurance business purposes, and requires an opt in for that purpose. Of the 40 odd states that have adopted this model 28 of those states have adopted the medical privacy piece, so here again you have very express provisions for get the information from HIPAA and then the health information privacy rules require an opt in for disclosure except for a very express list of business functions.

The GLB also as Bob said imposed on the regulators this obligation to develop standards to also protect the security of customer information, the NAIC also developed the NAIC model safeguards reg to accomplish this, that regulation has been adopted in 36 states. And then in addition to that the NAIC developed as Bob was saying before GLB was enacted the old NAIC model privacy act which provides a very broad regulatory framework governing insurers' ability to obtain, redisclose, grant access and correction rights, a host of obligations applicable to insurers, and that old act has been adopted in 18 states.

So you really do have a host of general laws governing insurers' information practices and then across the country there are a host of other disease specific laws, genetic testing laws, the HIV laws, and there are all those domestic violence laws that require in many cases specific consent to either get the information or to disclose it.

So just to conclude ACLI member companies support strict privacy laws governing our information practices, particularly with respect to medical information, have worked very hard in connection with the enactment of many of these laws. We do respectfully submit that we feel that the body of law created with respect to our practices adequately and in fact comprehensively protects consumer information held by life insurers.

Thank you.

MR. ROTHSTEIN: Thank you very much and now the floor is open for questions, we'll go sort of clockwise beginning with Dr. Tang.

DR. TANG: Thanks. I have a series of questions along one theme because the primary message that you started with and concluded with is that there's a body of law that already protects it and you drew analogy to HIPAA, so I have a number of things that in my mind just not being familiar with that law in your field that apply in HIPAA that I'd appreciate knowing in your field.

So the first one is very simple, HIPAA actually dictates the point size, the font size, of the notice of privacy practices and sort of the content needs to be in plain language in 12 point font to explain what an organization does. I think it's common that we say well in life insurance there's all this fine print and included in that is this MIB. Why wouldn't you do the same thing like put it out in front and let people know about it with the same plain language and readable font?

MS. MEYER: Well indeed the NAIC model GLB privacy regulation, and I haven't gone through it lately but it is very specific about the requirements of our notice of information practices. I don't recall that it requires, provides for a specific font but it does indeed subject us to very definite requirements of providing very clear notice of our information practices to our customers. We've tried to, and financial institutions generally try to maintain some flexibility with respect to the nature of the notices so they can be specific to their particular practices, but indeed we already under the Gramm-Leach-Bliley, the federal law itself, and then under the Gramm-Leach-Bliley insurance regulation adopted in 40 odd states, are required to provide this notice, and indeed we are also required to provide notice under the old privacy act. So the notice is really required across the board --

DR. TANG: My question is very specific --

DR. WAKE: I actually have to say there is a tradeoff because we require certain things to be clear and conspicuous but thinking back on privacy notices I have received from my financial institutions, from my banks and credit card companies, I know that there's no specific requirement that it be in 12 point type, and that would frankly be a lot of paper.

I would say further that I think you were on this group, we had a regulatory industry group trying to post mortem what was actually happening with the Gramm-Leach-Bliley notices and certainly evaluating and encouraging plain language disclosure and frankly we didn't get as far as I and some others might have wished although we made some proposals but I would say a lot of that was because of non-plain language that was dictated by Congress and I would also say I have seen HIPAA notices with the abbreviation PHI in them and I will bet that at most five percent of us patients were able to read past PHI --

MS. MEYER: Also it's been pointed out to me in the rules of construction our notices are required to be designed to call attention to the fact that they are indeed a notice and the specific examples in the rules of construction provide that a licensee, an insurer, designs its notice to call attention to the nature and significance of the information in it, that the licensee uses a plain language heading to call attention to the notice, uses a type face and type size that are easy to read, provides wide margins and ample line spacing, uses bold face or italics for key words, and in a form that combines the licensee's notice with other information uses distinctive type size, style and graphic devices such as shading or sidebars. So I think we're pretty much there.

DR. TANG: Actually my question was very specific, it's the fine print under signature that says you'll disclose it to MIB and I'm sure it's not in 12 point font. But let me move on because that was the simple question.

MS. MEYER: I'm sorry, I thought you were asking about --

DR. WAKE: We do prohibit that part of the notice from being smaller than the rest or hidden away, so if you see these and you think it is deceptive or hidden call your insurance department.

MS. MEYER: But I will say are you drawing a distinction between privacy notices and authorization forms, we were speaking to the required privacy notices --

DR. TANG: And I was referring to --

DR. WAKE: In model act states there would be a disclosure related to the MIB, I'm not sure that in Gramm-Leach-Bliley, in pure Gramm-Leach Bliley states don't have anything in particular that addresses the MIB.

DR. TANG: The second question goes to the MIB and that's the reason why I was interested in explaining MIBs to applicants and that is I don't know that people know that it goes to the MIB, I don't know that people know, I certainly don't, what information is in the MIB, and in HIPAA what happens is we all have guaranteed access to our medical record, do we have guaranteed access to the contents of the MIB on our behalf? And the other thing that would be of interest is the audit of who is looking at our information in the MIB because we have this requirement --

DR. WAKE: So the question is about the law --

MR. ROTHSTEIN: Excuse me, before we get an answer to the question and we're being broadcast on the internet, could you explain what the MIB stands for and exactly what's in there, that might be helpful.

DR. TANG: So all I know is that it stands for medical information bureau and I would like to know --

DR. WAKE: And again Robbie can say more about exactly what the MIB is and does, I know I obtained access to my MIB file because I was curious and at the time there was absolutely zippo in it, it was before I applied for my first life insurance policy. But in states that have, in the 18 states that have the 1980 model act there is a specific right for access to your MIB file, it's my understanding that as a matter of operating policy the MIB discloses its files voluntarily in the other 33 states but I'm not sure.

MS. MEYER: And I certainly am not an expert on the MIB but I can tell you what I know, the medical information, the medical information bureau is set up to detect and prevent fraud. It obtains information from insurers and then codes it, places it into codes and then has very, very elaborate as I understand it, I can get you more details on this, protocols for the manner in which other insurers can access this information, I mean they have to call in with a special code and the ability for outsiders to access this information is extremely limited and is very tightly guarded. And it is also my understanding, and I can check on this, that indeed the fact that this information is going to be disclosed in the ordinary course of business and to the MIB is on application forms that individuals --

DR. TANG: Correct, and that goes back to my point. So again, my line of questioning is comparing it to HIPAA so HIPAA does guarantee to all, not just the model states, and it's a full disclosure and not relying on voluntary disclosure, so that's sort of another comparison. So another principle of HIPAA is the need to know test, the idea that we don't know what we don't know, need to know and asking for everything then, let me guess that in your underwriting process you almost, it's almost formulaic in the sense that you have certain variables you look for that predict the risk of an individual and one could say for the important variables in that formula you could ask for those so that it can feed into your underwriting process versus asking for everything under the you don't know what you don't know kind of theory. So I'm wondering why, wouldn't it make sense --

MS. MEYER: To my knowledge it is not formulaic, now if you buy a certain size policy they do more or less underwriting but there are not certain conditions that they ask about and that they look at. They do need to know what, the whole body of information that may or may not be relevant, at the same time the vast, vast, vast majority, now we're talking about life insurance now, the vast majority of folks who apply for life insurance coverage get it and the vast majority of those get it at standard or better rates. So it is a different situation than where there are availability concerns or used to be perhaps with other forms of coverage.

We don't know, it is not formulaic and also to think that you would have someone in a hospital, a very busy person in a hospital or a doctor's office that's going to make a determination as to what's going to be relevant to an analysis just would not work, first of all they don't have the time or the knowledge or the expertise appropriately to make this analysis. And another relevant point is that not only are we subject to these very strict laws with respect to keeping the information secure, keeping it confidential, but there's another whole host of Unfair Trade Practices Act that govern the way in which we use the information, so if we get irrelevant information and it's not relevant to the risk then it would be an unfair trade practice for us to make an underwriting decision based on that information. So if I seem like I'm definite, this question of the information we can get in order to underwrite really gets to the core of how we do our thing, so it's a real fundamental for our industry.

DR. TANG: So let me look at another perspective, you talked about the re-insurers and others --

MR. ROTHSTEIN: Excuse me, Paul, may I jump in and just follow-up on this point and then you can make the re-insurer issue. I don't want to drop this, this is our question number three and that's could the information be limited. Robbie, I assume you're familiar with tele-underwriting?

MS. MEYER: Not very.

MR. ROTHSTEIN: Well, tele-underwriting has been started by many life insurance companies that found that it was too expensive to actually have a physician or a nurse draw blood, get the medical records, go through it, so voluntarily and as a way of saving money they hired, and I'll spare you the names of the vendors, some third parties, well known sort of lab type companies, that put together a formula of the dozen or 15 major questions that you would want to have from an applicant. Are your parents living, what did they die from, do you have a history of cancer, heart disease, do you smoke, and we can imagine what those questions might be.

And following this computerized script the company calls the applicants and if they get a negative answer on all the questions the policy is issued without any release of medical records. So it seems to me that the industry already voluntarily is adopting the notion that they don't need the whole file, it's a waste of money and time to go through the whole file, and that a discrete expertly selected type of information could be disclosed.

And if I may let me just give you the context for why this hearing is taking place because it relates to this particular point, and I don't speak in this first point necessarily for my colleagues but I'm less concerned about the inappropriate underwriting policies of companies, I don't think people are getting denied coverage when they ought to get coverage and that you're using crazy things to deny them coverage. I'm not concerned that you're taking medical information and selling it and doing all sorts of nefarious things with it and that the confidentiality is breached. What I am concerned about is the following, the game is changing in terms of medical information, as we go to electronic health records the scope, the quantity of information that anybody gets, anybody meaning anyone who can require the execution of an authorization because they want life insurance, they want a job, they want all the things that we're going to look into, so you're going to be able to get much more longitudinal data and the quantity of information is going to increase dramatically, it's not going to be the same medical records that you've gotten before and included in that is a lot of arguably old irrelevant no bearing on mortality risk very sensitive stuff.

And so our committee wants to explore the possibility that there's some way electronically, not that would be imposed on the industry but I mean at least personally in my view that industry leaders, the AIM(?), the NAIC, and computer experts could design, so that you press a button and only that stuff from the medical record electronically gets to the company rather than everything that doesn't have any bearing. So that's sort of the context for question three and it seems to me that at least to some degree the industry is recognizing that they can move to that.

DR. WAKE: And some of this cuts both ways because I have seen a case for example where an insurer obtained very irrelevant, very old and very sensitive medical information and tried to use it to essentially browbeat a claimant into settling on more favorable terms. That insurance company was given a rather stiff fine when that came out so there is the problem of irrelevant information. On the other hand if you ask a provider just release the relevant information that's dangerous at the other end because the provider's overriding duty --

MR. ROTHSTEIN: Well, I understand that --

DR. WAKE: -- is the best interest of the patient.

MR. ROTHSTEIN: If you have a paper record system that is, it's impossible for anybody to decide what's relevant and to filter things in and out. The potential of an electronic system is that you can do that much more easily we think.

DR. WAKE: If a provider who is thinking globally about the best interest of the patient knows which codes are going to be disclosed for purposes adverse to the patient and which codes are not and the provider has a choice, again, if it's an ethical provider as most providers are it's going to be on the gray areas. Some providers frankly, big story in Texas, national litigation, some go beyond the gray areas.

MS. MEYER: And how do you define what is and isn't relevant, I mean that is a major --

MR. ROTHSTEIN: It's being done today.

MS. MEYER: I don't know how many insurers are doing that but the beauty, I like to say this all time --

DR. WAKE: But he is proposing that it can --

MS. MEYER: By virtue of the fact that some companies are doing it, and I'm not saying they won't do it but I think one of the beauties of them are the life market is the fact that everybody does their own thing and what's relevant, what's appropriate underwriting for one company for one type of product is not necessarily going to be relevant --

MR. ROTHSTEIN: I understand your point, if you're talking about a $10,000 dollar policy versus a $10 million dollar policy that's one thing but it strikes me that the position that we need it all because we have to, we don't know what's in there and so on and so forth, personally I would say that's no longer defensible given the magnitude of the information that's going to be in medical records and that the industry needs to endorse these steps that it's already taken voluntarily to see if there is a way that they can get what they need without getting the stuff that they clearly don't need.

DR. WAKE: Actually my instinct is that the stuff that we really need to protect is stuff that's already in traditional paper records, what I could imagine but I'm shooting from the hip so maybe I shouldn't be saying this on the internet, but I could imagine having several specific CPT codes where there is a presumption, have the computer search for these codes, flag them, and say don't disclose them if they are more than X years old without a specific showing of the need to know. I'm not sure you can go much further than that but maybe the medical community and the consumer community and the insurance community working together could go further than that.

MR. ROTHSTEIN: And one of the things that we've recommended, and I'll just finish up on this because other people have questions but I wanted to follow-up on this point, I think this is a fertile area for research and for public and private research to see if accurate medical underwriting can be done under sort of different, based on different assumptions and so on. No one wants to make sort of guesses to who to cover and how much to charge them or anything but my concern is not to have too much disclosed. Not that you're going to redisclose it necessarily or whatever but there's certain information that shouldn't be disclosed to anyone. Paul --

DR. TANG: It's still on the minimum necessary again, trying to apply what we do as clinicians, and so you mentioned reinsurance as one example where you have to share all the personal files. I would guess that just for, a re-insurer would want to know what is my risk in re-insuring, being a re-insurer for your company or someone merging with you needs to know your total risk so I know my financial liability. It seems to me that you would only need aggregate data to make that decision versus all the individual files and perhaps you can help illuminate that.

MS. MEYER: Well, I am out of my depth on reinsurance, and I don't know Bob if you're an expert, but it depends on the nature of the arrangement and there are different types of arrangements, where they get aggregate information, where they do individual underwriting, but there are, as I understand it there are certain situations where they do do actual individual underwriting or they go in and make sure that the primary carrier, the carrier, the direct carrier, they go in and they check to see if they're underwriting pursuant to the re-insurer's guidelines, so they check the files so they go in and they see the actual files. On a merger and acquisition then the file is just moved to the new company so the information, by virtue of the fact that the information is in the file it moves, the whole file moves --

DR. WAKE: It is different though, if you've got a consummated merger and acquisition obviously new company needs and will have all the records of old company, that's no-brainer, the question is if you're doing due diligence for a potential or in progress merger and acquisition and frankly in that case I would want to drill down and closely audit a representative sample of actual claim files. You might also need that for similar reasons for a high stakes reinsurance transaction with, especially with a new partner, and sometimes for a facultative reinsurance contract, that is to say one that focuses on a single account, you want to know something about that account. So there are situations where you'd want to know more than aggregate, essentially you're saying you want to know what the risk is, well, if you want to know what the risk is that means you want to know what the primary company knows. Sometimes that's just a high level summary but sometimes you need to drill down in order to know how well you trust these numbers and I have seen looking at insolvencies what happens when you don't.

MS. MEYER: And one point to be aware too, re-insurers are insurers so they're subject to this whole body of privacy laws just like other insurers are, so we said re-insurance arrangements but they are insurers subject to all of the privacy laws --

DR. WAKE: That is very important and in fact if you look at the business associate concept in HIPAA I don't know what other sources it may have come from but I know that we developed something similar to an ancestor of the business associate concept while we were working on the privacy regulations and while we were working on the domestic violence victims protection regulations, the idea that here is some sensitive information, if you're letting it out of the bottle you want to build a bigger bottle around it that it stays within.

DR. TANG: Thank you for your indulgence, I just want to observe that based on just this series of questions I don't think the uniformity guarantees that we have in HIPAA apply to health information is very similar to what you have in your industry just based on this but certainly open to further information.

MR. ROTHSTEIN: Okay, Harry?

MR. REYNOLDS: A couple things, one, thank you very much, you obviously know your subject very well. So now I'm going to ask you to step over here with us because I think you did a great job from where you sit, step over with us and step over with us talking to the general consumers. So as I try to look at the HIPAA privacy, and I'll read a statement out of a letter we're working on right now that we discussed yesterday, support a public awareness campaign that educates the public, that a Nationwide Health Information Network is ta da ta da ta da ta da. Obviously we've all seen the HIPAA privacy rule in action in real offices and in real situations and people don't get it. So as we're trying to roll out, and I think Mark hit on it well and Paul did too so I'm playing, I'm not asking a lot of my initial questions because they kind of covered them.

So we're talking to consumers and that same person deals with everything that you're dealing with, that we've all talked about, so how does that person, how do we reconcile with that person that some of their medical information going here they're covered under this, and some of their medical information going over there they're covered under these other laws, I mean how do we actually, let's talk to the real person.

MS. MEYER: I think one thing to be aware of is that we're not like other entities, we get it coming and going on these laws, as Bob pointed out in all 50 states they have either enacted the old NAIC model privacy act or the new Gramm-Leach-Bliley Act, so insurers --

DR. WAKE: -- post Gramm-Leach-Bliley everything is opt in --

MS. MEYER: And everything is opt in and so we're not like these entities that are not subject to any privacy laws, our ability to govern, to get the information is largely governed by HIPAA but it's also governed by the old NAIC model privacy act, it's governed by the Fair Credit Reporting Act, and then once we got it we are required by Gramm-Leach-Bliley itself to keep it secure, we are subject to the Gramm-Leach-Bliley state laws with respect to our disclosure of the information and can only disclose it with an opt in --

MR. REYNOLDS: Let me stop you right there for a second, I heard all that the first time and I'm not saying that in any negative way, you are very convincing of what you do, I asked you to step over with us for a minute, so we're talking to the consumer, the consumer when they go into a medical situation with their medical information right now is only aware of HIPAA and so my base question is why not. If you're already covered by this other stuff and you already got all this other stuff going on then what are the pieces that really, really get you fired up about not being a part of HIPAA. Because what's interesting is I joined this committee three years ago and my very first session which I wasn't actually going to be on this committee was the banks sitting exactly where you are saying exactly the same thing, yet right now they clear an awful lot of financial transactions, the HIPAA 835 which contains the whole claim itself and everything else. We're getting into an electronic world where this stuff is moving around and what used to be isn't the same. So answer my question from the view of the general public sitting at another table listening to us --

MS. MEYER: I guess from my perspective if HIPAA were to be extended, and I assume you mean the privacy rule as opposed to HIPAA itself, it would impose on life insurers but another regulatory framework for our ability to serve our customers and we already have all these laws out there. The HIPAA rule, and I'm not an expert on the HIPAA rule but I did take a quick look at the laws, the provisions in the privacy rule that govern its interface with the state laws and to me it looks like it's not, the HIPAA rule is not clearly preemptive and stricter state laws are preserved.

So from my perspective what will happen is we get a new law, probably same preemption provisions, and what's going to happen is that it is going to undermine the efficiency with which we serve our customers and of course that makes it more expensive sometimes. It also if you're going to have duplicative and different notices it's confusing to consumers, and in our case if we don't keep our customers' information secure, even if you don't think we're nice businesses, people won't come back to us, it's in our self interest as insurers to make sure that our customers feel comfortable with this information and that we protect it, it's the duplication that I think will be a major problem.

DR. WAKE: I guess from my side one thing I would say to Robbie is maybe it's not the end of the world, we should look at it and see what the real life ramifications are but duplicative notices are a major issue, I remember working very hard when Gramm-Leach-Bliley was enacted to try to develop a single notice or try to encourage insurers to have a single notice that could meet the requirements of the 1980 model act and Gramm-Leach-Bliley for use in model act states. Some of them liked that approach, some of them preferred sending different notices. With HIPAA you've got a third notice. There really are things that insurers need to send out, there are things insurers have to tell people that aren't in the HIPAA notice, so you can't just come back and say well send the HIPAA notice instead of the state law or Gramm-Leach-Bliley --

MR. REYNOLDS: Every covered entity right now that is a health insurance company has the exact same issue that you two are explaining, I understand that, trust me --

[Simultaneous comments.]

MR. REYNOLDS: My point is, I'm making a point that as we're trying to deal as we are going to be moving from a paper based, and Mark made the point and others, from a paper based world that has its limitations as to what can move, where it can move and how it can move, and that is much more to a significantly more automated environment the ability to try to help the base person understand what's happening to them is important.

And the other thing I would say is and I found interesting, Robbie, in your reading of the document that was brought over to you, the plain language heading, I could have gotten real excited if it would have said a plain language document but I thought that was an interesting twist of a statement, because one of the things we put in this letter is this stuff needs to be clear to people, what they're actually doing. One other question, that was more of a statement, excuse me that was more of a reading back of your statement --

DR. WAKE: But just compare plain language headings with some of the headings that you have all seen in notices, it's progress, incremental but it's progress.

MR. REYNOLDS: One last thing is on the business associates, and you had, Bob, you just had a little discussion on that, so kind of quickly what is really the chain that is set up in these other laws, and I'm a little bit familiar with Gramm-Leach-Bliley, but within these other laws that is comparable to the business associate chain that is under HIPAA which those of us who are working on the privacy law still don't think that the business associate chain necessarily goes as far, and as again we move into this new world where you're sitting there representing the life insurance company but all of a sudden somebody goes to a website or somebody goes to a vendor that you've hired or something else and now that data is moving around. So I did not, if you could just help me quickly with the chain that will be my last question.

MS. MEYER: I apologize, I didn't have time to reread the HIPAA rules so I've forgotten all the details with respect to business associates but in our world, and I think you're talking about our disclosures to entities with which we do business who operate for us, and then their redisclosure of --

MR. REYNOLDS: And what is their responsibility and who governs their responsibility.

MS. MEYER: Those entities are, when an insurer rediscloses under Gramm-Leach-Bliley itself and then under the state GLB confidentiality rules, those entities are subject to the same limits that the insurer is subject to. As far as enforcing their compliance the insurer is obligated to make sure that the entities to which it discloses or rediscloses comply with the requirements of Gramm-Leach-Bliley. And as I also said the federal Fair Credit Reporting Act was just amended to also impose these obligations and limitations on redisclosures by insurers and by third parties that insurers disclose to and in those cases they can only, there can only be redisclosure for the purpose for which the information was originally disclosed --

MR. REYNOLDS: It's a bit of a mirror --

DR. WAKE: I would have to look it up, my recollection is there isn't as much detail about the specific concept, content of a business associate agreement and the term business associate isn't used but for these types of disclosures there is a requirement that the licensee have an agreement not to redisclose of some sort in place.

On this plain language header the language before, the plain language header is one of the requirements for attention getting, the text itself should be presented in clear concise sentences, short explanatory sentences, definite concrete everyday words and active voice, avoids explanations that are imprecise, avoids legal and highly technical business terminology whenever possible. So there is a plain language text requirement also.

MR. ROTHSTEIN: If I may, John, I want to follow-up Harry's question on the business associate. It's been one of our disappointments with the privacy rule I think it's fair to say, with the business associate agreements and the way they have or haven't worked under certain circumstances and it's one of the things that we've been looking into for several years. So my question is this, and I thought for sure that Harry was going to ask this, so you decide that, you're an insurance company as opposed to an organization, that it's cheaper to do your medical underwriting overseas and so now you sign a contract with some overseas vendor who may have subcontracts with all sorts of other people and you just zip them the APS and the records and as I hear you saying your obligations are sort of comparable to HIPAA but some of us don't necessarily think that those are adequate in terms of the responsibility that's placed on the initial recipient, the insurance company, to guarantee that confidentiality --

DR. WAKE: I'm going to break in and say as a regulator I dropped the ball on that because I was part of, I think lots of us dropped the ball on that but I know I was one of them and I'll tell you why. I was part of an NAIC group that before Gramm-Leach-Bliley, before HIPAA, did a lot of work and Robbie was in this on how to deal with sensitive information being disclosed by regulated entities to unregulated entities, and we worked through and maybe HIPAA even used our work, I don't know, but we worked through the concept that first of all we can nail the insurer as a violation if they disclose the information negligently without having these safeguards in place and part of the safeguard should be that the consumer as third party beneficiary should have a right of action but where we drop the ball, where HHS dropped the ball, and you're HHS, I'm sorry, what we all didn't anticipate is that in the 21st century that private right of action was going to be useless because the editing was going to be in the third world.

MS. MEYER: But let me say this, we do have the NAIC GLB safeguards reg that reflects Gramm-Leach-Bliley itself, Gramm-Leach-Bliley says that all financial institutions have this continuing, affirmative and continuing obligation to protect the security of their customers' information. So then the NAIC developed its safeguards regulation and companies are required to have these security programs, they have to be written, they have to be comprehensive, they have to be designed to protect against unauthorized access to and use of information, and by way of example it says what companies are required, what insurers should do is exercise appropriate due diligence in selecting their service providers regardless of where they are and should require its service to implement appropriate measures designed to meet the objectives of this regulation which is to ensure the security of the information and where indicated by the insurer's risk assessment take appropriate steps to confirm that its service providers have satisfied these obligations. So it doesn't matter where in the world the service provider is the insurer, the buck stops with the insurer provider to which it discloses the information, the insurer has the obligation to maintain the security of the information in these world wide sourcing arrangements.

DR. WAKE: And I would agree with Robbie there, I don't think that's the whole story, I think as with the ChoicePoint debacle, that these overseas disclosures are a specific problem that we need to think about specific better solutions for but I agree with Robbie that in the interim, maybe my mea culpa was a little bit overstated because, well, I feel badly about the fact that it would have been possible for somebody to be burned once on some of this perhaps without any negligence, but once we know it's happened due diligence means that there is a duty on the insurer or other regulated entity to make damn sure it doesn't happen twice.

MR. ROTHSTEIN: Thank you. John and then Maya.

MR. HOUSTON: I'm going to make a couple statements, I don't even know if I have a question at this point in time. I mean I think it's pretty obvious to me that there's a lot of regulation that's already inherent to the industry and also at the same time when somebody decides they're going to get life insurance or other types of insurance they're making the conscious decision to do so and are signing an authorization, and I guess their recourse is always that they don't need to get that insurance, they may desire to get the insurance, they could go to a different plan or they could look for somebody who has different requirements to what the information that will be disclosed, but regardless as I said in my opening comment there's already a good bit of regulation that exists and I guess I question whether anything else is required and trying to cause somebody to abide by a more rigorous standard, or a different standard, achieves anything. Again, I can decide never to get insurance because I don't want to give my information --

DR. WAKE: Well that ties into the earlier questions, more rigorous, different, and on the one hand as I said don't automatically assume it's the end of the world, maybe aside from the efficiency of notice issue which is already a problem, we all know notices are a problem, under all the various frameworks. We can learn from experience, everybody can do it better and we should try to do it once. But the substantive privacy, maybe HIPAA is just telling you to do what you're already doing and if it is --

MR. HOUSTON: I still think there's a regulatory, it sounds like there's a regulatory framework and process in place in order to improve notice, that's one thing, and I think the other thing that I believe came out in this testimony is that if you guys are all a bunch of bad people, people are going to find other organizations to go to who are more consumer friendly, so I guess I don't have a question other than just having made that comment.

MS. BERNSTEIN: If they're all bad there's no place to go.

MR. ROTHSTEIN: Maya?

MS. BERNSTEIN: Two things, I guess as you guys were talking I was thinking about all these different, it seems like a patchwork of different laws which on the whole somehow cover everybody, but in another life I worked on some other newly formed state law in another area and I was kind of wondering in this case what are the impediments to getting more uniformity in the more recent versions of the NAIC models or the 1980 model I guess is, there are more modern versions that have stronger privacy protections in place --

DR. WAKE: Biggest impediment is that the 1980 model has stronger privacy protections than Gramm-Leach-Bliley on the whole.

MS. MEYER: So when we went, and we fought all over the country, worked with the NAIC to get the new model adopted across the country and it has been widely adopted but not in every state with the health provisions but every state either has the old model or this new model and the problem was just as Bob said, the states that have the old model is much more comprehensive and so they didn't want to give it up, in some cases we tried to mesh it. I mean what you have, the real answer is, Maya, is you have 50 different state legislatures, that's both the beauty and the problem of the system and we I think, one point that I neglected to make is we support state regulation of our privacy practices at this point and indeed the one problem with the HIPAA privacy rule appropriately was crafted taking into account the needs of health care providers and health insurers and so appropriately didn't take into consideration the needs of life insurers and the uniqueness of their business practices. The technical point is not even worth mentioning.

MS. BERNSTEIN: The other thing I wanted to comment on was a couple of times, Ms. Meyer, you were saying that losses that we can't redisclose, unless it's for the, I don't remember the exact language but the related compatible purpose for why the information was collected unless permitted by law. But every time, in my view as a privacy person every time you add the phrase unless permitted by law well anything that's not prohibited by law is pretty much permitted by law, so unless not permitted, if it's otherwise permitted by law doesn't get you anything and that's sort of anything we haven't thought of we can do.

MS. MEYER: You're absolutely right however the relevant laws are very specific, I mean it all kind of circles back to one of the Gramm-Leach-Bliley statutes or the privacy act. I hear you but it's not as open ended and actually Gramm-Leach-Bliley as I recall was more, you were thinking of the language that I read from the Fair Credit Reporting Act, the Gramm-Leach-Bliley language is even more limited in that respect.

DR. WAKE: Generally when you have a catch all exclusion, I mean a catch all exception for as permitted by law at least when I'm involved in drafting it I try to make sure it's as otherwise expressly permitted by law and on disclosures we have had some problems with Gramm-Leach-Bliley notices saying or is permitted by law when they bury some things that consumers would really want to know and I have tried to assist in developing model disclosures that make sure that things that get buried under this catch all exception are things like in response to a subpoena or for what are clearly internal operating purposes or things that don't wave any red flags, in the 35 states that permit disclosure over the consumer's objections under joint marketing agreements I would like the notice to say that. Under the 1980 model act except in the few states that modified it to harmonize it with Gramm-Leach-Bliley that is not a permitted exception to opt out but it's something the consumer should know about.

MS. BERNSTEIN: I just want to make one other quick point to some of the things that Paul and Harry were getting at with respect to notices, some of you may be aware that the Federal Trade Commission is doing some very significant work on Gramm-Leach-Bliley notices, the format, the language, just the presentation of them to the consumer and maybe it's something that might be applicable to other privacy notices, HIPAA notices, other sorts of notices, and it may be something that this subcommittee wants to look at at some point.

MS. MCANDREW: I want to thank you both for your testimony and I think the questioning from the panel so far has taken care of most of my questions with my policy, HIPAA policy hat on, but putting on my enforcement hat if you could just spend a minute or two to outline what the enforcement mechanisms are that would apply to adherence to these privacy protections under your scheme, I assume it's the state insurance commission that would be the enforcer, what is the penalty, what kinds of enforcement mechanisms are in existence and if there's any kind of track record in terms of looking into and taking action based on privacy concerns.

DR. WAKE: Well I did mention one case although that was brought under a different statute that resulted in a significant fine which the insurer appealed to the law court and the consumer, the administrative agency won. In general the enforcement remedies are fines, cease and desist orders, the possibility of suspending or revoking the license, and if there has been money damage, damages and restitution to the affected consumer. Our version of the, I can't remember whether there is a private right of action here but let me just --

MS. MEYER: Of the confidentiality reg?

DR. WAKE: No, of the 1980 model act, yes, the 1980 model act section 20 also provides a private right of action in addition to the regulatory enforcement provisions. So in a nutshell that's the enforcement scheme on paper, I will say in Maine we have never taken a formal enforcement action, we've worked consensually through the complaint process, we haven't encountered any major violations except the shakedown issues when the notice requirement first came where the remedy was getting them to fix their notice and talk to the consumer and make things clearer.

MR. ROTHSTEIN: Any other questions? Well I want to thank you both very much for coming today and sharing your expertise with us, as you can see we are just beginning the process of trying to figure out how we can both protect the privacy of this greater universe of information without unduly disrupting the entities that have a legitimate need to access information.

I assume we have no public testimony and therefore tomorrow at 9:00 we will resume the hearing and we'll hear from representatives of employers and schools. So thank you, the hearing is adjourned.

[Whereupon, at 4:20 p.m. the hearing was adjourned.]