EFFector Vol. 12, No. 2 Sep. 22, 1999 firstname.lastname@example.org
A Publication of the Electronic Frontier Foundation ISSN 1062-9424
IN THE 146th ISSUE OF EFFECTOR (now with over 18,000 subscribers!):
* ALERT: H.R. 10 "Confidentiality" Legislation Undermines Medical
For more information on EFF activities & alerts: http://www.eff.org
NOTE: We apologize to those of you who will not get this alert in
time. Some will, some will not, depending on mail queue processing
speeds, Net lag and intermediary server delays, etc. We've issued this
as fast as possible after gathering the necessary info.
Electronic Frontier Foundation ACTION ALERT:
H.R. 10 "Confidentiality" Legislation
Undermines Medical Privacy!
(Issued: Sept. 22, 1999; deadline: Sept. 23, 1999)
ACTION ALERT: Proposed law (US House bill H.R. 10, the "Financial
Services Act of 1999") would allow insurance institutions to share
your sensitive and personally identifiable medical information, without
your knowledge or consent, with a wide variety of agencies and financial
and research entities. H.R. 10 would actually reduce existing medical
WHY YOU SHOULD CARE: The language in the provision misleadingly named
H.R. 10's "Subtitle E: Confidentiality" (and known colloquially as
"the Ganske Amendment") is riddled with loopholes that make your
private medical information available to law enforcement (with no
requirements for a warrant, only a subpoena), to vaguely defined
"research" projects, and to virtually all affiliates of insurance
companies, even banks, credit agencies, and debt collectors. (See text
and analysis at end for more detail.)
WHAT YOU CAN DO: Contact your own legislators and urge them to
pressure the conference committee to oppose the Ganske Amendment to
You can send a free fax to your Senators and Representatives (you
don't even have to know who they are) about this issue, at:
IMPORTANT: At this page you first enter your contact info, then select
"CLICK to add the congressmembers for your zipcode". Next, please
paste the following text into the middle section of the letter, where
you can add your own comments:
I urge you to IMMEDIATELY contact the conference committee and
register your opposition to the Ganske Amendment to H.R. 10, before
it is too late.
(Then add your own comments, too, if you like.) The Web-to-fax sample
letter is not up to date, and does not reflect the fact that the bill
has passed both houses of Congress and is up for final conference
committee vote on Thu., Sept. 23.
Non-US activists: There's not much you can do at this point. Probably
the best possible actions are, first, to go to http://www.eff.org/congress
and follow the contact information instructions there to send a letter
to the White House (i.e., the US President), and ask that this bill be
vetoed should it pass with the Ganske provisions intact. Second, you
may wish to send a letter to your own national privacy commissioner,
data protection agency or other similar entity, and ask them to send a
critical communique to the US Administration regarding this
FULL TEXT: The text of the relevant section of the bill reads:
SEC. 351. CONFIDENTIALITY OF HEALTH AND MEDICAL INFORMATION.
(a) IN GENERAL- A company which underwrites or sells annuities
contracts or contracts insuring, guaranteeing, or indemnifying
against loss, harm, damage, illness, disability, or death (other
than credit-related insurance) and any subsidiary or affiliate
thereof shall maintain a practice of protecting the
confidentiality of individually identifiable customer health and
medical and genetic information and may disclose such information
(1) with the consent, or at the direction, of the customer;
(2) for insurance underwriting and reinsuring policies, account
administration, reporting, investigating, or preventing fraud or
material misrepresentation, processing premium payments,
processing insurance claims, administering insurance benefits
(including utilization review activities), providing information
to the customer's physician or other health care provider,
participating in research projects, enabling the purchase,
transfer, merger, or sale of any insurance-related business, or as
otherwise required or specifically permitted by Federal or State
(3) in connection with--
(A) the authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged,
debited, or otherwise paid using a debit, credit, or other payment
card or account number, or by other payment means;
(B) the transfer of receivables, accounts, or interest therein;
(C) the audit of the debit, credit, or other payment information;
(D) compliance with Federal, State, or local law;
(E) compliance with a properly authorized civil, criminal, or
regulatory investigation by Federal, State, or local authorities
as governed by the requirements of this section; or
(F) fraud protection, risk control, resolving customer disputes or
inquiries, communicating with the person to whom the information
relates, or reporting to consumer reporting agencies.
(b) STATE ACTIONS FOR VIOLATIONS- In addition to such other remedies
as are provided under State law, if the chief law enforcement officer
of a State, State insurance regulator, or an official or agency
designated by a State, has reason to believe that any person has
violated or is violating this title, the State may bring an action to
enjoin such violation in any appropriate United States district court
or in any other court of competent jurisdiction.
(c) EFFECTIVE DATE; SUNSET-
(1) EFFECTIVE DATE- Except as provided in paragraph (2),
subsection (a) shall take effect on February 1, 2000.
(2) SUNSET- Subsection (a) shall not take effect if, or shall
cease to be effective on and after the date on which, legislation
is enacted that satisfies the requirements in section 264(c)(1) of
the Health Insurance Portability and Accountability Act of 1996
(Public Law 104-191; 110 Stat. 2033).
(d) CONSULTATION- While subsection (a) is in effect, State insurance
regulatory authorities, through the National Association of Insurance
Commissioners, shall consult with the Secretary of Health and Human
Services in connection with the administration of such subsection.
ANALYSIS: Section (a) states that in general the confidentiality of
medical and genetic information shall be protected. Exceptions follow.
Subsection (a)(2) will allow medical information to be given out by
insurers to virtually any affiliated or assisting entities and also
provides for personally identifiable medical data to be used for
"research projects" without the consent of the person to whom this
intensely revealing information pertains.
Subsubsections (a)(3)(A), (C) and (F) will allow private medical
information to be given out by insurers to credit bureaus, banks, debt
Subsubsection (a)(3)(E) will allow private medical information to be
given out to law enforcement. No provisions are present that would
require a warrant before the information is disclosed. A simple
administrative subpoena or other display of supposed "authorization"
would be sufficient to obtain medical information held by insurance
EFFector is published by:
The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103-4832 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Editor: Stanton McCandlish, Program Director/Webmaster
Membership & donations: email@example.com
General EFF, legal, policy or online resources queries: firstname.lastname@example.org
Reproduction of this publication in electronic media is encouraged.
Signed articles do not necessarily represent the views of EFF. To
reproduce signed articles individually, please contact the authors for
their express permission. Press releases and EFF announcements may be
reproduced individually at will.
To subscribe to EFFector via email, send message BODY of:
to email@example.com, which will add you to a subscription list for
EFFector. To unsubscribe, send a similar message body, like so:
to the same address.
Please ask firstname.lastname@example.org to manually add you to or remove you from
the list if this does not work for some reason.
Back issues are available at:
To get the latest issue, send any message to
email@example.com (or firstname.lastname@example.org), and it will be mailed to
you automagically. You can also get: