Privacy Developments Continue to Raise Substantial Compliance Issues
Privacy remains one of the primary issues being addressed by regulators and legislators this year, raising substantial ongoing compliance and risk management issues for health care companies and a wide range of financial services entities, including both traditional financial institutions and insurers. Because of the attention that is being focused on these issues by both regulatory authorities and the media, privacy risks are increasing at a dramatic level, and a wide range of potential litigation may emerge.
For the health care industry in particular, there are three ongoing developments worth following over the next few months. First, the Health Privacy Project, an institute affiliated with Georgetown University, released the results of a study indicating that health care web sites often do not follow their own published privacy statements. The major findings of this report are:
- Visitors to health web sites are not anonymous, even if they think they are;
- Health Web sites recognize consumers' concern about the privacy of their personal health information and have made efforts to establish privacy policies; however, the policies fall short of truly safeguarding consumers;
- There is inconsistency between the privacy policies and the actual practices of health web sites;
- Consumers are using health web sites to manage their health better, but their personal health information may not be adequately protected; and
- Health web sites with privacy policies that disclaim liability for the actions of third parties on the site negate those very policies.
Second, the regulatory authorities responsible for implementing the Gramm-Leach-Bliley Act, modernizing the financial services industry, have begun to release draft regulations for the privacy provisions of that statute. The Federal Reserve Board released a draft of the proposed regulations in early February, and the remaining agencies (including the Comptroller of the Currency, the FDIC and the Securities and Exchange Commission) are expected to release their own versions shortly. The preliminary reports indicate that the regulations will be essentially uniform throughout the agencies. There is an enormous reach to these regulations. According to a recent speech by Laurence Meyer, one of the Governors of the Federal Reserve Board:
Most observers do not yet understand that the privacy provisions apply to any company engaged in financial services – whether or not affiliated with a bank. Every finance company, insurance company or agency, securities dealer or broker, and even travel agency is covered by the privacy provision of [the Gramm-Leach-Bliley Act.] [emphasis added].
Third, HHS is receiving an avalanche of comments of the proposed rules for the confidentiality of electronic medical records. As these comments are being prepared and analyzed, the key areas of controversy involve the following areas, each of which has significant risk management implications:
- The requirements that will be imposed on "business partners” of health care providers and health plans;
- Whether patients have (or should be given) an effective right to enforce their privacy as the "third-party beneficiaries” of privacy agreements;
- What "security levels” will be imposed on confidential data;
- Whether all medical information, not just electronic records, will be encompassed within the regulations; and
- Whether law firms will be treated as "business partners” and, if so, how this will affect privilege issues.
Last, the true wild card in the privacy debate is Congress. There is mounting pressure for Congressional intervention, and both parties recently have formed "Privacy Caucuses” to examine privacy policies. Will Congress step in to modify the HHS regulations? With all of this change, and the new activity at state legislatures to strengthen the federal protections, carriers insuring affected industries may wish to include a review of privacy practices as a component of risk assessment.