Ms. Rebecca Richards
Electronic Commerce Task Force
U.S. Department of Commerce
International Trade Administration
Room 2009
14th and Constitution Avenue, NW
Washington, DC 20230
Re: March 17, 2000 Draft of International "Safe Harbor" Privacy Principles
Dear Ms. Richards:
I am writing on behalf of the Blue Cross and Blue Shield Association regarding the March 17, 2000 draft of the Commerce Department's International "Safe Harbor" Privacy Principles. The Blue Cross and Blue Shield Association (BCBSA) represents 48 independent Blue Cross and Blue Shield (BCBS) Plans across the country, covering 75 million Americans.
We applaud the Department of Commerce's (DOC) efforts and look forward to working with you to implement practical privacy protections that meet the Article 25 "adequacy" requirement of the European Union (EU) Directive on Data Protection (Directive). The privacy of subscribers is important to BCBS Plans and we are particularly interested in the EU Safe Harbors because BCBS subscribers enjoy the benefits of health insurance coverage while travelling or living outside of the United States (U.S.) through an innovative program called BlueCard Worldwide.
During continued negotiation on the Safe Harbors, we believe it is critical for DOC to highlight that health plans already are subject to a myriad of state and federal privacy laws and regulations. We encourage the DOC to work with the EU to recognize compliance with privacy protections under existing state and federal laws and regulations as meeting the "adequacy" requirement of the Directive.
Specifically, we recommend that the Safe Harbor Principles explicitly declare that organizations subject to the Health Insurance Portability and Accountability Act's (HIPAA) privacy standards (Public Law 104-191, August 21, 1996), the Gramm-Leach-Bliley (GLB) Act's privacy section (Public Law 106-102, November 12, 1999), or relevant state privacy statutes and regulations are deemed to meet the "adequacy" threshold.
Furthermore, health plans have been traditionally regulated by the states. We urge that enforcement of the Safe Harbor Principles on health plans be under the jurisdiction of the states. Placing health plans under the enforcement of the DOC or the Federal Trade Commission (FTC) not only creates expensive dual regulation costs and complexities for health insurers, but also would confuse, rather than facilitate, consumers' understanding of their privacy rights.
We believe that BCBSA's overriding concerns discussed above reinforce DOC's ongoing position -- that industries already well-regulated under U.S. federal and state privacy laws and regulations should be able to continue current business practices as long as they adhere to U.S. and state privacy statutes. We support the DOC's work in meeting that goal.
Success of the Safe Harbor Principles is critical to American businesses and consumers with interests in the European Union. We appreciate the opportunity to submit comments on this important issue, and we look forward to working with the Department in achieving that success. Please call Christina Nyquist at (202) 626-4799 if you have any questions.
Sincerely,
Mary Nell Lehnhard
Senior Vice President
Board of Governors of the Federal Reserve System
National Association of Insurance Commissioners