Health Privacy Project
May 28, 2004

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation (FDIC)
550 17th Street, NW
Washington, DC 20429

Dear Executive Secretary Robert Feldman,

We are submitting comments on the proposed Fair Credit Reporting 
        Medical Information Regulations. The Health Privacy Project is a 
        501(c)(3) nonprofit organization dedicated to raising awareness of the 
        importance of ensuring health privacy in order to improve health care 
        access and quality, both on an individual and community level. The 
        Health Privacy Project coordinates the Consumer Coalition for Health 
        Privacy (CCHP), which is comprised of over 100 major organizations 
        representing consumers, health care providers, and labor and disability 
        rights advocates. A complete list of coalition participants, as well as 
        resources about health privacy, are available at the Health Privacy 
        Project’s website.

Background:

The Fair and Accurate Credit Transactions Act (FACT Act) creates new 
        restrictions on the manner in which creditors, such as banks and credit 
        unions, can obtain and use medical information. It does this through 
        amending the Fair Credit Reporting Act (FCRA). Generally, the FACT Act 
        prohibits creditors from obtaining or using medical information 
        pertaining to a consumer in connection with any determination of the 
        consumer’s eligibility, or continued eligibility, for credit. Creditors 
        may, however, obtain and use medical information for these purposes to 
        the extent the federal banking regulators determine it is necessary and 
        appropriate to protect legitimate operational, transactional, risk, 
        consumer, and other needs. The regulators are to make this determination 
        consistent with Congressional intent to restrict the use of medical 
        information for inappropriate purposes.

Additionally, the FACT Act adds a new section to the FCRA which 
        restricts the sharing of medical-related information with affiliates if 
        that information otherwise meets the definition of “consumer report” in the 
        FCRA. Generally, certain information (such as transaction or experience 
        information) that is shared among affiliates is not considered to be a 
        consumer report under the FCRA. The new section provides, however, that 
        if this information is medical-related information, the 
        affiliate-sharing exception will not apply and the information will be 
        considered to be a consumer report. Medical-related information includes 
        medical information, as defined in the FACT Act, as well as other lists 
        based on payment transactions for medical products and services.

The new section also provides several specific exceptions that allow 
        creditors to disclose medical information to affiliates according to the 
        same rules that apply to other non-medical information. The section also 
        permits the federal banking Agencies to determine, by order or 
        regulation, that other exceptions are necessary and appropriate.

General Comments

The proposed rule creates exceptions to the general prohibition 
        against using and obtaining medical information and is generally 
        consumer oriented. We encourage the Agencies to continue this framework 
        as it is in conformity with Congressional intent to restrict the use of 
        medical information for making credit decisions to only those purposes 
        that are truly necessary and appropriate.

The Agencies seek comments on whether any additional or different 
        exceptions should be included in the final regulation. We believe the 
        proposed exceptions are sufficient to protect legitimate operational, 
        transactional, risk and other needs consistent with Congressional 
        intent.

In Congressional hearings leading up to the passage of the FACT Act, 
        representatives of the industry repeatedly took the position that banks 
        did not request and did not use medical information for consumer credit 
        purposes. There was no substantive discussion of when the use of medical 
        information for consumer credit decisions might be appropriate and 
        necessary. Thus, consumers entered this rule-making procedure with 
        little knowledge of when banks actually use medical information in 
        making credit decisions and whether such use might be appropriate.

Through the initial proposed regulation, consumers have been given 
        the first real opportunity to learn about some of the actual 
        circumstances where medical information is used in making consumer 
        credit decisions. Should additional exceptions be recommended in 
        comments to the proposed rule, consumers should be given the specific 
        opportunity to respond to and comment on those recommendations prior to 
        the finalization of the rule.

We would like to point out that the comment period for these proposed 
        rules is deficient to the extent that the proposed rule (as well as the 
        Act) refers to the model Privacy of Consumer Financial and Health 
        Information Regulation issued by the National Association of Insurance 
        Commissioners, as in effect on January 1, 2003. That model regulation is 
        not readily available to the public. The NAIC only sells copies of the 
        regulation. It is essential that the Agencies make a copy of that 
        regulation available to the public at no cost so that the public will 
        have an opportunity to read, understand, and comment upon the 
        consequences.

The Agencies should also be aware that provisions (no matter how 
        limited) that allow creditors to obtain and use medical information have 
        the potential to create a new form of consumer reporting that focuses 
        exclusively on health information. The justification for collecting 
        health information on all consumers would be that the information can be 
        used in some instances, as the final regulation will demonstrate. Those 
        with an incentive to collect health information might well be beyond the 
        scope of existing regulation and may be able to use the information for 
        other purposes. It would be an extremely unfortunate result if a 
        provision intended to allow extremely narrow use of medical information 
        ended up creating a new, massively invasive consumer reporting activity 
        for that information. The Agencies should be aware of this possibility, 
        and they should take steps wherever possible to prevent or discourage 
        creditors from obtaining medical information from new or unregulated 
        sources.

Comments on Specific Sections

I. SEC. __.3 DEFINITIONS

Definition of “medical information”

The proposed rule defines “medical information” as information or 
        data, whether oral or recorded, in any form or medium, created by or 
        derived from a health care provider or the consumer, that relates to (1) 
        the past, present, or future physical, mental, or behavioral health or 
        condition of an individual; (2) the provision of health care to an 
        individual; or (3) the payment for the provision of health care to an 
        individual. The term “medical information” does not include the age or 
        gender of a consumer, demographic information about the consumer, 
        including a consumer’s residence address or e-mail address, or any other 
        information about a consumer that does not relate to the physical, 
        mental, or behavioral health or condition of a consumer. The proposal 
        tracks the statutory definition of “medical information.”

This definition should be maintained. By tracking the statutory 
        definition, the regulatory provision closely adheres to Congressional 
        intent to give broad protection to medical information.

We believe that it would be inappropriate to exclude from the 
        definition of “medical information,” information related to medical 
        debts that has been coded in accordance with section 604(g)(1)(C) so 
        that it does not reveal the specific identity of the provider or medical 
        service rendered. Such an approach is not supported by the Act. Coded 
        information still reveals that the consumer has a medically-related 
        debt. The fact that a consumer has medically-related debt constitutes 
        information that relates to “the payment for the provision of health 
        care to an individual,” under the statutory definition. Removing coded 
        information from the definition would be an inappropriate narrowing of 
        the statutory definition. Moreover, removing coded information from the 
        definition of “medical information” would effectively remove it from the 
        anti-discrimination protections afforded in proposed section __.30(c). The 
        result would be that creditors would be permitted to treat medical debt 
        differently than non-medical debt. This would be contrary to 
        Congressional intent.

Recommendation: Retain the proposed definition of medical 
        information.

II. SEC. __.30(A) GENERAL PROHIBITION ON OBTAINING AND USING MEDICAL INFORMATION IN CONNECTION WITH A DETERMINATION OF ELIGIBILITY FOR CREDIT

A. Sec. __.30(a) General Prohibition

The proposed regulation contains a general prohibition on obtaining 
        or using medical information pertaining to a consumer in connection with 
        any determination of the consumer’s eligibility, or continued 
        eligibility, for credit and then creates limited exceptions. This 
        approach is consistent with the Act and Congressional intent that 
        medical information only be obtained and used for credit-related 
        purposes when appropriate and necessary.

B. Sec. __.30(a)(2)(i) Definitions

1) Including “terms of credit” in the definition of “eligibility, or 
        continued eligibility, for credit.”

The proposed rule defines “eligibility, or continued eligibility, for 
        credit” as including the terms on which credit is offered. We commend 
        this approach. The Act is designed to protect against the inappropriate 
        use of medical information in credit decisions. This would encompass not 
        only whether consumers are offered credit but also the terms under which 
        they are offered credit. For example, a consumer should not have to pay 
        a higher rate of interest due to their medical condition. Therefore, the 
        terms on which credit is offered should be encompassed by the term 
        “eligibility, or continued eligibility, for credit.”

Recommendation: The proposed approach strongly supports 
        Congressional intent and should be retained.

2) Excluding debt cancellation and forbearance practices from the 
        definition of “eligibility, or continued eligibility, for credit.”

The proposed rule provides that the term “eligibility, or continued 
        eligibility, for credit” does not include:
 
(B) Any determination of whether the provisions of a debt 
          cancellation contract, debt suspension agreement, credit insurance 
          product, or similar forbearance practice or program are triggered

Wholly excluding debt cancellation contracts and suspension 
        agreements from the definition of “eligibility, or continued eligibility 
        for credit” is an overbroad approach. Any provision that allows 
        creditors to obtain and use medical information in connection with debt 
        cancellation, debt suspension, or credit insurance products or practices 
        needs to be tied to a specific consumer and a specific need.

First, the proposed provision contains a very broad general grant of 
        authority that would allow creditors to collect medical information on 
        ALL consumers from multiple sources in order to have that information 
        available if and when an issue of cancellation, suspension, or other 
        allowable use arises with respect to a few consumers. This approach 
        could authorize an entirely new industry of health reporting (akin to 
        credit reporting) on consumers to support the authorized purposes. It is 
        therefore important that any provision (whether it be a rule of 
        construction or an exclusion) be limited to obtaining or using medical 
        information to a triggering event of a specific consumer.

Second, the proposed provision is overbroad with respect to the 
        purpose for which medical information may be used and obtained. 
        Forbearance procedures and practices may be triggered by events 
        unrelated to medical conditions. For example, a debt cancellation 
        contract can be triggered by unemployment or divorce. There would be no 
        need to obtain and use medical information to determine whether such a 
        debt cancellation contract provision has been triggered. The rule should 
        thus permit a creditor to obtain and use medical information for 
        forbearance procedures only where the triggering event is 
        medically-related.

Third, we note that credit insurance is different from the other 
        listed forbearance practices since it involves a third party insurer as 
        well as the creditor and the consumer. Generally, a consumer purchases 
        credit insurance from the insurer. If a medical event were to trigger 
        credit insurance the insurer would be the party to be informed of the 
        event and would then pay the creditor. We question whether a creditor 
        has a “legitimate operational, transactional, risk and other needs” in 
        obtaining and using medical information in these circumstances. Unless 
        such needs are adequately demonstrated “credit insurance” should be 
        dropped from this provision.

Finally, the Agencies have requested comments on whether it is more 
        appropriate to address debt cancellation and forbearance in a rule of 
        construction or as an exception. We believe the more appropriate 
        approach is to create a limited exception that would allow a creditor to 
        obtain and use medical information for these purposes, rather than 
        wholly excluding them from the definition of “eligibility, or continued 
        eligibility, for credit.” Determining whether the provisions of a debt 
        cancellation contract, debt suspension agreement or similar forbearance 
        practice or program are triggered appears to be a determination of the 
        terms on which credit is offered. These practices thus appear to fit the 
        definition of “eligibility or continued eligibility for credit.” A 
        provision which incorporates our suggested limitations would more 
        appropriately be framed as an exception than a rule of construction.

Wholly excluding debt cancellation contracts and suspension 
        agreements from the definition of “eligibility, or continued eligibility 
        for credit” is an overbroad approach. It would have the effect of 
        permitting creditors to obtain and use medical information in 
        inappropriate circumstances.

Recommendations: Delete the provision related to debt 
        forbearance from section ___.30(a)(2). Create an exception in 
        __.30(1)(d) that permits creditors, upon a consumer’s claim, assertion, 
        or request that the provisions of a debt cancellation contract, debt 
        suspension agreement, or similar forbearance practice or program have 
        been triggered by a medical or mental health condition or status to 
        obtain and use medical information to determine whether such provisions 
        have been triggered.

III. SEC. ___.30(b) RULE OF CONSTRUCTION FOR RECEIVING UNSOLICITED MEDICAL INFORMATION

A. Rule

The proposed rule includes a rule of construction for receiving 
        unsolicited medical information. Under the rule, a creditor does not 
        obtain medical information for purposes of paragraph __.30(a)(1) [the 
        general prohibition on obtaining and using medical information in 
        connection with any determination of a consumer’s eligibility for 
        credit] if it:
 
(i) Receives medical information pertaining to a consumer in 
          connection with any determination of the consumer’s eligibility, or 
          continued eligibility, for credit without specifically requesting 
          medical information; and
(ii) Does not use that information in determining whether to extend or 
          continue to extend credit to the consumer and the terms on which 
          credit is offered or continued.
 The Agencies proposed this provision because they believe that a 
        creditor should not be seen as violating the prohibition on obtaining 
        medical information when the creditor does not specifically ask for or 
        request such information, yet the consumer or other person provides the 
        information to the creditor.

We appreciate the Agencies’ concern and do not object to the general 
        premise of the rule. However, we believe it makes more sense to include 
        this provision as an exception instead of as a rule of construction. The 
        preamble to the rule makes clear that obtaining and using information 
        are two distinct activities. Yet under this proposed provision, using 
        and obtaining information are merged into one concept.

It is preferable to consistently treat obtaining and using 
        information as distinct activities. This is more readily accomplished by 
        creating an exception to the general prohibition on use and disclosure.

We also believe that the regulation should clearly state that 
        “without specifically requesting medical information” means volunteered 
        by the consumer without any pressure, prompting, or solicitation 
        (whether direct or indirect) by the creditor. For example, a creditor 
        could prompt a consumer to provide medical information by saying that 
        “we are not allowed to ask you for medical information, but you can 
        volunteer to provide it if you choose.” This type of solicitation should 
        be expressly prohibited. Additionally, we recommend adding a provision 
        stating that unsolicited medical information should not be recorded or 
        maintained, and should be destroyed.

Recommendations: Delete the proposed rule of construction. Add 
        the following exception for receiving unsolicited medical information.

(b) Exception for receiving unsolicited medical information –
(1) In general.
 
(i) Medical information received by a creditor when the creditor 
          has not specifically requested medical information and when medical 
          information is volunteered by the consumer without any pressure, 
          prompting, or solicitation (whether direct or indirect) by the 
          creditor is considered to be unsolicited medical information for 
          purposes of this section.
(ii) A creditor may obtain unsolicited medical information for 
          purposes of paragraph (a)(1).
 (iii) A creditor may not use unsolicited medical information in 
          determining whether to extend or continue to extend credit to the 
          consumer and the terms on which credit is offered or continued.
 (iv) A creditor may not record or maintain and must destroy 
          unsolicited medical information as soon as practical after receipt of 
          such information.

B. EXAMPLES

We believe the proposed examples accurately reflect the intent that 
        unsolicited medical information may be obtained without violating the 
        prohibition, but may not be used. We suggest the following changes to 
        make the examples conform with the provision’s being changed to an 
        exception.

(2) EXAMPLES OF OBTAINING AND USING UNSOLICITED MEDICAL INFORMATION CONSISTENT WITH THE EXCEPTION
(i) In response to a general question regarding a consumer’s debts 
          or expenses, a creditor receives information that the consumer has a 
          particular medical condition. The creditor does not use that 
          information in determining whether to extend credit to the consumer or 
          the terms on which the credit is offered.
(ii) In conversation with the loan officer, the consumer informs the 
          creditor that the consumer has a particular medical condition, and the 
          creditor does not use that information in determining whether to 
          extend credit to the consumer or the terms on which credit is offered.

IV. SEC. __.30(C) FINANCIAL INFORMATION EXCEPTION

The proposed rule creates a general “financial information” exception 
        which permits creditors to obtain and use medical information pertaining 
        to a consumer in connection with a determination of the consumer’s 
        eligibility so long as three conditions are met: 
• The information relates to debts, expenses, income, benefits, 
          collateral, or the purpose of the loan, including the use of proceeds;
• The creditor uses the medical information in a manner and to an 
          extent that is no less favorable than it would use comparable 
          information that is not medical information in a credit transaction; 
          and
 • The creditor does not take the consumer’s physical, mental, or 
          behavioral health, condition or history, type of treatment, or 
          prognosis into account as part of any such determination.
 This provision essentially permits a creditor to treat 
        medically-related debt and income no less favorably than other debt and 
        income. However, the provision prohibits financial institutions from 
        discriminating against the consumer on the basis of underlying medical 
        condition, treatment or prognosis.

The primary reason consumers are opposed to financial institutions’ 
        having access to their medical information is the concern that they will 
        be discriminated against on the basis of the information. Congress 
        intended to address these concerns and directed the Agencies to 
        promulgate rules consistent with Congressional intent to restrict the 
        use of medical information for inappropriate purposes. This proposed 
        provision generally strikes a reasonable balance between a creditor’s 
        need to obtain and evaluate financial information (which may 
        incidentally be medically related) and the need to protect consumers 
        from discrimination based on their medical condition.

The only time when a creditor may need to specifically request 
        medical information in its initial application for credit would appear 
        to be where credit is requested for the purpose of financing medical 
        products or services. A creditor would be able to request such 
        information under proposed section __.30(d)(1)(v). Proposed section 
        __.30(d)(1)(v) specifically permits a creditor to obtain and use medical 
        information in the case of credit for the purpose of financing medical 
        products or services, for determining and verifying the medical purpose 
        of the loan and use of proceeds. Since a creditor could, in the 
        appropriate circumstances, request medically-related financial 
        information under this proposed section, it is appropriate to limit the 
        financial information exception to those circumstances where the 
        creditor has not initiated the inquiry into medical information.

In order to fully accomplish its goals, the proposed regulation 
        should be amended to specify that to come within this particular 
        exception, the creditor has not specifically requested medical 
        information in its initial application for credit. This would permit 
        creditors to request generic financial information (e.g., outstanding 
        debts, sources of income) while prohibiting them from specifically 
        requesting information related to medical debt. Furthermore, this 
        approach seems to incorporate current practice. Financial institutions 
        have repeatedly represented that they do not routinely request medical 
        information in their credit application process.

Finally, while the title of this subparagraph indicates that it is 
        limited to “financial information” the text of the regulation does not 
        expressly include this limitation. Under general rules of statutory 
        construction the title of a section is not controlling. This provision 
        should be clarified by including the limitation in the actual text of 
        the rule.

Recommendations: The general approach of this provision should 
        be retained. Creditors should be prohibited from treating medically-related 
        debt and income less favorably than other debt and income. The 
        non-discrimination provisions should remain. In addition, the following 
        changes (in ALL CAPS) should be made:

(c) Financial information exception for obtaining and using medical 
        information
(1) In general. A creditor may obtain and use FINANCIAL INFORMATION THAT 
        ALSO QUALIFIES AS medical information pertaining to a consumer in 
        connection with any determination of the consumer’s eligibility, or 
        continued eligibility, for credit so long as:
 
(i) THE CREDITOR DOES NOT SPECIFICALLY REQUEST MEDICAL INFORMATION 
          IN THE INITIAL APPLICATION FOR CREDIT;
(ii) The information relates to debts, expenses, income, benefits, 
          collateral, or the purpose of the loan, including the use of proceeds;
 (iii) The creditor uses the medical information in a manner and to an 
          extent that is no less favorable than it would use comparable 
          information that is not medical information in a credit transaction; 
          and
 (iv) The creditor does not take the consumer’s physical, mental, or 
          behavioral health, condition or history, type of treatment, or 
          prognosis into account as part of any such determination.
 The proposed examples appropriately illustrate the rule and should be 
        retained. 

V. SEC. __.30(d)(1)(i) POWERS OF ATTORNEYS EXCEPTION

Exception __.30(d)(1)(i) permits a creditor to obtain and use medical 
        information:

To determine whether the use of a power of attorney or legal 
        representative is necessary and appropriate.
 This provision is overbroad. There are only limited circumstances 
        when it may be appropriate for a creditor to obtain and use medical 
        information in relation to powers of attorney or legal representatives.
        
 There may be times when a creditor would need to determine whether 
        the use of a power of attorney that is triggered by a medical event or 
        condition is appropriate and necessary. However, powers of attorney can 
        be used in non-medical related circumstances. For example, a consumer 
        who resides in one state may execute a power of attorney to consummate a 
        mortgage in another state. Creditors should not be permitted to obtain 
        and use medical information in the latter circumstance.

Additionally, financial institutions may have an interest in assuring 
        that a power of attorney or legal representative is not fraudulently 
        obtained and may wish to verify that the consumer has the legal capacity 
        to execute the document. Legal capacity may be tied to the consumer's 
        medical status whether or not the power of attorney was triggered by a 
        specific medical event.

Recommendation: This exception should be amended so that it is 
        limited to those circumstances where the use of a power of attorney or 
        legal representative is triggered by a medical condition (e.g., mental 
        incapacity) or where there is some question about the consumer’s legal 
        capacity to execute the underlying legal document.

VI. EXCEPTION FOR MEDICAL INFORMATION IN CONSUMER REPORTS

Background

Exception ___.30(d)(1)(iii) is an attempt to interpret the 
        provisions of the FACT Act that add two new provisions to the Fair 
        Credit Reporting Act. Section 604(g)(2) of FCRA, as amended, generally 
        prohibits creditors from obtaining or using medical information for 
        determining eligibility for credit except as determined to be 
        appropriate and necessary by the Agencies. Section 604(g)(1) of FCRA, as 
        amended, permits consumer reporting agencies, in certain circumstances, 
        to furnish consumer reports that contain medical information.

Specifically, section 604(g)(1) provides that a consumer 
        reporting agency may not furnish a consumer report that contains medical 
        information about a consumer unless:  
(A) The report is furnished in connection with an insurance 
          transaction, and the consumer affirmatively consents to the furnishing 
          of the report;
(B) The report is furnished for employment purposes or in 
          connection with a credit transaction, the information to be furnished 
          is relevant to process or effect the employment or credit transaction, 
          and the consumer provides specific written consent for the furnishing 
          of the report that describes in clear and conspicuous language the use 
          for which the information will be furnished; or
 (C) The information to be furnished pertains solely to 
          transactions, accounts, or balances relating to debts arising from the 
          receipt of medical services, products, or devices, where such 
          information, other than account status or amounts, is restricted or 
          reported using codes that do not identify, or do not provide 
          information sufficient to infer the specific provider or the nature of 
          the services, products, or devices.

Comments on Proposed Approach

The Agencies appear to perceive these provisions as conflicting with 
        each other. To reconcile these provisions, proposed exception 
        ___.30(d)(1)(iii) permits a creditor to obtain and use medical 
        information for determining a consumer’s eligibility for credit to the 
        extent such information is included in a consumer report from a consumer 
        reporting agency, in accordance with 15 U.S.C. Sec. 1681b(g)(1)(B) 
        [section 604(g)(1)(B) of FCRA] and is used for the purpose(s) for which 
        the consumer provided specific written consent. This would permit a 
        creditor to obtain and use uncoded medical information in a consumer 
        report for purposes of determining eligibility for credit.
 The Agencies have not proposed a separate exception for obtaining and 
        using consumer reports that contain coded medical information under 15 U.S.C. 
        Sec. 1681b(g)(1)(C) [section 604(g)(1)(C) of FCRA] because they do not 
        believe that it is necessary to propose a separate exception. Rather, 
        the Agencies have put forth different theories under which consumer 
        reports with coded medical information can be used and obtained by 
        creditors without a specific exception. The Agencies properly have 
        determined that no separate exception is required for consumer reports 
        with coded medical information. This approach should be extended to 
        consumer reports with uncoded medical information.

The Agencies have taken the proper approach by proposing that no 
        exception is necessary to permit creditors to obtain and use coded 
        medical information in consumer reports furnished by consumer reporting 
        agencies in accordance with section 604(g)(1)(C) of FCRA. Additionally, 
        the theory that creditors who intend to use this coded medical 
        information would be able to do so in accordance with the financial 
        information exception in ____.30(C) seems sound.

 The Agencies should adopt this as the general approach to 
        interpreting sections 604(g)(1) and 604(g)(2), regardless of whether the 
        medical information is coded or uncoded. There should be no independent 
        exception for consumer reports that contain medical information. Rather, 
        creditors only should be able to obtain and use medical information in 
        consumer reports to the extent that the creditor is able to meet one of 
        the other exceptions to the general prohibition (such as the financial 
        information exception or the credit for medical procedure exception).
         This approach is the most appropriate interpretation of the FACT Act. 
        The prohibition in section 604(g)(2) is very broad. The delegation of 
        authority to the Agencies makes very clear that exceptions are to be 
        made consistent with Congressional intent to restrict the use of medical 
        information for inappropriate purposes. Thus, it is appropriate to 
        interpret section 604(g)(2) as prohibiting creditors from obtaining and 
        using consumer reports with medical information unless there is another 
        independent exception for doing so.

 This approach is fully consistent with section 604(g)(1), which 
        permits consumer reporting agencies to furnish consumer reports in 
        certain circumstances. This approach would permit consumer reporting 
        agencies to furnish consumer reports that contain medical information 
        either by coding the information or by obtaining a true informed 
        consent. It would encourage consumer reporting agencies to code medical 
        information so as not to require consumer consent. Finally, this 
        approach would allow creditors to obtain and use consumer reports 
        containing medical information pursuant to another exception where the 
        Agencies have determined that it is necessary and appropriate.

 The theory that section 604(g)(1) should be interpreted as giving 
        independent authorization to creditors to obtain and use consumer 
        reports containing medical information is unsupported by the very 
        structure of the FACT Act. Section 604(g)(1) addresses the permitted 
        activities of consumer reporting agencies. It is intended to encourage 
        them to code medical information in consumer reports. Section 604(g)(1) 
        does not purport to govern the activities of creditors. It would be 
        inappropriate to read this provision as creating independent grounds for 
        creditors’ obtaining and using medical information. That determination 
        is to be made under section 604(g)(2).

 Moreover, creating a separate consumer report exception would allow 
        creditors to circumvent the conditions imposed by the other exceptions. 
        For example, under proposed __.30(d)(1)(vi), a creditor may obtain and 
        use medical information if the consumer requests that specific medical 
        information be used for a specific purpose. In contrast, there is no 
        such requirement under 604(g)(1)(B). It appears that a consent under 
        section 604(g)(1)(B) could be valid if it merely stated that a consumer 
        consented to the furnishing of a consumer report. The consent does not 
        have to state that the consumer report includes medical information.

 In sum, a separate exception is not appropriate for obtaining and 
        using consumer reports that contain any medical information, whether or 
        not it is coded. Legitimate uses of both coded and uncoded medical 
        information for determining a consumer’s eligibility for credit appear 
        to be covered by other proposed exceptions. To the extent a consumer 
        report contains financial information that pertains to medical treatment 
        or payment, the information would be covered by the “financial 
        information” exception. To the extent the information is sought for the 
        purpose of financing medical products or services, to determine and 
        verify the purpose(s) for the loan, exception (v) would apply. To the 
        extent the information is provided pursuant to consumer request, it 
        would be covered by the consumer request exception.

 Recommendation: There should be no separate exception for 
        consumer reports.

 VII. FRAUD PREVENTION AND DETECTION
 SEC. __.30(d)(1)(iv)
 
 Section ___.30(d)(1)(iv) would permit a creditor to obtain and use 
        medical information in connection with any determination of the 
        consumer’s eligibility, or continued eligibility, for credit for 
        purposes of fraud prevention and detection.

 This exception is overbroad and is unnecessary. There seem to be few 
        circumstances under which the use of medical information would be 
        necessary and appropriate to fraud prevention and detection. 
        Furthermore, other, more specific, exceptions would appear to permit a 
        creditor to obtain and use medical information where such use is 
        appropriate. To the extent that a creditor suspects that a power of 
        attorney has been fraudulently obtained or used, exception __.30(d)(1)(i) 
        would appear to apply. To the extent the creditor suspects that the 
        consumer is using the proceeds of a loan for financing medical products 
        or services, exception __.30(d)(1)(v) would apply. If a creditor believed 
        that a consumer fraudulently requested loan forbearance, section 
        __.30(a)(2)(B) would apply. If the purported fraud involved debt that 
        coincidentally was medical information, it appears that exception 
        __.30(c) would apply.

 It is difficult to envision other circumstances where it would be 
        appropriate for a creditor to use and obtain medical information for the 
        purpose of fraud prevention and detection.

 Recommendation: The separate exception for fraud prevention 
        and detection should be deleted.

 VIII. FINANCING MEDICAL PRODUCTS OR SERVICES
 SEC. __.30(d)(1)(v)

 A. Proposed Rule
 Proposed section __.30(d)(1)(v) would permit a creditor to use and 
        obtain medical information for determining credit eligibility in the 
        case of credit for the purpose of financing medical products or 
        services, to determine and verify the medical purpose of a loan and the 
        use of proceeds.

 This exception specifically applies to those creditors that finance 
        medical products or services. The provision does not contain broad 
        permission to obtain and use medical information. Rather, it 
        specifically identifies the purposes for which this information can be 
        used and obtained—only for determining and verifying the medical purpose 
        of the loan and the use of the proceeds. These limitations are important 
        to ensure that medical information only be used for legitimate purposes.
         This approach strikes the appropriate balance between satisfying the 
        legitimate needs of medical finance creditors and the intent of Congress 
        to limit the use of medical information in credit eligibility 
        determinations.

 Recommendation: The provision should be retained as proposed.

 B. Examples Related to Financing Medical Products or Services

 Section __.30(d)(2) contains examples of determining the medical 
        purpose of the loan or the use of proceeds. Generally, these examples 
        are helpful in explaining the proper application of this exception.

 However, example (i) should be modified. Example (i) states that it 
        is appropriate for a creditor to confirm the consumer’s medical 
        eligibility to undergo that procedure with a surgeon. If the surgeon 
        reports that the surgery will not be performed on the consumer, the 
        creditor may use that information to deny the consumer’s application for 
        credit, because the loan would not be used for the stated purpose. The 
        essence of the inquiry is to determine whether the patient is going to 
        use the loan proceeds for the stated purpose. Medical eligibility is not 
        the appropriate standard for such an inquiry. Asking whether a patient 
        is medically eligible for a medical procedure might elicit a response 
        that contains more information than necessary to decide whether to 
        approve a loan. Furthermore, a patient may be medically eligible for, 
        but not undergo, a procedure.

 Recommendation: Rather than permitting a creditor to confirm 
        medical eligibility, the example should permit the creditor to verify 
        that the procedure is to be performed.

 IX. CONSUMER’S REQUEST
 SEC. 30(d)(1)(vi)

 Proposed Rule

 Proposed exception __.30(d)(1)(vi) provides that a creditor may 
        obtain and use medical information if the consumer (or their legal 
        representative) requests in writing that the creditor use specific 
        medical information for a specific purpose in determining the consumer’s 
        eligibility, or continued eligibility, for credit, to accommodate the 
        consumer’s particular circumstances. The signed written request must be 
        on a separate document. The request also must describe the specific 
        medical information that the consumer requests the creditor to use and 
        the specific purpose for which the information will be used.

 The preamble indicates that this exception is intended to apply when 
        the consumer initiates a request to use medical information for 
        determining eligibility. Specifically, the preamble states:  
This exception is designed to accommodate the particular medical 
          condition or circumstances of the individual consumer and is not 
          intended to allow creditors to obtain consent on a routine basis or as 
          part of loan applications or documentation. This exception would not 
          be met by a form that contains a pre-printed description of various 
          types of medical information and the uses to which it might be put. 
          Instead, it contemplates an individualized process in which the 
          consumer informs the creditor about the specific medical information 
          that the consumer would like the creditor to use and for what purpose.
           The intended approach is appropriate and protects consumers’ medical 
        information from inappropriate uses, as directed by Congress. This 
        approach ensures that the request to use medical information is 
        voluntary and is initiated by the consumer.

 As currently written, however, the proposed rule does not reflect 
        this intent. The intent of the Agencies should be incorporated in the 
        actual text of the rule.

 The rule should also expressly include the preamble’s example of a 
        pre-printed form describing various medical information and the uses to 
        which it might be used as an example of obtaining and using medical 
        information inconsistent with the exception.

 The attempt to limit the collection of information pursuant to a 
        consumer’s request to “specific medical information for a specific 
        purpose” may be somewhat thwarted by the authorization procedure under 
        the Health Privacy Rule issued under the Health Insurance Portability 
        and Accountability Act of 1996 (HIPAA). This issue would arise where a 
        consumer submits a request to a creditor to obtain and use specific 
        medical information for a specific purpose and submits to a health care 
        provider covered by HIPAA an authorization permitting the provider to 
        disclose medical information to the creditor. The HIPAA rule has a 
        general policy that a disclosure must be limited to the minimum amount 
        of information necessary to accomplish the intended purpose of the 
        disclosure (45 C.F.R. sec. 164.502(b)). However, the minimum necessary 
        does not apply to a disclosure made pursuant to an individual’s 
        authorization (45 C.F.R. sec.164.502(b)(2)(iii)). This creates a 
        problem. A creditor may be limited in the amount and type of information 
        that it may obtain and use, but a health care provider covered by HIPAA 
        is under no legal obligation to limit its disclosure to the information 
        requested by the consumer. It is quite possible, therefore, that 
        creditors may receive medical information that is not necessary for the 
        specific purpose requested by the consumer.

 In order to address this issue, the Agencies should require creditors 
        to immediately discard any information that they obtain that is not 
        needed for the immediate purpose for which the request was made.

 Recommendations: Retain the general approach that permits 
        consumers to initiate requests that creditors obtain and use specific 
        medical information for specific purposes. Amend proposed section 
        __.30(d)(1)(vi) by inserting the following language:  
CREDITORS MAY NOT REQUEST OR REQUIRE A CONSUMER TO REQUEST THAT THE 
          CREDITOR OBTAIN OR USE MEDICAL INFORMATION UNDER THIS PROVISION ON A 
          ROUTINE BASIS OR AS PART OF LOAN APPLICATIONS. 
 Include the prohibition on using pre-printed forms and questions that 
        is currently in the preamble in the rule as an example. Require 
        creditors to discard any medical information that they obtain that 
        is not needed for the immediate purpose for which the request was made.

 Additional Exception for Consumer Consent

 The Agencies seek comment on whether there is a need to establish an 
        additional exception whereby a creditor could request that a consumer 
        consent to the specific use of the consumer’s medical information. 
        Permitting creditors to request a consumer’s consent to the specific use 
        of medical information would potentially undermine the intent of the 
        FACT Act. It would potentially create an avenue for creditors to 
        circumvent the requirements of the other exceptions. No additional 
        exceptions are necessary.
 
 It may be appropriate, in very limited circumstances, for creditors 
        to make a request for consumer consent. For example, in the case of 
        credit for the purpose of financing medical products or services, it may 
        be appropriate for creditors to be able to request consent for related 
        medical information only to the extent it is necessary to determine and 
        verify the medical purpose of a loan and the use of the proceeds. It 
        appears that they may already request consent under section 
        __.30(d)(1)(v). Similarly, it may be appropriate to permit creditors to 
        request consumer request within the parameters of the provisions 
        addressing forbearance agreements (should the Agencies determine that 
        these should be treated as exceptions). Again, this would be permitted 
        by the specific exception on forbearance agreements.

 Recommendation: There should be no additional exceptions 
        permitting creditors to request or require consumer consent to obtain or 
        use medical information.

 X. LIMITS ON REDISCLOSURE
 SEC. __.30(e)
 
 Proposed paragraph (e) incorporates the statutory provision regarding 
        the limits on redisclosure of medical information. This provision 
        generally provides that a creditor that receives medical information 
        about a consumer from a consumer reporting agency or an affiliate is 
        prohibited from disclosing that information to any other person, except 
        as necessary to carry out the purpose for which the information was 
        initially disclosed.

 Recommendation: The phrase in the statute “as otherwise 
        permitted by statute, regulation, or order” is not clear, and the rule 
        should clarify the scope. There are two ways that the phrase could be 
        construed. First, the phrase could allow any activity that is not 
        expressly prohibited by statute, regulation, or order. Second, the 
        phrase could allow any activity that is expressly permitted by statute, 
        regulation, or order. The second interpretation is the proper reading of 
        the law and should be reflected in the rule. Otherwise, the mere failure 
        of a law to prohibit conduct may be construed by some to allow that 
        conduct.

 XI. SHARING MEDICAL INFORMATION WITH AFFILIATES
 SEC. ___.31

 A. Background

 The FACT Act adds a new section 603(d)(3) to the FCRA which restricts 
        the sharing of medical-related information with affiliates if that 
        information meets the definition of “consumer report” in section 
        603(d)(1) of the FCRA. Generally, certain information (such as 
        transaction or experience information) that is shared among affiliates 
        is not considered to be a consumer report under the FCRA. New section 
        603(d)(1) provides, however, that if this information is medical-related 
        information, the affiliate-sharing exception will not apply and the 
        information will be considered to be a consumer report. Medical-related 
        information includes medical information, as defined in the FACT Act, as 
        well as other lists based on payment transactions for medical products 
        and services.
 New section 604(g)(3) provides several specific exceptions that allow 
        creditors to disclose medical information to affiliates according to the 
        same rules that apply to other non-medical information. The section also 
        permits the federal banking Agencies to determine, by order or 
        regulation, that other exceptions are necessary and appropriate.

 B. Comments on Statutory Exceptions

 Proposed section ___.31 generally tracks the statutory exceptions 
        relating to when sharing medical-related information with affiliates 
        does not constitute a consumer report. As these exceptions are contained 
        in the statute, they are appropriately contained in the proposed rule.
         We are aware that the Agencies do not have the authority to 
        significantly alter these exceptions. We would like to express our 
        concern, however, with the exclusion “(f)or any purpose referred to in 
        section 1179 of HIPAA” and as otherwise permitted by order of the 
        appropriate agency. These exclusions have the potential of creating 
        large loopholes for the sharing of medical information with affiliates...
 HIPAA amends the Social Security Act by adding section 1179, which 
        provides as follows:
 
SEC. 1179. To the extent that an entity is engaged in activities of 
          a financial institution (as defined in section 1101 of the Right to 
          Financial Privacy Act of 1978), or is engaged in authorizing, 
          processing, clearing, settling, billing, transferring, reconciling, or 
          collecting payments, for a financial institution, this part [the 
          Administrative Simplification Provisions of HIPAA], and any standard 
          adopted under this part, shall not apply to the entity with respect to 
          such activities

 Section 1101 of the Right to Financial Privacy Act generally defines 
        a “financial institution” as any office of a bank, savings bank, card 
        issuer, industrial loan company, trust company, savings association, 
        building and loan, or homestead association (including cooperative 
        banks), credit union, or consumer finance institution.

 The American Bankers Association appears to take the position that 
        section 1179 exempts any activity approved by OCC from HIPAA.3 
        The U.S. Department of Health and Human Services (HHS) has not taken an 
        official position on this issue.

 Should the ABA prevail in its position, the statutory exception which 
        permits creditors to share medical-related information with affiliates 
        “for any purpose referred to in section 1179 of HIPAA” would essentially 
        give creditors wholesale permission to share medical-related information 
        for any activity. It is inconceivable that this result was intended by 
        Congress.

 We also urge the Agency to ensure that its orders that affect 
        affiliate-sharing be consistent with Congressional intent to limit 
        sharing of medical information with affiliates.

 Recommendations: The Agencies should advise HHS of the 
        potential effect of the interpretation of section 1179 on creditors’ 
        ability to share medical-related information with affiliates. The 
        Agencies should also create a procedure to verify that new orders do not 
        create new exceptions which would permit greater sharing of medical 
        information with affiliates.

 C. Comments on Proposed Exceptions Created by Rule

 In addition to these statutory exceptions, the Agencies have proposed 
        section __.31(b)(5), which would allow creditors to share with 
        affiliates medical-related information in connection with a 
        determination of the consumer’s eligibility for credit consistent with 
        proposed section __.30. There is no explanation as to why the Agencies 
        believe this proposed exception is necessary and appropriate.

 The proposed approach is overbroad, and appears inconsistent with the 
        specific conditions imposed in other provisions of the proposed rule and 
        the FACT Act. Specifically, the proposed approach appears to be 
        inconsistent with the consent requirements in section __.30(d)(1)(vi) of 
        the proposed rule and section 604(g)(1)(B) of FCRA, which were intended 
        to ensure that consumers gave informed consent for the sharing, 
        obtaining and use of their medical information.

 Proposed section 30(d)(1)(vi) permits creditors to obtain and use 
        medical information if the consumer (or the consumer’s representative) 
        requests in writing that the creditor use specific medical information 
        for a specific purpose in determining the consumer’s eligibility, or 
        continued eligibility, for credit. The request must be signed, describe 
        the specific medical information that the consumer requests the creditor 
        to use and the specific purpose for which the information will be used. 
        The intent of these requirements is to ensure that the consumer signs an 
        informed consent that details who is permitted to use the information, 
        what specific information will be used and the purpose for which it will 
        be used.

 Similarly, section 604(g)(1)(B) of FCRA 
        permits a consumer reporting agency to furnish a consumer report with 
        uncoded medical information only with the specific written consent of 
        the consumer to furnish the report to a creditor. Proposed section 
        __.30(d)(1)(iii) provides that creditors would be permitted to obtain 
        and use medical information to the extent such information is included 
        in a consumer report from a consumer reporting agency where the consumer 
        has given consent in accordance with section 604(g)(1)(B) of FCRA. 
        Again, this provision is intended to ensure that the consumer has given 
        informed consent.

 The consent process is seriously compromised if a creditor can then 
        turn around and share the medical information with affiliates without 
        any input from the consumer. We note that specifying in a consent that 
        information may be shared “with affiliates” does not truly inform the 
        consumer of the intended recipients of the information.

 Proposed section ___.31(b)(5) would become significantly more 
        problematic if the Agencies were to weaken the anti-discrimination 
        provisions in section __.30(c) in the final rule. Such an approach would 
        permit creditors to share medical-related information with affiliates 
        and would permit both the creditors and affiliates to discriminate 
        against consumers based on their medical status or treatment. This 
        improper use of medical-related information would be contrary to the 
        intent of the FACT Act.

 Recommendations: Proposed section __.31(b)(5) should be 
        deleted. At a minimum it should be amended to state that the exception 
        does not apply to the extent that the creditor has obtained medical 
        information in a credit report furnished in accordance with 604(g)(1)(B) 
        of FCRA or pursuant to a consumer’s request.

 XII. SPECIFIC EXCEPTIONS FOR OBTAINING AND USING MEDICAL INFORMATION
 SEC. ___.30(d)(vii)
 
 Proposed section ____.30(d)(vii) gives the Agencies the authority to 
        add new exceptions by order to the general prohibitions on obtaining and 
        using medical information. Subsections 604(g)(2) and (3) of FCRA, as 
        amended by the FACT Act, only give the Agencies authority to issue orders 
        regarding consumer reports. Therefore, Congress only gave authority to 
        the Agencies to issue exceptions to obtaining and using medical 
        information through regulations, not orders. A reasonable interpretation 
        of the FACT Act would infer that the Agencies would be exceeding their 
        authority by including “orders” as a means for creating exceptions.

 Recommendation: Section __.30(d)(vii) should be removed from 
        the proposed regulations.

 Emily Stewart
 Policy Analyst
 Health Privacy Project
 1120 19th St., NW 8th Floor
 Washington, DC  20036
 
 12 Proposed section __.30(a)(2)(i)(B) would exclude 
        from the definition of “eligibility, or continued eligibility, for 
        credit” a determination of whether the provisions of a debt cancellation 
        contract, debt suspension agreement, credit insurance product or similar 
        forbearance practice or program are triggered. We propose that an 
        exception be treated for debt cancellation contracts and similar 
        forbearance practices. Under either approach, it would appear that 
        a creditor would be able to obtain and use medical information to 
        determine whether the debt forbearance was properly triggered or 
        obtained through fraud.

 3 See letter from the American Bankers Association to Tommy G. 
        Thompson, Secretary, U.S. Department of Health and Human Services, October 
        24, 2003, which states in pertinent part, “…the plain language of the 
        statute exempts from any regulations promulgated under the 
        Administrative Simplification title, any entity engaged in the 
        ‘activities of a financial institution.’ Nothing in section 1179 
        restricts the exempted activities to those involving the payment system.”