Tuesday, June 17, 2003
U.S. House of Representatives,
Subcommittee on Financial Institutions and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
    The subcommittee met, pursuant to call, at 10:09 a.m., in Room 2128, Rayburn House Office Building, Hon. Spencer Bachus [chairman of the subcommittee] presiding.
    Present: Representatives Bachus, LaTourette, Kelly, Ryun, Gillmor, Biggert, Hart, Tiberi, Hensarling, Barrett, Oxley (ex officio), Sanders, Maloney, Watt, Sherman, Moore, Velazquez, Hooley, Lucas of Kentucky, Crowley, McCarthy, and Emanuel. Representative Pete Sessions was also in attendance.
    Chairman BACHUS. [Presiding.] Good morning. The Subcommittee on Financial Institutions will come to order.
    Our hearing today is the fifth in a series of hearings the subcommittee is holding on FCRA. We previously held hearings covering the importance of the national uniform credit system to consumers and to the economy, and more specifically how the Fair Credit Reporting Act helps consumers obtain more affordable mortgages and credit in a timely and efficient manner.
    Today, we will hear how FCRA regulates employee background checks and the collection and use of health information or medical information. This hearing consists of two panels. The first panel will focus on the application of FCRA to employee screening and other background checks. Witnesses will include various business groups, human resource managers and private investigators.
    The second panel will examine how medical information is collected and used for various financial products, including a discussion on the prohibition of the use of health or medical information in the credit-granting process. Panelists will include representatives of life and health insurance companies, the banking industry, and independent experts.
    While we usually think of FCRA in the context of credit information, it also applies to background checks for employees. For example, information collected for an employer by a third party about an employee's criminal record, driving record, educational record or prior employment history in some instances falls within FCRA's coverage. The 1996 amendments to FCRA established consumer protections for employee background screening.
    Some of these include consumer consent before a prospective employer may obtain a consumer report, disclosure of the report to the consumer once it is completed, and notice to the consumer of his rights before taking adverse action based on the report. Many employers conduct background checks of their employees as a safety precaution. Moreover, according to a 2002 Harris poll, a majority of Americans support their employers' conducting detailed background checks.
    Congress has mandated background checks for many workers in the financial services industries, as well as for nuclear, airport and childcare businesses. The number of worker background checks has dramatically increased since 9-11 due to heightened security concerns. As a result, mandatory background checks are now required for workers at ports and for those who transport hazardous chemicals.
    Because background checks are becoming commonplace, one issue we need to review today is the FTC's staff Vail opinion letter. It makes it much more difficult for employers to conduct background checks or investigations of their employees. Under the Vail letter, if an employer believes that an employee is engaged in workplace misconduct such as committing sexual harassment, racial discrimination or embezzling funds or other criminal activity, the employer cannot hire an independent third party investigator without getting the employee suspected wrongdoer's consent and telling him about the investigation and how the investigation will be conducted. That makes absolutely no sense. If you are trying to catch a criminal, why warn him in advance?
    Strangely, employers can investigate alleged misconduct without following any of the Vail letter requirements if they do so internally. The Vail letter makes it unworkable to hire an outside unbiased party to do an impartial investigation. Even the FTC admits the law should be fixed.
    Our second panel will discuss medical information, health information, and how the FCRA and other state and federal laws govern its use.
    The FCRA prohibits consumer reporting agencies from furnishing reports containing medical information without the consumer's consent. Congress passed another law, the Health Insurance Portability and Accountability Act of 1996 which limits the sharing of health information by health care plans and providers. In addition, the States have various laws governing insurance companies in the use and sharing of health information by those companies.
    The second panel will help us understand whether there are gaps in the convergence of these laws and whether financial providers are using such information, and if they are, whether they should be prevented from using an individual's medical or health information in any way or in an inappropriate way.
    I want to express my gratitude to Chairman Oxley for his leadership in these FCRA hearings. I want to commend Ranking Member Frank and Mr. Sanders for working with the staff, with me, and with Chairman Oxley on FCRA reauthorization. I note that for the second week in a row we have accommodated all of the minority witness requests.
    The Chair now recognizes the ranking member of the subcommittee, Mr. Sanders, for his opening statement.
    [The prepared statement of Hon. Spencer Bachus can be found on page 52 in the appendix.]
    Mr. SANDERS. Thank you very much, Mr. Chairman, for holding this important hearing. I very much appreciate all of our witnesses being with us today.
    This hearing will focus on the role of the Fair Credit Reporting Act in employee background checks and the collection of medical information. These are important matters that must be carefully scrutinized by this subcommittee. Before we delve into these issues, Mr. Chairman, I would like to briefly highlight the testimony of two of our witnesses from last week's hearing.
    Mr. Chairman, as I recall, you raised a number of concerns about my support for consumers to receive a free copy of their credit reports at least once a year from all three of the credit bureaus. It should come as no surprise that all of the major consumer groups in this country support that view, including U.S. PIRG, the Consumer Federation of America, Consumers Union, and the National Consumer Law Center.
    Yet what the chairman and some of the members of the subcommittee might not have heard clearly is that according to the testimony we received last week, that view is also shared by the America's Community Bankers and the Independent Community Bankers of America. I think that it is important that they are coming on board in order to make sure that all Americans receive a free credit report.
    Let me turn for a moment to today's hearing. First, the issue of employee background checks, Mr. Chairman, under the Fair Credit Reporting Act. Companies can turn down job applicants because of the credit history contained in their credit reports, including large student loan debt, high credit card payments, a big auto loan, or a heavy mortgage bill. Even worse, job applicants who have errors in their credit reports as a result of identity theft are being denied employment. In most instances, by the time these errors are taken off the job applicant's credit report, the job they are applying for has already been filled by another person.
    Mr. Chairman, this raises troubling questions for the subcommittee. One, should a young person who has accumulated $30,000 or more in student loan debt be denied a job in favor of someone who was fortunate enough to have wealthy parents to pay for their college education?
    According to a May 26, 2003 article in The State newspaper in Columbia, South Carolina, ''Ayana Woodson, a recent business administration and finance graduate from Howard University in Washington, DC learned this the hard way. 'These are jobs I have not gotten because of my credit,' said Woodson, now carrying a $25,000 college debt, 'I just assumed after I graduated I would have this high-paying job and would be able to pay it off,' she said. It is like a double-edged sword. I take out this loan so I can get a job, but it may be the very reason to keep me from getting a job.''
    Mr. Chairman, according to the U.S. Department of Education, the average student loan debt has nearly doubled over the past 8 years to close to $17,000. I think we can all agree that people who had to go into debt to get through college should not be forced to lose job opportunities because of that debt.
    Secondly, should employers be allowed to deny employment opportunities to job applicants due to errors contained in their credit reports? I do not think so, but according to a March 3, 2003 article in Investment Dealers Digest, ''If you want to work for Goldman Sachs, your name had better be squeaky clean. All it takes is one blemish on your credit history to prohibit employment there. At least that is what one secretarial job candidate recently found out the hard way, and she is not alone. Like many young people at age 24, Kate ran up significant debt on a Citibank credit card. She was unable to pay it off quickly, and the account was ultimately sent to collection.
    ''Over the next 9 years, she gradually paid down the debt, satisfying it completely by 2002. The problem was the collection agency failed to report this to the credit agencies, and the account showed up on Goldman's credit check -- a mistake for which the collection agency took full responsibility and promised to put it into writing in 30 to 60 days, but would gladly relay orally to Goldman. But according to Kate, Goldman's background checker told her the firm would not accept an oral explanation and needed it in writing.''
    To make a long story short, this young lady has a hard time with jobs. Mr. Chairman, I do not believe job applicants should be turned down from their jobs because of errors contained in their credit report.
    Finally, we will be looking today at the Fair Credit Reporting Act in the collection of medical information. I have two concerns on this issue. First, we need to make it clear that banks and insurance companies cannot use medical information to deny consumers credit or insurance. Banks should not be allowed to use the fact that you have cancer to increase the interest rate on your credit card. Insurance companies should not be allowed to use the fact that you have diabetes to raise your premiums on your renter's insurance.
    Mr. Chairman, thank you very much for calling this important hearing. I look forward to hearing from the witnesses.
    Chairman BACHUS. Thank you, Mr. Sanders.
    Chairman Oxley?
    Mr. OXLEY. Thank you, Mr. Chairman. Let me thank you for your leadership on this important issue of FCRA as we continue the series of hearings. You have done yeoman work and we appreciate all that you have done.
    I am pleased to announce that last Thursday another federal regulator came out in support of reauthorization of the national uniform standards for FCRA. Don Powell, the chairman of the FDIC, who testified before this committee, said he believes it is necessary to make permanent the preemptions in the FCRA in order to ensure no negative economic impact. Mr. Powell joins the Treasury Secretary, the chairman of the Fed, and the Conference of State Bank Supervisors in support of reauthorizing uniform FCRA standards.
    I also just received a report by the independent Congressional Research Service analyzing a critical consumer benefit of the FCRA, and that is increased labor mobility. CRS found that mobility is an important barometer to judge the importance of having a national credit reporting system. No surprise, the U.S. is one of the most mobile societies, with 14.5 percent of the population moving in any given year, and lower-income individuals more likely to move than higher-income groups. It is our national uniform credit system that makes this mobility possible and gives us a further competitive edge over the rest of the world.
    Throughout modern history, national economies have risen and fallen based in large part on the flexibility and mobility of labor and management. American consumers and workers enjoy unprecedented mobility in part because of our uniform national credit standards.
    Today's hearing looks at two particular aspects of uniform standards under FCRA. The first panel will address the use of FCRA in employee background screening. Even before 9-11, Americans had become increasingly concerned about ensuring their safety on the job from individual predators with criminal records.
    Homicide was the second leading cause of occupational fatalities in 2001, and the recent wave of corporate scandals has highlighted the need to keep out bad actors at all levels of the American workplace. Congress has been calling for expanded background checks for a number of sensitive jobs and courts have been imposing more liability on businesses that do not perform adequate background checks.
    Unfortunately, an interpretation of FCRA by the Federal Trade Commission, known as the Vail letter, undermines the ability of businesses to protect their employees and consumers. The Vail letter prohibits employers from using outside third parties to investigate employee misconduct unless they first notify the wrongdoer of the precise investigation, get his consent, and ultimately give him a copy of the investigative report.
    How do you investigate a CEO, for example, who is embezzling funds if you have to first get his permission and give him time to cover up his actions? How do you get victims to cooperate with a sexual or racial harassment inquiry if they know their identities will not be protected? You don't, and that is why the FTC's interpretation is at best problematic. Ironically, a company can perform an employee investigation without these requirements, but only by doing it internally without any of the protections of an outside, unbiased, and professional third party. The Vail letter is simply impractical.
    Subcommittee Chairman Bachus and I wrote to the FTC last term asking the Commission to change its views, and we support efforts by the members here today to correct this problem.
    On our second panel, we will receive testimony on the use of medical information in the credit-granting process and the interplay between various federal and state health privacy laws. I share the concerns of many of my colleagues that medical information may require special protections to prevent its improper use or theft, and I look forward to our witnesses' views on the appropriate balance of national consumer standards on this issue. Once again, I would like to thank the chairman for his leadership and the continued bipartisan cooperation of our ranking subcommittee and full committee members, Mr. Sanders and Mr. Frank.
    I yield back.
    [The prepared statement of Hon. Michael G. Oxley can be found on page 55 in the appendix.]
    Chairman BACHUS. Thank you.
    The gentleman from North Carolina?
    Mr. WATT. Thank you, Mr. Chairman.
    I had intended not to say anything, but my chairman provoked me to say something to balance at least one thing, not necessarily to contradict what he is saying, but to thank you for having this hearing today and the series of hearings, because of the difficulty of these issues.
    While the chairman is right to have the governing agency bring these employment background checks and medical information under its jurisdiction, it may be presenting some problems. The other side of that is if they are not under somebody's supervision, then they have the capacity to collect erroneous misinformation on people, and not be subject to any kind of oversight.
    So we have got to figure out a way to allow them to provide the valuable service that they provide to employers, but do it in a way that makes sure they are regulated and that they answer to somebody and that they are accountable for collecting information that is not correct and viable. That is the difficulty. I am not arguing with the concern that the chairman of the full committee and the chairman of the subcommittee raised in the letter you wrote, but if they are not regulated under the Fair Credit Reporting Act, then who is going to regulate them, I guess, is the question; and how do they get regulated and how do we keep employees or prospective employees from having their employment possibilities adversely affected by information that may not even be correct?
    That is the difficult balance this committee has to deal with. It is for that reason that we have witnesses here to enlighten us about how we walk that balance and get to a result that is fair, both to employers and the agencies that report information to them about people's criminal records and medical records and sexual harassment in prior venues, or what have you, yet make sure that that information is correct and defensible; and if it is not, that somebody is held accountable for it.
    So I thank the chairman. I did not take the time to argue with him about this, but more to point out the difficulty of the balance and the requirement that this committee has as we go forward.
    With that, I will yield back, unless the chairman wants me to give him the last word. I am always willing to give my chairman the last word.
    I yield back.
    Chairman BACHUS. Thank you.
    I have a unanimous consent request, and that is that without objection the gentleman from Texas, Mr. Sessions, may be recognized for the purpose of making an opening statement and for the purpose of questioning witnesses under the five-minute rule after all members of the subcommittee and the committee have been recognized. Is there objection? Hearing none, I would ask the gentleman from Texas, who is a cosponsor of H.R. 1543 which addresses the Vail letter, if he has an opening statement.
    Mr. SESSIONS. I thank the chairman and appreciate you allowing me to be here today. I have got to be on the floor in a few minutes, when they are ready for the new rule.
    Mr. Chairman, I would like to thank you for inviting me to join you at this hearing on the Fair Credit Reporting Act, FCRA, as it pertains to employee background checks and the collection of medical information. I am pleased to be rejoining the chairman and my esteemed former colleagues on the Financial Services Committee to discuss an issue that has long been of great interest to me.
    I would also like to thank my colleague from Alabama, the Chairman, for scheduling this important hearing, for your strong leadership on the issue, and for your diligent oversight on all aspects of FCRA. Certainly, Chairman Bachus's efforts are commendable, and by holding this hearing today he will help Congress to take the first step toward making the workplace a better and safer place for all working Americans.
    Mr. Chairman, in order to provide a historical context to this hearing, I would like to recount briefly the events that have brought us here today. In 1999, the staff of the Federal Trade Commission issued an opinion known as the Vail opinion, concluding that outside consultants who perform investigations of alleged employee misconduct are considered to be credit reporting agencies.
    As a result, outside consultants and the employees who hire them to help ensure unbiased workplace safety are subject to a number of burdensome and unintended restrictions on their ability to perform these investigations safely, professionally, and efficiently. Accordingly, they are hampered in performing many kinds of workplace investigations, including employee complaints of sexual harassment, discrimination and threats of violence. For the last few Congresses, I have introduced legislation to fix this problem by removing the FCRA requirements for investigations of suspected misconduct related to employment and to compliance with existing laws and preexisting written policies of the employer.
    This proposed legislation also respects the rights of the subject of the workplace search, while removing employers from the onerous and potentially dangerous requirement to notify their subject prior to beginning an investigation. The removal of this requirement is important because it prevents violence from employees, from giving them time to cover their tracks, or to initiate intimidation against coworkers who make or corroborate complaints, and are an integral part to ensuring the veracity of data included in these complaints.
    Mr. Chairman, back in 1997 when a constituent brought the problems to me that she was having as a result of the Vail opinion, I was shocked to learn that federal law requires an employer who suspects that an employee is dealing drugs or engaged in other misconduct at the workplace to ask that employee's permission before beginning an investigation.
    Furthermore, I was greatly dismayed to find that federal law would also require the same employer to provide a potentially violent employee with a report identifying the coworker who made or who corroborated those allegations of wrongdoing, making those helpful employees who were only trying to make the workplace safer a target for violence or retribution, and placing themselves in harm.
    This important legislation that I have introduced removes requirements of the federal Fair Credit Reporting Act solely for the purpose of having unbiased third party professional investigations of illegal or unsafe activities in the workplace. These limited activities include drug use or the sale of drugs, violence, sexual harassment, employee discrimination, job safety or health violations, and criminal activities including theft, embezzlement, sabotage, arson, patient or elderly abuse, and child abuse.
    I believe that it is critical for Congress to pass this legislation in order to make our workplaces safer, to stop illegal activities such as drug dealing, and to identify dangerous employees so that they can be provided with treatment before violence occurs. This legislation offers Congress the opportunity to replace illegal and dangerous activities in the workplace with investigation and remediation. I think that this is precisely the goal for which we should all be striving.
    I also would like to thank the panel that is before us, many of whom have come from all over the country to share their experiences with the Vail opinion and FCRA with us today. I look forward to hearing their testimony on the issue.
    I would also like to thank the 16 members of Congress on both sides of the aisle who have cosponsored this bipartisan legislation. I want to thank you, Mr. Chairman, for your leadership, and I appreciate the time you have given me today.
    [The prepared statement of Hon. Pete Sessions can be found on page 58 in the appendix.]
    Chairman BACHUS. Thank you.
    Are there any other members wishing to make an opening statement? If not, I would like to welcome our first panel, which deals with the role of FCRA in employee background checks. Our panelists consist of, from my left, Mr. Christopher P. Reynolds, partner in the law firm of Morgan, Lewis and Bockius, on behalf of the U.S. Chamber of Commerce. I noted that you were a U.S. Attorney for the Southern District of New York.
    Mr. REYNOLDS. Mr. Chairman, I would hasten to say that I was an assistant U.S. Attorney for the Southern District.
    Chairman BACHUS. Assistant U.S. attorney, and dealt with many cases involving employee and employment matters.
    Mr. REYNOLDS. Yes, I did, Mr. Chairman.
    Chairman BACHUS. Our second panelist is Mr. Harold Morgan, senior vice president, human resources, at Bally Total Fitness Corporation, on behalf of the Labor Policy Association, and previously with Hyatt Corporation where you were director of employee and labor relations. Our third panelist, at the request of Mr. Sanders, is Mr. Lewis Maltby, president of the National Workrights Institute. We welcome you, Mr. Maltby. Mr. Sanders also requested the testimony of Ms. Margaret Plummer, director of operations for Bashen Consulting. We welcome you as a panelist.
    Our final panelist on the first panel is Mr. Eddy McClain, chairman of Krout and Schneider, on behalf of the National Council of Investigation and Security Services. Mr. McClain, you are a former private investigator on work-related investigations?
    Mr. MCCLAIN. Yes, sir.
    Chairman BACHUS. So we welcome you.
    At this time, Mr. Reynolds, we would recognize you for your opening statement.


    Mr. REYNOLDS. Thank you, Mr. Chairman, and distinguished members of the subcommittee. Good morning.
    I am grateful to you for the privilege of testifying before you today. In the interests of time and with your permission, I will summarize my written testimony. My purpose today is to testify on behalf of the U.S. Chamber of Commerce regarding FCRA's effect on employee background checks and employer investigations into workplace conduct.
    I do that on the basis of my experience as a partner at Morgan, Lewis and Bockius representing employers in litigation, investigations, and providing advice and guidance; as a member of the American Bar Association's Labor Section and Equal Employment Opportunity Committee; and as also a member of the Securities Industry Association's Legal Division.
    Mr. Chairman, the reauthorization of FCRA's uniform standards provisions is terribly important to the members of the Chamber and to the efficient functioning of the national credit system. Without those standards, we would be faced with a complex and confusing web of conflicting state standards that could only impede the availability of credit and limit the access of small businesses to the credit that will help them grow and survive tough economic times. We urge this committee at a minimum to preserve those standards.
    The two issues that also concern the Chamber beyond reauthorization would be the background check issue and the workplace investigation issue. Concerning background checks, our primary concern is not with existing law, but with the possibility that new provisions will be added, provisions that hurt an employer's ability to ensure workplace integrity and workplace safety by obtaining reliable job-related information compelled by business necessity on applicants and employees.
    Now, employers use these background checks to make sure their workplaces are safe and secure. We need them. A recent study by the Avert Internet-based screening firm found that 24 percent of 1.8 million applications in the year 2000 were submitted with misleading or negative information. The Society for Human Resources Management found in a 1998 survey that 45 percent of employers found that an applicant had lied concerning their criminal record. Many states impose on employers the potential liability for negligently hiring someone who is a danger to the safety and security of the workplace. Background checks allow us to avoid that liability and fulfill our legal duty.
    Against the painful backdrop of September 11, the public and this government also increasingly expect employers to use background checks. According to a Harris interactive poll in 2002, 53 percent of employees want their employers to conduct more detailed background checks of applicants and coworkers to ensure safety. In this session alone, Congress has introduced 21 different bills requiring background checks for workers. It is a clear signal that the government expects employers to use them.
    The Chamber understands and appreciates that there is a necessary and welcome balance between workplace security and privacy. We believe that the existing FCRA provisions of consent, notice and disclosure provide that balance. We also believe that the nation's existing equal employment laws provide a ready remedy for any company or employer that abuses background checks for discriminatory purpose. We also note the numerous State laws that restrict or limit the ability of employers to use information in background checks improperly.
    If you do make changes to FCRA on the background check issue beyond its reauthorization, we urge you to allow employers who use contract workers to have access to the contractor's background check information without converting that contractor into a consumer reporting agency. There are many safety-sensitive industries that use contract workers and the underlying employer needs that information to ensure safety.
    Now, with your permission, Mr. Chairman, let me echo your previous comments on the Vail letter. The issue is simple. The FTC through the Vail letter has thrown up a roadblock to the effective use of workplace investigations of employee misconduct. We understand that the FTC will not retract that letter unless Congress acts. The Chamber urges that action.
    Employers are instructed by statute in the case of Sarbanes-Oxley; instructed by the Supreme Court in the case of the Faragher-Ellerth precedent; and by regulations of the Equal Employment Opportunity Commission to conduct thorough, effective and objective investigations. Often, the only effective way to do that is through an outside firm or investigator. Under Vail, there is a requirement for notice and consent provisions that would require almost immediate notice to the object of that investigation. That fundamentally guts the investigation's effectiveness. Just a quick example. Say that I receive a request to investigate a senior executive for a sexual harassment complaint. Under the Vail letter, I am obligated to advise that senior executive before I begin my investigation that he or she might be the object of a complaint, and therefore that is going to constrict greatly the ability to find out what happened and take appropriate remedial action. There is simply no way to satisfy both Vail and the need to investigate effectively workplace conduct.
    Against that backdrop of increased corporate responsibility for self-monitoring, we believe that this choice must be resolved the way Congress intended under Sarbanes-Oxley, the way the Supreme Court dictated in Faragher-Ellerth, and the way the EEOC's guidance has laid out in favor of effective investigations. The Chamber believes that H.R. 1543 is the right step to address that concern and we urge its passage.
    Mr. Chairman, thank you.

    [The prepared statement of Christopher P. Reynolds can be found on page 121 in the appendix.]

    Chairman BACHUS. Thank you very much, Mr. Reynolds, for that testimony.
    Mr. Morgan?


    Mr. MORGAN. Thank you very much. Do not worry. I will not be asking the members of the committee to do exercises before we begin the testimony today.
    This morning, I have two simple and basic messages regarding FCRA. The first is please do not make it any harder to keep our workplaces safe. And two, if possible, please help us to make it easier to keep our workplaces safe.
    I am sure the original intent and the purpose for expanding FCRA to include background checks was to ensure that potential employees were guaranteed certain rights and privileges if their backgrounds were checked. I am sure the same thought applies to investigations in the workplace. However, the actual on-the-job reality of FCRA makes it increasingly difficult to maintain a safe workplace.
    Many individual states have added to these restrictions on top of FCRA. The FCRA regulations, in addition to the additional State laws, really cut to the heart of workplace safety. The fact of life today is that every critical public or stakeholder that has anything to do with our operations expects me to run a safe workplace. The duty and trust and obligation of maintaining this safe workplace is even more difficult in businesses such as mine where you have large amounts of employees, a lot of employee turnover, and where you are dealing with customers on a minute-to-minute basis.
    So by way of introduction, this is the overview of where we are coming from on FCRA. But what is at the heart of the problem? The problem is that to make hiring decisions with increasingly more difficult limits and restrictions on what we cannot and can look at is unrealistic and is increasingly compromising workplace safety. For instance, should I hire someone to be a childcare attendant who has several arrests, but no convictions for child molestation? Should I hire a salesperson who has information regarding credit cards and financial information about a potential customer, but who has a deferred adjudication for fraud? Should I hire a personal trainer who has been arrested for assault and battery, but has pled down to a misdemeanor, or who has a conviction that is over seven years old? The problem with FCRA and the additional State laws is that I cannot use this information in making employment decisions.
    Congressmen and congresswomen, I believe that this is playing roulette with the safety of everyone involved in the workplace. Employers cannot be subject to courtroom standards in order to keep their workplaces safe. The reality of life is that I should not hire the personal trainer with several arrests, but no convictions, and I should not hire the childcare attendant who has pled down to a misdemeanor for child molestation. Nevertheless, FCRA and the State laws suggest that I should not consider any of this information in making my employment decision.
    The other issue, which Mr. Reynolds has covered, is Vail. Very simply, this makes it difficult to conduct investigations in the workplace, which all of you would agree is something that should be done and should be done in a fair and consistent manner. Vail only results in a chilling effect on people coming forward regarding workplace misconduct and problems that are going on in the workplace. Investigations should be able to be done and proceed in a way that does not limit us and that affords all people involved a great deal of confidentiality.
    As I said in the beginning, please help us to make workplaces safer. In order to do that, I would suggest five key issues. First, please allow us to look at criminal backgrounds without any time limitations. Second, please allow us to consider arrests in looking at the totality of an individual's background regarding their suitability to work in a particular place. As long as we are within the EEOC guidelines, the burden of proof beyond a reasonable doubt should not be a standard that applies in the workplace.
    Three, please give us access to national databases so that we do not have to go to thousands of jurisdictions to see if someone should or should not be an employee regarding what they have done in their past. Please give us a safe harbor from more restrictive State laws, provided that FCRA is adhered to from a regulation standpoint. And fifth, please allow us to conduct any and all investigations regarding workplace misconduct in a confidential manner and not subject to FCRA.
    Last and certainly to highlight this issue, in 1999, as all of us are aware, several terrorists tried to come through the Canadian border to blow up the LAX airport in celebration of the millennium. The identities that these folks were using were partially stolen out of databases of my company. Now, we have since closed up that issue regarding our databases.
    The employee that was involved in selling off these identities to the terrorists had a complete criminal background screen that I conducted; was drug tested; and every attempt was made to make sure that this employee, like all of my employees, were safe in the workplace. Nevertheless, those identities were sold and those identities were given to the terrorists that were fortunately caught before they were able to set up a bomb at LAX airport.
    The point is this: It is difficult enough to make decisions about the unknown and about what may happen in the workplace. Please at least let us make decisions regarding what is known.

    [The prepared statement of Harold Morgan can be found on page 82 in the appendix.]

    Chairman BACHUS. Thank you very much.
    Our next witness is Mr. Lewis Maltby. Mr. Maltby, I mentioned that you were with the National Workrights Institute. I did not mention that you were the founder of that Institute, so we very much welcome your testimony. We know you as a nationally recognized expert on employee rights in the workplace.


    Mr. MALTBY. Thank you, Mr. Chairman, and thank you for inviting me to be here this morning.
    Let me say from the very beginning, I have no problem, no objection to pre-hire investigations. I have three school-age children. Every morning, I put them on a school bus. I do not want anyone behind the wheel of that school bus with DUI convictions.
    But it is not always that simple. There are many situations in which pre-hire investigations occur in ways that simply are not fair and do not help anyone. For example, at least 2.5 million people every year are required to take so-called honesty tests to get a job. There is nothing wrong with employers wanting to hire honest people, but honesty tests fail at least four honest people for every dishonest person they screen out. That is a very high price for a lot of honest people to pay for businesses to get a dubious advantage at best.
    Personality tests are extremely common. They are not inherently wrong. Someone who would do very well in a laid-back Silicon Valley company might not do so well in a very straight-laced Wall Street firm. But some of the questions on these tests I would not ask my wife. There are questions about your religious belief, your sex life, even your bathroom habits on some of these common personality tests. With all due respect to Mr. Reynolds, I do not know why you have to ask an employee about their bathroom habits to tell if they are going to be a productive and safe employee.
    I mentioned criminal records checks. There are many cases where that is totally appropriate, like the one with my children. On the other hand, there are many employers in America today that will not hire a person for any job at any time in their lives if they have ever been convicted of anything. You could be, and sometimes are, denied a job as a 40-year-old electrician because when you were 19 you shoplifted a CD. There is something wrong when employers go to that incredible unreasonable extreme.
    The worst part of all of this is the way the information is being used. If this information were being used as something to inform the judgment of a seasoned HR professional, I would not be so concerned. But what is happening is, the machines are taking over. The test results are trumping the evaluation and the judgment of the HR professional. If the honesty test says you are dishonest, I don't care if you are a nun, and this is a real case, the HR person cannot say, "Well, the test is obviously wrong." They can't and they don't. If the test says you are dishonest or you don't fit or anything else, you are simply out. That is not the way things ought to be done.
    Regarding the Vail letter, let me not belabor the obvious, except to say Mr. Morgan and Mr. Reynolds are right. There is a problem here. As a civil rights lawyer, I want to see investigations of alleged sexual harassment or racial harassment or other civil rights violations conducted quickly, thoroughly and effectively, and the Vail letter as it stands is an obstacle. The real question is, how do we fix the obstacle? Mr. Sessions has certainly taken us the first step in that direction. It is clearly surreal, maybe that is too kind, to say we have to tip off the person we are investigating and get their permission before we conduct an investigation.
    But that is not the entire situation we have to deal with. What if, for example, the employee is innocent? Perhaps the investigation clears them. Shouldn't they be told after the investigation is over that they were investigated and they were cleared, and being shown a copy of the report? Is it really fair that that report should follow them for the rest of their career, or at least their career at this company, and they don't even know it happened? I do not think so.
    For example, what if there never was any genuine suspicion of wrongdoing? Pretext investigations are not common, but they happen. We do not want a law that says that a company can investigate somebody whose real offense is trying to organize a union on the pretext they have stolen a pencil. The law ought to require that there be a genuine suspicion of wrongdoing before the investigation starts in the first place. And whatever minimal standards the FCRA contains about fairness and accuracy in conducting the investigation and compiling the report should not be lost either.
    I know that none of those problems were intended to be created by Mr. Sessions's bill, but we need to do more than just simply crudely yank criminal investigations in the workplace out from under the FCRA. It has to be done in a more nuanced, thoughtful fashion. Mr. Sessions's bill is the first step, but it is not the only step.
    From having looked at the issues, I see nothing here that people of good will and intelligence could not resolve, given discussion. We have already had some discussions on these matters and I am confident that if allowed to continue we could reach a resolution that would accomplish Congressman Sessions's objectives and the concerns of people like me in the civil rights world.
    Thank you.

    [The prepared statement of Lewis Maltby can be found on page 60 in the appendix.]

    Chairman BACHUS. Thank you, Mr. Maltby.
    We would also welcome coming together on this issue. We are also optimistic that we can do that.
    Ms. Plummer, I previously recognized you. You actually manage EEOC claims, risk management services, quality assurance, and consultant supervision for Bashen. I noted that you practiced business and employment law with the firm of Randolph, Hunter in Greenville, South Carolina, so you also have litigation experience in employment matters. We welcome you.


    Ms. PLUMMER. Thank you very much, and also thank you to the members of the subcommittee for having us here today.
    Bashen Consulting is a minority-owned human resources consulting firm that has conducted thousands of employment discrimination, harassment and ethics investigations for companies nationwide. I thank you for allowing us to participate in these important discussions regarding the role of the FCRA in employment-related investigations.
    The Federal Trade Commission's interpretation of the FCRA as expressed in the 1999 Vail opinion letter will have a chilling effect on the efforts of employers to prevent and correct unethical discriminatory and harassing behavior in the workplace.
    In 1998, the Supreme Court profoundly changed the workplace harassment landscape. It became clear that for employers to protect themselves, they must implement effective policies and complaint procedures, conduct prompt and thorough investigations of employee complaints, and take remedial action. Today, courts and government agencies charged with enforcing civil rights legislation examine not only the fundamental question of whether unlawful conduct occurred, but the quality and integrity of the employer's investigation of the alleged conduct.
    Many employers naturally seek the experience and expertise of qualified third parties to thoroughly and impartially investigate employee concerns. Countless companies, especially small companies, do not have the internal resources or skills to investigate employee complaints. In many situations, companies hire third parties to ensure that maximum credibility is given to the investigation, often due to the sensitive nature of the allegations or the high-level position of the alleged wrongdoer.
    I recently conducted an investigation for a large corporation in which a human resources staff member complained that he was discriminated against based on his national origin when he was denied a promotion. The company would have been placed in the untenable position of having its human resources department police itself if the investigation was conducted in-house.
    The HR department recognized its potential conflict of interest, and more importantly the appearance of a conflict if the investigation failed to support the staff member's claim. The company hired Bashen Consulting to ensure the integrity of the investigation. However, according to the FTC this company would be subject to increased liabilities and requirements because they hired experts in the field instead of investigating the complaint internally.
    Under the FTC's interpretation, companies striving to comply with civil rights legislation must now decide between the risk of uncapped damages under the FCRA if they request an investigation, and the limited damages available under civil rights laws if they fail to investigate at all. Companies would also be required to obtain a written authorization by the alleged wrongdoer to conduct the investigation. The notion that an accused harasser must consent to an investigation of his inappropriate behavior is contrary to common sense.
    More alarming is the detrimental effect the FTC's interpretation of the FCRA poses for employees. The law would require the company to provide the alleged wrongdoer with a complete copy of the investigative report. These reports identify witnesses and the information each provided, and producing it would irreparably compromise the confidentiality of the investigation.
    Absent assurances of confidentiality, the FCRA will create a chilling effect on witnesses' willing participation in the investigatory process. Many victims will be too intimidated to complain, thus undermining the expressed intent of all workplace civil rights legislation. The impact of applying the FCRA to employment investigations is monumental. It would erode the great strides companies have made toward eliminating discrimination and harassment.
    H.R. 1543 will remove these roadblocks to progress by excluding workplace investigations from the FCRA's purview. We commend Representatives Sessions and Jackson Lee for their leadership on this issue and urge you to amend the FCRA accordingly.
    Thank you.

    [The prepared statement of Margaret Plummer can be found on page 105 in the appendix.]

    Chairman BACHUS. Thank you very much.
    Mr. McClain, we note that you have lectured at UCLA and other California colleges and universities, so this ought to be a piece of cake, after doing that.


    Mr. MCCLAIN. Thank you, Mr. Chairman. Thank you to the committee.
    I am chairman of Krout and Schneider, which is a 76-year-old firm, but I have only been a licensed investigator for 47 years. I am appearing today on behalf of the National Council of Investigation and Security Services, NCISS, which represents investigative and protective service companies and their state trade associations throughout the United States. We appreciate the opportunity to discuss the FCRA.
    Besides many small- and mid-size employers, even many Fortune 100 firms hire third parties for their expertise and impartiality. The FTC says any person who regularly conducts employment investigations is a consumer reporting agency under the law. We agree that is what the law says, even before Vail, but we believe that investigators of workplace misconduct should not be designated as consumer reporting agencies and the reports should not be classified as consumer reports.
    The 1996 amendments to the FCRA have substantially set back progress, as Ms. Plummer said, on sexual harassment and discrimination. The EEOC recommends prompt, thorough and impartial investigation of sexual harassment, but the Act provides no explanation or suggestion of what an employer should do if an accused person refuses to give his or her permission to be investigated.
    Regarding violence, when an employee exhibits symptoms of derangement, the last thing the employer wants to do is ask the employee for permission to investigate him. My firm is often hired to assist employers to deal with potentially violent employees. It is not uncommon to have little or no background information in a personnel file.
    In addition to public records and surveillance, we need to conduct covert neighborhood interviews. Neighbors are often aware of suspicious activity, proclivity toward firearms ownership, and even knowledge of explosives. Since the 1996 amendments, the report of such an investigation would be considered an investigative consumer report and it would be unlawful for the employer to order such an investigation without disclosure and permission. The ramifications of advising such an employee that he is going to be investigated, then giving him a report of what witnesses said about him are obvious.
    Many business failures are the result of employee theft. When businesses fail, employees lose their jobs. These are the same employees the FCRA is supposed to protect. Investigation of embezzlement requires stealth and expertise. Embezzlers are usually in the best position to cover their tracks.
    Yet before an employer can hire an outside expert to investigate embezzlement, written permission must be obtained. Illicit drugs are a scourge on our society. Seven percent of American workers use drugs on the job, but the FCRA makes it very difficult to ferret out drug dealers from the workplace.
    Regarding intellectual property and trade secret theft, prior to the 1996 amendments employers were able to hire impartial experts to covertly conduct sensitive investigations that would not be possible today. For example, my firm was engaged to investigate an alleged theft of trade secrets by a Fortune 100 defense contractor. Using a combination of public record information, surveillance and undercover techniques, we were able to determine the facts.
    A salesman, marketing manager and a production chief had conspired with a scientist to form a competing company that was bidding on the same government contracts. Although one conspirator left our client's employ, he was fed information by the other two who remained as moles. Not only were the scientific secrets being disclosed, but bidding information allowing the competitor to slightly undercut their pricing on closed bids. This successful prosecution would have been nearly impossible if our client had to notify the culprits in advance of the investigation.
    Conversations with witnesses are considered to be interviews and our report to be an investigative consumer report. The employer must advise the accused of the nature and scope of the investigation, and before taking any adverse action against an employee, a complete unedited copy of the report must be provided to the employee no matter how felonious their behavior. Since the advent of the 1996 amendments, many of our labor lawyer clients have advised their clients not to risk investigations, even in the face of significant losses or danger to coworkers. The reason is the attorneys do not wish to provide subjects with a copy of the investigative consumer report.
    We strongly support Representative Sessions's H.R. 1543. This bipartisan measure would make clear the investigations of employee misconduct are exempt from the disclosure and authorization requirements, while still providing protections for consumers and employees. H.R. 1543 does not change the permission requirement for access to credit reports. It also would require that after taking adverse action against an employee, an employer must provide a summary containing the nature and substance of the communication upon which the action is based.
    At the FTC, former Chairman Pitofsky recommended Congress consider a legislative change to remedy the unintended consequences of the 1996 amendments. Last month, Howard Beales made the same recommendation to this committee. We hope action will finally be taken.
    Thank you for your attention.

    [The prepared statement of Eddy McClain can be found on page 63 in the appendix.]

    Chairman BACHUS. I thank the gentleman.
    My first question, Ms. Plummer. Prior to the FTC letter, was there any indication that Congress intended the Fair Credit Reporting Act to apply to workplace discrimination or harassment investigations?
    Ms. PLUMMER. There is no indication whatsoever, either in the intent or purposes section of the statute or within the contents of the statute.
    Chairman BACHUS. Thank you.
    Mr. Reynolds, you testified that the Vail letter makes it virtually impossible to use third party investigators, particularly since failure to comply with FCRA can result in unlimited liability, including punitive damages. And yet in many cases, employers lack the resources, skills and fairness to do those investigations in-house. What do these employers end up doing?
    Mr. REYNOLDS. Mr. Chairman, those employers are caught between a rock and a hard place in fulfilling the mandates of the regulatory schemes that I mentioned earlier and Supreme Court precedent. Often they make the choice, a tough choice, but the choice to protect their employees and to do the investigation nonetheless in a way that allows for the safety and integrity of the workplace. Employers should not be put to that choice by the Vail letter.
    Chairman BACHUS. Thank you.
    In your opening statement you mentioned Sarbanes-Oxley and some of the requirements of that Act. If a company finds itself in a potential Enron-WorldCom-type situation and decides that it needs to investigate some top management for financial impropriety, does the Vail letter pose a problem?
    Mr. REYNOLDS. The Vail letter poses a significant problem. Under Sarbanes-Oxley, often corporate boards and management will reach out, and are in fact encouraged to reach out to third party objective investigators. Under the Vail letter, once that investigation begins, even before the investigation begins, consent has to be obtained from the subject or object of that investigation. As Mr. McClain has testified, that has the effect of completely negating the ability to gain a fair and complete picture of the facts, which is precisely what Sarbanes-Oxley went to.
    Chairman BACHUS. Thank you.
    Mr. Morgan, suppose you want to investigate the head manager of a fitness center, how does FTC's Vail letter make it more difficult?
    Mr. MORGAN. I would have to inform them and get consent prior to that occurring. In a lot of cases, there are things going on that you don't wish them to know about or you don't wish them to know because they could cover their tracks. If someone was stealing money from the facility or if that particular manager was sexually harassing one of my employees, I would certainly want an investigation done in a way that I could get all the information before I made a fair and balanced decision.
    Chairman BACHUS. Okay, thank you.
    Mr. McClain, if a third party investigator uncovers significant evidence of employee wrongdoing, such as racial or sexual harassment, what stops the wrongdoer from disputing every item, particularly the testimony of the victims?
    Mr. MCCLAIN. Nothing would stop him, Mr. Chairman. One of the major problems that I have on the sexual harassment issue is when we get an assignment like that from a client, the first thing that we do is we ask our client to get permission from not only the accused, but also the accuser. The reason is we want to establish the credibility of the accuser and oftentimes, not as often as the other way, but sometimes people do conspire to give false information.
    So talk about a chilling effect, when someone, take a fairly new employee who is in the probationary basis trying hard to hang onto their job and is being hit on by a supervisor, so they reluctantly go to management, to HR, because they have heard that they should report this kind of activity. So they reluctantly go forth and report this, and then management has to turn around and ask their permission to investigate them. Of course, any other witnesses that would come forth, we investigate them, too, because we need to know who all the players are and try to determine what their interests are to be impartial and fair.
    So it just doesn't work. As I said before, what do we do when someone refuses to give permission to be investigated? The employer is within his rights to terminate him for failure to cooperate with an investigation, but that in itself could be unfair. Maybe the person does not want to agree just on general principles. So it creates many unintended consequences, I believe.
    Chairman BACHUS. In fact, I think two or three of the panelists mentioned the EEOC, which actually asks us to protect the identity or protect the witnesses. But under this FTC letter, actually, you cannot protect their identities. In fact, you go to the wrongdoer and give him this information which could actually expose them to danger.
    Mr. MCCLAIN. Some people think it is a hit list.
    Chairman BACHUS. Okay, a very good point.
    Mr. Maltby, you testified about the bill introduced by Representative Sessions and other members as a step in the right direction, I believe, but not a complete solution. What additional changes would you recommend, particularly since employers can avoid any FCRA requirements simply by conducting investigations in-house?
    Mr. MALTBY. Mr. Chairman, if I could give you a complete and thorough set of standards for how to get the guilty without violating the rights of the innocent, I would be a much smarter man than I am. I can mention two or three critical points. One is we need to have protection against pretext investigations. They are not common, but they do occur. It is not clear that Congressman Sessions's bill addresses that issue.
    We need to have people be able to see the results of the investigation, possibly with certain information redacted, at whatever time is appropriate. You obviously cannot show someone, especially if they are guilty, the results of the investigation in mid-stream, but at some point the investigation is over. There is nothing left to compromise and the employee, guilty or innocent, ought to be able to see the report, again possibly with certain information redacted.
    There are provisions, I believe, in the Fair Credit Reporting Act, not terribly strong, to be sure, but I believe they exist, that set some sort of minimal standards for the fairness of the process and the accuracy of information. Those would be lost if we took employee investigations completely out from under the jurisdiction of the FCRA. I do not think anyone wants to do that.
    I would be happy to submit additional suggestions to the Chair in a very short time, if I might have permission to do that.
    Chairman BACHUS. Thank you, and we would welcome that.
    At this time, the gentleman from North Carolina, Mr. Watt.
    Mr. WATT. Thank you, Mr. Chairman.
    I would welcome a copy of Mr. Maltby's follow-up also. Mr. Maltby, you seem to be a little outnumbered on this panel.
    Mr. MALTBY. I am not, Congressman.
    Mr. WATT. Not necessarily. I am trying to find common ground here, rather than trying to score points about who is right and who is wrong, because there is some right, as you acknowledged, on both sides of this issue.
    So that I can explore that common ground, let me talk to Mr. Reynolds and Mr. Morgan for a little bit here, about their reactions to the things that Mr. Maltby has proposed. He, as I was jotting down what he said, agrees that the prior consent requirement of Vail is probably not a good thing. I think most people would probably agree with that. I take it you all agree with that.
    Mr. REYNOLDS. Yes, Congressman.
    Mr. WATT. Check one for common ground there.
    On pretext investigations, he thinks there ought to be some explicit protection that says you cannot use criminal or other background information as a pretext to try to eliminate somebody. What do you think about that?
    Mr. REYNOLDS. Congressman, there are already provisions in existing law to cover that.
    Mr. WATT. What law?
    Mr. REYNOLDS. For example, under Title VII, if an employer were to use a criminal background check as a pretext where the real purpose, for example, was to discriminate, that would clearly violate Title VII.
    Mr. WATT. So what you are saying is we just need to reconcile EEOC Title VII and the Fair Credit Reporting. Is that an explicit provision or is that case law?
    Mr. REYNOLDS. That is case law, and it is commonly held case law that has been in place since the 1970s.
    Mr. WATT. And you agree with that, so if we could figure out some way to get those things consistent, you would be happy with that?
    Mr. REYNOLDS. Congressman, I believe they are already consistent. Title VII is in existence. The case law is quite explicit.
    Mr. WATT. Okay, but if we made it explicit under Fair Credit Reporting that you cannot do pretext, would that be something you and Mr. Morgan would object to?
    Mr. REYNOLDS. At least from my standpoint, Congressman, I believe the pretext issue is covered completely by both Title VII and the courts and I do not see a need to add to the provisions of FCRA in order to address that issue.
    Mr. WATT. Okay, well, I think you are missing my point. You have one law that doesn't say anything about it, and another law that says something explicit about it, at least in case law, and you all are testifying that there is a conflict here. Couldn't we reconcile that by simply making it explicit? That is the question I am asking. I am looking for common ground here. Am I missing something here?
    Ms. Plummer, would I be chasing the wrong dog if I tried to just make explicit what Mr. Reynolds says is already over there somewhere in another area, but if we just put it in Fair Credit Reporting, would that be okay with you?
    Ms. PLUMMER. No, it would not be okay.
    Mr. WATT. Okay, then why wouldn't it be okay?
    Ms. PLUMMER. The effect of doing that would be to muddy the waters because Title VII and the case law that follows it do completely cover the issue of pretext based on protected class status. If you then add that to the FCRA, you are simply adding yet another burden, yet another interpretation that has to be made of that law.
    Mr. WATT. But Mr. Reynolds just told me that I am not adding anything because FCRA is already subject to Title VII. So why would I care about making that explicit?
    Ms. PLUMMER. You would not be adding anything to the rights of the employees or to the citizens, but you would be adding yet another layer of judicial interpretation of the statute that employers would have to combat. As we can see here, the language in the existing statute has brought us all here today. So my concern if we attempt or Congress attempts to clarify pretext in the FCRA, it will lead to confusion.
    Mr. WATT. Mr. Maltby, what do you say to this? I am trying to be an honest broker here and walk down the middle.
    Mr. MALTBY. Congressman, I would not say you are chasing the wrong dog, but I would say you are missing a lot of the pack.
    Mr. WATT. Okay. Go ahead.
    Mr. MALTBY. I actually think Mr. Reynolds is correct.
    Mr. WATT. All right.
    Mr. MALTBY. If the investigation is a pretext for getting the black employee out of the workplace because of some sort of racial bias, I think he may be right; that that is already adequately addressed by Title VII. But that is one of 100 possible reasons for pretext.
    What if the real reason for launching the investigation is because the person is organizing a union, or they are a woman who does not like the way women are being treated in the company and they are starting to make some noise about it, or because you just don't like the guy, or because he is gay in a jurisdiction where that is not protected by law? There are 100 reasons to launch a pretext investigation. One of them may be covered, but the other 99 are not protected.
    Mr. WATT. What about this copy of the report in some redacted form at some appropriate time? Mr. Reynolds, do you think if somebody is investigating me and I am found to not have any problem; I am investigated and you have found nothing. Do you think it is okay if I get the report at some point, that maybe then I can take it to another employer and say, look, this one turned me down after they found that I was not guilty; maybe you will consider me positively.
    Mr. REYNOLDS. Congressman, let me at the outset just caution the use of the words ''innocence'' and ''guilt.'' In the context of workplace investigations, the employer is not the government. They do not make findings of whether someone has violated a statute. This is important for this reason. What Mr. Maltby may suggest in his comments, the provision of the report et cetera, those are certainly potentially due process protections, but they are due process protections that are better suited to the context of governmental action in a criminal prosecution.
    In this context, you have an employer whose obligation is to make the best possible judgment based on the best possible investigation they can do. They are not held to the standards of reasonable doubt, nor should a question of innocence or guilt be at issue. The real question is whether or not the employer can do an effective investigation to determine whether or not the company's policies have been violated, and sometimes those policies are broader and more expansive at the employer's option than law.
    So under those circumstances, to get to your question, Congressman, my answer would be that there are many circumstances where it would not be appropriate to mandate that the employer provide a copy of the report. One quick example, there are many instances in which the investigation is about a current employee's actions vis-a-vis another current employee. It is the employer's obligation to make sure that the complaining employee is not retaliated against. We would not want to be in a position of creating the atmosphere, the conditions for retaliation.
    Mr. WATT. I think that is what Mr. Maltby was trying to redact, I assume. I do not think we would have any problem with that.
    Okay, I think what you all have succeeded in doing is showing us how difficult this area is. Mr. McClain is going to clarify it for us.
    Mr. MCCLAIN. Thank you, Mr. Watt. I would just like to comment on some of these issues.
    With regard to providing a copy of the report, Section 609 of the FCRA does provide for discovery. So even if Representative Sessions's bill were enacted, anybody that wanted to dispute their termination still has the ability to get a complete copy of that report usually under a confidentiality agreement supervised by the court. That is the way they do it, so they can get a copy.
    Mr. WATT. I have to be in litigation before I can get a copy of it?
    Mr. MCCLAIN. Well, there are reasons for that. The court can protect the witnesses, for instance. If there is some indication that the names of those witnesses should not be just handed over, so then they use the attorneys for insulation. The other thing, regarding Mr. Maltby's statement, talk about unfairness, some employers, and I do not have any hard and proof evidence of this, but I do believe that sometimes because employers are unable to do a thorough investigation without telling everyone, because of the Fair Credit Reporting Act, I think they sometimes think that the easier way, and it is certainly cheaper than hiring me, the easier way is to just get rid of the suspect; find another reason to get rid of him. Now, that is unfairness and that is an indirect result of a law that is supposed to be protecting these same employees.
    Mr. WATT. I think Mr. Morgan wants to say something. I have run out of time myself, but maybe the Chair will let you respond.
    Mr. MORGAN. Congressman, in a lot of workplaces, the reality is that there are sometimes small groups of employees. My stores, which would not be untypical, usually employ 50 employees. With a 50-employee work group, even providing a redacted document, it will be obvious who did this and that would create additional workplace problems that I would really be concerned with.
    Also, regarding Mr. Maltby's comments, if someone was organizing, I cannot fire someone as a pretext under the National Labor Relations Act. And also, if there were a history of discrimination that was going on, I would be subject to a patterns and practice suit under EEOC for that. So there really are a lot of protections out there already.
    Chairman BACHUS. At this time, I am going to ask Mr. Tiberi to take the chair, and I am going to recognize Mr. Crowley, the gentleman from New York, for questions.
    Mr. CROWLEY. I thank the Chairman.
    My staff is telling me the second round of panelists is going to have more difficult issues, and it is interesting to hear about the Vail letter and the FTC, that this seems to be an issue that needs to be worked on a great deal more. So I appreciate the testimony of all of you here today.
    I thank Mr. Watt for his line of questioning as well. I think it amply demonstrated that there is a need to really clarify what the intent is.
    I just want to move to another area, and that is concerning the seven criteria. Mr. McClain, if I can direct the question to you, and then if the other members of the panel could respond in some way, I would appreciate it. The consumer credit report certainly includes information about a consumer's credit worthiness, credit standing, and credit capacity, and then four other categories: character, general reputation, personal characteristics, and mode of living.
    I understand that for the most part, the financial services industry generally looks at the issue of credit worthiness, credit standing and credit capacity for granting or denial of credit. The terms ''character, general reputation, personal characteristics and mode of living'' are used more in investigatory reports that are governed by the FCRA.
    As these four criteria are not defined at all under 15 U.S. Code, I was wondering if you would both define these terms as you believe they are used, as well as let the committee know if these are important criteria. And if so, should they be defined in statute to prevent such a broad swath of information from being used in investigatory and/or credit reports under FCRA?
    Mr. MCCLAIN. I think further definition would always be helpful. I am not sure to what extent you can do that. The FTC has taken the position, and I don't think wrongfully, that pretty much in any report it is very difficult to have a report that does not encompass one or more of those definitions.
    So I do not know if a further definition might help, but I think the big issue is whether or not these types of reports should be consumer reports. I believe rather than trying to define all of these things further, if we just made it clear in the law that these types of investigative reports are not covered by the FCRA, I think that would be appropriate.
    Many of the investigations that we do, we do not necessarily run credit reports. Credit reports contain information that would be very helpful on embezzlement investigations, particularly when you are looking for someone who is living beyond their means. It is a flag that indicates you might be on the right track. But in every instance, the Sessions bill would not change that. You would still have to have the consumer's written permission before you could run a credit report. So we would be able to do other types of investigations, but we would not be able to run credit reports. I hope I was responsive to your question.
    Mr. CROWLEY. Would you be in favor of the status quo, then, leaving the seven criteria and those four particularly that I mentioned at the end, intact?
    Mr. MCCLAIN. We have learned to live with and understand what they mean, provided that this general category of misconduct investigation is excluded, and it clearly indicates that it is not a consumer report, then those definitions would not affect misconduct investigations, but they would still affect all of the other investigations.
    I do not have any problem with preemployment. We have learned to live with that. I think most of the employers have learned to get applicants' permission before they investigate them. That is not a problem. It is when you have an existing employee who is malfeasant in some respect that you have to investigate. Therein lies the problem.
    Mr. CROWLEY. In all four of these, character, general reputation, personal characteristics, mode of living, are these all opinions that you derive from information that is given to you? For instance, personal characteristics and general reputation, how would you define that?
    Mr. MCCLAIN. Well, the FTC can say that just about anything we do, I mean, if I go down and check Superior Court records on someone and they say that that record check is going to possibly indicate the mode of living or the characteristics, so I do not know how else to get around that.
    Mr. TIBERI. [Presiding.] The gentleman's time has expired.
    The gentlelady from New York is recognized for five minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman, and thank you to all the members of the panel for the information that will help us embarking on this comprehensive reauthorization of the legislation that is before us.
    Mr. Maltby, employers obviously collect an abundance of data regarding their employees. Some of the data, such as salary, is furnished to credit reporting agencies and plays an integral part in the credit-granting process. Outside of salary and tenure data, what sort of data do employers systematically collect on their employees?
    Mr. MALTBY. It obviously varies a great deal from employer to employer. But if I think back to the days when I was a corporate general counsel and had responsibility for the HR function, I cannot think of a great deal that I could not find out about one of our employees if I were to take a very careful look through the personnel file. There is almost nothing that I could imagine that would not be in there.
    Ms. VELAZQUEZ. How do employers use this information? Do they furnish this data to credit reporting agencies?
    Mr. MALTBY. Ma'am, I really do not know that for sure. My assumption would be that if the employee had applied for the loan and the employer knew the employee had applied for the loan, the employer would provide any information that appeared to be relevant, but that is strictly an impression on my part. I really do not have any hard data to back that up.
    Ms. VELAZQUEZ. Mr. Morgan, given your HR experience, could you please comment on this as well?
    Mr. MORGAN. Yes. We would only give out information to an agency if I had written permission from the employee to do that. Under normal circumstances, I am not gathering data up and giving it out to anyone. As a matter of fact, I see it as one of my great responsibilities to the employees to not do that.
    So generally speaking, I would only give out any information as long as I had a release from the employee. That also would go for reference checks. The reality of life today is that reference checks do not exist because no employers are giving out any information.
    Ms. VELAZQUEZ. Thank you.
    I would like to ask this question of Ms. Plummer and Mr. Maltby. I understand the restrictions that the Vail letter imposes on employers. Employers must provide an employee with notice that they are being investigated, and also must secure their consent before an investigator can begin their investigation.
    I also understand that these restrictions can prevent outside consultants from conducting an effective investigation. What risks to the employee do external private investigators pose to employees? In your experience, is there a need for enhanced protections when a third party conducts these employee investigations?
    Mr. MALTBY. Ma'am, I would not go so far as to say that there are no concerns for having an outside third party investigator, but in general it is probably better off if there is a third party investigator. There are just too many possibilities for bias or intimidation in an internal investigation, particularly if the person being accused is fairly far up the corporate food chain.
    Again, I would not want to make that as a blanket recommendation, but my blood does not run cold when I hear that a firm has brought in an outside investigator, assuming they are a competent professional firm. It might be better to bring in someone from the outside who does not have all the potential for bias that an inside party might have.
    Ms. VELAZQUEZ. Ms. Plummer?
    Ms. PLUMMER. There are no enhanced concerns for the employee when a third party is brought in to investigate. In fact, it improves, as Mr. Maltby just expressed, the possibility of an impartial and fair investigation. In fact, it is to the employee's benefit to have somebody from outside the company come in to investigate for just that purpose.
    Ms. VELAZQUEZ. Thank you.
    Thank you, Mr. Chairman.
    Mr. TIBERI. Thank you.
    I would like to thank the panelists from our first panel for testifying today, and ask the second panel to be seated for their testimony. Thank you very much.
    Thank you all for coming today. I will introduce the second panel, starting from my left, working to my right: Mr. Chris Petersen, attorney with Morris, Manning and Martin, LLP, on behalf of the Health Insurance Association of America; Mrs. Roberta Meyer, Senior Counsel, American Council of Life Insurers; Mr. Marc Rotenberg, Executive Director, Electronic Privacy Information Center; Ms. Joy Pritts, Assistant Research Professor, Health Policy Institute, Georgetown University; and last but not least, Mr. Edward L. Yingling, Executive Vice President, American Bankers Association.
    Thank you all for being here today. I would like to remind all of you that you have 5 minutes to give us your testimony, and it will be followed by questions from those who remain here today. I would like to start with Mr. Petersen. Thank you for being here.


    Mr. PETERSEN. Thank you very much, Mr. Chairman, members of the subcommittee.
    My name is Chris Petersen. I am a partner with the law firm of Morris, Manning and Martin. Today I am testifying on behalf of the Health Insurance Association of America. The HIAA is the nation's most prominent trade association representing the private health insurance system. Its nearly 300 members provide the full array of health insurance products, including medical expense, long-term care, dental, disability and supplemental coverage to over 100 million Americans.
    My written statement focuses on the continuum of federal and state privacy laws and the interplay among those various laws. In my oral testimony, I will examine these additional privacy laws, in conjunction with the Fair Credit Reporting Act, limiting health insurers' ability to disclose information. As the committee is aware, important provisions of the FCRA are up for reauthorization. The HIAA supports the reauthorization of the Fair Credit Reporting Act.
    The HIPAA privacy rule is the first of these many privacy laws that health insurers must comply with. The rule provides that those insurers that meet the definition of a health plan may not use or disclose protected health information except as permitted or required by the privacy rule. In addition, the privacy rule provides for six instances under which a health plan is permitted to use or disclose information. Most relevant for today's discussion are the permitted uses and disclosures for treatment, payment and health care operations, and those uses and disclosures made pursuant to an authorization.
    Health care operations encompass uses and disclosures necessary to administer a health plan's business and provide benefits to covered individuals. Many of the health plan's routine uses would fall under this provision. However, disclosing to a financial institution for that institution's operations would not fall under the health care operations exception. As a result, the HIPAA privacy rule would not allow a health plan to disclose health information to another financial institution without that individual's signed authorization for purposes of that financial institution to make credit decisions regarding the individual that is the subject of the information.
    The HIPAA privacy rule also provides the privacy standards requirements under the rule. State laws are preempted if they are contrary to the HIPAA privacy rule. Therefore, we have to also look at state privacy laws to determine how they interact and regulate the ability of a health insurer to disclose financial information or health information.
    In 1999, Congress enacted the Gramm-Leach-Bliley Act establishing a statutory framework for all financial institutions to use in disclosing information. The National Association of Insurance Commissioners adopted a model law regulating Gramm-Leach-Bliley disclosures by health insurers at the State level to provide guidance for State insurance departments in regulating this important area.
    That model regulation governs financial disclosures, but the State insurance departments went further than the federal law as they also regulate disclosures regarding health insurance information. Insurance entities may not rely on the opt-out rule of the Gramm-Leach-Bliley Act to disclose nonpublic personal health information. Instead, insurance entities must either have the individual's written authorization to disclose the information, or the disclosure must be allowed under the regulation's permitted exceptions.
    Generally, the regulation allows an insurance entity to disclose information in order to service a transaction that a consumer requests, or to conduct insurance functions, or to make disclosures that are in the public good. This regulation was drafted with industry, regulatory and consumer input, and I believe those exceptions, once again, would not allow an insurance entity to disclose health information to another financial institution for the purpose of that financial institution making credit decisions.
    In 1982, the NAIC adopted a comprehensive privacy model. This also regulates insurance institutions and requires that an insurer must have an authorization in order to disclose financial or medical information or personal characteristics information, as we discussed earlier. Once again, you can disclose for insurance functions, but you cannot disclose for purposes to another institution for that institution's credit-making decisions without an authorization.
    Finally, there are a whole array of State privacy laws that govern sensitive health information, for lack of a better term. These laws are additional protections for specific types of information. As you look at the HIPAA privacy rule, insurers have to once again make a decision: Do these laws provide greater privacy protections, and limit the scope and uses and disclosures of health information? If so, health plans must comply with these laws as well.
    In conclusion, a whole array of laws would prevent health plans and health insurers from disclosing medical information for credit purposes.
    Thank you.

    [The prepared statement of L. Chris Petersen can be found on page 96 in the appendix.]

    Mr. TIBERI. Thank you.
    Ms. Meyer?


    Mrs. MEYER. Thank you, Mr. Chairman, and members of the subcommittee. I am very pleased to be here to testify before you today on behalf of the American Council of Life Insurers, the principal trade association for life insurance companies. Our members sell life insurance, disability income insurance, long-term care insurance, and also provide annuities.
    Life insurers have a very long history of trading highly sensitive information, including our policyholders' medical information, in a highly professional and appropriate manner. Life insurers collect and use this information in order to serve their existing customers. At the same time, life insurers support very strict protections relating to the confidentiality of the medical records. Accordingly, we strongly support prohibiting the sharing of medical information in connection with the extension of credit.
    Today, I am going to very briefly explain why life insurers collect medical information and why it is so important to the life insurance process. I will very briefly provide an overview of ACLI's policy on medical records confidentiality, and then again touch on the key elements of the numerous federal and state privacy laws that do in fact provide very comprehensive protection to life insurers' policyholder medical records. In today's world, life insurance protection is more important than ever. In order to continue to make insurance products and services widely available at the lowest possible cost, life insurers must have access to medical information. The risk classification process, which is based in large part on medical information, provides the fundamental framework for the current private system of insurance. In fact, it is largely this process which has made it possible for insurers to make their products widely available to American consumers today.
    ACLI's privacy policy, as I said before, provides for very, very strict limits on insurers' ability to both obtain and disclose consumer medical information. The principles also support a prohibition on the sharing of policyholders' medical information with a financial institution for purposes of determining eligibility for credit, even if in fact that financial institution is an affiliate of the insurer.
    I would now like to speak very quickly to the various federal and State laws. Mr. Petersen has spoken to some of them already, so I will just touch very briefly on the key elements of those provisions. First, under the Fair Credit Reporting Act, medical information may be a consumer report because it does in fact bear on the consumer's personal characteristics and is used as a factor in determining an individual's eligibility for insurance. However, medical information is afforded special status under the FCRA.
    Medical information can be disclosed by a consumer reporting agency to an insurer only in connection with an insurance transaction and only with the consumer's consent. Insurers believe that the FCRA is critical to their business. It in fact facilitates widespread availability and affordability of insurance today.
    ACLI member companies also strongly support the privacy provisions of the Gramm-Leach-Bliley Act. As Mr. Petersen has already indicated, medical information under that Act is treated as nonpublic personal information, and may only be disclosed by a financial institution provided the individual is given notice of the sharing and given the opportunity to opt out of the sharing.
    The only circumstances under which notice and opt-out do not need to be provided is when the information is shared for operational insurance business functional purposes or in connection with joint marketing agreement. In fact, state privacy laws generally go further than this and require insurers to obtain an opt-in for the sharing of medical information.
    In fact, when the National Association of Insurance Commissioners and the States were first developing and then adopting the State laws to enforce and implement the Gramm-Leach-Bliley Act, the ACLI member companies strongly expressed the view that medical information should be afforded increased protection, given its highly sensitive nature.
    Both with the NAIC and throughout the country, as the States have considered adoption of the NAIC model, Gramm-Leach-Bliley confidentiality regulation, the ACLI has firmly expressed its support for the privacy provisions, medical records provisions of that regulation, which provide that in fact before a policyholder's medical information may be disclosed, there has to be obtained by the insurer the authorization or the opt-in of the individual.
    Similarly, the old NAIC model privacy act, as it is called, which was enacted before Gramm-Leach-Bliley, would require the opt-in of an individual before his or her medical information could be shared with a non-affiliated third party, unless in fact the information was again being shared for operational insurance business functions.
    Mr. TIBERI. If you could wrap up, Ms. Meyer.
    Mrs. MEYER. I can. Thank you very much.
    The HIPAA rule, similarly, even though the HIPAA rule does not directly impact on life and disability income insurers, it would in fact require that a health care provider obtain the consent of the individual before an individual's medical records may be disclosed to a life or disability income insurer.
    Finally, Mr. Chairman, we appreciate the opportunity to testify today. We strongly support strict medical records privacy protections, and would strongly support a prohibition on the sharing of medical information for purposes of determination of eligibility for credit.
    Thank you.

    [The prepared statement of Roberta B. Meyer can be found on page 72 in the appendix.]

    Mr. TIBERI. Thank you.
    Mr. Rotenberg?


    Mr. ROTENBERG. Thank you very much, Mr. Chairman, members of the committee.
    My name is Marc Rotenberg. I am Executive Director of the Electronic Privacy Information Center. I have taught information privacy law for many years at Georgetown. I also chair the American Bar Association's Committee on Privacy and Information Security, although I am testifying today on behalf of myself and not on behalf of the ABA. Also with me this morning are Chris Hoofnagle, Deputy Counsel at EPIC, and Anna Slomovic, our Senior Fellow.
    I am very grateful to you and the members of the committee for looking at the issue of medical record privacy. This is clearly one of the top privacy concerns for consumers in the United States. I think the particular challenge that you face this morning is trying to understand the relationship between three different regulatory regimes, and whether or not they adequately safeguard the privacy of medical records, particularly when they may be made available to employers.
    Now, the HIPAA privacy rules, which have been discussed earlier, do a good job of providing privacy protection for covered entities, which are typically the health care plans. But the HHS understood that HIPAA could not be generally extended to employers, and that protection for that type of use of personal information would have to be found elsewhere.
    The Fair Credit Reporting Act, while it recognizes certain protections for medical information, does not in fact go as far as the HIPAA rules, which set out a separate category of protected health information. The Gramm-Leach-Bliley rules do not speak directly to the protection of medical record information. Other means were needed to try to safeguard the protection of medical information after passage of Gramm-Leach-Bliley.
    Where does that leave us today? I would like you to consider the following scenario. Imagine a prospective employee who is seeking a job and the employer asks this person to provide consent for access to the credit report, which is done increasingly today, both through standard employment practices and also through obligations imposed by federal statute. The employee, believing she has a fine credit report and that there is nothing there that would produce an adverse determination, signs the consent.
    Now, it turns out that the credit report may in fact provide information from which the employer could infer medical care or medical services that she has received because, for example, she has obtained credit from a neonatal clinic for fertility drugs, an expensive procedure and something where people might quite likely obtain credit and establish what would be considered on the credit report a trade line. From this, the employer may be able to infer some information about her intent to have children.
    As a general matter in employment law, it would be improper to use that information in the employment determination, but it is an example of how information could be made available through a credit report to an employer that the HIPAA rule would otherwise try to protect, but could not protect in this instance because the employer is not in fact a covered entity under the HIPAA rules.
    Now, I think there are legislative approaches to try to solve this problem. But I want to suggest to you more generally, particularly in the context of the Fair Credit Reporting Act and the many issues that you are considering in this session, that it is particularly important to understand the role that the States play in safeguarding the right of privacy. I think we have been a little bit too quick over the last few years to look for national uniform solutions that effectively restrict the ability of State regulators to safeguard the interests of consumers when these types of issues arise.
    Returning again, for example, to the example of medical privacy under Gramm-Leach-Bliley, this was a problem that was dealt with by the National Association of Insurance Commissioners. It was in fact the NAIC model guidelines promulgated after Gramm-Leach-Bliley that provided a framework for good state regulations intended to safeguard the privacy of medical information that GLB did not otherwise cover.
    But more generally, if you look at the development of privacy law in the United States over the last 30 years, invariably what you see is that Congress passes a baseline standard to provide a basic level of protection to protect privacy interests for consumers across the country, and allows the States to regulate upwards, to provide more protection when they identify new problems that perhaps Washington cannot get to as quickly.
    Sometimes the State efforts succeed, in which case they will be followed by other States. Sometimes the State efforts fail, in which case they will be disregarded. I think this is precisely what is meant by the concept of the States being the laboratories of democracy.
    So I would urge you today as you consider medical privacy issues in the context of financial services, and more broadly the importance of the Fair Credit Reporting Act, that you safeguard the ability of the States to protect the interests of consumers. I think it would be a mistake to allow the preemption loophole to be extended beyond this Congress.
    Thank you very much.

    [The prepared statement of Marc Rotenberg can be found on page 146 in the appendix.]

    Mr. TIBERI. Thank you, sir.
    Ms. Pritts?


    Ms. PRITTS. Good morning, Mr. Chairman and members of the Subcommittee on Financial Institutions. I would like to thank you for this opportunity to testify today on medical information and how it is protected in the financial services area.
    I would like to incorporate everything that Mr. Rotenberg just said into my testimony, because I think he said it so well. But I would also like to emphasize that this is an area that consumers are very concerned about. They do not want their medical information shared in the financial service area without their advance permission.
    In particular, there is a Gallup survey which was done in the year 2000 which showed that fully 95 percent of Americans said they did not want their banks to have access to medical record information without their advance permission. This is a consistent trend, too. It is not something that has just happened. It is consistent. It is persistent. People are concerned.
    There is no question that those in the financial service industry collect and use medical information for legitimate uses in a variety of different contexts. From the written testimony that was submitted, many of those in the financial services industry say that they believe, and as we have heard earlier from Ms. Meyer, that they believe that it is improper to use in particular health information for credit purposes.
    These are important policies that the financial services trade associations have in place and many do subscribe to them, but policies are not enough. The consumer cannot enforce the policy. You cannot take it to court. More important, I think, is also the fact that policies can change. Fifteen years ago, you would have never seen an insurer using a credit score for underwriting purposes. There are many instances in which health information can lead people to financial distress, so what is to prevent in the future from people using health information for credit purposes? What we really need are adequate legal protections. The time to put them into place is now, before the sharing of this type of information is used consistently as a business practice for determining credit purposes and for other purposes that medical information really was not intended.
    One of the things that we really saw when the HIPAA privacy regulations were being drafted was a very persistent problem that people had been using health information for a long time in manners that health care consumers really did not understand and know about. Yet because it had become an established business practice, it was in many ways difficult to control it. The horse was out of the barn and there was no getting it back.
    The problem I see is that the laws that we have today are inadequate. There are a lot of them, but there still are a number of loopholes. For one thing, they do not cover everyone who holds and uses health information in a commercial-type context. They set different standards and they are often inadequate for using and sharing health information. And where they overlap, there is confusion as to which law prevails. It is that last point, which I think is fairly confusing to a lot of people, but which I also find to be fairly disturbing.
    I think that the FCRA and GLBA, the Gramm-Leach-Bliley Act, are particularly problematic from a health consumer's point of view. They govern the sharing of financial information which can, by implication, and often does include medical information in the financial services industry.
    The Gramm-Leach-Bliley Act allows the sharing of financial information, including medical information, among affiliates without the permission of the consumer. It does provide for notice, but as anybody who has received the scores of privacy notices from financial institutions knows, those notices are often incomprehensible.
    This type of sharing of health information is precisely the activity that consumers have repeatedly and strongly said they do not want. They do not want insurers and banks looking at it and then asking them after the fact whether this is something that they really would permit.
    The states have stepped up to the plate. They have filled a lot of these gaps, particularly in the health insurance area. They have been very, very much advanced as to protections that they offer. But the concern is that these laws are subject to attack.
    In particular, the problem here lies, and this is a very kind of wonky discussion I am going to launch into, but the problem lies with the fact that GLBA has essentially two preemption provisions. It allows states to have stronger laws, but then it also incorporates all the provisions of the Fair Credit Reporting Act. The Fair Credit Reporting Act has a provision that prohibits states from enacting laws with respect to the exchange of information sharing among affiliates.
    There have been a number of articles in some trade association magazines and law reviews that say what this effectively does is prevent States from requiring, for instance, an opt-in for the sharing of affiliate information. We think that this really needs to be clarified and the time to clarify it is now. There is no need to wait for a court to make that sort of decision.
    In summation, I would say that health care consumers prefer and demand that they have an opt-in for sharing of medical information, including information among affiliates; that the Fair Credit Reporting Act preemption provision should be allowed to expire, it is merely causing confusion; and that the Congress needs to clarify when you have these three different statutes, HIPAA, Gramm-Leach-Bliley and the Fair Credit Reporting Act, where they overlap, and there is some confusion as to which one is going to prevail, because that is not in the Congressional Record whatsoever.
    Thank you.

    [The prepared statement of Joy Pritts can be found on page 113 in the appendix.]

    Mr. TIBERI. Thank you.
    Mr. Yingling?


    Mr. YINGLING. Thank you, Mr. Chairman.
    The ABA appreciates the subcommittee's holding hearings on the Fair Credit Reporting Act and the issue of protecting consumer information, including medical information. Before I address medical privacy specifically, I would like to briefly outline the philosophy of the banking industry regarding the use of information and the importance of preserving FCRA for our economy.
    First, the cornerstone of banking is preserving the trust of our customers. That only can be accomplished by protection and responsible use of information. Not only is protecting privacy the right thing to do, the highly competitive financial market demands it. No bank can be successful without having a strong reputation for protecting the confidentiality of consumer information.
    Second, we do believe preserving a national credit reporting system is critical to the U.S. economy. The strength and resiliency of the U.S. economy is linked to the efficiency of consumer credit markets. U.S. consumers have access to more credit, from more sources, and at lower cost than consumers anywhere else in the world.
    What makes this possible is a nationwide, seamless, and reliable system of credit reporting. Such a system would be impossible without the Fair Credit Reporting Act. For consumers, it means they can walk into an auto dealership and drive off with a new car within an hour. They can move across the country and open a banking account without hassle. They can quickly refinance their mortgage loan from lenders across the country to take advantage of falling interest rates.
    As is pointed out in a study cited in my testimony, one of the more remarkable achievements of the FCRA is the increased access to credit for lower-income households. By enabling complete and accurate credit histories, FCRA has helped extend credit to millions of Americans who otherwise might not have been able to get it. Simply put, the U.S. credit system works and is the envy of the world. The reauthorization of FCRA, and in particular the preemption of State laws which assures a national, consistent and complete system, is very important.
    Turning to medical information, it is obvious that such information is at the top of the list of personal information that consumers worry about. Three years ago, we convened a select group of bankers to work on privacy issues. Regarding medical privacy, the task force believed it important to reassure the public that, to the extent banks possess medical information on a customer, it will be held sacred.
    Concern has been expressed that lenders might use medical information obtained elsewhere in making a credit decision. ABA's position is that such use of medical information in a credit decision, obtained without the knowledge and consent of the borrower, is just plain wrong.
    There are, of course, a limited number of instances where medical information is directly relevant, for example in loans to sole proprietorships or small businesses where the franchise value of the firm hinges on one or two key individuals. In such cases, insurance on the key individuals might be required.
    In those instances, the prospective borrower will know what information is required and can expressly consent to it being obtained and used. Otherwise, the lender should not need such medical information. Finally, any such information obtained should be kept strictly confidential by the lender.
    Mr. Chairman, we appreciate the opportunity to testify today, and I would be happy to answer any questions.

    [The prepared statement of Edward L. Yingling can be found on page 162 in the appendix.]

    Mr. TIBERI. I don't think I have ever seen that before. You have 1 minute and 20 seconds to spare.
    Mr. YINGLING. I am the last guy before lunch.
    Mr. TIBERI. Thank you, Mr. Yingling.
    Thank you, panel, for your testimony today.
    I am going to defer my 5 minutes for questioning. I am going to call on the gentlelady from New York for 5 minutes.
    Mrs. KELLY. Thank you.
    We have been talking today about the use of information that is collected with regard to people. I would like to just ask anyone on the panel, who is collecting this? Where do you go to get this information? There was at one time a situation I recall, for instance with medical information, there was only one company that carried it. It was all in one massive computer, so everybody went there to get that information. Where do you go to get this information about people?
    Mr. PETERSEN. Health insurers typically get most of their information first, from an application and/or a claim. So that would be the starting base. Some of the insurance industry would use a clearinghouse that you are referring to. A lot of the health insurance industry does not use that clearinghouse because of the cost-benefit analysis.
    So for health insurers, it would be primarily the application process. Then they would get an authorization, and they have to get an authorization both under State law and federal law, to collect information from other sources. Those sources would be identified in the authorization. It would be primarily providers, other insurers, and maybe in some limited circumstances this clearinghouse that you are referring to.
    Claim information, if it is a claim, that information generally would come first from the claim submitted by the individual, but most generally from the providers themselves.
    Mrs. KELLY. In that clearinghouse that you are talking about, where they hold the information, does a consumer have the opportunity to change medical information?
    Mr. PETERSEN. Once again, I am speaking from the perspective of health insurers, both under the National Association of Insurance Commissioners' 1982 NAIC Act, people have a right to access and amend their information. The clearinghouse would be one of the covered entities under that Act.
    Now, that Act is only in 16 states. It was the first comprehensive privacy attempt at the State level. A lot of very significant population states have it, but it is only 16 states. The HIPAA privacy rule would allow you to get access and amend your information, so you would have access to the information that the health insurer had, and if the health insurer disclosed it, you would have to correct the information down the disclosure chain.
    Mrs. KELLY. How complicated is that? How easy is it to find out who has your information?
    Mr. PETERSEN. Once again, from the health insurance perspective, you have to make an accounting of disclosures, both under HIPAA and under the 1981 Act. So if you made disclosures to those kinds of entities, you would have to tell them they had it, and if you made a correction, you would have to tell them you made a correction. If you wanted a correction and me, the insurance company, disagreed, you would have to allow that individual to put something in the record stating that you disagreed with the failure to make the correction.
    This is all fairly recent, though, so it is not well-tested as to how well it works, to be quite honest, under the HIPAA rule because April was the effective date, so we do not know how well it works, but they have a process, I think, to address concerns of the past in that area.
    Mrs. KELLY. Thank you.
    Ms. Pritts, do you want to speak to that?
    Ms. PRITTS. Yes. I think that your original inquiry was directed towards the Medical Information Bureau. Is that correct? The Medical Information Bureau is essentially like a credit reporting agency for health information. It is a national bureau that I believe other insurers, other than health insurers, can rely on for obtaining more or less the status of health information for individuals.
    MIB reached an agreement with the Federal Trade Commission a number of years ago that its reports would be considered to be consumer reports. So individuals have the right now to obtain a copy of their report from MIB, much as they would a credit report from a credit reporting agency, for a fee of I think it is $8.50 now. They can review that information and they can request that that information be corrected if it is inaccurate. They can try to supplement that record if it is incomplete.
    As a matter of practice, people who have actually attempted to use this process have met with mixed degrees of satisfaction with it.
    Mrs. KELLY. What I am really driving at is if you are in the process of questioning your medical record that someone else is holding, and a financial institution is also getting some of that information, is that then flagged to the financial institution so that the financial institution knows that there is a question about something on your record? There are some things on people's records that they simply do not want others to know, and yet you must sign, in certain situations, you feel you must sign a disclosure form.
    So my question is, if you are in the process of questioning the great computers in the sky that hold all of this information about your credit and your medical records, then how is that transmitted to you as institutions for your use so that you know that these are issues that are at question?
    Ms. PRITTS. Under HIPAA, what happens is, as Mr. Petersen was explaining, the individual has the right, first of all, to look at their own health information, and we would urge health consumers to do that so you have an idea before you sign one of those authorization forms what exactly your financial institution would be receiving. If you see something in there that you think is erroneous, under HIPAA you can ask your doctor to correct that information.
    Now, there are a number of circumstances under which they do not have to do that. What they do is, the patient can also submit a statement saying, "I still think that this information is wrong." At that point, the health care provider is supposed to forward that, either they correct it or they deny it, and we are going to assume that the patient has supplemented and said, "I still disagree with you." At that point, they are supposed to forward that information on to places like perhaps a financial institution.
    If a patient has said, "Look, I am worried; I think this information might be getting into my credit report," they would have to identify them as somebody that this information should be forwarded to.
    Mrs. KELLY. I am out of time, but I hope you will give me my own time to further pursue this a bit.
    Thank you.
    Mr. TIBERI. Mr. Lucas?
    Mr. LUCAS OF KENTUCKY. Thank you, Mr. Chairman.
    I have found this testimony very enlightening. In my prior life for some 32 years, I was involved in insurance underwriting and also banking, so I am a little conflicted here about some of the things that I hear.
    I can see, Mr. Yingling, from the bankers' standpoint, particularly the analysis used of a small business owner, this medical information is very relevant in making a credit decision. I also can appreciate from the fact of people wanting privacy that there is some information that may get out there that they do not want people to know, that is not relevant to the decision.
    I guess from a public policy standpoint, I think that we need to reauthorize the preemption. But I would be interested in what kinds of things we could do to tweak this so we could hopefully make everybody reasonably comfortable, because as it is now, we have some problems. So does anybody want to take a shot at that?
    Mr. YINGLING. Congressman, I would just say that the only time in the credit-granting process that we believe medical information ought to be used is where two criteria are met. One is that it is relevant; and two, that you get the express consent of the potential borrower.
    Now, this is really tight. It is not just a tight criteria. It is not opt-in. It means that for this specific transaction only, you are going to get the permission of the borrower to get specific information, so that the borrower would have the ability to say, for example in Ms. Kelly's question, "You are not going to some third party that has all this information in a computer. You can go to my insurance company and make sure I have an insurance policy. I will show you the insurance policy that protects you in case I die and I am the franchise."
    Or in rare instances, where there is a specific health question, you can go to my doctor and get specific information. But it seems to me that you have a real governor here in that the borrower has the ability to say, "Yes, I will give you the information and I will only give you that specific information, and here is where we are going to agree to go get it."
    Mr. LUCAS OF KENTUCKY. What if you had a situation of a small business owner and he found out that he was terminally ill. So he thought, "Well, I will go to my bank and get this line of credit set up that will help my wayward son who is not that good a businessman; I will get this set up for him." And you know about the information, you find out about it, but he has withheld it. What do you do in a situation like that, where you know, you have gotten that information, but he has not given you that information? How do you deal with that?
    Mr. YINGLING. Well, I think that would depend on how you get it. I do not think the lender has the right to go out and ask for the information without the permission of the borrower. I guess you could conceive of a small town where everybody knows it and so it is common knowledge that there is a health problem or some other problem. I guess from my point of view, it is hard to say the banker could not act on that general knowledge. But the lender should not be in a position of going out and fishing without the permission of the borrower.
    Mr. LUCAS OF KENTUCKY. Okay. Any other thoughts?
    Mr. ROTENBERG. Well, Congressman, I think you put it very well. It is a public policy issue. Certainly, one of the things that privacy laws try to do is to allow people to participate in the marketplace, to obtain credit, to pursue employment, without being required to disclose a great deal of personal information, because many people would rightly feel that if they were forced to say everything about themselves, they might choose not to go for the loan or they might choose not to try to get the job.
    I have always believed the privacy laws are actually good for the economy because they give people the safety and assurance that they can pursue economic opportunity without having to disclose a lot of personal information. Now, I think in the years ahead, this problem is going to become quite a bit more serious. Diagnostics are becoming more precise, more advanced. There has been more commercialization of this information. It is easier for employers to get access to. Our health care system is being radically transformed by new technology.
    I think it is very much appropriate for the Congress at this point to draw some lines and to say the information that might be appropriate in the diagnostic setting in the delivery of medical care for an individual is not necessarily information that we should make available to employers, even though they may be interested.
    Let us be honest on this point as well. Employers would probably like to know a great deal about their employees. But I think it is very appropriate for Congress in those situations to say, that person is your employee; they are not your patients, and there is only certain information that you are going to learn about that person.
    Mr. LUCAS OF KENTUCKY. Okay. Anybody else?
    Mrs. MEYER. I might say on behalf of the life insurers that we believe that extension of the FCRA affiliate-sharing provisions is absolutely critical. Just as the FCRA has made it possible for credit to be widely available in the United States, it has also very much facilitated the availability and the affordability of life insurance products across the country.
    It is essential, as I stated in my testimony, that insurers be able to obtain and use medical information in order to assess risk, in order to make life insurance products widely available and affordable. At the same time, we recognize and very much appreciate consumers' particular concerns about medical information. For that reason, we do in fact support laws and regulations that would actually impose strict requirements and limits on our ability to in fact obtain and disclose this information. We very much support a prohibition on the sharing of medical information to determine credit.
    Mr. LUCAS OF KENTUCKY. Thank you.
    Mrs. MEYER. Thank you.
    Mr. TIBERI. Thank you. The gentleman's time has expired.
    I am going to recognize the gentleman from Ohio for 5 minutes.
    Mr. LATOURETTE. Thank you, Mr. Chairman.
    Mr. Petersen, I apologize. I was not in the room for your testimony, but I have read it and I have a question that has nothing to do with fair credit reporting, and just wonder, as a representative of the health insurance industry, if you have an observation.
    When I talk to the small business folks in my district about the implementation of HIPAA and the law of unintended consequences, they are describing a situation that because, not that they want to root around in their employees' medical information, but because when they approach a health insurer they can only share or know so much information. They are finding that their insurance premiums are dramatically increasing because the insurance company is not aware of the risk that they are being asked to insure. Is that a reasonable observation by these people?
    Mr. PETERSEN. It is difficult. First off, for your small employers, I feel for them because I represent large insurers who have the absolutely same responsibilities as very small employers, and individual doctors. They all have to comply with this very large rule, and not all of them can afford to hire attorneys. So it is a very difficult problem.
    There is one problem about how you share information as an employer. The rule sets up group health plans, plan sponsors and employer requirements, all for the separate sharing of information. Unless you provide notices and put in policies and procedures, you may have restrictions on your ability to obtain and/or disclose information.
    I have heard of situations where small employers are finding it difficult to sometimes have one health plan disclose to the other health plan, or just to get the information generally and to disclose. From a health insurance perspective, if you do not have the information, a conservative underwriting approach is to, unfortunately, consider that it is probably bad.
    There has been some state activity. A few states are now enacting laws requiring one health plan to give it directly to the other health plan, so that the employer is not in the middle. They can just tell the one insurance company, give my information to the other insurance company. I think those types of laws will help address it, but it is a 50-state problem.
    Mr. LATOURETTE. Thank you.
    Mr. Rotenberg, I was in the room for your testimony and I heard you talk about a credit report of a prospective employer that might have some billing or a credit application for fertility. I think you said that the employer could not make an inference, which would be improper in the employment setting anyway.
    But couldn't the same inference be drawn, since we are talking about inferences, by an employer who was interviewing a woman who was 22 years old who just got married, from the fact that on her credit report there was testing for fertility, that she may want to in the foreseeable future start a family?
    In both of those inferences, if you reach the conclusion that she was desiring to get pregnant, that would not, under the laws already on the books, be a disqualifier. It would be an impermissible reason to disqualify someone for employment. Is there a better example or a greater danger that you see than the one that you cited to us in your testimony?
    Mr. ROTENBERG. Congressman, I actually think the example is a fairly good one because it is a medical service that is increasingly likely to appear on credit payments. In fact, when the Federal Reserve took a look at credit reports, they were very interested in their study of February 2003 this year to find a very large number of credit payments related to medical services.
    So we could go into a bit more detail. We could imagine certain types of clinics that provide help for people with stigmatizing conditions. But I think the critical point is that there is information made available today through the credit report that would otherwise be covered under HIPAA, but for the fact that the employer is not a covered entity under HIPAA. That is the statutory problem.
    Mr. LATOURETTE. And Ms. Pritts, as I read your testimony, there was a reference that I did not hear you talk about, but there was apparently a banking executive that served on his county health board, is that right?, and you cite that as an example of bankers using medical information for making credit decisions.
    My question is, based upon your study of HIPAA, wouldn't the conduct of, I assume it is a fellow, but this banker prior to 1993 be a violation of HIPAA today? And if not, why not?
    Ms. PRITTS. He is not a health care provider, and it is not clear where he was getting his health information from. He was serving on a board, I believe. It is not clear whether that registry would be a covered entity under HIPAA, because of the definition of health care provider.
    Mr. LATOURETTE. Okay. But you would agree with me if in fact the information was being supplied by a health care provider, that it would be covered, and your answer is that it would?
    Ms. PRITTS. Well, if it is supplied by the health care provider to a registry, it then becomes uncovered by HIPAA, so then it is not protected.
    Mr. LATOURETTE. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. TIBERI. Thank you.
    Mr. Crowley is recognized for 5 minutes.
    Mr. CROWLEY. Thank you, Mr. Chairman.
    Let me just take Mr. Rotenberg's example to another level. I would ask Mr. Petersen and Ms. Meyer or Ms. Pritts to chime in.
    If an individual were to obtain the TB test or an AIDS test or even a mammogram and pay for that using a credit card, would it be possible for that information then to be shared with affiliates? If so, is that possibly exposing what we determine as risky behavior in one's personal behavior that could be used against them to deny them insurance, both health and PC? Or even taking it to a further extent, is it possible that information could be used to deny them employment?
    Mr. PETERSEN. I will take the first shot at the question. The mere fact that they charged the information from a health insurance perspective, if they then submitted that charge to the health insurer for reimbursement, that would become protected health information and would be subject to all the protections I described.
    The 1982 Act, you asked earlier about avocation, lifestyle, reputation, the 1982 Act of the NAIC provides special protections for that information as well. They essentially treat it for health purposes like marketing. So if you inferred something from that, you also could not share that for marketing with a third party.
    Mr. CROWLEY. What if you are an affiliate with the company?
    Mr. PETERSEN. You have limitations under HIPAA about how you can share protected health information from marketing. You can share it to do upgrades to existing products, for instance, but very limited ability to use that. So if you just had that claim information, I think you would be restricted on how you could use it within the internal, even within affiliates, or internal uses. So you would have limitations on how you could do it.
    Under HIPAA, if it was not a part of the hybrid entity, for instance if you had an affiliate that was a life company, you could not disclose at all to the life affiliate. It would have to be health to health, and for limited ways to share it for marketing.
    Now, on the other hand, of course, if it was something that came up in the application process, so you paid for it with your credit card, but it came up in the application process, then the health insurance company could use that information.
    Mr. CROWLEY. They could use it. Well, then, Ms. Meyer, would you like to respond?
    Mrs. MEYER. Yes, thank you.
    If in fact you are talking about the bank sharing information with an insurance affiliate. Under the Fair Credit Reporting Act in fact that probably would be an experience in transaction information, so that the bank could share it with the life insurance affiliate. Although, I have got to tell you, I am hard-pressed to think of an actual situation where a bank would be sharing information of that nature, of a charge with a life insurance company.
    But say in fact the life insurance company did get the information, then once the life insurance company gets the information, then it would first, I cannot even think of the real-world where it would get it, so that it would even be an issue, because I cannot imagine they get that information in connection with underwriting.
    But if in fact an insurer ever did get the information, then the whole ambit of all the body of laws dealing with insurers' ability to disclose information would come into play, notably the NAIC model regulation, which requires an opt-in for the sharing of medical information, unless it is for an insurance business function, or the old NAIC model Act, which again requires an opt-in. Then you would possibly get into the Fair Credit Reporting Act, which would probably require an opt-out for the sharing.
    But in fact, insurers that do business all over the country adhere to the NAIC model Act and regulation, essentially in all States in which they do business. So that essentially ends up being the law of the land. But again, getting to the very beginning, I am hard-pressed to think of a situation where a life insurer would actually be getting that type of information from a bank.
    Mr. CROWLEY. You may be hard-pressed, but it is not inconceivable that something like that could happen in the future.
    Mrs. MEYER. I just don't know how.
    Mr. CROWLEY. We don't know where this is going, actually. Things are evolving in terms of information and the need for more information to make decisions based on one's personal life, especially risky business.
    Mrs. MEYER. I guess conceivably, but that flow of information is something that I have not seen.
    Mr. CROWLEY. Difficult. Okay, Mr. Chairman, just one more question, if I could, for Mr. Yingling.
    I missed your opening statement, but it was pointed out to me by my staff that it says, ''With respect to the banks, medical information should only be used for the express purpose for which it is provided and should not be shared without the express consent of the consumer.'' Are you advocating a system of opt-in for health information, as opposed to opt-out?
    Mr. YINGLING. As I mentioned in a previous answer, I don't think it really is opt-in. I think it is stricter than opt-in. An opt-in regime could be a general approval to seek information or to use information, and it could be prospective and cover additional transactions.
    When we say with the approval and consent of the potential borrower, what we mean is a specific approval of the information that is needed for the application in front of you, so to speak. So it actually I think is stricter than opt-in.
    Mr. CROWLEY. Thank you.
    I thank the chairman.
    Mr. TIBERI. Thank you. The gentleman's time has expired.
    Without objection, the gentleman from Illinois, Mr. Emanuel, may be recognized for the purpose of questioning witnesses under the 5-minute rule. Do I hear an objection? Not hearing an objection, Mr. Emanuel? Mr. Emanuel is recognized for 5 minutes.
    Mr. EMANUEL. Mr. Chairman, thank you. As a member of the full committee, I ask unanimous consent to ask questions. Thank you.
    First of all, thank you for holding this hearing and putting this panel together. To follow up on this set of questions and your answer, I think we are at a critical point in finding a balance here that allows commerce and information to flow freely, but also give consumers a certain level of protection in this storm that they have a safe harbor. As you said, it is more strict than opt-in or opt-out. I actually am working on a bill creating a blackout as it relates to medical information.
    We have to create, I think, for consumers, because it touches on what Ms. Pritts said earlier as it relates to information, what consumers most care about is their medical privacy. If you look at it as a set of issues, you go down the ladder of what they care about, at least in the data and the research I have seen, and obviously I am dealing with five experts here who may show counter-data, but medical information is what they care most about in the sense that they feel vulnerable and they feel that their privacy has been violated, and then forces greater than they can control and have access to things about them that are not relevant.
    With that, and again the world we live in is changing by the time we deal with this, and we are trying to set up some set of rules going forward that do not allow the different legislation that we have passed in the past, at least to set a clear mark of what the rules of the road are going forward.
    Let me ask a question, and this is for anybody, so have at it. I have a set of questions. What are some of the scenarios that could occur if the existing loopholes are not closed as we try to explore different scenarios? And is there a chance for widespread abuse here? I have some follow-up questions after that, so does anybody want to just take at it?
    Mr. ROTENBERG. Congressman, I return to the original purposes of the Fair Credit Reporting Act. It was an extraordinary law at the time it was passed in 1970. Senator Proxmire and others came together. People became aware that a lot of derogatory information about individuals was being gathered up and being used in an adverse way. The information was inaccurate. We would call it today probably defamatory. It kept people out of jobs. It kept people from getting loans.
    The Fair Credit Reporting Act was passed to create stable transparent markets that consumers could participate in by ensuring accuracy and fairness and privacy. I think what happens, as you describe, as the technology gets ahead of us and some of the new business practices get ahead of us, we get back in some ways to where we were back in the 1960s, where there is the risk that inaccurate information, defamatory information will produce bad consequences.
    I think Congress was very wise in 1970 to deal with the problem then. I think you are going to have to deal with it today with new technology and with new business practices.
    Mr. PETERSEN. I think from the health insurance perspective, it is very difficult to think of any loopholes that actually exist as the HIPAA rule interacts with the State laws. Our firm conducted an analysis of how the HIPAA privacy rule interplays with all 50 State insurance codes. That analysis is over 600 pages, and I am assuming a non-lawyer could do it in 400 pages or however many extra words we might add to it. It is still a very lengthy analysis. State law, from a health insurance perspective, adds a lot of additional layers of privacy protections.
    Now, it is very difficult as a national carrier to interact with all those, so sometimes preemption might be good. But you look at, as I said in my testimony, you have two NAIC models; you have the HIPAA rule; and then you have sort of sensitive information, reproductive rights, genetic testing, mental health, substance abuse, a variety of information that states have deemed to be extra-sensitive, and they have passed additional laws on the uses and disclosures. So I think from a health insurance perspective, almost all bases have been covered.
    Mr. EMANUEL. Okay.
    Mrs. MEYER. I think from the perspective of life insurers, which are in a slightly different position than health insurers because they are not directly subject to the HIPAA rule, life insurers' and disability income insurers' ability to obtain medical information is very much determined by the HIPAA rule, which would not permit health care providers to give information to life insurers and disability income insurers without their providing the authorization of the individual.
    So you take all of the others, the Fair Credit Reporting Act, Gramm-Leach-Bliley, the HIPAA rule and all of the State privacy rules, and again the combination, the fitting of all these rules together in effect operates in the same way, because both life insurers' ability to get the information and then to disclose the information is covered by the combination of all of these rules.
    Mr. EMANUEL. Did you want to say something?
    Ms. PRITTS. Yes. I think HIPAA protects health privacy fairly well in the context of health insurance, but HIPAA is not comprehensive. It only covers health care providers and only if they do certain kinds of transactions, a health care clearinghouse, and health plans. So it does not cover everybody.
    The other point I want to make is that we have heard repeatedly today how important the State laws have been in filling in the gaps at the federal level. They are particularly important with insurance, because that is traditionally governed at the State level. To the extent there is this ambiguity in GLBA and FCRA about whether the States can go as far as they want to go, I really think that needs to be clarified.
    Mr. EMANUEL. One question is, and if you have the life of a member as I do, with office hours in grocery stores, meeting people, doing constituent work, making it easier for people. My day is, and it is a pathetic life, maybe; I do it on Saturday. You meet people. You try to make office hours easier. And I don't think consumers have any idea that on a credit background, health information is accessible. Maybe from the insurance side, but I will tell you from the general public, I would be interested if, from your own background and your own research, your own knowledge of the public, whether you think they know that health information is accessible on a credit background check.
    Mr. TIBERI. The gentleman's time has expired, but please answer the question.
    Mr. EMANUEL. Thank you, Mr. Chairman.
    Mr. YINGLING. If I could comment, I am sure I am oversimplifying here, but the expansion that we are talking about here is due to the Fair Credit Reporting Act covering a whole bunch of different types of reporting agencies.
    If you are talking about the basic credit reporting system, when a bank looks at an application and goes and gets a credit report, they do not have medical information in that report. When people are doing employment checks, they go to a different type of reporting agency where they get that kind of information. I think it is important to make that distinction.
    I am a little concerned if we start trying to deal with issues that just go through basically the payment system or the traditional credit card system where all you have is something that says a payment was made to the Yingling Clinic, and that is all that is in there, or a late payment was made to the Yingling Clinic. Then to ask the reporting system somehow or other to make a distinction between whether the Yingling Clinic is a health clinic or a doctor clinic or a golf clinic, and people who have seen me play golf know that it is not, when you are dealing with millions and millions of transactions with one little piece of information. I do not think you want to require those kinds of reports, or in the situation of those kinds of reports, to have people sit there manually and try and figure out what the Yingling Clinic is.
    Mr. EMANUEL. Thank you, Mr. Chairman.
    Mr. TIBERI. Thank you.
    The gentlelady from New York is recognized for 5 minutes.
    Mrs. MALONEY. Thank you very much.
    I would like to follow up on the questioning of my colleague, Mr. Emanuel. I agree that certainly health information and privacy information and medical information is one of the most sensitive areas this committee deals with. I would like to go back to some of the testimony by Mr. Rotenberg, in which he talked about the availability of medical information in credit reports and the ability to infer a person's medical history based on this information. He cited studies by the Consumer Federation and the Federal Reserve on this point.
    I would like to ask the panel, beginning with Mr. Rotenberg, do you know of any companies that are using this information to make conclusions about people's medical history and base credit decisions on such information, not just late payment, but medical history? You could say payments to a clinic; you could infer they have cancer or whatever. So starting with you, Mr. Rotenberg, and if anyone else would like to comment.
    Mr. ROTENBERG. Congresswoman, the quick answer to your question is no, we have not been able to identify organizations that have used this information in an adverse way. I want to say two things, though, on this point. First of all, that the problem has recently come to light. The Consumer Federation of America report is from December of last year; the Federal Reserve Board report is February of this year.
    Secondly, I think it will take further investigation to actually find those instances where these kinds of determinations are made. But having looked at the report from the Federal Reserve Board, it seems apparent, it was at least apparent to them that medical record information can now be obtained from a credit report.
    Mrs. MALONEY. Has anyone else on the panel, do any of you know of any business that has used this information in an adverse way? Any other members of the panel?
    I would like to follow up and ask, do you, Mr. Rotenberg, or anyone else on the panel, believe that employers are using this information to base employment decisions on people's health? People look at credit reports for employment decisions also.
    Mr. ROTENBERG. Well, I suspect that an employer with access to this information would consider it. Now, as I also indicated in my earlier statement, certain types of determinations, for example a prospective pregnancy, would not be a permissible factor in an employment determination. Nonetheless, under the HIPAA guidelines, which would prevent people from getting access to this information, without those safeguards applying to employers who get access in effect to the same information through the credit report, they can now make judgments about AIDS trials and TB and so forth. I think it is a problem that the committee will need to look at more closely.
    Mrs. MALONEY. Yes.
    Mr. PETERSEN. I was going to say from a HIPAA perspective, employers that provide group health plans, their group health plan is treated just like a health insurer under HIPAA. So if in the context of providing benefits to their employees, if they receive protected health information that identifies the individual, they are subject to all of the same rules as a health insurer. So they could not use the information received in that context to make employment decisions. I think Mr. Rotenberg was talking about information where you could infer health status.
    Mr. ROTENBERG. Just to clarify if I might, Mr. Petersen is describing the information obtained by virtue of the health plan, which is correctly covered under HIPAA. I am talking about the information that is obtained from the credit report that the employer might access as part of an employment determination, which would not be covered under HIPAA.
    Mr. PETERSEN. That is correct, yes.
    Mr. YINGLING. I just want to add again that when we use the term ''credit report,'' we may think that we are talking about the credit report a bank gets. It is technically a credit report because it is all covered by the Fair Credit Reporting Act, but when a lender gets a credit report, they do not get that information. All they get is the payments and the late payments and your credit history. They do not get the medical information. When you are an employer, you are going to a different type of entity, and that is where you may be getting some of this medical information.
    Mrs. MALONEY. But as I understand it from Mr. Rotenberg's testimony, just getting the payment history can infer medical conditions. Is that what you were saying?
    Mr. ROTENBERG. To be precise, it is the trade line information that would indicate, for example, an outstanding debt to a clinic. That information would be made available to the employer through a credit report, and that is the type of information that is being made more widely accessible today.
    Mrs. MALONEY. And you were implying that you could gain information just from the credit report on a person's health.
    Mr. ROTENBERG. Yes, exactly.
    Mrs. MALONEY. And a health condition, if you are making a payment to a cancer clinic, obviously you probably have cancer, that type of thing. What specifically did the Federal Reserve say about this? Could you elaborate?
    Mr. ROTENBERG. Well, I have the Federal Reserve report in front of me, and I would be happy to provide it to the committee, perhaps as an attachment to my testimony. But I will just read one sentence, and this is under a heading ''collection agency accounts.'' I am reading from the report of the Federal Reserve, February of this year: ''Information on noncredit-related bills and collections such as those for unpaid medical services is reported to credit reporting companies by collection agencies. In addition, collection on some credit-related accounts also are reported directly by collection agencies.''
    So the Federal Reserve, this is a very good study, it is a non-political study. They were simply trying to understand how the credit report is generated, where does the information come from. They seem to be interested in the fact that a significant amount of information, in fact on page 69 of the report, they indicate that approximately 52 percent of transactions relate to medical payment. So this is I think very interesting.
    Mrs. MALONEY. Yes. My time is up. I thank all the panelists.
    Mr. TIBERI. The gentlelady's time has expired.
    We will go for a second round of questioning between the three of us, if both of you would like to stay.
    Mr. Yingling, just following up on this line of questioning from the last two questioners, let's say a customer of one of your banks has a checking account and is writing a check to the Ohio State cancer clinic, or is a credit cardholder with one of your banks and goes to a grocery store pharmacy and purchases medication that is for mental illness or something. Typically, how is that information protected for a consumer?
    Mr. YINGLING. Typically, all the payment system information is protected. There is no distinction, I don't think, made with medical versus any other type of information. It is protected through normal security measures. If you look at Gramm-Leach-Bliley, there are specific provisions in there that require that banking institutions have security that protects all this type of private information.
    Quite frankly, it is moving through the computers so fast that I don't think any human looks at it unless it is an exception item. I believe that our task force was pretty clear in the statement that it made in its report that is quoted at the end of my testimony. It said that none of that type of information should be gathered or should be used for any purpose other than making sure that the checks are paid and the accounts are reconciled.
    Mr. TIBERI. In terms of the wording, ''should be'' or ''cannot be'' used? Can you comment on that?
    Mr. YINGLING. Well, I don't make law, so I can't say ''cannot.'' But I recommend ''cannot'' should be used. If you chose to make it ''cannot,'' you could make it ''cannot.'' However you would have to have an exception to cover all those instances, and we have been talking about one example, which is the key-man insurance on a small business. You would have to have many exceptions, but even in those exceptions it would only be with the express consent of the potential borrower.
    So I think the better way to phrase it so you do not have to get into the business of trying to foresee every exception, which is impossible, would be to say it can only be used with the express consent of the customer.
    Mr. TIBERI. But to your knowledge, your membership does not abuse that customer relationship now, to your knowledge?
    Mr. YINGLING. No, not to my knowledge. It is hard to foresee instances where it would be worth the candle to try to do it, quite frankly. There are lots of instances where you do get medical information. Another one, for example, is we do a lot of trust work, and quite often when you are setting up a trust, if you have a child that has medical problems or mental problems, you would want that banker working with you to set up the trust, to understand that. You want the person running the trust to have the authority to make decisions about when additional medical care is needed or not needed. But those are the exceptions, and again it is for that express purpose and that purpose only.
    Mr. TIBERI. In your testimony earlier, you mentioned the State preemption of the FCRA is important for us to re-extend or extend. Can you explain or delve into why that is important and, in your mind, what would happen if it is not extended?
    Mr. YINGLING. Well, part of that is to go into all the benefits of the Fair Credit Reporting Act, which I won't do, but there are just huge benefits, one of which is the way it helps low- and moderate-income individuals obtain loans. There is a remarkable chart in this study that shows the incredible growth in the availability of credit to low-income people since the passage of the Fair Credit Reporting Act.
    I was interested in Chairman Oxley's comment, which is another aspect of this, about the incredible mobility we have for people to move and to get jobs, which is so important to our economy, and that is in part due to the Fair Credit Reporting Act.
    Specifically in answer to your question, I think the best way to frame it is to give you an example that came to my attention recently when I was talking to the CEO of a small bank down in the southern part of Virginia. She was saying, because we all know California is very active in this area, ''You mean to say that if I have a son or daughter of one of my long-term customers who goes to California as a student, that I am going to be subject to California law?''
    Well, you carry that out. Suppose it was a graduate student that moved to California. The first thing this community bank would have to do is apparently track all their customers to figure out if they had moved. Then they would have to figure out, well, this is a graduate student. Are they a resident of California or a resident of Virginia? Are they subject to California law now or not? And then if they are subject to California law, they would have to have somebody explain to them all the nuances of what they could collect and what they could report on the credit card loan and the auto loan to that son or daughter.
    Now, there is almost no way for them to do that other than to have a lawyer on hand in every state that can tell that community bank how you cover that person. The end result is, they will not report on that person. They cannot afford to report on that person.
    That means if that person has problems and does not make payments, that is not going to be reported. On the other hand, maybe with this graduate student, the only loans he or she has ever had were the credit card and the automobile loan, and now that is not reported, so the student has no credit history.
    So you can see how the whole system can start to break down if you do not have one national law that this Virginia banker can plug into.
    Mr. TIBERI. Thank you.
    Unfortunately, my time has expired. I will recognize Mr. Crowley for 5 minutes.
    Mr. CROWLEY. Mr. Yingling, I understand that while health information is not allowed on credit reports, affiliate sharing is often exempt from FCRA privacy rules. So as banks and insurance companies, and this goes back somewhat to my original question, become more affiliated, could this information flow between affiliates, particularly these new brands of banks that are buying and marketing health insurance plans, could that information flow between?
    And who would govern the privacy of this health information, HIPAA, FCRA or no entity? And where is this distinction codified in the law, as I don't think anyone wants to see this end up in the courts for many years of litigation to sort out these issues, especially as it pertains to such important issues as the issue of one's personal privacy?
    Mr. YINGLING. I think the simple answer is if you had a bank that chose to violate all the principles of trust of their customers and to take medical information and give it to an affiliate, it could do it. There is nothing illegal about it.
    Mr. CROWLEY. So you think the pressure of the market would come to bear, advertisement by other competitors?
    Mr. YINGLING. I think that would be a major factor. We believe it is wrong to do it, but if you are asking me, is there a law that prevents it at this moment in time, the answer is no, sir, there is not.
    Mr. CROWLEY. Would anyone else like to comment on it?
    Mr. PETERSEN. There are rules against the flow in the opposite direction. So in that situation you described, if a bank were to purchase a health insurance health plan, the bank evidently can flow information to the health plan. The health plan could not flow information to the bank under the HIPAA privacy rule of 1982 and the NAIC Act article five.
    So you would have restrictions of the information flowing the other way, and you would have to have an authorization for the health plan to release that information to the bank. Most of this sensitive information will be within the health plan.
    Mr. CROWLEY. Ms. Meyer?
    Mrs. MEYER. I was just going to say, to the extent there ever would be that flow from the bank in another direction, it would seem to me that both the Fair Credit Reporting Act and GLB itself would govern those disclosures and require at least an opt-out in that situation. Although again, it seems a stretch.
    Mr. CROWLEY. I keep coming back to those difficult stretches for you, don't I, Ms. Meyer?
    Just to show you how I think. I thank you.
    Would you like to respond, Ms. Pritts?
    Ms. PRITTS. Yes, I would like to just go back to the one point that I think we continually miss, which is that Congress in enacting HIPAA and in enacting Gramm-Leach-Bliley subsequently, never really indicates who is on first.
    The Fair Credit Reporting Act was passed I think in 1990. The amendments to the Fair Credit Reporting Act were in 1996. HIPAA was in 1996. HIPAA does not say anything about the Fair Credit Reporting Act. HIPAA hardly says anything about how you protect health information, in all honesty, the statute.
    Subsequently, you have the Gramm-Leach-Bliley Act, which was enacted after HIPAA, and very detailed. It does not mention HIPAA. Subsequent to that, then, you have the actual promulgation of the HIPAA privacy regulations, which are very detailed. But if you actually go through an implied repeal analysis, first of all you should not have to do that. We should have some indication from Congress as to what law governs if there is an overlap. It is an easy thing to fix, and it is something that we should not be relying on the court for.
    Mr. CROWLEY. Thank you.
    I thank the chairman. I have other questions, but I will submit them in writing for an answer.
    Mr. TIBERI. Ms. Meyer, you were going to comment, it looked like?
    Mrs. MEYER. Actually, I was going to say that in fact insurance companies for a number of years have been dealing with the meshing of all of these rules together. It is because of the fact that there is this meshing, we see that it is going to be so critical to reauthorize the preemption provisions of the Fair Credit Reporting Act, so in fact there will be certainty as to what the rules are.
    Mr. TIBERI. The gentleman from New York's time has expired.
    I would like to thank all the witnesses for being here today. The record will be open for 30 days for members to submit any additional testimony or comments or questions.
    The hearing is now adjourned.
    [Whereupon, at 1:03 p.m., the subcommittee was adjourned.]