This web site was copied prior to January 20, 2005. It is now a Federal record managed by the National Archives and Records Administration.


U.S. House of Representatives,
Committee on Banking and Financial Services,
Washington, DC.

    The committee met, pursuant to call, at 10:05 a.m., in room 2128, Rayburn House Office Building, Hon. James A. Leach, [chairman of the committee], presiding.

    Present: Chairman Leach; Representatives Roukema, Bereuter, Lucas, Barr, Kelly, Ryun, Biggert, Terry, Green, LaFalce, C. Maloney of New York, Gutierrez, Ackerman, Bentsen, J. Maloney of Connecticut, Hooley, Carson, Lee, Inslee, Schakowsky, Moore, Gonzalez, Jones and Capuano.

    Chairman LEACH. The hearing will come to order.

    The committee meets today to hear testimony on H.R. 4585, the Medical Financial Privacy Protection Act, and other measures in this arena which are designed to protect the most sensitive information about an individual that is held by a financial firm.

    Before summarizing this proposal, let me review the legislative background of the issue.

    Last year, in consideration of H.R. 10, the Financial Services Modernization Act, this committee for the first time in the long history of bank reform legislation approved a privacy package. In addition to erecting privacy shields for American financial services customers, including a ban on the transfer of information to third-party telemarketers and a clampdown on identity theft, the bill that left this committee contained a provision that would have walled off the medical records held by an insurance company from other affiliates of a financial services holding company, as well as non-affiliated third parties.

    H.R. 10 passed the House with the strongest privacy protections ever incorporated into banking law, importantly including the medical privacy provisions that originated in our committee. Later, however, at the request of the Administration and the insistence of the Minority party on the floor that the issue be addressed through Executive action rather than legislation, the medical privacy provisions were dropped from the final version of the bill.

    Now it appears a consensus is developing among the interested parties in the Government on the desirability of moving forward with a legislative approach to medical privacy. In this regard, the language of H.R. 4585 is consistent with the medical privacy recommendations forwarded to Congress by the Treasury Department six weeks ago and responds to the concerns outlined by the President in his April 30 speech at the Eastern Michigan University in Ypsilanti. And in an important disclosure area that deals with information concerning mental health or conditions, H.R. 4585 goes beyond the Administration's recommendations.

    The legislation is also consistent with the industry accord announced last week. The industry is to be complimented for agreeing to voluntarily provide a credible degree of privacy protection of the medical records of their customers. Some would even contend that, because of this voluntary agreement and because of the industry's general record of safeguarding medical records, any legislation represents a solution seeking a problem.

    Yet the background of legislative concern in this area relates less to any history of past industry abuse or of new financial industry organization, but rather to the implications of modern information technology as it relates to the new genetic sciences. So much more can now be known about and predicted about individuals based upon medical testing that it is important to put common sense restraints in place before temptingly improper industrial practices begin.

    The major provisions of the bill, H.R. 4585, which is the principal subject matter of the hearing are as follows:

    Financial institutions will be required to obtain customer's consent, or opt-in, before disclosing individually identifiable health information to an affiliate or non-affiliated third party.

    A financial institution will be prohibited from obtaining or using individually identifiable health information in deciding whether to issue credit, unless the prospective borrower expressly consents.

    Information relating to mental health or mental condition will be singled out for particular protection with separate and specific customer consent required to disclose such information and special policies developed by regulators to protect its confidentiality.

    Consumers will be given the right to inspect, copy and correct individually identifiable health information that is under the control of a financial institution.

    Strict limitation will be placed on the redisclosure and reuse of individually identifiable health information legitimately obtained by a financial institution.

    And nothing will be done to modify, limit or supersede medical privacy standards promulgated by the Secretary of Health and Human Services pursuant to authority granted under the Health Insurance Portability and Accountability Act.

    The approach contemplated in H.R. 4585 is designed to augment the privacy provisions of the financial modernization bill passed last year. Rules to implement those privacy protections are in the process of being implemented by the Executive Branch, and I believe I can speak for all Members of the committee in encouraging that regulators should move expeditiously so all Americans can be more secure in the privacy of their financial information.

    Before hearing today from the Administration, Government officials, industry representatives and privacy groups on their perspectives, let me ask Mr. LaFalce if he has any opening comments.

    Mr. LAFALCE. Mr. Chairman, I do. The difficulty is I think we have about five minutes left to vote, and I don't know if I would be able to get my five minutes in.

    Chairman LEACH. The gentleman is correct. We have a little more than that, but I think that if he doesn't want to be interrupted it would be better to move to the vote. I think that is very appropriate.

    Let me say we have a very, very long set of panels, and we have votes expected on the floor actively today, and so it will be my intent to limit opening statements for five or six or seven more minutes and then turn immediately to our first witness.

    The hearing then will be in recess pending the vote.


    Chairman LEACH. The hearing will reconvene, and Mr. LaFalce is recognized.

    Mr. LAFALCE. I thank the Chairman.

    This morning's hearing continues our committee's work on financial privacy which we began two years ago when Chairman Leach introduced legislation, which I co-sponsored, to prohibit pretext calling and other privacy abuses and I introduced a related bill to impose obligations on financial institutions to protect the confidentiality of customer information. I am very pleased to say that both proposals were enacted into law as part of last year's financial modernization legislation in much the same form as they were originally introduced.

    This year, I introduced H.R. 4380, a comprehensive proposal developed in concert with the Administration to address financial privacy broadly. I think it is an excellent bill. H.R. 4584, which the Chairman has introduced, addresses one of the issues dealt with in H.R. 4380, medical privacy, by restricting the use and disclosure of financial institutions of personally identifiable health and medical information. This is an issue not included in the legislation adopted last year, and not adequately addressed in pending HHS privacy regulations.

    Both H.R. 4380 and H.R. 4585 reflect the growing bipartisan recognition that the privacy protections adopted last year do not go far enough in assuring that sensitive personal information will be protected by financial institutions and that additional protections must be enacted.

    The issue of medical financial privacy eluded us last year. Our committee did adopt a narrow provision to restrict the use of health information in connection with credit decisions. That was replaced by a broader bipartisan financial privacy proposal on the House floor.

    The Commerce Committee had a proposal that would restrict the disclosure of health-related information by insurance companies. It was referred to as the Ganske Provision. And that was omitted in conference in response to strong bipartisan concerns that it might preempt pending HHS privacy regulations, preempt stronger State medical privacy laws, and permit widespread sharing of sensitive health data under broad exceptions for many different things. So all the major medical and hospital associations, all the patient and consumer groups and privacy advocates agreed that the Ganske language at that time created greater potential privacy problems than it resolved. And so both H.R. 4585 and H.R. 4380 have meritorious proposals on medical privacy.

    In many respects, H.R. 4585 is comparable to the medical privacy provisions of H.R. 4380; in some respects, it does differ. And some of those respects where it differs I have some difficulties, but I am sure those difficulties can be worked out in probably a manager's amendment.

    But the primary limitation of H.R. 4585 is not what it does. It is rather what it doesn't do. It applies only to medical and health information, which we must do and is extremely important. But the higher standard of protection for the sharing of consumer profiles and lists should apply to all sensitive health and financial information, and the new protections for consumer access and correction should apply to all sensitive financial information, and the stronger standards for reuse and redisclosure of information should apply to all sensitive financial information and not just health or medical information.

    So, in short, I think H.R. 4585 is a very good effort, but I also think we need to do more. If consumers do not want their financial account information shared with affiliated companies without their knowledge, we need to do more. If consumers object to having their spending habits and product preferences—referred to as ''profiling''—if they don't want these habits and preferences monitored and sold or shared for marketing purposes, we need to do more. If consumers don't want health and insurance information taken into consideration for investment or employment decisions, we need to do more. And if American consumers want to have the same privacy rights being given to European customers of United States institutions, we need to do more. And if consumers want the right to determine if their financial records are accurate and up-to-date, we need to do more.

    So I urge today's witnesses not to confine themselves solely to the topic of the very important and necessary need of medical privacy legislation that is before us, but I personally would welcome any comments on the broader aspects of the Administration's privacy proposals either as contained in H.R. 4380 or any other proposals that are needed to assure the strongest possible privacy protections for American consumers.

    I want to especially thank the Chairman for accommodating my request for witnesses for today's hearing, all of whom will be on Panel IV, and I join with the Chairman in welcoming all of today's witnesses. I thank the Chair.

    Chairman LEACH. Thank you, John.

    What I would like to do in limiting opening statements is limit it to the Chairman and Ranking Member of the subcommittee of jurisdictions.

    Mrs. ROUKEMA. I thank you, Mr. Chairman. I will be brief and have the full text of my opening statement in the record.

    I would just make a couple of observations here. As you know, we in the subcommittee held hearings last year on these subjects, including not only financial, but also medical privacy; and, as you have already noted, we have to go farther than what was in the Gramm-Leach-Bliley bill; and that is quite appropriate.

    I want to endorse everything you have previously stated on that subject. Clearly, today we are opening up the door and continuing what we did in the subcommittee with respect to exploring medical privacy, and really the financial and medical privacy are interrelated, and we have to come to terms with them. Of course, we don't have the rules and the regulations yet evaluated. It is too early for that. But we hopefully will begin to evaluate those regulatory rules by this July, or certainly September.

    I am questioning, however, what the status is and the scope of the medical privacy standards that were being developed or should be developed by HHS under the Health Insurance Portability and Accountability Act. I don't think that they have been clearly enunciated. I think you made reference to that. Perhaps we will find out something more today. If not today, then I certainly would expect to make a formal inquiry with them for a complete report.

    In addition, Mr. Chairman, I also want to say, although we do have the American Psychiatric Association here today and at least one other group that is directly involved—that are direct health-related organizations, I do plan to inquire with at least the American Medical Association, the Health Care Leadership Council, and the National Alliance for the Mentally Ill and other medical groups, because I think it is absolutely appropriate for us to have those who deal on a daily basis with medical issues in the immediate world with patients to have more input into our deliberations here. So I will be making those inquiries, and we can discuss it another time whether or not it will be appropriate to make that a formal part of our report.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mrs. Roukema.

    Mr. Gensler, please.


    Mr. GENSLER. Thank you, Mr. Chairman, Ranking Member LaFalce, Members of the committee. Thank you for having me here to talk about this critical issue of privacy.

    I am also honored to have with me my second daughter. Lee Gensler is right behind me. I know that Congressman Capuano last week, when I did this with my other daughter, thought it might be bordering on, as he said, ''child abuse,'' but, believe it or not, my second daughter also wanted to come and see how Congress works.

    Chairman LEACH. On behalf of the committee, we give a special welcome to Ms. Lee Gensler.

    Ms. Gensler, if you would like to sit next to your father, you would be welcome so to do. If you are like my family, we know that the rule is in inverse proportion to age. Please, Ms. Gensler.

    Mr. GENSLER. She thanks you.

    I am pleased to have the opportunity to talk about the Chairman's bill, H.R. 4585, and privacy in general. My written testimony that I hope to submit for the record, but let me just summarize—does address four areas: first, the need for privacy protections in the financial area; second, last year's advances in the Financial Modernization Act; thirdly, the President's comprehensive Consumer Financial Privacy Act initiative; and then, fourthly, medical privacy.

    If I may just summarize briefly.

    Many Americans increasingly feel their privacy threatened by those with whom they do business, particularly when it comes to privacy around their financial information. We are in the midst of extraordinary changes in the financial industry. These changes are brought about, we think, in three ways: first, integration and consolidation, in part brought on by the Gramm-Leach-Bliley Act, but largely brought on by consumers and markets; second, advances in technology—clear and dramatic changes in technology; and, thirdly, the explosion of the use of electronic payments and electronic receipts—where transactions can be measured and recorded.

    Last year's efforts were very significant, and we believe the Congress and the Administration worked together in a bipartisan way to move privacy protections forward in a constructive way around notice and choice, around third-party sharing, and about important protections beyond that. The Administration believes, however, that much more can be done and should be done to protect financial consumer privacy.

    To that end, the President announced an important new legislative proposal in late April to provide Americans more fully with an effective financial privacy act. That legislation now before Congress is H.R. 4380, the Consumer Financial Privacy Act, and is a balanced, comprehensive approach to financial privacy, providing important new rights and protections while addressing some of the shortcomings in last year's bill.

    A central Administration principle is that the greater the sensitivity of the data and the possible harm from misuse, the greater should be the level of privacy protection; and the Chairman, I think, recognizes that with regard to the medical area. The Administration's proposals, therefore, call for the strongest protections in two highly sensitive areas: first, the sharing of medical information, as, again, the Chairman's bill also recognizes; and, second, the use of detailed personal spending habits information about an individual consumer—the entire list of all of our spending, where we spend our money, how we spend our money, a whole portrait of an individual.

    For other financial information, however, the Administration's proposal would give consumers the opportunity only to opt-out: the first two opt-in, but other areas just opt-out before a financial services firm can share that information for marketing purposes. This would, in essence, extend the protections of last year's bill to affiliate sharing.

    But, importantly, the Administration recognizes that there is a bulk of information sharing, a shared type of information sharing, if I might call it that, that provides for consumers to understand that sharing, but not have a choice to opt-out; and that is for risk management, that is for fraud, that is for law enforcement, many of the provisions this Congress wrestled with last year. The Administration suggests adding one very important component to that—that would help consumers and help the economy—which is related to consolidated statements and consolidated call-in centers to facilitate, again, the consumers.

    We are pleased so many Members of Congress have supported this approach. We especially thank Ranking Member LaFalce, who sponsored this approach, and led this with many Members of this committee.

    Let me now just turn to, more specifically, to medical privacy. We are deeply committed to providing consumers control and rigorous safeguards with regard to medical privacy. Under the terms of the HIPAA law, which was passed by Congress in 1996, and the rules under them, privacy protections apply to covered entities, and I think that this was one of the questions raised earlier. Covered entities are only health providers, health plans, and health clearinghouses so, thus, includes health insurers. They do not cover life insurers, do not cover property and casualty insurers, do not cover auto insurers and many disability insurance programs, all of which, I would say, are now financial institutions and defined as such under the Financial Modernization Act of last year.

    The proposals offered last year addressed some of the issues, but could have seriously undermined the crucial medical privacy initiatives, such as preempting the HIPAA rules and the other issues that I think Congressman LaFalce outlined in his opening statement.

    HHS is right now in the midst of a rule-writing process. They put out the proposed rules last fall, and the President committed in his State of the Union to finish these rules this year. They are right now in the midst of rule writing and have received many comments on those critical, important rules. But, again, those rules would not be able to cover many financial institutions such as life insurance companies, property and casualty, disability insurers, because of the nature of the 1996 Act.

    Mr. Chairman, by convening this hearing you have focused attention on the important issues surrounding financial privacy and medical privacy. While we continue to believe it is necessary to seek legislation that provides comprehensive privacy protections, your bill offers a starting point for consideration of the issues that will be very important and truly important for a privacy regime. Let me say there is common ground between your bill and the Administration's proposal regarding financial privacy. H.R. 4585 does differ in some significant respects, and I would like to just highlight two of those for you today.

    First, the scope of the bill. We believe that financial privacy legislation should address the full range of financial privacy issues, as the Administration proposal does. H.R. 4585, while sharing many of the Administration's views on medical privacy, is in contrast to a narrow bill that does not address issues beyond medical privacy. Medical privacy within the financial services industry is vitally important as only one aspect we believe in moving forward.

    Second, with regard to the bill itself on medical privacy, in one regard, with regard to receipt and use provisions, these are the provisions that will prohibit, unless a consumer consents, a financial institution to receive or use medical information. They are limited to the extension of credit or a loan. Thus, the Chairman's bill suggests that, before you receive or use medical information in extension of credit or loan, you have to get specific opt-in by the consumer.

    We share that view, but we believe that it is important to have that receipt or use limitation broader than just for the extension of a credit or a loan. If a financial firm is giving investment advice, should it be able to get information from a life insurance affiliate before it decides on the investment advice? If a financial firm is providing auto insurance, should it be able to reach to the insurance company and get the medical information—or even if it is providing travel services, which, by the way, under the Financial Modernization Act, includes travel agencies as part of financial services? Before giving travel services, should it be able to reach next door to an affiliate to get medical information? We think that the receipt and use provisions are strong, but should be broadened and should apply to the broad set of financial services and products.

    In conclusion, Mr. Chairman, we thank you for providing this forum to discuss this critically important issue. This hearing provides a starting point for a thorough consideration of the range of privacy issues raised by changes in technology and our financial markets. This is truly an historic opportunity to get financial privacy right, to put in place all of the protections that American citizens want and need.

    We recognize the special sensitivity of personal medical information, and we support having effective laws that match the sensitivity of that data. At the same time, we should also address the vital issues that were included in the Consumer Financial Privacy Act. We think to do otherwise is to miss out on an opportunity and that we can work together and address these issues. We look forward to working with you and thank you again.

    Chairman LEACH. Well, thank you very much, Secretary Gensler. Thank you for your loyal support.

    Ms. Lee.

    Mrs. Roukema.

    Mrs. ROUKEMA. Mr. Chairman, you caught me a little off guard here. I expected you and Mr. LaFalce to first be speaking.

    Let me ask this, Mr. Gensler. You state that the President has pledged that the final medical privacy regulations will be issued this year. Pursuant to the authority of HIPAA, which I referenced, the 1996 law, and I referenced that in my opening statement, but these rules would apply only to certain—as I understand it, only to certain, ''covered entities'' and would not apply to most financial institutions. I believe in your opening statement, although I was interrupted at one point, necessarily interrupted, that you made reference to the question of not being included in terms of affiliation in Gramm-Leach-Bliley, but maybe you could amplify that.

    But the point is, there is not specificity as to what would apply and what would not apply to the financial institutions, but I am really deeply concerned, because they are integrated. They are in some ways integrated. Aside from that, we have to go beyond necessarily in this legislation, but what can be done has not yet been done under existing law. So could you amplify please with more specificity as to what we can expect and how you recommend we close those loopholes?

    Mr. GENSLER. The bill that was passed by Congress in 1996 provided that if Congress were unable to pass further legislation within a three-year period, then the President was authorized through HHS to put in place these regulations. Those were proposed last fall. They only cover health providers, health care plans and health clearinghouses. That is what the bill said. And thus they cover health insurers, but not life insurers, not property and casualty like auto insurers and the like. So, what this committee has before it in the Chairman's bill and in the Ranking Member's bill, does cover those other financial entities.

    Mrs. ROUKEMA. I believe I understand that. Those are the covered entities that you were defining.

    Mr. GENSLER. Right. Congress defined those in 1996; and, thus, the HHS rules are unable to address the other sharing that may go on.

    Mrs. ROUKEMA. I certainly realize that, but are they now being instituted or are they still in the comment period?

    Mr. GENSLER. They have closed the comment period. They got, I think, literally thousands of comments.

    Mrs. ROUKEMA. But they are not instituted as yet?

    Mr. GENSLER. The final rules would become effective later this year and I think under the statute had two years for implementation.

    Mrs. ROUKEMA. You see no conflict here by any means either under regulatory authority or with the affiliation regulation and the law where this legislation will certainly close those loopholes in a defined manner. Yes?

    Mr. GENSLER. I think both the Chairman and the Ranking Member's bill recognizes the HIPAA rules and has, I would say, sort of a safe harbor for that, and this is additive, thus, I think that is appropriate in both of these bills.

    Mrs. ROUKEMA. In terms of additive, you don't see any conflict coming up there in terms of a legal question within the affiliation structure, none whatsoever?

    Mr. GENSLER. I don't believe so.

    Mrs. ROUKEMA. I thank the Treasury Secretary.

    Mr. GENSLER. Thank you.

    Chairman LEACH. Thank you, Mrs. Roukema.

    Mr. LaFalce.

    Mr. LAFALCE. Thank you very much.

    First of all, Mr. Gensler, let me commend you on the outstanding job you have been doing in your role as Assistant Secretary of the Treasury for Domestic Finance and for the fine testimony you have given us today.

    As I understand it, having worked with you very closely in the development of the Administration's broader, more comprehensive financial privacy package, you believe that the bill before us today, Mr. Leach's bill, is a good bill, but you have difficulty with: A, its scope, which we will talk about later; and second, with certain details which I have said I think can be worked out and perhaps even by a manager's amendment. Let's deal with those details first. Could you expand upon those just a bit more? If we were only to consider the bill before us, forget about scope, how would you want it improved?

    Mr. GENSLER. I think we have made some very good progress together since last year's debate and identified a new way to address financial medical privacy, and it is in the receipt or use of that information. If some part of a financial institution under the Chairman's bill, a bank in extending a mortgage or in extending an auto loan, receives or uses information from an affiliate or a third party, in fact, it can't do that if it is medical information unless it has specific consent from the consumer.

    We applaud that provision. We think that is right. It stops the use or receipt of that information. Our comment is that we think that in the President's bill we went broader, that it was not only in the extension of a mortgage or an auto loan, but it was the extension of other financial services. And, as I highlighted, we think that whether you are extending investment advice or extending an auto loan, for instance, a financial institution should not without the consumer's specific consent receive, use medical information from one of your affiliates. Again, the Chairman's bill did include many of the provisions on access, on reuse, on personal spending habits around medical.

    Mr. LAFALCE. I haven't had a dialogue with the Chairman on this, but I feel confident this is something we could come to closure on. What I am concerned about is that we not lose sight of the fact that there are broader issues, too, which we have attempted to address in a broader bill. I made a statement, and I would ask you to comment on them seriatim. If consumers don't want their financial account information shared with affiliated companies without their knowledge, would we need to do more than H.R. 4580?

    Mr. GENSLER. We think that we should not stop at medical. We think that there are broader issues, particularly around personal spending habits, that are enhanced and have a heightened level of sensitivity that ought to be included, and the American people want included, in their zone of privacy.

    Mr. LAFALCE. If we want to stop profiling, would we need to do more than H.R. 4580?

    Mr. GENSLER. Yes, we would.

    Mr. LAFALCE. If we want to give American consumers the same privacy rights that European consumers of United States financial institutions have, wouldn't we have to go further?

    Mr. GENSLER. The answer is yes, particularly as it relates to affiliate sharing.

    Mr. LAFALCE. Good. I just wanted to set the stage that I don't think that we should arbitrarily—let me scratch the word arbitrarily—I don't think we should prejudge the legislative approach we should take to our problems. I think we ought to hear what the scope of the problems are and then come in with legislation to address it, rather than just start out with something narrow.

    I don't want to turn down something that deals in a good manner with one piece of the problem. By the same token, I don't want to make a prejudgment that we can only deal with one piece of the problem. I prefer to go for a larger, more comprehensive approach. I thank you.

    Chairman LEACH. Thank you, John.

    Mr. Bereuter.

    Mr. BEREUTER. Thank you very much, Mr. Chairman.

    Secretary Gensler, one of the exceptions to the opt-out provisions of the Gramm-Leach-Bliley Act authorized disclosure of information by insurance companies to State guaranty funds. Neither the Administration's bill nor H.R. 4585 extends the State guaranty fund exception to the opt-in provisions applicable to disclosure of the health information. Several of the industry witnesses bring up this point or will bring it up before the committee later in at least their written testimony. What is the Administration's rationale in omitting the State guaranty fund exception from the medical privacy opt-in proposal?

    May I ask a second question, too? It relates to a concern among some financial institutions of a significant regulatory burden that could be imposed when they have only a one-time transaction with respect to a person, for example, wiring money by Western Union one time only.

    Would you care to respond to both of those two items?

    Mr. GENSLER. Yes, Congressman. In terms of the State guarantee point, what was not clear to us in the last four months in developing the bill was why there might be a need for individual medical records with regard to that exemption that you rightly point out is in Gramm-Leach. So we have not heard a specific reason why individual medical records are needed. Again, we look forward to working with this committee if there is something that we have overlooked, but nothing has come to our attention.

    In terms of the second issue, there are provisions even under the Act last year and the rules that are now put in place in terms of one-time transactions to really lessen, as you say, burdens or lessen the requirements on a one-time transaction. Somebody goes up and uses an ATM machine, and it is not their bank's ATM machine. We took a lot of public comment on that. We know the regulators modified that in the final rule. We have not changed that in the President's bill or in the Chairman's bill. I don't think we have changed that aspect moving forward.

    Mr. BEREUTER. Thank you. But I gather you are willing to look at possible changes in that area if, in fact, it can be demonstrated.

    Mr. GENSLER. We look forward to working with this committee in trying to move a product forward that addresses the needs of the American people.

    Mr. BEREUTER. Thank you. We will see if there is a case that needs to be made and then make it.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mr. Bereuter.

    Mrs. Maloney.

    Mrs. MALONEY. Thank you, Mr. Chairman. I request that my opening comments be placed in the record.

    Chairman LEACH. Without objection, and without objection any Member who wants to make opening comments.

    Mrs. MALONEY. Thank you, Mr. Gensler, for appearing before the committee again and bringing your daughter Lee.

    First, I want to thank you and the Administration for making consumer privacy one of your highest priorities. I know that this issue is critically important to Secretary Summers. He has spoken before the committee on it and to the Vice President, who just spoke out last week on this issue.

    I would like to ask you, my district is the home of a number of large institutions, especially hospitals, and could you comment on your interpretation of the bill as it relates to patient service? Could the opt-in provisions prevent medical staff from having the most timely access to information that they may need for emergency patients or are additional exemptions necessary?

    Mr. GENSLER. I think it is a very critical issue. We do not believe so.

    This is also a very critical issue that HHS is addressing in their medical regulations in terms of sharing of information, and we know they have gotten comment on it. But we don't believe so, and it certainly would not be the intent either in rule or in law that a patient in an emergency room setting would have that difficulty. It is the intent, though, to limit information sharing in the advancement of a financial product—again, investment advice or other financial products where there is not that emergency situation.

    Mrs. MALONEY. I certainly support the Chairman's bill, but I am disappointed that it only—and that we are considering today only the area that it addresses, which is medical privacy, and I wish that it had a broader scope, particularly the broader bill that Mr. LaFalce has put forward that includes really the Administration's policies that they put forward.

    I am concerned that U.S. citizens are really treated differently than many of our trading partners in our global economy, specifically in Europe where they have much stronger consumer privacy; and given that much of the opposition to consumer privacy protection is based on their costs and operational difficulty, why should U.S. law be weaker than that of our trading partners?

    Mr. GENSLER. Well, this Administration stands for strong consumer privacy protections, particularly with regard to financial privacy. I think that, as you have seen in the Ranking Member's bill and the President's full support, it would bring us to those standards which we think are again balanced, whereby industry would have a base of information they could share, but then the sensitive information would have higher standards surrounding them.

    Mrs. MALONEY. I certainly hope that the Chairman will have a hearing on the Administration's proposal, because these extended and more complete consumer protections are very, very important.

    I have spoken to many industry representatives that tell me, particularly in the health industry, that they are willing to go forward and provide this consumer privacy to their customers, particularly on medical information, and why is legislation necessary if companies are willing to take these voluntary measures?

    Mr. GENSLER. Well, we think, as the Chairman said in his opening remarks, that this is important in moving forward not only to prevent actions even if they are not rampant today, but also to instill confidence in our financial systems. Something fundamentally is changing around commerce today, not just banking, but overall, and it is the internet, and it is electronic commerce. And to instill confidence in the internet and instill confidence in the financial system, we think that fundamental consumer protection, fundamental privacy rights, actually promotes the economy by building confidence. So, if they are going to do it anyway, instilling it in law doesn't take anything away, but it builds confidence.

    Mrs. MALONEY. Actually, as we speak, the e-commerce bill is on the floor that would break down yet another barrier for signatures for contracts, which is a very important bill which underscores the point that you are making.

    Mr. GENSLER. We have worked successfully with this Congress on that bill, and that is a very important bill to move forward electronic commerce. But, again, that bill is done in a way that was sensitive to consumer needs to build the confidence in this new economy.

    Mrs. MALONEY. My time has expired. Thank you very much for your testimony.

    Chairman LEACH. Thank you.

    Mrs. Kelly.

    Mrs. KELLY. Thank you, Mr. Chairman. I just have a couple of very quick questions here.

    There has been some concern expressed that the provision that we have here threatens to impose a significant regulatory burden on financial institutions that have to respond. I wonder how the Administration responds to those concerns. The regulatory burden on the financial institutions is something that I think we really need to think about. I wonder how you respond to that concern?

    Mr. GENSLER. I think that the bill before you today and the President's bill build on the provisions in the Gramm-Leach-Bliley Act so they are meant to be consistent and build upon that.

    But there are two areas that people have raised. One, they have said there might be a burden, because you limit information in the great new economy that we have. We think not because there is a base of information that can be shared as long as it is restricted to reuse, but shared for risk management, fraud, for securitization; and we have actually added a provision in our proposal for consolidated account statements, an important provision. So there is a base that provides all that information.

    What the Administration is saying is to market to an individual that we should provide individuals the right to opt-out, to say "I might not want to be marketed to," and then for medical and for complete profiles of an individual that it would be an opt-in. We think that those limited provisions are important, actually, to promote the financial industry.

    Mrs. KELLY. Your testimony just now, though, didn't include the problems with one-time transactions. There are some serious problems I think there in terms of the regulatory burden that will be imposed on the financial institutions. People have a one-time transaction. I think that needs to be considered. Do you think the Administration would consider possible changes to address something like that?

    Mr. GENSLER. You are right, the bill and the testimony actually do not take up the issue. It is precisely consistent with what Congress enacted last year; and in that regard, the rules that were put in place had less of a responsibility on the financial institution for those one-time transactions in terms of, in essence, the opt-out for third-party sharing and the like. I believe that the regulators address that in their final rule. I am not aware of further comments that came up.

    Mrs. KELLY. Would the Administration be open to a change?

    Mr. GENSLER. Well, again, we look forward to working with this committee, moving forward on getting the best privacy protections for consumers, but also those that are balanced and work for the economy.

    Mrs. KELLY. Are you aware of any specific instances or is the Administration aware of any specific instances where banks have denied credit based on medical information about the loan applicant, whether it has been gotten from an affiliate or from a non-affiliated third party? Do you know of any instance like that?

    Mr. GENSLER. While I am not familiar with them, we are in a world that is really new in terms of the ability to have databases and to bring together data across a financial institution in a way that it is important to put these protections in, as I think the Chairman had said, before commercial interests take over. There is a temptation there that is really there, and we think it is best to address this now and, in addition, to instill the confidence in the system that I think will promote the banking system in itself.

    Mrs. KELLY. If I understand correctly, you are talking about instilling confidence by drafting a law, but you don't have any specific instances that you can talk about where banks have denied credit to people in those instances.

    Mr. GENSLER. I think, with all respect, we see no reason to allow somebody in extending a mortgage to look into your personal medical history unless they are asking that of all those applicants of the mortgage and unless they are asking your permission. We cannot see any reason why that should be allowed.

    Mrs. KELLY. I don't think anybody does, except—anybody wants that, really, but, on the other hand, I think it is important that we not draft laws and pass laws when there is not a need for a law.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Sue.

    Mr. Ackerman.

    Mr. Bentsen.

    Mr. BENTSEN. Thank you, Mr. Chairman.

    Mr. Gensler, in reading your testimony as it relates specifically to the health information issue, would the Administration be supportive of H.R. 4585 if the receipt and use provisions were similar to what is in the President's bill, including the requirement that it is the same requirement on all customers? Is that your main holdup with respect to the health issue?

    I understand that you want—that the Administration believes that the Congress ought to go further in revisiting the entire Title V of the Gramm-Leach-Bliley Act, but if we were just to focus on health, which was effectively carved out at the end of the process last year, would those be the main changes you would be looking at for H.R. 4585?

    Mr. GENSLER. You are correct to say those would be the main changes in terms of the health provisions of H.R. 4585. The Administration feels that it is important to move forward in these other areas, that to share all of the ways that Congressman Bentsen spends his money, where you spend it, how you spend it, a complete list of that, to be able to share that without your affirmative consent is not an appropriate standard. So we feel that it is best to be comprehensive, and we look forward to working with this committee and the Congress to achieve that.

    Mr. BENTSEN. I understand where Mr. LaFalce wants to go as well. It seems to me that a very strong case can be made that, with respect to health information or medical privacy, that we did not go as far in that area as we did in other areas of financial privacy in the Gramm-Leach-Bliley Act and were we not able to muster support for a broader bill, would it not be appropriate to at least plug this one gap in the medical privacy? I realize your aide is providing you answers there—but, to plug this one gap with a bill like H.R. 4585, would the Administration—I know you don't want to give up the whole thing yet, but don't you think that if there was one thing we could get done this year, isn't this an area where Gramm-Leach-Bliley was failing in medical privacy as compared to other areas?

    Mr. GENSLER. We share this committee's view that that is a gap. It is a gap I think in part created because we have a new situation where insurance companies can affiliate with banks. Before the Gramm-Leach bill, that was not legally permissible. But, I would say, Congressman, I still feel strongly that we should address these other issues, that it is important. Some issues that actually benefit industry—for example, to allow for consolidated calling centers—we think very importantly also benefit consumers, not only through getting greater services—like consolidated call-in centers would give greater services—but also in terms of giving greater confidence and protection around the sharing of the specially sensitive information.

    Mr. BENTSEN. H.R. 4585, as the Administration reads it, would enforcement of this be in the same way as the other financial privacy parts of Gramm-Leach-Bliley are? And the Chairman has pointed out that it would not preempt or supersede the HHS's role under the HIPAA law. Does the Administration agree with that interpretation? Do you believe in any way this would preempt the Secretary of HHS or HHS or the HIPAA law? Are you comfortable with how that section is drafted?

    Mr. GENSLER. Let me make sure. I think the answer to both parts of your question are yes, that the Chairman's language and the language in H.R. 4380 do not supersede HIPAA or HHS, as we can see, in any way.

    Mr. BENTSEN. Finally, does this bill—and the Chairman may answer this. But does this bill or does your bill preempt State law or does it follow along the same track that Gramm-Leach-Bliley did that gave the States the predominant role in setting privacy standards?

    Mr. GENSLER. It sort of adds to Gramm-Leach-Bliley, and so you are familiar with those provisions. In these bills there is no statement on preemption, thus leaving in place the regime that we have prior to these bills.

    Mr. BENTSEN. Thank you.

    Thank you, Mr. Chairman.

    Chairman LEACH. Mr. Lucas.

    Mrs. Biggert.

    Mrs. BIGGERT. Thank you, Mr. Chairman.

    Mr. Gensler, with this bill and concerning Worker's Compensation and automobile insurance, both of which deal with, number one, timely access to health or medical records, timely receipt of that, do you think this would cause delay in obtaining the relevant health data needed by worker's comp to proceed with claims and in the auto insurance, which also deals with indemnifying consumers from medical losses? I see a delay perhaps in worker's comp cases. What if the consumer actually refused to opt-in to provide their medical records in a case which questions their claim?

    Mr. GENSLER. We don't believe that it would delay. But, also, if in any way when we think through this together that would be an issue, we would look at what technical issues needed to be added. We don't think so.

    And I would add, because it allows for specific opt-in product-by-product, you could put a specific opt-in exception in cases that are necessary around providing the medical services or Worker's Compensation and the like, if it was medical services or disability.

    Mrs. BIGGERT. That would apply then to maybe auto insurance?

    Mr. GENSLER. It could; but, again, we don't think that either bill limits the timely payments under auto insurance. Because, again, if you have an accident, that is the time you share the medical information.

    Mrs. BIGGERT. And then as far as the provisions for opting in and Gramm-Leach has the opt-out, is this going to be confusing for when you opt-in, you opt-out? Is this something that we need to deal with?

    Mr. GENSLER. We don't think so. There are many provisions already in law that are opt-in—video rental, under the Federal Privacy Act, certain provisions under FCRA—the Fair Credit Reporting Act—in terms of sharing your credit report with employers and the like. So there are standards this Congress has put in place that are opt-ins where there is especially sensitive information. Even under HIPAA it is effectively a consent or opt-in for health and medical information under HIPAA, but, unfortunately, it only applies to health insurers and not other insurers.

    Mrs. BIGGERT. A U.S. Supreme Court refused to hear an appeal by a Federal Appeals Court ruling in Colorado that struck down as unconstitutional regulations promulgated by the FCC that restricted intracarrier sharing of certain customer information, and what they looked at specifically was the opt-in provisions, which seemed to be somewhat similar to this bill and the Administration proposals. Have you looked at that case?

    Mr. GENSLER. I haven't personally. Let me just ask. I think I am going to get an expert answer.

    Let me just say, we have been working with the Department of Justice around all the Administration privacy proposals and focused on the 10th Circuit opinion, and believe that the Administration's bill in terms of its opt-in provisions, and I think this would also count for the Chairman's bill, but I don't know that DOJ has had the same amount of time, are constitutional, even in light of the 10th Circuit opinion.

    Mrs. BIGGERT. Thank you.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mrs. Biggert.

    Mr. Ackerman.

    Mr. ACKERMAN. Thank you very much, Mr. Chairman. I did have a question, Mr. Secretary. On a previous question, did I understand you to say that you would be supportive of an exemption for one-time transactions as it might be burdensome?

    Mr. GENSLER. I think what I said, in terms of the regulations under last year's law, we think they put in place a different set of obligations on those one-time transactions. We think they were effective. We are not aware of comments that have come in subsequent to that final rule. What I also said is we look forward to working with this committee on broad comprehensive privacy and moving broad comprehensive privacy forward related to financial privacy. If there is a specific issue, then it would be rightly taken up in that comprehensive bill. And we would be open to looking at appropriate issues to help protect consumers, but also to foster commerce.

    Mr. ACKERMAN. In your view, would somebody undergoing a medical examination as a prospective insured under health insurance, would that be considered a one-time transaction? Well, as we don't have right now in place a medical financial privacy law, it is more in the prospective I think that you would probably be asking it, but in terms of the Administration's approach, if you are conducting an exam for life insurance that is specific to that product, and if the life insurer is asking it of all customers under the President's proposal, as long as it is asked of all customers and you are consenting to it, you are having the physical, so you are personally consenting to it, then that moves forward.

    What we are trying to protect is that that health information is not then used by some affiliate for some other financial product, a separate financial product.

    Mr. ACKERMAN. What about for the same financial product? To give you a specific example of that, that would be of assistance to you in thinking this through, a person goes for a medical exam for life insurance and they make a determination that the person tested positive for HIV. And they decide not to insure the person and they decide not to disclose it to the person who was tested, and they decide to post it using a secret code on the internet made available to insurance companies so that every other insurance company who belonged to the association, knowing the code will understand that this person tested positive and would therefore be warned not to issue insurance. Would you be in favor of that one-time exclusion under those circumstances?

    Mr. GENSLER. Absolutely not, sir. Absolutely not. The only thing that, trying to highlight, I think, in your earlier question, is that nothing in these bills would prohibit a life insurance company from requesting that you have a physical exam for that product provided by that life insurer. But that life insurer should not, and I think Americans would all agree, be able to share that information with others or post it on the internet.

    Mr. ACKERMAN. Not every insurance company agrees with that.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mr. Ackerman.

    Mr. Terry, did you seek recognition?

    Mr. TERRY. No.

    Chairman LEACH. Ms. Hooley.

    Ms. HOOLEY. Thank you, Mr. Chairman. Thank you, Mr. Gensler. Thank you for bringing your daughter. I think that is great.

    Mr. GENSLER. Thank you.

    Ms. HOOLEY. Most of my questions have been asked, but there are still a couple I have. Do we need any special provisions or anything different that deals with mental health? Do you put that in the same category as all other health?

    Mr. GENSLER. Well, the Chairman's bill actually has a specific provision with regard to mental health, and it was an enhancement, in fact, in the President's bill to have a specific consent with regard to mental health, and we think it probably is appropriate to have an additional protection in a separate category, and we look forward to working with this committee if there are other enhancements in that specific field.

    Ms. HOOLEY. Another question is, tell me one more time what is the difference in this bill that enhances that privacy regulation over what the Secretary of Health and Human Services has come up with?

    Mr. GENSLER. The Secretary of Health and Human Services has limited authority, limited because the 1996 law that people are referring to as HIPAA only related to "covered entities"—health providers, health plans, and health clearinghouses. Life insurers are not a covered entity. Disability insurers are not a covered entity. Auto insurers, property and casualty are all non-covered entities. Banks, by the way, are not covered entities. So she's moving forward and the President is moving forward the best they can, but it is within that law.

    Ms. HOOLEY. Then lastly, I know your bill is looking at how do we protect consumers. Have you done any looking at what it costs financial institutions to implement these proposals?

    Mr. GENSLER. Well, I know that the regulators did some on the Gramm-Leach provisions, but in terms of moving this bill forward, it again just builds on the basis of the Gramm-Leach provisions for notice and choice, and importantly, a choice with regard to medical in the Chairman's bill. But we have tried, I think, in both bills, to just build upon the same regimes and the same methodologies that I say went through public comment. I think there were 2,600 comments that came in on the earlier provisions, most of which were constructively addressed.

    Ms. HOOLEY. Thank you very much.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you.

    Ms. Carson, did you wish to be recognized?

    Ms. CARSON. Not right now. Thank you.

    Chairman LEACH. Mr. Inslee.

    Mr. INSLEE. Thank you, Mr. Chairman. I want to thank the Chair for following through on this important issue. I know the Chair feels strongly about closing this massive loophole and getting this resolved. I am very hopeful that we will do that this year, and the other Chamber will follow our lead. I appreciate the Chair's advancing this at this time. But I think it is very important to note that I feel that our job, even if we resolve this issue, and I am confident we will, at least in this committee, that there are really massive imperfections in the Gramm-Leach bill that we ought to address this month, and to date, we have not had any encouraging signs that we will have hearings either in full committee or subcommittee on closing the affiliate sharing loophole, and that causes me great concern, because I can tell you that since we last addressed the issue of privacy in this committee, this issue has taken off like a rocket in America.

    We had the first sort of inkling of that last fall when I first brought an amendment in Gramm-Leach-Bliley to address this whole privacy issue, and I think all of us Members of Congress since then have learned that there is probably no issue in America today that is growing in people's anxiety levels than the loss of privacy in this country. I think since we passed the Gramm-Leach bill, that has continued to grow exponentially. You can't pass a magazine stand without reading or pick up a newspaper today, and I can echo those comments that are on Main Street.

    So the question comes, when are we going to address this affiliate sharing issue and when will this committee have hearings to do that? I suppose we could wait until the next Congress to address that if we felt we didn't have enough information to know whether there is a problem today. But I have to ask this question: Do we have to wait till the next Congress to figure out that companies are going to share private personal financial information against our interests, against our specific directions with their various affiliates under Gramm-Leach? We do not have to wait till the next Congress to know that that is going to happen as soon as it is legally permissible.

    Second, do we have to wait that when our constituents find out that that is going on, that they are going to be outraged? Do we have to wait till the next Congress to figure that out? I suggest we do not have to wait to know that Americans are going to be outraged about these telemarketing gambits that are going on, sharing their personal private information. We don't have to wait till the next Congress to figure that out.

    Lastly, do we have to figure out in the next Congress how to deal with this issue? I don't think there is any reason we are going to learn something between now and the next Congress. So I feel very strongly that this committee ought to have hearings, this Congress, on the affiliate sharing issue and the issue of opt-in/opt-out, which remains in contention. The Chair has shown leadership in bringing this to this committee, and I am just hopeful that we will have an opportunity to further address this affiliate sharing issue in Congress.

    Having said that, Mr. Gensler, my soap box, I would just ask if there is anything you would like to add on the timing of this discussion?

    Mr. GENSLER. Congressman Inslee, we applaud your leadership on this issue. It was very good to work with you on the digital signature bill as well, which is such an important issue for this Nation.

    We share your views. We think that there is no time to address this issue like now. This is all going one way, it seems. One of my colleagues earlier today said that Congress is conducting five different hearings, that the Administration is talking about privacy in one realm or another this week. It just gives a sense of the potency of this to the American people. I think that we have had a thoughtful balanced approach about affiliate sharing. We come out on the side of the debate. The Administration comes out, as you do, that there should be some choice; that regarding notice and choice, there is no distinction between affiliates and third parties, and that the one issue that industry has raised—and we have dealt with, is consolidated call-in centers and consolidated statements. They already had what is known as the 502 E exceptions in the Gramm-Leach bill, which is a series of eight important exceptions, and it is time to move on.

    And I think we believe that credit card companies should not be able to share a complete list of how you spend your money, where you spend the money. In essence, a total portrait of you as an individual, without you having the right to say "Yes, you can share that and tell somebody the complete search and the complete portrait on Congressman Inslee."

    Mr. INSLEE. That perhaps could be some interesting reading, I suppose.

    Thank you, Mr. Gensler. Thank you, Mr. Chairman, for bringing this to our attention. I am just hopeful that the Chair can see to allow this committee to address this issue and not have to wait for new Members of Congress. I think there will be some new Members of Congress here perhaps because of this issue, but we shouldn't have to wait for them, and we ought to, on a bipartisan basis, move forward in this regard. Thank you.

    Chairman LEACH. The Chair would like to thank the gentleman for his advice and the Secretary as well. I would also like to thank both the gentleman and the Secretary for switching to the Chair's position, and now supporting in a more timely basis, the medical privacy issue. I am glad, having sought delay on that issue last year, you are now in favor of moving forthrightly at this time.

    Mr. Moore.

    Mr. MOORE. Mr. Chairman, I don't have any further questions of Mr. Gensler. I do appreciate your work in this area, and I am hopeful that we can, as Mr. Inslee pointed out, expand it at some point beyond just medical privacy and financial privacy, but internet privacy and a lot of other issues that are of great concern, I think, to the American people. Thank you.

    Chairman LEACH. Mr. Gonzalez.

    Mr. GONZALEZ. Thank you very much.

    Quickly a couple of questions. As you have indicated, one's medical records, medical information and personal spending habits, information profiles, would be two categories of information that would rise to the level of this special zone of privacy. I think that may be the term which really equates to opt-in. That is the distinction in mind, anyway. I am wondering what other type of information, in your opinion, would rise again to the level which would place it in this special "zone of privacy?"

    Mr. GENSLER. The two areas I think you highlighted were those two areas, medical information, and then the complete portrait, the complete spending habits. Those were the only two that we thought would be at that enhanced level, and in essence, the burden would be on the provider of services to get your consent. Another area—just marketing—the burden, in essence, would be on the consumer to fill out the form and send it back in, but we thought that that is less sensitive information, and thus the burden, more appropriately, is on the consumer.

    Mr. GONZALEZ. In all your discussions, though, nothing else has entered those discussions that, again, make it this type of treatment on the opt-in standard.

    Mr. GENSLER. That is correct. As I noted earlier, Congress has had opt-in for other provisions, whether it is in the Telecommunications Act or video rentals and other areas that Congress has seen that as an appropriate means of protecting a zone of privacy.

    Mr. GONZALEZ. The second question relates to the HHS standards which would apply to health plans, health care clearinghouses and certain health care providers, as you pointed out. Then we have this bill here, H.R. 4585, that would encompass financial institutions. Who have we left out?

    Mr. GENSLER. I am not quick enough to think, but in terms of medical—this addresses financial institutions. I am sure there are some institutions that are neither financial nor health care providers.

    Mr. GONZALEZ. That is my point. I guess this bill is going to continue the piecemeal approach to privacy legislation. I understand we approach privacy many times in many ways, and maybe the final outcome is we will have one bill that maybe can address all the different activities. The reason, obviously, is that you have certain entities that may have shared activities, for instance, that would subject them to one set of rules, and possibly another set of rules, thus creating confusion. That is why I was just asking you, is there anything that you see now that needs to be addressed differently in this bill? Should some other enterprise, some other activity, some other business, be included or deleted?

    Mr. GENSLER. The President has laid out and the Administration has felt strongly that there are three areas broadly that are appropriate to address statutorily and that is medical, financial, and children's online. Those are the three broad areas that he and the Vice President have laid out a number of times, and the Administration has moved forward and worked successfully with the Congress on the Children's Online Privacy Act some time ago, worked successfully, even last year, on the financial bill, even though we think we should do more.

    Mr. LAFALCE. I wonder if the gentleman from Texas would yield for a question.

    Mr. GONZALEZ. Of course.

    Mr. LAFALCE. Mr. Gensler has been assisted in his testimony by a relative of his, and it is my understanding that you have been assisted in your questioning on this issue that it is an appropriate zone of privacy by a relative of yours, an attorney from San Antonio, who has prepared quite an outstanding book dealing with the issue of zones of privacy, which I hope you would share with the Members of the committee.

    Mr. GONZALEZ. Not at this time, because it would be a lengthy discourse, I guarantee you. Thank you.

    That is all I have. Thank you very much, Mr. Chairman.

    Chairman LEACH. Mr. Lucas, do you seek recognition?

    Mr. LUCAS. No.

    Chairman LEACH. Mr. Capuano.

    Mr. CAPUANO. Thank you, Mr. Chairman.

    Mr. Gensler, I just have a couple of questions. I guess one is purely educational, as far as I am concerned. Under the current situation, the current laws, oftentimes I pick up the local papers and I read on a regular basis probably several times a week about a prominent figure in the community coming up with some medical problems, admitted into the hospital for this, admitted into the hospital for that, being treated in an experimental way for this problem, that problem.

    Under current situations, is that person protected from any retribution, potential—maybe a better word can be used—any reaction from the financial community? Could that person have his loans or her loans pulled, have them called, be denied if they are in the middle of getting a mortgage, and a banking executive happens to read right now that they are getting treatment for some heart anomaly?

    Mr. GENSLER. I just wanted to check. No, there are no Federal statutes in place that would limit that at all.

    Mr. CAPUANO. I didn't think there were, but I wasn't sure. I want to make sure. I guess I would like at some point some people to take a look at that as well. I am not so sure it is easy to put your arms around. I am not so sure it is something you can address, but it is something, there should be lines. I think there should be lines, especially people in my world, in your world. There is nothing I do that is private. Nothing. And people have websites up and pretty much everybody here, probably on you, too, telling all the terrible things I did just yesterday, never mind the rest of my life, and I would be concerned deeply if my family were negatively impacted.

    It is not just politicians, anybody in the public realm is subject to that, and it would concern me if there were no limits whatsoever on—it is one thing, freedom of speech to say whatever you want to say. I understand all that. But you know as well as I do, if you go right now, if you are admitted into a hospital for a checkup right now, you know darn well the likelihood is pretty good that we'll be reading about it in the paper tomorrow.

    I don't think that that is something we should just ignore. It is one thing to focus on the immediate problem in front of us. I think that is all well and good. It is a big step forward, but I don't want to lose sight of the bigger issue as well.

    Shifting gears, the only other issue I have I heard earlier there is always concern about passing laws that were not needed, we are not sure we need them. I am not interested in the morality, not interested in the ethics, I am not interested in the social aspects of privacy. I have my own opinions on that. That is all well and good. I am interested in the financial aspects. In the banking world, do you think that the banking world would be better served financially if Congress were to sit back on this issue or any other issue and not speak, let it go until there is a problem and then react after the businesses have invested probably millions of dollars in software, millions of dollars in personnel, millions of dollars in mailing and telephone centers, and so forth, and so forth, and so forth, because maybe I am wrong, but my estimation is that once the first financial institution starts sharing medical information, even though the others will say ''It is morally reprehensible, it is terrible, we will never do that.'' But the first time they save money or they make money, someone else is going to fall in line. And eventually we are going to end.

    It strikes me as financially better for the financial services community if we can set the rules now, let them know what the rules are going to be now rather than waiting for some situation to arise, and I don't think any ordinary American thinks that it won't happen if we do nothing. Something will happen and we will overreact and have wasted millions of dollars, millions of hours of personnel time and all the problems that are associated with changing business practices.

    I guess I just wonder, do you think I am completely off the wall? I don't mind being off the wall. That is what I do. Or do you think there is any legitimacy to that concern?

    Mr. GENSLER. We think that it is fundamentally important to address this issue for consumers and for the banking system. We think it, as we said earlier, not only instills confidence, but gets ahead of an issue that could be—it is like an attractive nuisance. It's too tempting, frankly. And having been in Commerce, I could never imagine that any of my former partners would do anything on this, but I think it is attractive, and it is there and I think we should address it.

    Mr. CAPUANO. I never would have thought that so many people would be calling me in the middle of the night twenty years ago trying to sell me another credit card after I have 400 in my pocket already. But that attractive nuisance is just unavoidable when there is money to be made. I understand that. I ask the question having already formed my opinion. I think it is good business practices for Congress on issues such as this to set the bars now to save the time, the trouble, the money that is involved in following down what I think will end up being a dead end.

    Mr. GENSLER. It is also, as we change so rapidly, what we want to do is adopt the new information age, as we move from sort of the industrial age to the information age. The President said in his speech in Ypsilanti, he said, when we moved from an agricultural age to an industrial age, it was important to adopt new laws at that time, to put in place really the progress and to expand to the full middle class the nature of the industrial age as we moved into the 20th Century. As he said better than I could, we need to do the same as we move into the information age, and put in and adopt laws to help us move and promote, for all Americans, the success moving forward.

    Mr. CAPUANO. As a little footnote to that, I think it is well put that there were many people in those days that objected to the proposed laws at the time as overbearing, overreaching. We don't need them. We are doing fine without them. It is not a new story. It is an old story and I think it clearly worked well for this country, for the American people in the past transitions, and I think it will work well here. Thank you.

    Chairman LEACH. Thank you.

    Ms. Schakowsky.

    Ms. SCHAKOWSKY. No, thank you.

    Chairman LEACH. I think that is the last questioner. Let me just briefly opine, because we are in the realm of privacy, and several constitutional issues have been raised, and the Chair is willing to suggest that Freedom of Information requests do not apply to the notes passed from Ms. Lee Gensler to her father. In any regard, we thank you very much, Gary.

    Mr. GENSLER. Thank you, Mr. Chairman.

    Chairman LEACH. Our second panel is composed also of a single witness. Ms. Kathleen Sebelius, who is Commissioner of Insurance for the State of Kansas and Vice President of the National Association of Insurance Commissioners. I would like to ask Mr. Ryun if he would like to make any welcoming remarks.

    Mr. RYUN. Mr. Chairman, first of all, I am sorry I missed the opening statements and didn't have an opportunity to welcome my Insurance Commissioner, Kathleen Sebelius. But I do want to thank her for coming today. She has been an advocate for the medical privacy of Kansas. She has been recognized for her efforts in Kansas, and certainly by the National Association, and I welcome her testimony to do what we can to ensure that all Americans have the kind of medical privacy that we are looking to protect in light of the Gramm-Leach-Bliley bill, and I want to thank her for the opportunity to say something, and welcome. Thank you for coming today.

    Chairman LEACH. Thank you, Mr. Ryun.

    Mr. Moore, would you like to comment as well?

    Mr. MOORE. Thank you. Mr. Chairman, again, I congratulate you on your good work, on convening this hearing, and the bill that you drafted. I also appreciate the opportunity to extend some brief remarks to welcome Insurance Commissioner Kathleen Sebelius here.

    Kathleen has a very interesting background. She comes from a bipartisan political family. Her father was Governor of Ohio. Her father-in-law was a former Member of Congress from Kansas. Her husband is now nominated to be a United States District Court judge in Kansas.

    I am very, very pleased to have Kathleen here today. She was first elected in 1994 and reelected in 1998 as Kansas Insurance Commissioner, and previously served four terms in the Kansas House of Representatives. She currently is, as I think the Chairman indicated, Vice President of the National Association of Insurance Commissioners, and is Chair of the Working Group on Privacy. That is the capacity she appears before our committee today.

    She was recently recognized as a renaissance regulator by the June issue of Best's Review, a national magazine focusing on insurance issues. They observed, and I thought this was very interesting, that she was able, in the last five years, to eliminate almost half of the regulations on insurance in the State of Kansas. She has established a reputation as a national leader on health insurance issues and is leading the NAIC effort to develop uniform regulations that balance privacy for individuals against insurers' business needs for consumer information. I often turn to Kathleen for advice and counsel, and I really am pleased to have her before this committee today, and she's always very able to render thoughtful and insightful testimony and I appreciate that.

    Welcome, Kathleen.

    Chairman LEACH. Thank you very much. It looks like you come with near perfect credentials, Mrs. Sebelius, although some of us would prefer that you took your father-in-law's, rather than your father's, party. You are very welcome and please proceed as you see fit.


    Ms. SEBELIUS. Thank you, Mr. Chairman. It is nice to be here and nice to be here with half of our congressional delegation, my own Congressman and my friend, Congressman Moore. I appreciate the opportunity to be here and also bring you greetings, Mr. Chairman, from your own insurance commissioner, Terry Vaughan, who is now serving as Secretary-Treasurer of our association. We have just finished four days of insurance meetings, our summer meetings, so she said to be sure to extend her greetings to you.

    Unfortunately, my colleague, Glenn Pomeroy, who is a former President of our association from North Dakota, and whose brother serves with you in the House, is stuck in Bismarck. Planes couldn't get out of Minneapolis last night, and couldn't get Mr. Pomeroy to Washington today, so he apologizes for his absence at this hearing.

    What I would like to do before I talk a bit about health privacy, Mr. Chair, is just use a few minutes to give you an update on the way insurance regulators are moving to comply with the features of Gramm-Leach-Bliley, which is a fairly sweeping change for regulators. I think it is safe to say that the passage of this bill focused attention and mobilized my colleagues from around the country to move very quickly to comply with various aspects of that bill. In just three short months we have had 50 State regulators sign a statement of intent on implementation features which have a comprehensive buy-in for uniform standards across the country on a variety of issues, including a more efficient and uniform regulation of the financial services marketplace.

    We have nine different commissioner-level working groups in place to implement the law in areas like privacy, agent licensing and speed to market for insurance products. The Gramm-Leach-Bliley has created expectations, and frankly, our goal is to exceed these expectations. We feel it gives us a good framework to move to a 21st Century regulatory system and we have been hard at work doing that.

    Having said that, I also appreciate the opportunity to testify on the very important issue of health information privacy and the new legislation before this committee, H.R. 4585. This will be the sixth time during the course of the 106th Congress that we have come to testify on health privacy, and are pleased to see that there is a recognition in this proposal, as there is in the President's proposal, to recognize that an unintended consequence of Gramm-Leach-Bliley is the fact that a consumer's sensitive health information can now be shared freely without distinction from other sorts of financial information.

    Although, as you all know, health privacy wasn't specifically included in the language of Gramm-Leach-Bliley, the Federal regulations changed that landscape, because the definition of financial information now includes health information. Unfortunately, given the framework of the original bill, the law doesn't provide the kind of stringent protection that we feel, and most consumers feel, is needed for sensitive health information.

    Mr. Chair, the regulators were very sensitive to the pleas from the industry that the financial portion of the regulations that we were mandated to promulgate for insurers across this country, would not put them at a competitive disadvantage with their colleagues. As such, our initial draft regulations follow the guideline set out by Gramm-Leach-Bliley. On the other hand, the commissioners felt unanimously that health information needed to be treated differently, should be treated differently, and we are in the process of crafting regulations which would separate out health information and provide for the same kind of opt-in standard that you have provided in this bill.

    Specifically, I would like to highlight a couple of areas where there is a lot of consistency between our approach and the approach of H.R. 4585. First is the basic recognition that health information should be treated differently than financial information. Second, it should be treated with more protection than financial information with an opt-in standard across the board.

    Again, the NAIC framework has been always to say it is the information that should be protected, not necessarily the entity that has that information. So in our prior models and in our current regulations, we don't delineate between a worker's compensation company, an auto insurance company, a life insurance company or a health insurer who may have health-sensitive information. We think it is the information that deserves the same kind of protection. And it should be across the board with financial institutions, again, recognized by your bill.

    These aspects of your bill mirror the standing NAIC policy, and we applaud your efforts in amending Gramm-Leach-Bliley to include these important protections. As I said, we have been fairly consistent on this. We had a model in 1980, a general privacy model, that recognized an opt-in standard. We updated that model in 1998 specifically for health information, again recognizing an opt-in standard. And we are currently at work drafting the model regulations which we will urge our colleagues across the country to implement in compliance with the Gramm-Leach-Bliley regulations, and which, again, have an opt-in standard for health information.

    Frankly, it is probably preferable if Congress acts on this measure, because that is a way to ensure that the standard is in place simultaneously around the country and doesn't need to wait on a State-by-State implementation of the regulatory framework. It is that framework that we are here to urge you to move forward on. We do have an accelerated timetable for finalizing our regulation. As you know, the Federal regulations were not final until mid-May of this year. We wanted to wait and see the framework of the final financial Federal regulations before we moved ahead, but we hope to have the final draft of the regulations for insurers ready by September, so States can move either with their own regulatory authority, or in next year's legislature, to put these in place.

    As has already been discussed, a lot of what is in your bill mirrors the HHS regulations, but given the jurisdiction of Health and Human Services, a lot of entities who collect and hold sensitive financial information will not be covered by the regulations, which, at the earliest, I think are scheduled to be effective December of 2002.

    So we are still a long way from seeing some sort of standard on health privacy regulations. Having said that, Mr. Chair, the insurance commissioners across this country look forward to working with this committee on this very important issue. We applaud separating health information, having an opt-in standard for health information, and urge you to move forward.

    Chairman LEACH. Thank you very much, Ms. Sebelius.

    Mrs. Roukema.

    Mrs. ROUKEMA. Mr. Chairman, I am going to reserve my time. Thank you.

    Chairman LEACH. Mr. Ryun.

    Mr. RYUN. I would like to ask a question related to your testimony. Apparently, you share a very disturbing story with regard to a company that apparently shares a claimant's, if you will, prescription information with a pharmaceutical company. Then it tried to market those particular products to the customer's physician. Now, how often does this happen? Is this simply an isolated situation or is it rather frequent?

    Ms. SEBELIUS. Frankly, Congressman Ryun, I can't enumerate the number of times. I chaired the Privacy Working Group that drafted our 1998 model, and that testimony was part of the hearing process that came forward. We heard a number of very disturbing pieces of testimony where bits of medical information were revealed, clearly not by the consumer, but by some entity collecting it.

    I know that in my own situation, and I have had a gentleman in Atchison come up to me after a speech I gave on medical privacy, to say that he was terribly concerned, because he had just finished a series of tests which resulted in his diagnosis as an adult onset diabetic. Within about a week of that confirmation by the medical clinic, he began receiving bulk-rated syringe mailings, insulin alternative products, a variety of information. As he said to me, ''I didn't put a bumper sticker on my car. I didn't put a sign in my yard that said 'guess what, I am a diabetic.' I didn't take an ad out in the Atchison Globe, but somebody in that chain of events did release my information, and I am now seen as a marketing tool.''

    He was quite unhappy with that, and unfortunately, I think it happens more often than we would like. I can't quantify around the country how many times it has gone on.

    Mr. RYUN. What we are advocating here, do you think in this situation it would help solve part of this problem?

    Ms. SEBELIUS. I think it would help greatly. As has already been raised by earlier questions to the Assistant Treasury Secretary, the combination of this bill, which is aimed at financial institutions, and the currently-pending Health and Human Services regulations, which cover a broader scope of health plans, providers, hospitals and medical information, creates a pretty substantial umbrella for those who are collecting and holding financial information to prohibit sharing without specific consumer consent.

    Having said that, I think that our draft model, and certainly we would urge the committee when regulations will be drafted, creates large business exemptions. We recognize that insurers, for instance, need to process health information on a regular basis to pay Workers' Compensation claims, analyze a PIP auto carrier, or underwrite a product, and those were recognized within the regulations that we would put forward. It doesn't impede the business of insurance, but it does preclude you from sharing information, selling it, or marketing it for other reasons without the consumer saying it is OK to do so.

    Mr. RYUN. Thank you.

    Mr. Chairman, thank you.

    Chairman LEACH. Thank you.


    Mr. LAFALCE. Thank you very much.

    Ms. Sebelius, I was discussing with the Chairman earlier privately the importance of trying to find the appropriate role for both the Federal and the State governments on so many different issues with respect to bank charters, with respect to charters of credit unions, and so forth. One of the areas we are going to have to grapple with in the future is the appropriate role of Federal legislation as opposed to State legislation in protecting privacy. Do you think, as a starting point philosophically, that Federal law should: A, be preemptive of the States?; or B, just establish minimal standards, but not preclude the States from adopting their own additional consumer standards?

    Ms. SEBELIUS. Congressman, the views of the association that I am here to represent, and my own personal view, are that the kind of Federal floor issue, particularly in this area, is very appropriate. As you know, State law has——

    Mr. LAFALCE. When you say Federal floor, I think you mean it should not be preemptive; is that correct?

    Ms. SEBELIUS. That is correct. The way I understand it, at least the overall framework of Gramm-Leach-Bliley, particularly in the privacy areas, is that it does recognize the opportunity for States to be more consumer friendly, more restrictive. States have, over the course of fifty years, developed various kinds of health privacy standards often tied to some very specific kinds of laws in place, certain kinds of Workers' Compensation systems which are tracked, or medical tests which are done in a certain State.

    While I think we have said consistently in the past that we think there is a clear role for Congress, we believe it is appropriate to have national privacy standards governing national definitions, governing a large area of this. Our caution about blanket preemption, particularly in the privacy arena, is the unintended consequences of various kinds of particular State laws which could be wiped out and could actually put consumers steps behind where they are right now. So we are very cautious about blanket preemptions.

    Having said that, I think we would encourage moving forward with broad guidelines that are nationally implemented and nationally known. I don't want to go skiing in Colorado and have a different set of recordkeeping for my medical records there than in Kansas. I don't think that serves the consumer well and it certainly is very difficult for an industry to operate under. In the major areas I think setting standards and saying these should be nationalized are very appropriate.

    Mr. LAFALCE. I think that is basically the approach we took last year, financial services modernization. I think that is the approach both that the Chairman and I have taken in our respective bills further addressing the issue.

    Now, you mentioned that the NAIC has come up with some model standards, model legislation, and you pointed out the similarities between the model legislation you come up with and the bill introduced by the Chairman dealing with the issue of medical privacy. My first question is, did your model standards only deal with the issue of medical privacy, or did you consider other issues?

    Ms. SEBELIUS. We attached two pieces of model legislation to, I think, the written comments, Congressman LaFalce. The 1998 model, which is attached, specifically deals with health information privacy and recognizes a need to carve out that area. The earlier model, which I think was 1980, dealt with across-the-board information kept by insurers, and also had an opt-in standard for non-affiliates to receive any kind of information, financial or health, collected by insurers.

    So we have sort of dealt with both areas. But the 1998—the newest area, was dealing very specifically with health in lots of detail.

    Mr. LAFALCE. Has the NAIC reconsidered its 1980 and adopted it anew, or you have just not gone back, that is two decades ago. There were a few advances in technology and electronics and market usage in the past two decades.

    Ms. SEBELIUS. Right now we are in the process of trying to comply with the mandate to develop regulations as functional insurers to apply privacy regulations for insurance companies across the country. We are developing a model regulation in two phases. The first, which is what is underway right now, and hopefully will be completed by September, is an interim regulation. We have actually drafted it with a sunset clause and have attempted to mirror, on the financial side, the standards that are in Gramm-Leach-Bliley; no disclosure among the affiliates, and an opt-out for non-affiliates, with the exception of health information where we are drafting a more stringent standard.

    I will share with you that there are a number of colleagues of mine who feel very strongly that we should revisit even those earlier standards for financial entities, because those are not strong enough and are not protective enough of consumer interests on the financial side, and we see that as phase two.

    Mr. LAFALCE. I think it would be helpful, mutually helpful, if we kept in close touch on these developments, because we could both gain.

    If I could go back, though. You addressed similarities between your 1998 standard and H.R. 4580, and there are similarities between that, the bill that I introduced working in concert with the Administration. But Mr. Gensler also pointed out some concerns. One of them was scope, just didn't deal with other issues. Aside from scope and not dealing with other issues, there were some particular difficulties that I think can be addressed. Are there any dissimilarities between your model standards and H.R. 4580 that you think we should address, and particularly what about the dissimilarities that Mr. Gensler pointed out in particular?

    Ms. SEBELIUS. I don't want to misspeak, because I am not as familiar as I should be with all the details of H.R. 4585, but I think that there really aren't any inconsistencies. In fact, the draft of the bill, our privacy model, I think, could be used as regulations to implement the bill that is before you.

    Mr. LAFALCE. What I would ask then, do you think you could, in writing, make comment on the specific details that Assistant Secretary Gensler had with H.R. 6320?

    Ms. SEBELIUS. I would be glad to.

    Mr. LAFALCE. Thank you. Thank you, Mr. Chair.

    Chairman LEACH. Mr. Bentsen, do you seek recognition?

    Mr. BENTSEN. Thank you, Mr. Chairman. I think you have one on your side down there.

    Chairman LEACH. Mrs. Biggert.

    Mrs. BIGGERT. Yes. Thank you, Mr. Bentsen. Thank you, Mr. Chairman.

    You mentioned several times the Workers' Compensation and the auto insurance issue, which I had asked before. Do you think there needs to be something put into this bill to clarify that issue?

    Ms. SEBELIUS. Congresswoman, I think that as I read this, there is nothing inconsistent in here with having a regulation that would give the kind of—I think you are going to need very specific business exemptions. It is part of what is contained in our privacy model which is attached. We really tried, again from the insurance side, to think through carefully what are the areas that insurers, both property, casualty and health, are involved in where health information needs to be shared.

    So I think it could be addressed in the regulations. I think it would need to be addressed in the regulations, and perhaps some notice in the bill could do that. To not impede the business of insurance specifically, would be a good notice in the overall bill. I don't think the draft of the bill is inconsistent with providing those various business exemptions.

    Mrs. BIGGERT. The other issue that was discussed earlier was the State guarantee funds and how they operate. Could you explain that a little bit to me, and then whether there should be some clarification as to that in this bill also.

    Ms. SEBELIUS. I think that, again, they would be covered in a broad business exemption. I am not quite sure, and I know that is part of the ACLI testimony, exactly what it is in terms of the health arena that a guaranty fund would receive, which would be prohibited by this. As you probably all know, the guaranty funds assess and pay for claims left by an insolvent company.

    So it is typically financial information which is gathered and exchanged, but if this would somehow impede that flow of information, we would certainly not favor that, and I think it could be easily provided for by an additional business exemption.

    Mrs. BIGGERT. Thank you. Maybe just briefly also, since I have some time left, could you just tell what are the real benefits for consumers? Are they heightened or are they lessened, and how does this really benefit a single consumer?

    Ms. SEBELIUS. I think most people believe that their personal health history is probably the most sensitive personal information they have. It seems to me that financial institutions may actually be enhanced in a role with consumers if they feel they are in a trusted position, and that the information they give to get a life insurance policy or pay an auto claim or get payment under a Workers' Compensation system is not going to be marketed to their disadvantage, is not going to be shared, and won't be used by a mortgage banker to not give them a home loan if they have some sort of wrong condition.

    I think consumer confidence is key to any commercial dealings and we should be assuring consumers that this information is personal and private, it is protected, it needs to be exchanged for the commerce of doing the business of insurance and other financial entities, but it is not going to end up being used against them. It is not going to be something that will keep them from getting a loan, driving a car, operating in the normal business of their work day. I think that goes to the general good, and given the ease of collection and transfer of information, I think it is even more critical that the rules be clear at the outset. Consumers should know what is and is not going to happen to the information they give, and that there is some regulatory authority who is making sure that the companies follow those rules.

    Mrs. BIGGERT. Thank you.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you.

    Mr. Bentsen.

    Mr. BENTSEN. Thank you, Mr. Chairman.

    I still remember what it was like to sit down on the lower row, so I wanted to make sure that Mrs. Biggert got her time in order.

    Mrs. Sebelius, I want to ask you just a couple of questions. One is related to the testimony of the panel that will appear after you. I may not be able to be here for all of their testimony, and so I would hope and expect that they might respond to the question that I am going to pose for the record as well.

    I haven't read all of the testimony, but in reading some of the testimony, a number of the organizations surprisingly would oppose provisions of the Leach bill as it relates to an opt-in requirement. They raise, I guess, this is my question. The reason that they raise is specifically with respect to employer-provided health benefit plans that a restrictive opt-in requirement would make it difficult for the broker or the insurance provider to make adjustments in that plan with whoever I guess the carrier may be.

    In your capacity as an insurance commissioner, as a regulator, do you see that as a problem; or is the initial agreement between the employee, employer, and insurance broker or underwriter with an opt-in at that point, would that be sufficient in giving the insurance carrier, broker, underwriter, whichever, the ability to make policy changes during the term of the agreement between them and the employer? Or is this a legitimate concern that these groups have?

    Second of all, as part of that, they raised the question that this could become problematic between the insurance carrier—how the insurance carrier would work with a specific health care provider. I guess the example might be when you go into the emergency room and they are trying to verify your insurance coverage that there is a potential that this could block the transfer of information that would then make the provider unwilling to provide care for some particular reason.

    And then I have another question after that.

    Ms. SEBELIUS. Again, Congressman, I think that in the employee benefit plan arena, in the regulations that we are attempting to put in place right now covering insurers, we recognize that it isn't until information would be shared actually outside the general course of the business of insurance, that triggers the notice and the disclosure issue would be triggered.

    I do think if the employee benefit area isn't carved specifically enough into this umbrella, it would be relatively easy to do that to include it in the broad business exemptions, because I think it is important to conduct the business of insurance. It is something that, again, I think we tried to do very carefully in that 1998 model when we came and urged Congress to look at it as one of the possibilities to meet the HIPAA standards that were at that point pending.

    I think in the treatment area, again, the model attached to our testimony deals with all sorts of health care-related issues. If you go into an emergency room, where you would need to exchange information, what if you have an unconscious patient? How could he or she give disclosure? You don't want to shut down the possibility that they are going to get medical treatment if they can't get their records accessed. So that area is captured and I think very much present.

    The way I read H.R. 4585, it is sort of the ''20,000 view'' level. It captures the major framework of what then would be implemented in specific regulations, and I think some of these issues and exemptions are not inconsistent with the framework. They would just need to be crafted into the regulations to make sure that they don't impede medical treatment.

    You also don't want to impede research issues. There are broad exemptions, I think, needed for the research community to make sure you don't grind that to a halt by having too stringent rules on disclosure and nondisclosure for the business of insurance, but I don't think those are inconsistent with the notion that you are not going to sell or market or share this information outside of doing some very specific activities.

    Mr. BENTSEN. With the Chairman's indulgence, properly crafted, an opt-in could be properly crafted that would not impede the functioning of the insurance agent or broker, underwriter, you believe, and still provide this protection?

    Ms. SEBELIUS. We believe that is true, and actually that is what we are going to advocate that our colleagues adopt as the standard for the insurance regulations which would meet the Gramm-Leach-Bliley mandate.

    Mr. BENTSEN. I am going to have to leave, but I have one quick question, Ms. Madam Chairwoman. I would hope and expect that the other panel would address that issue when they testify.

    Ms. SEBELIUS. They have been addressing me for the last four days, up close and personal. I am sure it will go on.

    Mr. BENTSEN. They will be addressing us as well. You said in response to Mr. LaFalce, I think it was, the concern about a patchwork of State rules with respect to medical privacy protection, am I to understand that you would favor a Federal preemption of some sort or a uniform Federal standard as it relates to privacy rules, and that would be somewhat contrary to what we did in Gramm-Leach-Bliley?

    Ms. SEBELIUS. Congressman Bentsen, I think that what I was trying to say is that when we testified in the period that the Kassebaum-Kennedy bill would have mandated Federal privacy action by August of 1999, that we urged Congress to move ahead and gave as part of that testimony what we thought would be a framework that would at least work well for insurers, which was the privacy model attached.

    We have participated actively in commenting on the HHS regulations which are pending, and which eventually will at least be in place for the portion of the industry that I am familiar with that holds sensitive health information, but not the entire industry. I think it is appropriate that we have broad Federal standards in place simultaneously around the country with the same kind of definitions and same kind of protections for most of the areas of privacy.

    The reason I have the caveat that I do is that there are literally thousands and thousands of State laws which have been in place for half a century, which have to do often with very particular kinds of State collections; databanks, Workers' Compensation systems, special tests. In Kansas, we do a special test for hearing of infants that is not nationally promulgated, but it is done specifically.

    Wiping out in one fell swoop all of the State privacy laws which are in place in statutes could, I think, have some serious, unintended consequences for consumers, and that is what we are concerned about. I think broadly defining and outlining an area where the Federal rules will be in place and would preempt State laws, makes sense. However, you need to be very cautious about what else you are wiping out in the State statutes.

    Mr. BENTSEN. Thank you.

    Thank you, Madam Chairwoman.

    Mrs. ROUKEMA. [Presiding.] Thank you.

    I do have a question, and that is, this bill or the Chairman's bill singles out for a particular protection information relating to mental health and/or mental condition, and it requires a separate and specific customer consent for disclosing such information.

    Now, there is at least one other group or maybe others on the next panel that states in its testimony that a separate consent requirement for mental health information is not needed. I don't believe that you address this directly in your testimony, but I have a special interest in this concern. And of course on the next panel, we will also be having the American Psychiatric Association giving its own testimony, but I would appreciate having your input and your perspective on this particular question:

    Should there be a specific separation? I believe there should be a specific customer consent as required in the bill. Could you please express yourself on the subject.

    Ms. SEBELIUS. I am not sure I am able to give you a very complete answer on that. I can tell you that at least our old models and current regulations which are in place do not have specifically enhanced standards for mental health. And as far as I know, that was not a topic that was either addressed and rejected or accepted during the course of that process. I would just suggest that I think there could be other groups who come and say, you know, this sort of condition or illness may be equally——

    Mrs. ROUKEMA. You are saying that your group has not specifically addressed that?

    Ms. SEBELIUS. No. So I am not able——

    Mrs. ROUKEMA. Can you explain in any way, even from your own perspective, how you could possibly separate one health issue from another?

    Ms. SEBELIUS. The Chairman may be better able to answer that. The only issue that I am aware of and quite sensitive to is that there is a strong belief that mental health treatment carries with it such an extraordinary stigma that seeking treatment or seeking information about treatment, in and of itself may deter people from getting the help they need; and so having additional protections attached to confidentiality in that area may actually propel people to get much-needed help and treatment, and that makes sense to me.

    Mrs. ROUKEMA. Thank you. I appreciate that.

    Mr. Chairman, I have concluded my questioning. I appreciate your answer.

    Chairman LEACH. [Presiding.] We have no further questions. We want to thank you very much, Mrs. Sebelius.

    Ms. SEBELIUS. Thank you. We do look forward to continuing to work with the committee on this very critical issue. Thank you.

    Chairman LEACH. Thank you.

    Our third panel is composed of Richard K. Harding, who is the President-Elect of the American Psychiatric Association and Vice Chair of Clinical Affairs and Professor of Psychiatrics and Pediatrics at the University of South Carolina School of Medicine; my former colleague, Mr. Steve Bartlett, who is President of the Financial Services Roundtable; Mr. Don Brain, who is President of Lockton Benefit Company of Kansas City, Missouri, on behalf of the Independent Insurance Agents of America; Mr. Robert H. Rheel, Senior Vice President of Fireman's Fund, on behalf of American Insurance Association; Edward L. Yingling, Deputy Executive Vice President of the American Bankers Association; and Ms. Robbie Meyer, Senior Counsel, American Council of Life Insurance.

    We will begin in the order of introduction. Let me welcome Professor Harding. Please.

    Mr. HARDING. Thank you, Chairman Leach, and thank you, Ranking Member LaFalce, Mrs. Roukema, and other Members of the committee for this opportunity to testify.

    In addition to being at the University of South Carolina, I also served on the National Committee on Vital and Health Statistics, which advises the U.S. Secretary of HHS on medical privacy and medical information issues. But I am here today testifying as President-Elect of the American Psychiatric Association.

    We now face what a bipartisan national panel of experts called a privacy health crisis. Many of us would say this represents somewhat of an understatement. As many of you saw probably a month or so ago on the newsstands, a magazine that said we know everything about you, because we live today in a 21st Century, cyberspace, high-definition, financial and health care system; but we also live with medical privacy laws that are more along the lines of the bygone black-and-white television era of Marcus Welby, M.D. While there are some very good corporate citizens who are voluntarily protecting patient privacy, such actions cannot substitute for statutory protections to ensure that all patients will enjoy needed confidentiality protections.

    Your efforts, Mr. Chairman, as well as those of the Clinton Administration and Mr. LaFalce, to add needed privacy protections to the Financial Services Modernization Act is a critical, important first step; and we strongly urge that you and your colleagues come together on a bipartisan basis and pass legislation to add privacy protections to the financial modernization law.

    As we consider this issue today, I hope that each and every one of us in the room will think not only of the public policy issues involved, but also in terms of our own medical records and those of our family members. Medical records contain the most sensitive information about ourselves and our families, and as dedicated individuals in the financial services are, I can assure you that, as a patient, I want to make the choice myself as to whether my medical information is disclosed and I want the same thing for my family. The decision should not be made for us by a financial institution, insurance company, or a bank's mortgage lender. Disclosures of certain medical records information can jeopardize my career, our careers, our friendships, marriages and even our health.

    How, you might ask, can financial modernization law affect medical privacy? Kind of simply put, the 1999 financial law insurers, including health and life insurers, can easily merge with banks and other financial companies. As a result in these large new holding companies, it is easy for any one of these entities to disclose medical records information to a corporate affiliate such as a life insurance company, bank, mortgage lender, or credit card issuer. While I have no doubt that the new law will produce many benefits, we cannot ignore these privacy issues.

    In addition to the importance of privacy and consumer transactions in our personal and professional lives, patient privacy is needed for physicians to provide the highest quality of care. It is often forgotten that doctor-patient confidentiality is an essential element for effective medical treatment. Without this high level of patient trust, many people will be deterred from seeking needed health care and for making a full and frank disclosure of information needed for this treatment. This is particularly true in psychiatric care.

    In 1996, the Supreme Court, in the Jaffee v. Redmond decision, mental health information was decided to be so sensitive that additional privacy protections are needed for psychiatric treatment. The Court held that, ''Effective psychotherapy depends upon the atmosphere of confidence and trust, and for this reason, the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment.'' We also were pleased with the 1999 U.S. Surgeon General's report on mental health research, and he reached a similar conclusion.

    H.R. 4585 establishes a key principle for protecting the medical records held by financial services companies. The legislation would create a general rule, allowing patients to choose if their medical records will be disclosed to an affiliate company or nonaffiliated third parties. In these cases, companies would need the express written consent of the patient before disclosing medical records.

    We strongly support this patient consent rule. I am equally enthusiastic about the bill's general rule ensuring the patient's mental health records not be disclosed without the patient's separate and specific consent.

    I do believe there needs to be further discussion on the provisions implementing these general rules. No one wants the exceptions to the rule to swallow the rule. Yet, as currently drafted, do these provisions ensure that in the routine course of business, patient consent will be voluntary and noncoerced? This remains unclear. Likewise, the Secretary is now given new authority to create additional exceptions.

    We look forward to working on these issues with you and your staff so the consumers in the real world enjoy meaningful new protections. Thank you for this opportunity to testify.

    Chairman LEACH. Thank you very much, Professor Harding.

    Congressman Bartlett.


    Mr. BARTLETT. Mr. Chairman, Madam Chairwoman, Members of the committee, I appreciate the chance to be here.

    The Financial Services Roundtable, as you know, is a national association of 100 of the Nation's largest integrated financial services firms, and as such, our member companies engage in banking, securities, insurance and other financial services activities.

    Mr. Chairman, I am here to support your legislation, the purpose of the legislation, and to encourage you in this process. The Roundtable believes that protecting the confidentiality of health information that is in the possession of a financial institution is a matter that merits a uniform national policy. We supported similar legislation within Gramm-Leach-Bliley last year. We were disappointed when that legislation was deleted for reasons which we don't understand and, Mr. Chairman, we commend you on your leadership and consistency in promoting medical privacy. We support that legislation today, and we would support it in the future if it comes up in the future.

    I want to say at the outset of this statement that the member companies that I represent—and so far as I know, most providers of financial services do not use or disclose health information derived from their customers other than for medical reasons or as otherwise intended by their customers. In other words, this issue is, at best, a potential loophole in our privacy laws, but it has quite a high emotional impact; and so even as a potential loophole, we believe it ought to be closed.

    Mr. Chairman, overall, the members of the Roundtable believe that on the overall issue of sharing information, that the sharing of consumer information, in general, with affiliates and third parties can and generally does benefit consumers of financial services. Information-sharing between affiliates can permit, and with outside third parties can permit, an integrated firm to structure products and services that meet a customer's specific needs. We support, therefore, Gramm-Leach-Bliley's privacy protections, because it provides for both; the consumer benefits from appropriate information-sharing as well as protecting customer confidence.

    However, we think that medical privacy is in a whole different category, that medical information is in a separate category and ought to be dealt with in a much stricter fashion in which the information should only be used for medical purposes, as it was intended.

    We believe that medical institutions already have an obligation to maintain the confidentiality of medical records. That is an industry practice. We think it is covered by a myriad of State laws, regulations, various voluntary industry practices and court cases, and we think that what is called for here is a uniform national policy.

    Mr. Chairman, having expressed my support for the bill in its proposed form, as well as in its purpose, the bill is not without some details that I believe need some change. We have worked with the member companies of all kinds of financial institutions, and we cite in our testimony a number of changes, some of which are highly significant, that I would put in the must-change category for this legislation to work.

    Number one is, in Gramm-Leach-Bliley there are uniform exceptions to the confidentiality, and we think that those exceptions ought to be mirrored in medical privacy. First, and probably most important and the one most significant part of this whole legislation as it is currently drafted, is that the bill, as drafted, would not allow an insurance firm to share information with an insurance rating advisory organization or a State insurance guaranty fund. If such information cannot be shared freely with the rating organizations, then the establishing of rates is not going to be possible.

    Now, Mr. Chairman, perhaps there are some that believe we ought to eliminate rating of insurance and have one giant pool of 270 million Americans. I don't think that would be the intent of Congress; I don't think that would be the view of the majority of the American people. But if there is legislation to do that, we ought to have legislation that does that and not do it in a back door way through some other topic.

    Second, the Gramm-Leach-Bliley provides other exceptions for the sharing of information with service providers which ought to continue in this legislation, and then other Gramm-Leach-Bliley exceptions. Mr. Chairman, we also believe that the consumers' access to correct their information has some ways, which I suggest in my written testimony, in which it can be drafted in a way that is more beneficial to consumers.

    Next, we believe—and we have looked at the mental health provision. We think it is—we appreciate the intent of the mental health provision, but Mr. Chairman, I have to say that we believe that this legislation is a mere absolute prohibition of the use of medical information either physical or mental for uses that it wasn't intended for. We think that prohibition ought to apply equally to heart, lung, or mind and there is no particular reason that it ought to be separate.

    Last, Mr. Chairman, I would say that we strongly believe there is a need for a national standard. Every State has a different law. There are multiple laws in different States. Only two States have a comprehensive law. There are twelve States that have model laws. All the others have a variety of laws, and then you have the Federal regulations on top of that and court cases on top of that.

    We think this issue calls out for a national standard and we would encourage you to include that in the legislation.

    Chairman LEACH. Thank you very much.

    Mr. Brain.


    Mr. BRAIN. Thank you, Mr. Chairman, Members of the committee. My name is Don Brain. I am President of Lockton Benefit Group. We are the eleventh largest employee benefits consulting and brokerage firm in the country and the nearly 2000 employees of Lockton Benefit Group administer and work with clients all over the United States in their employee benefit programs.

    Today I am appearing on behalf of the insurance agents and brokers, the nearly one million men and women who work in every part of the United States. These professionals are represented by the Independent Insurance Agents of America, IIAA, of the National Association of Insurance and Financial Advisors, formerly known as the National Association of Life Underwriters and the National Association of Professional Insurance Agents.

    I serve as the IIAA's Governmental Affairs Committee member, the health care liaison to that committee. In addition to my role at Lockton Benefit Group, many of my associates are members of NAIFA and the Association of Health Insurance Advisors. NAIFA's conference is devoted exclusively to health insurance and benefits issues. All three associations represent health insurance professionals all over the country.

    The associations that I am appearing on behalf of commend you for your leadership in bringing H.R. 4585, the Medical Financial Privacy Act, to this testimony today. We appreciate you holding this hearing and allowing us to testify on behalf of this legislation.

    Perhaps there is no more important topic today in politics than the privacy of information, particularly medical information. At the outset we appreciate your leadership in this area and we appreciate your sensitivity in working with all three associations and their concerns to protect consumers' privacy regarding their medical histories.

    The primary message that I want to relate to is that we want to work with you and Ranking Member LaFalce in making sure that this bill becomes the law of the land. The insurance agents fully support the overarching objective to protect individual sensitive health information and your approach to achieving that objective. At the same time insurance agents need to share information that they receive in the normal course of business and with health care and health care providers in order to provide a high level of service and the employee benefits of health care that we all want and need. Indeed, the vast majority of small businesses in the United States cannot afford separate health benefits, administration services or human resource services and rely on agents to fill those roles for their businesses.

    From our perspective the only clarification that is necessary to ensure that the ongoing administration of employee benefit, employer-sponsored health benefit programs and Workers' Compensation programs is not disrupted in any way is to specifically provide that this information obtained in conjunction with the administration of these plans is not used for any purpose other than administration or securing information on a replacement plan.

    Historically, the agent system has worked, has been the principal method of distribution for the life and health industry in the United States. Agents have been the essential link between the consumers and the insurance company providing services and products while educating consumers in how to manage risks and how to make informed choices about insurance purchases.

    Dramatic increases in health costs over the last decade have caused the agents' role to become even more important as part of the health equation. Agents fill roles in helping clients evaluate programs, educating them about information they need to make informed decisions, often making specific recommendations on programs that are designed to fill their needs and fit their budgets. We work with clients to ensure that accurate and complete information is available to secure the lowest possible premiums on their behalf in the marketplace. We keep in touch with them constantly to review and update periodic information and assist them in compliance requirements. We also review claims information and serve as ombudsmen in their dealing and associates' dealing with insurance companies. We assist business owners in communicating benefit packages to their employees.

    At the outset, IIAA, NAIFA and PIA share the overarching concern about confidentiality of medical information. Although H.R. 4585 would help ensure that these confidentiality objectives are met, it must be clarified to make clear that these restrictions are not intended to interfere with the provision of employer-sponsored group health plans or Workers' Compensation programs in any way.

    Without these clarifications that we have requested, the legislation would thus undoubtedly serve to both increase the costs of providing health care and reduce the number of options that employers would be able to consider. This would greatly undermine the level of care that many Americans are able to receive, and it would likely lead to a tremendous expansion in the number of un- or under-insured Americans.

    In addition, many employers whose rates are established based on claims information rely on agents' review of the accuracy of the financial reports generated by third-party administrators and insurance companies to ensure that their claims information is accurately reported.

    Thank you.

    Chairman LEACH. Thank you very much, Mr. Brain.

    Mr. Rheel.


    Mr. RHEEL. Thank you, Mr. Chairman, and Members of the committee, for the opportunity to present Fireman's Fund testimony on behalf of the American Insurance Association on H.R. 4585. It is my privilege to appear before the committee, and I hope that my testimony will provide you with helpful information as you move forward with this bill.

    I sit before you today not as an attorney or a regular member or an individual who comes through this great Capitol of ours to testify on behalf of bills. In fact, this is the first time that I have physically been in the Capitol and look forward to future visits.

    Instead, my profession and my trade is as a business leader serving the needs of consumers. I would like to share with you today our perceptions of what this bill means to the services we provide to consumers with respect to Workers' Compensation insurance. We all agree that medical privacy is an important issue for consumers and for those financial institutions that hold that information. However, I urge you to take due consideration of the unintentional harm to consumers and other groups that you are seeking to protect. It is our belief that the broad sweeping changes could have negative impacts to consumers and other groups with respect to Workers' Compensation.

    In particular, if we look at the basic objectives of Workers' Compensation, which is to provide no fault benefits to injured employees, a safe workplace, return injured employees back to a productive work life, we believe this bill will prevent us from serving those needs. Preventing legitimate sharing of information with employees and medical vendors and affiliates will prevent us from establishing appropriate timely payments to injured employees, who could not establish with the employer the appropriate work condition to return the injured employee, who could not assist doctors who are not trained in occupational medicine to address medical injuries as it relates to occupational injuries and how to return injured employee back to work, who could not conduct appropriate Work Comp research. Workers' Compensation research is an important element of what we participate in in order to improve the system for all. We also believe we cannot prevent the cost to consumers to increase from litigation, from fraud, from excess litigation as it relates to medical information, and also the cost of adjusted claims would go up with respect to the undue burden of collecting additional paperwork.

    Finally, to the consumer, we could not provide the consumers with information on the cost for insurance. As for their fiduciary responsibility to pay premiums as relates to compensation, we could not provide them backup information with respect to that premium. Nearly 50 percent of the cost of insurance for Workers' Compensation relates to medical payments. Not being able to share this information with employers would not give them an opportunity to understand their true costs.

    Again, we thank you for the opportunity to testify today, and I would welcome any questions you may have.

    Chairman LEACH. Thank you very much.

    Mr. Yingling.


    Mr. YINGLING. Mr. Chairman, thank you for holding this hearing on medical privacy. Throughout its history the banking industry has protected the medical information of its customers. Our approach is straightforward. Medical information should only be used for the purpose for which it is provided and should not be shared without the express consent of the customer.

    Although limited, there are instances where medical information is relevant. For example, in small businesses where the franchise value of the firm hinges on one or two individuals, insurance on these individuals might be required for a loan. In these cases, the borrower will know what information is required and consent to its acquisition and use. Otherwise, medical information should not be used.

    On June 6, the ABA, joined by the Financial Services Roundtable and the Consumer Bankers Association, announced new voluntary guidelines on the appropriate use and protection of information. One of the most important guidelines relates to medical information. This guideline states, and I quote: ''Medical information will not be shared. Financial institutions recognize that when consumers provide medical information for a specific purpose they do not wish it to be used for other purposes, such as for marketing or in making a credit decision. If a customer provides personal medical information to a financial institution, the financial institution will not disclose the information unless authorized by the customer.''

    This and the other nine guidelines represent core values for our industry. Last year, the ABA supported provisions on medical privacy that were contained in early versions of the Gramm-Leach-Bliley Act. We were disappointed that this issue was not dealt with in that legislation. Therefore, the ABA supports the thrust behind H.R. 4585.

    The ABA, however, has concerns in two areas. The first relates to process. While broad consensus may be possible on a targeted bill on medical information, the financial services industry would be strongly opposed to opening up the privacy provisions of Gramm-Leach-Bliley on a broader front. The provisions of Gramm-Leach-Bliley need an opportunity to work. The implementing regulations are complex, and I would add that the cost of compliance will be huge. Indeed, for your information, we believe that it is a conservative estimate that the initial cost across all financial services firms will be in excess of $1 billion, with additional costs each year.

    The second concern relates to some specific provisions in the bill, particularly the subsection on consumer access to information. We find this provision, frankly, totally unworkable in the real world. We recognize it was taken in large part from the Administration's bill. Under the literal language of the bill, an individual—and that individual does not even have to be a current customer—can demand to see any medical information that might be anywhere in the financial institution, no matter for what purpose it is held. To comply with such a request, the institution would have to ask employees throughout the institution if they somehow had obtained medical information about that consumer. While this may not have been the intent, it is a plain reading of the language.

    Perhaps there is a misconception the financial institutions maintain one master list containing all information about a consumer. This is not the case, even for small banks. Typically, there are many lists developed under different circumstances or for different purposes. Moreover, information may be kept in individual employee's files, and never put on any list or on any database. For example, under the bill, a bank would have to go through every check written by a consumer and every credit card slip to see if they couldn't find any medical information, a process that is not done today and a process that is antithetical to the notion of medical privacy.

    In conclusion, Mr. Chairman, the ABA believes that medical information should only be used for the purpose for which it is provided. However, the ABA does have concerns about the legislative process going beyond medical privacy and about specific provisions of the bill. We hope that these concerns can be addressed by the committee, and we look forward to working with the committee to that end.

    Chairman LEACH. Thank you very much.

    Ms. Meyer.


    Ms. MEYER. My name is Robbie Meyer, and I represent the American Council of Life Insurers, the ACLI. The ACLI thanks you, Mr. Chairman, for giving us the opportunity to testify before you today in connection with the Medical Financial Privacy Protection Act, H.R. 4585. We also commend you for calling this hearing and for sponsoring this legislation.

    Life, disability income and long-term care insurers are well aware of the very unique position and the very unique responsibility they have regarding an individual's personal medical and financial information. Toward this end, the ACLI board of directors has adopted policy in relation to the confidentiality of both medical information and financial information.

    Our policy principles acknowledge the changing horizon of the financial marketplace. We support strict protections for medical record confidentiality. We support a prohibition on an insurer sharing medical records with a financial company such as a bank for determining eligibility for a loan or credit even if the bank and the insurer are affiliates. We also support a prohibition on the sharing of medical information for marketing purposes.

    Before I get into the balance of my prepared comments, however, I did want to respond to Congressman Ackerman's statement regarding our sharing of information for posting on the internet, and wanted to state unequivocally that it is a fiction to say that life insurance companies or any ACLI member companies share medical information, encrypted or otherwise, to be posted on the internet in order to decline applicants for insurance or to cause them to be declined for insurance.

    The very nature of life, disability income and long-term care insurance involves very personal and very confidential relationships. However, in order for us to serve our existing and our prospective customers, it is essential for us to be able to obtain and use consumers' personal, medical, as well as their financial information in order to perform very legitimate, essential insurance business functions. In other words, life, disability income and long-term care insurers must be able to use medical information as well as personal financial information in order to underwrite prospective customers' applications for coverage, in order to process their claims, and in order to perform essential, and related administrative functions in connection with those contracts.

    It is essential for us to share and disclose information in order to fulfill legal and regulatory mandates. In other words, it is essential for us to disclose confidential medical information to State guaranty funds. They need to be able to have access to individual identifiable health information in order to evaluate health information claims that a claimant might submit in connection with an insurance company that has become insolvent. Insurance companies also need to make disclosures and to share information with State insurance departments and law enforcement agencies in order to detect and deter fraud. Also, in connection with very ordinary basic business transactions such as reinsurance treaties or mergers and acquisitions, it is also necessary for us to share our customers' information in order to effectuate those business arrangements.

    As you know, Title V of the Gramm-Leach-Bliley Act enacted the strictest regulatory framework ever enacted into law in connection with financial records privacy. We very much appreciate the fact that your bill, Mr. Chairman, tracks the general framework of Title V in seeking to balance consumers' very legitimate and grave concerns about their confidentiality rights with insurers' need to use consumers' medical, as well as their financial, information in order to perform legitimate insurance business functions which are necessary for us to meet American consumers' insurance needs. However, we are concerned that the bill fails to achieve this balance, primarily because of its failure to totally track the Gramm-Leach-Bliley framework. In other words, we are concerned that the bill does not include the Gramm-Leach-Bliley provisions dealing with the necessary sharing of information by a financial institution with the State guaranty associations.

    We are also worried about the fact that it does not include the provisions permitting financial institutions to share information with service providers. That concern arises because many of our member companies have independent agents who are not company employees, with whom they would now have difficulty or be hindered in having ordinary business communications about proposed new insurance policies, or the best policies for a particular individual under particular circumstances.

    We are also concerned by the broad rights the bill grants consumers to access and correct information held by a financial institution, primarily because the bill does not clearly protect from that access information that an insurer may have collected in connection with a fraud or a material misrepresentation investigation and also materials collected in preparation for litigation.

    Finally, the ACLI strongly supports the concepts of a Federal preemption. We feel very strongly that individuals who live across the country should not have to be concerned that they have different medical records privacy protections depending upon the State in which they live.

    And, finally, we would like to thank you once again, Mr. Chairman, for giving us the opportunity to testify.

    Chairman LEACH. Thank you all very much. Your testimony is very helpful and certainly as we go forward suggestions of a specific legislative nature we will certainly review as well.

    Mrs. Roukema.

    Mrs. ROUKEMA. Thank you, Mr. Chairman. I am not sure that I heard with specificity the explanations as to how people or how individual groups stood on the subject of the mental health disclosure question. But I will say, putting it another way to this group, as I have on other occasions to business groups, there are certain issues that are becoming highly emotional and highly political that have the potential of creating a backlash. And I think you are all aware of this, particularly if you have been reading the press lately or you have been reading our e-mails lately, the potential of creating a backlash—and you saw some of that when we got into the controversy here on the committee with H.R. 10 and in conference on H.R. 10. We had to pull back from some of the things.

    But the point is that if we can't come up with a precise definition in this brave new world of instant communication, and also these new holding companies and affiliate relationships, if we don't come to terms with that, and get thinking minds on both sides of the issue, whether it is the health care professionals or the insurance groups or the physician services together, we may end up with something that all of us are going to wring our hands over. And so I didn't hear everyone's comments, but I do have to ask my good friend and former colleague, Mr. Bartlett, I am sorry that I really didn't hear any specific reason as to where your group or any of the other groups might object to the mental health provision. It seems to be blatantly obvious out there. And I don't know what is so objectionable to treating that as a separate entity, as the Chairman's bill proposes. Mr. Bartlett, if you want to substantiate some of your general comments or if anybody else wants to add to it, please.

    Mr. BARTLETT. Madam Chairwoman, we are available to be convinced. Essentially we look at this bill not as an opt-in bill or not as an affirmative consent bill. We look at this bill as a prohibition against using medical information other than for purposes for which it was intended. We think that same prohibition ought to apply to mental health information or physical health information. And I took a very careful look at this, because it is a new approach and it is an approach that is talked about and I knew it would be a hot one. We couldn't identify any benefit to having a separate consent for mental health from physical health. We think that it is a prohibition against the use of information. Ought to stay that way. And we couldn't see a benefit to adding a second or a double consent procedure, just didn't—other than adding paperwork and consumer confusion, we couldn't find anything that someone would want to consent on for mental health information that they wouldn't consent with for physical health information.

    We could be convinced. We couldn't find any reason to do it.

    Mrs. ROUKEMA. We are going to have to convince you, I think. But no, I think the woman on the previous panel—I am sorry, her name escapes me right at the moment, but in answer to my question did say that the insurance group didn't have an official position, but in her own opinion she thought there was a reason for a separating.

    Dr. Harding, do you want to comment. I am sorry, I am talking about Kathleen Sebelius, the Insurance Commissioner in Kansas. Mr. Harding, do you want to amplify on your own position in response to what has been stated on this panel?

    Mr. HARDING. Yes, ma'am. Only that in an ideal world allergies and psychosis would be handled the same. That certainly would be the goal of all of us. But in the real world, because of prejudices or stigma or whatever you call it, certain illnesses have a higher sensitivity than others, and until we overcome that societal prejudice or stigma we are going to have to look out for special circumstances within the medical field that needs special sensitivity protections. But hopefully someday we will have that where it will all be the same.

    Mrs. ROUKEMA. Thank you. I appreciate that. I just hold out the hand of cooperation here, because again I want to avoid a kind of backlash that is going to force us into some very untenable positions in the near future. And we have—it is no secret that there is an election coming up and there are all kinds of ideological or demagogic positions that can be stated on these highly sensitive issues, and I would like to work with everyone on this and come to an intelligent and reasoned conclusion.

    Thank you.

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Marge.

    Mr. Ackerman, do you have any questions?

    Mr. ACKERMAN. Yes, thank you, Mr. Chairman. I am sorry I was out of the room. I am at two hearings at the same time, but I understand that Ms. Meyer made reference to the question that I raised with the first panel. And if I am not mistaken, what I have been advised is you categorically denied that any such system exists whatsoever whereby the insurance companies, some insurance companies, at least one insurance company does not reveal to a prospective person who has had their medical exam what the results of that exam is, if it is a medical claim, that they have paid for the exam and therefore it is not the property of the consumer, turns the person down for insurance, and then posts on the computer for all agents to know not to rewrite the policy of that person because he tested positive for AIDS and the person does not know that. In this particular case, the person died.

    Ms. MEYER. If that happened, that would be absolutely positively contrary to ACLI policy and that of our member companies.

    Mr. ACKERMAN. In that case would you reverse your policy and support the legislation I tried to introduce that would prevent that from happening?

    Ms. MEYER. I am sorry, I am not familiar with your legislation, but we would be delighted to take a look at it.

    Mr. ACKERMAN. It will be my intent, Mr. Chairman, to offer hopefully a friendly and humane amendment that would say that if an insurance company, albeit their physician who pays for the cost of a person's exam and that person is turned down, that that person is entitled to know why he was turned down.

    Ms. MEYER. We absolutely agree that if someone is declined for insurance coverage that they are entitled to know the reason why. A requirement to get that information actually is in the law in the sixteen or eighteen States that have enacted the old NAIC model on privacy. The ACLI has supported that model for decades.

    Mr. ACKERMAN. The reason for declining support was given as it would be too expensive to notify all these people about their illnesses that caused them to be turned down for insurance, albeit this one was certainly a life threatening and life taking incident. So you are saying that you would be supportive?

    Ms. MEYER. I, as an attorney, would have to look at the words, but we are absolutely strongly in support of an individual being informed of the reasons for any adverse underwriting action taken by an insurer.

    Mr. ACKERMAN. Would you be willing to cooperate with us in our determination as to whether or not it was posted on the computer system that this particular person, when his existing insurance was up, should not be rewritten if he was late in payment?

    Ms. MEYER. This sounds like a fascinating case. A life insurance policy, once it has been issued, cannot be canceled for any reason except for nonpayment of insurance claims. The only thing that can happen with the life insurance policy is that premiums can actually be decreased if an individual becomes more healthy after they have had a policy in effect.

    Mr. ACKERMAN. The inference here is that it was posted so that if this person's premium was due on the 4th and it arrived on the 5th, he was to have his insurance declined for late payment and should not be extended the courtesy because of specific reasons.

    Ms. MEYER. We would be delighted to sit down and see what has happened here. This sounds like a horrible situation.

    Mr. ACKERMAN. It is, when we get to computers and people's private information and who has control of it. And I thank the Chairman for allowing this line of questions.

    Chairman LEACH. Thank you, Gary.

    Well, let me thank the panel. And we appreciate very much their testimony. We hope to work with them.

    Oh, excuse me. Mrs. Biggert. I keep overlooking you. I am very, very sorry. I apologize.

    Mrs. BIGGERT. Thank you. I am still here. At least I am not at the kiddie table, so I am in the front row. I do have a couple of questions if I might.

    Chairman LEACH. Please, and feel free to take extra time.

    Mrs. BIGGERT. Thank you.

    Mr. Rheel, based on your professional experience in the insurance business, do you know of any instances of abuse by the insurance companies or their business partners of any access to health information at the current time?

    Mr. RHEEL. I am unaware of any abuses as it relates to information held by insurance companies. And we take very seriously the information that we have in our records and do not freely release the information for any unrelated transaction or for a need of the information to any third party.

    Mrs. BIGGERT. Can you tell me what the practice of and when would insurance companies require health information when considering an application for insurance?

    Mr. RHEEL. From a property and casualty standpoint, medical information that we seek is generally aggregate information. It does not pertain to an individual employee or to the consumer. We make decisions based on information on the aggregate levels from a property and casualty standpoint. That is my field of expertise in that area. Our underwriting is based on risk conditions, not employee conditions as it relates to the individual employee or to the consumers themselves.

    Chairman LEACH. Excuse me, Mr. Rheel, if you could pull the microphone a little closer we would appreciate it.

    Mrs. BIGGERT. I think I am through with the witness. But if I could ask Dr. Harding, are doctors and psychiatrists required by law to protect patients' medical records? So how do these records get transferred to the third party, such as an insurance company?

    Mr. HARDING. Well, insurance companies often ask for details of medical care as part of the payment for those cares. There is a third party involved between a physician and a patient and an insurance company. So they ask for varying amounts of information from the physician with the consent of the patient for means of payment. So they then receive from me in my case information, the smallest amount that I can get away with giving them actually, information that they will then use to determine if the treatment was appropriate and whether they should pay the amount of money that I ask them to. That is how they obtain it originally, although in a hospital setting it is a little different, but there it is usually with the consent of the patient that it goes to the insurance company.

    Mrs. BIGGERT. So really if someone had no insurance, then there probably would be not any or, for example, a bank that would not have access to any?

    Mr. HARDING. Oh, but I think that is where we start getting into some interesting areas because, for instance, if a patient came in to see me and paid cash, didn't have insurance, and I gave them a prescription, they went down to their local pharmacy, handed in the prescription and paid that prescription with a Visa card, all of a sudden the record of what they bought would be in the financial system. Now, it doesn't take a rocket scientist to know that if that prescription is for Prozac that might be a psychotropic medication that many people are aware of and that would start a process that potentially has concerns for that patient's medical privacy, and which was not intended by any means, but it is part of the financial system.

    Mrs. BIGGERT. Mr. Bartlett, you look like you might want to say something.

    Mr. BARTLETT. Technically or potentially, as I said in my testimony, potentially that could be true, but in reality it is not. No financial institutions collect such sort of information. We believe they are prohibited by all manner of laws, court cases and regulations from collecting it. No financial institution uses such information or even collects it. So while this is good legislation to close a potential loophole, I do want the record to reflect that such a situation so far as I can tell doesn't happen, it is not likely to happen, and this legislation would help to prohibit such a thing from happening, but it doesn't happen today, and wouldn't happen in the future, I don't believe.

    Mrs. BIGGERT. OK. And you also said in your testimony that the issue of including an exception for sharing medical information to permit joint marketing of products—what is a joint marketing of products?

    Mr. BARTLETT. I added several exceptions and my exceptions tracked Gramm-Leach-Bliley, which had quite good exceptions. The most important exception was for rating and State guaranty funds, as has been testified here. We think that is absolutely essential. Otherwise you just abolish the whole system of rating tools.

    In terms of joint marketing, again that was in Gramm-Leach-Bliley. We think that there are particularly service providers, agents, independent agents that need to have information as an extension of the company, and that is again using the medical information for the purposes for which it was intended, not for any other purposes. So we would encourage the committee for the purposes of the exceptions to track Gramm-Leach-Bliley and then the prohibitions is an additional and much stronger set of prohibitions of the use of the information. But the exceptions should track Gramm-Leach-Bliley.

    Mrs. BIGGERT. And then just a general question, we have been looking at this privacy issue and protecting patients' medical records, and this was put on to the Gramm-Leach-Bliley bill, but should we really take a look at this just as comprehensive legislation on the subject rather than just legislation dealing only with financial institutions?

    Mr. RHEEL. One of the issues facing this committee is the complexity of products of financial institutions in a new brave world—as we have been talking this morning about—is that there are many products. The impact of medical information has different issues with different products. We talked about life insurance, and my field of expertise is Workers' Compensation. The impact of medical information is critical to Workers' Compensation providing the service to the consumer.

    So I would urge this committee to look at the various components of the financial institution and address the issues that you are concerned about specifically, not broadly over the entire financial institution. We talked a little bit about the rating organizations, the need for information for them to create rates, research organizations needing information to conduct research to improve the system. So there is a particular need for every product and the use of financial information, who uses it, and the purpose of that information changes product by product.

    Mrs. BIGGERT. So you would agree with what was maybe suggested in one of the earlier panels that we should look at Workers' Compensation as perhaps an exception to this because of the opt-in provision?

    Mr. RHEEL. Yes, I would.

    Mrs. BIGGERT. Opt-out provision.

    Mr. RHEEL. I would encourage the committee to consider exceptions like Workers' Compensation because of those needs. What we deal with in the property casualty world is the third parties, and third party actions. They are making their medical condition an issue. It is an issue that they are bringing claims to consumers and looking to their financial institutions, in this case insurance companies, to protect. In order for us to do our responsibility to protect those consumers, we need that information. As a standard practice, we provide that information to medical vendors who provide expertise back to the process to ensure that we are providing the best care to injured employees and also the best services to our consumers.

    Mrs. BIGGERT. Thank you.

    Thank you, Mr. Chairman, for your indulgence.

    Chairman LEACH. Well, thank you very much, Mrs. Biggert.

    I would like to thank the panel. In particular, I want to thank Professor Harding. The reason I say this is you come to this table with some limitations on free speech that the rest do not have. And you might wonder why I say that. A couple of decades ago the officers of your association visited me, advocating or opposing some bill on Capitol Hill, I forget what it was, and I uttered the opinion that I thought a former high ranking public official, in fact a President, had exhibited certain signs of what I would describe as paranoia. I asked them if they agreed with me. And they looked at each other and the president of your association then responded, ''Well, it is this way, Congressman, it is inappropriate for a psychiatrist to comment on someone he hasn't examined, and if he has examined them, it is inappropriate for him to comment without the person's permission. And in any regard, our licenses would be lifted if we said something exhibiting a psychiatric judgment about a public official.''

    So it strikes me you have first amendment constraints that no one else in the country has. So I am particularly appreciative of your coming, but I maintain the view that this particular President was crazy.

    Mr. HARDING. I won't ask you which one.

    Chairman LEACH. But I can say that as a non-trained, non-subtle, non-informed individual. Anyway, thank you all.

    Our next panel, we have Nicole Beason, Esther Peterson Fellow at the Consumers Union; A.G. Breitenstein, who is Chief Privacy Officer of; Evan Hendricks, Editor and Publisher of Privacy Times; Mr. Edmund Mierzwinski, who is Consumer Program Director of the United States Public Interest Research Group; Joy L. Pritts, who is Senior Counsel, Health Privacy Group of Georgetown University; and Mr. Ronald Weich, who is an Attorney with Zuckerman, Spaeder, Goldstein, Taylor and Kolker, LLP, on behalf of the American Civil Liberties Union.

    And we will begin with you, Ms. Beason.


    Ms. BEASON. Mr. Chairman——

    Chairman LEACH. Excuse me, if I could ask, if you pull the microphone quite close I think it is a little easier.

    Ms. BEASON. Is this good?

    Chairman LEACH. Yes.

    Ms. BEASON. Mr. Chairman, Congressman LaFalce, Members of the committee, my name is Nicole Beason, and I am the Esther Peterson Fellow at Consumers Union. As you may know, Consumers Union is a nonprofit publisher of Consumer Reports, and we are here today because we believe that protecting the consumer's medical privacy is a very important issue. What is at stake here? Strangers knowing that at a young age you had a hernia, as a teenager you developed asthma and now as an adult you recently had bypass surgery. You should be able to have your health checked and treated without having your privacy violated.

    Consumers Union has identified certain privacy principles that we believe should be included in any legislation intended to protect consumer privacy. First, every consumer has a privacy interest in individually identifiable health information.

    Second, waivers of an individual's privacy interest should be made clearly and conspicuously and limited in scope to specific purposes. In fact, we have consistently advocated for an opt-in approach to the release of personal medical or physician information. Opt-in simply means that the institution must get the consumer's permission before sharing information about that consumer.

    Third, financial institutions, health care providers and other holders of health information have a duty to maintain the confidentiality of personal health information and should be held accountable for protecting an individual's privacy interest. Personal health information provided to a financial institution by a consumer should not be transmitted to anyone else, including affiliates and third parties, without the consumer's clear awareness and consent.

    Consumers should generally have the right to access and ensure the accuracy of their own health information. Consumers should also have the ability to amend and correct inaccurate information. Inaccurate information could have serious consequences should a consumer consent to sharing their health information. For example, they could be denied health coverage because their records falsely indicate that they have a poor medical history. Therefore, a mechanism needs to be implemented to ensure that consumers will be able to amend and/or correct their information.

    They also need to be given notice when and a reason for why such requests for amendment and correction are denied by the financial institution. It is also important that consumers are given the identity and referred to the original creator of the inaccurate information. The Fair Credit Reporting Act can serve as a model for the regulators to use to implement this requirement.

    Specifically, we are concerned that one of the parties who has a vested interest in this information is not allowed to make a blanket determination as to whether the disputed information is included or shared with other parties. The financial institution or the generator of this information should not automatically deny a consumer's request to amend and correct medical information. Therefore, a dispute process like the one used under FCRA should be adopted.

    Because H.R. 4585 addresses these issues, Consumers Union supports Chairman Leach's legislation, with some suggestions to strengthen this bill. The concerns about H.R. 4585 that we share with other consumer advocates, the extensions, if any, should be limited. The bill should not contain any loopholes that would allow financial institutions to share consumers' medical information counter to the intent of this bill. A financial institution should not be allowed to use health information about a consumer without the consumer's consent, not just for decisions regarding the loan or credit for any product or service offered by the institution to the consumer.

    While it is important to focus on medical privacy, there are other components of privacy that consumers care about. We urge this committee to not just take up this narrow aspect, but to look at a broader privacy package.

    Mr. Chairman, once again thank you for the opportunity to testify before the committee today. I would be happy to answer any questions the committee may have.

    Chairman LEACH. Well, thank you very much, Ms. Beason.

    Ms. A.G. Breitenstein.


    Ms. BREITENSTEIN. Chairman Leach, Representative LaFalce, thank you for inviting me here today. My name is A.G. Breitenstein. I am one of the first Chief Privacy Officers of an internet startup. is the service which allows patients to communicate with each other and with their providers and hospitals and researchers without having to give up their privacy. We are dedicated to the notion that people's information belongs to them, and I want to take this time to thank you for taking up this issue.

    A Wall Street Journal poll recently found that Americans consider the issue of health privacy to be more threatening than domestic terrorism. A Harris poll has also found that privacy is the number one reason that Americans are staying off the internet.

    The urgency of this problem is very, very clear. Nancy Dickey, the past President of AMA, has stated the following, ''These days insurance companies don't want summaries, they want the whole record. So I think twice about what I include, and then I hope I can remember it all. If my patients fear that what they tell me could come back to haunt them, they tend to be less forthright. I may come up with the wrong treatment, because I was chasing the wrong clues.''

    And Nancy Dickey is not alone. I myself counseled a doctor whose wife was an OB/GYN and he told me that his wife routinely doodled in the margins of her record. The reason was that she used these doodles to code messages to herself about her patient's medical histories. She felt that this was important to do to protect the privacy of her patient's records, but feared that if anything ever happened to her, her patient's records would be impossible to read.

    I also want to read you a quick quote from a pediatrician I worked with. He said to me, ''Insurance companies are requesting as part of well visits to ask and document, which I have no problem with, children questions, such as ''Do you have sex?'' ''Do you masturbate?'' ''How are your relationships with your parents and friends?'' ''Have you had an abortion?'' And many others. As I said, I have no problem with asking these questions. What disturbs me is the access that insurance companies have to that information and therefore anybody else that wants or can legally obtain those records. We physicians are in a Catch-22. If we document, patient confidentiality can be destroyed. If we don't document, we are classified as bad physicians. As a pediatrician, I am very concerned about how this information available to third parties will affect these children's futures.''

    Basically patients are put in a position of having to make a choice between their health and their privacy. I want to support you in this legislation. This legislation is a very good first step. If there is one thought that I can leave you with in terms of my testimony, it is this: Personal information, particularly health information, is the new cash in this digital age. Your efforts to protect privacy of personal health information will set the terms that allow patients to negotiate on a level playing field for the value of this new currency. Without adequate protections individuals will be robbed of a valuable resource and will be reluctant to purchase the goods and services they need on the internet.

    What do I mean by this? People get ''free'' stuff, and I put free in quotes, in our new digital economy, because they are willing to give up certain aspects of personal information in exchange for this. This is very true on the internet. Most websites have as their primary revenue model some plan to sell this personal information collected, and personal health information is the most valuable of all these categories of information.

    If I, as a bank, can collect and sell a list of people who have asthma to unscrupulous researcher or a direct marketer, I can make millions of dollars.

    How should this affect your work on H.R. 4585? Privacy legislation will be the backdrop against which the emerging digital economy will be set. It will have a profound influence on the ability and right of consumers to negotiate the value of their personal information in exchange for goods and services. You are in effect creating a new currency of sorts.

    There are a few suggestions I would like to make to this end. The basic rule of consent must be clear and unambiguous with few exceptions, and this consent should be voluntary. Health information collected for one purpose cannot be used for another purpose without consent. I was particularly troubled by the exception for joint marketing that is in the legislation now. It seems to me that this is a loophole for sort of reconfiguring the marketing schemes that people are protesting and as long as it is done along with the entity that first collected the information, this seems like a very large loophole. There are also——

    Mr. LAFALCE. Excuse me. Where is that last concern expressed in your testimony? I was following you on point two and I didn't follow you when you were underscoring a point.

    Ms. BREITENSTEIN. It is not in my written testimony, but I would be happy to amend it for your purposes.

    Mr. LAFALCE. Please do so.

    Ms. BREITENSTEIN. As the banking insurance functions begin to merge under this Act, it is going to be exceedingly——

    Chairman LEACH. For point of clarification, the concern you have in joint marketing is not in the bill. It is advocating——

    Ms. BREITENSTEIN. In the original, correct.

    Chairman LEACH. But not in H.R. 4585?

    Ms. BREITENSTEIN. Correct, it is in the exceptions that are referred to in H.R. 4585.

    Chairman LEACH. So this is a concern about an advocacy of position that another panelist has suggested, but not a concern about the bill itself, is that correct?

    Ms. BREITENSTEIN. Correct. It is a concern for pulling those exceptions into this bill. Does that make sense?

    Chairman LEACH. Sure.

    Ms. BREITENSTEIN. Great.

    As banking and information functions begin to merge, it is going to be exceedingly important to make sure that the firewall between these areas is enforced.

    Finally, individuals must have a right of action to enforce their claims on their own personal health information. Data is property. And if there is one thing we have historically protected in this country, it is the right of an individual to protect their property. Failure to do so will not only adversely affect health care, but will set a dangerous new precedent in this information era.

    Many of my esteemed colleagues have testified today that these protections are going to drive up costs and stymie economic growth. I want to challenge this argument head on. Personal information is a resource. It has value as our economy shifts to an information based system. It will become one of the most valuable resources in the world. If we rob individuals of their data, we will render them penniless and powerless to participate freely and fairly in this new market. We will first feel this in rising health care costs, owing to an eroded doctor-patient relationship. We will then feel the effects of when people offer erroneous information or choose not to participate at all.

    I want to thank you and offer any suggestions I can for improving this.

    Chairman LEACH. Thank you very much, Doctor.

    Mr. Hendricks.


    Mr. HENDRICKS. Thank you, Mr. Chairman. I am Evan Hendricks, editor and publisher of Privacy Times. I have been reporting on and following privacy developments in Washington since I arrived here in 1977. I am in my twentieth year of publishing Privacy Times. There is always a tendency to take good news for granted, and I don't want to do that. I think the good news here is you, Mr. Chairman, and the Ranking Minority Member. You have always been willing to give privacy a fair hearing. You are the first one to tackle the tough information of information brokers. With the help of Mr. LaFalce, the two of you have taken a bipartisan approach to privacy and I have seen the benefits for Americans in that, and I am glad to see that continuing today.

    I think the bad news is that there is not another committee Chairman that followed the example that you set. I hope that that will be changing as it becomes clearer to Washington how important privacy is to the American people.

    I think what we have in front of us today is a good bill. The core of this bill is good, because it is based on affirmative, informed consent, which should be the baseline of all privacy law and information usage in the United States. And I think it is only a matter of years before we get that kind of privacy law and information usage in the United States. So I of course advocate speeding the way there.

    Of course, no bill can be perfect. They can all be improved, including the Administration's and including the one before us today. And so I incorporate the comments of my fellow panelists, ACLU, Dr. Breitenstein, Consumers Union, for some of the specifics I would like to speak to. Traditionally in the United States we have always taken a narrow approach on privacy. Certain issues come up, like we found in Judge Bork's situation where a newspaper reporter got ahold of his video rental records, and this was an issue that hit close to home in Congress and they moved quickly to pass the Video Rental Protection Act. But the narrow approach has left us with many of these gaps.

    So we do have the Fair Credit Reporting Act, an important law that this committee had a role in, video rental records are protected, cable TV is protected. But many important types of records like medical records, employment, some kinds of financial information, internet, retail records are not protected. And this is extremely significant that now in history we are in an age of convergence, where we see under Gramm-Leach-Bliley the convergence of insurance and banks. We see the convergence of means of communications. The internet, cable, telephones, the banking and the wireless system are all converging. I think we really need to move toward a comprehensive approach to privacy if we are going to have our laws fit the technology and the information systems that we have. And so I favor in just the area of financial privacy the starting point for considering financial privacy would be the Administration bill as introduced by Congressman LaFalce. That would take a more comprehensive approach to the issue of financial privacy, and I think that is where we start.

    I think it is also important to point out, though, that there is rampant public concern now about privacy. Even in our newsletter we have reported bits and pieces about some of the politicians' proprietary opinion polls showing that privacy is off the charts among Americans, and the New York Times fleshed this out a week ago Sunday in the Week in Review section, showing both Republican and Democratic pollsters are finding that this is the sleeper issue of this campaign.

    The lesson learned, we must do something dramatic and comprehensive to respond to the well-founded public concerns about privacy and I think the solution is that the Administration really has a responsibility to come forward with a comprehensive national package. If the Administration doesn't do it, then the leadership of the Congress should do it, although traditionally this role has belonged to the Administration.

    Now, I think one reason the Administration hasn't done this is for too long the Commerce Department has been at the middle of the Administration's privacy policy and for too long the Commerce Department has been kneeling at the altar of voluntary self-regulation, and still does, well after voluntary regulation has been discredited as feasible or workable. I think the Commerce Department should get out of the privacy policy business altogether and just go back to counting beans.

    The good news, though, is that the Treasury Department has come forward with a comprehensive financial privacy bill. The Federal Trade Commission has now recommended national privacy legislation for internet privacy and Health and Human Services is moving on medical privacy, telling Congress they need to go beyond what HHS can do in rulemaking. So we have, through fits and starts, we have the pieces of what could be a comprehensive privacy policy.

    I think on top of this we need privacy infrastructure. No matter what happens, we are still going to have to integrate and consolidate and rationalize privacy laws so they are consistent across mediums and for kinds of records and have reasonable differences for reasonable context so there is consistency. And this is the role of what other countries, all of the Western countries have, and we don't, and that is a privacy commissioner, an independent privacy commissioner that would offer answers to the legislature. That is a very important step in creating the privacy infrastructure we are going to need to have a rational scheme of privacy protection.

    Finally, I think it is important to note that one of the most pro-consumer developments is the development of the internet and e-commerce. Yesterday Chairman Pitofsky of the FTC was talking about the benefits to consumers. There is a real risk, and we are seeing the numbers, and that the phrase ''burn rate'' is a very dominant phrase now that the ''e-tailers'' are going to go out of business. That is partly because we have not created an environment of consumer confidence. Without adequate privacy protection, we will not have consumer confidence. Not only is this the best thing for the American people and something that will eventually happen, but something that is absolutely necessary for us to make e-commerce flourish. Otherwise it is still possible we could have the unfortunate debate of ''Who lost e-commerce?''

    Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mr. Hendricks.

    I am also struck by the fact that you had a magazine that has been in existence for twenty years, and privacy as a concern didn't emerge until six months ago. Thank you.

    Mr. Mierzwinski.


    Mr. MIERZWINSKI. Thank you, Mr. Chairman, Mr. LaFalce. I am pleased to offer the views of the U.S. Public Interest Group on your important new legislation to protect consumers' financial medical privacy. We want to commend you for introducing a bill that is very supportable, with some amendments, and we are encouraged by the fact that the core of your bill recognizes that opt-in express consent by consumers should be the criterion upon which information is shared or used for secondary purposes. As Mr. Hendricks has articulated, we believe that any privacy laws should be based fundamentally on opt-in consumer consent.

    We are especially pleased that a number of parts of your bill are quite strong, particularly its provision that the use of information already held by an entity requires express consent and also its stronger provisions in the areas of mental health.

    That being said, I do have a few points in my written statement on areas where we think that the bill could be improved. We also think that some of these areas apply equally to the President's bill. And let me just discuss those very, very briefly.

    First, I think both bills have too many exceptions and that the committee ought to look very carefully at the need for those exceptions. I am quite aware that the industry witnesses believe there should be more exceptions, but we believe to protect privacy there should be as few as possible.

    Second, in the area of coercion of consent, we are generally concerned that consumers not get into the habit of ignoring warnings and simply giving consent as a condition of applying for any kind of an account. And in this area, the President's bill uses one approach, your bill uses a different approach.

    We believe perhaps the best solution might be a combination of the two approaches, with the addition of the approach taken by the comprehensive medical privacy bills, not only the financial privacy bills, but some of the other bills before the Congress that would prohibit the conditioning of any treatment or provision of any service upon provision of consent.

    The third area is the issue of loans or credits. The strongest parts of your bill appear to be limited only to the issuance of loans or credit. We believe that this potentially means that banks and financial services holding companies might be able to use confidential health-related information for marketing purposes, for example, or employment purposes, for example, and we would suggest that you eliminate that narrow structure and broaden the definition so that it applies not only to loans and credit, but to all uses of information by a holding company.

    Neither bill, your bill nor the President's proposal, provides a private right of action under Title 5. We believe that a fundamental privacy protection is to give consumers the right to sue when their rights are violated.

    One area where we think you could come to some congruence with the President is on the important area of access, providing the opportunity for consumers to correct and copy their financial medical records. Your bill, of course, includes this strong provision. The President's bill, however, includes that provision and applies it not only to health records, but also to financial records.

    The industry often complains about complex regulations, burdensome complex regulations. How could I forget the adjective ''burdensome''? The way you could make the regulation more simple would be to apply the access and correction provisions not only to medical information, but also to all information held by a financial services holding company. To give consumers that Fair Information Practice as it applies to all of their information, we think would be a good step forward. Then instead of being under two regimes, the banks would only be under one regime for complying with that provision of the law.

    We believe also that as the bill relates to HIPAA, there is language in the bill describing the relationship between the two bills. We think there should be an expressed provision that says stronger privacy law controls in all circumstances. That would be a notable improvement to the bill.

    We are very pleased that both you and the Administration have recognized, as has the broad coalition of consumer, pro-family, free speech and civil liberties, and privacy organizations that have been supporting privacy legislation in this country, that the core of privacy legislation should be expressed opt-in consent. We would urge you to work together with the Administration.

    Your bill applies to medical privacy. The President's bill, as introduced by Mr. LaFalce, applies to an opt-in regime to both medical privacy and sensitive financial information. We would urge, of course, that that be broadened to include all medical and all financial information, and ultimately, as Mr. Hendricks has described, that we establish opt-in financial consent across all areas of the economy, because as the industry groups are converging, as companies that used to do one thing are doing many things, the gaps in our privacy law are becoming clearer and clearer.

    That being said, we commend you for introducing a bill to solve the most important loophole in the Gramm-Leach-Bliley Act; and that is, its missing provision on medical financial privacy and we urge support of your bill. Thank you.

    Chairman LEACH. Thank you.

    Ms. Pritts.


    Ms. PRITTS. Good afternoon. I would like to first thank you, Mr. Chairman and Congressman LaFalce, for giving us the opportunity to testify today on this important issue of health privacy.

    I am with the Health Privacy Project, which was formed a few years ago. The mission of the Health Privacy Project is to raise public awareness about the importance of ensuring privacy of health information from the standpoint of improving health care access and quality, not just from an individual point of view, but also from the community's point of view. We believe that this is an important area which, as technology changes, is subject to more and more threats.

    Given the focus of our project, we follow the privacy components of the Gramm-Leach-Bliley Act with great interest. Financial information often overlaps with health information, and we have had concerns that in the process of modernizing the financial services industry, sensitive health information might be turned into just another marketable commodity, and we don't think it should be that type of information.

    The bill that is at issue here today, H.R. 4585, goes a long way toward addressing our concerns with that issue. I would like to address some of the major components of that bill.

    One of the first things that we focused on was the opt-in requirement for a financial institution to release the information of a consumer. An opt-in requirement is pretty much the status quo in other Federal bills, and we believe that this is the way to go. We also believe that this is a vast improvement over the opt-out provision that was in the original Gramm-Leach-Bliley Act, because that kind of presumes that a consumer would consent to the release of this information, and we don't think that that presumption is very accurate, that people would voluntarily release this information if they knew how it was going to be used.

    We also appreciate the fact that this opt-in requirement applies to non-affiliates. From a consumer's perspective, it really doesn't matter if the information is going to an affiliate or non-affiliate. The key issue is whether the information is being released from the original record holder.

    Another aspect of this bill that we were pleased with is that it addresses consumer profiles. Although we have heard today that banks do not use medical information in this manner, I think it is quite obvious from anybody who has received a statement of a checking account, that many of us at the end of the year receive a statement that lists how things have been processed. Your credit card statement says how your money has been spent during the year and it includes things like a category, $10,000 for health information during the last year.

    So the technology is there and it is something that in the future people could possibly do.

    One other area that this proposal addresses is that it restricts the use of health information for providing certain financial services. We see this as an improvement over the original Gramm-Leach-Bliley Act. There are a lot of consumer concerns that their health information may be used to deny them access to financial services such as loans and credits. There was a question posed earlier today to another panel about whether anybody knew of any circumstances under which that had actually happened. We are aware of an article that was in Time Magazine, I believe it was in 1996 or 1997, where they reported an example of a bank officer who also happened to serve on a State board which governed a cancer registry, and the bank officer ran a list of the people who had been reported as having cancer and he used that listing, compared it to the files in his bank, and apparently he terminated their loans. Now, that is really kicking somebody when they are down. So there are circumstances that have been reported where this has actually occurred, and we would really like to see a prohibition on that occurring in the future.

    Another major improvement in this Act is a provision that would grant consumers the right of access to and to correct their information. If your health information is going to be used to make life-influencing decisions, such as whether or not you are going to get insurance or you are going to get a mortgage, or if it is going to be spread to other people for them to use, you should certainly have the ability to see what information is out there about you and to correct it if it is inaccurate.

    Although we support the opt-in requirements for use and disclosure, we do believe that those requirements mean almost nothing if they are not truly voluntarily signed, and if a financial institution is able to condition the provision of a financial service on a consumer's executing those authorization forms, it is not really voluntary. It is not really an authorization if you have to do it in order to obtain a loan, for instance. This is one area where we really believe that this bill could be improved.

    Overall, we are quite happy with the provisions in H.R. 4585 and we are pleased that it has been introduced. We look very much forward to seeing the gaps in the Gramm-Leach-Bliley Act filled, and it looks like we are moving in that direction and we would be happy to assist with that process if we could.

    Chairman LEACH. Thank you, Ms. Pritts.

    Mr. Weich.


    Mr. WEICH. Thank you, Mr. Chairman. I appreciate the opportunity to be here today to speak on behalf of the 300,000 members of the American Civil Liberties Union.

    As the fourteenth of fourteen witnesses at today's hearing, I think it is my responsibility to say something that nobody else has said, and say it briefly. What I would like to do is first of all endorse the recommendations for strengthening the bill that my colleagues on this panel and that the Treasury Department official on the first panel put forward. But I want to take a step back and remind the Chairman and the Ranking Member of the importance of this legislation for health and public health.

    Over the course of the morning, and now the afternoon, I think that medical privacy has been discussed in somewhat abstract terms as though the diminution of privacy in the medical area was something that was unfortunate for the individual; it might cause pain, it might cause embarrassment, could expose somebody to discrimination, but that it was something that was an after-the-fact consequence of the violation of privacy.

    The point I want to make is that we believe medical privacy is important, because in the absence of an environment in which people are confident that their medical information will be secure and kept confidential, people will not seek medical treatment in the first instance or people will not be candid with their health care provider. And that is very damaging.

    Let me just give two examples, one ripped from today's newspaper. The Washington Post reports on a Center for Disease Control study which says that 25 percent of the people who get AIDS tests in this country do not return to receive the results, and CDC speculates that a big part of that is the stigma that is associated with AIDS.

    A prior study by the Department of Labor found that a majority of women in the study were reluctant to receive genetic screening for breast cancer. There again, a large part of that problem, and the women said in large part, was because they were reluctant to have a piece of paper exist that said that they had this genetic predisposition. They feared that it would be used against them.

    It is not just the after-the-fact consequence. It is that people will not receive the health services that they need. As a result, the work that this committee is doing in this area is as important for individual health and for public health as anything that your colleagues on the Health Subcommittee and the Commerce Committee might be working on at this moment.

    That said, I don't want you to be left with the impression that the ACLU thinks that the only issue that needs to be addressed with respect to Gramm-Leach-Bliley is medical privacy. We regretted the fact that your bill, Mr. Chairman, the landmark Gramm-Leach-Bliley bill, did not comprehensively address privacy issues to our satisfaction, and we urge that in this Congress, and as soon as possible, the Congress return to the privacy issues across the board with respect to financial institutions including medical privacy. We think your bill is very good, as my colleagues have stated, but we think applying the principles, especially the opt-in principle, to financial privacy across the board would be even better.

    I would just want to quickly highlight three improvements that I don't believe have been mentioned before, and I will say them in very bullet form.

    First, with respect to the right to access and correct information, your bill, Mr. Chairman, permits consumers to do that with respect to records that are in the possession of the financial institution. The Ranking Member's bill goes a step further and says records that are under the control of the financial institution and reasonably available, which is a standard that I think is not burdensome and would ensure that financial institutions don't play shell games with the records. If there is to be a right of access and a right to correct, it should apply to all records that are under the control and reasonably available.

    Second, there has been discussion about the mental health protections in the bill and we commend you, Mr. Chairman, for putting those in there. I think there was some discussion earlier when Congresswoman Roukema was here about why that would be important. Understand that under the opt-in model, it is very often the case that the opt-in will occur in advance; that when the consumer signs up for the financial product, he or she will be asked to provide consent for the future use of the information. As we read the mental health protection, the special heightened protection in your bill, the financial institution would, if it wanted to use mental health information in the future, would need to come back to the consumer and seek consent for that specific use. We think that is vitally important and we would respectfully suggest that those special protections be extended beyond mental health to other sensitive areas like substance abuse and reproductive health, because those are areas where the fear of embarrassment and discrimination is so great that people are reluctant to seek the health service in the first place.

    And, finally, nobody has emphasized the importance of genetic privacy protections. There again, the breast cancer example is one that we are all very familiar with. But the map of the human genome is about to be completed within the next couple of weeks is what we have been told. We think it is vital for Congress to address the circumstances under which that information is going to be available and the circumstances under which it is going to be used.

    We strongly support Congresswoman Slaughter's bill to provide those protections, and while not within the jurisdiction of this committee, of course, we think that revisiting the privacy issue, the privacy issues raised in the insurance context under Gramm-Leach-Bliley, presents an excellent opportunity for the Congress to look at the important issue of genetic privacy. Thank you.

    Chairman LEACH. Thank you very much.

    I must say, all your testimony has been extraordinary and very much appreciated. As we move forward, it will certainly be borne in mind, so any very specific language you want to suggest we will look at as well. Feel free to contact us directly.


    Mr. LAFALCE. Thank you very much, Mr. Chairman.

    A couple of observations. First of all, I thought the presentations of this panel were just outstanding and I thank the Chairman. I requested each of the six of you as witnesses. I think we would have been remiss if we didn't hear from your perspective. I wish more were here to listen to you, both sitting here and sitting out there.

    You have been supportive of the Chairman's bill and my bill similarities and differences in approach, but you have also had some suggested changes for both the Chairman's bill and my bill, and we are grateful for that, because whatever we do, we both recognize that we don't have any particular monopoly on wisdom and anything that we have introduced can always be improved.

    You have pointed out they can be improved significantly, even in the bill that I introduced on behalf of the Administration. I don't think it goes far enough in certain very, very key respects.

    Ms. Breitenstein, you pointed out how very imperative a private right of action is, because if my privacy rights are protected, my personal privacy rights, my property rights, then I don't want to have to rely on the FTC, I don't want to have to rely on the State attorney general, which I have to do even under my bill. I ought to have a right to seek individual redress, because I am the one who has been abused. I don't think that is unreasonable. I think arguments to the contrary are unreasonable. I hear them saying this a defect in my bill even. We need to go further.

    Ms. Breitenstein, I point you out in particular, because you made the point that you come from the private sector. There is something else I think that we must get across, and maybe you could help me buttress this point: By promoting privacy, we are promoting good business practice. How many times have you run into individuals who would have used the internet, for example, who would have used some electronic form of commerce, if they didn't have to share personal information; but they get to that point and then they stop. And I think we could have an exponential growth in utilization of the technology that exists if we adopt the strongest possible privacy protections, rather than thinking that the privacy protections will impede that growth. Anyone want to comment on that?

    Ms. BREITENSTEIN. I want to thank you for that comment, because it is incredibly astute and, statistically speaking, you are right on the money, so to speak. A 1999 consumer's legal study found that 70 percent of people were unwilling or reluctant to divulge personal information online. A 2000 poll found that 40 percent of women have never made a purchase online, citing privacy as their number one concern.

    I wish I had a terrific little vignette for you, but, statistically speaking, if we don't solve privacy, we are not going to support the government of e-commerce and communication and everything else that we want to do online, especially in the health field.

    Mr. LAFALCE. I thank you. Let me just—Mr. Hendricks? Before you respond, Mr. Hendricks, let me just say with respect to Mr. Hendricks and I, we didn't just start talking about privacy six months ago. I remember two years ago we were at the White House at a press conference with Vice President Gore, when we were having a press conference about the need for promoting privacy rights at that time. And then I remember the 1970's, working on privacy when Mr. Hendricks was covering it and I was particularly working on that with then-Congressman John Cavanaugh of Nebraska. But you wanted to comment on the buttress, I think, Ms. Breitenstein's point.

    Mr. HENDRICKS. The other statistic is something between 70 and 75 percent of the people are filling things up in shopping carts when they go online, and abandon the purchase at the point they are talking about actually having to put their credit card number down. So there is a real perception, fear, hurdle, that has to be overcome and that is why I think we need something dramatic and comprehensive.

    You noted that Ms. Breitenstein is from the private sector. There is an exciting dynamic going on. There are new models of companies coming in with the new economy that are based on protecting and enhancing privacy. I am talking to some of those companies, too, and I look forward to sort of bringing them into the debate here to be able to demonstrate how—where in the past you could only make money by invading privacy, and now there is value in protecting privacy.

    Mr. LAFALCE. I think I read or heard someplace about a San Francisco company that has a patent that has been issued that would assist in the protection of privacy by scrambling this information. Do you have anything you want to share with us on that?

    Mr. HENDRICKS. It is a company I am talking to that has a patent for scrambling credit card numbers, and all through commerce, the merchant, the e-commerce, systems communication, you don't see the real credit card number. It scrambles it so it only goes through and then is confirmed by the acquiring bank and issuing bank. It would be a real technological plus to get this sort of technology into the marketplace. It is going to take a mix of technology and legislative solutions to finally show the American people that we can protect privacy.

    Mr. LAFALCE. Let me in closing again thank you, and let me just make a personal observation. This is June. I am not sure whether we will be able to, if we report a bill out, advance it to the floor. I am not sure, given the composition of the Senate and the late legislative schedule, we will be able to advance anything at all in the Senate. Those are just question marks.

    The question is: What should we do now and next? A number of you have been very kind in your comments, both toward the Chairman and myself. I don't know what is going to happen in the future. I don't know whether I will be reelected. Assuming I am, I will expect I will be either the Ranking Member or the Chairman of this committee. Assuming Congressman Leach is reelected, because of the rules of the House, he will not be Chairman in the next Congress. Maybe he could be Ranking Member, I don't know. But if the Republicans have the Majority, it will probably be Ms. Roukema or Mr. Oxley or Mr. Baker, God only knows. But I don't think there is ever going to be a Chairman and Ranking Member who are so similarly disposed substantively on such an extremely important issue, and also of similar personal disposition. And I would hope that we could take this opportunity to craft something that is better than both our bills and as broad and comprehensive as possible, because we might not ever have another opportunity. I thank you and I thank the Chair very much.

    Chairman LEACH. Well, thank you, John. Let me thank you all again. Your comments have been splendid. Thank you.

    The hearing is adjourned.

    [Whereupon, at 2:05 p.m., the hearing was adjourned.]