[ Wednesday, December 07, 2005 ]
The Gramm-Leach-Bliley Act was sort of a precursor to HIPAA in that it established rules for financial institutions to prevent them from misusing customer financial information. The basic idea germinated out of the end of the Glass-Steagall Act, a Depression-era law that prevented banks from getting into the insurance and securities business and vice versa. Banks wanted to be full-service and provide a soup-to-nuts "Chinese menu" of financial services (whoa; mixed metaphors -- and I must be hungry) to clients so that they could capture all of those fees. Witness the merger of Citibank and Travelers Insurance.
Anyhoo, the issue with dumping Glass-Steagall was the concern that banks would use the information they had on depositors to target them for insurance, or refuse them insurance based on the information they could glean from the customer's banking activity (or vice versa). So, GLB was passed to restrict how "financial institutions" could use personal information (sound familiar?). Financial institutions also have to give out notices to people whose information they hold explaining their privacy rights and what the institution can and can't do with that information (also sound familiar?).
One problem out of GLB (there's a similar problem in the Patriot Act's money-laundering and terrorist financing tracking regulations) is the definition of "financial institution." The feds didn't want to allow an easy back-door around the restrictions, so they gave a broad interpretation of what a financial institution is. Unfortunately, given how broad the interpretation is, many law firms (Jackson Walker included) determined that they might be "financial institutions," and now include in their engagement letters and other client communications a statement outlining how the information can be used. Of course, law firms have ethical restrictions keeping them from improperly disclosing client confidences, but the notice requirement would still exist if law firms were subject to GLB.
So, are law firms "financial institutions" under GLB? We thought we might be and have complied, but the DC Circuit Court of Appeals has ruled that we aren't. Interestingly (or not), the opinion has the longest footnote I've ever seen: well over 13 pages long.
See January 12, 2006 post on state law issues.
Jeff [11:17 AM]