by David Rabinowitz and Linda Abdel-Malek
As published in the September 26, 2000 issue of iHealthcare Weekly.
The two most recent principal statutory enactments protecting an individual's right to privacy regarding personal information are the proposed privacy rule issued by the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Title V of the Gramm-Leach-Bliley Act (GLB) of 1999. HIPAA covers medical information and GLB covers personal financial information disclosed by financial institutions. Both limit the unconsented dissemination of individually identifiable information.
To a large degree, HIPAA, as implemented in the proposed privacy regulations of HHS, and GLB, as implemented in the Federal Trade Commission's regulations (which are the only regulations that potentially intersect with HIPAA), take different approaches to information protection. HIPAA covers only individually identifiable health information, and its protection may be limited to information that has been electronically transmitted or maintained. GLB covers only personally identifiable financial information, and its protection is limited to information provided by individuals who obtain financial products or services for personal, family, or household use. Under GLB, only disclosures to nonaffiliated entities without notice and consent of the individual are forbidden, while HIPAA has no exemption for affiliated entities.
Both statutes provide exceptions and safe harbors, but the exceptions allow unconsented disclosure for different purposes--HIPAA mainly for certain medical treatment, payment, and operational purposes, and GLB for certain financial purposes. HIPAA covers only certain classes of health-related institutions, but the proposed implementing rules broadly require those institutions to extend restrictions to other institutions by agreements with "business partners" to whom the information is disclosed. GLB, at least under the implementing FTC regulations, imposes its restrictions on certain businesses that receive protected information from financial institutions.
Perhaps the most important difference, especially from the consumer's point of view, is that HIPAA requires institutions to obtain affirmative consent from individuals to waive certain protections of the act ("opt-in" to disclosure), while GLB has an "opt-out" approach under which consent for disclosure to other entities can be obtained if the affected consumers do not opt out of an institution's policy of disclosing their information.
The possibility that, due to the vagueness of the coverage of these acts, certain institutions such as health insurers and HMOs might be subject to both sets of rules has caused considerable concern. The result would be the confusing and complicated need to adhere to both sets of regulations, sometimes for the same information, thereby maintaining double and inconsistent privacy policies or creating a single hybrid privacy policy incorporating the most stringent features of both statutes.
Conversely, privacy advocates, fearing narrow construction of both acts, have expressed the concern that medical information obtained by institutions not squarely covered by either act--or medical information that is not deemed to be personal financial information under GLB--will escape both sets of protections. The FTC has acknowledged such potential confusion in the preamble to its implementing regulations by stating that its regulations will likely be modified once the privacy rule promulgated under HIPAA becomes final. However, it is unclear how the FTC regulations will be amended.
A significant clarifying piece of proposed legislation, which may prove to be the forerunner of general privacy standardizing legislation, was introduced in the House of Representatives in June 2000. Sponsored by Rep. James A. Leach, R-Iowa, one of the co-sponsors of GLB, the proposal is called the Medical Financial Privacy Protection Act (MFPPA).
The MFPPA is a hybrid. It grafts HIPAA-like protection for medical records onto the GLB act. It covers individually identifiable health information that may come into the hands of a financial institution, including an insurance company.
One of the possible constructions of GLB is that any information that comes into the hands of a financial institution from an individual obtaining financial services or products is considered financial information covered by GLB. The MFPPA would settle that issue in favor of such a broad construction and also would give medical information more protection than GLB accords financial information.
The protection accorded individually identifiable medical information under the MFPPA that is in the hands of financial institutions would be the HIPAA-style "opt-in" protection rather than the GLB "opt-out." The individual involved would have to say "yes" rather than merely refrain from saying "no" in order to permit disclosure.
The MFPPA would forbid disclosure not only to nonaffiliated third parties, as under GLB, but also to affiliates, in conformity with HIPAA. This resolves a sore point among privacy advocates critical of GLB.
Consumers would also obtain the right to inspect, copy, and correct their health information, a HIPAA-like protection. The MFPPA also contains two special provisions: financial institutions could not use health information in deciding whether to lend money or extend credit to a consumer without an "opt-in" from the consumer, and information concerning mental health receives additional protection because its disclosure requires a separate and specific consent.
Showing its intended conformity with HIPAA, the MFPPA specifically disclaims any modification, limitation or supersedure of HIPAA, or the privacy rule promulgated under HIPAA.
Whatever else can be said about this proposed extension of medical information privacy rules to financial institutions, we may at least hope that it is a step toward coordinating the disparate federal statutes and rules on medical and financial information. While the details of the statutes and their regulations are so numerous and extensive that their coordination would require the wholesale rewriting of one or both of them, enactment of the MFPPA would give impetus to the regulators and the courts to produce a set of rules that is as coordinated as possible.
David Rabinowitz (drabinowitz@mosessinger.com) is a partner with Moses & Singer LLP in New York City. He is the chair of the Litigation Practice Group and one of the co-chairs for the firm's eHealth Law Practice. Linda Abdel-Malek is a senior associate in the Healthcare Group.