EFFector       Vol. 12, No. 2       Sep. 22, 1999       editor@eff.org
A Publication of the Electronic Frontier Foundation     ISSN 1062-9424

IN THE 146th ISSUE OF EFFECTOR (now with over 18,000 subscribers!):

  * ALERT: H.R. 10 "Confidentiality" Legislation Undermines Medical Privacy!
  * Administrivia

For more information on EFF activities & alerts: http://www.eff.org
_________________________________________________________________

NOTE: We apologize to those of you who will not get this alert in time. Some will, some will not, depending on mail queue processing speeds, Net lag and intermediary server delays, etc. We've issued this as fast as possible after gathering the necessary info.

Electronic Frontier Foundation ACTION ALERT:

H.R. 10 "Confidentiality" Legislation Undermines Medical Privacy!

(Issued: Sept. 22, 1999; deadline: Sept. 23, 1999)

ACTION ALERT:

Proposed law (US House bill H.R. 10, the "Financial Services Act of 1999") would allow insurance institutions to share your sensitive and personally identifiable medical information without your knowledge or consent, to a wide variety of agencies and financial and research entities. H.R. 10 would actually reduce existing medical privacy protections!

WHY YOU SHOULD CARE:

The language in the provision misleadingly named H.R. 10's "Subtitle E: Confidentiality" (and known colloquially as "the Ganske Amendment") is riddled with loopholes that make your private medical information available to law enforcement (with no requirements for a warrant, only a subpoena), to vaguely defined "research" projects, and to virtually all affiliates of insurance companies, even banks, credit agencies, and debt collectors. (See text and analysis at end for more detail.)
___________________________________

WHAT YOU CAN DO:

Contact your own legislators and urge them to pressure the conference committee to oppose the Ganske Amendment to H.R. 10.

You can send a free fax to your Senators and Representatives (you don't even have to know who they are) about this issue, at:

    http://www.aclu.org/cgi-bin/take_action.pl?GetDoc=282&dir=aclu

IMPORTANT: At this page you first enter your contact info, then select "CLICK to add the congressmembers for your zipcode". Next, please paste the following text into the middle section of the letter, where you can add your own comments:

    I urge you to IMMEDIATELY contact the conference committee and register your opposition to the Ganske Amendment to H.R. 10, before it is too late.

(Then add your own comments, too, if you like.) The Web-to-fax sample letter is not up to date, and does not reflect the fact that the bill has passed both houses of Congress and is up for final conference committee vote on Thu., Sept. 23.

Non-US activists: There's not much you can do at this point. Probably the best possible actions are to a) go to http://www.eff.org/congress and follow the contact information instructions there to send a letter to the White House (i.e., the US President), and ask that this bill be vetoed should it pass with the Ganske provisions intact. Secondly, you may wish to send a letter to your own national privacy commissioner, data protection agency or other similar entity, and ask them to send a critical communique to the US Administration regarding this legislation.
___________________________________

FULL TEXT:

The text of the relevant section of the bill reads:

Subtitle E--Confidentiality

SEC. 351. CONFIDENTIALITY OF HEALTH AND MEDICAL INFORMATION.

(a) IN GENERAL- A company which underwrites or sells annuities contracts or contracts insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death (other than credit-related insurance) and any subsidiary or affiliate thereof shall maintain a practice of protecting the confidentiality of individually identifiable customer health and medical and genetic information and may disclose such information only--

    (1) with the consent, or at the direction, of the customer;

    (2) for insurance underwriting and reinsuring policies, account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), providing information to the customer's physician or other health care provider, participating in research projects, enabling the purchase, transfer, merger, or sale of any insurance-related business, or as otherwise required or specifically permitted by Federal or State law; or

    (3) in connection with--

        (A) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card or account number, or by other payment means;

        (B) the transfer of receivables, accounts, or interest therein;

        (C) the audit of the debit, credit, or other payment information;

        (D) compliance with Federal, State, or local law;

        (E) compliance with a properly authorized civil, criminal, or regulatory investigation by Federal, State, or local authorities as governed by the requirements of this section; or

        (F) fraud protection, risk control, resolving customer disputes or inquiries, communicating with the person to whom the information relates, or reporting to consumer reporting agencies.

(b) STATE ACTIONS FOR VIOLATIONS- In addition to such other remedies as are provided under State law, if the chief law enforcement officer of a State, State insurance regulator, or an official or agency designated by a State, has reason to believe that any person has violated or is violating this title, the State may bring an action to enjoin such violation in any appropriate United States district court or in any other court of competent jurisdiction.

(c) EFFECTIVE DATE; SUNSET-

    (1) EFFECTIVE DATE- Except as provided in paragraph (2), subsection (a) shall take effect on February 1, 2000.

    (2) SUNSET- Subsection (a) shall not take effect if, or shall cease to be effective on and after the date on which, legislation is enacted that satisfies the requirements in section 264(c)(1) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 2033).

(d) CONSULTATION- While subsection (a) is in effect, State insurance regulatory authorities, through the National Association of Insurance Commissioners, shall consult with the Secretary of Health and Human Services in connection with the administration of such subsection.

[end excerpt]
___________________________________

ANALYSIS:

Section (a) states that in general the confidentiality of medical and genetic information shall be protected. Exceptions follow.

Subsection (a)(2) will allow medical information to be given out by insurers to virtually any affiliated or assisting entities and also provides for personally identifiable medical data to be used for "research projects" without the consent of the person to whom this intensely revealing information pertains.

Subsubsections (a)(3)(A), (C) and (F) will allow private medical information to be given out by insurers to credit bureaus, banks, debt settlement entities.

Subsubsection (a)(3)(E) will allow private medical information to be given out to law enforcement. No provisions are present that would require a warrant before the information is disclosed. A simple administrative subpoena or other display of supposed "authorization" would be sufficient to obtain medical information held by insurance companies.
_________________________________________________________________

Administrivia

EFFector is published by:

    The Electronic Frontier Foundation
    1550 Bryant St., Suite 725
    San Francisco CA 94103-4832 USA
    +1 415 436 9333 (voice)
    +1 415 436 9993 (fax)

Editor: Stanton McCandlish, Program Director/Webmaster (editor@eff.org)

Membership & donations: membership@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individually at will.

To subscribe to EFFector via email, send message BODY of:

    subscribe effector-online

to listserv@eff.org, which will add you to a subscription list for EFFector. To unsubscribe, send a similar message body, like so:

    unsubscribe effector-online

to the same address. Please ask editor@eff.org to manually add you to or remove you from the list if this does not work for some reason.

Back issues are available at:

    http://www.eff.org/effector

To get the latest issue, send any message to effector-reflector@eff.org (or er@eff.org), and it will be mailed to you automagically. You can also get:

    http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html