[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]




 
                      THE ROLE OF FCRA IN EMPLOYEE
                       BACKGROUND CHECKS AND THE
                   COLLECTION OF MEDICAL INFORMATION

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 17, 2003

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 108-38



91-543              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
DOUG BEREUTER, Nebraska              PAUL E. KANJORSKI, Pennsylvania
RICHARD H. BAKER, Louisiana          MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York              NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California          MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma             GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio                  DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice Chair   JULIA CARSON, Indiana
RON PAUL, Texas                      BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio                GREGORY W. MEEKS, New York
JIM RYUN, Kansas                     BARBARA LEE, California
STEVEN C. LaTOURETTE, Ohio           JAY INSLEE, Washington
DONALD A. MANZULLO, Illinois         DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North          CHARLES A. GONZALEZ, Texas
    Carolina                         MICHAEL E. CAPUANO, Massachusetts
DOUG OSE, California                 HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois               RUBEN HINOJOSA, Texas
MARK GREEN, Wisconsin                KEN LUCAS, Kentucky
PATRICK J. TOOMEY, Pennsylvania      JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri
JOHN B. SHADEGG, Arizona             STEVE ISRAEL, New York
VITO FOSSELLA, New York              MIKE ROSS, Arkansas
GARY G. MILLER, California           CAROLYN McCARTHY, New York
MELISSA A. HART, Pennsylvania        JOE BACA, California
SHELLEY MOORE CAPITO, West Virginia  JIM MATHESON, Utah
PATRICK J. TIBERI, Ohio              STEPHEN F. LYNCH, Massachusetts
MARK R. KENNEDY, Minnesota           ARTUR DAVIS, Alabama
TOM FEENEY, Florida                  RAHM EMANUEL, Illinois
JEB HENSARLING, Texas                BRAD MILLER, North Carolina
SCOTT GARRETT, New Jersey            DAVID SCOTT, Georgia
TIM MURPHY, Pennsylvania              
GINNY BROWN-WAITE, Florida           BERNARD SANDERS, Vermont
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona

                 Robert U. Foster, III, Staff Director

       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

STEVEN C. LaTOURETTE, Ohio, Vice     BERNARD SANDERS, Vermont
    Chairman                         CAROLYN B. MALONEY, New York
DOUG BEREUTER, Nebraska              MELVIN L. WATT, North Carolina
RICHARD H. BAKER, Louisiana          GARY L. ACKERMAN, New York
MICHAEL N. CASTLE, Delaware          BRAD SHERMAN, California
EDWARD R. ROYCE, California          GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma             LUIS V. GUTIERREZ, Illinois
SUE W. KELLY, New York               DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                CHARLES A. GONZALEZ, Texas
JIM RYUN, Kansas                     PAUL E. KANJORSKI, Pennsylvania
WALTER B. JONES, Jr, North Carolina  MAXINE WATERS, California
JUDY BIGGERT, Illinois               DARLENE HOOLEY, Oregon
PATRICK J. TOOMEY, Pennsylvania      JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
MELISSA A. HART, Pennsylvania        RUBEN HINOJOSA, Texas
SHELLEY MOORE CAPITO, West Virginia  KEN LUCAS, Kentucky
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
MARK R. KENNEDY, Minnesota           STEVE ISRAEL, New York
TOM FEENEY, Florida                  MIKE ROSS, Arkansas
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
RICK RENZI, Arizona


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    June 17, 2003................................................     1
Appendix:
    June 17, 2003................................................    51

                               WITNESSES
                         Tuesday, June 17, 2003

Maltby, Lewis, President, National Workrights Institute..........    13
McClain, Eddy, Chairman, Krout & Schneider, Inc., on behalf of 
  the National Council of Investigation and Security Services....    16
Meyer, Roberta B., Senior Counsel, American Council of Life 
  Insurers.......................................................    28
Morgan, Harold, Senior Vice President, Human Resources, Bally 
  Total Fitness Corporation, on behalf of the Labor Policy 
  Association....................................................    11
Petersen, L. Chris, Attorney, Morris, Manning & Martin, LLP, on 
  behalf of the Health Insurance Association of America..........    26
Plummer, Margaret, Director of Operations, Bashen Consulting.....    14
Pritts, Joy, Assistant Research Professor, Health Policy 
  Institute, Georgetown University...............................    31
Reynolds, Christopher P., Partner, Morgan, Lewis and Bockius, 
  LLP, on behalf of the U.S. Chamber of Commerce.................     9
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center, Adjunct Professor, Georgetown University 
  Law Center.....................................................    30
Yingling, Edward L., Executive Vice President, American Bankers 
  Association....................................................    33

                                APPENDIX

Prepared statements:
    Bachus, Hon. Spencer.........................................    52
    Oxley, Hon. Michael G........................................    55
    Gillmor, Hon. Paul E.........................................    57
    Sessions, Hon. Pete..........................................    58
    Maltby, Lewis................................................    60
    McClain, Eddy................................................    63
    Meyer, Roberta B.............................................    72
    Morgan, Harold...............................................    82
    Petersen, L. Chris...........................................    96
    Plummer, Margaret............................................   105
    Pritts, Joy..................................................   113
    Reynolds, Christopher P......................................   121
    Rotenberg, Marc..............................................   146
    Yingling, Edward L...........................................   162

              Additional Material Submitted for the Record

The Impact of National Credit Reporting Under the Fair Credit 
  Reporting Act, Financial Services Coordinating Council.........   169


                      THE ROLE OF FCRA IN EMPLOYEE
                       BACKGROUND CHECKS AND THE
                   COLLECTION OF MEDICAL INFORMATION

                              ----------                              


                         Tuesday, June 17, 2003

             U.S. House of Representatives,
Subcommittee on Financial Institutions and Consumer 
                                            Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:09 a.m., in 
Room 2128, Rayburn House Office Building, Hon. Spencer Bachus 
[chairman of the subcommittee] presiding.
    Present: Representatives Bachus, LaTourette, Kelly, Ryun, 
Gillmor, Biggert, Hart, Tiberi, Hensarling, Barrett, Oxley (ex 
officio), Sanders, Maloney, Watt, Sherman, Moore, Velaquez, 
Hooley, Lucas of Kentucky, Crowley, McCarthy, and Emanuel. 
Representative Pete Sessions was also in attendance.
    Chairman Bachus. [Presiding.] Good morning. The 
Subcommittee on Financial Institutions will come to order.
    Our hearing today is the fifth in a series of hearings the 
subcommittee is holding on FCRA. We previously held hearings 
covering the importance of the national uniform credit system 
to consumers and to the economy, and more specifically how the 
Fair Credit Reporting Act helps consumers obtain more 
affordable mortgages and credit in a timely and efficient 
manner.
    Today, we will hear how FCRA regulates employee background 
checks and the collection and use of health information or 
medical information. This hearing consists of two panels. The 
first panel will focus on the application of FCRA to employee 
screening and other background checks. Witnesses will include 
various business groups, human resource managers and private 
investigators.
    The second panel will examine how medical information is 
collected and used for various financial products, including a 
discussion on the prohibition of the use of health or medical 
information in the credit-granting process. Panelists will 
include representatives of life and health insurance companies, 
the banking industry, and independent experts.
    While we usually think of FCRA in the context of credit 
information, it also applies to background checks for 
employees. For example, information collected for an employer 
by a third party about an employee's criminal record, driving 
record, educational record or prior employment history in some 
instances falls within FCRA's coverage. The 1996 amendments to 
FCRA established consumer protections for employee background 
screening.
    Some of these include consumer consent before a prospective 
employer may obtain a consumer report, disclosure of the report 
to the consumer once it is completed, and notice to the 
consumer of his rights before taking adverse action based on 
the report. Many employers conduct background checks of their 
employees as a safety precaution. Moreover, according to a 2002 
Harris poll, a majority of Americans support their employers's 
conducting detailed background checks.
    Congress has mandated background checks for many workers in 
the financial services industries, as well as for nuclear, 
airport and childcare businesses. The number of worker 
background checks has dramatically increased since 9-11 due to 
heightened security concerns. As a result, mandatory background 
checks are now required for workers at ports and for those who 
transport hazardous chemicals.
    Because background checks are becoming commonplace, one 
issue we need to review today is the FTC's staff Vail opinion 
letter. It makes it much more difficult for employers to 
conduct background checks or investigations of their employees. 
Under the Vail letter, if an employer believes that an employee 
is engaged in workplace misconduct such as committing sexual 
harassment, racial discrimination or embezzling funds or other 
criminal activity, the employer cannot hire an independent 
third party investigator without getting the employee suspected 
wrongdoer's consent and telling him about the investigation and 
how the investigation will be conducted. That makes absolutely 
no sense. If you are trying to catch a criminal, why warn him 
in advance?
    Strangely, employers can investigate alleged misconduct 
without following any of the Vail letter requirements if they 
do so internally. The Vail letter makes it unworkable to hire 
an outside unbiased party to do an impartial investigation. 
Even the FTC admits the law should be fixed.
    Our second panel will discuss medical information, health 
information, and how the FCRA and other state and federal laws 
govern its use.
    The FCRA prohibits consumer reporting agencies from 
furnishing reports containing medical information without the 
consumer's consent. Congress passed another law, the Health 
Insurance Portability and Accountability Act of 1996 which 
limits the sharing of health information by health care plans 
and providers. In addition, the States have various laws 
governing insurance companies in the use and sharing of health 
information by those companies.
    The second panel will help us understand whether there are 
gaps in the convergence of these laws and whether financial 
providers are using such information, and if they are, whether 
they should be prevented from using an individual's medical or 
health information in any way or in an inappropriate way.
    I want to express my gratitude to Chairman Oxley for his 
leadership in these FCRA hearings. I want to commend Ranking 
Member Frank and Mr. Sanders for working with the staff, with 
me, and with Chairman Oxley on FCRA reauthorization. I note 
that for the second week in a row we have accommodated all of 
the minority witness requests.
    The Chair now recognizes the ranking member of the 
subcommittee, Mr. Sanders, for his opening statement.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 52 in the appendix.]
    Mr. Sanders. Thank you very much, Mr. Chairman, for holding 
this important hearing. I very much appreciate all of our 
witnesses being with us today.
    This hearing will focus on the role of the Fair Credit 
Reporting Act in employee background checks and the collection 
of medical information. These are important matters that must 
be carefully scrutinized by this subcommittee. Before we delve 
into these issues, Mr. Chairman, I would like to briefly 
highlight the testimony of two of our witnesses from last 
week's hearing.
    Mr. Chairman, as I recall, you raised a number of concerns 
about my support for consumers to receive a free copy of their 
credit reports at least once a year from all three of the 
credit bureaus. It should come as no surprise that all of the 
major consumer groups in this country support that view, 
including U.S. PIRG, the Consumer Federation of America, 
Consumers Union, and the National Consumer Law Center.
    Yet what the chairman and some of the members of the 
subcommittee might not have heard clearly is that according to 
the testimony we received last week, that view is also shared 
by the America's Community Bankers and the Independent 
Community Bankers of America. I think that it is important that 
they are coming on board in order to make sure that all 
Americans receive a free credit report.
    Let me turn for a moment to today's hearing. First, the 
issue of employee background checks, Mr. Chairman, under the 
Fair Credit Reporting Act. Companies can turn down job 
applicants because of the credit history contained in their 
credit reports, including large student loan debt, high credit 
card payments, a big auto loan, or a heavy mortgage bill. Even 
worse, job applicants who have errors in their credit reports 
as a result of identity theft are being denied employment. In 
most instances, by the time these errors are taken off the job 
applicant's credit report, the job they are applying for has 
already been filled by another person.
    Mr. Chairman, this raises troubling questions for the 
subcommittee. One, should a young person who has accumulated 
$30,000 or more in student loan debt be denied a job in favor 
of someone who was fortunate enough to have wealthy parents to 
pay for their college education?
    According to a May 26, 2003 article in The State newspaper 
in Columbia, South Carolina, ``Ayana Woodson, a recent business 
administration and finance graduate from Howard University in 
Washington, DC learned this the hard way. 'These are jobs I 
have not gotten because of my credit,' said Woodson, now 
carrying a $25,000 college debt, 'I just assumed after I 
graduated I would have this high-paying job and would be able 
to pay it off,' she said. It is like a double-edged sword. I 
take out this loan so I can get a job, but it may be the very 
reason to keep me from getting a job.''
    Mr. Chairman, according to the U.S. Department of 
Education, the average student loan debt has nearly doubled 
over the past 8 years to close to $17,000. I think we can all 
agree that people who had to go into debt to get through 
college should not be forced to lose job opportunities because 
of that debt.
    Secondly, should employers be allowed to deny employment 
opportunities to job applicants due to errors contained in 
their credit reports? I do not think so, but according to a 
March 3, 2003 article in Investment Dealers Digest, ``If you 
want to work for Goldman Sachs, your name had better be squeaky 
clean. All it takes is one blemish on your credit history to 
prohibit employment there. At least that is what one 
secretarial job candidate recently found out the hard way, and 
she is not alone. Like many young people at age 24, Kate ran up 
significant debt on a Citibank credit card. She was unable to 
pay it off quickly, and the account was ultimately sent to 
collection.
    ``Over the next 9 years, she gradually paid down the debt, 
satisfying it completely by 2002. The problem was the 
collection agency failed to report this to the credit agencies, 
and the account showed up on Goldman's credit check-a-mistake 
for which the collection agency took full responsibility and 
promised to put it into writing in 30 to 60 days, but would 
gladly relay orally to Goldman. But according to Kate, 
Goldman's background checker told her the firm would not accept 
an oral explanation and needed it in writing.''
    To make a long story short, this young lady has a hard time 
with jobs. Mr. Chairman, I do not believe job applicants should 
be turned down from their jobs because of errors contained in 
their credit report.
    Finally, we will be looking today at the Fair Credit 
Reporting Act in the collection of medical information. I have 
two concerns on this issue. First, we need to make it clear 
that banks and insurance companies cannot use medical 
information to deny consumers credit or insurance. Banks should 
not be allowed to use the fact that you have cancer to increase 
the interest rate on your credit card. Insurance companies 
should not be allowed to use the fact that you have diabetes to 
raise your premiums on your renter's insurance.
    Mr. Chairman, thank you very much for calling this 
important hearing. I look forward to hearing from the 
witnesses.
    Chairman Bachus. Thank you, Mr. Sanders.
    Chairman Oxley?
    Mr. Oxley. Thank you, Mr. Chairman. Let me thank you for 
your leadership on this important issue of FCRA as we continue 
the series of hearings. You have done yeoman work and we 
appreciate all that you have done.
    I am pleased to announce that last Thursday another federal 
regulator came out in support of reauthorization of the 
national uniform standards for FCRA. Don Powell, the chairman 
of the FDIC, who testified before this committee, said he 
believes it is necessary to make permanent the preemptions in 
the FCRA in order to ensure no negative economic impact. Mr. 
Powell joins the Treasury Secretary, the chairman of the Fed, 
and the Conference of State Bank Supervisors in support of 
reauthorizing uniform FCRA standards.
    I also just received a report by the independent 
Congressional Research Service analyzing a critical consumer 
benefit of the FCRA, and that is increased labor mobility. CRS 
found that mobility is an important barometer to judge the 
importance of having a national credit reporting system. No 
surprise, the U.S. is one of the most mobile societies, with 
14.5 percent of the population moving in any given year, and 
lower-income individuals more likely to move than higher-income 
groups. It is our national uniform credit system that makes 
this mobility possible and gives us a further competitive edge 
over the rest of the world.
    Throughout modern history, national economies have risen 
and fallen based in large part on the flexibility and mobility 
of labor and management. American consumers and workers enjoy 
unprecedented mobility in part because of our uniform national 
credit standards.
    Today's hearing looks at two particular aspects of uniform 
standards under FCRA. The first panel will address the use of 
FCRA in employee background screening. Even before 9-11, 
Americans had become increasingly concerned about ensuring 
their safety on the job from individual predators with criminal 
records.
    Homicide was the second leading cause of occupational 
fatalities in 2001, and the recent wave of corporate scandals 
has highlighted the need to keep out bad actors at all levels 
of the American workplace. Congress has been calling for 
expanded background checks for a number of sensitive jobs and 
courts have been imposing more liability on businesses that do 
not perform adequate background checks.
    Unfortunately, an interpretation of FCRA by the Federal 
Trade Commission, known as the Vail letter, undermines the 
ability of businesses to protect their employees and consumers. 
The Vail letter prohibits employers from using outside third 
parties to investigate employee misconduct unless they first 
notify the wrongdoer of the precise investigation, get his 
consent, and ultimately give him a copy of the investigative 
report.
    How do you investigate a CEO, for example, who is 
embezzling funds if you have to first get his permission and 
give him time to cover up his actions? How do you get victims 
to cooperate with a sexual or racial harassment inquiry if they 
know their identities will not be protected? You don't, and 
that is why the FTC's interpretation is at best problematic. 
Ironically, a company can perform an employee investigation 
without these requirements, but only by doing it internally 
without any of the protections of an outside, unbiased, and 
professional third party. The Vail letter is simply 
impractical.
    Subcommittee Chairman Bachus and I wrote to the FTC last 
term asking the Commission to change its views, and we support 
efforts by the members here today to correct this problem.
    On our second panel, we will receive testimony on the use 
of medical information in the credit-granting process and the 
interplay between various federal and state health privacy 
laws. I share the concerns of many of my colleagues that 
medical information may require special protections to prevent 
its improper use or theft, and I look forward to our 
witnesses's views on the appropriate balance of national 
consumer standards on this issue. Once again, I would like to 
thank the chairman for his leadership and the continued 
bipartisan cooperation of our ranking subcommittee and full 
committee members, Mr. Sanders and Mr. Frank.
    I yield back.
    [The prepared statement of Hon. Michael G. Oxley can be 
found on page 55 in the appendix.]
    Chairman Bachus. Thank you.
    The gentleman from North Carolina?
    Mr. Watt. Thank you, Mr. Chairman.
    I had intended not to say anything, but my chairman 
provoked me to say something to balance at least one thing, not 
necessarily to contradict what he is saying, but to thank you 
for having this hearing today and the series of hearings, 
because of the difficulty of these issues.
    While the chairman is right to have the governing agency 
bring these employment background checks and medical 
information under its jurisdiction, it may be presenting some 
problems. The other side of that is if they are not under 
somebody's supervision, then they have the capacity to collect 
erroneous misinformation on people, and not be subject to any 
kind of oversight.
    So we have got to figure out a way to allow them to provide 
the valuable service that they provide to employers, but do it 
in a way that makes sure they are regulated and that they 
answer to somebody and that they are accountable for collecting 
information that is not correct and viable. That is the 
difficulty. I am not arguing with the concern that the chairman 
of the full committee and the chairman of the subcommittee 
raised in the letter you wrote, but if they are not regulated 
under the Fair Credit Reporting Act, then who is going to 
regulate them, I guess, is the question; and how do they get 
regulated and how do we keep employees or prospective employees 
from having their employment possibilities adversely affected 
by information that may not even be correct?
    That is the difficult balance this committee has to deal 
with. It is for that reason that we have witnesses here to 
enlighten us about how we walk that balance and get to a result 
that is fair, both to employers and the agencies that report 
information to them about people's criminal records and medical 
records and sexual harassment in prior venues, or what have 
you, yet make sure that that information is correct and 
defensible; and if it is not, that somebody is held accountable 
for it.
    So I thank the chairman. I did not take the time to argue 
with him about this, but more to point out the difficulty of 
the balance and the requirement that this committee has as we 
go forward.
    With that, I will yield back, unless the chairman wants me 
to give him the last word. I am always willing to give my 
chairman the last word.
    [LAUGHTER]
    I yield back.
    Chairman Bachus. Thank you.
    I have a unanimous consent request, and that is that 
without objection the gentleman from Texas, Mr. Sessions, may 
be recognized for the purpose of making an opening statement 
and for the purpose of questioning witnesses under the five-
minute rule after all members of the subcommittee and the 
committee have been recognized. Is there objection? Hearing 
none, I would ask the gentleman from Texas, who is a cosponsor 
of H.R. 1543 which addresses the Vail letter, if he has an 
opening statement.
    Mr. Sessions. I thank the chairman and appreciate you 
allowing me to be here today. I have got to be on the floor in 
a few minutes, when they are ready for the new rule.
    Mr. Chairman, I would like to thank you for inviting me to 
join you at this hearing on the Fair Credit Reporting Act, 
FCRA, as it pertains to employee background checks and the 
collection of medical information. I am pleased to be rejoining 
the chairman and my esteemed former colleagues on the Financial 
Services Committee to discuss an issue that has long been of 
great interest to me.
    I would also like to thank my colleague from Alabama, the 
Chairman, for scheduling this important hearing, for your 
strong leadership on the issue, and for your diligent oversight 
on all aspects of FCRA. Certainly, Chairman Bachus's efforts 
are commendable, and by holding this hearing today he will help 
Congress to take the first step toward making the workplace a 
better and safer place for all working Americans.
    Mr. Chairman, in order to provide a historical context to 
this hearing, I would like to recount briefly the events that 
have brought us here today. In 1999, the staff of the Federal 
Trade Commission issued an opinion known as the Vail opinion, 
concluding that outside consultants who perform investigations 
of alleged employee misconduct are considered to be credit 
reporting agencies.
    As a result, outside consultants and the employees who hire 
them to help ensure unbiased workplace safety are subject to a 
number of burdensome and unintended restrictions on their 
ability to perform these investigations safely, professionally, 
and efficiently. Accordingly, they are hampered in performing 
many kinds of workplace investigations, including employee 
complaints of sexual harassment, discrimination and threats of 
violence. For the last few Congresses, I have introduced 
legislation to fix this problem by removing the FCRA 
requirements for investigations of suspected misconduct related 
to employment and to compliance with existing laws and 
preexisting written policies of the employer.
    This proposed legislation also respects the rights of the 
subject of the workplace search, while removing employers from 
the onerous and potentially dangerous requirement to notify 
their subject prior to beginning an investigation. The removal 
of this requirement is important because it prevents violence 
from employees, from giving them time to cover their tracks, or 
to initiate intimidation against coworkers who make or 
corroborate complaints, and are an integral part to ensuring 
the veracity of data included in these complaints.
    Mr. Chairman, back in 1997 when a constituent brought the 
problems to me that she was having as a result of the Vail 
opinion, I was shocked to learn that federal law requires an 
employer who suspects that an employee is dealing drugs or 
engaged in other misconduct at the workplace to ask that 
employee's permission before beginning an investigation.
    Furthermore, I was greatly dismayed to find that federal 
law would also require that the same employer to provide to a 
potentially violent employee with a report identifying the 
coworker who made or who corroborated those allegations of 
wrongdoing, making those helpful employees who were only trying 
to make the workplace safer a target for violence or 
retribution, and placing themselves in harm.
    This important legislation that I have introduced removes 
requirements of the federal Fair Credit Reporting Act solely 
for the purpose of having unbiased third party professional 
investigations of illegal or unsafe activities in the 
workplace. These limited activities include drug use or the 
sale of drugs, violence, sexual harassment, employee 
discrimination, job safety or health violations, and criminal 
activities including theft, embezzlement, sabotage, arson, 
patient or elderly abuse, and child abuse.
    I believe that it is critical for Congress to pass this 
legislation in order to make our workplaces safer, to stop 
illegal activities such as drug dealing, and to identify 
dangerous employees so that they can be provided with treatment 
before violence occurs. This legislation offers Congress the 
opportunity to replace illegal and dangerous activities in the 
workplace with investigation and remediation. I think that this 
is precisely the goal for which we should all be striving.
    I also would like to thank the panel that is before us, 
many of whom have come from all over the country to share their 
experiences with the Vail opinion and FCRA with us today. I 
look forward to hearing their testimony on the issue.
    I would also like to thank the 16 members of Congress on 
both sides of the aisle who have cosponsored this bipartisan 
legislation. I want to thank you, Mr. Chairman, for your 
leadership, and I appreciate the time you have given me today.
    [The prepared statement of Hon. Pete Sessions can be found 
on page 58 in the appendix.]
    Chairman Bachus. Thank you.
    Are there any other members wishing to make an opening 
statement? If not, I would like to welcome our first panel, 
which deals with the role of FCRA in employee background 
checks. Our panelists consist of, from my left, Mr. Christopher 
P. Reynolds, partner in the law firm of Morgan, Lewis and 
Bockius, on behalf of the U.S. Chamber of Commerce. I noted 
that you were a U.S. Attorney for the Southern District of New 
York.
    Mr. Reynolds. Mr. Chairman, I would hasten to say that I 
was an assistant U.S. Attorney for the Southern District.
    Chairman Bachus. Assistant U.S. attorney, and dealt with 
many cases involving employee and employment matters.
    Mr. Reynolds. Yes, I did, Mr. Chairman.
    Chairman Bachus. Our second panelist is Mr. Harold Morgan, 
senior vice president, human resources, at Bally Total Fitness 
Corporation, on behalf of the Labor Policy Association, and 
previously with Hyatt Corporation where you were director of 
employee and labor relations. Our third panelist, at the 
request of Mr. Sanders, is Mr. Lewis Maltby, president of the 
National Workrights Institute. We welcome you, Mr. Maltby. Mr. 
Sanders also requested the testimony of Ms. Margaret Plummer, 
director of operations for Bashen Consulting. We welcome you as 
a panelist.
    Our final panelist on the first panel is Mr. Eddy McClain, 
chairman of Krout and Schneider, on behalf of the National 
Council of Investigation and Security Services. Mr. McClain, 
you are a former private investigator on work-related 
investigations?
    Mr. McClain. Yes, sir.
    Chairman Bachus. So we welcome you.
    At this time, Mr. Reynolds, we would recognize you for your 
opening statement.

 STATEMENT OF CHRISTOPHER P. REYNOLDS, PARTNER, MORGAN, LEWIS 
   AND BOCKIUS, LLP ON BEHALF OF THE U.S. CHAMBER OF COMMERCE

    Mr. Reynolds. Thank you, Mr. Chairman, and distinguished 
members of the subcommittee. Good morning.
    I am grateful to you for the privilege of testifying before 
you today. In the interests of time and with your permission, I 
will summarize my written testimony. My purpose today is to 
testify on behalf of the U.S. Chamber of Commerce regarding 
FCRA's affect on employee background checks and employer 
investigations into workplace conduct.
    I do that on the basis of my experience as a partner at 
Morgan, Lewis and Bockius representing employers in litigation, 
investigations, and providing advice and guidance; as a member 
of the American Bar Association's Labor Section and Equal 
Employment Opportunity Committee; and as also a member of the 
Securities Industry Association's Legal Division.
    Mr. Chairman, the reauthorization of FCRA's uniform 
standards provisions is terribly important to the members of 
the Chamber and to the efficient functioning of the national 
credit system. Without those standards, we would be faced with 
a complex and confusing web of conflicting state standards that 
could only impede the availability of credit and limit the 
access of small businesses to the credit that will help them 
grow and survive tough economic times. We urge this committee 
at a minimum to preserve those standards.
    The two issues that also concern the Chamber beyond 
reauthorization would be the background check issue and the 
workplace investigation issue. Concerning background checks, 
our primary concern is not with existing law, but with the 
possibility that new provisions will be added, provisions that 
hurt an employer's ability to ensure workplace integrity and 
workplace safety by obtaining reliable job-related information 
compelled by business necessity on applicants and employees.
    Now, employers use these background checks to make sure 
their workplaces are safe and secure. We need them. A recent 
study by the Avert Internet-based screening firm found that 24 
percent of 1.8 million applications in the year 2000 were 
submitted with misleading or negative information. The Society 
for Human Resources Management found in a 1998 survey that 45 
percent of employers found that an applicant had lied 
concerning their criminal record. Many states impose on 
employers the potential liability for negligently hiring 
someone who is a danger to the safety and security of the 
workplace. Background checks allow us to avoid that liability 
and fulfill our legal duty.
    Against the painful backdrop of September 11, the public 
and this government also increasingly expect employers to use 
background checks. According to a Harris interactive poll in 
2002, 53 percent of employees want their employers to conduct 
more detailed background checks of applicants and coworkers to 
ensure safety. In this session alone, Congress has introduced 
21 different bills requiring background checks for workers. It 
is a clear signal that the government expects employers to use 
them.
    The Chamber understands and appreciates that there is a 
necessary and welcome balance between workplace security and 
privacy. We believe that the existing FCRA provisions of 
consent, notice and disclosure provide that balance. We also 
believe that the nation's existing equal employment laws 
provide a ready remedy for any company or employer that abuses 
background checks for discriminatory purpose. We also note the 
numerous State laws that restrict or limit the ability of 
employers to use information in background checks improperly.
    If you do make changes to FCRA on the background check 
issue beyond its reauthorization, we urge you to allow 
employers who use contract workers to have access to the 
contractor's background check information without converting 
that contractor into a consumer reporting agency. There are 
many safety-sensitive industries that use contract workers and 
the underlying employer needs that information to ensure 
safety.
    Now, with your permission, Mr. Chairman, let me echo your 
previous comments on the Vail letter. The issue is simple. The 
FTC through the Vail letter has thrown up a roadblock to the 
effective use of workplace investigations of employee 
misconduct. We understand that the FTC will not retract that 
letter unless Congress acts. The Chamber urges that action.
    Employers are instructed by statute in the case of 
Sarbanes-Oxley; instructed by the Supreme Court in the case of 
the Faragher-Ellerth precedent; and by regulations of the Equal 
Employment Opportunity Commission to conduct thorough, 
effective and objective investigations. Often, the only 
effective way to do that is through an outside firm or 
investigator. Under Vail, there is a requirement for notice and 
consent provisions that would require almost immediate notice 
to the object of that investigation. That fundamentally guts 
the investigation's effectiveness. Just a quick example. Say 
that I receive a request to investigate a senior executive for 
a sexual harassment complaint. Under the Vail letter, I am 
obligated to advise that senior executive before I begin my 
investigation that he or she might be the object of a 
complaint, and therefore that is going to constrict greatly the 
ability to find out what happened and take appropriate remedial 
action. There is simply no way to satisfy both Vail and the 
need to investigate effectively workplace conduct.
    Against that backdrop of increased corporate responsibility 
for self-monitoring, we believe that this choice must be 
resolved the way Congress intended under Sarbanes-Oxley, the 
way the Supreme Court dictated in Faragher-Ellerth, and the way 
the EEOC's guidance has laid out in favor of effective 
investigations. The Chamber believes that H.R. 1543 is the 
right step to address that concern and we urge its passage.
    Mr. Chairman, thank you.
    [The prepared statement of Christopher P. Reynolds can be 
found on page 121 in the appendix.]
    Chairman Bachus. Thank you very much, Mr. Reynolds, for 
that testimony.
    Mr. Morgan?

   STATEMENT OF HAROLD MORGAN, SENIOR VICE PRESIDENT, HUMAN 
 RESOURCES, BALLY TOTAL FITNESS CORPORATION, ON BEHALF OF THE 
                    LABOR POLICY ASSOCIATION

    Mr. Morgan. Thank you very much. Do not worry. I will not 
be asking the members of the committee to do exercises before 
we begin the testimony today.
    [LAUGHTER]
    This morning, I have two simple and basic messages 
regarding FCRA. The first is please do not make it any harder 
to keep our workplaces safe. And two, if possible, please help 
us to make it easier to keep our workplaces safe.
    I am sure the original intent and the purpose for expanding 
FCRA to include background checks was to ensure that potential 
employees were guaranteed certain rights and privileges if 
their backgrounds were checks. I am sure the same thought 
applies to investigations in the workplace. However, the actual 
on-the-job reality of FCRA makes it increasingly difficult to 
maintain a safe workplace.
    Many individual states have added to these restrictions on 
top of FCRA. The FCRA regulations, in addition to the 
additional State laws, really cut to the heart of workplace 
safety. The fact of life today is that every critical public or 
stakeholder that has anything to do with our operations expects 
me to run a safe workplace. The duty and trust and obligation 
of maintaining this safe workplace is even more difficult in 
businesses such as mine where you have large amounts of 
employees, a lot of employee turnover, and where you are 
dealing with customers on a minute-to-minute basis.
    So by way of introduction, this is the overview of where we 
are coming from on FCRA. But what is at the heart of the 
problem? The problem is that to make hiring decisions with 
increasingly more difficult limits and restrictions on what we 
cannot and can look at is unrealistic and is increasingly 
compromising workplace safety. For instance, should I hire 
someone to be a childcare attendant who has several arrests, 
but no convictions for child molestation? Should I hire a 
salesperson who has information regarding credit cards and 
financial information about a potential customer, but who has a 
deferred adjudication for fraud? Should I hire a personal 
trainer who has been arrested for assault and battery, but has 
pled down to a misdemeanor, or who has a conviction that is 
over seven years old? The problem with FCRA and the additional 
State laws is that I cannot use this information in making 
employment decisions.
    Congressmen and congresswomen, I believe that this is 
playing roulette with the safety of everyone involved in the 
workplace. Employers cannot be subject to courtroom standards 
in order to keep their workplaces safe. The reality of life is 
that I should not hire the personal trainer with several 
arrests, but no convictions, and I should not hire the 
childcare attendant who has pled down to a misdemeanor for 
child molestation. Nevertheless, FCRA and the State laws 
suggest that I should not consider any of this information in 
making my employment decision.
    The other issue, which Mr. Reynolds has covered, is Vail. 
Very simply, this makes it difficult to conduct investigations 
in the workplace, which all of you would agree is something 
that should be done and should be done in a fair and consistent 
manner. Vail only results in a chilling effect on people coming 
forward regarding workplace misconduct and problems that are 
going on in the workplace. Investigations should be able to be 
done and proceed in a way that does not limit us and that 
affords all people involved a great deal of confidentiality.
    As I said in the beginning, please help us to make 
workplaces safer. In order to do that, I would suggest five key 
issues. First, please allow us to look at criminal backgrounds 
without any time limitations. Second, please allow us to 
consider arrests in looking at the totality of an individual's 
background regarding their suitability to work in a particular 
place. As long as we are within the EEOC guidelines, the burden 
of proof beyond a reasonable doubt should not be a standard 
that applies in the workplace.
    Three, please give us access to national databases so that 
we do not have to go to thousands of jurisdictions to see if 
someone should or should not be an employee regarding what they 
have done in their past. Please give us a safe harbor from more 
restrictive State laws, provided that FCRA is adhered to from a 
regulation standpoint. And fifth, please allow us to conduct 
any and all investigations regarding workplace misconduct in a 
confidential manner and not subject to FCRA.
    Last and certainly to highlight this issue, in 1999, as all 
of us are aware, several terrorists tried to come through the 
Canadian border to blow up the LAX airport in celebration of 
the millennium. The identities that these folks were using were 
partially stolen out of databases of my company. Now, we have 
since closed up that issue regarding our databases.
    The employee that was involved in selling off these 
identities to the terrorists had a complete criminal background 
screen that I conducted; was drug tested; and every attempt was 
made to make sure that this employee, like all of my employees, 
were safe in the workplace. Nevertheless, those identities were 
sold and those identities were given to the terrorists that 
were fortunately caught before they were able to set up a bomb 
at LAX airport.
    The point is this: It is difficult enough to make decisions 
about the unknown and about what may happen in the workplace. 
Please at least let us make decisions regarding what is known.
    [The prepared statement of Harold Morgan can be found on 
page 82 in the appendix.]
    Chairman Bachus. Thank you very much.
    Our next witness is Mr. Lewis Maltby. Mr. Maltby, I 
mentioned that you were with the National Workrights Institute. 
I did not mention that you were the founder of that Institute, 
so we very much welcome your testimony. We know you as a 
nationally recognized expert on employee rights in the 
workplace.

   STATEMENT OF LEWIS MALTBY, PRESIDENT, NATIONAL WORKRIGHTS 
                           INSTITUTE

    Mr. Maltby. Thank you, Mr. Chairman, and thank you for 
inviting me to be here this morning.
    Let me say from the very beginning, I have no problem, no 
objection to pre-hire investigations. I have three school-age 
children. Every morning, I put them on a school bus. I do not 
want anyone behind the wheel of that school bus with DUI 
convictions.
    But it is not always that simple. There are many situations 
in which pre-hire investigations occur in ways that simply are 
not fair and do not help anyone. For example, at least 2.5 
million people every year are required to take so-called 
honesty tests to get a job. There is nothing wrong with 
employers wanting to hire honest people, but honesty tests fail 
at least four honest people for every dishonest person they 
screen out. That is a very high price for a lot of honest 
people to pay for businesses to get a dubious advantage at 
best.
    Personality tests are extremely common. They are not 
inherently wrong. Someone who would do very well in a laid-back 
Silicon Valley company might not do so well in a very straight-
laced Wall Street firm. But some of the questions on these 
tests I would not ask my wife. There are questions about your 
religious belief, your sex life, even your bathroom habits on 
some of these common personality tests. With all due respect to 
Mr. Reynolds, I do not know why you have to ask an employee 
about their bathroom habits to tell if they are going to be a 
productive and safe employee.
    I mentioned criminal records checks. There are many cases 
where that is totally appropriate, like the one with my 
children. On the other hand, there are many employers in 
America today that will not hire a person for any job at any 
time in their lives if they have ever been convicted of 
anything. You could be, and sometimes are, denied a job as a 
40-year-old electrician because when you were 19 you shoplifted 
a CD. There is something wrong when employers go to that 
incredible unreasonable extreme.
    The worst part of all of this is the way the information is 
being used. If this information were being used as something to 
inform the judgment of a seasoned HR professional, I would not 
be so concerned. But what is happening is, the machines are 
taking over. The test results are trumping the evaluation and 
the judgment of the HR professional. If the honest test says 
you are dishonest, I don't care if you are a nun, and this is a 
real case, the HR person cannot say, ``Well, the test is 
obviously wrong.'' They can't and they don't. If the test says 
you are dishonest or you don't fit or anything else, you are 
simply out. That is not the way things ought to be done.
    Regarding the Vail letter, let me not belabor the obvious, 
except to say Mr. Morgan and Mr. Reynolds are right. There is a 
problem here. As a civil rights lawyer, I want to see 
investigations of alleged sexual harassment or racial 
harassment or other civil rights violations conducted quickly, 
thoroughly and effectively, and the Vail letter as it stands is 
an obstacle. The real question is, how do we fix the obstacle? 
Mr. Sessions has certainly taken us the first step in that 
direction. It is clearly surreal, maybe that is too kind, to 
say we have to tip off the person we are investigating and get 
their permission before we conduct an investigation.
    But that is not the entire situation we have to deal with. 
What if, for example, the employee is innocent? Perhaps the 
investigation clears them. Shouldn't they be told after the 
investigation is over that they were investigated and they were 
cleared, and being shown a copy of the report? Is it really 
fair that that report should follow them for the rest of their 
career, or at least their career at this company, and they 
don't even know it happened? I do not think so.
    For example, what if there never was any genuine suspicion 
of wrongdoing? Pretext investigations are not common, but they 
happen. We do not want a law that says that a company can 
investigate somebody whose real offense is trying to organize a 
union on the pretext they have stolen a pencil. The law ought 
to require that there be a genuine suspicion of wrongdoing 
before the investigation starts in the first place. And 
whatever minimal standards the FCRA contains about fairness and 
accuracy in conducting the investigation and compiling the 
report should not be lost either.
    I know that none of those problems were intended to be 
created by Mr. Sessions's bill, but we need to do more than 
just simply crudely yank criminal investigations in the 
workplace out from under the FCRA. It has to be done in a more 
nuanced, thoughtful fashion. Mr. Sessions's bill is the first 
step, but it is not the only step.
    From having looked at the issues, I see nothing here that 
people of good will and intelligence could not resolve, given 
discussion. We have already had some discussions on these 
matters and I am confident that if allowed to continue we could 
reach a resolution that would accomplish Congressman Sessions's 
objectives and the concerns of people like me in the civil 
rights world.
    Thank you.
    [The prepared statement of Lewis Maltby can be found on 
page 60 in the appendix.]
    Chairman Bachus. Thank you, Mr. Maltby.
    We would also welcome coming together on this issue. We are 
also optimistic that we can do that.
    Ms. Plummer, I previously recognized you. You actually 
manage EEOC claims, risk management services, quality 
assurance, and consultant supervision for Bashen. I noted that 
you practiced business and employment law with the firm of 
Randolph, Hunter in Greenville, South Carolina, so you also 
have litigation experience in employment matters. We welcome 
you.

 STATEMENT OF MARGARET PLUMMER, DIRECTOR OF OPERATIONS, BASHEN 
                           CONSULTING

    Ms. Plummer. Thank you very much, and also thank you to the 
members of the subcommittee for having us here today.
    Bashen Consulting is a minority-owned human resources 
consulting firm that has conducted thousands of employment 
discrimination, harassment and ethics investigations for 
companies nationwide. I thank you for allowing us to 
participate in these important discussions regarding the role 
of the FCRA in employment-related investigations.
    The Federal Trade Commission's interpretation of the FCRA 
as expressed in the 1999 Vail opinion letter will have a 
chilling effect on the efforts of employers to prevent and 
correct unethical discriminatory and harassing behavior in the 
workplace.
    In 1998, the Supreme Court profoundly changed the workplace 
harassment landscape. It became clear that for employers to 
protect themselves, they must implement effective policies and 
complaint procedures, conduct prompt and thorough 
investigations of employee complaints, and take remedial 
action. Today, courts and government agencies charged with 
enforcing civil rights legislation examine not only the 
fundamental question of whether unlawful conduct occurred, but 
the quality and integrity of the employer's investigation of 
the alleged conduct.
    Many employers naturally seek the experience and expertise 
of qualified third parties to thoroughly and impartially 
investigate employee concerns. Countless companies, especially 
small companies, do not have the internal resources or skills 
to investigate employee complaints. In many situations, 
companies hire third parties to ensure that maximum credibility 
is given to the investigation, often due to the sensitive 
nature of the allegations or the high-level position of the 
alleged wrongdoer.
    I recently conducted an investigation for a large 
corporation in which a human resources staff member complained 
that he was discriminated against based on his national origin 
when he was denied a promotion. The company would have been 
placed in the untenable position of having its human resources 
department police itself if the investigation was conducted in-
house.
    The HR department recognized its potential conflict of 
interest, and more importantly the appearance of a conflict if 
the investigation failed to support the staff member's claim. 
The company hired Bashen Consulting to ensure the integrity of 
the investigation. However, according to the FTC this company 
would be subject to increased liabilities and requirements 
because they hired experts in the field instead of 
investigating the complaint internally.
    Under the FTC's interpretation, companies striving to 
comply with civil rights legislation must now decide between 
the risk of uncapped damages under the FCRA if they request an 
investigation, and the limited damages available under civil 
rights laws if they fail to investigate at all. Companies would 
also be required to obtain a written authorization by the 
alleged wrongdoer to conduct the investigation. The notion that 
an accused harasser must consent to an investigation of his 
inappropriate behavior is contrary to common sense.
    More alarming is the detrimental effect the FTC's 
interpretation of the FCRA poses for employees. The law would 
require the company to provide the alleged wrongdoer with a 
complete copy of the investigative report. These reports 
identify witnesses and the information each provided, and 
producing it would irreparably compromise the confidentiality 
of the investigation.
    Absent assurances of confidentiality, the FCRA will create 
a chilling effect on witnesses's willing participation in the 
investigatory process. Many victims will be too intimidated to 
complain, thus undermining the expressed intent of all 
workplace civil rights legislation. The impact of applying the 
FCRA to employment investigations is monumental. It would erode 
the great strides companies have made toward eliminating 
discrimination and harassment.
    H.R. 1543 will remove these roadblocks to progress by 
excluding workplace investigations from the FCRA's purview. We 
commend Representatives Sessions and Jackson Lee for their 
leadership on this issue and urge you to amend the FCRA 
accordingly.
    Thank you.
    [The prepared statement of Margaret Plummer can be found on 
page 105 in the appendix.]
    Chairman Bachus. Thank you very much.
    Mr. McClain, we note that you have lectured at UCLA and 
other California colleges and universities, so this ought to be 
a piece of cake, after doing that.

 STATEMENT OF EDDY MCCLAIN, CHAIRMAN, KROUT & SCHNEIDER, INC., 
ON BEHALF OF THE NATIONAL COUNCIL OF INVESTIGATION AND SECURITY 
                            SERVICES

    Mr. McClain. Thank you, Mr. Chairman. Thank you to the 
committee.
    I am chairman of Krout and Schneider, which is a 76-year-
old firm, but I have only been a licensed investigator for 47 
years. I am appearing today on behalf of the National Council 
of Investigation and Security Services, NCISS, which represents 
investigative and protective service companies and their state 
trade associations throughout the United States. We appreciate 
the opportunity to discuss the FCRA.
    Besides many small-and mid-size employers, even many 
Fortune 100 firms hire third parties for their expertise and 
impartiality. The FTC says any person who regularly conducts 
employment investigations is a consumer reporting agency under 
the law. We agree that is what the law says, even before Vail, 
but we believe that investigators of workplace misconduct 
should not be designated as consumer reporting agencies and the 
reports should not be classified as consumer reports.
    The 1996 amendments to the FCRA have substantially set back 
progress, as Ms. Plummer said, on sexual harassment and 
discrimination. The EEOC recommends prompt, thorough and 
impartial investigation of sexual harassment, but the Act 
provides no explanation or suggestion of what an employer 
should do if an accused person refuses to give his or her 
permission to be investigated.
    Regarding violence, when an employee exhibits symptoms of 
derangement, the last thing the employer wants to do is ask the 
employee for permission to investigate him. My firm is often 
hired to assist employers to deal with potentially violent 
employees. It is not uncommon to have little or no background 
information in a personnel file.
    In addition to public records and surveillance, we need to 
conduct covert neighborhood interviews. Neighbors are often 
aware of suspicious activity, proclivity toward firearms 
ownership, and even knowledge of explosives. Since the 1996 
amendments, the report of such an investigation would be 
considered an investigative consumer report and it would be 
unlawful for the employer to order such an investigation 
without disclosure and permission. The ramifications of 
advising such an employee that he is going to be investigated, 
then giving him a report of what witnesses said about him are 
obvious.
    Many business failures are the result of employee theft. 
When businesses fail, employees lose their jobs. These are the 
same employees the FCRA is supposed to protect. Investigation 
of embezzlement requires stealth and expertise. Embezzlers are 
usually in the best position to cover their tracks.
    Yet before an employer can hire an outside expert to 
investigate embezzlement, written permission must be obtained. 
Illicit drugs are a scourge on our society. Seven percent of 
American workers use drugs on the job, but the FCRA makes it 
very difficult to ferret out drug dealers from the workplace.
    Regarding intellectual property and trade secret theft, 
prior to the 1996 amendments employers were able to hire 
impartial experts to covertly conduct sensitive investigations 
that would not be possible today. For example, my firm was 
engaged to investigate an alleged theft of trade secrets by a 
Fortune 100 defense contractor. Using a combination of public 
record information, surveillance and undercover techniques, we 
were able to determine the facts.
    A salesman, marketing manager and a production chief had 
conspired with a scientist to form a competing company that was 
bidding on the same government contracts. Although one 
conspirator left our client's employ, he was fed information by 
the other two who remained as moles. Not only were the 
scientific secrets being disclosed, but bidding information 
allowing the competitor to slightly undercut their pricing on 
closed bids. This successful prosecution would have been nearly 
impossible if our client had to notify the culprits in advance 
of the investigation.
    Conversations with witnesses are considered to be 
interviews and our report to be an investigative consumer 
report. The employer must advise the accused of the nature and 
scope of the investigation, and before taking any adverse 
action against an employee, a complete unedited copy of the 
report must be provided to the employee no matter how felonious 
their behavior. Since the advent of the 1996 amendments, many 
of our labor lawyer clients have advised their clients not to 
risk investigations, even in the face of significant losses or 
danger to coworkers. The reason is the attorneys do not wish to 
provide subjects with a copy of the investigative consumer 
report.
    We strongly support Representative Sessions's H.R. 1543. 
This bipartisan measure would make clear the investigations of 
employee misconduct are exempt from the disclosure and 
authorization requirements, while still providing protections 
for consumers and employees. H.R. 1543 does not change the 
permission requirement for access to credit reports. It also 
would require that after taking adverse action against an 
employee, an employer must provide a summary containing the 
nature and substance of the communication upon which the action 
is based.
    At the FTC, former Chairman Pitofsky recommended Congress 
consider a legislative change to remedy the unintended 
consequences of the 1996 amendments. Last month, Howard Beales 
made the same recommendation to this committee. We hope action 
will finally be taken.
    Thank you for your attention.
    [The prepared statement of Eddy McClain can be found on 
page 63 in the appendix.]
    Chairman Bachus. I thank the gentleman.
    My first question, Ms. Plummer. Prior to the FTC letter, 
was there any indication that Congress intended the Fair Credit 
Reporting Act to apply to workplace discrimination or 
harassment investigations?
    Ms. Plummer. There is no indication whatsoever, either in 
the intent or purposes section of the statute or within the 
contents of the statute.
    Chairman Bachus. Thank you.
    Mr. Reynolds, you testified that the Vail letter makes it 
virtually impossible to use third party investigators, 
particularly since failure to comply with FCRA can result in 
unlimited liability, including punitive damages. And yet in 
many cases, employers lack the resources, skills and fairness 
to do those investigations in-house. What do these employers 
end up doing?
    Mr. Reynolds. Mr. Chairman, those employers are caught 
between a rock and a hard place in fulfilling the mandates of 
the regulatory schemes that I mentioned earlier and Supreme 
Court precedent. Often they make the choice, a tough choice, 
but the choice to protect their employees and to do the 
investigation nonetheless in a way that allows for the safety 
and integrity of the workplace. Employers should not be put to 
that choice by the Vail letter.
    Chairman Bachus. Thank you.
    In your opening statement you mentioned Sarbanes-Oxley and 
some of the requirements of that Act. If a company finds itself 
in a potential Enron-WorldCom-type situation and decides that 
it needs to investigate some top management for financial 
impropriety, does the Vail letter pose a problem?
    Mr. Reynolds. The Vail letter poses a significant problem. 
Under Sarbanes-Oxley, often corporate boards and management 
will reach out, and are in fact encouraged to reach out to 
third party objective investigators. Under the Vail letter, 
once that investigation begins, even before the investigation 
begins, consent has to be obtained from the subject or object 
of that investigation. As Mr. McClain has testified, that has 
the effect of completely negating the ability to gain a fair 
and complete picture of the facts, which is precisely what 
Sarbanes-Oxley went to.
    Chairman Bachus. Thank you.
    Mr. Morgan, suppose you want to investigate the head 
manager of a fitness center, how does FTC's Vail letter make it 
more difficult?
    Mr. Morgan. I would have to inform them and get consent 
prior to that occurring. In a lot of cases, there are things 
going on that you don't wish them to know about or you don't 
wish them to know because they could cover their tracks. If 
someone was stealing money from the facility or if that 
particular manager was sexually harassing one of my employees, 
I would certainly want an investigation done in a way that I 
could get all the information before I made a fair and balanced 
decision.
    Chairman Bachus. Okay, thank you.
    Mr. McClain, if a third party investigator uncovers 
significant evidence of employee wrongdoing, such as racial or 
sexual harassment, what stops the wrongdoer from disputing 
every item, particularly the testimony of the victims?
    Mr. McClain. Nothing would stop him, Mr. Chairman. One of 
the major problems that I have with on the sexual harassment 
issue is when we get an assignment like that from a client, the 
first thing that we do is we ask our client to get permission 
from not only the accused, but also the accuser. The reason is 
we want to establish the credibility of the accuser and 
oftentimes, not as often as the other way, but sometimes people 
do conspire to give false information.
    So talk about a chilling effect, when someone, take a 
fairly new employee who is in the probationary basis trying 
hard to hang onto their job and is being hit on by a 
supervisor, so they reluctantly go to management, to HR, 
because they have heard that they should report this kind of 
activity. So they reluctantly go forth and report this, and 
then management has to turn around and ask their permission to 
investigate them. Of course, any other witnesses that would 
come forth, we investigate them, too, because we need to know 
who all the players are and try to determine what their 
interests are to be impartial and fair.
    So it just doesn't work. As I said before, what do we do 
when someone refuses to give permission to be investigated? The 
employer is within his rights to terminate him for failure to 
cooperate with an investigation, but that in itself could be 
unfair. Maybe the person does not want to agree just on general 
principles. So it creates many unintended consequences, I 
believe.
    Chairman Bachus. In fact, I think two or three of the 
panelists mentioned the EEOC, which actually asks us to protect 
the identity or protect the witnesses. But under this FTC 
letter, actually, you cannot protect their identities. In fact, 
you go to the wrongdoer and give him this information which 
could actually expose them to danger.
    Mr. McClain. Some people think it is a hit list.
    Chairman Bachus. Okay, a very good point.
    Mr. Maltby, you testified about the bill introduced by 
Representative Sessions and other members as a step in the 
right direction, I believe, but not a complete solution. What 
additional changes would you recommend, particularly since 
employers can avoid any FCRA requirements simply be conducting 
investigations in-house?
    Mr. Maltby. Mr. Chairman, if I could give you a complete 
and thorough set of standards for how to get the guilty without 
violating the rights of the innocent, I would be a much smarter 
man than I am. I can mention two or three critical points. One 
is we need to have protection against pretext investigations. 
They are not common, but they do occur. It is not clear that 
Congressman Sessions's bill addresses that issue.
    We need to have people be able to see the results of the 
investigation, possibly with certain information redacted, at 
whatever time is appropriate. You obviously cannot show 
someone, especially if they are guilty, the results of the 
investigation in mid-stream, but at some point the 
investigation is over. There is nothing left to compromise and 
the employee, guilty or innocent, ought to be able to see the 
report, again possibly with certain information redacted.
    There are provisions, I believe, in the Fair Credit 
Reporting Act, not terribly strong, to be sure, but I believe 
they exist, that set some sort of minimal standards for the 
fairness of the process and the accuracy of information. Those 
would be lost if we took employee investigations completely out 
from under the jurisdiction of the FCRA. I do not think anyone 
wants to do that.
    I would be happy to submit additional suggestions to the 
Chair in a very short time, if I might have permission to do 
that.
    Chairman Bachus. Thank you, and we would welcome that.
    At this time, the gentleman from North Carolina, Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman.
    I would welcome a copy of Mr. Maltby's follow-up also. Mr. 
Maltby, you seem to be a little outnumbered on this panel.
    Mr. Maltby. I am not, Congressman.
    Mr. Watt. Not necessarily. I am trying to find common 
ground here, rather than trying to score points about who is 
right and who is wrong, because there is some right, as you 
acknowledged, on both sides of this issue.
    So that I can explore that common ground, let me talk to 
Mr. Reynolds and Mr. Morgan for a little bit here, about their 
reactions to the things that Mr. Maltby has proposed. He, as I 
was jotting down what he said, agrees that the prior consent 
requirement of Vail is probably not a good thing. I think most 
people would probably agree with that. I take it you all agree 
with that.
    Mr. Reynolds. Yes, Congressman.
    Mr. Watt. Check one for common ground there.
    On pretext investigations, he thinks there ought to be some 
explicit protection that says you cannot use criminal or other 
background information as a pretext to try to eliminate 
somebody. What do you think about that?
    Mr. Reynolds. Congressman, there are already provisions in 
existing law to cover that.
    Mr. Watt. What law?
    Mr. Reynolds. For example, under Title VII, if an employer 
were to use a criminal background check as a pretext where the 
real purpose, for example, was to discriminate, that would 
clearly violate Title VII.
    Mr. Watt. So what you are saying is we just need to 
reconcile EEOC Title VII and the Fair Credit Reporting. Is that 
an explicit provision or is that case law?
    Mr. Reynolds. That is case law, and it is commonly held 
case law that has been in place since the 1970s.
    Mr. Watt. And you agree with that, so if we could figure 
out some way to get those things consistent, you would be happy 
with that?
    Mr. Reynolds. Congressman, I believe they are already 
consistent. Title VII is in existence. The case law is quite 
explicit.
    Mr. Watt. Okay, but if we made it explicit under Fair 
Credit Reporting that you cannot do pretext, would that be 
something you and Mr. Morgan would object to?
    Mr. Reynolds. At least from my standpoint, Congressman, I 
believe the pretext issue is covered completely by both Title 
VII and the courts and I do not see a need to add to the 
provisions of FCRA in order to address that issue.
    Mr. Watt. Okay, well, I think you are missing my point. You 
have one law that doesn't say anything about it, and another 
law that says something explicit about it, at least in case 
law, and you all are testifying that there is a conflict here. 
Couldn't we reconcile that by simply making it explicit? That 
is the question I am asking. I am looking for common ground 
here. Am I missing something here?
    Ms. Plummer, would I be chasing the wrong dog if I tried to 
just make explicit what Mr. Reynolds says is already over there 
somewhere in another area, but if we just put it in Fair Credit 
Reporting, would that be okay with you?
    Ms. Plummer. No, it would not be okay.
    Mr. Watt. Okay, then why wouldn't it be okay?
    Ms. Plummer. The effect of doing that would be to muddy the 
waters because Title VII and the case law that follows it do 
completely cover the issue of pretext based on protected class 
status. If you then add that to the FCRA, you are simply adding 
yet another burden, yet another interpretation that has to be 
made of that law.
    Mr. Watt. But Mr. Reynolds just told me that I am not 
adding anything because FCRA is already subject to Title VII. 
So why would I care about making that explicit?
    Ms. Plummer. You would not be adding anything to the rights 
of the employees or to the citizens, but you would be adding 
yet another layer of judicial interpretation of the statute 
that employers would have to combat. As we can see here, the 
language in the existing statute has brought us all here today. 
So my concern if we attempt or Congress attempts to clarify 
pretext in the FCRA, it will lead to confusion.
    Mr. Watt. Mr. Maltby, what do you say to this? I am trying 
to be an honest broker here and walk down the middle.
    Mr. Maltby. Congressman, I would not say you are chasing 
the wrong dog, but I would say you are missing a lot of the 
pack.
    Mr. Watt. Okay. Go ahead.
    Mr. Maltby. I actually think Mr. Reynolds is correct.
    Mr. Watt. All right.
    Mr. Maltby. If the investigation is a pretext for getting 
the black employee out of the workplace because of some sort of 
racial bias, I think he may be right; that that is already 
adequately addressed by Title VII. But that is one of 100 
possible reasons for pretext.
    What if the real reason for launching the investigation is 
because the person is organizing a union, or they are a woman 
who does not like the way women are being treated in the 
company and they are starting to make some noise about it, or 
because you just don't like the guy, or because he is gay in a 
jurisdiction where that is not protected by law? There are 100 
reasons to launch a pretext investigation. One of them may be 
covered, but the other 99 are not protected.
    Mr. Watt. What about this copy of the report in some 
redacted form at some appropriate time? Mr. Reynolds, do you 
think if somebody is investigating me and I am found to not 
have any problem; I am investigated and you have found nothing. 
Do you think it is okay if I get the report at some point, that 
maybe then I can take it to another employer and say, look, 
this one turned me down after they found that I was not guilty; 
maybe you will consider me positively.
    Mr. Reynolds. Congressman, let me at the outset just 
caution the use of the words ``innocence'' and ``guilt.'' In 
the context of workplace investigations, the employer is not 
the government. They do not make findings of whether someone 
has violated a statute. This is important for this reason. What 
Mr. Maltby may suggest in his comments, the provision of the 
report et cetera, those are certainly potentially due process 
protections, but they are due process protections that are 
better suited to the context of governmental action in a 
criminal prosecution.
    In this context, you have an employer whose obligation is 
to make the best possible judgment based on the best possible 
investigation they can do. They are not held to the standards 
of reasonable doubt, nor should a question of innocence or 
guilt be at issue. The real question is whether or not the 
employer can do an effective investigation to determine whether 
or not the company's policies have been violated, and sometimes 
those policies are broader and more expansive at the employer's 
option than law.
    So under those circumstances, to get to your question, 
Congressman, my answer would be that there are many 
circumstances where it would not be appropriate to mandate that 
the employer provide a copy of the report. One quick example, 
there are many instances in which the investigation is about a 
current employee's actions vis-a-vis another current employee. 
It is the employer's obligation to make sure that the 
complaining employee is not retaliated against. We would not 
want to be in a position of creating the atmosphere, the 
conditions for retaliation.
    Mr. Watt. I think that is what Mr. Maltby was trying to 
redact, I assume. I do not think we would have any problem with 
that.
    Okay, I think what you all have succeeded in doing is 
showing us how difficult this area is. Mr. McClain is going to 
clarify it for us.
    Mr. McClain. Thank you, Mr. Watt. I would just like to 
comment on some of these issues.
    With regard to providing a copy of the report, Section 609 
of the FCRA does provide for discovery. So even if 
Representative Sessions's bill were enacted, anybody that 
wanted to dispute their termination still has the ability to 
get a complete copy of that report usually under a 
confidentiality agreement supervised by the court. That is the 
way they do it, so they can get a copy.
    Mr. Watt. I have to be in litigation before I can get a 
copy of it?
    Mr. McClain. Well, there are reasons for that. The court 
can protect the witnesses, for instance. If there is some 
indication that the names of those witnesses should not be just 
handed over, so then they use the attorneys for insulation. The 
other thing, regarding Mr. Maltby's statement, talk about 
unfairness, some employers, and I do not have any hard and 
proof evidence of this, but I do believe that sometimes because 
employers are unable to do a thorough investigation without 
telling everyone, because of the Fair Credit Reporting Act, I 
think they sometimes think that the easier way, and it is 
certainly cheaper than hiring me, the easier way is to just get 
rid of the suspect; find another reason to get rid of him. Now, 
that is unfairness and that is an indirect result of a law that 
is supposed to be protecting these same employees.
    Mr. Watt. I think Mr. Morgan wants to say something. I have 
run out of time myself, but maybe the Chair will let you 
respond.
    Mr. Morgan. Congressman, in a lot of workplaces, the 
reality is that there are sometimes small groups of employees. 
My stores, which would not be untypical, usually employ 50 
employees. With a 50-employee work group, even providing a 
redacted document, it will be obvious who did this and that 
would create additional workplace problems that I would really 
be concerned with.
    Also, regarding Mr. Maltby's comments, if someone was 
organizing, I cannot fire someone as a pretext under the 
National Labor Relations Act. And also, if there were a history 
of discrimination that was going on, I would be subject to a 
patterns and practice suit under EEOC for that. So there really 
are a lot of protections out there already.
    Chairman Bachus. At this time, I am going to ask Mr. Tiberi 
to take the chair, and I am going to recognize Mr. Crowley, the 
gentleman from New York, for questions.
    Mr. Crowley. I thank the Chairman.
    My staff is telling me the second round of panelists is 
going to have more difficult issues, and it is interesting to 
hear about the Vail letter and the FTC, that this seems to be 
an issue that needs to be worked on a great deal more. So I 
appreciate the testimony of all of you here today.
    I thank Mr. Watt for his line of questioning as well. I 
think it amply demonstrated that there is a need to really 
clarify what the intent is.
    I just want to move to another area, and that is concerning 
the seven criteria. Mr. McClain, if I can direct the question 
to you, and then if the other members of the panel could 
respond in some way, I would appreciate it. The consumer credit 
report certainly includes information about a consumer's credit 
worthiness, credit standing, and credit capacity, and then four 
other categories: character, general reputation, personal 
characteristics, and mode of living.
    I understand that for the most part, the financial services 
industry generally looks at the issue of credit worthiness, 
credit standing and credit capacity for granting or denial of 
credit. The terms ``character, general reputation, personal 
characteristics and mode of living'' are used more in 
investigatory reports that are governed by the FCRA.
    As these four criteria are not defined at all under 15 U.S. 
Code, I was wondering if you would both define these terms as 
you believe they are used, as well as let the committee know if 
these are important criteria. And if so, should they be defined 
in statute to prevent such a broad swath of information from 
being used in investigatory and/or credit reports under FCRA?
    Mr. McClain. I think further definition would always be 
helpful. I am not sure to what extent you can do that. The FTC 
has taken the position, and I don't think wrongfully, that 
pretty much in any report it is very difficult to have a report 
that does not encompass one or more of those definitions.
    So I do not know if a further definition might help, but I 
think the big issue is whether or not these types of reports 
should be consumer reports. I believe rather than trying to 
define all of these things further, if we just made it clear in 
the law that these types of investigative reports are not 
covered by the FCRA, I think that would be appropriate.
    Many of the investigations that we do, we do not 
necessarily run credit reports. Credit reports contain 
information that would be very helpful on embezzlement 
investigations, particularly when you are looking for someone 
who is living beyond their means. It is a flag that indicates 
you might be on the right track. But in every instance, the 
Sessions bill would not change that. You would still have to 
have the consumer's written permission before you could run a 
credit report. So we would be able to do other types of 
investigations, but we would not be able to run credit reports. 
I hope I was responsive to your question.
    Mr. Crowley. Would you be in favor of the status quo, then, 
leaving the seven criteria and those four particularly that I 
mentioned at the end, intact?
    Mr. McClain. We have learned to live with and understand 
what they mean, provided that this general category of 
misconduct investigation is excluded, and it clearly indicates 
that it is not a consumer report, then those definitions would 
not affect misconduct investigations, but they would still 
affect all of the other investigations.
    I do not have any problem with preemployment. We have 
learned to live with that. I think most of the employers have 
learned to get applicants's permission before they investigate 
them. That is not a problem. It is when you have an existing 
employee who is malfeasant in some respect that you have to 
investigate. Therein lies the problem.
    Mr. Crowley. In all four of these, character, general 
reputation, personal characteristics, mode of living, are these 
all opinions that you derive from information that is given to 
you? For instance, personal characteristics and general 
reputation, how would you define that?
    Mr. McClain. Well, the FTC can say that just about anything 
we do, I mean, if I go down and check Superior Court records on 
someone and they say that that record check is going to 
possibly indicate the mode of living or the characteristics, so 
I do not know how else to get around that.
    Mr. Tiberi. [Presiding.] The gentleman's time has expired.
    The gentlelady from New York is recognized for five 
minutes.
    Ms. Velazquez. Thank you, Mr. Chairman, and thank you to 
all the members of the panel for the information that will help 
us embarking on this comprehensive reauthorization of the 
legislation that is before us.
    Mr. Maltby, employers obviously collect an abundance of 
data regarding their employees. Some of the data, such as 
salary, is furnished to credit reporting agencies and plays an 
integral part in the credit-granting process. Outside of salary 
and tenure data, what sort of data to employers do employers 
systematically collect on their employees?
    Mr. Maltby. It obviously varies a great deal from employer 
to employer. But if I think back to the days when I was a 
corporate general counsel and had responsibility for the HR 
function, I cannot think of a great deal that I could not find 
out about one of our employees if I were to take a very careful 
look through the personnel file. There is almost nothing that I 
could imagine that would not be in there.
    Ms. Velazquez. How do employers use this information? Do 
they furnish this data to credit reporting agencies?
    Mr. Maltby. Ma'am, I really do not know that for sure. My 
assumption would be that if the employee had applied for the 
loan and the employer knew the employee had applied for the 
loan, the employer would provide any information that appeared 
to be relevant, but that is strictly an impression on my part. 
I really do not have any hard data to back that up.
    Ms. Velazquez. Mr. Morgan, given your HR experience, could 
you please comment on this as well?
    Mr. Morgan. Yes. We would only give out information to an 
agency if I had written permission from the employee to do 
that. Under normal circumstances, I am not gathering data up 
and giving it out to anyone. As a matter of fact, I see it as 
one of my great responsibilities to the employees to not do 
that.
    So generally speaking, I would only give out any 
information as long as I had a release from the employee. That 
also would go for reference checks. The reality of life today 
is that reference checks do not exist because no employers are 
giving out any information.
    Ms. Velazquez. Thank you.
    I would like to ask this question of Ms. Plummer and Mr. 
Maltby. I understand the restrictions that the Vail letter 
imposes on employers. Employers must provide an employee with 
notice that they are being investigated, and also must secure 
their consent before an investigator can begin their 
investigation.
    I also understand that these restrictions can prevent 
outside consultants from conducting an effective investigation. 
What risks to the employee do external private investigators 
pose to employees? In your experience, is there a need for 
enhanced protections when a third party conducts these employee 
investigations?
    Mr. Maltby.  Ma'am, I would not go so far as to say that 
there are no concerns for having an outside third party 
investigator, but in general it is probably better off if there 
is a third party investigator. There are just too many 
possibilities for bias or intimidation in an internal 
investigation, particularly if the person being accused is 
fairly far up the corporate food chain.
    Again, I would not want to make that as a blanket 
recommendation, but my blood does not run cold when I hear that 
a firm has brought in an outside investigator, assuming they 
are a competent professional firm. It might be better to bring 
in someone from the outside who does not have all the potential 
for bias that an inside party might have.
    Ms. Velazquez. Ms. Plummer?
    Ms. Plummer. There are no enhanced concerns for the 
employee when a third party is brought in to investigate. In 
fact, it improves, as Mr. Maltby just expressed, the 
possibility of an impartial and fair investigation. In fact, it 
is to the employee's benefit to have somebody from outside the 
company come in to investigate for just that purpose.
    Ms. Velazquez. Thank you.
    Thank you, Mr. Chairman.
    Mr. Tiberi. Thank you.
    I would like to thank the panelists from our first panel 
for testifying today, and ask the second panel to be seated for 
their testimony. Thank you very much.
    Thank you all for coming today. I will introduce the second 
panel, starting from my left, working to my right: Mr. Chris 
Petersen, attorney with Morris, Manning and Martin, LLP, on 
behalf of the Health Insurance Association of America; Mrs. 
Roberta Meyer, Senior Counsel, American Council of Life 
Insurers; Mr. Marc Rotenberg, Executive Director, Electronic 
Piracy Information Center; Ms. Joy Pritts, Assistant Research 
Professor, Health Policy Institute, Georgetown University; and 
last but not least, Mr. Edward L. Yingling, Executive Vice 
President, American Bankers Association.
    Thank you all for being here today. I would like to remind 
all of you that you have 5 minutes to give us your testimony, 
and it will be followed by questions from those who remain here 
today. I would like to start with Mr. Petersen. Thank you for 
being here.

  STATEMENT OF L. CHRIS PETERSEN, ATTORNEY, MORRIS, MANNING & 
 MARTIN, LLP, ON BEHALF OF THE HEALTH INSURANCE ASSOCIATION OF 
                            AMERICA

    Mr. Petersen. Thank you very much, Mr. Chairman, members of 
the subcommittee.
    My name is Chris Petersen. I am a partner with the law firm 
of Morris, Manning and Martin. Today I am testifying on behalf 
of the Health Insurance Association of America. The HIAA is the 
nation's most prominent trade association representing the 
private health insurance system. Its nearly 300 members provide 
the full array of health insurance products, including medical 
expense, long-term care, dental, disability and supplemental 
coverage to over 100 million Americans.
    My written statement focuses on the continuum of federal 
and state privacy laws and the interplay among those various 
laws. In my oral testimony, I will examine these additional 
privacy laws, in conjunction with the Fair Credit Reporting 
Act, limiting health insurers' ability to disclose information. 
As the committee is aware, important provisions of the FCRA are 
up for reauthorization. The HIAA supports the reauthorization 
of the Fair Credit Reporting Act.
    The HIPAA privacy rule is the first of these many privacy 
laws that health insurers must comply with. The rule provides 
that those insurers that meet the definition of a health plan 
may not use or disclose protected health information except as 
permitted or required by the privacy rule. In addition, the 
privacy rule provides for six instances under which a health 
plan is permitted to use or disclose information. Most relevant 
for today's discussion are the permitted uses and disclosures 
for treatment, payment and health care operations, and those 
uses and disclosures made pursuant to an authorization.
    Health care operations encompass uses and disclosures 
necessary to administer a health plan's business and provide 
benefits to covered individuals. Many of the health plan's 
routine uses would fall under this provision. However, 
disclosing to a financial institution for that institution's 
operations would not fall under the health care operations 
exception. As a result, the HIPAA privacy rule would not allow 
a health plan to disclose health information to another 
financial institution without that individual's signed 
authorization for purposes of that financial institution to 
make credit decisions regarding the individual that is the 
subject of the information.
    The HIPAA privacy rule also provides the privacy standards 
requirements under the rule. State laws are preempted if they 
are contrary to the HIPAA privacy rule. Therefore, we have to 
also look at state privacy laws to determine how they interact 
and regulate the ability of a health insurer to disclose 
financial information or health information.
    In 1999, Congress enacted the Gramm-Leach-Bliley Act 
establishing a statutory framework for all financial 
institutions to use in disclosing information. The National 
Association of Insurance Commissioners adopted a model law 
regulating Gramm-Leach-Bliley disclosures by health insurers at 
the State level to provide guidance for State insurance 
departments in regulating this important area.
    That model regulation governs financial disclosures, but 
the State insurance departments went further than the federal 
law as they also regulate disclosures regarding health 
insurance information. Insurance entities may not rely on the 
opt-out rule of the Gramm-Leach-Bliley Act to disclose 
nonpublic personal health information. Instead, insurance 
entities must either have the individual's written 
authorization to disclose the information, or the disclosure 
must be allowed under the regulation's permitted exceptions.
    Generally, the regulation allows an insurance entity to 
disclose information in order to service a transaction that a 
consumer requests, or to conduct insurance functions, or to 
make disclosures that are in the public good. This regulation 
was drafted with industry, regulatory and consumer input, and I 
believe those exceptions, once again, would not allow an 
insurance entity to disclose health information to another 
financial institution for the purpose of that financial 
institution making credit decisions.
    In 1982, the NAIC adopted a comprehensive privacy model. 
This also regulates insurance institutions and requires that an 
insurer must have an authorization in order to disclose 
financial or medical information or personal characteristics 
information, as we discussed earlier. Once again, you can 
disclose for insurance functions, but you cannot disclose for 
purposes to another institution for that institution's credit-
making decisions without an authorization.
    Finally, there are a whole array of State privacy laws that 
govern sensitive health information, for lack of a better term. 
These laws are additional protections for specific types of 
information. As you look at the HIPAA privacy rule, insurers 
have to once again make a decision: Do these laws provide 
greater privacy protections, and limit the scope and uses and 
disclosures of health information? If so, health plans must 
comply with these laws as well.
    In conclusion, a whole array of laws would prevent health 
plans and health insurers from disclosing medical information 
for credit purposes.
    Thank you.
    [The prepared statement of L. Chris Petersen can be found 
on page 96 in the appendix.]
    Mr. Tiberi. Thank you.
    Ms. Meyer?

STATEMENT OF ROBERTA MEYER, SENIOR COUNSEL, AMERICAN COUNCIL OF 
                         LIFE INSURERS

    Mrs. Meyer. Thank you, Mr. Chairman, and members of the 
subcommittee. I am very pleased to be here to testify before 
you today on behalf of the American Council of Life Insurers, 
the principal trade association for life insurance companies. 
Our members sell life insurance, disability income insurance, 
long-term care insurance, and also provide annuities.
    Life insurers have a very long history of trading highly 
sensitive information, including our policyholders's medical 
information, in a highly professional and appropriate manner. 
Life insurers collect and use this information in order to 
serve their existing customers. At the same time, life insurers 
support very strict protections relating to the confidentiality 
of the medical records. Accordingly, we strongly support 
prohibiting the sharing of medical information in connection 
with the extension of credit.
    Today, I am going to very briefly explain why life insurers 
collect medical information and why it is so important to the 
life insurance process. I will very briefly provide an overview 
of ACLI's policy on medical records confidentiality, and then 
again touch on the key elements of the numerous federal and 
state privacy laws that do in fact provide very comprehensive 
protection to life insurers's policyholder medical records. In 
today's world, life insurance protection is more important than 
ever. In order to continue to make insurance products and 
services widely available at the lowest possible cost, life 
insurers must have access to medical information. The risk 
classification process, which is based in large part on medical 
information, provides the fundamental framework for the current 
private system of insurance. In fact, it is largely this 
process which has made it possible for insurers to make their 
products widely available to American consumers today.
    ACLI's privacy policy, as I said before, provides for very, 
very strict limits on insurers's ability to both obtain and 
disclose consumer medical information. The principles also 
support a prohibition on the sharing of policyholders's medical 
information with a financial institution for purposes of 
determining eligibility for credit, even if in fact that 
financial institution is an affiliate of the insurer.
    I would now like to speak very quickly to the various 
federal and State laws. Mr. Petersen has spoken to some of them 
already, so I will just touch very briefly on the key elements 
of those provisions. First, under the Fair Credit Reporting 
Act, medical information may be a consumer report because it 
does in fact bear on the consumer's personal characteristics 
and is used as a factor in determining an individual's 
eligibility for insurance. However, medical information is 
afforded special status under the FCRA.
    Medical information can be disclosed by a consumer 
reporting agency to an insurer only in connection with an 
insurance transaction and only with the consumer's consent. 
Insurers believe that the FCRA is critical to their business. 
It in fact facilitates widespread availability and 
affordability of insurance today.
    ACLI member companies also strongly support the privacy 
provisions of the Gramm-Leach-Bliley Act. As Mr. Petersen has 
already indicated, medical information under that Act is 
treated as nonpublic personal information, and may only be 
disclosed by a financial institution provided the individual is 
given notice of the sharing and given the opportunity to opt 
out of the sharing.
    The only circumstances under which notice and opt-out do 
not need to be provided is when the information is shared for 
operational insurance business functional purposes or in 
connection with joint marketing agreement. In fact, state 
privacy laws generally go further than this and require 
insurers to obtain an opt-in for the sharing of medical 
information.
    In fact, when the National Association of Insurance 
Commissioners and the States were first developing and then 
adopting the State laws to enforce and implement the Gramm-
Leach-Bliley Act, the ACLI member companies strongly expressed 
the view that medical information should be afforded increased 
protection, given its highly sensitive nature.
    Both with the NAIC and throughout the country, as the 
States have considered adoption of the NAIC model, Gramm-Leach-
Bliley confidentiality regulation, the ACLI has firmly 
expressed its support for the privacy provisions, medical 
records provisions of that regulation, which provide that in 
fact before a policyholder's medical information may be 
disclosed, there has to be obtained by the insurer the 
authorization or the opt-in of the individual.
    Similarly, the old NAIC model privacy act, as it is called, 
which was enacted before Gramm-Leach-Bliley, would require the 
opt-in of an individual before his or her medical information 
could be shared with a non-affiliated third party, unless in 
fact the information was again being shared for operational 
insurance business functions.
    Mr. Tiberi. If you could wrap up, Ms. Meyer.
    Mrs. Meyer. I can. Thank you very much.
    The HIPAA rule, similarly, even though the HIPAA rule does 
not directly impact on life and disability income insurers, it 
would in fact require that a health care provider obtain the 
consent of the individual before an individual's medical 
records may be disclosed to a life or disability income 
insurer.
    Finally, Mr. Chairman, we appreciate the opportunity to 
testify today. We strongly support strict medical records 
privacy protections, and would strongly support a prohibition 
on the sharing of medical information for purposes of 
determination of eligibility for credit.
    Thank you.
    [The prepared statement of Roberta B. Meyer can be found on 
page 72 in the appendix.]
    Mr. Tiberi. Thank you.
    Mr. Rotenberg?

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Thank you very much, Mr. Chairman, members 
of the committee.
    My name is Mark Rotenberg. I am Executive Director of the 
Electronic Privacy Information Center. I have taught 
information privacy law for many years at Georgetown. I also 
chair the American Bar Association's Committee on Privacy and 
Information Security, although I am testifying today on behalf 
of myself and not on behalf of the ABA. Also with me this 
morning are Chris Hoofnagle, Deputy Counsel at EPIC, and Anna 
Slomovic, our Senior Fellow.
    I am very grateful to you and the members of the committee 
for looking at the issue of medical record privacy. This is 
clearly one of the top privacy concerns for consumers in the 
United States. I think the particular challenge that you face 
this morning is trying to understand the relationship between 
three different regulatory regimes, and whether or not they 
adequately safeguard the privacy of medical records, 
particularly when they may be made available to employers.
    Now, the HIPAA privacy rules, which have been discussed 
earlier, do a good job of providing privacy protection for 
covered entities, which are typically the health care plans. 
But the HHS understood that HIPAA could not be generally 
extended to employers, and that protection for that type of use 
of personal information would have to be found elsewhere.
    The Fair Credit Reporting Act, while it recognizes certain 
protections for medical information, does not in fact go as far 
as the HIPAA rules, which set out a separate category of 
protected health information. The Gramm-Leach-Bliley rules do 
not speak directly to the protection of medical record 
information. Other means were needed to try to safeguard the 
protection of medical information after passage of Gramm-Leach-
Bliley.
    Where does that leave us today? I would like you to 
consider the following scenario. Imagine a prospective employee 
who is seeking a job and the employer asks this person to 
provide consent for access to the credit report, which is done 
increasingly today, both through standard employment practices 
and also through obligations imposed by federal statute. The 
employee, believing she has a fine credit report and that there 
is nothing there that would produce an adverse determination, 
signs the consent.
    Now, it turns out that the credit report may in fact 
provide information from which the employer could infer medical 
care or medical services that she has received because, for 
example, she has obtained credit from a neonatal clinic for 
fertility drugs, an expensive procedure and something where 
people might quite likely obtain credit and establish what 
would be considered on the credit report a trade line. From 
this, the employer may be able to infer some information about 
her intent to have children.
    As a general matter in employment law, it would be improper 
to use that information in the employment determination, but it 
is an example of how information could be made available 
through a credit report to an employer that the HIPAA rule 
would otherwise try to protect, but could not protect in this 
instance because the employer is not in fact a covered entity 
under the HIPAA rules.
    Now, I think there are legislative approaches to try to 
solve this problem. But I want to suggest to you more 
generally, particularly in the context of the Fair Credit 
Reporting Act and the many issues that you are considering in 
this session, that it is particularly important to understand 
the role that the States play in safeguarding the right of 
privacy. I think we have been a little bit too quick over the 
last few years to look for national uniform solutions that 
effectively restrict the ability of State regulators to 
safeguard the interests of consumers when these types of issues 
arise.
    Returning again, for example, to the example of medical 
privacy under Gramm-Leach-Bliley, this was a problem that was 
dealt with by the National Association of Insurance 
Commissioners. It was in fact the NAIC model guidelines 
promulgated after Gramm-Leach-Bliley that provided a framework 
for good state regulations intended to safeguard the privacy of 
medical information that GLB did not otherwise cover.
    But more generally, if you look at the development of 
privacy law in the United States over the last 30 years, 
invariably what you see is that Congress passes a baseline 
standard to provide a basic level of protection to protect 
privacy interests for consumers across the country, and allows 
the States to regulate upwards, to provide more protection when 
they identify new problems that perhaps Washington cannot get 
to as quickly.
    Sometimes the State efforts succeed, in which case they 
will be followed by other States. Sometimes the State efforts 
fail, in which case they will be disregarded. I think this is 
precisely what is meant by the concept of the States being the 
laboratories of democracy.
    So I would urge you today as you consider medical privacy 
issues in the context of financial services, and more broadly 
the importance of the Fair Credit Reporting Act, that you 
safeguard the ability of the States to protect the interests of 
consumers. I think it would be a mistake to allow the 
preemption loophole to be extended beyond this Congress.
    Thank you very much.
    [The prepared statement of Marc Rotenberg can be found on 
page 146 in the appendix.]
    Mr. Tiberi. Thank you, sir.
    Ms. Pritts?

 STATEMENT OF JOY PRITTS, ASSISTANT RESEARCH PROFESSOR, HEALTH 
            POLICY INSTITUTE, GEORGETOWN UNIVERSITY

    Ms. Pritts. Good morning, Mr. Chairman and members of the 
Subcommittee on Financial Institutions. I would like to thank 
you for this opportunity to testify today on medical 
information and how it is protected in the financial services 
area.
    I would like to incorporate everything that Mr. Rotenberg 
just said into my testimony, because I think he said it so 
well. But I would also like to emphasize that this is an area 
that consumers are very concerned about. They do not want their 
medical information shared in the financial service area 
without their advance permission.
    In particular, there is a Gallup survey which was done in 
the year 2000 which showed that fully 95 percent of Americans 
said they did not want their banks to have access to medical 
record information without their advance permission. This is a 
consistent trend, too. It is not something that has just 
happened. It is consistent. It is persistent. People are 
concerned.
    There is no question that those in the financial service 
industry collect and use medical information for legitimate 
uses in a variety of different contexts. From the written 
testimony that was submitted, many of those in the financial 
services industry say that they believe, and as we have heard 
earlier from Ms. Meyer, that they believe that it is improper 
to use in particular health information for credit purposes.
    These are important policies that the financial services 
trade associations have in place and many do subscribe to them, 
but policies are not enough. The consumer cannot enforce the 
policy. You cannot take it to court. More important, I think, 
is also the fact that policies can change. Fifteen years ago, 
you would have never seen an insurer using a credit score for 
underwriting purposes. There are many instances in which health 
information can lead people to financial distress, so what is 
to prevent in the future from people using health information 
for credit purposes? What we really need are adequate legal 
protections. The time to put them into place is now, before the 
sharing of this type of information is used consistently as a 
business practice for determining credit purposes and for other 
purposes that medical information really was not intended.
    One of the things that we really saw when the HIPAA privacy 
regulations were being drafted was a very persistent problem 
that people had been using health information for a long time 
in manners that health care consumers really did not understand 
and know about. Yet because it had become an established 
business practice, it was in many ways difficult to control it. 
The horse was out of the barn and there was no getting it back.
    The problem I see is that the laws that we have today are 
inadequate. There are a lot of them, but there still are a 
number of loopholes. For one thing, they do not cover everyone 
who holds and uses health information in a commercial-type 
context. They set different standards and they are often 
inadequate for using and sharing health information. And where 
they overlap, there is confusion as to which law prevails. It 
is that last point, which I think is fairly confusing to a lot 
of people, but which I also find to be fairly disturbing.
    I think that the FCRA and GLBA, the Gramm-Leach-Bliley Act, 
are particularly problematic from a health consumer's point of 
view. They govern the sharing of financial information which 
can, by implication, and often does include medical information 
in the financial services industry.
    The Gramm-Leach-Bliley Act allows the sharing of financial 
information, including medical information, among affiliates 
without the permission of the consumer. It does provide for 
notice, but as anybody who has received the scores of privacy 
notices from financial institutions knows, those notices are 
often incomprehensible.
    This type of sharing of health information is precisely the 
activity that consumers have repeatedly and strongly said they 
do not want. They do not want insurers and banks looking at it 
and then asking them after the fact whether this is something 
that they really would permit.
    The states have stepped up to the plate. They have filled a 
lot of these gaps, particularly in the health insurance area. 
They have been very, very much advanced as to protections that 
they offer. But the concern is that these laws are subject to 
attack.
    In particular, the problem here lies, and this is a very 
kind of wonky discussion I am going to launch into, but the 
problem lies with the fact that GLBA has essentially two 
preemption provisions. It allows states to have stronger laws, 
but then it also incorporates all the provisions of the Fair 
Credit Reporting Act. The Fair Credit Reporting Act has a 
provision that prohibits states from enacting laws with respect 
to the exchange of information sharing among affiliates.
    There have been a number of articles in some trade 
association magazines and law reviews that say what this 
effectively does is prevent States from requiring, for 
instance, an opt-in for the sharing of affiliate information. 
We think that this really needs to be clarified and the time to 
clarify it is now. There is no need to wait for a court to make 
that sort of decision.
    In summation, I would say that health care consumers prefer 
and demand that they have an opt-in for sharing of medical 
information, including information among affiliates; that the 
Fair Credit Reporting Act preemption provision should be 
allowed to expire, it is merely causing confusion; and that the 
Congress needs to clarify when you have these three different 
statutes, HIPAA, Gramm-Leach-Bliley and the Fair Credit 
Reporting Act, where they overlap, and there is some confusion 
as to which one is going to prevail, because that is not in the 
Congressional Record whatsoever.
    Thank you.
    [The prepared statement of Joy Pitts can be found on page 
113 in the appendix.]
    Mr. Tiberi. Thank you.
    Mr. Yingling?

    STATEMENT OF EDWARD YINGLING, EXECUTIVE VICE PRESIDENT, 
                  AMERICAN BANKERS ASSOCIATION

    Mr. Yingling. Thank you, Mr. Chairman.
    The ABA appreciates the subcommittee's holding hearings on 
the Fair Credit Reporting Act and the issue of protecting 
consumer information, including medical information. Before I 
address medical privacy specifically, I would like to briefly 
outline the philosophy of the banking industry regarding the 
use of information and the importance of preserving FCRA for 
our economy.
    First, the cornerstone of banking is preserving the trust 
of our customers. That only can be accomplished by protection 
and responsible use of information. Not only is protecting 
privacy the right thing to do, the highly competitive financial 
market demands it. No bank can be successful without having a 
strong reputation for protecting the confidentiality of 
consumer information.
    Second, we do believe preserving a national credit 
reporting system is critical to the U.S. economy. The strength 
and resiliency of the U.S. economy is linked to the efficiency 
of consumer credit markets. U.S. consumers have access to more 
credit, from more sources, and at lower cost than consumers 
anywhere else in the world.
    What makes this possible is a nationwide, seamless, and 
reliable system of credit reporting. Such a system would be 
impossible without the Fair Credit Reporting Act. For 
consumers, it means they can walk into an auto dealership and 
drive off with a new car within an hour. They can move across 
the country and open a banking account without hassle. They can 
quickly refinance their mortgage loan from lenders across the 
country to take advantage of falling interest rates.
    As is pointed out in a study cited in my testimony, one of 
the more remarkable achievements of the FCRA is the increased 
access to credit for lower-income households. By enabling 
complete and accurate credit histories, FCRA has helped extend 
credit to millions of Americans who otherwise might not have 
been able to get it. Simply put, the U.S. credit system works 
and is the envy of the world. The reauthorization of FCRA, and 
in particular the preemption of State laws which assures a 
national, consistent and complete system, is very important.
    Turning to medical information, it is obvious that such 
information is at the top of the list of personal information 
that consumers worry about. Three years ago, we convened a 
select group of bankers to work on privacy issues. Regarding 
medical privacy, the task force believed it important to 
reassure the public that, to the extent banks possess medical 
information on a customer, it will be held sacred.
    Concern has been expressed that lenders might use medical 
information obtained elsewhere in making a credit decision. 
ABA's position is that such use of medical information in a 
credit decision, obtained without the knowledge and consent of 
the borrower, is just plain wrong.
    There are, of course, a limited number of instances where 
medical information is directly relevant, for example in loans 
to sole proprietorships or small businesses where the franchise 
value of the firm hinges on one or two key individuals. In such 
cases, insurance on the key individuals might be required.
    In those instances, the prospective borrower will know what 
information is required and can expressly consent to it being 
obtained and used. Otherwise, the lender should not need such 
medical information. Finally, any such information obtained 
should be kept strictly confidential by the lender.
    Mr. Chairman, we appreciate the opportunity to testify 
today, and I would be happy to answer any questions.
    [The prepared statement of Edward L. Yingling can be found 
on page 162 in the appendix.]
    Mr. Tiberi. I don't think I have ever seen that before. You 
have 1 minute and 20 seconds to spare.
    Mr. Yingling. I am the last guy before lunch.
    [LAUGHTER]
    Mr. Tiberi. Thank you, Mr. Yingling.
    Thank you, panel, for your testimony today.
    I am going to defer my 5 minutes for questioning. I am 
going to call on the gentlelady from New York for 5 minutes.
    Mrs. Kelly. Thank you.
    We have been talking today about the use of information 
that is collected with regard to people. I would like to just 
ask anyone on the panel, who is collecting this? Where do you 
go to get this information? There was at one time a situation I 
recall, for instance with medical information, there was only 
one company that carried it. It was all in one massive 
computer, so everybody went there to get that information. 
Where do you go to get this information about people?
    Mr. Petersen. Health insurers typically get most of their 
information first, from an application and/or a claim. So that 
would be the starting base. Some of the insurance industry 
would use a clearinghouse that you are referring to. A lot of 
the health insurance industry does not use that clearinghouse 
because of the cost-benefit analysis.
    So for health insurers, it would be primarily the 
application process. Then they would get an authorization, and 
they have to get an authorization both under State law and 
federal law, to collect information from other sources. Those 
sources would be identified in the authorization. It would be 
primarily providers, other insurers, and maybe in some limited 
circumstances this clearinghouse that you are referring to.
    Claim information, if it is a claim, that information 
generally would come first from the claim submitted by the 
individual, but most generally from the providers themselves.
    Mrs. Kelly. In that clearinghouse that you are talking 
about, where they hold the information, does a consumer have 
the opportunity to change medical information?
    Mr. Petersen. Once again, I am speaking from the 
perspective of health insurers, both under the National 
Association of Insurance Commissioners's 1982 NAIC Act, people 
have a right to access and amend their information. The 
clearinghouse would be one of the covered entities under that 
Act.
    Now, that Act is only in 16 states. It was the first 
comprehensive privacy attempt at the State level. A lot of very 
significant population states have it, but it is only 16 
states. The HIPAA privacy rule would allow you to get access 
and amend your information, so you would have access to the 
information that the health insurer had, and if the health 
insurer disclosed it, you would have to correct the information 
down the disclosure chain.
    Mrs. Kelly. How complicated is that? How easy is it to find 
out who has your information?
    Mr. Petersen. Once again, from the health insurance 
perspective, you have to make an accounting of disclosures, 
both under HIPAA and under the 1981 Act. So if you made 
disclosures to those kinds of entities, you would have to tell 
them they had it, and if you made a correction, you would have 
to tell them you made a correction. If you wanted a correction 
and me, the insurance company, disagreed, you would have to 
allow that individual to put something in the record stating 
that you disagreed with the failure to make the correction.
    This is all fairly recent, though, so it is not well-tested 
as to how well it works, to be quite honest, under the HIPAA 
rule because April was the effective date, so we do not know 
how well it works, but they have a process, I think, to address 
concerns of the past in that area.
    Mrs. Kelly. Thank you.
    Ms. Pritts, do you want to speak to that?
    Ms. Pritts. Yes. I think that your original inquiry was 
directed towards the Medical Information Bureau. Is that 
correct? The Medical Information Bureau is essentially like a 
credit reporting agency for health information. It is a 
national bureau that I believe other insurers, other than 
health insurers, can rely on for obtaining more or less the 
status of health information for individuals.
    MIB reached an agreement with the Federal Trade Commission 
a number of years ago that its reports would be considered to 
be consumer reports. So individuals have the right now to 
obtain a copy of their report from MIB, much as they would a 
credit report from a credit reporting agency, for a fee of I 
think it is $8.50 now. They can review that information and 
they can request that that information be corrected if it is 
inaccurate. They can try to supplement that record if it is 
incomplete.
    As a matter of practice, people who have actually attempted 
to use this process have met with mixed degrees of satisfaction 
with it.
    Mrs. Kelly. What I am really driving at is if you are in 
the process of questioning your medical record that someone 
else is holding, and a financial institution is also getting 
some of that information, is that then flagged to the financial 
institution so that the financial institution knows that there 
is a question about something on your record? There are some 
things on people's records that they simply do not want others 
to know, and yet you must sign, in certain situations, you feel 
you must sign a disclosure form.
    So my question is, if you are in the process of questioning 
the great computers in the sky that hold all of this 
information about your credit and your medical records, then 
how is that transmitted to you as institutions for your use so 
that you know that these are issues that are at question?
    Ms. Pritts. Under HIPAA, what happens is, as Mr. Petersen 
was explaining, the individual has the right, first of all, to 
look at their own health information, and we would urge health 
consumers to do that so you have an idea before you sign one of 
those authorization forms what exactly your financial 
institution would be receiving. If you see something in there 
that you think is erroneous, under HIPAA you can ask your 
doctor to correct that information.
    Now, there are a number of circumstances under which they 
do not have to do that. What they do is, the patient can also 
submit a statement saying, ``I still think that this 
information is wrong.'' At that point, the health care provider 
is supposed to forward that, either they correct it or they 
deny it, and we are going to assume that the patient has 
supplemented and said, ``I still disagree with you.'' At that 
point, they are supposed to forward that information on to 
places like perhaps a financial institution.
    If a patient has said, ``Look, I am worried; I think this 
information might be getting into my credit report,'' they 
would have to identify them as somebody that this information 
should be forwarded to.
    Mrs. Kelly. I am out of time, but I hope you will give me 
my own time to further pursue this a bit.
    Thank you.
    Mr. Tiberi. Mr. Lucas?
    Mr. Lucas of Kentucky. Thank you, Mr. Chairman.
    I have found this testimony very enlightening. In my prior 
life for some 32 years, I was involved in insurance 
underwriting and also banking, so I am a little conflicted here 
about some of the things that I hear.
    I can see, Mr. Yingling, from the bankers's standpoint, 
particularly the analysis used of a small business owner, this 
medical information is very relevant in making a credit 
decision. I also can appreciate from the fact of people wanting 
privacy that there is some information that may get out there 
that they do not want people to know, that is not relevant to 
the decision.
    I guess from a public policy standpoint, I think that we 
need to reauthorize the preemption. But I would be interested 
in what kinds of things we could do to tweak this so we could 
hopefully make everybody reasonably comfortable, because as it 
is now, we have some problems. So does anybody want to take a 
shot at that?
    Mr. Yingling. Congressman, I would just say that the only 
time in the credit-granting process that we believe medical 
information ought to be used is where two criteria are met. One 
is that it is relevant; and two, that you get the express 
consent of the potential borrower.
    Now, this is really tight. It is not just a tight criteria. 
It is not opt-in. It means that for this specific transaction 
only, you are going to get the permission of the borrower to 
get specific information, so that the borrower would have the 
ability to say, for example in Ms. Kelly's question, ``You are 
not going to some third party that has all this information in 
a computer. You can go to my insurance company and make sure I 
have an insurance policy. I will show you the insurance policy 
that protects you in case I die and I am the franchise.''
    Or in rare instances, where there is a specific health 
question, you can go to my doctor and get specific information. 
But it seems to me that you have a real governor here in that 
the borrower has the ability to say, ``Yes, I will give you the 
information and I will only give you that specific information, 
and here is where we are going to agree to go get it.''
    Mr. Lucas of Kentucky. What if you had a situation of a 
small business owner and he found out that he was terminally 
ill. So he thought, ``Well, I will go to my bank and get this 
line of credit set up that will help my wayward son who is not 
that good a businessman; I will get this set up for him.'' And 
you know about the information, you find out about it, but he 
has withheld it. What do you do in a situation like that, where 
you know, you have gotten that information, but he has not 
given you that information? How do you deal with that?
    Mr. Yingling. Well, I think that would depend on how you 
get it. I do not think the lender has the right to go out and 
ask for the information without the permission of the borrower. 
I guess you could conceive of a small town where everybody 
knows it and so it is common knowledge that there is a health 
problem or some other problem. I guess from my point of view, 
it is hard to say the banker could not act on that general 
knowledge. But the lender should not be in a position of going 
out and fishing without the permission of the borrower.
    Mr. Lucas of Kentucky. Okay. Any other thoughts?
    Mr. Rotenberg. Well, Congressman, I think you put it very 
well. It is a public policy issue. Certainly, one of the things 
that privacy laws try to do is to allow people to participate 
in the marketplace, to obtain credit, to pursue employment, 
without being required to disclose a great deal of personal 
information, because many people would rightly feel that if 
they were forced to say everything about themselves, they might 
choose not to go for the loan or they might choose not to try 
to get the job.
    I have always believed the privacy laws are actually good 
for the economy because they give people the safety and 
assurance that they can pursue economic opportunity without 
having to disclose a lot of personal information. Now, I think 
in the years ahead, this problem is going to become quite a bit 
more serious. Diagnostics are becoming more precise, more 
advanced. There has been more commercialization of this 
information. It is easier for employers to get access to. Our 
health care system is being radically transformed by new 
technology.
    I think it is very much appropriate for the Congress at 
this point to draw some lines and to say the information that 
might be appropriate in the diagnostic setting in the delivery 
of medical care for an individual is not necessarily 
information that we should make available to employers, even 
though they may be interested.
    Let us be honest on this point as well. Employers would 
probably like to know a great deal about their employees. But I 
think it is very appropriate for Congress in those situations 
to say, that person is your employee; they are not your 
patients, and there is only certain information that you are 
going to learn about that person.
    Mr. Lucas of Kentucky. Okay. Anybody else?
    Mrs. Meyer. I might say on behalf of the life insurers that 
we believe that extension of the FCRA affiliate-sharing 
provisions is absolutely critical. Just as the FCRA has made it 
possible for credit to be widely available in the United 
States, it has also very much facilitated the availability and 
the affordability of life insurance products across the 
country.
    It is essential, as I stated in my testimony, that insurers 
be able to obtain and use medical information in order to 
assess risk, in order to make life insurance products widely 
available and affordable. At the same time, we recognize and 
very much appreciate consumers's particular concerns about 
medical information. For that reason, we do in fact support 
laws and regulations that would actually impose strict 
requirements and limits on our ability to in fact obtain and 
disclose this information. We very much support a prohibition 
on the sharing of medical information to determine credit.
    Mr. Lucas of Kentucky. Thank you.
    Mrs. Meyer. Thank you.
    Mr. Tiberi. Thank you. The gentleman's time has expired.
    I am going to recognize the gentleman from Ohio for 5 
minutes.
    Mr. LaTourette. Thank you, Mr. Chairman.
    Mr. Petersen, I apologize. I was not in the room for your 
testimony, but I have read it and I have a question that has 
nothing to do with fair credit reporting, and just wonder, as a 
representative of the health insurance industry, if you have an 
observation.
    When I talk to the small business folks in my district 
about the implementation of HIPAA and the law of unintended 
consequences, they are describing a situation that because, not 
that they want to root around in their employees's medical 
information, but because when they approach a health insurer 
they can only share or know so much information. They are 
finding that their insurance premiums are dramatically 
increasing because the insurance company is not aware of the 
risk that they are being asked to insure. Is that a reasonable 
observation by these people?
    Mr. Petersen. It is difficult. First off, for your small 
employers, I feel for them because I represent large insurers 
who have the absolutely same responsibilities as very small 
employers, and individual doctors. They all have to comply with 
this very large rule, and not all of them can afford to hire 
attorneys. So it is a very difficult problem.
    There is one problem about how you share information as an 
employer. The rule sets up group health plans, plan sponsors 
and employer requirements, all for the separate sharing of 
information. Unless you provide notices and put in policies and 
procedures, you may have restrictions on your ability to obtain 
and/or disclose information.
    I have heard of situations where small employers are 
finding it difficult to sometimes have one health plan disclose 
to the other health plan, or just to get the information 
generally and to disclose. From a health insurance perspective, 
if you do not have the information, a conservative underwriting 
approach is to, unfortunately, consider that it is probably 
bad.
    There has been some state activity. A few states are now 
enacting laws requiring one health plan to give it directly to 
the other health plan, so that the employer is not in the 
middle. They can just tell the one insurance company, give my 
information to the other insurance company. I think those types 
of laws will help address it, but it is a 50-state problem.
    Mr. LaTourette. Thank you.
    Mr. Rotenberg, I was in the room for your testimony and I 
heard you talk about a credit report of a prospective employer 
that might have some billing or a credit application for 
fertility. I think you said that the employer could not make an 
inference, which would be improper in the employment setting 
anyway.
    But couldn't the same inference be drawn, since we are 
talking about inferences, by an employer who was interviewing a 
woman who was 22 years old who just got married, from the fact 
that on her credit report there was testing for fertility, that 
she may want to in the foreseeable future start a family?
    In both of those inferences, if you reach the conclusion 
that she was desiring to get pregnant, that would not, under 
the laws already on the books, be a disqualifier. It would be 
an impermissible reason to disqualify someone for employment. 
Is there a better example or a greater danger that you see than 
the one that you cited to us in your testimony?
    Mr. Rotenberg. Congressman, I actually think the example is 
a fairly good one because it is a medical service that is 
increasingly likely to appear on credit payments. In fact, when 
the Federal Reserve took a look at credit reports, they were 
very interested in their study of February 2003 this year to 
find a very large number of credit payments related to medical 
services.
    So we could go into a bit more detail. We could imagine 
certain types of clinics that provide help for people with 
stigmatizing conditions. But I think the critical point is that 
there is information made available today through the credit 
report that would otherwise be covered under HIPAA, but for the 
fact that the employer is not a covered entity under HIPAA. 
That is the statutory problem.
    Mr. LaTourette. And Ms. Pritts, as I read your testimony, 
there was a reference that I did not hear you talk about, but 
there was apparently a banking executive that served on his 
county health board, is that right?, and you cite that as an 
example of bankers using medical information for making credit 
decisions.
    My question is, based upon your study of HIPAA, wouldn't 
the conduct of, I assume it is a fellow, but this banker prior 
to 1993 be a violation of HIPAA today? And if not, why not?
    Ms. Pritts. He is not a health care provider, and it is not 
clear where he was getting his health information from. He was 
serving on a board, I believe. It is not clear whether that 
registry would be a covered entity under HIPAA, because of the 
definition of health care provider.
    Mr. LaTourette. Okay. But you would agree with me if in 
fact the information was being supplied by a health care 
provider, that it would be covered, and your answer is that it 
would?
    Ms. Pritts. Well, if it is supplied by the health care 
provider to a registry, it then becomes uncovered by HIPAA, so 
then it is not protected.
    Mr. LaTourette. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Tiberi. Thank you.
    Mr. Crowley is recognized for 5 minutes.
    Mr. Crowley. Thank you, Mr. Chairman.
    Let me just take Mr. Rotenberg's example to another level. 
I would ask Mr. Petersen and Ms. Meyer or Ms. Pritts to chime 
in.
    If an individual were to obtain the TB test or an AIDS test 
or even a mammogram and pay for that using a credit card, would 
it be possible for that information then to be shared with 
affiliates? If so, is that possibly exposing what we determine 
as risky behavior in one's personal behavior that could be used 
against them to deny them insurance, both health and PC? Or 
even taking it to a further extent, is it possible that 
information could be used to deny them employment?
    Mr. Petersen. I will take the first shot at the question. 
The mere fact that they charged the information from a health 
insurance perspective, if they then submitted that charge to 
the health insurer for reimbursement, that would become 
protected health information and would be subject to all the 
protections I described.
    The 1982 Act, you asked earlier about avocation, lifestyle, 
reputation, the 1982 Act of the NAIC provides special 
protections for that information as well. They essentially 
treat it for health purposes like marketing. So if you inferred 
something from that, you also could not share that for 
marketing with a third party.
    Mr. Crowley. What if you are an affiliate with the company?
    Mr. Petersen. You have limitations under HIPAA about how 
you can share protected health information from marketing. You 
can share it to do upgrades to existing products, for instance, 
but very limited ability to use that. So if you just had that 
claim information, I think you would be restricted on how you 
could use it within the internal, even within affiliates, or 
internal uses. So you would have limitations on how you could 
do it.
    Under HIPAA, if it was not a part of the hybrid entity, for 
instance if you had an affiliate that was a life company, you 
could not disclose at all to the life affiliate. It would have 
to be health to health, and for limited ways to share it for 
marketing.
    Now, on the other hand, of course, if it was something that 
came up in the application process, so you paid for it with 
your credit card, but it came up in the application process, 
then the health insurance company could use that information.
    Mr. Crowley. They could use it. Well, then, Ms. Meyer, 
would you like to respond?
    Mrs. Meyer. Yes, thank you.
    If in fact you are talking about the bank sharing 
information with an insurance affiliate. Under the Fair Credit 
Reporting Act in fact that probably would be an experience in 
transaction information, so that the bank could share it with 
the life insurance affiliate. Although, I have got to tell you, 
I am hard-pressed to think of an actual situation where a bank 
would be sharing information of that nature, of a charge with a 
life insurance company.
    But say in fact the life insurance company did get the 
information, then once the life insurance company gets the 
information, then it would first, I cannot even think of the 
real-world where it would get it, so that it would even be an 
issue, because I cannot imagine they get that information in 
connection with underwriting.
    But if in fact an insurer ever did get the information, 
then the whole ambit of all the body of laws dealing with 
insurer's ability to disclose information would come into play, 
notably the NAIC model regulation, which requires an opt-in for 
the sharing of medical information, unless it is for an 
insurance business function, or the old NAIC model Act, which 
again requires an opt-in. Then you would possibly get into the 
Fair Credit Reporting Act, which would probably require an opt-
out for the sharing.
    But in fact, insurers that do business all over the country 
adhere to the NAIC model Act and regulation, essentially in all 
States in which they do business. So that essentially ends up 
being the law of the land. But again, getting to the very 
beginning, I am hard-pressed to think of a situation where a 
life insurer would actually be getting that type of information 
from a bank.
    Mr. Crowley. You may be hard-pressed, but it not 
inconceivable that something like that could happen in the 
future.
    Mrs. Meyer. I just don't know how.
    Mr. Crowley. We don't know where this is going, actually. 
Things are evolving in terms of information and the need for 
more information to make decisions based on one's personal 
life, especially risky business.
    Mrs. Meyer. I guess conceivably, but that flow of 
information is something that I have not seen.
    Mr. Crowley. Difficult. Okay, Mr. Chairman, just one more 
question, if I could, for Mr. Yingling.
    I missed your opening statement, but it was pointed out to 
me by my staff that it says, ``With respect to the banks, 
medical information should only be used for the express purpose 
for which it is provided and should not be shared without the 
express consent of the consumer.'' Are you advocating a system 
of opt-in for health information, as opposed to opt-out?
    Mr. Yingling. As I mentioned in a previous answer, I don't 
think it really is opt-in. I think it is stricter than opt-in. 
An opt-in regime could be a general approval to seek 
information or to use information, and it could be prospective 
and cover additional transactions.
    When we say with the approval and consent of the potential 
borrower, what we mean is a specific approval of the 
information that is needed for the application in front of you, 
so to speak. So it actually I think is stricter than opt-in.
    Mr. Crowley. Thank you.
    I thank the chairman.
    Mr. Tiberi. Thank you. The gentleman's time has expired.
    Without objection, the gentleman from Illinois, Mr. 
Emanuel, may be recognized for the purpose of questioning 
witnesses under the 5-minute rule. Do I hear an objection? Not 
hearing an objection, Mr. Emanuel? Mr. Emanuel is recognized 
for 5 minutes.
    Mr. Emanuel. Mr. Chairman, thank you. As a member of the 
full committee, I ask unanimous consent to ask questions. Thank 
you.
    First of all, thank you for holding this hearing and 
putting this panel together. To follow up on this set of 
questions and your answer, I think we are at a critical point 
in finding a balance here that allows commerce and information 
to flow freely, but also give consumers a certain level of 
protection in this storm that they have a safe harbor. As you 
said, it is more strict than opt-in or opt-out. I actually am 
working on a bill creating a blackout as it relates to medical 
information.
    We have to create, I think, for consumers, because it 
touches on what Ms. Pritts said earlier as it relates to 
information, what consumers most care about is their medical 
privacy. If you look at it as a set of issues, you go down the 
ladder of what they care about, at least in the data and the 
research I have seen, and obviously I am dealing with five 
experts here who may show counter-data, but medical information 
is what they care most about in the sense that they feel 
vulnerable and they feel that their privacy has been violated, 
and then forces greater than they can control and have access 
to things about them that are not relevant.
    With that, and again the world we live in is changing by 
the time we deal with this, and we are trying to set up some 
set of rules going forward that do not allow the different 
legislation that we have passed in the past, at least to set a 
clear mark of what the rules of the road are going forward.
    Let me ask a question, and this is for anybody, so have at 
it. I have a set of questions. What are some of the scenarios 
that could occur if the existing loopholes are not closed as we 
try to explore different scenarios? And is there a chance for 
widespread abuse here? I have some follow-up questions after 
that, so does anybody want to just take at it?
    Mr. Rotenberg. Congressman, I return to the original 
purposes of the Fair Credit Reporting Act. It was an 
extraordinary law at the time it was passed in 1970. Senator 
Proxmire and others came together. People became aware that a 
lot of derogatory information about individuals was being 
gathered up and being used in an adverse way. The information 
was inaccurate. We would call it today probably defamatory. It 
kept people out of jobs. It kept people from getting loans.
    The Fair Credit Reporting Act was passed to create stable 
transparent markets that consumers could participate in by 
ensuring accuracy and fairness and privacy. I think what 
happens, as you describe, as the technology gets ahead of us 
and some of the new business practices get ahead of us, we get 
back in some ways to where we were back in the 1960s, where 
there is the risk that inaccurate information, defamatory 
information will produce bad consequences.
    I think Congress was very wise in 1970 to deal with the 
problem then. I think you are going to have to deal with it 
today with new technology and with new business practices.
    Mr. Petersen. I think from the health insurance 
perspective, it is very difficult to think of any loopholes 
that actually exist as the HIPAA rule interacts with the State 
laws. Our firm conducted an analysis of how the HIPAA privacy 
rule interplays with all 50 State insurance codes. That 
analysis is over 600 pages, and I am assuming a non-lawyer 
could do it in 400 pages or however many extra words we might 
add to it. It is still a very lengthy analysis. State law, from 
a health insurance perspective, adds a lot of additional layers 
of privacy protections.
    Now, it is very difficult as a national carrier to interact 
with all those, so sometimes preemption might be good. But you 
look at, as I said in my testimony, you have two NAIC models; 
you have the HIPAA rule; and then you have sort of sensitive 
information, reproductive rights, genetic testing, mental 
health, substance abuse, a variety of information that states 
have deemed to be extra-sensitive, and they have passed 
additional laws on the uses and disclosures. So I think from a 
health insurance perspective, almost all bases have been 
covered.
    Mr. Emanuel. Okay.
    Mrs. Meyer. I think from the perspective of life insurers, 
which are in a slightly different position than health insurers 
because they are not directly subject to the HIPAA rule, life 
insurers's and disability income insurers's ability to obtain 
medical information is very much determined by the HIPAA rule, 
which would not permit health care providers to give 
information to life insurers and disability income insurers 
without their providing the authorization of the individual.
    So you take all of the others, the Fair Credit Reporting 
Act, Gramm-Leach-Bliley, the HIPAA rule and all of the State 
privacy rules, and again the combination, the fitting of all 
these rules together in effect operates in the same way, 
because both life insurers's ability to get the information and 
then to disclose the information is covered by the combination 
of all of these rules.
    Mr. Emanuel. Did you want to say something?
    Ms. Pritts. Yes. I think HIPAA protects health privacy 
fairly well in the context of health insurance, but HIPAA is 
not comprehensive. It only covers health care providers and 
only if they do certain kinds of transactions, a health care 
clearinghouse, and health plans. So it does not cover 
everybody.
    The other point I want to make is that we have heard 
repeatedly today how important the State laws have been in 
filling in the gaps at the federal level. They are particularly 
important with insurance, because that is traditionally 
governed at the State level. To the extent there is this 
ambiguity in GLBA and FCRA about whether the States can go as 
far as they want to go, I really think that needs to be 
clarified.
    Mr. Emanuel. One question is, and if you have the life of a 
member as I do, with office hours in grocery stores, meeting 
people, doing constituent work, making it easier for people. My 
day is, and it is a pathetic life, maybe; I do it on Saturday. 
You meet people. You try to make office hours easier. And I 
don't think consumers have any idea that on a credit 
background, health information is accessible. Maybe from the 
insurance side, but I will tell you from the general public, I 
would be interested if, from your own background and your own 
research, your own knowledge of the public, whether you think 
they know that health information is accessible on a credit 
background check.
    Mr. Tiberi. The gentleman's time has expired, but please 
answer the question.
    Mr. Emanuel. Thank you, Mr. Chairman.
    Mr. Yingling. If I could comment, I am sure I am 
oversimplifying here, but the expansion that we are talking 
about here is due to the Fair Credit Reporting Act covering a 
whole bunch of different types of reporting agencies.
    If you are talking about the basic credit reporting system, 
when a bank looks at an application and goes and gets a credit 
report, they do not have medical information in that report. 
When people are doing employment checks, they go to a different 
type of reporting agency where they get that kind of 
information. I think it is important to make that distinction.
    I am a little concerned if we start trying to deal with 
issues that just go through basically the payment system or the 
traditional credit card system where all you have is something 
that says a payment was made to the Yingling Clinic, and that 
is all that is in there, or a late payment was made to the 
Yingling Clinic. Then to ask the reporting system somehow or 
other to make a distinction between whether the Yingling Clinic 
is a health clinic or a doctor clinic or a golf clinic, and 
people who have seen me play golf know that it is not, when you 
are dealing with millions and millions of transactions with one 
little piece of information. I do not think you want to require 
those kinds of reports, or in the situation of those kinds of 
reports, to have people sit there manually and try and figure 
out what the Yingling Clinic is.
    Mr. Emanuel. Thank you, Mr. Chairman.
    Mr. Tiberi. Thank you.
    The gentlelady from New York is recognized for 5 minutes.
    Mrs. Maloney. Thank you very much.
    I would like to follow up on the questioning of my 
colleague, Mr. Emanuel. I agree that certainly health 
information and privacy information and medical information is 
one of the most sensitive areas this committee deals with. I 
would like to go back to some of the testimony by Mr. 
Rotenberg, in which he talked about the availability of medical 
information in credit reports and the ability to infer a 
person's medical history based on this information. He cited 
studies by the Consumer Federation and the Federal Reserve on 
this point.
    I would like to ask the panel, beginning with Mr. 
Rotenberg, do you know of any companies that are using this 
information to make conclusions about people's medical history 
and base credit decisions on such information, not just late 
payment, but medical history? You could say payments to a 
clinic; you could infer they have cancer or whatever. So 
starting with you, Mr. Rotenberg, and if anyone else would like 
to comment.
    Mr. Rotenberg. Congresswoman, the quick answer to your 
question is no, we have not been able to identify organizations 
that have used this information in an adverse way. I want to 
say two things, though, on this point. First of all, that the 
problem has recently come to light. The Consumer Federation of 
America report is from December of last year; the Federal 
Reserve Board report is February of this year.
    Secondly, I think it will take further investigation to 
actually find those instances where these kinds of 
determinations are made. But having looked at the report from 
the Federal Reserve Board, it seems apparent, it was at least 
apparent to them that medical record information can now be 
obtained from a credit report.
    Mrs. Maloney. Has anyone else on the panel, do any of you 
know of any business that has used this information in an 
adverse way? Any other members of the panel?
    I would like to follow up and ask, do you, Mr. Rotenberg, 
or anyone else on the panel, believe that employers are using 
this information to base employment decisions on people's 
health? People look at credit reports for employment decisions 
also.
    Mr. Rotenberg. Well, I suspect that an employer with access 
to this information would consider it. Now, as I also indicated 
in my earlier statement, certain types of determinations, for 
example a prospective pregnancy, would not be a permissible 
factor in an employment determination. Nonetheless, under the 
HIPAA guidelines, which would prevent people from getting 
access to this information, without those safeguards applying 
to employers who get access in effect to the same information 
through the credit report, they can now make judgments about 
AIDS trials and TB and so forth. I think it is a problem that 
the committee will need to look at more closely.
    Mrs. Maloney. Yes.
    Mr. Petersen. I was going to say from a HIPAA perspective, 
employers that provide group health plans, their group health 
plan is treated just like a health insurer under HIPAA. So if 
in the context of providing benefits to their employees, if 
they receive protected health information that identifies the 
individual, they are subject to all of the same rules as a 
health insurer. So they could not use the information received 
in that context to make employment decisions. I think Mr. 
Rotenberg was talking about information where you could infer 
health status.
    Mr. Rotenberg. Just to clarify if I might, Mr. Petersen is 
describing the information obtained by virtue of the health 
plan, which is correctly covered under HIPAA. I am talking 
about the information that is obtained from the credit report 
that the employer might access as part of an employment 
determination, which would not be covered under HIPAA.
    Mr. Petersen. That is correct, yes.
    Mr. Yingling. I just want to add again that when we use the 
term ``credit report,'' we may think that we are talking about 
the credit report a bank gets. It is technically a credit 
report because it is all covered by the Fair Credit Reporting 
Act, but when a lender gets a credit report, they do not get 
that information. All they get is the payments and the late 
payments and your credit history. They do not get the medical 
information. When you are an employer, you are going to a 
different type of entity, and that is where you may be getting 
some of this medical information.
    Mrs. Maloney. But as I understand it from Mr. Rotenberg's 
testimony, just getting the payment history can infer medical 
conditions. Is that what you were saying?
    Mr. Rotenberg. To be precise, it is the trade line 
information that would indicate, for example, an outstanding 
debt to a clinic. That information would be made available to 
the employer through a credit report, and that is the type of 
information that is being made more widely accessible today.
    Mrs. Maloney. And you were implying that you could gain 
information just from the credit report on a person's health.
    Mr. Rotenberg. Yes, exactly.
    Mrs. Maloney. And a health condition, if you are making a 
payment to a cancer clinic, obviously you probably have cancer, 
that type of thing. What specifically did the Federal Reserve 
say about this? Could you elaborate?
    Mr. Rotenberg. Well, I have the Federal Reserve report in 
front of me, and I would be happy to provide it to the 
committee, perhaps as an attachment to my testimony. But I will 
just read one sentence, and this is under a heading 
``collection agency accounts.'' I am reading from the report of 
the Federal Reserve, February of this year: ``Information on 
noncredit-related bills and collections such as those for 
unpaid medical services is reported to credit reporting 
companies by collection agencies. In addition, collection on 
some credit-related accounts also are reported directly by 
collection agencies.''
    So the Federal Reserve, this is a very good study, it is a 
non-political study. They were simply trying to understand how 
the credit report is generated, where does the information come 
from. They seem to be interested in the fact that a significant 
amount of information, in fact on page 69 of the report, they 
indicate that approximately 52 percent of transactions relate 
to medical payment. So this is I think very interesting.
    Mrs. Maloney. Yes. My time is up. I thank all the 
panelists.
    Mr. Tiberi. The gentlelady's time has expired.
    We will go for a second round of questioning between the 
three of us, if both of you would like to stay.
    Mr. Yingling, just following up on this line of questioning 
from the last two questioners, let's say a customer of one of 
your banks has a checking account and is writing a check to the 
Ohio State cancer clinic, or is a credit cardholder with one of 
your banks and goes to a grocery store pharmacy and purchases 
medication that is for mental illness or something. Typically, 
how is that information protected for a consumer?
    Mr. Yingling. Typically, all the payment system information 
is protected. There is no distinction, I don't think, made with 
medical versus any other type of information. It is protected 
through normal security measures. If you look at Gramm-Leach-
Bliley, there are specific provisions in there that require 
that banking institutions have security that protects all this 
type of private information.
    Quite frankly, it is moving through the computers so fast 
that I don't think any human looks at it unless it is an 
exception item. I believe that our task force was pretty clear 
in the Statement that it made in its report that is quoted at 
the end of my testimony. It said that none of that type of 
information should be gathered or should be used for any 
purpose other than making sure that the checks are paid and the 
accounts are reconciled.
    Mr. Tiberi. In terms of the wording, ``should be'' or 
``cannot be'' used? Can you comment on that?
    Mr. Yingling. Well, I don't make law, so I can't say 
``cannot.'' But I recommend ``cannot'' should be used. If you 
chose to make it ``cannot,'' you could make it ``cannot.'' 
However you would have to have an exception to cover all those 
instances, and we have been talking about one example, which is 
the key-man insurance on a small business. You would have to 
have many exceptions, but even in those exceptions it would 
only be with the express consent of the potential borrower.
    So I think the better way to phrase it so you do not have 
to get into the business of trying to foresee every exception, 
which is impossible, would be to say it can only be used with 
the express consent of the customer.
    Mr. Tiberi. But to your knowledge, your membership does not 
abuse that customer relationship now, to your knowledge?
    Mr. Yingling. No, not to my knowledge. It is hard to 
foresee instances where it would be worth the candle to try to 
do it, quite frankly. There are lots of instances where you do 
get medical information. Another one, for example, is we do a 
lot of trust work, and quite often when you are setting up a 
trust, if you have a child that has medical problems or mental 
problems, you would want that banker working with you to set up 
the trust, to understand that. You want the person running the 
trust to have the authority to make decisions about when 
additional medical care is needed or not needed. But those are 
the exceptions, and again it is for that express purpose and 
that purpose only.
    Mr. Tiberi. In your testimony earlier, you mentioned the 
State preemption of the FCRA is important for us to re-extend 
or extend. Can you explain or delve into why that is important 
and, in your mind, what would happen if it is not extended?
    Mr. Yingling. Well, part of that is to go into all the 
benefits of the Fair Credit Reporting Act, which I won't do, 
but there are just huge benefits, one of which is the way it 
helps low-and moderate-income individuals obtain loans. There 
is a remarkable chart in this study that shows the incredible 
growth in the availability of credit to low-income people since 
the passage of the Fair Credit Reporting Act.
    I was interested in Chairman Oxley's comment, which is 
another aspect of this, about the incredible mobility we have 
for people to move and to get jobs, which is so important to 
our economy, and that is in part due to the Fair Credit 
Reporting Act.
    Specifically in answer to your question, I think the best 
way to frame it is to give you an example that came to my 
attention recently when I was talking to the CEO of a small 
bank down in the southern part of Virginia. She was saying, 
because we all know California is very active in this area, 
``You mean to say that if I have a son or daughter of one of my 
long-term customers who goes to California as a student, that I 
am going to be subject to California law?''
    Well, you carry that out. Suppose it was a graduate student 
that moved to California. The first thing this community bank 
would have to do is apparently track all their customers to 
figure out if they had moved. Then they would have to figure 
out, well, this is a graduate student. Are they a resident of 
California or a resident of Virginia? Are they subject to 
California law now or not? And then if they are subject to 
California law, they would have to have somebody explain to 
them all the nuances of what they could collect and what they 
could report on the credit card loan and the auto loan to that 
son or daughter.
    Now, there is almost no way for them to do that other than 
to have a lawyer on hand in every state that can tell that 
community bank how you cover that person. The end result is, 
they will not report on that person. They cannot afford to 
report on that person.
    That means if that person has problems and does not make 
payments, that is not going to be reported. On the other hand, 
maybe with this graduate student, the only loans he or she has 
ever had were the credit card and the automobile loan, and now 
that is not reported, so the student has no credit history.
    So you can see how the whole system can start to break down 
if you do not have one national law that this Virginia banker 
can plug into.
    Mr. Tiberi. Thank you.
    Unfortunately, my time has expired. I will recognize Mr. 
Crowley for 5 minutes.
    Mr. Crowley. Mr. Yingling, I understand that while health 
information is not allowed on credit reports, affiliate sharing 
is often exempt from FCRA privacy rules. So as banks and 
insurance companies, and this goes back somewhat to my original 
question, become more affiliated, could this information flow 
between affiliates, particularly these new brands of banks that 
are buying and marketing health insurance plans, could that 
information flow between?
    And who would govern the privacy of this health 
information, HIPAA, FCRA or no entity? And where is this 
distinction codified in the law, as I don't think anyone wants 
to see this end up in the courts for many years of litigation 
to sort out these issues, especially as it pertains to such 
important issues as the issue of one's personal privacy?
    Mr. Yingling. I think the simple answer is if you had a 
bank that chose to violate all the principles of trust of their 
customers and to take medical information and give it to an 
affiliate, it could do it. There is nothing illegal about it.
    Mr. Crowley. So you think the pressure of the market would 
come to bear, advertisement by other competitors?
    Mr. Yingling. I think that would be a major factor. We 
believe it is wrong to do it, but if you are asking me, is 
there a law that prevents it at this moment in time, the answer 
is no, sir, there is not.
    Mr. Crowley. Would anyone else like to comment on it?
    Mr. Petersen. There are rules against the flow in the 
opposite direction. So in that situation you described, if a 
bank were to purchase a health insurance health plan, the bank 
evidently can flow information to the health plan. The health 
plan could not flow information to the bank under the HIPAA 
privacy rule of 1982 and the NAIC Act article five.
    So you would have restrictions of the information flowing 
the other way, and you would have to have an authorization for 
the health plan to release that information to the bank. Most 
of this sensitive information will be within the health plan.
    Mr. Crowley. Ms. Meyer?
    Mrs. Meyer. I was just going to say, to the extent there 
ever would be that flow from the bank in another direction, it 
would seem to me that both the Fair Credit Reporting Act and 
GLB itself would govern those disclosures and require at least 
an opt-out in that situation. Although again, it seems a 
stretch.
    Mr. Crowley. I keep coming back to those difficult 
stretches for you, don't I, Ms. Meyer?
    [LAUGHTER]
    Just to show you how I think. I thank you.
    Would you like to respond, Ms. Pritts?
    Ms. Pritts. Yes, I would like to just go back to the one 
point that I think we continually miss, which is that Congress 
in enacting HIPAA and in enacting Gramm-Leach-Bliley 
subsequently, never really indicates who is on first.
    The Fair Credit Reporting Act was passed I think in 1990. 
The amendments to the Fair Credit Reporting Act were in 1996. 
HIPAA was in 1996. HIPAA does not say anything about the Fair 
Credit Reporting Act. HIPAA hardly says anything about how you 
protect health information, in all honesty, the statute.
    Subsequently, you have the Gramm-Leach-Bliley Act, which 
was enacted after HIPAA, and very detailed. It does not mention 
HIPAA. Subsequent to that, then, you have the actual 
promulgation of the HIPAA privacy regulations, which are very 
detailed. But if you actually go through an implied repeal 
analysis, first of all you should not have to do that. We 
should have some indication from Congress as to what law 
governs if there is an overlap. It is an easy thing to fix, and 
it is something that we should not be relying on the court for.
    Mr. Crowley. Thank you.
    I thank the chairman. I have other questions, but I will 
submit them in writing for an answer.
    Mr. Tiberi. Ms. Meyer, you were going to comment, it looked 
like?
    Mrs. Meyer. Actually, I was going to say that in fact 
insurance companies for a number of years have been dealing 
with the meshing of all of these rules together. It is because 
of the fact that there is this meshing, we see that it is going 
to be so critical to reauthorize the preemption provisions of 
the Fair Credit Reporting Act, so in fact there will be 
certainty as to what the rules are.
    Mr. Tiberi. The gentleman from New York's time has expired.
    I would like to thank all the witnesses for being here 
today. The record will be open for 30 days for members to 
submit any additional testimony or comments or questions.
    The hearing is now adjourned.
    [Whereupon, at 1:03 p.m., the subcommittee was adjourned.]


                            A P P E N D I X



                             June 17, 2003
[GRAPHIC] [TIFF OMITTED] T1543.001

[GRAPHIC] [TIFF OMITTED] T1543.002

[GRAPHIC] [TIFF OMITTED] T1543.003

[GRAPHIC] [TIFF OMITTED] T1543.004

[GRAPHIC] [TIFF OMITTED] T1543.005

[GRAPHIC] [TIFF OMITTED] T1543.006

[GRAPHIC] [TIFF OMITTED] T1543.007

[GRAPHIC] [TIFF OMITTED] T1543.008

[GRAPHIC] [TIFF OMITTED] T1543.009

[GRAPHIC] [TIFF OMITTED] T1543.010

[GRAPHIC] [TIFF OMITTED] T1543.011

[GRAPHIC] [TIFF OMITTED] T1543.012

[GRAPHIC] [TIFF OMITTED] T1543.013

[GRAPHIC] [TIFF OMITTED] T1543.014

[GRAPHIC] [TIFF OMITTED] T1543.015

[GRAPHIC] [TIFF OMITTED] T1543.016

[GRAPHIC] [TIFF OMITTED] T1543.017

[GRAPHIC] [TIFF OMITTED] T1543.018

[GRAPHIC] [TIFF OMITTED] T1543.019

[GRAPHIC] [TIFF OMITTED] T1543.020

[GRAPHIC] [TIFF OMITTED] T1543.021

[GRAPHIC] [TIFF OMITTED] T1543.022

[GRAPHIC] [TIFF OMITTED] T1543.023

[GRAPHIC] [TIFF OMITTED] T1543.024

[GRAPHIC] [TIFF OMITTED] T1543.025

[GRAPHIC] [TIFF OMITTED] T1543.026

[GRAPHIC] [TIFF OMITTED] T1543.027

[GRAPHIC] [TIFF OMITTED] T1543.028

[GRAPHIC] [TIFF OMITTED] T1543.029

[GRAPHIC] [TIFF OMITTED] T1543.030

[GRAPHIC] [TIFF OMITTED] T1543.031

[GRAPHIC] [TIFF OMITTED] T1543.032

[GRAPHIC] [TIFF OMITTED] T1543.033

[GRAPHIC] [TIFF OMITTED] T1543.034

[GRAPHIC] [TIFF OMITTED] T1543.035

[GRAPHIC] [TIFF OMITTED] T1543.036

[GRAPHIC] [TIFF OMITTED] T1543.037

[GRAPHIC] [TIFF OMITTED] T1543.038

[GRAPHIC] [TIFF OMITTED] T1543.039

[GRAPHIC] [TIFF OMITTED] T1543.040

[GRAPHIC] [TIFF OMITTED] T1543.041

[GRAPHIC] [TIFF OMITTED] T1543.042

[GRAPHIC] [TIFF OMITTED] T1543.043

[GRAPHIC] [TIFF OMITTED] T1543.044

[GRAPHIC] [TIFF OMITTED] T1543.045

[GRAPHIC] [TIFF OMITTED] T1543.046

[GRAPHIC] [TIFF OMITTED] T1543.047

[GRAPHIC] [TIFF OMITTED] T1543.048

[GRAPHIC] [TIFF OMITTED] T1543.049

[GRAPHIC] [TIFF OMITTED] T1543.050

[GRAPHIC] [TIFF OMITTED] T1543.051

[GRAPHIC] [TIFF OMITTED] T1543.052

[GRAPHIC] [TIFF OMITTED] T1543.053

[GRAPHIC] [TIFF OMITTED] T1543.054

[GRAPHIC] [TIFF OMITTED] T1543.055

[GRAPHIC] [TIFF OMITTED] T1543.056

[GRAPHIC] [TIFF OMITTED] T1543.057

[GRAPHIC] [TIFF OMITTED] T1543.058

[GRAPHIC] [TIFF OMITTED] T1543.059

[GRAPHIC] [TIFF OMITTED] T1543.060

[GRAPHIC] [TIFF OMITTED] T1543.061

[GRAPHIC] [TIFF OMITTED] T1543.062

[GRAPHIC] [TIFF OMITTED] T1543.063

[GRAPHIC] [TIFF OMITTED] T1543.064

[GRAPHIC] [TIFF OMITTED] T1543.065

[GRAPHIC] [TIFF OMITTED] T1543.066

[GRAPHIC] [TIFF OMITTED] T1543.067

[GRAPHIC] [TIFF OMITTED] T1543.068

[GRAPHIC] [TIFF OMITTED] T1543.069

[GRAPHIC] [TIFF OMITTED] T1543.070

[GRAPHIC] [TIFF OMITTED] T1543.071

[GRAPHIC] [TIFF OMITTED] T1543.072

[GRAPHIC] [TIFF OMITTED] T1543.073

[GRAPHIC] [TIFF OMITTED] T1543.074

[GRAPHIC] [TIFF OMITTED] T1543.075

[GRAPHIC] [TIFF OMITTED] T1543.076

[GRAPHIC] [TIFF OMITTED] T1543.077

[GRAPHIC] [TIFF OMITTED] T1543.078

[GRAPHIC] [TIFF OMITTED] T1543.079

[GRAPHIC] [TIFF OMITTED] T1543.080

[GRAPHIC] [TIFF OMITTED] T1543.081

[GRAPHIC] [TIFF OMITTED] T1543.082

[GRAPHIC] [TIFF OMITTED] T1543.083

[GRAPHIC] [TIFF OMITTED] T1543.084

[GRAPHIC] [TIFF OMITTED] T1543.085

[GRAPHIC] [TIFF OMITTED] T1543.086

[GRAPHIC] [TIFF OMITTED] T1543.087

[GRAPHIC] [TIFF OMITTED] T1543.088

[GRAPHIC] [TIFF OMITTED] T1543.089

[GRAPHIC] [TIFF OMITTED] T1543.090

[GRAPHIC] [TIFF OMITTED] T1543.091

[GRAPHIC] [TIFF OMITTED] T1543.092

[GRAPHIC] [TIFF OMITTED] T1543.093

[GRAPHIC] [TIFF OMITTED] T1543.094

[GRAPHIC] [TIFF OMITTED] T1543.095

[GRAPHIC] [TIFF OMITTED] T1543.096

[GRAPHIC] [TIFF OMITTED] T1543.097

[GRAPHIC] [TIFF OMITTED] T1543.098

[GRAPHIC] [TIFF OMITTED] T1543.099

[GRAPHIC] [TIFF OMITTED] T1543.100

[GRAPHIC] [TIFF OMITTED] T1543.101

[GRAPHIC] [TIFF OMITTED] T1543.102

[GRAPHIC] [TIFF OMITTED] T1543.103

[GRAPHIC] [TIFF OMITTED] T1543.104

[GRAPHIC] [TIFF OMITTED] T1543.105

[GRAPHIC] [TIFF OMITTED] T1543.106

[GRAPHIC] [TIFF OMITTED] T1543.107

[GRAPHIC] [TIFF OMITTED] T1543.108

[GRAPHIC] [TIFF OMITTED] T1543.109

[GRAPHIC] [TIFF OMITTED] T1543.110

[GRAPHIC] [TIFF OMITTED] T1543.111

[GRAPHIC] [TIFF OMITTED] T1543.112

[GRAPHIC] [TIFF OMITTED] T1543.113

[GRAPHIC] [TIFF OMITTED] T1543.114

[GRAPHIC] [TIFF OMITTED] T1543.115

[GRAPHIC] [TIFF OMITTED] T1543.116

[GRAPHIC] [TIFF OMITTED] T1543.117

[GRAPHIC] [TIFF OMITTED] T1543.118

[GRAPHIC] [TIFF OMITTED] T1543.119

[GRAPHIC] [TIFF OMITTED] T1543.120

[GRAPHIC] [TIFF OMITTED] T1543.121

[GRAPHIC] [TIFF OMITTED] T1543.122

[GRAPHIC] [TIFF OMITTED] T1543.123

[GRAPHIC] [TIFF OMITTED] T1543.124

[GRAPHIC] [TIFF OMITTED] T1543.125

[GRAPHIC] [TIFF OMITTED] T1543.126

[GRAPHIC] [TIFF OMITTED] T1543.127

[GRAPHIC] [TIFF OMITTED] T1543.128

[GRAPHIC] [TIFF OMITTED] T1543.129

[GRAPHIC] [TIFF OMITTED] T1543.130

[GRAPHIC] [TIFF OMITTED] T1543.131

[GRAPHIC] [TIFF OMITTED] T1543.132

[GRAPHIC] [TIFF OMITTED] T1543.133

[GRAPHIC] [TIFF OMITTED] T1543.134

[GRAPHIC] [TIFF OMITTED] T1543.135

[GRAPHIC] [TIFF OMITTED] T1543.136

[GRAPHIC] [TIFF OMITTED] T1543.137

[GRAPHIC] [TIFF OMITTED] T1543.138

[GRAPHIC] [TIFF OMITTED] T1543.139

[GRAPHIC] [TIFF OMITTED] T1543.140

[GRAPHIC] [TIFF OMITTED] T1543.141

[GRAPHIC] [TIFF OMITTED] T1543.142

[GRAPHIC] [TIFF OMITTED] T1543.143

[GRAPHIC] [TIFF OMITTED] T1543.144

[GRAPHIC] [TIFF OMITTED] T1543.145

[GRAPHIC] [TIFF OMITTED] T1543.146

[GRAPHIC] [TIFF OMITTED] T1543.147

[GRAPHIC] [TIFF OMITTED] T1543.148

[GRAPHIC] [TIFF OMITTED] T1543.149

[GRAPHIC] [TIFF OMITTED] T1543.150

[GRAPHIC] [TIFF OMITTED] T1543.151

[GRAPHIC] [TIFF OMITTED] T1543.152

[GRAPHIC] [TIFF OMITTED] T1543.153

[GRAPHIC] [TIFF OMITTED] T1543.154

[GRAPHIC] [TIFF OMITTED] T1543.155

[GRAPHIC] [TIFF OMITTED] T1543.156

[GRAPHIC] [TIFF OMITTED] T1543.157

[GRAPHIC] [TIFF OMITTED] T1543.158

[GRAPHIC] [TIFF OMITTED] T1543.159

[GRAPHIC] [TIFF OMITTED] T1543.160

[GRAPHIC] [TIFF OMITTED] T1543.161

[GRAPHIC] [TIFF OMITTED] T1543.162

[GRAPHIC] [TIFF OMITTED] T1543.163

