Department of Health and Human Services
Office of the Assistant Secretary,
Planning and Evaluation
200 Independence Avenue, SW
Washington DC, 20201
March 31, 2000
Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street NW
Washington DC 20549-0609
The following are our comments on the proposed regulations issued February 2, 2000, by the Office of the Comptroller of the Currency to implement Title V of P. L. 106-102, the Gramm-Leach-Bliley Act (hereinafter, referred to as "the G-L-B Act" or "the statute"). These comments address only the proposed rules' implications for the privacy of the health information covered by the statute and these proposed rules. We ask that the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (hereinafter, the "Agencies") clarify the interaction of these regulations with the regulations to be published under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), by further explaining their conclusions that the rules overlap but do not conflict.
Health insurers, life insurers, and other companies that hold health information may be financial institutions or affiliates covered by the statute. Banks may also hold such information (e.g., collected as part of a loan application). Some of these companies (e.g., health insurers) will be covered by the privacy regulations proposed under the Health Insurance Portability and Accountability Act (HIPAA) to be published in final later this year (hereinafter, the "HIPAA regulation"). Other companies (e.g., workers compensation and life insurers) will not be covered by the HIPAA regulations, but have been included in the health privacy bills proposed in the Congress. Other companies (e.g., banks) would likely not be entities covered by the HIPAA regulations and any health privacy legislation.
This overlapping coverage creates, at the least, the possibility of confusion as to the requirements that apply, among those sectors of the health care industry regulated by both laws. Indeed, this Department received a number of public comments to this effect in the recently concluded public comment period on the proposed HIPAA regulations. Moreover, while the G-L-B construct was designed with financial information in mind, it was not designed to address the health care industry or personal health information. We are thus of the view that it is critically important to clarify the interaction of the two sets of privacy requirements, for those entities subject to both, and, in particular, to ensure that health information is covered by the HIPAA framework to the maximum extent possible.
This can be accomplished by adding to the regulation further explanation of the Agencies' interpretation of how the two regulations interact.[1] In the preamble, the Agencies note that:
"The recently proposed Department of Health and Human Services regulations that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final form, limit the circumstances under which medical information may be disclosed."
We agree with this analysis. Due, however, to the potential for entities covered by both regulations to use the fact of dual coverage to attempt to evade responsibilities imposed by either or both regulations, and because this analysis applies to all privacy policies in these regulations (not just those regarding disclosures of information), we recommend that the Agencies further clarify that the regulations may overlap, but will not conflict. Specifically, the preamble to the final regulation should include the following statement:
"Where an entity is covered by the standards and requirements promulgated under the authority of sections 262 and 264 of Public Law 104-191, and also covered by these regulations, nothing in these regulations shall limit that entity's responsibility to comply with the standards and requirements promulgated under the authority of sections 262 and 264 of Public Law 104-191."
In addition, we ask that the text of the final regulation include corresponding language.
Under the statute, health information may be treated separately under these regulations. The Agencies note that the proposed rules "do not prohibit an institution from establishing different privacy policies and practices for different categories of consumers, customers, or products, so long as each particular consumer or customer receives a notice that is accurate with respect to him or her." (F.R. Vol. 65, No. 35, p. 8775) The differences between the health sector and the financial services sector, and the existence of the HIPAA regulations, more than justify this separate approach for health information.
We welcome the opportunity to meet with the Agencies to discuss these issues.
Deputy Assistant Secretary, Health Policy
Office of the Assistant Secretary for Planning and Evaluation
Department of Health and Human Services
[1] Because the legislative history on the question of the interaction between the statute and HIPAA is not clear, courts could give substantial deference to the Agencies' interpretation.