EFFector       Vol. 12, No. 2       Sep. 22, 1999       editor@eff.org

                                      
   A Publication of the Electronic Frontier Foundation     ISSN 1062-9424
                                      
  IN THE 146th ISSUE OF EFFECTOR (now with over 18,000 subscribers!):
  
     * ALERT: H.R. 10 "Confidentiality" Legislation Undermines Medical
       Privacy!
     * Administrivia
       
   For more information on EFF activities & alerts: http://www.eff.org
     _________________________________________________________________
   
   
   
   NOTE: We apologize to those of you who will not get this alert in
   time. Some will, some will not, depending on mail queue processing
   speeds, Net lag and intermediary server delays, etc. We've issued this
   as fast as possible after gathering the necessary info.
   
                Electronic Frontier Foundation ACTION ALERT:
                                      
                   H.R. 10 "Confidentiality" Legislation
                        Undermines Medical Privacy!
                                      
             (Issued: Sept. 22, 1999; deadline: Sept. 23, 1999)
                                      
   ACTION ALERT: Proposed law (US House bill H.R. 10, the "Financial
   Services Act of 1999") would allow insurance institutions to share
   your sensitive and personally identifiable medical information without
   your knowledge or consent, to a wide variety of agencies and financial
   and research entities. H.R. 10 would actually reduce existing medical
   privacy protections!
   
   WHY YOU SHOULD CARE: The language in the provision misleadingly named
   H.R. 10's "Subtitle E: Confidentiality" (and known colloquially as
   "the Ganske Amendment") is riddled with loopholes that make your
   private medical information available to law enforcement (with no
   requirements for a warrant, only a subpoena), to vaguely defined
   "research" projects, and to virtually all affiliates of insurance
   companies, even banks, credit agencies, and debt collectors. (See text
   and analysis at end for more detail.)
                    ___________________________________
   
   WHAT YOU CAN DO: Contact your own legislators and urge them to
   pressure the conference committee to oppose the Ganske Amendment to
   H.R. 10
   
   You can send a free fax to your Senators and Representatives (you
   don't even have to know who they are) about this issue, at:
   http://www.aclu.org/cgi-bin/take_action.pl?GetDoc=282&dir=aclu

   IMPORTANT: At this page you first enter your contact info, then select
   "CLICK to add the congressmembers for your zipcode". Next, please
   paste the following text into the middle section of the letter, where
   you can add your own comments:
   
     I urge you to IMMEDIATELY contact the conference committee and
     register your opposition to the Ganske Amendment to H.R. 10, before
     it is too late.
     
   (Then add your own comments, too, if you like.) The Web-to-fax sample
   letter is not up to date, and does not reflect the fact that the bill
   has passed both houses of Congress and is up for final conference
   committee vote on Thu., Sept. 23.
   
   Non-US activists: There's not much you can do at this point. Probably
   the best possible actions are to a) go to http://www.eff.org/congress
   and follow the contact information instructions there to send a letter
   to the White House (i.e., the US President), and ask that this bill be
   vetoed should it pass with the Ganske provisions intact. Secondly, you
   may wish to send a letter to your own national privacy commissioner,
   data protection agency or other similar entity, and ask them to send a
   critical communique to the US Administration regarding this
   legislation.
                    ___________________________________
   
     FULL TEXT: The text of the relevant section of the bill reads:
   
   Subtitle E--Confidentiality
   
   SEC. 351. CONFIDENTIALITY OF HEALTH AND MEDICAL INFORMATION.
   (a) IN GENERAL- A company which underwrites or sells annuities
   contracts or contracts insuring, guaranteeing, or indemnifying
   against loss, harm, damage, illness, disability, or death (other
   than credit-related insurance) and any subsidiary or affiliate
   thereof shall maintain a practice of protecting the
   confidentiality of individually identifiable customer health and
   medical and genetic information and may disclose such information
   only--
       
       (1) with the consent, or at the direction, of the customer;
       (2) for insurance underwriting and reinsuring policies, account
       administration, reporting, investigating, or preventing fraud or
       material misrepresentation, processing premium payments,
       processing insurance claims, administering insurance benefits
       (including utilization review activities), providing information
       to the customer's physician or other health care provider,
       participating in research projects, enabling the purchase,
       transfer, merger, or sale of any insurance-related business, or as
       otherwise required or specifically permitted by Federal or State
       law; or
       (3) in connection with--
       
        (A) the authorization, settlement, billing, processing, clearing,
        transferring, reconciling, or collection of amounts charged,
        debited, or otherwise paid using a debit, credit, or other payment
        card or account number, or by other payment means;
        (B) the transfer of receivables, accounts, or interest therein;
        (C) the audit of the debit, credit, or other payment information;
        (D) compliance with Federal, State, or local law;
        (E) compliance with a properly authorized civil, criminal, or
        regulatory investigation by Federal, State, or local authorities
        as governed by the requirements of this section; or
        (F) fraud protection, risk control, resolving customer disputes or
        inquiries, communicating with the person to whom the information
        relates, or reporting to consumer reporting agencies.
       
   (b) STATE ACTIONS FOR VIOLATIONS- In addition to such other remedies
   as are provided under State law, if the chief law enforcement officer
   of a State, State insurance regulator, or an official or agency
   designated by a State, has reason to believe that any person has
   violated or is violating this title, the State may bring an action to
   enjoin such violation in any appropriate United States district court
   or in any other court of competent jurisdiction.
   
   (c) EFFECTIVE DATE; SUNSET-
       (1) EFFECTIVE DATE- Except as provided in paragraph (2), 
       subsection (a) shall take effect on February 1, 2000.
       (2) SUNSET- Subsection (a) shall not take effect if, or shall
       cease to be effective on and after the date on which, legislation
       is enacted that satisfies the requirements in section 264(c)(1) of
       the Health Insurance Portability and Accountability Act of 1996
       (Public Law 104-191; 110 Stat. 2033).
       
   (d) CONSULTATION- While subsection (a) is in effect, State insurance
   regulatory authorities, through the National Association of Insurance
   Commissioners, shall consult with the Secretary of Health and Human
   Services in connection with the administration of such subsection.
   
   [end excerpt]
                    ___________________________________
   
   ANALYSIS: Section (a) states that in general the confidentiality of
   medical and genetic information shall be protected. Exceptions follow.
   
   Subsection (a)(2) will allow medical information to be given out by
   insurers to virtually any affiliated or assisting entities and also
   provides for personally identifiable medical data to be used for
   "research projects" without the consent of the person to whom this
   intensely revealing information pertains.
   
   Subsubsections (a)(3)(A), (C) and (F) will allow private medical
   information to be given out by insurers to credit bureaus, banks, debt
   settlement entities.
   
   Subsubsection (a)(3)(E) will allow private medical information to be
   given out to law enforcement. No provisions are present that would
   require a warrant before the information is disclosed. A simple
   administrative subpoena or other display of supposed "authorization"
   would be sufficient to obtain medical information held by insurance
   companies.
   
     _________________________________________________________________
   
                                 Administrivia
                                       
   EFFector is published by:
   
   The Electronic Frontier Foundation
   1550 Bryant St., Suite 725
   San Francisco CA 94103-4832 USA
   +1 415 436 9333 (voice)
   +1 415 436 9993 (fax)
   
   Editor: Stanton McCandlish, Program Director/Webmaster
   (editor@eff.org)
   
   Membership & donations: membership@eff.org
   General EFF, legal, policy or online resources queries: ask@eff.org
   
   Reproduction of this publication in electronic media is encouraged.
   Signed articles do not necessarily represent the views of EFF. To
   reproduce signed articles individually, please contact the authors for
   their express permission. Press releases and EFF announcements may be
   reproduced individually at will.
   
   To subscribe to EFFector via email, send message BODY of:
   subscribe effector-online
   to listserv@eff.org, which will add you to a subscription list for
   EFFector. To unsubscribe, send a similar message body, like so:
   unsubscribe effector-online
   to the same address.
   
   Please ask editor@eff.org to manually add you to or remove you from
   the list if this does not work for some reason.
   
   Back issues are available at:
   http://www.eff.org/effector
   
   To get the latest issue, send any message to
   effector-reflector@eff.org (or er@eff.org), and it will be mailed to
   you automagically. You can also get:
   http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html