![[Join EFF]](/Icons/home/joineff.gif){kind=icon}
![[Act Now]](/Icons/home/actnowHI.gif){kind=icon}
![[Sign Up]](/Icons/home/signup.gif){kind=icon}
![[About EFF]](/Icons/home/abouteff.gif){kind=icon}
Subtitle E--Confidentiality
SEC. 351. CONFIDENTIALITY OF HEALTH AND MEDICAL INFORMATION.
(a) IN GENERAL- A company which underwrites or sells annuities contracts or contracts insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death (other than credit-related insurance) and any subsidiary or affiliate thereof shall maintain a practice of protecting the confidentiality of individually identifiable customer health and medical and genetic information and may disclose such information only--
(1) with the consent, or at the direction, of the customer;
(2) for insurance underwriting and reinsuring policies, account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), providing information to the customer's physician or other health care provider, participating in research projects, enabling the purchase, transfer, merger, or sale of any insurance-related business, or as otherwise required or specifically permitted by Federal or State law; or
(3) in connection with--
(A) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card or account number, or by other payment means;
(B) the transfer of receivables, accounts, or interest therein;
(C) the audit of the debit, credit, or other payment information;
(D) compliance with Federal, State, or local law;
(E) compliance with a properly authorized civil, criminal, or regulatory investigation by Federal, State, or local authorities as governed by the requirements of this section; or
(F) fraud protection, risk control, resolving customer disputes or inquiries, communicating with the person to whom the information relates, or reporting to consumer reporting agencies.
(b) STATE ACTIONS FOR VIOLATIONS- In addition to such other remedies as are provided under State law, if the chief law enforcement officer of a State, State insurance regulator, or an official or agency designated by a State, has reason to believe that any person has violated or is violating this title, the State may bring an action to enjoin such violation in any appropriate United States district court or in any other court of competent jurisdiction.
(c) EFFECTIVE DATE; SUNSET-
(1) EFFECTIVE DATE- Except as provided in paragraph (2), subsection (a) shall take effect on February 1, 2000.
(2) SUNSET- Subsection (a) shall not take effect if, or shall cease to be effective on and after the date on which, legislation is enacted that satisfies the requirements in section 264(c)(1) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 2033).
(d) CONSULTATION- While subsection (a) is in effect, State insurance regulatory authorities, through the National Association of Insurance Commissioners, shall consult with the Secretary of Health and Human Services in connection with the adminis tration of such subsection.
[end excerpt]
ANALYSIS: Section (a) states that in general the confidentiality of medical and genetic information shall be protected. Exceptions follow.
Subsection (a)(2) will allow medical information to be given out by insurers to virtually any affiliated or assisting entities and also provides for personally identifiable medical data to be used for "research projects" without the consent of the person to whom this intensely revealing information pertains.
Subsubsections (a)(3)(A), (C) and (F) will allow private medical information to be given out by insurers to credit bureaus, banks, debt settlement entities.
Subsubsection (a)(3)(E) will allow private medical information to be given out to law enforcement. No provisions are present that would require a warrant before the information is disclosed. A simple administrative subpoena or other display of supposed "authorization" would be sufficient to obtain medical information held by insurance companies.
Please send any questions or comments to webmaster@eff.org
