[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
THE ROLE OF FCRA IN EMPLOYEE
BACKGROUND CHECKS AND THE
COLLECTION OF MEDICAL INFORMATION
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
FINANCIAL INSTITUTIONS AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
JUNE 17, 2003
__________
Printed for the use of the Committee on Financial Services
Serial No. 108-38
91-543 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa BARNEY FRANK, Massachusetts
DOUG BEREUTER, Nebraska PAUL E. KANJORSKI, Pennsylvania
RICHARD H. BAKER, Louisiana MAXINE WATERS, California
SPENCER BACHUS, Alabama CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware LUIS V. GUTIERREZ, Illinois
PETER T. KING, New York NYDIA M. VELAZQUEZ, New York
EDWARD R. ROYCE, California MELVIN L. WATT, North Carolina
FRANK D. LUCAS, Oklahoma GARY L. ACKERMAN, New York
ROBERT W. NEY, Ohio DARLENE HOOLEY, Oregon
SUE W. KELLY, New York, Vice Chair JULIA CARSON, Indiana
RON PAUL, Texas BRAD SHERMAN, California
PAUL E. GILLMOR, Ohio GREGORY W. MEEKS, New York
JIM RYUN, Kansas BARBARA LEE, California
STEVEN C. LaTOURETTE, Ohio JAY INSLEE, Washington
DONALD A. MANZULLO, Illinois DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North CHARLES A. GONZALEZ, Texas
Carolina MICHAEL E. CAPUANO, Massachusetts
DOUG OSE, California HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois RUBEN HINOJOSA, Texas
MARK GREEN, Wisconsin KEN LUCAS, Kentucky
PATRICK J. TOOMEY, Pennsylvania JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut WM. LACY CLAY, Missouri
JOHN B. SHADEGG, Arizona STEVE ISRAEL, New York
VITO FOSSELLA, New York MIKE ROSS, Arkansas
GARY G. MILLER, California CAROLYN McCARTHY, New York
MELISSA A. HART, Pennsylvania JOE BACA, California
SHELLEY MOORE CAPITO, West Virginia JIM MATHESON, Utah
PATRICK J. TIBERI, Ohio STEPHEN F. LYNCH, Massachusetts
MARK R. KENNEDY, Minnesota ARTUR DAVIS, Alabama
TOM FEENEY, Florida RAHM EMANUEL, Illinois
JEB HENSARLING, Texas BRAD MILLER, North Carolina
SCOTT GARRETT, New Jersey DAVID SCOTT, Georgia
TIM MURPHY, Pennsylvania
GINNY BROWN-WAITE, Florida BERNARD SANDERS, Vermont
J. GRESHAM BARRETT, South Carolina
KATHERINE HARRIS, Florida
RICK RENZI, Arizona
Robert U. Foster, III, Staff Director
Subcommittee on Financial Institutions and Consumer Credit
SPENCER BACHUS, Alabama, Chairman
STEVEN C. LaTOURETTE, Ohio, Vice BERNARD SANDERS, Vermont
Chairman CAROLYN B. MALONEY, New York
DOUG BEREUTER, Nebraska MELVIN L. WATT, North Carolina
RICHARD H. BAKER, Louisiana GARY L. ACKERMAN, New York
MICHAEL N. CASTLE, Delaware BRAD SHERMAN, California
EDWARD R. ROYCE, California GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma LUIS V. GUTIERREZ, Illinois
SUE W. KELLY, New York DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio CHARLES A. GONZALEZ, Texas
JIM RYUN, Kansas PAUL E. KANJORSKI, Pennsylvania
WALTER B. JONES, Jr, North Carolina MAXINE WATERS, California
JUDY BIGGERT, Illinois DARLENE HOOLEY, Oregon
PATRICK J. TOOMEY, Pennsylvania JULIA CARSON, Indiana
VITO FOSSELLA, New York HAROLD E. FORD, Jr., Tennessee
MELISSA A. HART, Pennsylvania RUBEN HINOJOSA, Texas
SHELLEY MOORE CAPITO, West Virginia KEN LUCAS, Kentucky
PATRICK J. TIBERI, Ohio JOSEPH CROWLEY, New York
MARK R. KENNEDY, Minnesota STEVE ISRAEL, New York
TOM FEENEY, Florida MIKE ROSS, Arkansas
JEB HENSARLING, Texas CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina
RICK RENZI, Arizona
C O N T E N T S
----------
Page
Hearing held on:
June 17, 2003................................................ 1
Appendix:
June 17, 2003................................................ 51
WITNESSES
Tuesday, June 17, 2003
Maltby, Lewis, President, National Workrights Institute.......... 13
McClain, Eddy, Chairman, Krout & Schneider, Inc., on behalf of
the National Council of Investigation and Security Services.... 16
Meyer, Roberta B., Senior Counsel, American Council of Life
Insurers....................................................... 28
Morgan, Harold, Senior Vice President, Human Resources, Bally
Total Fitness Corporation, on behalf of the Labor Policy
Association.................................................... 11
Petersen, L. Chris, Attorney, Morris, Manning & Martin, LLP, on
behalf of the Health Insurance Association of America.......... 26
Plummer, Margaret, Director of Operations, Bashen Consulting..... 14
Pritts, Joy, Assistant Research Professor, Health Policy
Institute, Georgetown University............................... 31
Reynolds, Christopher P., Partner, Morgan, Lewis and Bockius,
LLP, on behalf of the U.S. Chamber of Commerce................. 9
Rotenberg, Marc, Executive Director, Electronic Privacy
Information Center, Adjunct Professor, Georgetown University
Law Center..................................................... 30
Yingling, Edward L., Executive Vice President, American Bankers
Association.................................................... 33
APPENDIX
Prepared statements:
Bachus, Hon. Spencer......................................... 52
Oxley, Hon. Michael G........................................ 55
Gillmor, Hon. Paul E......................................... 57
Sessions, Hon. Pete.......................................... 58
Maltby, Lewis................................................ 60
McClain, Eddy................................................ 63
Meyer, Roberta B............................................. 72
Morgan, Harold............................................... 82
Petersen, L. Chris........................................... 96
Plummer, Margaret............................................ 105
Pritts, Joy.................................................. 113
Reynolds, Christopher P...................................... 121
Rotenberg, Marc.............................................. 146
Yingling, Edward L........................................... 162
Additional Material Submitted for the Record
The Impact of National Credit Reporting Under the Fair Credit
Reporting Act, Financial Services Coordinating Council......... 169
THE ROLE OF FCRA IN EMPLOYEE
BACKGROUND CHECKS AND THE
COLLECTION OF MEDICAL INFORMATION
----------
Tuesday, June 17, 2003
U.S. House of Representatives,
Subcommittee on Financial Institutions and Consumer
Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to call, at 10:09 a.m., in
Room 2128, Rayburn House Office Building, Hon. Spencer Bachus
[chairman of the subcommittee] presiding.
Present: Representatives Bachus, LaTourette, Kelly, Ryun,
Gillmor, Biggert, Hart, Tiberi, Hensarling, Barrett, Oxley (ex
officio), Sanders, Maloney, Watt, Sherman, Moore, Velaquez,
Hooley, Lucas of Kentucky, Crowley, McCarthy, and Emanuel.
Representative Pete Sessions was also in attendance.
Chairman Bachus. [Presiding.] Good morning. The
Subcommittee on Financial Institutions will come to order.
Our hearing today is the fifth in a series of hearings the
subcommittee is holding on FCRA. We previously held hearings
covering the importance of the national uniform credit system
to consumers and to the economy, and more specifically how the
Fair Credit Reporting Act helps consumers obtain more
affordable mortgages and credit in a timely and efficient
manner.
Today, we will hear how FCRA regulates employee background
checks and the collection and use of health information or
medical information. This hearing consists of two panels. The
first panel will focus on the application of FCRA to employee
screening and other background checks. Witnesses will include
various business groups, human resource managers and private
investigators.
The second panel will examine how medical information is
collected and used for various financial products, including a
discussion on the prohibition of the use of health or medical
information in the credit-granting process. Panelists will
include representatives of life and health insurance companies,
the banking industry, and independent experts.
While we usually think of FCRA in the context of credit
information, it also applies to background checks for
employees. For example, information collected for an employer
by a third party about an employee's criminal record, driving
record, educational record or prior employment history in some
instances falls within FCRA's coverage. The 1996 amendments to
FCRA established consumer protections for employee background
screening.
Some of these include consumer consent before a prospective
employer may obtain a consumer report, disclosure of the report
to the consumer once it is completed, and notice to the
consumer of his rights before taking adverse action based on
the report. Many employers conduct background checks of their
employees as a safety precaution. Moreover, according to a 2002
Harris poll, a majority of Americans support their employers's
conducting detailed background checks.
Congress has mandated background checks for many workers in
the financial services industries, as well as for nuclear,
airport and childcare businesses. The number of worker
background checks has dramatically increased since 9-11 due to
heightened security concerns. As a result, mandatory background
checks are now required for workers at ports and for those who
transport hazardous chemicals.
Because background checks are becoming commonplace, one
issue we need to review today is the FTC's staff Vail opinion
letter. It makes it much more difficult for employers to
conduct background checks or investigations of their employees.
Under the Vail letter, if an employer believes that an employee
is engaged in workplace misconduct such as committing sexual
harassment, racial discrimination or embezzling funds or other
criminal activity, the employer cannot hire an independent
third party investigator without getting the employee suspected
wrongdoer's consent and telling him about the investigation and
how the investigation will be conducted. That makes absolutely
no sense. If you are trying to catch a criminal, why warn him
in advance?
Strangely, employers can investigate alleged misconduct
without following any of the Vail letter requirements if they
do so internally. The Vail letter makes it unworkable to hire
an outside unbiased party to do an impartial investigation.
Even the FTC admits the law should be fixed.
Our second panel will discuss medical information, health
information, and how the FCRA and other state and federal laws
govern its use.
The FCRA prohibits consumer reporting agencies from
furnishing reports containing medical information without the
consumer's consent. Congress passed another law, the Health
Insurance Portability and Accountability Act of 1996 which
limits the sharing of health information by health care plans
and providers. In addition, the States have various laws
governing insurance companies in the use and sharing of health
information by those companies.
The second panel will help us understand whether there are
gaps in the convergence of these laws and whether financial
providers are using such information, and if they are, whether
they should be prevented from using an individual's medical or
health information in any way or in an inappropriate way.
I want to express my gratitude to Chairman Oxley for his
leadership in these FCRA hearings. I want to commend Ranking
Member Frank and Mr. Sanders for working with the staff, with
me, and with Chairman Oxley on FCRA reauthorization. I note
that for the second week in a row we have accommodated all of
the minority witness requests.
The Chair now recognizes the ranking member of the
subcommittee, Mr. Sanders, for his opening statement.
[The prepared statement of Hon. Spencer Bachus can be found
on page 52 in the appendix.]
Mr. Sanders. Thank you very much, Mr. Chairman, for holding
this important hearing. I very much appreciate all of our
witnesses being with us today.
This hearing will focus on the role of the Fair Credit
Reporting Act in employee background checks and the collection
of medical information. These are important matters that must
be carefully scrutinized by this subcommittee. Before we delve
into these issues, Mr. Chairman, I would like to briefly
highlight the testimony of two of our witnesses from last
week's hearing.
Mr. Chairman, as I recall, you raised a number of concerns
about my support for consumers to receive a free copy of their
credit reports at least once a year from all three of the
credit bureaus. It should come as no surprise that all of the
major consumer groups in this country support that view,
including U.S. PIRG, the Consumer Federation of America,
Consumers Union, and the National Consumer Law Center.
Yet what the chairman and some of the members of the
subcommittee might not have heard clearly is that according to
the testimony we received last week, that view is also shared
by the America's Community Bankers and the Independent
Community Bankers of America. I think that it is important that
they are coming on board in order to make sure that all
Americans receive a free credit report.
Let me turn for a moment to today's hearing. First, the
issue of employee background checks, Mr. Chairman, under the
Fair Credit Reporting Act. Companies can turn down job
applicants because of the credit history contained in their
credit reports, including large student loan debt, high credit
card payments, a big auto loan, or a heavy mortgage bill. Even
worse, job applicants who have errors in their credit reports
as a result of identity theft are being denied employment. In
most instances, by the time these errors are taken off the job
applicant's credit report, the job they are applying for has
already been filled by another person.
Mr. Chairman, this raises troubling questions for the
subcommittee. One, should a young person who has accumulated
$30,000 or more in student loan debt be denied a job in favor
of someone who was fortunate enough to have wealthy parents to
pay for their college education?
According to a May 26, 2003 article in The State newspaper
in Columbia, South Carolina, ``Ayana Woodson, a recent business
administration and finance graduate from Howard University in
Washington, DC learned this the hard way. 'These are jobs I
have not gotten because of my credit,' said Woodson, now
carrying a $25,000 college debt, 'I just assumed after I
graduated I would have this high-paying job and would be able
to pay it off,' she said. It is like a double-edged sword. I
take out this loan so I can get a job, but it may be the very
reason to keep me from getting a job.''
Mr. Chairman, according to the U.S. Department of
Education, the average student loan debt has nearly doubled
over the past 8 years to close to $17,000. I think we can all
agree that people who had to go into debt to get through
college should not be forced to lose job opportunities because
of that debt.
Secondly, should employers be allowed to deny employment
opportunities to job applicants due to errors contained in
their credit reports? I do not think so, but according to a
March 3, 2003 article in Investment Dealers Digest, ``If you
want to work for Goldman Sachs, your name had better be squeaky
clean. All it takes is one blemish on your credit history to
prohibit employment there. At least that is what one
secretarial job candidate recently found out the hard way, and
she is not alone. Like many young people at age 24, Kate ran up
significant debt on a Citibank credit card. She was unable to
pay it off quickly, and the account was ultimately sent to
collection.
``Over the next 9 years, she gradually paid down the debt,
satisfying it completely by 2002. The problem was the
collection agency failed to report this to the credit agencies,
and the account showed up on Goldman's credit check-a-mistake
for which the collection agency took full responsibility and
promised to put it into writing in 30 to 60 days, but would
gladly relay orally to Goldman. But according to Kate,
Goldman's background checker told her the firm would not accept
an oral explanation and needed it in writing.''
To make a long story short, this young lady has a hard time
with jobs. Mr. Chairman, I do not believe job applicants should
be turned down from their jobs because of errors contained in
their credit report.
Finally, we will be looking today at the Fair Credit
Reporting Act in the collection of medical information. I have
two concerns on this issue. First, we need to make it clear
that banks and insurance companies cannot use medical
information to deny consumers credit or insurance. Banks should
not be allowed to use the fact that you have cancer to increase
the interest rate on your credit card. Insurance companies
should not be allowed to use the fact that you have diabetes to
raise your premiums on your renter's insurance.
Mr. Chairman, thank you very much for calling this
important hearing. I look forward to hearing from the
witnesses.
Chairman Bachus. Thank you, Mr. Sanders.
Chairman Oxley?
Mr. Oxley. Thank you, Mr. Chairman. Let me thank you for
your leadership on this important issue of FCRA as we continue
the series of hearings. You have done yeoman work and we
appreciate all that you have done.
I am pleased to announce that last Thursday another federal
regulator came out in support of reauthorization of the
national uniform standards for FCRA. Don Powell, the chairman
of the FDIC, who testified before this committee, said he
believes it is necessary to make permanent the preemptions in
the FCRA in order to ensure no negative economic impact. Mr.
Powell joins the Treasury Secretary, the chairman of the Fed,
and the Conference of State Bank Supervisors in support of
reauthorizing uniform FCRA standards.
I also just received a report by the independent
Congressional Research Service analyzing a critical consumer
benefit of the FCRA, and that is increased labor mobility. CRS
found that mobility is an important barometer to judge the
importance of having a national credit reporting system. No
surprise, the U.S. is one of the most mobile societies, with
14.5 percent of the population moving in any given year, and
lower-income individuals more likely to move than higher-income
groups. It is our national uniform credit system that makes
this mobility possible and gives us a further competitive edge
over the rest of the world.
Throughout modern history, national economies have risen
and fallen based in large part on the flexibility and mobility
of labor and management. American consumers and workers enjoy
unprecedented mobility in part because of our uniform national
credit standards.
Today's hearing looks at two particular aspects of uniform
standards under FCRA. The first panel will address the use of
FCRA in employee background screening. Even before 9-11,
Americans had become increasingly concerned about ensuring
their safety on the job from individual predators with criminal
records.
Homicide was the second leading cause of occupational
fatalities in 2001, and the recent wave of corporate scandals
has highlighted the need to keep out bad actors at all levels
of the American workplace. Congress has been calling for
expanded background checks for a number of sensitive jobs and
courts have been imposing more liability on businesses that do
not perform adequate background checks.
Unfortunately, an interpretation of FCRA by the Federal
Trade Commission, known as the Vail letter, undermines the
ability of businesses to protect their employees and consumers.
The Vail letter prohibits employers from using outside third
parties to investigate employee misconduct unless they first
notify the wrongdoer of the precise investigation, get his
consent, and ultimately give him a copy of the investigative
report.
How do you investigate a CEO, for example, who is
embezzling funds if you have to first get his permission and
give him time to cover up his actions? How do you get victims
to cooperate with a sexual or racial harassment inquiry if they
know their identities will not be protected? You don't, and
that is why the FTC's interpretation is at best problematic.
Ironically, a company can perform an employee investigation
without these requirements, but only by doing it internally
without any of the protections of an outside, unbiased, and
professional third party. The Vail letter is simply
impractical.
Subcommittee Chairman Bachus and I wrote to the FTC last
term asking the Commission to change its views, and we support
efforts by the members here today to correct this problem.
On our second panel, we will receive testimony on the use
of medical information in the credit-granting process and the
interplay between various federal and state health privacy
laws. I share the concerns of many of my colleagues that
medical information may require special protections to prevent
its improper use or theft, and I look forward to our
witnesses's views on the appropriate balance of national
consumer standards on this issue. Once again, I would like to
thank the chairman for his leadership and the continued
bipartisan cooperation of our ranking subcommittee and full
committee members, Mr. Sanders and Mr. Frank.
I yield back.
[The prepared statement of Hon. Michael G. Oxley can be
found on page 55 in the appendix.]
Chairman Bachus. Thank you.
The gentleman from North Carolina?
Mr. Watt. Thank you, Mr. Chairman.
I had intended not to say anything, but my chairman
provoked me to say something to balance at least one thing, not
necessarily to contradict what he is saying, but to thank you
for having this hearing today and the series of hearings,
because of the difficulty of these issues.
While the chairman is right to have the governing agency
bring these employment background checks and medical
information under its jurisdiction, it may be presenting some
problems. The other side of that is if they are not under
somebody's supervision, then they have the capacity to collect
erroneous misinformation on people, and not be subject to any
kind of oversight.
So we have got to figure out a way to allow them to provide
the valuable service that they provide to employers, but do it
in a way that makes sure they are regulated and that they
answer to somebody and that they are accountable for collecting
information that is not correct and viable. That is the
difficulty. I am not arguing with the concern that the chairman
of the full committee and the chairman of the subcommittee
raised in the letter you wrote, but if they are not regulated
under the Fair Credit Reporting Act, then who is going to
regulate them, I guess, is the question; and how do they get
regulated and how do we keep employees or prospective employees
from having their employment possibilities adversely affected
by information that may not even be correct?
That is the difficult balance this committee has to deal
with. It is for that reason that we have witnesses here to
enlighten us about how we walk that balance and get to a result
that is fair, both to employers and the agencies that report
information to them about people's criminal records and medical
records and sexual harassment in prior venues, or what have
you, yet make sure that that information is correct and
defensible; and if it is not, that somebody is held accountable
for it.
So I thank the chairman. I did not take the time to argue
with him about this, but more to point out the difficulty of
the balance and the requirement that this committee has as we
go forward.
With that, I will yield back, unless the chairman wants me
to give him the last word. I am always willing to give my
chairman the last word.
[LAUGHTER]
I yield back.
Chairman Bachus. Thank you.
I have a unanimous consent request, and that is that
without objection the gentleman from Texas, Mr. Sessions, may
be recognized for the purpose of making an opening statement
and for the purpose of questioning witnesses under the five-
minute rule after all members of the subcommittee and the
committee have been recognized. Is there objection? Hearing
none, I would ask the gentleman from Texas, who is a cosponsor
of H.R. 1543 which addresses the Vail letter, if he has an
opening statement.
Mr. Sessions. I thank the chairman and appreciate you
allowing me to be here today. I have got to be on the floor in
a few minutes, when they are ready for the new rule.
Mr. Chairman, I would like to thank you for inviting me to
join you at this hearing on the Fair Credit Reporting Act,
FCRA, as it pertains to employee background checks and the
collection of medical information. I am pleased to be rejoining
the chairman and my esteemed former colleagues on the Financial
Services Committee to discuss an issue that has long been of
great interest to me.
I would also like to thank my colleague from Alabama, the
Chairman, for scheduling this important hearing, for your
strong leadership on the issue, and for your diligent oversight
on all aspects of FCRA. Certainly, Chairman Bachus's efforts
are commendable, and by holding this hearing today he will help
Congress to take the first step toward making the workplace a
better and safer place for all working Americans.
Mr. Chairman, in order to provide a historical context to
this hearing, I would like to recount briefly the events that
have brought us here today. In 1999, the staff of the Federal
Trade Commission issued an opinion known as the Vail opinion,
concluding that outside consultants who perform investigations
of alleged employee misconduct are considered to be credit
reporting agencies.
As a result, outside consultants and the employees who hire
them to help ensure unbiased workplace safety are subject to a
number of burdensome and unintended restrictions on their
ability to perform these investigations safely, professionally,
and efficiently. Accordingly, they are hampered in performing
many kinds of workplace investigations, including employee
complaints of sexual harassment, discrimination and threats of
violence. For the last few Congresses, I have introduced
legislation to fix this problem by removing the FCRA
requirements for investigations of suspected misconduct related
to employment and to compliance with existing laws and
preexisting written policies of the employer.
This proposed legislation also respects the rights of the
subject of the workplace search, while removing employers from
the onerous and potentially dangerous requirement to notify
their subject prior to beginning an investigation. The removal
of this requirement is important because it prevents violence
from employees, from giving them time to cover their tracks, or
to initiate intimidation against coworkers who make or
corroborate complaints, and are an integral part to ensuring
the veracity of data included in these complaints.
Mr. Chairman, back in 1997 when a constituent brought the
problems to me that she was having as a result of the Vail
opinion, I was shocked to learn that federal law requires an
employer who suspects that an employee is dealing drugs or
engaged in other misconduct at the workplace to ask that
employee's permission before beginning an investigation.
Furthermore, I was greatly dismayed to find that federal
law would also require that the same employer to provide to a
potentially violent employee with a report identifying the
coworker who made or who corroborated those allegations of
wrongdoing, making those helpful employees who were only trying
to make the workplace safer a target for violence or
retribution, and placing themselves in harm.
This important legislation that I have introduced removes
requirements of the federal Fair Credit Reporting Act solely
for the purpose of having unbiased third party professional
investigations of illegal or unsafe activities in the
workplace. These limited activities include drug use or the
sale of drugs, violence, sexual harassment, employee
discrimination, job safety or health violations, and criminal
activities including theft, embezzlement, sabotage, arson,
patient or elderly abuse, and child abuse.
I believe that it is critical for Congress to pass this
legislation in order to make our workplaces safer, to stop
illegal activities such as drug dealing, and to identify
dangerous employees so that they can be provided with treatment
before violence occurs. This legislation offers Congress the
opportunity to replace illegal and dangerous activities in the
workplace with investigation and remediation. I think that this
is precisely the goal for which we should all be striving.
I also would like to thank the panel that is before us,
many of whom have come from all over the country to share their
experiences with the Vail opinion and FCRA with us today. I
look forward to hearing their testimony on the issue.
I would also like to thank the 16 members of Congress on
both sides of the aisle who have cosponsored this bipartisan
legislation. I want to thank you, Mr. Chairman, for your
leadership, and I appreciate the time you have given me today.
[The prepared statement of Hon. Pete Sessions can be found
on page 58 in the appendix.]
Chairman Bachus. Thank you.
Are there any other members wishing to make an opening
statement? If not, I would like to welcome our first panel,
which deals with the role of FCRA in employee background
checks. Our panelists consist of, from my left, Mr. Christopher
P. Reynolds, partner in the law firm of Morgan, Lewis and
Bockius, on behalf of the U.S. Chamber of Commerce. I noted
that you were a U.S. Attorney for the Southern District of New
York.
Mr. Reynolds. Mr. Chairman, I would hasten to say that I
was an assistant U.S. Attorney for the Southern District.
Chairman Bachus. Assistant U.S. attorney, and dealt with
many cases involving employee and employment matters.
Mr. Reynolds. Yes, I did, Mr. Chairman.
Chairman Bachus. Our second panelist is Mr. Harold Morgan,
senior vice president, human resources, at Bally Total Fitness
Corporation, on behalf of the Labor Policy Association, and
previously with Hyatt Corporation where you were director of
employee and labor relations. Our third panelist, at the
request of Mr. Sanders, is Mr. Lewis Maltby, president of the
National Workrights Institute. We welcome you, Mr. Maltby. Mr.
Sanders also requested the testimony of Ms. Margaret Plummer,
director of operations for Bashen Consulting. We welcome you as
a panelist.
Our final panelist on the first panel is Mr. Eddy McClain,
chairman of Krout and Schneider, on behalf of the National
Council of Investigation and Security Services. Mr. McClain,
you are a former private investigator on work-related
investigations?
Mr. McClain. Yes, sir.
Chairman Bachus. So we welcome you.
At this time, Mr. Reynolds, we would recognize you for your
opening statement.
STATEMENT OF CHRISTOPHER P. REYNOLDS, PARTNER, MORGAN, LEWIS
AND BOCKIUS, LLP ON BEHALF OF THE U.S. CHAMBER OF COMMERCE
Mr. Reynolds. Thank you, Mr. Chairman, and distinguished
members of the subcommittee. Good morning.
I am grateful to you for the privilege of testifying before
you today. In the interests of time and with your permission, I
will summarize my written testimony. My purpose today is to
testify on behalf of the U.S. Chamber of Commerce regarding
FCRA's affect on employee background checks and employer
investigations into workplace conduct.
I do that on the basis of my experience as a partner at
Morgan, Lewis and Bockius representing employers in litigation,
investigations, and providing advice and guidance; as a member
of the American Bar Association's Labor Section and Equal
Employment Opportunity Committee; and as also a member of the
Securities Industry Association's Legal Division.
Mr. Chairman, the reauthorization of FCRA's uniform
standards provisions is terribly important to the members of
the Chamber and to the efficient functioning of the national
credit system. Without those standards, we would be faced with
a complex and confusing web of conflicting state standards that
could only impede the availability of credit and limit the
access of small businesses to the credit that will help them
grow and survive tough economic times. We urge this committee
at a minimum to preserve those standards.
The two issues that also concern the Chamber beyond
reauthorization would be the background check issue and the
workplace investigation issue. Concerning background checks,
our primary concern is not with existing law, but with the
possibility that new provisions will be added, provisions that
hurt an employer's ability to ensure workplace integrity and
workplace safety by obtaining reliable job-related information
compelled by business necessity on applicants and employees.
Now, employers use these background checks to make sure
their workplaces are safe and secure. We need them. A recent
study by the Avert Internet-based screening firm found that 24
percent of 1.8 million applications in the year 2000 were
submitted with misleading or negative information. The Society
for Human Resources Management found in a 1998 survey that 45
percent of employers found that an applicant had lied
concerning their criminal record. Many states impose on
employers the potential liability for negligently hiring
someone who is a danger to the safety and security of the
workplace. Background checks allow us to avoid that liability
and fulfill our legal duty.
Against the painful backdrop of September 11, the public
and this government also increasingly expect employers to use
background checks. According to a Harris interactive poll in
2002, 53 percent of employees want their employers to conduct
more detailed background checks of applicants and coworkers to
ensure safety. In this session alone, Congress has introduced
21 different bills requiring background checks for workers. It
is a clear signal that the government expects employers to use
them.
The Chamber understands and appreciates that there is a
necessary and welcome balance between workplace security and
privacy. We believe that the existing FCRA provisions of
consent, notice and disclosure provide that balance. We also
believe that the nation's existing equal employment laws
provide a ready remedy for any company or employer that abuses
background checks for discriminatory purpose. We also note the
numerous State laws that restrict or limit the ability of
employers to use information in background checks improperly.
If you do make changes to FCRA on the background check
issue beyond its reauthorization, we urge you to allow
employers who use contract workers to have access to the
contractor's background check information without converting
that contractor into a consumer reporting agency. There are
many safety-sensitive industries that use contract workers and
the underlying employer needs that information to ensure
safety.
Now, with your permission, Mr. Chairman, let me echo your
previous comments on the Vail letter. The issue is simple. The
FTC through the Vail letter has thrown up a roadblock to the
effective use of workplace investigations of employee
misconduct. We understand that the FTC will not retract that
letter unless Congress acts. The Chamber urges that action.
Employers are instructed by statute in the case of
Sarbanes-Oxley; instructed by the Supreme Court in the case of
the Faragher-Ellerth precedent; and by regulations of the Equal
Employment Opportunity Commission to conduct thorough,
effective and objective investigations. Often, the only
effective way to do that is through an outside firm or
investigator. Under Vail, there is a requirement for notice and
consent provisions that would require almost immediate notice
to the object of that investigation. That fundamentally guts
the investigation's effectiveness. Just a quick example. Say
that I receive a request to investigate a senior executive for
a sexual harassment complaint. Under the Vail letter, I am
obligated to advise that senior executive before I begin my
investigation that he or she might be the object of a
complaint, and therefore that is going to constrict greatly the
ability to find out what happened and take appropriate remedial
action. There is simply no way to satisfy both Vail and the
need to investigate effectively workplace conduct.
Against that backdrop of increased corporate responsibility
for self-monitoring, we believe that this choice must be
resolved the way Congress intended under Sarbanes-Oxley, the
way the Supreme Court dictated in Faragher-Ellerth, and the way
the EEOC's guidance has laid out in favor of effective
investigations. The Chamber believes that H.R. 1543 is the
right step to address that concern and we urge its passage.
Mr. Chairman, thank you.
[The prepared statement of Christopher P. Reynolds can be
found on page 121 in the appendix.]
Chairman Bachus. Thank you very much, Mr. Reynolds, for
that testimony.
Mr. Morgan?
STATEMENT OF HAROLD MORGAN, SENIOR VICE PRESIDENT, HUMAN
RESOURCES, BALLY TOTAL FITNESS CORPORATION, ON BEHALF OF THE
LABOR POLICY ASSOCIATION
Mr. Morgan. Thank you very much. Do not worry. I will not
be asking the members of the committee to do exercises before
we begin the testimony today.
[LAUGHTER]
This morning, I have two simple and basic messages
regarding FCRA. The first is please do not make it any harder
to keep our workplaces safe. And two, if possible, please help
us to make it easier to keep our workplaces safe.
I am sure the original intent and the purpose for expanding
FCRA to include background checks was to ensure that potential
employees were guaranteed certain rights and privileges if
their backgrounds were checks. I am sure the same thought
applies to investigations in the workplace. However, the actual
on-the-job reality of FCRA makes it increasingly difficult to
maintain a safe workplace.
Many individual states have added to these restrictions on
top of FCRA. The FCRA regulations, in addition to the
additional State laws, really cut to the heart of workplace
safety. The fact of life today is that every critical public or
stakeholder that has anything to do with our operations expects
me to run a safe workplace. The duty and trust and obligation
of maintaining this safe workplace is even more difficult in
businesses such as mine where you have large amounts of
employees, a lot of employee turnover, and where you are
dealing with customers on a minute-to-minute basis.
So by way of introduction, this is the overview of where we
are coming from on FCRA. But what is at the heart of the
problem? The problem is that to make hiring decisions with
increasingly more difficult limits and restrictions on what we
cannot and can look at is unrealistic and is increasingly
compromising workplace safety. For instance, should I hire
someone to be a childcare attendant who has several arrests,
but no convictions for child molestation? Should I hire a
salesperson who has information regarding credit cards and
financial information about a potential customer, but who has a
deferred adjudication for fraud? Should I hire a personal
trainer who has been arrested for assault and battery, but has
pled down to a misdemeanor, or who has a conviction that is
over seven years old? The problem with FCRA and the additional
State laws is that I cannot use this information in making
employment decisions.
Congressmen and congresswomen, I believe that this is
playing roulette with the safety of everyone involved in the
workplace. Employers cannot be subject to courtroom standards
in order to keep their workplaces safe. The reality of life is
that I should not hire the personal trainer with several
arrests, but no convictions, and I should not hire the
childcare attendant who has pled down to a misdemeanor for
child molestation. Nevertheless, FCRA and the State laws
suggest that I should not consider any of this information in
making my employment decision.
The other issue, which Mr. Reynolds has covered, is Vail.
Very simply, this makes it difficult to conduct investigations
in the workplace, which all of you would agree is something
that should be done and should be done in a fair and consistent
manner. Vail only results in a chilling effect on people coming
forward regarding workplace misconduct and problems that are
going on in the workplace. Investigations should be able to be
done and proceed in a way that does not limit us and that
affords all people involved a great deal of confidentiality.
As I said in the beginning, please help us to make
workplaces safer. In order to do that, I would suggest five key
issues. First, please allow us to look at criminal backgrounds
without any time limitations. Second, please allow us to
consider arrests in looking at the totality of an individual's
background regarding their suitability to work in a particular
place. As long as we are within the EEOC guidelines, the burden
of proof beyond a reasonable doubt should not be a standard
that applies in the workplace.
Three, please give us access to national databases so that
we do not have to go to thousands of jurisdictions to see if
someone should or should not be an employee regarding what they
have done in their past. Please give us a safe harbor from more
restrictive State laws, provided that FCRA is adhered to from a
regulation standpoint. And fifth, please allow us to conduct
any and all investigations regarding workplace misconduct in a
confidential manner and not subject to FCRA.
Last and certainly to highlight this issue, in 1999, as all
of us are aware, several terrorists tried to come through the
Canadian border to blow up the LAX airport in celebration of
the millennium. The identities that these folks were using were
partially stolen out of databases of my company. Now, we have
since closed up that issue regarding our databases.
The employee that was involved in selling off these
identities to the terrorists had a complete criminal background
screen that I conducted; was drug tested; and every attempt was
made to make sure that this employee, like all of my employees,
were safe in the workplace. Nevertheless, those identities were
sold and those identities were given to the terrorists that
were fortunately caught before they were able to set up a bomb
at LAX airport.
The point is this: It is difficult enough to make decisions
about the unknown and about what may happen in the workplace.
Please at least let us make decisions regarding what is known.
[The prepared statement of Harold Morgan can be found on
page 82 in the appendix.]
Chairman Bachus. Thank you very much.
Our next witness is Mr. Lewis Maltby. Mr. Maltby, I
mentioned that you were with the National Workrights Institute.
I did not mention that you were the founder of that Institute,
so we very much welcome your testimony. We know you as a
nationally recognized expert on employee rights in the
workplace.
STATEMENT OF LEWIS MALTBY, PRESIDENT, NATIONAL WORKRIGHTS
INSTITUTE
Mr. Maltby. Thank you, Mr. Chairman, and thank you for
inviting me to be here this morning.
Let me say from the very beginning, I have no problem, no
objection to pre-hire investigations. I have three school-age
children. Every morning, I put them on a school bus. I do not
want anyone behind the wheel of that school bus with DUI
convictions.
But it is not always that simple. There are many situations
in which pre-hire investigations occur in ways that simply are
not fair and do not help anyone. For example, at least 2.5
million people every year are required to take so-called
honesty tests to get a job. There is nothing wrong with
employers wanting to hire honest people, but honesty tests fail
at least four honest people for every dishonest person they
screen out. That is a very high price for a lot of honest
people to pay for businesses to get a dubious advantage at
best.
Personality tests are extremely common. They are not
inherently wrong. Someone who would do very well in a laid-back
Silicon Valley company might not do so well in a very straight-
laced Wall Street firm. But some of the questions on these
tests I would not ask my wife. There are questions about your
religious belief, your sex life, even your bathroom habits on
some of these common personality tests. With all due respect to
Mr. Reynolds, I do not know why you have to ask an employee
about their bathroom habits to tell if they are going to be a
productive and safe employee.
I mentioned criminal records checks. There are many cases
where that is totally appropriate, like the one with my
children. On the other hand, there are many employers in
America today that will not hire a person for any job at any
time in their lives if they have ever been convicted of
anything. You could be, and sometimes are, denied a job as a
40-year-old electrician because when you were 19 you shoplifted
a CD. There is something wrong when employers go to that
incredible unreasonable extreme.
The worst part of all of this is the way the information is
being used. If this information were being used as something to
inform the judgment of a seasoned HR professional, I would not
be so concerned. But what is happening is, the machines are
taking over. The test results are trumping the evaluation and
the judgment of the HR professional. If the honest test says
you are dishonest, I don't care if you are a nun, and this is a
real case, the HR person cannot say, ``Well, the test is
obviously wrong.'' They can't and they don't. If the test says
you are dishonest or you don't fit or anything else, you are
simply out. That is not the way things ought to be done.
Regarding the Vail letter, let me not belabor the obvious,
except to say Mr. Morgan and Mr. Reynolds are right. There is a
problem here. As a civil rights lawyer, I want to see
investigations of alleged sexual harassment or racial
harassment or other civil rights violations conducted quickly,
thoroughly and effectively, and the Vail letter as it stands is
an obstacle. The real question is, how do we fix the obstacle?
Mr. Sessions has certainly taken us the first step in that
direction. It is clearly surreal, maybe that is too kind, to
say we have to tip off the person we are investigating and get
their permission before we conduct an investigation.
But that is not the entire situation we have to deal with.
What if, for example, the employee is innocent? Perhaps the
investigation clears them. Shouldn't they be told after the
investigation is over that they were investigated and they were
cleared, and being shown a copy of the report? Is it really
fair that that report should follow them for the rest of their
career, or at least their career at this company, and they
don't even know it happened? I do not think so.
For example, what if there never was any genuine suspicion
of wrongdoing? Pretext investigations are not common, but they
happen. We do not want a law that says that a company can
investigate somebody whose real offense is trying to organize a
union on the pretext they have stolen a pencil. The law ought
to require that there be a genuine suspicion of wrongdoing
before the investigation starts in the first place. And
whatever minimal standards the FCRA contains about fairness and
accuracy in conducting the investigation and compiling the
report should not be lost either.
I know that none of those problems were intended to be
created by Mr. Sessions's bill, but we need to do more than
just simply crudely yank criminal investigations in the
workplace out from under the FCRA. It has to be done in a more
nuanced, thoughtful fashion. Mr. Sessions's bill is the first
step, but it is not the only step.
From having looked at the issues, I see nothing here that
people of good will and intelligence could not resolve, given
discussion. We have already had some discussions on these
matters and I am confident that if allowed to continue we could
reach a resolution that would accomplish Congressman Sessions's
objectives and the concerns of people like me in the civil
rights world.
Thank you.
[The prepared statement of Lewis Maltby can be found on
page 60 in the appendix.]
Chairman Bachus. Thank you, Mr. Maltby.
We would also welcome coming together on this issue. We are
also optimistic that we can do that.
Ms. Plummer, I previously recognized you. You actually
manage EEOC claims, risk management services, quality
assurance, and consultant supervision for Bashen. I noted that
you practiced business and employment law with the firm of
Randolph, Hunter in Greenville, South Carolina, so you also
have litigation experience in employment matters. We welcome
you.
STATEMENT OF MARGARET PLUMMER, DIRECTOR OF OPERATIONS, BASHEN
CONSULTING
Ms. Plummer. Thank you very much, and also thank you to the
members of the subcommittee for having us here today.
Bashen Consulting is a minority-owned human resources
consulting firm that has conducted thousands of employment
discrimination, harassment and ethics investigations for
companies nationwide. I thank you for allowing us to
participate in these important discussions regarding the role
of the FCRA in employment-related investigations.
The Federal Trade Commission's interpretation of the FCRA
as expressed in the 1999 Vail opinion letter will have a
chilling effect on the efforts of employers to prevent and
correct unethical discriminatory and harassing behavior in the
workplace.
In 1998, the Supreme Court profoundly changed the workplace
harassment landscape. It became clear that for employers to
protect themselves, they must implement effective policies and
complaint procedures, conduct prompt and thorough
investigations of employee complaints, and take remedial
action. Today, courts and government agencies charged with
enforcing civil rights legislation examine not only the
fundamental question of whether unlawful conduct occurred, but
the quality and integrity of the employer's investigation of
the alleged conduct.
Many employers naturally seek the experience and expertise
of qualified third parties to thoroughly and impartially
investigate employee concerns. Countless companies, especially
small companies, do not have the internal resources or skills
to investigate employee complaints. In many situations,
companies hire third parties to ensure that maximum credibility
is given to the investigation, often due to the sensitive
nature of the allegations or the high-level position of the
alleged wrongdoer.
I recently conducted an investigation for a large
corporation in which a human resources staff member complained
that he was discriminated against based on his national origin
when he was denied a promotion. The company would have been
placed in the untenable position of having its human resources
department police itself if the investigation was conducted in-
house.
The HR department recognized its potential conflict of
interest, and more importantly the appearance of a conflict if
the investigation failed to support the staff member's claim.
The company hired Bashen Consulting to ensure the integrity of
the investigation. However, according to the FTC this company
would be subject to increased liabilities and requirements
because they hired experts in the field instead of
investigating the complaint internally.
Under the FTC's interpretation, companies striving to
comply with civil rights legislation must now decide between
the risk of uncapped damages under the FCRA if they request an
investigation, and the limited damages available under civil
rights laws if they fail to investigate at all. Companies would
also be required to obtain a written authorization by the
alleged wrongdoer to conduct the investigation. The notion that
an accused harasser must consent to an investigation of his
inappropriate behavior is contrary to common sense.
More alarming is the detrimental effect the FTC's
interpretation of the FCRA poses for employees. The law would
require the company to provide the alleged wrongdoer with a
complete copy of the investigative report. These reports
identify witnesses and the information each provided, and
producing it would irreparably compromise the confidentiality
of the investigation.
Absent assurances of confidentiality, the FCRA will create
a chilling effect on witnesses's willing participation in the
investigatory process. Many victims will be too intimidated to
complain, thus undermining the expressed intent of all
workplace civil rights legislation. The impact of applying the
FCRA to employment investigations is monumental. It would erode
the great strides companies have made toward eliminating
discrimination and harassment.
H.R. 1543 will remove these roadblocks to progress by
excluding workplace investigations from the FCRA's purview. We
commend Representatives Sessions and Jackson Lee for their
leadership on this issue and urge you to amend the FCRA
accordingly.
Thank you.
[The prepared statement of Margaret Plummer can be found on
page 105 in the appendix.]
Chairman Bachus. Thank you very much.
Mr. McClain, we note that you have lectured at UCLA and
other California colleges and universities, so this ought to be
a piece of cake, after doing that.
STATEMENT OF EDDY MCCLAIN, CHAIRMAN, KROUT & SCHNEIDER, INC.,
ON BEHALF OF THE NATIONAL COUNCIL OF INVESTIGATION AND SECURITY
SERVICES
Mr. McClain. Thank you, Mr. Chairman. Thank you to the
committee.
I am chairman of Krout and Schneider, which is a 76-year-
old firm, but I have only been a licensed investigator for 47
years. I am appearing today on behalf of the National Council
of Investigation and Security Services, NCISS, which represents
investigative and protective service companies and their state
trade associations throughout the United States. We appreciate
the opportunity to discuss the FCRA.
Besides many small-and mid-size employers, even many
Fortune 100 firms hire third parties for their expertise and
impartiality. The FTC says any person who regularly conducts
employment investigations is a consumer reporting agency under
the law. We agree that is what the law says, even before Vail,
but we believe that investigators of workplace misconduct
should not be designated as consumer reporting agencies and the
reports should not be classified as consumer reports.
The 1996 amendments to the FCRA have substantially set back
progress, as Ms. Plummer said, on sexual harassment and
discrimination. The EEOC recommends prompt, thorough and
impartial investigation of sexual harassment, but the Act
provides no explanation or suggestion of what an employer
should do if an accused person refuses to give his or her
permission to be investigated.
Regarding violence, when an employee exhibits symptoms of
derangement, the last thing the employer wants to do is ask the
employee for permission to investigate him. My firm is often
hired to assist employers to deal with potentially violent
employees. It is not uncommon to have little or no background
information in a personnel file.
In addition to public records and surveillance, we need to
conduct covert neighborhood interviews. Neighbors are often
aware of suspicious activity, proclivity toward firearms
ownership, and even knowledge of explosives. Since the 1996
amendments, the report of such an investigation would be
considered an investigative consumer report and it would be
unlawful for the employer to order such an investigation
without disclosure and permission. The ramifications of
advising such an employee that he is going to be investigated,
then giving him a report of what witnesses said about him are
obvious.
Many business failures are the result of employee theft.
When businesses fail, employees lose their jobs. These are the
same employees the FCRA is supposed to protect. Investigation
of embezzlement requires stealth and expertise. Embezzlers are
usually in the best position to cover their tracks.
Yet before an employer can hire an outside expert to
investigate embezzlement, written permission must be obtained.
Illicit drugs are a scourge on our society. Seven percent of
American workers use drugs on the job, but the FCRA makes it
very difficult to ferret out drug dealers from the workplace.
Regarding intellectual property and trade secret theft,
prior to the 1996 amendments employers were able to hire
impartial experts to covertly conduct sensitive investigations
that would not be possible today. For example, my firm was
engaged to investigate an alleged theft of trade secrets by a
Fortune 100 defense contractor. Using a combination of public
record information, surveillance and undercover techniques, we
were able to determine the facts.
A salesman, marketing manager and a production chief had
conspired with a scientist to form a competing company that was
bidding on the same government contracts. Although one
conspirator left our client's employ, he was fed information by
the other two who remained as moles. Not only were the
scientific secrets being disclosed, but bidding information
allowing the competitor to slightly undercut their pricing on
closed bids. This successful prosecution would have been nearly
impossible if our client had to notify the culprits in advance
of the investigation.
Conversations with witnesses are considered to be
interviews and our report to be an investigative consumer
report. The employer must advise the accused of the nature and
scope of the investigation, and before taking any adverse
action against an employee, a complete unedited copy of the
report must be provided to the employee no matter how felonious
their behavior. Since the advent of the 1996 amendments, many
of our labor lawyer clients have advised their clients not to
risk investigations, even in the face of significant losses or
danger to coworkers. The reason is the attorneys do not wish to
provide subjects with a copy of the investigative consumer
report.
We strongly support Representative Sessions's H.R. 1543.
This bipartisan measure would make clear the investigations of
employee misconduct are exempt from the disclosure and
authorization requirements, while still providing protections
for consumers and employees. H.R. 1543 does not change the
permission requirement for access to credit reports. It also
would require that after taking adverse action against an
employee, an employer must provide a summary containing the
nature and substance of the communication upon which the action
is based.
At the FTC, former Chairman Pitofsky recommended Congress
consider a legislative change to remedy the unintended
consequences of the 1996 amendments. Last month, Howard Beales
made the same recommendation to this committee. We hope action
will finally be taken.
Thank you for your attention.
[The prepared statement of Eddy McClain can be found on
page 63 in the appendix.]
Chairman Bachus. I thank the gentleman.
My first question, Ms. Plummer. Prior to the FTC letter,
was there any indication that Congress intended the Fair Credit
Reporting Act to apply to workplace discrimination or
harassment investigations?
Ms. Plummer. There is no indication whatsoever, either in
the intent or purposes section of the statute or within the
contents of the statute.
Chairman Bachus. Thank you.
Mr. Reynolds, you testified that the Vail letter makes it
virtually impossible to use third party investigators,
particularly since failure to comply with FCRA can result in
unlimited liability, including punitive damages. And yet in
many cases, employers lack the resources, skills and fairness
to do those investigations in-house. What do these employers
end up doing?
Mr. Reynolds. Mr. Chairman, those employers are caught
between a rock and a hard place in fulfilling the mandates of
the regulatory schemes that I mentioned earlier and Supreme
Court precedent. Often they make the choice, a tough choice,
but the choice to protect their employees and to do the
investigation nonetheless in a way that allows for the safety
and integrity of the workplace. Employers should not be put to
that choice by the Vail letter.
Chairman Bachus. Thank you.
In your opening statement you mentioned Sarbanes-Oxley and
some of the requirements of that Act. If a company finds itself
in a potential Enron-WorldCom-type situation and decides that
it needs to investigate some top management for financial
impropriety, does the Vail letter pose a problem?
Mr. Reynolds. The Vail letter poses a significant problem.
Under Sarbanes-Oxley, often corporate boards and management
will reach out, and are in fact encouraged to reach out to
third party objective investigators. Under the Vail letter,
once that investigation begins, even before the investigation
begins, consent has to be obtained from the subject or object
of that investigation. As Mr. McClain has testified, that has
the effect of completely negating the ability to gain a fair
and complete picture of the facts, which is precisely what
Sarbanes-Oxley went to.
Chairman Bachus. Thank you.
Mr. Morgan, suppose you want to investigate the head
manager of a fitness center, how does FTC's Vail letter make it
more difficult?
Mr. Morgan. I would have to inform them and get consent
prior to that occurring. In a lot of cases, there are things
going on that you don't wish them to know about or you don't
wish them to know because they could cover their tracks. If
someone was stealing money from the facility or if that
particular manager was sexually harassing one of my employees,
I would certainly want an investigation done in a way that I
could get all the information before I made a fair and balanced
decision.
Chairman Bachus. Okay, thank you.
Mr. McClain, if a third party investigator uncovers
significant evidence of employee wrongdoing, such as racial or
sexual harassment, what stops the wrongdoer from disputing
every item, particularly the testimony of the victims?
Mr. McClain. Nothing would stop him, Mr. Chairman. One of
the major problems that I have with on the sexual harassment
issue is when we get an assignment like that from a client, the
first thing that we do is we ask our client to get permission
from not only the accused, but also the accuser. The reason is
we want to establish the credibility of the accuser and
oftentimes, not as often as the other way, but sometimes people
do conspire to give false information.
So talk about a chilling effect, when someone, take a
fairly new employee who is in the probationary basis trying
hard to hang onto their job and is being hit on by a
supervisor, so they reluctantly go to management, to HR,
because they have heard that they should report this kind of
activity. So they reluctantly go forth and report this, and
then management has to turn around and ask their permission to
investigate them. Of course, any other witnesses that would
come forth, we investigate them, too, because we need to know
who all the players are and try to determine what their
interests are to be impartial and fair.
So it just doesn't work. As I said before, what do we do
when someone refuses to give permission to be investigated? The
employer is within his rights to terminate him for failure to
cooperate with an investigation, but that in itself could be
unfair. Maybe the person does not want to agree just on general
principles. So it creates many unintended consequences, I
believe.
Chairman Bachus. In fact, I think two or three of the
panelists mentioned the EEOC, which actually asks us to protect
the identity or protect the witnesses. But under this FTC
letter, actually, you cannot protect their identities. In fact,
you go to the wrongdoer and give him this information which
could actually expose them to danger.
Mr. McClain. Some people think it is a hit list.
Chairman Bachus. Okay, a very good point.
Mr. Maltby, you testified about the bill introduced by
Representative Sessions and other members as a step in the
right direction, I believe, but not a complete solution. What
additional changes would you recommend, particularly since
employers can avoid any FCRA requirements simply be conducting
investigations in-house?
Mr. Maltby. Mr. Chairman, if I could give you a complete
and thorough set of standards for how to get the guilty without
violating the rights of the innocent, I would be a much smarter
man than I am. I can mention two or three critical points. One
is we need to have protection against pretext investigations.
They are not common, but they do occur. It is not clear that
Congressman Sessions's bill addresses that issue.
We need to have people be able to see the results of the
investigation, possibly with certain information redacted, at
whatever time is appropriate. You obviously cannot show
someone, especially if they are guilty, the results of the
investigation in mid-stream, but at some point the
investigation is over. There is nothing left to compromise and
the employee, guilty or innocent, ought to be able to see the
report, again possibly with certain information redacted.
There are provisions, I believe, in the Fair Credit
Reporting Act, not terribly strong, to be sure, but I believe
they exist, that set some sort of minimal standards for the
fairness of the process and the accuracy of information. Those
would be lost if we took employee investigations completely out
from under the jurisdiction of the FCRA. I do not think anyone
wants to do that.
I would be happy to submit additional suggestions to the
Chair in a very short time, if I might have permission to do
that.
Chairman Bachus. Thank you, and we would welcome that.
At this time, the gentleman from North Carolina, Mr. Watt.
Mr. Watt. Thank you, Mr. Chairman.
I would welcome a copy of Mr. Maltby's follow-up also. Mr.
Maltby, you seem to be a little outnumbered on this panel.
Mr. Maltby. I am not, Congressman.
Mr. Watt. Not necessarily. I am trying to find common
ground here, rather than trying to score points about who is
right and who is wrong, because there is some right, as you
acknowledged, on both sides of this issue.
So that I can explore that common ground, let me talk to
Mr. Reynolds and Mr. Morgan for a little bit here, about their
reactions to the things that Mr. Maltby has proposed. He, as I
was jotting down what he said, agrees that the prior consent
requirement of Vail is probably not a good thing. I think most
people would probably agree with that. I take it you all agree
with that.
Mr. Reynolds. Yes, Congressman.
Mr. Watt. Check one for common ground there.
On pretext investigations, he thinks there ought to be some
explicit protection that says you cannot use criminal or other
background information as a pretext to try to eliminate
somebody. What do you think about that?
Mr. Reynolds. Congressman, there are already provisions in
existing law to cover that.
Mr. Watt. What law?
Mr. Reynolds. For example, under Title VII, if an employer
were to use a criminal background check as a pretext where the
real purpose, for example, was to discriminate, that would
clearly violate Title VII.
Mr. Watt. So what you are saying is we just need to
reconcile EEOC Title VII and the Fair Credit Reporting. Is that
an explicit provision or is that case law?
Mr. Reynolds. That is case law, and it is commonly held
case law that has been in place since the 1970s.
Mr. Watt. And you agree with that, so if we could figure
out some way to get those things consistent, you would be happy
with that?
Mr. Reynolds. Congressman, I believe they are already
consistent. Title VII is in existence. The case law is quite
explicit.
Mr. Watt. Okay, but if we made it explicit under Fair
Credit Reporting that you cannot do pretext, would that be
something you and Mr. Morgan would object to?
Mr. Reynolds. At least from my standpoint, Congressman, I
believe the pretext issue is covered completely by both Title
VII and the courts and I do not see a need to add to the
provisions of FCRA in order to address that issue.
Mr. Watt. Okay, well, I think you are missing my point. You
have one law that doesn't say anything about it, and another
law that says something explicit about it, at least in case
law, and you all are testifying that there is a conflict here.
Couldn't we reconcile that by simply making it explicit? That
is the question I am asking. I am looking for common ground
here. Am I missing something here?
Ms. Plummer, would I be chasing the wrong dog if I tried to
just make explicit what Mr. Reynolds says is already over there
somewhere in another area, but if we just put it in Fair Credit
Reporting, would that be okay with you?
Ms. Plummer. No, it would not be okay.
Mr. Watt. Okay, then why wouldn't it be okay?
Ms. Plummer. The effect of doing that would be to muddy the
waters because Title VII and the case law that follows it do
completely cover the issue of pretext based on protected class
status. If you then add that to the FCRA, you are simply adding
yet another burden, yet another interpretation that has to be
made of that law.
Mr. Watt. But Mr. Reynolds just told me that I am not
adding anything because FCRA is already subject to Title VII.
So why would I care about making that explicit?
Ms. Plummer. You would not be adding anything to the rights
of the employees or to the citizens, but you would be adding
yet another layer of judicial interpretation of the statute
that employers would have to combat. As we can see here, the
language in the existing statute has brought us all here today.
So my concern if we attempt or Congress attempts to clarify
pretext in the FCRA, it will lead to confusion.
Mr. Watt. Mr. Maltby, what do you say to this? I am trying
to be an honest broker here and walk down the middle.
Mr. Maltby. Congressman, I would not say you are chasing
the wrong dog, but I would say you are missing a lot of the
pack.
Mr. Watt. Okay. Go ahead.
Mr. Maltby. I actually think Mr. Reynolds is correct.
Mr. Watt. All right.
Mr. Maltby. If the investigation is a pretext for getting
the black employee out of the workplace because of some sort of
racial bias, I think he may be right; that that is already
adequately addressed by Title VII. But that is one of 100
possible reasons for pretext.
What if the real reason for launching the investigation is
because the person is organizing a union, or they are a woman
who does not like the way women are being treated in the
company and they are starting to make some noise about it, or
because you just don't like the guy, or because he is gay in a
jurisdiction where that is not protected by law? There are 100
reasons to launch a pretext investigation. One of them may be
covered, but the other 99 are not protected.
Mr. Watt. What about this copy of the report in some
redacted form at some appropriate time? Mr. Reynolds, do you
think if somebody is investigating me and I am found to not
have any problem; I am investigated and you have found nothing.
Do you think it is okay if I get the report at some point, that
maybe then I can take it to another employer and say, look,
this one turned me down after they found that I was not guilty;
maybe you will consider me positively.
Mr. Reynolds. Congressman, let me at the outset just
caution the use of the words ``innocence'' and ``guilt.'' In
the context of workplace investigations, the employer is not
the government. They do not make findings of whether someone
has violated a statute. This is important for this reason. What
Mr. Maltby may suggest in his comments, the provision of the
report et cetera, those are certainly potentially due process
protections, but they are due process protections that are
better suited to the context of governmental action in a
criminal prosecution.
In this context, you have an employer whose obligation is
to make the best possible judgment based on the best possible
investigation they can do. They are not held to the standards
of reasonable doubt, nor should a question of innocence or
guilt be at issue. The real question is whether or not the
employer can do an effective investigation to determine whether
or not the company's policies have been violated, and sometimes
those policies are broader and more expansive at the employer's
option than law.
So under those circumstances, to get to your question,
Congressman, my answer would be that there are many
circumstances where it would not be appropriate to mandate that
the employer provide a copy of the report. One quick example,
there are many instances in which the investigation is about a
current employee's actions vis-a-vis another current employee.
It is the employer's obligation to make sure that the
complaining employee is not retaliated against. We would not
want to be in a position of creating the atmosphere, the
conditions for retaliation.
Mr. Watt. I think that is what Mr. Maltby was trying to
redact, I assume. I do not think we would have any problem with
that.
Okay, I think what you all have succeeded in doing is
showing us how difficult this area is. Mr. McClain is going to
clarify it for us.
Mr. McClain. Thank you, Mr. Watt. I would just like to
comment on some of these issues.
With regard to providing a copy of the report, Section 609
of the FCRA does provide for discovery. So even if
Representative Sessions's bill were enacted, anybody that
wanted to dispute their termination still has the ability to
get a complete copy of that report usually under a
confidentiality agreement supervised by the court. That is the
way they do it, so they can get a copy.
Mr. Watt. I have to be in litigation before I can get a
copy of it?
Mr. McClain. Well, there are reasons for that. The court
can protect the witnesses, for instance. If there is some
indication that the names of those witnesses should not be just
handed over, so then they use the attorneys for insulation. The
other thing, regarding Mr. Maltby's statement, talk about
unfairness, some employers, and I do not have any hard and
proof evidence of this, but I do believe that sometimes because
employers are unable to do a thorough investigation without
telling everyone, because of the Fair Credit Reporting Act, I
think they sometimes think that the easier way, and it is
certainly cheaper than hiring me, the easier way is to just get
rid of the suspect; find another reason to get rid of him. Now,
that is unfairness and that is an indirect result of a law that
is supposed to be protecting these same employees.
Mr. Watt. I think Mr. Morgan wants to say something. I have
run out of time myself, but maybe the Chair will let you
respond.
Mr. Morgan. Congressman, in a lot of workplaces, the
reality is that there are sometimes small groups of employees.
My stores, which would not be untypical, usually employ 50
employees. With a 50-employee work group, even providing a
redacted document, it will be obvious who did this and that
would create additional workplace problems that I would really
be concerned with.
Also, regarding Mr. Maltby's comments, if someone was
organizing, I cannot fire someone as a pretext under the
National Labor Relations Act. And also, if there were a history
of discrimination that was going on, I would be subject to a
patterns and practice suit under EEOC for that. So there really
are a lot of protections out there already.
Chairman Bachus. At this time, I am going to ask Mr. Tiberi
to take the chair, and I am going to recognize Mr. Crowley, the
gentleman from New York, for questions.
Mr. Crowley. I thank the Chairman.
My staff is telling me the second round of panelists is
going to have more difficult issues, and it is interesting to
hear about the Vail letter and the FTC, that this seems to be
an issue that needs to be worked on a great deal more. So I
appreciate the testimony of all of you here today.
I thank Mr. Watt for his line of questioning as well. I
think it amply demonstrated that there is a need to really
clarify what the intent is.
I just want to move to another area, and that is concerning
the seven criteria. Mr. McClain, if I can direct the question
to you, and then if the other members of the panel could
respond in some way, I would appreciate it. The consumer credit
report certainly includes information about a consumer's credit
worthiness, credit standing, and credit capacity, and then four
other categories: character, general reputation, personal
characteristics, and mode of living.
I understand that for the most part, the financial services
industry generally looks at the issue of credit worthiness,
credit standing and credit capacity for granting or denial of
credit. The terms ``character, general reputation, personal
characteristics and mode of living'' are used more in
investigatory reports that are governed by the FCRA.
As these four criteria are not defined at all under 15 U.S.
Code, I was wondering if you would both define these terms as
you believe they are used, as well as let the committee know if
these are important criteria. And if so, should they be defined
in statute to prevent such a broad swath of information from
being used in investigatory and/or credit reports under FCRA?
Mr. McClain. I think further definition would always be
helpful. I am not sure to what extent you can do that. The FTC
has taken the position, and I don't think wrongfully, that
pretty much in any report it is very difficult to have a report
that does not encompass one or more of those definitions.
So I do not know if a further definition might help, but I
think the big issue is whether or not these types of reports
should be consumer reports. I believe rather than trying to
define all of these things further, if we just made it clear in
the law that these types of investigative reports are not
covered by the FCRA, I think that would be appropriate.
Many of the investigations that we do, we do not
necessarily run credit reports. Credit reports contain
information that would be very helpful on embezzlement
investigations, particularly when you are looking for someone
who is living beyond their means. It is a flag that indicates
you might be on the right track. But in every instance, the
Sessions bill would not change that. You would still have to
have the consumer's written permission before you could run a
credit report. So we would be able to do other types of
investigations, but we would not be able to run credit reports.
I hope I was responsive to your question.
Mr. Crowley. Would you be in favor of the status quo, then,
leaving the seven criteria and those four particularly that I
mentioned at the end, intact?
Mr. McClain. We have learned to live with and understand
what they mean, provided that this general category of
misconduct investigation is excluded, and it clearly indicates
that it is not a consumer report, then those definitions would
not affect misconduct investigations, but they would still
affect all of the other investigations.
I do not have any problem with preemployment. We have
learned to live with that. I think most of the employers have
learned to get applicants's permission before they investigate
them. That is not a problem. It is when you have an existing
employee who is malfeasant in some respect that you have to
investigate. Therein lies the problem.
Mr. Crowley. In all four of these, character, general
reputation, personal characteristics, mode of living, are these
all opinions that you derive from information that is given to
you? For instance, personal characteristics and general
reputation, how would you define that?
Mr. McClain. Well, the FTC can say that just about anything
we do, I mean, if I go down and check Superior Court records on
someone and they say that that record check is going to
possibly indicate the mode of living or the characteristics, so
I do not know how else to get around that.
Mr. Tiberi. [Presiding.] The gentleman's time has expired.
The gentlelady from New York is recognized for five
minutes.
Ms. Velazquez. Thank you, Mr. Chairman, and thank you to
all the members of the panel for the information that will help
us embarking on this comprehensive reauthorization of the
legislation that is before us.
Mr. Maltby, employers obviously collect an abundance of
data regarding their employees. Some of the data, such as
salary, is furnished to credit reporting agencies and plays an
integral part in the credit-granting process. Outside of salary
and tenure data, what sort of data to employers do employers
systematically collect on their employees?
Mr. Maltby. It obviously varies a great deal from employer
to employer. But if I think back to the days when I was a
corporate general counsel and had responsibility for the HR
function, I cannot think of a great deal that I could not find
out about one of our employees if I were to take a very careful
look through the personnel file. There is almost nothing that I
could imagine that would not be in there.
Ms. Velazquez. How do employers use this information? Do
they furnish this data to credit reporting agencies?
Mr. Maltby. Ma'am, I really do not know that for sure. My
assumption would be that if the employee had applied for the
loan and the employer knew the employee had applied for the
loan, the employer would provide any information that appeared
to be relevant, but that is strictly an impression on my part.
I really do not have any hard data to back that up.
Ms. Velazquez. Mr. Morgan, given your HR experience, could
you please comment on this as well?
Mr. Morgan. Yes. We would only give out information to an
agency if I had written permission from the employee to do
that. Under normal circumstances, I am not gathering data up
and giving it out to anyone. As a matter of fact, I see it as
one of my great responsibilities to the employees to not do
that.
So generally speaking, I would only give out any
information as long as I had a release from the employee. That
also would go for reference checks. The reality of life today
is that reference checks do not exist because no employers are
giving out any information.
Ms. Velazquez. Thank you.
I would like to ask this question of Ms. Plummer and Mr.
Maltby. I understand the restrictions that the Vail letter
imposes on employers. Employers must provide an employee with
notice that they are being investigated, and also must secure
their consent before an investigator can begin their
investigation.
I also understand that these restrictions can prevent
outside consultants from conducting an effective investigation.
What risks to the employee do external private investigators
pose to employees? In your experience, is there a need for
enhanced protections when a third party conducts these employee
investigations?
Mr. Maltby. Ma'am, I would not go so far as to say that
there are no concerns for having an outside third party
investigator, but in general it is probably better off if there
is a third party investigator. There are just too many
possibilities for bias or intimidation in an internal
investigation, particularly if the person being accused is
fairly far up the corporate food chain.
Again, I would not want to make that as a blanket
recommendation, but my blood does not run cold when I hear that
a firm has brought in an outside investigator, assuming they
are a competent professional firm. It might be better to bring
in someone from the outside who does not have all the potential
for bias that an inside party might have.
Ms. Velazquez. Ms. Plummer?
Ms. Plummer. There are no enhanced concerns for the
employee when a third party is brought in to investigate. In
fact, it improves, as Mr. Maltby just expressed, the
possibility of an impartial and fair investigation. In fact, it
is to the employee's benefit to have somebody from outside the
company come in to investigate for just that purpose.
Ms. Velazquez. Thank you.
Thank you, Mr. Chairman.
Mr. Tiberi. Thank you.
I would like to thank the panelists from our first panel
for testifying today, and ask the second panel to be seated for
their testimony. Thank you very much.
Thank you all for coming today. I will introduce the second
panel, starting from my left, working to my right: Mr. Chris
Petersen, attorney with Morris, Manning and Martin, LLP, on
behalf of the Health Insurance Association of America; Mrs.
Roberta Meyer, Senior Counsel, American Council of Life
Insurers; Mr. Marc Rotenberg, Executive Director, Electronic
Piracy Information Center; Ms. Joy Pritts, Assistant Research
Professor, Health Policy Institute, Georgetown University; and
last but not least, Mr. Edward L. Yingling, Executive Vice
President, American Bankers Association.
Thank you all for being here today. I would like to remind
all of you that you have 5 minutes to give us your testimony,
and it will be followed by questions from those who remain here
today. I would like to start with Mr. Petersen. Thank you for
being here.
STATEMENT OF L. CHRIS PETERSEN, ATTORNEY, MORRIS, MANNING &
MARTIN, LLP, ON BEHALF OF THE HEALTH INSURANCE ASSOCIATION OF
AMERICA
Mr. Petersen. Thank you very much, Mr. Chairman, members of
the subcommittee.
My name is Chris Petersen. I am a partner with the law firm
of Morris, Manning and Martin. Today I am testifying on behalf
of the Health Insurance Association of America. The HIAA is the
nation's most prominent trade association representing the
private health insurance system. Its nearly 300 members provide
the full array of health insurance products, including medical
expense, long-term care, dental, disability and supplemental
coverage to over 100 million Americans.
My written statement focuses on the continuum of federal
and state privacy laws and the interplay among those various
laws. In my oral testimony, I will examine these additional
privacy laws, in conjunction with the Fair Credit Reporting
Act, limiting health insurers' ability to disclose information.
As the committee is aware, important provisions of the FCRA are
up for reauthorization. The HIAA supports the reauthorization
of the Fair Credit Reporting Act.
The HIPAA privacy rule is the first of these many privacy
laws that health insurers must comply with. The rule provides
that those insurers that meet the definition of a health plan
may not use or disclose protected health information except as
permitted or required by the privacy rule. In addition, the
privacy rule provides for six instances under which a health
plan is permitted to use or disclose information. Most relevant
for today's discussion are the permitted uses and disclosures
for treatment, payment and health care operations, and those
uses and disclosures made pursuant to an authorization.
Health care operations encompass uses and disclosures
necessary to administer a health plan's business and provide
benefits to covered individuals. Many of the health plan's
routine uses would fall under this provision. However,
disclosing to a financial institution for that institution's
operations would not fall under the health care operations
exception. As a result, the HIPAA privacy rule would not allow
a health plan to disclose health information to another
financial institution without that individual's signed
authorization for purposes of that financial institution to
make credit decisions regarding the individual that is the
subject of the information.
The HIPAA privacy rule also provides the privacy standards
requirements under the rule. State laws are preempted if they
are contrary to the HIPAA privacy rule. Therefore, we have to
also look at state privacy laws to determine how they interact
and regulate the ability of a health insurer to disclose
financial information or health information.
In 1999, Congress enacted the Gramm-Leach-Bliley Act
establishing a statutory framework for all financial
institutions to use in disclosing information. The National
Association of Insurance Commissioners adopted a model law
regulating Gramm-Leach-Bliley disclosures by health insurers at
the State level to provide guidance for State insurance
departments in regulating this important area.
That model regulation governs financial disclosures, but
the State insurance departments went further than the federal
law as they also regulate disclosures regarding health
insurance information. Insurance entities may not rely on the
opt-out rule of the Gramm-Leach-Bliley Act to disclose
nonpublic personal health information. Instead, insurance
entities must either have the individual's written
authorization to disclose the information, or the disclosure
must be allowed under the regulation's permitted exceptions.
Generally, the regulation allows an insurance entity to
disclose information in order to service a transaction that a
consumer requests, or to conduct insurance functions, or to
make disclosures that are in the public good. This regulation
was drafted with industry, regulatory and consumer input, and I
believe those exceptions, once again, would not allow an
insurance entity to disclose health information to another
financial institution for the purpose of that financial
institution making credit decisions.
In 1982, the NAIC adopted a comprehensive privacy model.
This also regulates insurance institutions and requires that an
insurer must have an authorization in order to disclose
financial or medical information or personal characteristics
information, as we discussed earlier. Once again, you can
disclose for insurance functions, but you cannot disclose for
purposes to another institution for that institution's credit-
making decisions without an authorization.
Finally, there are a whole array of State privacy laws that
govern sensitive health information, for lack of a better term.
These laws are additional protections for specific types of
information. As you look at the HIPAA privacy rule, insurers
have to once again make a decision: Do these laws provide
greater privacy protections, and limit the scope and uses and
disclosures of health information? If so, health plans must
comply with these laws as well.
In conclusion, a whole array of laws would prevent health
plans and health insurers from disclosing medical information
for credit purposes.
Thank you.
[The prepared statement of L. Chris Petersen can be found
on page 96 in the appendix.]
Mr. Tiberi. Thank you.
Ms. Meyer?
STATEMENT OF ROBERTA MEYER, SENIOR COUNSEL, AMERICAN COUNCIL OF
LIFE INSURERS
Mrs. Meyer. Thank you, Mr. Chairman, and members of the
subcommittee. I am very pleased to be here to testify before
you today on behalf of the American Council of Life Insurers,
the principal trade association for life insurance companies.
Our members sell life insurance, disability income insurance,
long-term care insurance, and also provide annuities.
Life insurers have a very long history of trading highly
sensitive information, including our policyholders's medical
information, in a highly professional and appropriate manner.
Life insurers collect and use this information in order to
serve their existing customers. At the same time, life insurers
support very strict protections relating to the confidentiality
of the medical records. Accordingly, we strongly support
prohibiting the sharing of medical information in connection
with the extension of credit.
Today, I am going to very briefly explain why life insurers
collect medical information and why it is so important to the
life insurance process. I will very briefly provide an overview
of ACLI's policy on medical records confidentiality, and then
again touch on the key elements of the numerous federal and
state privacy laws that do in fact provide very comprehensive
protection to life insurers's policyholder medical records. In
today's world, life insurance protection is more important than
ever. In order to continue to make insurance products and
services widely available at the lowest possible cost, life
insurers must have access to medical information. The risk
classification process, which is based in large part on medical
information, provides the fundamental framework for the current
private system of insurance. In fact, it is largely this
process which has made it possible for insurers to make their
products widely available to American consumers today.
ACLI's privacy policy, as I said before, provides for very,
very strict limits on insurers's ability to both obtain and
disclose consumer medical information. The principles also
support a prohibition on the sharing of policyholders's medical
information with a financial institution for purposes of
determining eligibility for credit, even if in fact that
financial institution is an affiliate of the insurer.
I would now like to speak very quickly to the various
federal and State laws. Mr. Petersen has spoken to some of them
already, so I will just touch very briefly on the key elements
of those provisions. First, under the Fair Credit Reporting
Act, medical information may be a consumer report because it
does in fact bear on the consumer's personal characteristics
and is used as a factor in determining an individual's
eligibility for insurance. However, medical information is
afforded special status under the FCRA.
Medical information can be disclosed by a consumer
reporting agency to an insurer only in connection with an
insurance transaction and only with the consumer's consent.
Insurers believe that the FCRA is critical to their business.
It in fact facilitates widespread availability and
affordability of insurance today.
ACLI member companies also strongly support the privacy
provisions of the Gramm-Leach-Bliley Act. As Mr. Petersen has
already indicated, medical information under that Act is
treated as nonpublic personal information, and may only be
disclosed by a financial institution provided the individual is
given notice of the sharing and given the opportunity to opt
out of the sharing.
The only circumstances under which notice and opt-out do
not need to be provided is when the information is shared for
operational insurance business functional purposes or in
connection with joint marketing agreement. In fact, state
privacy laws generally go further than this and require
insurers to obtain an opt-in for the sharing of medical
information.
In fact, when the National Association of Insurance
Commissioners and the States were first developing and then
adopting the State laws to enforce and implement the Gramm-
Leach-Bliley Act, the ACLI member companies strongly expressed
the view that medical information should be afforded increased
protection, given its highly sensitive nature.
Both with the NAIC and throughout the country, as the
States have considered adoption of the NAIC model, Gramm-Leach-
Bliley confidentiality regulation, the ACLI has firmly
expressed its support for the privacy provisions, medical
records provisions of that regulation, which provide that in
fact before a policyholder's medical information may be
disclosed, there has to be obtained by the insurer the
authorization or the opt-in of the individual.
Similarly, the old NAIC model privacy act, as it is called,
which was enacted before Gramm-Leach-Bliley, would require the
opt-in of an individual before his or her medical information
could be shared with a non-affiliated third party, unless in
fact the information was again being shared for operational
insurance business functions.
Mr. Tiberi. If you could wrap up, Ms. Meyer.
Mrs. Meyer. I can. Thank you very much.
The HIPAA rule, similarly, even though the HIPAA rule does
not directly impact on life and disability income insurers, it
would in fact require that a health care provider obtain the
consent of the individual before an individual's medical
records may be disclosed to a life or disability income
insurer.
Finally, Mr. Chairman, we appreciate the opportunity to
testify today. We strongly support strict medical records
privacy protections, and would strongly support a prohibition
on the sharing of medical information for purposes of
determination of eligibility for credit.
Thank you.
[The prepared statement of Roberta B. Meyer can be found on
page 72 in the appendix.]
Mr. Tiberi. Thank you.
Mr. Rotenberg?
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Rotenberg. Thank you very much, Mr. Chairman, members
of the committee.
My name is Mark Rotenberg. I am Executive Director of the
Electronic Privacy Information Center. I have taught
information privacy law for many years at Georgetown. I also
chair the American Bar Association's Committee on Privacy and
Information Security, although I am testifying today on behalf
of myself and not on behalf of the ABA. Also with me this
morning are Chris Hoofnagle, Deputy Counsel at EPIC, and Anna
Slomovic, our Senior Fellow.
I am very grateful to you and the members of the committee
for looking at the issue of medical record privacy. This is
clearly one of the top privacy concerns for consumers in the
United States. I think the particular challenge that you face
this morning is trying to understand the relationship between
three different regulatory regimes, and whether or not they
adequately safeguard the privacy of medical records,
particularly when they may be made available to employers.
Now, the HIPAA privacy rules, which have been discussed
earlier, do a good job of providing privacy protection for
covered entities, which are typically the health care plans.
But the HHS understood that HIPAA could not be generally
extended to employers, and that protection for that type of use
of personal information would have to be found elsewhere.
The Fair Credit Reporting Act, while it recognizes certain
protections for medical information, does not in fact go as far
as the HIPAA rules, which set out a separate category of
protected health information. The Gramm-Leach-Bliley rules do
not speak directly to the protection of medical record
information. Other means were needed to try to safeguard the
protection of medical information after passage of Gramm-Leach-
Bliley.
Where does that leave us today? I would like you to
consider the following scenario. Imagine a prospective employee
who is seeking a job and the employer asks this person to
provide consent for access to the credit report, which is done
increasingly today, both through standard employment practices
and also through obligations imposed by federal statute. The
employee, believing she has a fine credit report and that there
is nothing there that would produce an adverse determination,
signs the consent.
Now, it turns out that the credit report may in fact
provide information from which the employer could infer medical
care or medical services that she has received because, for
example, she has obtained credit from a neonatal clinic for
fertility drugs, an expensive procedure and something where
people might quite likely obtain credit and establish what
would be considered on the credit report a trade line. From
this, the employer may be able to infer some information about
her intent to have children.
As a general matter in employment law, it would be improper
to use that information in the employment determination, but it
is an example of how information could be made available
through a credit report to an employer that the HIPAA rule
would otherwise try to protect, but could not protect in this
instance because the employer is not in fact a covered entity
under the HIPAA rules.
Now, I think there are legislative approaches to try to
solve this problem. But I want to suggest to you more
generally, particularly in the context of the Fair Credit
Reporting Act and the many issues that you are considering in
this session, that it is particularly important to understand
the role that the States play in safeguarding the right of
privacy. I think we have been a little bit too quick over the
last few years to look for national uniform solutions that
effectively restrict the ability of State regulators to
safeguard the interests of consumers when these types of issues
arise.
Returning again, for example, to the example of medical
privacy under Gramm-Leach-Bliley, this was a problem that was
dealt with by the National Association of Insurance
Commissioners. It was in fact the NAIC model guidelines
promulgated after Gramm-Leach-Bliley that provided a framework
for good state regulations intended to safeguard the privacy of
medical information that GLB did not otherwise cover.
But more generally, if you look at the development of
privacy law in the United States over the last 30 years,
invariably what you see is that Congress passes a baseline
standard to provide a basic level of protection to protect
privacy interests for consumers across the country, and allows
the States to regulate upwards, to provide more protection when
they identify new problems that perhaps Washington cannot get
to as quickly.
Sometimes the State efforts succeed, in which case they
will be followed by other States. Sometimes the State efforts
fail, in which case they will be disregarded. I think this is
precisely what is meant by the concept of the States being the
laboratories of democracy.
So I would urge you today as you consider medical privacy
issues in the context of financial services, and more broadly
the importance of the Fair Credit Reporting Act, that you
safeguard the ability of the States to protect the interests of
consumers. I think it would be a mistake to allow the
preemption loophole to be extended beyond this Congress.
Thank you very much.
[The prepared statement of Marc Rotenberg can be found on
page 146 in the appendix.]
Mr. Tiberi. Thank you, sir.
Ms. Pritts?
STATEMENT OF JOY PRITTS, ASSISTANT RESEARCH PROFESSOR, HEALTH
POLICY INSTITUTE, GEORGETOWN UNIVERSITY
Ms. Pritts. Good morning, Mr. Chairman and members of the
Subcommittee on Financial Institutions. I would like to thank
you for this opportunity to testify today on medical
information and how it is protected in the financial services
area.
I would like to incorporate everything that Mr. Rotenberg
just said into my testimony, because I think he said it so
well. But I would also like to emphasize that this is an area
that consumers are very concerned about. They do not want their
medical information shared in the financial service area
without their advance permission.
In particular, there is a Gallup survey which was done in
the year 2000 which showed that fully 95 percent of Americans
said they did not want their banks to have access to medical
record information without their advance permission. This is a
consistent trend, too. It is not something that has just
happened. It is consistent. It is persistent. People are
concerned.
There is no question that those in the financial service
industry collect and use medical information for legitimate
uses in a variety of different contexts. From the written
testimony that was submitted, many of those in the financial
services industry say that they believe, and as we have heard
earlier from Ms. Meyer, that they believe that it is improper
to use in particular health information for credit purposes.
These are important policies that the financial services
trade associations have in place and many do subscribe to them,
but policies are not enough. The consumer cannot enforce the
policy. You cannot take it to court. More important, I think,
is also the fact that policies can change. Fifteen years ago,
you would have never seen an insurer using a credit score for
underwriting purposes. There are many instances in which health
information can lead people to financial distress, so what is
to prevent in the future from people using health information
for credit purposes? What we really need are adequate legal
protections. The time to put them into place is now, before the
sharing of this type of information is used consistently as a
business practice for determining credit purposes and for other
purposes that medical information really was not intended.
One of the things that we really saw when the HIPAA privacy
regulations were being drafted was a very persistent problem
that people had been using health information for a long time
in manners that health care consumers really did not understand
and know about. Yet because it had become an established
business practice, it was in many ways difficult to control it.
The horse was out of the barn and there was no getting it back.
The problem I see is that the laws that we have today are
inadequate. There are a lot of them, but there still are a
number of loopholes. For one thing, they do not cover everyone
who holds and uses health information in a commercial-type
context. They set different standards and they are often
inadequate for using and sharing health information. And where
they overlap, there is confusion as to which law prevails. It
is that last point, which I think is fairly confusing to a lot
of people, but which I also find to be fairly disturbing.
I think that the FCRA and GLBA, the Gramm-Leach-Bliley Act,
are particularly problematic from a health consumer's point of
view. They govern the sharing of financial information which
can, by implication, and often does include medical information
in the financial services industry.
The Gramm-Leach-Bliley Act allows the sharing of financial
information, including medical information, among affiliates
without the permission of the consumer. It does provide for
notice, but as anybody who has received the scores of privacy
notices from financial institutions knows, those notices are
often incomprehensible.
This type of sharing of health information is precisely the
activity that consumers have repeatedly and strongly said they
do not want. They do not want insurers and banks looking at it
and then asking them after the fact whether this is something
that they really would permit.
The states have stepped up to the plate. They have filled a
lot of these gaps, particularly in the health insurance area.
They have been very, very much advanced as to protections that
they offer. But the concern is that these laws are subject to
attack.
In particular, the problem here lies, and this is a very
kind of wonky discussion I am going to launch into, but the
problem lies with the fact that GLBA has essentially two
preemption provisions. It allows states to have stronger laws,
but then it also incorporates all the provisions of the Fair
Credit Reporting Act. The Fair Credit Reporting Act has a
provision that prohibits states from enacting laws with respect
to the exchange of information sharing among affiliates.
There have been a number of articles in some trade
association magazines and law reviews that say what this
effectively does is prevent States from requiring, for
instance, an opt-in for the sharing of affiliate information.
We think that this really needs to be clarified and the time to
clarify it is now. There is no need to wait for a court to make
that sort of decision.
In summation, I would say that health care consumers prefer
and demand that they have an opt-in for sharing of medical
information, including information among affiliates; that the
Fair Credit Reporting Act preemption provision should be
allowed to expire, it is merely causing confusion; and that the
Congress needs to clarify when you have these three different
statutes, HIPAA, Gramm-Leach-Bliley and the Fair Credit
Reporting Act, where they overlap, and there is some confusion
as to which one is going to prevail, because that is not in the
Congressional Record whatsoever.
Thank you.
[The prepared statement of Joy Pitts can be found on page
113 in the appendix.]
Mr. Tiberi. Thank you.
Mr. Yingling?
STATEMENT OF EDWARD YINGLING, EXECUTIVE VICE PRESIDENT,
AMERICAN BANKERS ASSOCIATION
Mr. Yingling. Thank you, Mr. Chairman.
The ABA appreciates the subcommittee's holding hearings on
the Fair Credit Reporting Act and the issue of protecting
consumer information, including medical information. Before I
address medical privacy specifically, I would like to briefly
outline the philosophy of the banking industry regarding the
use of information and the importance of preserving FCRA for
our economy.
First, the cornerstone of banking is preserving the trust
of our customers. That only can be accomplished by protection
and responsible use of information. Not only is protecting
privacy the right thing to do, the highly competitive financial
market demands it. No bank can be successful without having a
strong reputation for protecting the confidentiality of
consumer information.
Second, we do believe preserving a national credit
reporting system is critical to the U.S. economy. The strength
and resiliency of the U.S. economy is linked to the efficiency
of consumer credit markets. U.S. consumers have access to more
credit, from more sources, and at lower cost than consumers
anywhere else in the world.
What makes this possible is a nationwide, seamless, and
reliable system of credit reporting. Such a system would be
impossible without the Fair Credit Reporting Act. For
consumers, it means they can walk into an auto dealership and
drive off with a new car within an hour. They can move across
the country and open a banking account without hassle. They can
quickly refinance their mortgage loan from lenders across the
country to take advantage of falling interest rates.
As is pointed out in a study cited in my testimony, one of
the more remarkable achievements of the FCRA is the increased
access to credit for lower-income households. By enabling
complete and accurate credit histories, FCRA has helped extend
credit to millions of Americans who otherwise might not have
been able to get it. Simply put, the U.S. credit system works
and is the envy of the world. The reauthorization of FCRA, and
in particular the preemption of State laws which assures a
national, consistent and complete system, is very important.
Turning to medical information, it is obvious that such
information is at the top of the list of personal information
that consumers worry about. Three years ago, we convened a
select group of bankers to work on privacy issues. Regarding
medical privacy, the task force believed it important to
reassure the public that, to the extent banks possess medical
information on a customer, it will be held sacred.
Concern has been expressed that lenders might use medical
information obtained elsewhere in making a credit decision.
ABA's position is that such use of medical information in a
credit decision, obtained without the knowledge and consent of
the borrower, is just plain wrong.
There are, of course, a limited number of instances where
medical information is directly relevant, for example in loans
to sole proprietorships or small businesses where the franchise
value of the firm hinges on one or two key individuals. In such
cases, insurance on the key individuals might be required.
In those instances, the prospective borrower will know what
information is required and can expressly consent to it being
obtained and used. Otherwise, the lender should not need such
medical information. Finally, any such information obtained
should be kept strictly confidential by the lender.
Mr. Chairman, we appreciate the opportunity to testify
today, and I would be happy to answer any questions.
[The prepared statement of Edward L. Yingling can be found
on page 162 in the appendix.]
Mr. Tiberi. I don't think I have ever seen that before. You
have 1 minute and 20 seconds to spare.
Mr. Yingling. I am the last guy before lunch.
[LAUGHTER]
Mr. Tiberi. Thank you, Mr. Yingling.
Thank you, panel, for your testimony today.
I am going to defer my 5 minutes for questioning. I am
going to call on the gentlelady from New York for 5 minutes.
Mrs. Kelly. Thank you.
We have been talking today about the use of information
that is collected with regard to people. I would like to just
ask anyone on the panel, who is collecting this? Where do you
go to get this information? There was at one time a situation I
recall, for instance with medical information, there was only
one company that carried it. It was all in one massive
computer, so everybody went there to get that information.
Where do you go to get this information about people?
Mr. Petersen. Health insurers typically get most of their
information first, from an application and/or a claim. So that
would be the starting base. Some of the insurance industry
would use a clearinghouse that you are referring to. A lot of
the health insurance industry does not use that clearinghouse
because of the cost-benefit analysis.
So for health insurers, it would be primarily the
application process. Then they would get an authorization, and
they have to get an authorization both under State law and
federal law, to collect information from other sources. Those
sources would be identified in the authorization. It would be
primarily providers, other insurers, and maybe in some limited
circumstances this clearinghouse that you are referring to.
Claim information, if it is a claim, that information
generally would come first from the claim submitted by the
individual, but most generally from the providers themselves.
Mrs. Kelly. In that clearinghouse that you are talking
about, where they hold the information, does a consumer have
the opportunity to change medical information?
Mr. Petersen. Once again, I am speaking from the
perspective of health insurers, both under the National
Association of Insurance Commissioners's 1982 NAIC Act, people
have a right to access and amend their information. The
clearinghouse would be one of the covered entities under that
Act.
Now, that Act is only in 16 states. It was the first
comprehensive privacy attempt at the State level. A lot of very
significant population states have it, but it is only 16
states. The HIPAA privacy rule would allow you to get access
and amend your information, so you would have access to the
information that the health insurer had, and if the health
insurer disclosed it, you would have to correct the information
down the disclosure chain.
Mrs. Kelly. How complicated is that? How easy is it to find
out who has your information?
Mr. Petersen. Once again, from the health insurance
perspective, you have to make an accounting of disclosures,
both under HIPAA and under the 1981 Act. So if you made
disclosures to those kinds of entities, you would have to tell
them they had it, and if you made a correction, you would have
to tell them you made a correction. If you wanted a correction
and me, the insurance company, disagreed, you would have to
allow that individual to put something in the record stating
that you disagreed with the failure to make the correction.
This is all fairly recent, though, so it is not well-tested
as to how well it works, to be quite honest, under the HIPAA
rule because April was the effective date, so we do not know
how well it works, but they have a process, I think, to address
concerns of the past in that area.
Mrs. Kelly. Thank you.
Ms. Pritts, do you want to speak to that?
Ms. Pritts. Yes. I think that your original inquiry was
directed towards the Medical Information Bureau. Is that
correct? The Medical Information Bureau is essentially like a
credit reporting agency for health information. It is a
national bureau that I believe other insurers, other than
health insurers, can rely on for obtaining more or less the
status of health information for individuals.
MIB reached an agreement with the Federal Trade Commission
a number of years ago that its reports would be considered to
be consumer reports. So individuals have the right now to
obtain a copy of their report from MIB, much as they would a
credit report from a credit reporting agency, for a fee of I
think it is $8.50 now. They can review that information and
they can request that that information be corrected if it is
inaccurate. They can try to supplement that record if it is
incomplete.
As a matter of practice, people who have actually attempted
to use this process have met with mixed degrees of satisfaction
with it.
Mrs. Kelly. What I am really driving at is if you are in
the process of questioning your medical record that someone
else is holding, and a financial institution is also getting
some of that information, is that then flagged to the financial
institution so that the financial institution knows that there
is a question about something on your record? There are some
things on people's records that they simply do not want others
to know, and yet you must sign, in certain situations, you feel
you must sign a disclosure form.
So my question is, if you are in the process of questioning
the great computers in the sky that hold all of this
information about your credit and your medical records, then
how is that transmitted to you as institutions for your use so
that you know that these are issues that are at question?
Ms. Pritts. Under HIPAA, what happens is, as Mr. Petersen
was explaining, the individual has the right, first of all, to
look at their own health information, and we would urge health
consumers to do that so you have an idea before you sign one of
those authorization forms what exactly your financial
institution would be receiving. If you see something in there
that you think is erroneous, under HIPAA you can ask your
doctor to correct that information.
Now, there are a number of circumstances under which they
do not have to do that. What they do is, the patient can also
submit a statement saying, ``I still think that this
information is wrong.'' At that point, the health care provider
is supposed to forward that, either they correct it or they
deny it, and we are going to assume that the patient has
supplemented and said, ``I still disagree with you.'' At that
point, they are supposed to forward that information on to
places like perhaps a financial institution.
If a patient has said, ``Look, I am worried; I think this
information might be getting into my credit report,'' they
would have to identify them as somebody that this information
should be forwarded to.
Mrs. Kelly. I am out of time, but I hope you will give me
my own time to further pursue this a bit.
Thank you.
Mr. Tiberi. Mr. Lucas?
Mr. Lucas of Kentucky. Thank you, Mr. Chairman.
I have found this testimony very enlightening. In my prior
life for some 32 years, I was involved in insurance
underwriting and also banking, so I am a little conflicted here
about some of the things that I hear.
I can see, Mr. Yingling, from the bankers's standpoint,
particularly the analysis used of a small business owner, this
medical information is very relevant in making a credit
decision. I also can appreciate from the fact of people wanting
privacy that there is some information that may get out there
that they do not want people to know, that is not relevant to
the decision.
I guess from a public policy standpoint, I think that we
need to reauthorize the preemption. But I would be interested
in what kinds of things we could do to tweak this so we could
hopefully make everybody reasonably comfortable, because as it
is now, we have some problems. So does anybody want to take a
shot at that?
Mr. Yingling. Congressman, I would just say that the only
time in the credit-granting process that we believe medical
information ought to be used is where two criteria are met. One
is that it is relevant; and two, that you get the express
consent of the potential borrower.
Now, this is really tight. It is not just a tight criteria.
It is not opt-in. It means that for this specific transaction
only, you are going to get the permission of the borrower to
get specific information, so that the borrower would have the
ability to say, for example in Ms. Kelly's question, ``You are
not going to some third party that has all this information in
a computer. You can go to my insurance company and make sure I
have an insurance policy. I will show you the insurance policy
that protects you in case I die and I am the franchise.''
Or in rare instances, where there is a specific health
question, you can go to my doctor and get specific information.
But it seems to me that you have a real governor here in that
the borrower has the ability to say, ``Yes, I will give you the
information and I will only give you that specific information,
and here is where we are going to agree to go get it.''
Mr. Lucas of Kentucky. What if you had a situation of a
small business owner and he found out that he was terminally
ill. So he thought, ``Well, I will go to my bank and get this
line of credit set up that will help my wayward son who is not
that good a businessman; I will get this set up for him.'' And
you know about the information, you find out about it, but he
has withheld it. What do you do in a situation like that, where
you know, you have gotten that information, but he has not
given you that information? How do you deal with that?
Mr. Yingling. Well, I think that would depend on how you
get it. I do not think the lender has the right to go out and
ask for the information without the permission of the borrower.
I guess you could conceive of a small town where everybody
knows it and so it is common knowledge that there is a health
problem or some other problem. I guess from my point of view,
it is hard to say the banker could not act on that general
knowledge. But the lender should not be in a position of going
out and fishing without the permission of the borrower.
Mr. Lucas of Kentucky. Okay. Any other thoughts?
Mr. Rotenberg. Well, Congressman, I think you put it very
well. It is a public policy issue. Certainly, one of the things
that privacy laws try to do is to allow people to participate
in the marketplace, to obtain credit, to pursue employment,
without being required to disclose a great deal of personal
information, because many people would rightly feel that if
they were forced to say everything about themselves, they might
choose not to go for the loan or they might choose not to try
to get the job.
I have always believed the privacy laws are actually good
for the economy because they give people the safety and
assurance that they can pursue economic opportunity without
having to disclose a lot of personal information. Now, I think
in the years ahead, this problem is going to become quite a bit
more serious. Diagnostics are becoming more precise, more
advanced. There has been more commercialization of this
information. It is easier for employers to get access to. Our
health care system is being radically transformed by new
technology.
I think it is very much appropriate for the Congress at
this point to draw some lines and to say the information that
might be appropriate in the diagnostic setting in the delivery
of medical care for an individual is not necessarily
information that we should make available to employers, even
though they may be interested.
Let us be honest on this point as well. Employers would
probably like to know a great deal about their employees. But I
think it is very appropriate for Congress in those situations
to say, that person is your employee; they are not your
patients, and there is only certain information that you are
going to learn about that person.
Mr. Lucas of Kentucky. Okay. Anybody else?
Mrs. Meyer. I might say on behalf of the life insurers that
we believe that extension of the FCRA affiliate-sharing
provisions is absolutely critical. Just as the FCRA has made it
possible for credit to be widely available in the United
States, it has also very much facilitated the availability and
the affordability of life insurance products across the
country.
It is essential, as I stated in my testimony, that insurers
be able to obtain and use medical information in order to
assess risk, in order to make life insurance products widely
available and affordable. At the same time, we recognize and
very much appreciate consumers's particular concerns about
medical information. For that reason, we do in fact support
laws and regulations that would actually impose strict
requirements and limits on our ability to in fact obtain and
disclose this information. We very much support a prohibition
on the sharing of medical information to determine credit.
Mr. Lucas of Kentucky. Thank you.
Mrs. Meyer. Thank you.
Mr. Tiberi. Thank you. The gentleman's time has expired.
I am going to recognize the gentleman from Ohio for 5
minutes.
Mr. LaTourette. Thank you, Mr. Chairman.
Mr. Petersen, I apologize. I was not in the room for your
testimony, but I have read it and I have a question that has
nothing to do with fair credit reporting, and just wonder, as a
representative of the health insurance industry, if you have an
observation.
When I talk to the small business folks in my district
about the implementation of HIPAA and the law of unintended
consequences, they are describing a situation that because, not
that they want to root around in their employees's medical
information, but because when they approach a health insurer
they can only share or know so much information. They are
finding that their insurance premiums are dramatically
increasing because the insurance company is not aware of the
risk that they are being asked to insure. Is that a reasonable
observation by these people?
Mr. Petersen. It is difficult. First off, for your small
employers, I feel for them because I represent large insurers
who have the absolutely same responsibilities as very small
employers, and individual doctors. They all have to comply with
this very large rule, and not all of them can afford to hire
attorneys. So it is a very difficult problem.
There is one problem about how you share information as an
employer. The rule sets up group health plans, plan sponsors
and employer requirements, all for the separate sharing of
information. Unless you provide notices and put in policies and
procedures, you may have restrictions on your ability to obtain
and/or disclose information.
I have heard of situations where small employers are
finding it difficult to sometimes have one health plan disclose
to the other health plan, or just to get the information
generally and to disclose. From a health insurance perspective,
if you do not have the information, a conservative underwriting
approach is to, unfortunately, consider that it is probably
bad.
There has been some state activity. A few states are now
enacting laws requiring one health plan to give it directly to
the other health plan, so that the employer is not in the
middle. They can just tell the one insurance company, give my
information to the other insurance company. I think those types
of laws will help address it, but it is a 50-state problem.
Mr. LaTourette. Thank you.
Mr. Rotenberg, I was in the room for your testimony and I
heard you talk about a credit report of a prospective employer
that might have some billing or a credit application for
fertility. I think you said that the employer could not make an
inference, which would be improper in the employment setting
anyway.
But couldn't the same inference be drawn, since we are
talking about inferences, by an employer who was interviewing a
woman who was 22 years old who just got married, from the fact
that on her credit report there was testing for fertility, that
she may want to in the foreseeable future start a family?
In both of those inferences, if you reach the conclusion
that she was desiring to get pregnant, that would not, under
the laws already on the books, be a disqualifier. It would be
an impermissible reason to disqualify someone for employment.
Is there a better example or a greater danger that you see than
the one that you cited to us in your testimony?
Mr. Rotenberg. Congressman, I actually think the example is
a fairly good one because it is a medical service that is
increasingly likely to appear on credit payments. In fact, when
the Federal Reserve took a look at credit reports, they were
very interested in their study of February 2003 this year to
find a very large number of credit payments related to medical
services.
So we could go into a bit more detail. We could imagine
certain types of clinics that provide help for people with
stigmatizing conditions. But I think the critical point is that
there is information made available today through the credit
report that would otherwise be covered under HIPAA, but for the
fact that the employer is not a covered entity under HIPAA.
That is the statutory problem.
Mr. LaTourette. And Ms. Pritts, as I read your testimony,
there was a reference that I did not hear you talk about, but
there was apparently a banking executive that served on his
county health board, is that right?, and you cite that as an
example of bankers using medical information for making credit
decisions.
My question is, based upon your study of HIPAA, wouldn't
the conduct of, I assume it is a fellow, but this banker prior
to 1993 be a violation of HIPAA today? And if not, why not?
Ms. Pritts. He is not a health care provider, and it is not
clear where he was getting his health information from. He was
serving on a board, I believe. It is not clear whether that
registry would be a covered entity under HIPAA, because of the
definition of health care provider.
Mr. LaTourette. Okay. But you would agree with me if in
fact the information was being supplied by a health care
provider, that it would be covered, and your answer is that it
would?
Ms. Pritts. Well, if it is supplied by the health care
provider to a registry, it then becomes uncovered by HIPAA, so
then it is not protected.
Mr. LaTourette. Thank you very much.
Thank you, Mr. Chairman.
Mr. Tiberi. Thank you.
Mr. Crowley is recognized for 5 minutes.
Mr. Crowley. Thank you, Mr. Chairman.
Let me just take Mr. Rotenberg's example to another level.
I would ask Mr. Petersen and Ms. Meyer or Ms. Pritts to chime
in.
If an individual were to obtain the TB test or an AIDS test
or even a mammogram and pay for that using a credit card, would
it be possible for that information then to be shared with
affiliates? If so, is that possibly exposing what we determine
as risky behavior in one's personal behavior that could be used
against them to deny them insurance, both health and PC? Or
even taking it to a further extent, is it possible that
information could be used to deny them employment?
Mr. Petersen. I will take the first shot at the question.
The mere fact that they charged the information from a health
insurance perspective, if they then submitted that charge to
the health insurer for reimbursement, that would become
protected health information and would be subject to all the
protections I described.
The 1982 Act, you asked earlier about avocation, lifestyle,
reputation, the 1982 Act of the NAIC provides special
protections for that information as well. They essentially
treat it for health purposes like marketing. So if you inferred
something from that, you also could not share that for
marketing with a third party.
Mr. Crowley. What if you are an affiliate with the company?
Mr. Petersen. You have limitations under HIPAA about how
you can share protected health information from marketing. You
can share it to do upgrades to existing products, for instance,
but very limited ability to use that. So if you just had that
claim information, I think you would be restricted on how you
could use it within the internal, even within affiliates, or
internal uses. So you would have limitations on how you could
do it.
Under HIPAA, if it was not a part of the hybrid entity, for
instance if you had an affiliate that was a life company, you
could not disclose at all to the life affiliate. It would have
to be health to health, and for limited ways to share it for
marketing.
Now, on the other hand, of course, if it was something that
came up in the application process, so you paid for it with
your credit card, but it came up in the application process,
then the health insurance company could use that information.
Mr. Crowley. They could use it. Well, then, Ms. Meyer,
would you like to respond?
Mrs. Meyer. Yes, thank you.
If in fact you are talking about the bank sharing
information with an insurance affiliate. Under the Fair Credit
Reporting Act in fact that probably would be an experience in
transaction information, so that the bank could share it with
the life insurance affiliate. Although, I have got to tell you,
I am hard-pressed to think of an actual situation where a bank
would be sharing information of that nature, of a charge with a
life insurance company.
But say in fact the life insurance company did get the
information, then once the life insurance company gets the
information, then it would first, I cannot even think of the
real-world where it would get it, so that it would even be an
issue, because I cannot imagine they get that information in
connection with underwriting.
But if in fact an insurer ever did get the information,
then the whole ambit of all the body of laws dealing with
insurer's ability to disclose information would come into play,
notably the NAIC model regulation, which requires an opt-in for
the sharing of medical information, unless it is for an
insurance business function, or the old NAIC model Act, which
again requires an opt-in. Then you would possibly get into the
Fair Credit Reporting Act, which would probably require an opt-
out for the sharing.
But in fact, insurers that do business all over the country
adhere to the NAIC model Act and regulation, essentially in all
States in which they do business. So that essentially ends up
being the law of the land. But again, getting to the very
beginning, I am hard-pressed to think of a situation where a
life insurer would actually be getting that type of information
from a bank.
Mr. Crowley. You may be hard-pressed, but it not
inconceivable that something like that could happen in the
future.
Mrs. Meyer. I just don't know how.
Mr. Crowley. We don't know where this is going, actually.
Things are evolving in terms of information and the need for
more information to make decisions based on one's personal
life, especially risky business.
Mrs. Meyer. I guess conceivably, but that flow of
information is something that I have not seen.
Mr. Crowley. Difficult. Okay, Mr. Chairman, just one more
question, if I could, for Mr. Yingling.
I missed your opening statement, but it was pointed out to
me by my staff that it says, ``With respect to the banks,
medical information should only be used for the express purpose
for which it is provided and should not be shared without the
express consent of the consumer.'' Are you advocating a system
of opt-in for health information, as opposed to opt-out?
Mr. Yingling. As I mentioned in a previous answer, I don't
think it really is opt-in. I think it is stricter than opt-in.
An opt-in regime could be a general approval to seek
information or to use information, and it could be prospective
and cover additional transactions.
When we say with the approval and consent of the potential
borrower, what we mean is a specific approval of the
information that is needed for the application in front of you,
so to speak. So it actually I think is stricter than opt-in.
Mr. Crowley. Thank you.
I thank the chairman.
Mr. Tiberi. Thank you. The gentleman's time has expired.
Without objection, the gentleman from Illinois, Mr.
Emanuel, may be recognized for the purpose of questioning
witnesses under the 5-minute rule. Do I hear an objection? Not
hearing an objection, Mr. Emanuel? Mr. Emanuel is recognized
for 5 minutes.
Mr. Emanuel. Mr. Chairman, thank you. As a member of the
full committee, I ask unanimous consent to ask questions. Thank
you.
First of all, thank you for holding this hearing and
putting this panel together. To follow up on this set of
questions and your answer, I think we are at a critical point
in finding a balance here that allows commerce and information
to flow freely, but also give consumers a certain level of
protection in this storm that they have a safe harbor. As you
said, it is more strict than opt-in or opt-out. I actually am
working on a bill creating a blackout as it relates to medical
information.
We have to create, I think, for consumers, because it
touches on what Ms. Pritts said earlier as it relates to
information, what consumers most care about is their medical
privacy. If you look at it as a set of issues, you go down the
ladder of what they care about, at least in the data and the
research I have seen, and obviously I am dealing with five
experts here who may show counter-data, but medical information
is what they care most about in the sense that they feel
vulnerable and they feel that their privacy has been violated,
and then forces greater than they can control and have access
to things about them that are not relevant.
With that, and again the world we live in is changing by
the time we deal with this, and we are trying to set up some
set of rules going forward that do not allow the different
legislation that we have passed in the past, at least to set a
clear mark of what the rules of the road are going forward.
Let me ask a question, and this is for anybody, so have at
it. I have a set of questions. What are some of the scenarios
that could occur if the existing loopholes are not closed as we
try to explore different scenarios? And is there a chance for
widespread abuse here? I have some follow-up questions after
that, so does anybody want to just take at it?
Mr. Rotenberg. Congressman, I return to the original
purposes of the Fair Credit Reporting Act. It was an
extraordinary law at the time it was passed in 1970. Senator
Proxmire and others came together. People became aware that a
lot of derogatory information about individuals was being
gathered up and being used in an adverse way. The information
was inaccurate. We would call it today probably defamatory. It
kept people out of jobs. It kept people from getting loans.
The Fair Credit Reporting Act was passed to create stable
transparent markets that consumers could participate in by
ensuring accuracy and fairness and privacy. I think what
happens, as you describe, as the technology gets ahead of us
and some of the new business practices get ahead of us, we get
back in some ways to where we were back in the 1960s, where
there is the risk that inaccurate information, defamatory
information will produce bad consequences.
I think Congress was very wise in 1970 to deal with the
problem then. I think you are going to have to deal with it
today with new technology and with new business practices.
Mr. Petersen. I think from the health insurance
perspective, it is very difficult to think of any loopholes
that actually exist as the HIPAA rule interacts with the State
laws. Our firm conducted an analysis of how the HIPAA privacy
rule interplays with all 50 State insurance codes. That
analysis is over 600 pages, and I am assuming a non-lawyer
could do it in 400 pages or however many extra words we might
add to it. It is still a very lengthy analysis. State law, from
a health insurance perspective, adds a lot of additional layers
of privacy protections.
Now, it is very difficult as a national carrier to interact
with all those, so sometimes preemption might be good. But you
look at, as I said in my testimony, you have two NAIC models;
you have the HIPAA rule; and then you have sort of sensitive
information, reproductive rights, genetic testing, mental
health, substance abuse, a variety of information that states
have deemed to be extra-sensitive, and they have passed
additional laws on the uses and disclosures. So I think from a
health insurance perspective, almost all bases have been
covered.
Mr. Emanuel. Okay.
Mrs. Meyer. I think from the perspective of life insurers,
which are in a slightly different position than health insurers
because they are not directly subject to the HIPAA rule, life
insurers's and disability income insurers's ability to obtain
medical information is very much determined by the HIPAA rule,
which would not permit health care providers to give
information to life insurers and disability income insurers
without their providing the authorization of the individual.
So you take all of the others, the Fair Credit Reporting
Act, Gramm-Leach-Bliley, the HIPAA rule and all of the State
privacy rules, and again the combination, the fitting of all
these rules together in effect operates in the same way,
because both life insurers's ability to get the information and
then to disclose the information is covered by the combination
of all of these rules.
Mr. Emanuel. Did you want to say something?
Ms. Pritts. Yes. I think HIPAA protects health privacy
fairly well in the context of health insurance, but HIPAA is
not comprehensive. It only covers health care providers and
only if they do certain kinds of transactions, a health care
clearinghouse, and health plans. So it does not cover
everybody.
The other point I want to make is that we have heard
repeatedly today how important the State laws have been in
filling in the gaps at the federal level. They are particularly
important with insurance, because that is traditionally
governed at the State level. To the extent there is this
ambiguity in GLBA and FCRA about whether the States can go as
far as they want to go, I really think that needs to be
clarified.
Mr. Emanuel. One question is, and if you have the life of a
member as I do, with office hours in grocery stores, meeting
people, doing constituent work, making it easier for people. My
day is, and it is a pathetic life, maybe; I do it on Saturday.
You meet people. You try to make office hours easier. And I
don't think consumers have any idea that on a credit
background, health information is accessible. Maybe from the
insurance side, but I will tell you from the general public, I
would be interested if, from your own background and your own
research, your own knowledge of the public, whether you think
they know that health information is accessible on a credit
background check.
Mr. Tiberi. The gentleman's time has expired, but please
answer the question.
Mr. Emanuel. Thank you, Mr. Chairman.
Mr. Yingling. If I could comment, I am sure I am
oversimplifying here, but the expansion that we are talking
about here is due to the Fair Credit Reporting Act covering a
whole bunch of different types of reporting agencies.
If you are talking about the basic credit reporting system,
when a bank looks at an application and goes and gets a credit
report, they do not have medical information in that report.
When people are doing employment checks, they go to a different
type of reporting agency where they get that kind of
information. I think it is important to make that distinction.
I am a little concerned if we start trying to deal with
issues that just go through basically the payment system or the
traditional credit card system where all you have is something
that says a payment was made to the Yingling Clinic, and that
is all that is in there, or a late payment was made to the
Yingling Clinic. Then to ask the reporting system somehow or
other to make a distinction between whether the Yingling Clinic
is a health clinic or a doctor clinic or a golf clinic, and
people who have seen me play golf know that it is not, when you
are dealing with millions and millions of transactions with one
little piece of information. I do not think you want to require
those kinds of reports, or in the situation of those kinds of
reports, to have people sit there manually and try and figure
out what the Yingling Clinic is.
Mr. Emanuel. Thank you, Mr. Chairman.
Mr. Tiberi. Thank you.
The gentlelady from New York is recognized for 5 minutes.
Mrs. Maloney. Thank you very much.
I would like to follow up on the questioning of my
colleague, Mr. Emanuel. I agree that certainly health
information and privacy information and medical information is
one of the most sensitive areas this committee deals with. I
would like to go back to some of the testimony by Mr.
Rotenberg, in which he talked about the availability of medical
information in credit reports and the ability to infer a
person's medical history based on this information. He cited
studies by the Consumer Federation and the Federal Reserve on
this point.
I would like to ask the panel, beginning with Mr.
Rotenberg, do you know of any companies that are using this
information to make conclusions about people's medical history
and base credit decisions on such information, not just late
payment, but medical history? You could say payments to a
clinic; you could infer they have cancer or whatever. So
starting with you, Mr. Rotenberg, and if anyone else would like
to comment.
Mr. Rotenberg. Congresswoman, the quick answer to your
question is no, we have not been able to identify organizations
that have used this information in an adverse way. I want to
say two things, though, on this point. First of all, that the
problem has recently come to light. The Consumer Federation of
America report is from December of last year; the Federal
Reserve Board report is February of this year.
Secondly, I think it will take further investigation to
actually find those instances where these kinds of
determinations are made. But having looked at the report from
the Federal Reserve Board, it seems apparent, it was at least
apparent to them that medical record information can now be
obtained from a credit report.
Mrs. Maloney. Has anyone else on the panel, do any of you
know of any business that has used this information in an
adverse way? Any other members of the panel?
I would like to follow up and ask, do you, Mr. Rotenberg,
or anyone else on the panel, believe that employers are using
this information to base employment decisions on people's
health? People look at credit reports for employment decisions
also.
Mr. Rotenberg. Well, I suspect that an employer with access
to this information would consider it. Now, as I also indicated
in my earlier statement, certain types of determinations, for
example a prospective pregnancy, would not be a permissible
factor in an employment determination. Nonetheless, under the
HIPAA guidelines, which would prevent people from getting
access to this information, without those safeguards applying
to employers who get access in effect to the same information
through the credit report, they can now make judgments about
AIDS trials and TB and so forth. I think it is a problem that
the committee will need to look at more closely.
Mrs. Maloney. Yes.
Mr. Petersen. I was going to say from a HIPAA perspective,
employers that provide group health plans, their group health
plan is treated just like a health insurer under HIPAA. So if
in the context of providing benefits to their employees, if
they receive protected health information that identifies the
individual, they are subject to all of the same rules as a
health insurer. So they could not use the information received
in that context to make employment decisions. I think Mr.
Rotenberg was talking about information where you could infer
health status.
Mr. Rotenberg. Just to clarify if I might, Mr. Petersen is
describing the information obtained by virtue of the health
plan, which is correctly covered under HIPAA. I am talking
about the information that is obtained from the credit report
that the employer might access as part of an employment
determination, which would not be covered under HIPAA.
Mr. Petersen. That is correct, yes.
Mr. Yingling. I just want to add again that when we use the
term ``credit report,'' we may think that we are talking about
the credit report a bank gets. It is technically a credit
report because it is all covered by the Fair Credit Reporting
Act, but when a lender gets a credit report, they do not get
that information. All they get is the payments and the late
payments and your credit history. They do not get the medical
information. When you are an employer, you are going to a
different type of entity, and that is where you may be getting
some of this medical information.
Mrs. Maloney. But as I understand it from Mr. Rotenberg's
testimony, just getting the payment history can infer medical
conditions. Is that what you were saying?
Mr. Rotenberg. To be precise, it is the trade line
information that would indicate, for example, an outstanding
debt to a clinic. That information would be made available to
the employer through a credit report, and that is the type of
information that is being made more widely accessible today.
Mrs. Maloney. And you were implying that you could gain
information just from the credit report on a person's health.
Mr. Rotenberg. Yes, exactly.
Mrs. Maloney. And a health condition, if you are making a
payment to a cancer clinic, obviously you probably have cancer,
that type of thing. What specifically did the Federal Reserve
say about this? Could you elaborate?
Mr. Rotenberg. Well, I have the Federal Reserve report in
front of me, and I would be happy to provide it to the
committee, perhaps as an attachment to my testimony. But I will
just read one sentence, and this is under a heading
``collection agency accounts.'' I am reading from the report of
the Federal Reserve, February of this year: ``Information on
noncredit-related bills and collections such as those for
unpaid medical services is reported to credit reporting
companies by collection agencies. In addition, collection on
some credit-related accounts also are reported directly by
collection agencies.''
So the Federal Reserve, this is a very good study, it is a
non-political study. They were simply trying to understand how
the credit report is generated, where does the information come
from. They seem to be interested in the fact that a significant
amount of information, in fact on page 69 of the report, they
indicate that approximately 52 percent of transactions relate
to medical payment. So this is I think very interesting.
Mrs. Maloney. Yes. My time is up. I thank all the
panelists.
Mr. Tiberi. The gentlelady's time has expired.
We will go for a second round of questioning between the
three of us, if both of you would like to stay.
Mr. Yingling, just following up on this line of questioning
from the last two questioners, let's say a customer of one of
your banks has a checking account and is writing a check to the
Ohio State cancer clinic, or is a credit cardholder with one of
your banks and goes to a grocery store pharmacy and purchases
medication that is for mental illness or something. Typically,
how is that information protected for a consumer?
Mr. Yingling. Typically, all the payment system information
is protected. There is no distinction, I don't think, made with
medical versus any other type of information. It is protected
through normal security measures. If you look at Gramm-Leach-
Bliley, there are specific provisions in there that require
that banking institutions have security that protects all this
type of private information.
Quite frankly, it is moving through the computers so fast
that I don't think any human looks at it unless it is an
exception item. I believe that our task force was pretty clear
in the Statement that it made in its report that is quoted at
the end of my testimony. It said that none of that type of
information should be gathered or should be used for any
purpose other than making sure that the checks are paid and the
accounts are reconciled.
Mr. Tiberi. In terms of the wording, ``should be'' or
``cannot be'' used? Can you comment on that?
Mr. Yingling. Well, I don't make law, so I can't say
``cannot.'' But I recommend ``cannot'' should be used. If you
chose to make it ``cannot,'' you could make it ``cannot.''
However you would have to have an exception to cover all those
instances, and we have been talking about one example, which is
the key-man insurance on a small business. You would have to
have many exceptions, but even in those exceptions it would
only be with the express consent of the potential borrower.
So I think the better way to phrase it so you do not have
to get into the business of trying to foresee every exception,
which is impossible, would be to say it can only be used with
the express consent of the customer.
Mr. Tiberi. But to your knowledge, your membership does not
abuse that customer relationship now, to your knowledge?
Mr. Yingling. No, not to my knowledge. It is hard to
foresee instances where it would be worth the candle to try to
do it, quite frankly. There are lots of instances where you do
get medical information. Another one, for example, is we do a
lot of trust work, and quite often when you are setting up a
trust, if you have a child that has medical problems or mental
problems, you would want that banker working with you to set up
the trust, to understand that. You want the person running the
trust to have the authority to make decisions about when
additional medical care is needed or not needed. But those are
the exceptions, and again it is for that express purpose and
that purpose only.
Mr. Tiberi. In your testimony earlier, you mentioned the
State preemption of the FCRA is important for us to re-extend
or extend. Can you explain or delve into why that is important
and, in your mind, what would happen if it is not extended?
Mr. Yingling. Well, part of that is to go into all the
benefits of the Fair Credit Reporting Act, which I won't do,
but there are just huge benefits, one of which is the way it
helps low-and moderate-income individuals obtain loans. There
is a remarkable chart in this study that shows the incredible
growth in the availability of credit to low-income people since
the passage of the Fair Credit Reporting Act.
I was interested in Chairman Oxley's comment, which is
another aspect of this, about the incredible mobility we have
for people to move and to get jobs, which is so important to
our economy, and that is in part due to the Fair Credit
Reporting Act.
Specifically in answer to your question, I think the best
way to frame it is to give you an example that came to my
attention recently when I was talking to the CEO of a small
bank down in the southern part of Virginia. She was saying,
because we all know California is very active in this area,
``You mean to say that if I have a son or daughter of one of my
long-term customers who goes to California as a student, that I
am going to be subject to California law?''
Well, you carry that out. Suppose it was a graduate student
that moved to California. The first thing this community bank
would have to do is apparently track all their customers to
figure out if they had moved. Then they would have to figure
out, well, this is a graduate student. Are they a resident of
California or a resident of Virginia? Are they subject to
California law now or not? And then if they are subject to
California law, they would have to have somebody explain to
them all the nuances of what they could collect and what they
could report on the credit card loan and the auto loan to that
son or daughter.
Now, there is almost no way for them to do that other than
to have a lawyer on hand in every state that can tell that
community bank how you cover that person. The end result is,
they will not report on that person. They cannot afford to
report on that person.
That means if that person has problems and does not make
payments, that is not going to be reported. On the other hand,
maybe with this graduate student, the only loans he or she has
ever had were the credit card and the automobile loan, and now
that is not reported, so the student has no credit history.
So you can see how the whole system can start to break down
if you do not have one national law that this Virginia banker
can plug into.
Mr. Tiberi. Thank you.
Unfortunately, my time has expired. I will recognize Mr.
Crowley for 5 minutes.
Mr. Crowley. Mr. Yingling, I understand that while health
information is not allowed on credit reports, affiliate sharing
is often exempt from FCRA privacy rules. So as banks and
insurance companies, and this goes back somewhat to my original
question, become more affiliated, could this information flow
between affiliates, particularly these new brands of banks that
are buying and marketing health insurance plans, could that
information flow between?
And who would govern the privacy of this health
information, HIPAA, FCRA or no entity? And where is this
distinction codified in the law, as I don't think anyone wants
to see this end up in the courts for many years of litigation
to sort out these issues, especially as it pertains to such
important issues as the issue of one's personal privacy?
Mr. Yingling. I think the simple answer is if you had a
bank that chose to violate all the principles of trust of their
customers and to take medical information and give it to an
affiliate, it could do it. There is nothing illegal about it.
Mr. Crowley. So you think the pressure of the market would
come to bear, advertisement by other competitors?
Mr. Yingling. I think that would be a major factor. We
believe it is wrong to do it, but if you are asking me, is
there a law that prevents it at this moment in time, the answer
is no, sir, there is not.
Mr. Crowley. Would anyone else like to comment on it?
Mr. Petersen. There are rules against the flow in the
opposite direction. So in that situation you described, if a
bank were to purchase a health insurance health plan, the bank
evidently can flow information to the health plan. The health
plan could not flow information to the bank under the HIPAA
privacy rule of 1982 and the NAIC Act article five.
So you would have restrictions of the information flowing
the other way, and you would have to have an authorization for
the health plan to release that information to the bank. Most
of this sensitive information will be within the health plan.
Mr. Crowley. Ms. Meyer?
Mrs. Meyer. I was just going to say, to the extent there
ever would be that flow from the bank in another direction, it
would seem to me that both the Fair Credit Reporting Act and
GLB itself would govern those disclosures and require at least
an opt-out in that situation. Although again, it seems a
stretch.
Mr. Crowley. I keep coming back to those difficult
stretches for you, don't I, Ms. Meyer?
[LAUGHTER]
Just to show you how I think. I thank you.
Would you like to respond, Ms. Pritts?
Ms. Pritts. Yes, I would like to just go back to the one
point that I think we continually miss, which is that Congress
in enacting HIPAA and in enacting Gramm-Leach-Bliley
subsequently, never really indicates who is on first.
The Fair Credit Reporting Act was passed I think in 1990.
The amendments to the Fair Credit Reporting Act were in 1996.
HIPAA was in 1996. HIPAA does not say anything about the Fair
Credit Reporting Act. HIPAA hardly says anything about how you
protect health information, in all honesty, the statute.
Subsequently, you have the Gramm-Leach-Bliley Act, which
was enacted after HIPAA, and very detailed. It does not mention
HIPAA. Subsequent to that, then, you have the actual
promulgation of the HIPAA privacy regulations, which are very
detailed. But if you actually go through an implied repeal
analysis, first of all you should not have to do that. We
should have some indication from Congress as to what law
governs if there is an overlap. It is an easy thing to fix, and
it is something that we should not be relying on the court for.
Mr. Crowley. Thank you.
I thank the chairman. I have other questions, but I will
submit them in writing for an answer.
Mr. Tiberi. Ms. Meyer, you were going to comment, it looked
like?
Mrs. Meyer. Actually, I was going to say that in fact
insurance companies for a number of years have been dealing
with the meshing of all of these rules together. It is because
of the fact that there is this meshing, we see that it is going
to be so critical to reauthorize the preemption provisions of
the Fair Credit Reporting Act, so in fact there will be
certainty as to what the rules are.
Mr. Tiberi. The gentleman from New York's time has expired.
I would like to thank all the witnesses for being here
today. The record will be open for 30 days for members to
submit any additional testimony or comments or questions.
The hearing is now adjourned.
[Whereupon, at 1:03 p.m., the subcommittee was adjourned.]
A P P E N D I X
June 17, 2003
[GRAPHIC] [TIFF OMITTED] T1543.001
[GRAPHIC] [TIFF OMITTED] T1543.002
[GRAPHIC] [TIFF OMITTED] T1543.003
[GRAPHIC] [TIFF OMITTED] T1543.004
[GRAPHIC] [TIFF OMITTED] T1543.005
[GRAPHIC] [TIFF OMITTED] T1543.006
[GRAPHIC] [TIFF OMITTED] T1543.007
[GRAPHIC] [TIFF OMITTED] T1543.008
[GRAPHIC] [TIFF OMITTED] T1543.009
[GRAPHIC] [TIFF OMITTED] T1543.010
[GRAPHIC] [TIFF OMITTED] T1543.011
[GRAPHIC] [TIFF OMITTED] T1543.012
[GRAPHIC] [TIFF OMITTED] T1543.013
[GRAPHIC] [TIFF OMITTED] T1543.014
[GRAPHIC] [TIFF OMITTED] T1543.015
[GRAPHIC] [TIFF OMITTED] T1543.016
[GRAPHIC] [TIFF OMITTED] T1543.017
[GRAPHIC] [TIFF OMITTED] T1543.018
[GRAPHIC] [TIFF OMITTED] T1543.019
[GRAPHIC] [TIFF OMITTED] T1543.020
[GRAPHIC] [TIFF OMITTED] T1543.021
[GRAPHIC] [TIFF OMITTED] T1543.022
[GRAPHIC] [TIFF OMITTED] T1543.023
[GRAPHIC] [TIFF OMITTED] T1543.024
[GRAPHIC] [TIFF OMITTED] T1543.025
[GRAPHIC] [TIFF OMITTED] T1543.026
[GRAPHIC] [TIFF OMITTED] T1543.027
[GRAPHIC] [TIFF OMITTED] T1543.028
[GRAPHIC] [TIFF OMITTED] T1543.029
[GRAPHIC] [TIFF OMITTED] T1543.030
[GRAPHIC] [TIFF OMITTED] T1543.031
[GRAPHIC] [TIFF OMITTED] T1543.032
[GRAPHIC] [TIFF OMITTED] T1543.033
[GRAPHIC] [TIFF OMITTED] T1543.034
[GRAPHIC] [TIFF OMITTED] T1543.035
[GRAPHIC] [TIFF OMITTED] T1543.036
[GRAPHIC] [TIFF OMITTED] T1543.037
[GRAPHIC] [TIFF OMITTED] T1543.038
[GRAPHIC] [TIFF OMITTED] T1543.039
[GRAPHIC] [TIFF OMITTED] T1543.040
[GRAPHIC] [TIFF OMITTED] T1543.041
[GRAPHIC] [TIFF OMITTED] T1543.042
[GRAPHIC] [TIFF OMITTED] T1543.043
[GRAPHIC] [TIFF OMITTED] T1543.044
[GRAPHIC] [TIFF OMITTED] T1543.045
[GRAPHIC] [TIFF OMITTED] T1543.046
[GRAPHIC] [TIFF OMITTED] T1543.047
[GRAPHIC] [TIFF OMITTED] T1543.048
[GRAPHIC] [TIFF OMITTED] T1543.049
[GRAPHIC] [TIFF OMITTED] T1543.050
[GRAPHIC] [TIFF OMITTED] T1543.051
[GRAPHIC] [TIFF OMITTED] T1543.052
[GRAPHIC] [TIFF OMITTED] T1543.053
[GRAPHIC] [TIFF OMITTED] T1543.054
[GRAPHIC] [TIFF OMITTED] T1543.055
[GRAPHIC] [TIFF OMITTED] T1543.056
[GRAPHIC] [TIFF OMITTED] T1543.057
[GRAPHIC] [TIFF OMITTED] T1543.058
[GRAPHIC] [TIFF OMITTED] T1543.059
[GRAPHIC] [TIFF OMITTED] T1543.060
[GRAPHIC] [TIFF OMITTED] T1543.061
[GRAPHIC] [TIFF OMITTED] T1543.062
[GRAPHIC] [TIFF OMITTED] T1543.063
[GRAPHIC] [TIFF OMITTED] T1543.064
[GRAPHIC] [TIFF OMITTED] T1543.065
[GRAPHIC] [TIFF OMITTED] T1543.066
[GRAPHIC] [TIFF OMITTED] T1543.067
[GRAPHIC] [TIFF OMITTED] T1543.068
[GRAPHIC] [TIFF OMITTED] T1543.069
[GRAPHIC] [TIFF OMITTED] T1543.070
[GRAPHIC] [TIFF OMITTED] T1543.071
[GRAPHIC] [TIFF OMITTED] T1543.072
[GRAPHIC] [TIFF OMITTED] T1543.073
[GRAPHIC] [TIFF OMITTED] T1543.074
[GRAPHIC] [TIFF OMITTED] T1543.075
[GRAPHIC] [TIFF OMITTED] T1543.076
[GRAPHIC] [TIFF OMITTED] T1543.077
[GRAPHIC] [TIFF OMITTED] T1543.078
[GRAPHIC] [TIFF OMITTED] T1543.079
[GRAPHIC] [TIFF OMITTED] T1543.080
[GRAPHIC] [TIFF OMITTED] T1543.081
[GRAPHIC] [TIFF OMITTED] T1543.082
[GRAPHIC] [TIFF OMITTED] T1543.083
[GRAPHIC] [TIFF OMITTED] T1543.084
[GRAPHIC] [TIFF OMITTED] T1543.085
[GRAPHIC] [TIFF OMITTED] T1543.086
[GRAPHIC] [TIFF OMITTED] T1543.087
[GRAPHIC] [TIFF OMITTED] T1543.088
[GRAPHIC] [TIFF OMITTED] T1543.089
[GRAPHIC] [TIFF OMITTED] T1543.090
[GRAPHIC] [TIFF OMITTED] T1543.091
[GRAPHIC] [TIFF OMITTED] T1543.092
[GRAPHIC] [TIFF OMITTED] T1543.093
[GRAPHIC] [TIFF OMITTED] T1543.094
[GRAPHIC] [TIFF OMITTED] T1543.095
[GRAPHIC] [TIFF OMITTED] T1543.096
[GRAPHIC] [TIFF OMITTED] T1543.097
[GRAPHIC] [TIFF OMITTED] T1543.098
[GRAPHIC] [TIFF OMITTED] T1543.099
[GRAPHIC] [TIFF OMITTED] T1543.100
[GRAPHIC] [TIFF OMITTED] T1543.101
[GRAPHIC] [TIFF OMITTED] T1543.102
[GRAPHIC] [TIFF OMITTED] T1543.103
[GRAPHIC] [TIFF OMITTED] T1543.104
[GRAPHIC] [TIFF OMITTED] T1543.105
[GRAPHIC] [TIFF OMITTED] T1543.106
[GRAPHIC] [TIFF OMITTED] T1543.107
[GRAPHIC] [TIFF OMITTED] T1543.108
[GRAPHIC] [TIFF OMITTED] T1543.109
[GRAPHIC] [TIFF OMITTED] T1543.110
[GRAPHIC] [TIFF OMITTED] T1543.111
[GRAPHIC] [TIFF OMITTED] T1543.112
[GRAPHIC] [TIFF OMITTED] T1543.113
[GRAPHIC] [TIFF OMITTED] T1543.114
[GRAPHIC] [TIFF OMITTED] T1543.115
[GRAPHIC] [TIFF OMITTED] T1543.116
[GRAPHIC] [TIFF OMITTED] T1543.117
[GRAPHIC] [TIFF OMITTED] T1543.118
[GRAPHIC] [TIFF OMITTED] T1543.119
[GRAPHIC] [TIFF OMITTED] T1543.120
[GRAPHIC] [TIFF OMITTED] T1543.121
[GRAPHIC] [TIFF OMITTED] T1543.122
[GRAPHIC] [TIFF OMITTED] T1543.123
[GRAPHIC] [TIFF OMITTED] T1543.124
[GRAPHIC] [TIFF OMITTED] T1543.125
[GRAPHIC] [TIFF OMITTED] T1543.126
[GRAPHIC] [TIFF OMITTED] T1543.127
[GRAPHIC] [TIFF OMITTED] T1543.128
[GRAPHIC] [TIFF OMITTED] T1543.129
[GRAPHIC] [TIFF OMITTED] T1543.130
[GRAPHIC] [TIFF OMITTED] T1543.131
[GRAPHIC] [TIFF OMITTED] T1543.132
[GRAPHIC] [TIFF OMITTED] T1543.133
[GRAPHIC] [TIFF OMITTED] T1543.134
[GRAPHIC] [TIFF OMITTED] T1543.135
[GRAPHIC] [TIFF OMITTED] T1543.136
[GRAPHIC] [TIFF OMITTED] T1543.137
[GRAPHIC] [TIFF OMITTED] T1543.138
[GRAPHIC] [TIFF OMITTED] T1543.139
[GRAPHIC] [TIFF OMITTED] T1543.140
[GRAPHIC] [TIFF OMITTED] T1543.141
[GRAPHIC] [TIFF OMITTED] T1543.142
[GRAPHIC] [TIFF OMITTED] T1543.143
[GRAPHIC] [TIFF OMITTED] T1543.144
[GRAPHIC] [TIFF OMITTED] T1543.145
[GRAPHIC] [TIFF OMITTED] T1543.146
[GRAPHIC] [TIFF OMITTED] T1543.147
[GRAPHIC] [TIFF OMITTED] T1543.148
[GRAPHIC] [TIFF OMITTED] T1543.149
[GRAPHIC] [TIFF OMITTED] T1543.150
[GRAPHIC] [TIFF OMITTED] T1543.151
[GRAPHIC] [TIFF OMITTED] T1543.152
[GRAPHIC] [TIFF OMITTED] T1543.153
[GRAPHIC] [TIFF OMITTED] T1543.154
[GRAPHIC] [TIFF OMITTED] T1543.155
[GRAPHIC] [TIFF OMITTED] T1543.156
[GRAPHIC] [TIFF OMITTED] T1543.157
[GRAPHIC] [TIFF OMITTED] T1543.158
[GRAPHIC] [TIFF OMITTED] T1543.159
[GRAPHIC] [TIFF OMITTED] T1543.160
[GRAPHIC] [TIFF OMITTED] T1543.161
[GRAPHIC] [TIFF OMITTED] T1543.162
[GRAPHIC] [TIFF OMITTED] T1543.163
�