Declare Your Medical Privacy Intentions

Financial Institutions

In 1999, Congress made sweeping changes to the financial industry, allowing insurance companies to take on banking and other financial functions, and allowing financial and security institutions to assume insurance functions. As a result, medical data can now be held by both insurance and financial companies. Concerns about the merger of these functions include the possibility that a bank could use health information supplied by an affiliated health insurance company to deny a loan.

Title V of the Financial Modernization Act (15 U.S.C. 6801 et seq.), widely referred to as the Gramm-Leach-Bliley Act (GLBA), was signed into law on November 12, 1999, with compliance required on July 1, 2001. Several federal agencies were required to draft regulations on implementing the new federal law, including use, access to, and disclosure of both financial and health data. In addition, state regulators, particularly departments of insurance, found it necessary to determine how to best comply with the new federal law. The GLBA specifically allows data standards required by the 1996 Health Insurance Portability and Accountability Act (see Healthcare Services Declaration form) to supersede data provisions of the GLB Act.

PRIVACY LOOPHOLE

Most citizens do not realize that the new right to ‘opt-out’ of disclosure of their medical and financial data is limited to non-affiliated groups and companies. The law allows unconsented use by and disclosure to ‘affiliates’ of financial and insurance companies. In addition, for a broad array of “insurance functions” no patient or consumer consent is required prior to disclosure. Therefore, even if an individual chooses to follow the ‘opt-out’ process announced by their bank or insurer to prevent disclosure of information, ‘non-public’ medical, personal and financial data can still be disclosed and exchanged.

The National Association of Insurance Commissioners (NAIC) has published an example of legislation that legislatures and regulators can enact into law and implement in each state. Rather than restricting access to data, the NAIC permits insurers and financial institutions to use, disclose and access individually-identifiable health data without consent for 32 broad categories of insurance and business activities (see list on declaration form). According to an April 2001 NAIC press release, 24 states have already adopted the NAIC model as state law. To clarify the entities involved, one attorney writes:

“The term ‘financial institution’ as used in the Privacy Rules [Title V and various federal regulations] is very broad. A financial institution is any institution that is significantly engaged in financial activities. ‘Financial activities’ include traditional activities such as: a) lending, exchanging, transferring, investing for others, or safeguarding money or securities; b) underwriting or acting as an agent or broker of insurance or annuities; c) providing financial, investment, or economic advisory services; and d) underwriting or dealing in securities. In addition, financial activities may include certain activities specified by the Federal Reserve Board, such as: a) brokering or servicing loans; b) leasing real or personal property; c) appraising real or personal property; d) check guaranty, collection agency, credit bureau, and real estate settlement services; e) providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management; f) management consulting and counseling activities; g) printing and selling checks and related documents; h) selling money orders, savings bonds, or traveler’s checks; and i) providing financial data processing and transmission services, facilities (including hardware, software, documentation, or operating personnel), databases, advice or access to these by technological means.” (“Financial Privacy and the GLBA,” Michael P. Carlson, Your Business and the Law TRENDS, Spring 2001, Faegre & Benson, LLP)

Individuals should consider providing the following entities with CCHC’s Financial Institutions Declaration form:

Bank
Mortgage Company
Life Insurer
Investment Corporation
Loan Institution
Securities Agency
Cheque Service
Financial Planning Corporation
Credit Card Company
Retail Business (Retail credit cards)
Credit Bureau
Tax Accountant/Preparer


Separate declaration forms addressing additional health, financial, medical and personal data disclosures by doctors, health insurers, health care professionals, hospitals, health care facilities, and data clearinghouses, as permitted by the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 2001 federal medical privacy regulation, and the federal home health care data collection system, called OASIS, can be found at the CCHC website: www.cchfreedom.org.

COPYRIGHT © CITIZENS' COUNCIL ON HEALTH CARE "FOR THE RECORD" MEDICAL PRIVACY PROJECT, 2001