Metropolitan Life Insurance Company is abusing the average citizen’s inability to read legalese. This article details their process to circumvent privacy laws, customers’ expectations, and associated responsibilities for itself and its many affiliated companies. I discovered this last year when trying to sign up for the State of Illinois Employee’s optional Life Insurance.
Most importantly, the “Authorization” form that MetLife requires all applicants for life insurance coverage to sign asserts that private health data disclosed to or by MetLife may no longer be covered by federal and state laws and regulations. This is morally outrageous, operationally inexcusable, and would be stricken down by any sensible judge if it reaches court. See the actual document below.
There are several big problems with MetLife’s several “Notices” relating to privacy (and their lack of care about it) as well, but my main contention is with the Authorization form.
Is the State of Illinois CMS complicit in this violation of privacy? Or did they just fail due diligence?
During my saga of trying to speak with someone with authority or responsibility for this problem, either at MetLife or at the University of Illinois Benefits Office, or the State of Illinois Central Management Services, I eventually had this very telling exchange over the phone. I had finally been called back by a Supervisor named Alyssa in the MetLife Statement of Health Unit. I summarized what led me to ask for the Supervisor.
Me: “I have spoken with several of your agents about the legal problem in this Authorization form. Each time I explain the problem, I first get their trained and memorized answer, such as…”
1st-Tier Agent: “I’m sorry, the Authorization form must be signed to proceed with your application for coverage.”
But then after I patiently re-stated the problem and get them to actually read their own form, I eventually got a response like:
Agent: “Hmm. I’ve never noticed that before. Strange. I’m not sure why it says that, but we’re not authorized to change the form.”
Me: “I was sent to the MetLife Legal department a few days ago, and they were useless. They directed me back to your unit again.”
Supervisor Alyssa: “I’m sorry you’ve had such a difficult time trying to get your concerns answered.”
Me: (later in conversation) “I’m still trying to find out who wrote this Agreement and no one at MetLife has any clue or authority. I also want to know how the bid/contract negotiators at the State of Illinois would have allowed these terms when MetLife bid to become our new group life contract provider.”
Supervisor Alyssa: “They probably never saw this form.” [That sends up a red flag, doesn’t it?!]
Me: “That’s a problem then. Either the State didn’t perform due diligence in awarding the bid or MetLife has intentionally snuck these terms in after the fact to bypass the legal review that should have occurred on behalf of State employees.”
[UPDATE: Later I noticed that CMS own website links directly to a ‘Statement of Health’ Form that contains a substantially similar Agreement. So CMS is aware of the document and was therefore negligent — none of the inexcusably-broad permissions were removed to protect State of Illinois Employees.]
After some more discussion, with me pressing again for an answer that justifies the most problematic clause’s existence in the Agreement…
Supervisor Alyssa: “I agree that it doesn’t make sense. I don’t know any legitimate reason this exception needs to be there. I can’t justify why this is in the Agreement. I’ll talk with some others here to review this.”
Case still unresolved — MetLife still violating privacy
Nothing has yet been resolved so I don’t have the optional group-rate life coverage that I deserve as a State of Illinois Employee. Conversely, thousands of MetLife customers (whether in Illinois or elsewhere) are having their health privacy rights abused by MetLife and affiliates.
That’s why I’m publishing this to get the word out to others.
Exhibit A: MetLife’s Authorization To Violate Our Privacy Form:
[Problematic clauses highlighted.] The yellow sections are all unnecessarily broad, overreaching the scope of information sources and types being gathered for MetLife’s use. But the red-highlighted area is the most problematic. Read it in entirety, and notice it concludes with a requirement that applicants must relinquish (unspecified) privacy protections given by Federal and state laws and regulations.
Exhibit B: The MetLife “Privacy Notice”
The Privacy Notice is written with cleverly deceptive phrases to make it seem as though they are doing something beyond the requirements of law to protect our privacy, but that is clearly not the case. To begin with, it’s a “notice”, not an agreement, guarantee, nor even a policy. Even if there were any substantive guarantee of privacy here, it would be moot due to the final paragraph. This allows them to rewrite the Privacy Notice at any time and make it apply to all current and former customers without any provision for opting out or rejecting any new terms.
But, as with the binding “Authorization” above, many sections here clearly show that MetLife’s standard operating procedures are to spread all the information they have about anyone (even non-customers) to as many affiliates, contractors, MIB, or even potential business partners any time they can exploit information their own advantage and profit, without any regard to the ethical illegitimacy of sharing that information. The open-ended and broadly inclusive phrasing of other companies and agencies with whom they will gladly violate our privacy is virtually unlimited. Worse, there is no policy, guarantee, or limitations on what those many unnamed affiliated organizations will or will not do with our health and related information that should also be secured with strong privacy. Section 2 deceptively appears to provide some protections, but there are so many exceptions and vague clauses in this whole document it’s merely deceptive. Consider, for example in Section 2, that “…use it only to meet our business needs” allows all sorts of leveraging and exploiting information in their other businesses and partnerships that have no ethical right to any of our health information. In other words, there are no real protections, transitive or otherwise.
Further, current, prospective, and future customers have no mechanism to opt out of or limit this sharing, nor even to be assured of getting a complete list of all the places their information has spread. The only vague provision for opting out is when information is used specifically for marketing purposes.
