On behalf of the National Association of Insurance Commissioners (NAIC), I am submitting comments specifically on the marketing exception currently found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. I want to thank you for giving the NAIC this chance to testify on the subject of health information privacy and offer our comments on the marketing exception.
The NAIC has a long history of working to protect the health information of consumers. We have drafted our own model laws on privacy, and most recently we have been very active in guiding state implementation of the new Title V consumer privacy provisions under the construct of the Gramm-Leach-Bliley Act (GLBA) (see last page). We have testified numerous times on health information privacy before Congress and have appeared before this Subcommittee as well.
The NAIC submitted comments on the proposed privacy rule on February 15, 2000. In that letter the NAIC recognized the efforts of HHS to establish standards to protect the privacy of individually identifiable health information, and we noted the similarities between our own models and the proposed regulation, including the use of an opt-in standard for using and disclosing consumers' protected health information. While we had concerns about the preemption of state laws and interference with state insurance departments' responsibilities, overall we supported HHS' approach to ensure that consumers receive the strongest possible privacy protections.
However, we are very concerned about the final regulation that was issued on December 28, 2000. In a significant and unfortunate change from the proposed regulation, the final regulation allows covered entities to disclose protected health information for certain marketing purposes without the individual's authorization. (65 Fed. Reg. 82819-82820, HHS § 164.514(e)). We expressed our concerns about these changes in our March 30, 2001 comment letter on the re-opened final rule.
The regulation states that a covered entity may not use or disclose protected health information for marketing without an authorization, except when the marketing: (1) occurs face-to-face; (2) concerns products or services of nominal value; or (3) concerns health-related products and services of the covered entity or of a third party, and the marketing communication identifies the covered entity, states that the covered entity has received or will receive direct or indirect remuneration, and contains instructions describing how the individual may opt-out. In addition, the covered entity may disclose protected health information for marketing purposes to a business associate that assists the entity with marketing. (65 Fed. Reg. 82819, HHS § 164.514(e)(1), (2)).
This is a significant reversal of HHS' position in terms of protecting consumers. The exception basically swallows the general rule that requires authorization prior to disclosing individuals' protected health information. While we support the establishment of exceptions to the authorization requirement for certain legitimate business transactions, we do not support the inclusion of marketing activities in these exceptions. Like the HHS regulation, the NAIC privacy models allow insurers to use and disclose protected health information for a very broad range of insurance activities such as underwriting, paying claims, and investigating fraud. However, the NAIC privacy models do not allow insurers to disclose or sell consumers' protected health information for marketing purposes without first obtaining the consumers' authorization. We think the marketing exception in the HHS final regulation guts the stated purpose of the regulation of protecting consumers' health information.
HHS claims that this exception will benefit consumers and that consumer protections have been incorporated into the exception. In the preamble, HHS states that this exception will allow health care entities "to discuss their own health-related products and services, or those of third parties, as part of their everyday business" and they will be able to inform their patients and enrollees about "new or valuable health products." (65 Fed. Reg. 82546). HHS also claims that it has incorporated consumer protections within this exception by requiring covered entities to tell consumers why they have been targeted in the marketing and that they can opt-out of future marketing communications. (65 Fed. Reg. 82546, 82819-82820).
We know of no other provision in the regulation that requires a marketing exception in order for a provider or health plan to discuss treatment options with its patient or enrollee. We would argue, however, that offering a way for consumers to opt-out of future marketing efforts is not the same as giving consumers the right to make an initial decision about whether they want to receive any marketing materials. In addition, the covered entity only has to make a "reasonable" effort to ensure that individuals who decide to opt-out of receiving future marketing communications are not sent such communications. (65 Fed. Reg. 82820). This is no guarantee for consumers. Once an individual's information has been disclosed for marketing purposes, the ability to keep that information from being further disclosed is speculative at best.
The assumption behind the HHS regulation is that health information deserves a higher level of protection than other types of information. The NAIC believes this marketing exception is a giant step backwards for consumers, and HHS should remove it from the regulation.
We look forward to continuing to work with you on this important endeavor and hope that you will thoroughly consider our concerns. Thank you.
NCVHS Subcommittee on Privacy and Confidentiality
Hearing Questions: Marketing
As part of this hearing, the NAIC was asked to address the following questions raised by the NCVHS Subcommittee on Privacy and Confidentiality.
1. What specific marketing activities are consumers concerned about?
The NAIC believes consumers are concerned about all types of marketing activities, whether those activities are related to their financial or health information. However, consumers believe their health information is the most sensitive and they expect a greater level of protection for their personal health information. Consumers have a greater concern that their health information will be used against them in terms of obtaining a loan or mortgage or in terms of discrimination or termination of employment.
We studied the differences between the marketing of financial and health information last year when we developed the NAIC Privacy of Consumer Financial and Health Information Model Regulation, which implemented the privacy requirements of GLBA. For financial information, we closely tracked the language in GLBA in drafting regulations for insurers and their treatment of financial information. Generally, under the model regulation, disclosure of nonpublic personal financial information among affiliates is permitted without restriction and disclosures with third parties are subject to the consumer's right to "opt-out". Disclosures to third parties for joint marketing and servicing, however, do not require an "opt-out" opportunity, although the insurer and third party are required to enter into an agreement protecting the confidentiality of such information.
However, in keeping with the philosophy outlined in our previous models, and as allowed under GLBA, the members of the NAIC decided to treat health information differently from financial information in the model regulation by providing more stringent protections for health information, including marketing restrictions, and by using an "opt-in" standard for individually identifiable health information, due to the sensitive nature of the information.
Real life examples show why a higher level of protections for health information is necessary. While we were developing our 1998 Health Information Privacy Model Act, we heard horrible stories of how sensitive personal health information was disseminated without the individual's knowledge or consent. For example, a man made a claim against his insurance company for reimbursement of the costs of a drug prescribed for a certain medical condition. Within days, his doctor was besieged by calls from pharmaceutical companies trying to convince the doctor to change the patient's medication to a drug produced by that particular company. Another example is a man who was diagnosed with diabetes and a week later started receiving information on syringes and other products related to his disease, despite the fact that he had disclosed this information to no one.
We strongly believe that health information needs enhanced protections, and under our privacy models, the types of disclosures above would be prohibited without the affirmative consent of the consumer. Consumers should be assured that their personal health information will not be shared, sold or released without their specific consent. While we do not seek to prohibit marketing or prevent consumers from receiving information that they may find useful, consumers should have the right to make an affirmative decision in the first instance whether they want their protected health information disclosed for marketing purposes.
2. When does information stop being health care information and become marketing information?
As long as an individual can be identified, it's health information. It will always be health information--it's just being used for a marketing purpose. That is why it is so important to get authorization from the consumer prior to disclosure.
Companies and insurers are approaching the marketing issue from the perspective that everyone will say "no" to sharing their information. Some consumers will decide that the benefits of sharing their information outweigh the privacy concerns, but others will not. Ultimately, it should be the consumer's choice.
3. What is a treatment communication?
This is not our area of expertise.
4. What can doctors use patient lists for? For example, is a mailing on a drug or a service the doctor provides a health-related communication or marketing?
Doctors should be using patient lists for treatment rather than for marketing. Otherwise, there would appear to be a conflict of interest. However, we recognize that there may be gray areas where it is not clear whether an activity is a health-related communication or marketing. This is why it is so important to explain what you want to do with consumers' information and get their authorization. We are not opposed to marketing. We just think that the consumer should get the opportunity, before information is disclosed or shared, to opt in or give prior authorization to share.
5. What specific marketing activities should require prior individual authorization?
All marketing activities should require prior authorization. The goal is not to prohibit companies from offering products, or to prevent insurers or doctors from participating in disease management activities or from mailing appointment reminders or other information to consumers, or to prevent consumers from getting helpful information. The goal is to give consumers an affirmative opportunity upfront to decide whether they want their information shared or not for marketing purposes. Consumers should have an opt-in right, not an opt-out right, because once their information is disclosed, it will be extremely difficult to re-protect the information. In addition, the authorization given by the consumer to the company, insurer or doctor should be separate from any authorization for treatment or payment of services.
NAIC Model Laws on Health Information Privacy
Members of the NAIC have been discussing and addressing the privacy of personal information, including health information, for more than 20 years. In 1980 we adopted the Insurance Information and Privacy Protection Model Act. This model applies to all insurance information and generally requires insurers to receive authorization from individuals ("opt-in") to disclose personal information. Health information is specifically included as part of this model.
In September 1998, the NAIC continued its efforts to strengthen protections for personal information by adopting a new model solely focused on the issues specific to health information, the Health Information Privacy Model Act. This model applies to all insurance carriers and, similar to our more general 1980 insurance privacy model, this model generally requires an entity to obtain an authorization ("opt-in") from the individual to collect, use or disclose individually identifiable health information. With the development of the 1998 Model, the NAIC took the position that health information deserved a higher level of protection than other types of information due to its sensitive nature and its potential to be improperly used against an individual.
The NAIC continued this policy in September 2000, when we adopted a model privacy regulation - The NAIC Privacy of Consumer Financial and Health Information Model Regulation - to implement the privacy requirements for insurers as directed by the Gramm-Leach-Bliley Act (GLBA). Section 507 of GLBA authorizes the states to enact laws that give consumers greater privacy protections than the provisions of GLBA. In keeping with the philosophy used in our previous models, the members of the NAIC decided to treat health information differently than financial information and to provide more stringent protections for health information, especially since GLBA allowed consumers' sensitive health information to be shared freely without distinction from other sorts of financial information.