Heather M. Morlang, J.D., LL.M. Candidate
The privacy penumbra, a patchwork of protection created by weaving various legal sources, has unfolded as a premier concern before both financial and healthcare industries. As privacy’s legal sources are diverse, so too are the statutes that now blanket these services. From the 1974 Federal Privacy Act to the present Health Insurance Portability and Accountability Act regulations, privacy is largely a function of statutory definition. As our federal and state legislatures attempt to enwrap more services into the penumbra, one industry appears to slip from the privacy cover. This essay suggests that our newest privacy legislation falls short of covering the viatical industry, and recommends that our representatives reassess statutory definitions to ensure that patients, albeit they at the end-of-life, receive equal privacy protection.
The viatical industry launched during the 1980s as venture capitalists devised a method to provide not only Acquired Immune Deficiency Syndrome patients with cash needed to fund expensive experimental treatments but also themselves with lucrative profits. (See Miriam R. Albert, Symposium, Selling Death Short: The Regulatory and Policy Implications of Viatical Settlements, 61 Alb. L. Rev. 1013, 1013n.1, 1017-18 (1998)). Today, the industry continues to expand in scope, targeting patients with cardiovascular disease, cancer, Multiple Sclerosis, Lou Gerhig’s Disease, Alzheimer’s Disease, and Leukemia. The purpose of the industry is to offer patients with a six-month to one-year life expectancy a settlement in which the patient exchanges any type of life insurance policy for a lump-sum cash payment that can be applied to any purpose whether medical or personal. (See Albert, supra at 1019-20). The industry is characterized by self-funded companies, brokerage companies, and syndicate companies. (See Fiona M. Jones, Comment, The Viatical Settlement Industry: The Regulatory Scheme and its Implications for the Future of the Industry, 6 Conn. Ins. L. J. 477, 480-81 (2000)). Transacting almost 322 million dollars in policies in 1995, the viatical companies are estimated to reach 644 million dollars in 2004. (See Joy D. Kosiewicz, Comment, Death for Sale: A Call to Regulate the Viatical Settlement Industry, 48 Case W. Res. L. Rev. 701, 701n.2 (1998)).
Viatical companies require medical information from settlement seekers not only to ascertain the value of the settlement offer, based on life expectancy, but also to prevent fraud by those who would offer a bogus policy and false medical record in quest of tax-sheltered cash. (See 26 U.S.C. § 101(g)(2)-(3) (1997) (excluding certain settlements from inclusion in gross income)). Because medical information is used in viatical settlements, the question becomes how does the industry maintain the privacy of its settlement seekers? This issue is especially important as commentators suggest that investors may stalk an insured to monitor his or her death process, or may even go so far as to consider homicide to expedite a return on an investment. (See Kathy M. Kristof, It’s dicey--think you can make money with a viatical settlement? Don’t bet on it., Chicago Tribune, March 1, 2000, available at 2000 WL 3641132).
Because our nation employs federalism, the logical first step in an analysis is to examine federal law. Many laws scattered throughout the United States Code mandate medical information privacy. However, these laws more often than not apply only to government actors. (See, e.g., 38 U.S.C. § 7332(a)(1) (1991) (addressing military veterans); 10 U.S.C. § 1102(a) (1998) (investigating Department of Defense quality assurance claims)). Even the 1974 Federal Privacy Act’s scope is limited to "any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government … or any independent regulatory agency." (5 U.S.C. § 552(f)(1) (1974)). The viatical industry is not a government actor and thus not covered by such federal statutes. Moreover, case precedent holds that viatical settlements are neither securities within the meaning of the Securities Act of 1933 nor insurance contracts with McCarran-Ferguson Act exemption. (See S.E.C. v. Life Partner, Inc., 87 F.3d 536, 542 (C.A.D.C. 1996)). As older federal statutes appear to leave the industry uncovered, scholars might assume that the new federal privacy legislation would bring the viatical companies in-line with current national policy. However, a close inspection of the new definitions may not affirm such a presumption.
The Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. No. 104-191, 110 Stat. 2033 (1996)) targets health plans, healthcare clearinghouses, and healthcare providers who transmit any health information. (See 45 C.F.R. § 160.103 (2000)). Viatical settlements may not fit neatly into the definition of a health plan because the settlement is not an insurance contract and sums awarded are not required to be used for medical care. Further, these companies may not fit neatly into the definition of healthcare clearinghouse because they may receive medical information directly from the patient and may not then process the information from a "nonstandard format" into "standard data elements." 45 C.F.R. § 160.103 (2000). Finally, a viatical company arguably may not be a healthcare provider because the purpose of the industry may be to transact a settlement rather than furnish, bill, or pay for healthcare as part of the "normal course of business." Id. Thus, attempts to wedge the viatical industry into HIPAA are feasible but will require hyper-creative legal argument. Certainly, the result is subject to doubt, leaving settlement seekers on unstable footing to assert privacy claims.
The same is true for an attempt to bootstrap the viatical industry by the Gramm-Leach-Bliley Financial Modernization Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)). Viatical companies may not satisfy the definition of "financial institution" under Title V, Section 509 of the Act because at least one court has held that viatical settlements are not securities. Life Partners, Inc., 87 F.3d at 542. While self-funded and brokerage viatical companies appear to slip from the cover of the Act because they do not perform an activity defined as "financial in nature" under Section 4(k) of the Bank Holding Company Act of 1956, the syndicate viatical companies, at most, skate the edge of the Act by selling instruments "representing interests in pools of assets permissible for a bank to hold directly." 16 C.F.R. § 313.1 (2000); 12 U.S.C. § 1843(k) (1956); 12 C.F.R. § 211.5(d) (2000); 12 C.F.R. § 225.28 (2000).
If the HIPAA and Gramm-Leach-Bliley Act, tailored for privacy protection and intended to be far-reaching, ironically leave an entire industry uncovered, where then can terminally ill patients acquire privacy protection for the information they submit to viatical companies? Likely, settlement seekers will have to hunt respective state law to find any existing shelter.
Turning to the states, the Texas 77th Legislature, for example, passed Senate Bill 11 (2001 Tex. Gen. Laws 1511) on June 17, 2001. The Bill created Chapter 181 of the Texas Health and Safety Code to expand HIPAA privacy protection inside state boarders. According to Section 1 of Senate Bill 11, a covered entity is "any person who for commercial, financial, or professional gain … engages, in whole or in part … in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." At first glance, a viatical company appears to fit neatly into this definition.
However, Texas Senate Bill 11 also created Texas Health and Safety Code Section 181.051 that provides for partial exemption; a licensee as defined in Article 28B.01 of the Texas Insurance Code is exempt from Senate Bill 11, except for Subchapter D prohibited acts regarding reidentified information and marketing uses of information. Section 2 of Senate Bill 11 details that under Chapter 28B of the Insurance Code a licensee is a "person who holds or is required to hold a license, registration, certificate of authority, of other authority under this code or another insurance law of this state" (emphasis added). Applying Senate Bill 11 to the viatical industry, it appears that the companies fall within the partial exemption as licensees under the Texas Insurance Code. (See Tex. Ins. Code art. 3.50-6A § 2 (Vernon 1999) (noting the purpose of the article is "to register persons engaged in the business of viatical settlements" and empowering the commissioner to adopt rules regarding payment of an annual fee in connection with registration)).
Because Texas’s own privacy legislation partially exempts the viatical industry, settlement seekers must scrutinize (1) the Texas Occupations Code, which states that "any person who receives information from confidential communications or records … may not disclose the information except to the extent that disclosure is consistent with the authorized purpose for which the information was first obtained" (Tex. Occ. Code § 159.002(a) (Vernon 1999)); (2) the Texas Health and Safety Code, which indicates that "a person that possesses or has knowledge of a test result may not release or disclose the test result or allow the test result to become known, except as provided" (Tex. Health & Safety Code § 81.103 (Vernon 1999)); and (3) the Texas Administrative Code, which states that "all medical, financial, or personal information solicited or obtained by a viatical settlement company or broker … is confidential and shall not be disclosed in any form to any person" (28 Tex. Admin. Code § 3.1710 (2000)).
If the federal legislature does not provide for privacy in viatical settlements, then the task shifts to the states. Texas viatical settlement seekers are fortunate to have the minimum protections of the Texas Administrative Code; many states do not regulate privacy in the viatical industry. Based on student-survey, as of October 2001 only twenty-nine of fifty states require some level of confidentiality in viatical settlements. These states include: Alaska, Arkansas, California, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Montana, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Texas, Vermont, Virginia, Washington, and Wisconsin (citations omitted).
Thus, the quantity and quality of privacy protection may vary to a large degree across the nation. Moreover, patients may transact business across state lines whereby privacy issues can be swallowed by conflict of law and jurisdiction matters. As HIPAA reflects a public policy to unify our approach to healthcare privacy, it seems more appropriate to include the viatical industry in the larger pieces of legislation by amending definitions, rather than to leave terminally ill patients hunting for privacy needles among various state statutory haystacks.
Copyright©2001 Heather M. Morlang