American Psychiatric Association
1000 Wilson Boulevard
Suite 1825 Arlington, VA 22209
Telephone 703.907.7300
Fax 703.907.1085
May 28, 2004
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street
NW
Washington, DC 20429-9990
Re: RIN number: RIN 1550-AB88
Dear Mr. Feldman,
We are writing you on behalf of the American Psychiatric Association
(APA) regarding the proposed Fair Credit Reporting Medical Information
Regulations. The APA is a national medical specialty society, founded
in 1844, whose over 35,000 psychiatric physician members specialize
in the diagnosis and treatment of mental and emotional illness and
substance use disorders. As such, we are concerned not only for the
welfare of our members, but also their patients. The proposed rule
creates exceptions to the general prohibition against using and obtaining
medical information and is generally consumer oriented. We encourage
the Agencies to continue this framework as it is in conformity with
Congressional intent to restrict the use of medical information for
making credit decisions to only those purposes that are truly necessary
and appropriate.
The Agencies seek comments on whether any additional or different
exceptions should be included in the final regulation. We believe the
proposed exceptions are sufficient to protect legitimate operational,
transactional, risk and other needs consistent with Congressional intent.
In Congressional hearings leading up to the passage of the FACT Act,
representatives of the industry repeatedly took the position that banks
did not request and did not use medical information for consumer credit
purposes. There was no substantive discussion of when the use of medical
information for consumer credit decisions might be appropriate and
necessary. Thus, physicians entered this rule-making procedure with
little knowledge of when banks actually use medical information in
making credit decisions and whether such use might be appropriate.
Through the initial proposed regulation, physicians have been given
the first real opportunity to learn about some of the actual circumstances
where medical information is used in making consumer credit decisions.
Should additional
exceptions be recommended in comments to the proposed rule, consumers
should be given the specific opportunity to respond to and comment
on those recommendations prior to the finalization of the rule.
We would like to point out that the comment period for these proposed
rules is deficient to the extent that the proposed rule (as well as
the Act) refers to the model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association of Insurance
Commissioners, as in effect on January 1, 2003. That model regulation
is not readily available to the public. The NAIC only sells copies
of the regulation. It is essential that the Agencies make a copy of
that regulation available to the public at no cost so that the public
will have an opportunity to read, understand, and comment upon the
consequences.
The Agencies should also be aware that provisions (no matter how limited)
that allow creditors to obtain and use medical information have the
potential to create a new form of consumer reporting that focuses exclusively
on health information. The justification of collection health information
on all consumers would be that the information can be used in some
instances, as the final regulation will demonstrate. Those with an
incentive to collect health information might well be beyond the scope
of existing regulation and may be able to use the information for other
purposes. It would be an extremely unfortunate result if a provision
intended to allow extremely narrow use of medical information ended
up creating a new, massively invasive consumer reporting activity for
that information. The Agencies should be aware of this possibility,
and they should take steps where ever possible to prevent or discourage
creditors from obtaining medical information from new or unregulated
sources.
Comments on Specific Sections
I. Sec__ .3
Definitions
Definition of "medical information"
The
proposed rule defines "medical information" as information
or data, whether oral or recorded, in any form or medium, created by
or derived from a health care provider or the consumer, that relates
to (1) the past, present, or future physical, mental, or behavioral
health or condition of an individual; (2) the provision of health care
to an individual; or (3) the payment for the provision of health care
to an individual. The term "medical information" does not
include the age or gender of a consumer, demographic information about
the consumer, including a consumer's residence address or e-mail address,
or any other information about a consumer that does not relate to the
physical, mental, or behavioral health or condition of a consumer.
The proposal tracks the statutory definition of "medical information."
This definition should be maintained. By tracking the statutory definition,
the regulatory provision closely adheres to Congressional intent to
give broad protection to medical information.
We believe that it would be inappropriate to exclude from the definition
of "medical information," information related to medical
debts that has been coded in accordance with section 604(g)(1)(C) so
that it does not reveal the specific identity of the provider or medical
service rendered. Such an approach is not supported by the Act. Coded
information still reveals that the consumer has a medically-related
debt. The fact that a consumer has medically-related debt constitutes "information
that relates to "the payment for the provision of health care
to an individual," under the statutory definition. Removing coded
information from the definition would be an inappropriate narrowing
of the statutory definition. Moreover, removing coded information from
the definition of "medical information" would effectively
remove it from the anti-discrimination protections afforded in proposed
section _30(c). The result would be that creditors would be permitted
to treat medical debt differently than non-medical debt. This would
be contrary to Congressional intent.
Recommendation: Retain the proposed definition of medical information.
II. Sec__
.30(a)
General Prohibition on Obtaining and Using Medical
Information in Connection with a
Determination of Eligibility for Credit
A. Sec. _.30(a) General Prohibition
The proposed regulation contains a general prohibition on obtaining
or using medical information pertaining to a consumer in connection
with any determination of the consumer's eligibility, or continued
eligibility, for credit and then creates limited exceptions. This approach
is consistent with the Act and Congressional intent that medical information
only be obtained and used for credit-related purposes when appropriate
and necessary.
B. Sec. _ 30(a)(2)(i) Definitions
1) Including "terms of credit" in the definition of "eligibility,
or continued eligibility, for credit."
The
proposed rule defines "eligibility, or continued eligibility,
for credit" as including the terms on which credit is offered.
We commend this approach. The Act is designed to protect against the
inappropriate use of medical information in credit decisions. This
would encompass not only whether consumers are offered credit but also
the terms under which they are offered credit. For example, a consumer
should not have to pay a higher rate of interest due to their medical
condition. Therefore, the terms on which credit is offered should be
encompassed by the term "eligibility, or continued eligibility
for, credit.
Recommendation: The proposed approach strongly supports Congressional
intent and should be retained.
2) Excluding debt cancellation
and forbearance practices from the definition of "eligibility,
or continued eligibility, for credit.
The proposed rule provides
that the term "eligibility, or continued
eligibility, for credit" does not include:
(B) Any determination of whether the provisions of a debt cancellation
contract, debt suspension agreement, credit insurance product, or similar
forbearance practice or program are triggered
Wholly
excluding debt cancellation contracts and suspension agreements from
the definition of "eligibility, or continued eligibility
for credit" is an overbroad approach. Any provision that allows
creditors to obtain and use medical information in connection with
debt cancellation, debt suspension, or credit insurance products or
practices needs to be tied to a specific consumer and a specific need.
First, the proposed
provision contains a very broad general grant of authority that would
allow creditors to collect medical information
on ALL consumers from multiple sources in order to have that information
available if and when an issue of cancellation, suspension, or other
allowable use arises with respect to a few consumers. This approach
could authorize an entirely new industry of health reporting (akin
to credit reporting) on consumers to support the authorized purposes.
It is therefore important that any provision (whether it be a rule
of construction or an exclusion) be limited to obtaining or using medical
information to a triggering event of a specific consumer.
Second, the proposed provision is overbroad with respect to the purpose
for which medical information may be used and obtained. Forbearance
procedures and practices may be triggered by events unrelated to medical
conditions. For example, a debt cancellation contract can be triggered
by unemployment or divorce. There would be no need to obtain and use
medical information to determine whether such a debt cancellation contract
provision has been triggered. The rule should thus permit a creditor
to obtain and use medical information for forbearance procedures only
where the triggering event is medically-related.
Third, we note that credit
insurance is different from the other listed forbearance practices
since it involves a third party insurer as well
as the creditor and the consumer. Generally, a consumer purchases credit
insurance from the insurer. If a medical event were to trigger credit
insurance the insurer would be the party to be informed of the event
and would then pay the creditor. We question whether a creditor has
a "legitimate operational, transactional, risk and other needs" in
obtaining and using medical information in these circumstances. Unless
such needs are adequately demonstrated "credit insurance" should
be dropped from this provision.
Finally, the Agencies have
requested comments on whether it is more appropriate to address debt
cancellation and forbearance in a rule
of construction or as an exception. We believe the more appropriate
approach is to create a limited exception that would allow a creditor
to obtain and use medical information for these purposes, rather than
wholly excluding them from the definition of "eligibility, or
continued eligibility, for credit." Determining whether the provisions
of a debt cancellation contract, debt suspension agreement or similar
forbearance practice or program are triggered appears to be a determination
of the terms on which credit is offered. These practices thus appear
to fit the definition of "eligibility or continued eligibility
for
credit." A provision which incorporates our suggested limitations
would more appropriately be framed as an exception than a rule of construction.
Wholly excluding debt cancellation
contracts and suspension agreements from the definition of "eligibility, or continued eligibility
for credit" is an overbroad approach. It would have the effect
of permitting creditors to obtain and use medical information in inappropriate
circumstances.
Recommendations: Delete the provision related to debt forbearance
from section -.30(a)(2). Create an exception in _ 30(1)(d) that permits
creditors, upon a consumer's claim, assertion, or request that the
provisions of a debt cancellation contract, debt suspension agreement,
or similar forbearance practice or program have been triggered by a
medical or mental health condition or status to obtain and use medical
information to determine whether such provisions have been triggered.
III. Sec. _.30(b)
Rule of Construction for Receiving Unsolicited Medical Information
A.
Rule
The proposed rule includes a rule
of construction for receiving unsolicited medical information. Under
the rule, a creditor does not obtain medical
information for purposes of paragraph.30(a)(1) [the general prohibition
on obtaining and using medical information in connection with any determination
of a consumer's eligibility for credit] if it:
(i) Receives medical
information pertaining to a consumer in connection with any determination
of the consumer's eligibility, or continued
eligibility, of credit without specifically requesting medical information;
and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
The Agencies proposed this provision because they believe that a creditor
should not be seen as violating the prohibition on obtaining medical
information when the creditor does not specifically ask for or request
such information, yet the consumer or other person provides the information
to the creditor.
We appreciate the Agencies' concern and do not object to the general
premise of the rule. However, we believe it makes more sense to include
this provision as an exception instead of as a rule of construction.
The preamble to the rule makes clear that obtaining and using information
are two distinct activities. Yet under this proposed provision, using
and obtaining information are merged into one concept.
It is preferable to consistently treat obtaining and using information
as distinct activities. This is more readily accomplished by creating
an exception to the general prohibition on use and disclosure.
We also believe that the
regulation should clearly state that "without
specifically requesting medical information" means volunteered
by the consumer without any pressure, prompting, or solicitation (whether
direct or indirect) by the creditor. For example, a creditor could
prompt a consumer to provide medical information by saying that "we
are not allowed to ask you for
medical information, but you can volunteer to provide it if you choose." This
type of solicitation should be expressly prohibited. Additionally,
we recommend adding a provision stating that unsolicited medical information
should not be recorded or maintained, and should be destroyed.
Recommendations: Delete the proposed rule of construction. Add the
following exception for receiving unsolicited medical information.
(b) Exception for receiving unsolicited medical information -(1) In
general.
(i) Medical information received by a creditor
when the creditor has not specifically requested medical information
and when medical information
is volunteered by the consumer without any pressure, prompting, or
solicitation (whether direct or indirect) by the creditor is considered
to be unsolicited medical information for purposes of this section.
(ii) A creditor may obtain unsolicited medical information for purposes
of paragraph (a)(1) .
(iii) A creditor may not use unsolicited medical
information in determining whether to extend or continue to extend
credit to the consumer and
the terms on which credit is offered or continued.
(iv) A creditor
may not record or maintain and must destroy unsolicited medical information
as soon as practical after receipt of such information.
B. EXAMPLES
We believe the proposed examples accurately reflect the intent that
unsolicited medical information may be obtained without violating the
prohibition, but may not be used. We suggest the following changes
to make the examples conform with the provision's being changed to
an exception.
(2) Examples of obtaining and using unsolicited medical information
consistent with the exception,
(i) In response to a general question
regarding a consumer's debts or expenses, a creditor receives information
that the consumer has
a particular medical condition. The creditor does not use that
information in determining whether to extend credit to the consumer
or the terms
on which the credit is offered. (ii) In conversation with the loan
officer, the consumer informs the creditor that the consumer has
a particular medical condition, and the creditor does not use that
information
in determining whether to extend credit to the consumer or the
terms on which credit if offered.
IV. Sec.
_30(c) Financial Information Exception
The proposed rule
creates a general "financial information" exception
which permits creditors to obtain and use medical information
pertaining to a consumer in connection with a determination of
the consumer's
eligibility so long as three conditions are met:
- The information relates to debts, expenses, income, benefits
collateral, or the purpose of the loan, including the use of
proceeds;
- The creditor uses the medical information in a manner and to an extent
that is no less favorable than it would use comparable information
that is not medical information in a credit transaction; and
- The creditor does not take the consumer's physical, mental, or behavioral
health, condition or history, type of treatment, or prognosis into
account as part of any such determination.
This provision essentially permits a creditor to treat medically-related
debt and income no less favorably than other debt and income. However,
the provision prohibits financial institutions from discriminating
against the consumer on the basis of underlying medical condition,
treatment or prognosis.
The primary reason consumers are opposed to financial institutions'
having access to their medical information is the concern that they
will be discriminated against on the basis of the information. Congress
intended to address these concerns and directed the Agencies to promulgate
rules consistent with Congressional intent to restrict the use of medical
information for inappropriate purposes. This proposed provision generally
strikes a reasonable balance between a creditor's need to obtain and
evaluate financial information (which may incidentally be medically
related) and the need to protect consumers from discrimination based
on their medical condition.
The only time when a creditor may need to specifically request medical
information in its initial application for credit would appear to be
where credit is requested for the purpose of financing medical products
or services. A creditor would be able to request such information under
proposed section - 30(d)(1)(v). Proposed section .30(d)(1)(v) specifically
permits a creditor to obtain and use medical information in the case
of credit for the purpose of financing medical products or services,
for determining and verifying the medical purpose of the loan and use
of proceeds. Since a creditor could, in the appropriate circumstances,
request medically-related financial information under this proposed
section, it is appropriate to limit the financial information exception
to those circumstances where the creditor has not initiated the inquiry
into medical information.
In order to fully accomplish its goals, the proposed regulation should
be amended to specify that to come within this particular exception,
the creditor has not specifically requested medical information in
its initial application for credit. This would permit creditors to
request generic financial information (e.g., outstanding debts, sources
of income) while prohibiting them from specifically requesting information
related to medical debt. Furthermore, this approach seems to incorporate
current practice. Financial institutions have repeatedly represented
that they do not routinely request medical information in their credit
application process.
Finally, while the title of this subparagraph indicates
that it is limited to "financial information" the
text of the regulation does not expressly include this
limitation. Under general rules of
statutory construction the title of a section is not controlling. This
provision should be clarified by including the limitation in the actual
text of the rule.
Recommendations: The general approach of this provision should be
retained. Creditors should be prohibited from treating medically-related
debt and income less favorably than other debt and income. The non-discrimination
provisions should remain. In addition, the following changes (in ALL
CAPS) should be made
(c) Financial information exception for obtaining and using medical
information
(1) In general. A creditor may obtain and use FINANCIAL
INFORMATION THAT ALSO QUALIFIES AS medical information pertaining to
a consumer in connection with any determination of the consumer's eligibility,
or continued eligibility, for credit so long as:
(i) The creditor does not specifically request medical information
in the initial application for credit;
(ii) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(iii) The creditor uses the medical information in a manner and to
an extent that is no less favorable than it would use comparable information
that is not medical information in a credit transaction; and
(iv) The creditor doe not take the consumer's physical, mental, or
behavioral health, condition or history, type of treatment, or prognosis
into account as part of any such determination.
The proposed examples appropriately illustrate the rule and should
be retained.
V. Sec. - 30(d)(1)(i) Powers of Attorneys Exception
Exception - 30(d)(1)(i) permits a creditor to obtain and use medical
information: To determine whether the use of a power of attorney or
legal representative is necessary and appropriate.
This provision is over broad. There are only limited circumstances
when it may be appropriate for a creditor to obtain and use medical
information in relation to powers of attorney or legal representatives.
There may be times when a creditor would need to determine whether
the use of a power of attorney that is triggered by a medical event
or condition is appropriate and necessary. However, powers of attorney
can be used in non-medical related circumstances. For example, a consumer
who resides in one state may execute a power of attorney to consummate
a mortgage in another state. Creditors should not be permitted to obtain
and use medical information in the latter circumstance.
Additionally, financial institutions may have an interest in assuring
that a power of attorney or legal representative is not fraudulently
obtained and may wish to verify that the consumer has the legal capacity
to execute the document. Legal capacity may be tied to the consumer's
medical status whether or not the power of attorney was triggered by
a specific medical event.
Recommendation: This exception should be amended so that it limited
to those circumstances where the use of a power of attorney or legal
representative is triggered by a medical condition or where there is
some question about the consumer's legal capacity to execute the underlying
legal document.
VI. Exception
for Medical Information in Consumer Reports
Comments
on Proposed Approach
The Agencies appear to perceive these provisions as conflicting with
each other. To reconcile these provisions, proposed exception _.30(d)(1)(iii)
permits a creditor to obtain and use medical information for determining
a consumer's eligibility for credit to the extent such information
is included in a consumer report from a consumer reporting agency,
in accordance with 15 U.S.C. Sec. 1681b(g)(1)(B) [section 604(g)(1)(B)
of FCRA] and is used for the purpose(s) for which the consumer provided
specific written consent. This would permit a creditor to obtain and
use uncoded medical information in a consumer report for purposes of
determining eligibility for credit.
The Agencies have not proposed a separate exception for obtaining
and using consumer reports that contain coded medical information 15
U.S.C. Sec. 1681b(g)(1)(C) [section 604(g)(1)(C) of FCRA] because they
do not believe that it is necessary to propose a separate exception.
Rather, the Agencies have put forth different theories under which
consumer reports with coded medical information can be used and obtained
by creditors without a specific exception. The Agencies properly have
determined that no separate exception is required for consumer reports
with coded medical information. This approach should be extended to
consumer reports with uncoded medical information.
The Agencies have taken the proper approach by proposing that no exception
is necessary to permit creditors to obtain and use coded medical information
in consumer reports furnished by consumer reporting agencies in accordance
with section 604(g)(1)(C) of FCRA. Additionally, the theory that creditors
who intend to use this coded medical information would be able to do
so in accordance with the financial information exception in__.30(C)
seems sound.
The Agencies should adopt this as the general approach to interpreting
sections 604(g)(1) and 604(g)(2), regardless of whether the medical
information is coded or uncoded. There should be no independent exception
for consumer reports that contain medical information. Rather, creditors
only should be able to obtain and use medical information in consumer
reports to the extent that the creditor is able to meet one of the
other exceptions to the general prohibition (such as the financial
information exception or the credit for medical procedure exception).
This approach is the most appropriate interpretation of the FACT Act.
The prohibition in section 604(g)(2) is very broad. The delegation
of authority to the Agencies makes very clear that exceptions are to
be made consistent with Congressional intent to restrict the use of
medical information for inappropriate purposes. Thus, it is appropriate
to interpret section 604(g)(2) as
prohibiting creditors from obtaining and using consumer reports with
medical information unless there is another independent exception for
doing so.
This approach is fully consistent with section 604(g)(1), which permits
consumer reporting agencies to furnish consumer reports in certain
circumstances. This approach would permit consumer reporting agencies
to furnish consumer reports that contain medical information either
by coding the information or by obtaining a true informed consent.
It would encourage consumer reporting agencies to code medical information
so as not to require consumer consent. Finally, this approach would
allow creditors to obtain and use consumer reports containing medical
information pursuant to another exception where the Agencies have determined
that it is necessary and appropriate.
The theory that section 604(g)(1) should be interpreted as giving
independent authorization to creditors to obtain and use consumer reports
containing medical information is unsupported by the very structure
of the FACT Act. Section 604(g)(1) addresses the permitted activities
of consumer reporting agencies. It is intended to encourage them to
code medical information in consumer reports. Section 604(g)(1) does
not purport to govern the activities of creditors. It would be inappropriate
to read this provision as creating independent grounds for creditors'
obtaining and using medical information. That determination is to be
made under section 604(g)(2).
Moreover, creating a separate consumer report exception would allow
creditors to circumvent the conditions imposed by the other exceptions.
For example, under proposed- 30(d)(1)(vi), a creditor may obtain and
use medical information if the consumer requests that specific medical
information be used for a specific purpose. In contrast, there is no
such requirement under 604(g)(1)(B). It appears that a consent under
section 604(g)(1)(B) could be valid if it merely stated that a consumer
consented to the furnishing of a consumer report. The consent does
not have to state that the consumer report includes medical information.
In sum, a separate exception
is not appropriate for obtaining and using consumer reports that
contain any medical information, whether
or not it is coded. Legitimate uses of both coded and encoded medical
information for determining a consumer's eligibility for credit appear
to be covered by other proposed exceptions. To the extent a consumer
report contains financial information that pertains to medical treatment
or payment, the information would be covered by the "financial
information" exception. To the extent the information is sought
for the purpose of financing medical products or services, to determine
and verify the purpose(s) for the loan, exception (v) would apply.
To the extent the information is provided pursuant to consumer request,
it would be covered by the consumer request exception.
Recommendation: There should be no separate exception for consumer
reports.
VII. Fraud Prevention and Detection
Sec. - 30(d)(1)(iv)
Section __.30(d)(1)(iv) would permit a creditor to obtain and use
medical information in connection with any determination of the consumer's
eligibility, or continued eligibility, for credit for purposes of fraud
prevention and detection.
This exception
is over broad and is unnecessary. There seem to be few circumstances
under which the use of medical information would
be necessary and appropriate to fraud prevention and detection. Furthermore,
other, more specific, exceptions would appear to permit a creditor
to obtain and use medical information where such use is appropriate.
To the extent that a creditor suspects that a power of attorney has
been fraudulently obtained or used exception __.30(d)(1)(i) would
appear to apply. To the extent the creditor suspects that the consumer
is
using the proceeds of a loan for financing medical products or services
exception __.30(d)(1)(v) would apply. If a creditor believed that
a consumer fraudulently requested loan forbearance, section 30(a)(2)(B)
would apply.1 If the purported fraud involved debt that coincidentally
was medical information, it appears that exception -.30(c)
would apply.
It is difficult to envision other circumstances where it would be
appropriate for a creditor to use and obtain medical information for
the purpose of fraud prevention and detection.
Recommendation: The separate exception for fraud prevention and detection
should be deleted.
VIII. Financing
Medical Products or Services
Sec. _ 30(d)(1)(v)
A. Proposed Rule
Proposed section _ 30(d)(1)(v) would permit a creditor to use and
obtain medical information for determining credit eligibility in the
case of credit for the purpose of financing medical products or services,
to determine and verify the medical purpose of a loan and the use of
proceeds.
This exception specifically applies to those creditors that finance
medical products or services. The provision does not contain broad
permission to obtain and use medical information. Rather, it specifically
identifies the purposes for which this information can be used and
obtained-only for determining and verifying the medical purpose of
the loan and the use of the proceeds. These limitations are important
to ensure that medical information only be used for legitimate purposes.
This approach strikes the appropriate balance between satisfying the
legitimate needs of medical finance creditors and the intent of Congress
to limit the use of medical information in credit eligibility determinations.
Recommendation: The provision should be retained as proposed.
B. Examples Related to Financing Medical Products or Services
Section -.30(d)(2) contains examples of determining the medical purpose
of the loan or the use of proceeds. Generally, these examples are helpful
in explaining the proper application of this exception.
However, example (i) should be modified. Example (i) states that it
is appropriate for a creditor to confirm the consumer's medical eligibility
to undergo that procedure with a surgeon. If the surgeon reports that
the surgery will not be performed on the consumer, the creditor may
use that information to deny the consumer's application for credit,
because the loan would not be used for the stated purpose. The essence
of the inquiry is to determine whether the patient is going to use
the loan proceeds for the stated purpose. Medical eligibility is not
the appropriate standard for such an inquiry. Asking whether a patient
is medically eligible for a medical procedure might elicit a response
that contains more information than necessary to decide whether to
approve a loan. Furthermore, a patient may be medically eligible for,
but not undergo, a procedure.
Recommendation: Rather than permitting a creditor to confirm medical
eligibility, the example should permit the creditor to verify that
the procedure is to be performed.
IX Consumer's
Request
Sec. 30(d)(1)(vi)
Proposed
Rule
Proposed exception __ 30(d)(1)(vi) provides that a creditor may obtain
and use medical information if the consumer (or their legal representative)
requests in writing that the creditor use specific medical information
for a specific purpose in determining the consumer's eligibility, or
continued eligibility, for credit, to accommodate the consumer's particular
circumstances. The signed written request must be on a separate document.
The request also must describe the specific medical information that
the consumer requests the creditor to use and the specific purpose
for which the information will be used.
The preamble indicates that this exception is intended to apply when
the consumer initiates a request to use medical information for determining
eligibility. Specifically, the preamble states:
This exception is designed to accommodate the particular medical condition
or circumstances of the individual consumer and is not intended to
allow creditors to obtain consent on a routine basis or as part of
loan applications or documentation. This exception would not be met
by a form that contains a pre-printed description of various types
of medical information and the uses to which it might be put. Instead,
it contemplates an individualized process in which the consumer informs
the creditor about the specific medical information that the consumer
would like the creditor to use and for what purpose.
The intended approach is appropriate and protects consumers' medical
information from inappropriate uses, as directed by Congress. This
approach ensures that the request to use medical information is voluntary
and is initiated by the consumer.
As currently written, however, the proposed rule does not reflect
this intent. The intent of the Agencies should be incorporated in the
actual text of the rule.
The rule should also expressly include the preamble's example of a
pre-printed form describing various medical information and the uses
to which it might be used as an example of obtaining and using medical
information inconsistent with the exception.
The attempt to limit the
collection of information pursuant to a consumer's request to "specific medical information for a specific purpose" may
be somewhat thwarted by the authorization procedure under the Health
Privacy Rule issued under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). This issue would arise where a consumer submits
a request to a creditor to obtain and use specific medical information
for a specific purpose and submits to a health care provider covered
by HIPAA an authorization permitting the provider to disclose medical
information to the creditor. The HIPAA rule has a general policy that
a disclosure must be limited to the minimum amount of information necessary
to accomplish the intended purpose of the disclosure (45 C.F.R. sec.
164.502(b)). However, the minimum necessary does not apply to a disclosure
made pursuant to an individual's authorization (45 C.F.R. sec. 164.502(b)(2)(iii)).
This creates a problem. A creditor may be limited in the amount and
type of information that it may obtain and use, but a health care provider
covered by HIPAA is under no legal obligation to limit its disclosure
to the information requested by the consumer. It is quite possible,
therefore, that creditors may receive medical information that is not
necessary for the specific purpose requested by the consumer.
In order to address this issue, the Agencies should require creditors
to immediately discard any information that they obtain that is not
needed for the immediate purpose for which the request was made.
Recommendations: Retain the general approach that permits consumers
to initiate requests that creditors obtain and use specific medical
information for specific purposes.
Amend proposed section - 30(d)(1)(vi)
by inserting the following language:
Creditors may not request or require
A consumer to Request that the Creditor obtain or use medical information
under this provision on a routine basis or as part of loan applications.
Include the prohibition on using pre-printed forms and questions that
is currently in the preamble in the rule as an example. Require creditors
to discard any medical information that they obtain that that is not
needed for the immediate purpose for which the request was made.
Additional Exception for Consumer Consent
The Agencies seek comment on whether there is a need to establish
an additional exception whereby a creditor could request that a consumer
consent to the specific use of the consumer's medical information.
Permitting creditors to request consumer's consent to the specific
use of medical information would potentially undermine the intent of
the FACT Act. It would potentially create an avenue for creditors to
circumvent the requirements of the other exceptions. No additional
exceptions are necessary.
It may be appropriate, in very limited circumstances, for creditors
to make a request for consumer consent. For example, in the case of
credit for the purpose of financing medical products or services, it
may be appropriate for creditors to be able to request consent for
related medical information only to the extent it is necessary to determine
and verify the medial purpose of a loan and the use of the proceeds.
It appears that they may already request consent under section - 30(d)(1)(v).
Similarly, it may be appropriate to permit creditors to request consumers
request within the parameters of the provisions addressing forbearance
agreements (should the Agencies determine that these should be treated
as exceptions). Again, this would be permitted by the specific exception
on forbearance agreements.
Recommendation: There should be no additional exceptions permitting
creditors to request or require consumer consent to obtain or use medical
information.
X. Limits
on Redisclosure
Sec. -.30(e)
Proposed paragraph (e) incorporates the statutory provision regarding
the limits on redisclosure of medical information. This provision generally
provides that a creditor that receives medical information about a
consumer from a consumer reporting agency or an affiliate is prohibited
from disclosing that information to any other person, except as necessary
to carry out the purpose for which the information was initially disclosed.
Recommendation:
The phrase in the statute "as otherwise permitted
by statute, regulation, or order" is not clear, and the rule should
clarify the scope. There are two ways that the phrase could be construed.
First, the phrase could allow any activity that is not expressly prohibited
by statute, regulation, or order. Second, the phrase could allow any
activity that is expressly permitted by statute, regulation, or order.
The second interpretation is the proper reading of the law and should
be reflected in the rule. Otherwise, the mere failure of a law to prohibit
conduct may be construed by some to allow that conduct.
XI. Sharing
Medical Information with Affiliates
Sec. .31
Comments on Statutory Exceptions
Proposed section .31 generally tracks the statutory exceptions relating
to when sharing medical-related information with affiliates does not
constitute a consumer report.
As these exceptions are contained in the statute, they are appropriately
contained in the proposed rule.
We are aware that the Agencies
do not have the authority to significantly alter these exceptions.
We would like to express our concern, however,
with the exclusion "(f) or any purpose referred to in section
1179 of HIPAA" And as otherwise permitted by order of the appropriate
agency. These exclusions have the potential of creating large loopholes
for the sharing of medical information with affiliates
...
HIPAA amends the Social Security Act by adding section 1179, which
provides as follows:
Sec. 1179. To the extent that an entity is engaged in activities of
a financial institution (as defined in section 1101 of the Right to
Financial Privacy Act of 1978), or is engaged in authorizing, processing,
clearing, settling, billing, transferring, reconciling, or collecting
payments, for a financial institution, this part [the Administrative
Simplification Provisions of HIPAA], and any standard adopted under
this part, shall not apply to the entity with respect to such activities
Section
1101 of the Right to Financial Privacy Act generally defines a "financial institution",
as any office of a bank, savings bank, card issuer, industrial loan
company, trust company, savings
association, building and loan, or homestead association (including
cooperative banks), credit union, or consumer finance institution.
The American Bankers Association appears to take the position that
section 1179 exempts any activity approved by OCC from HIPAA.2 The
U.S. Department of Health and Human Services (HHS) has not taken an
official position on this issue.
Should the ABA prevail in
its position, the statutory exception which permits creditors to
share medical-related information with affiliates "for
any purpose referred to in section 1179 of HIPAA" would essentially
give creditors wholesale permission to share medical-related information
for any activity. It is inconceivable that this result was intended
by Congress.
We also urge the Agency to ensure that its orders that affect affiliate-sharing
be consistent with Congressional intent to limit sharing of medical
information with affiliates.
Recommendations: The Agencies should advise HHS of the potential effect
of the interpretation of section 1179 on creditors' ability to share
medical-related information with affiliates. The Agencies should also
create a procedure to verify that new orders do not create new exceptions
which would permit greater sharing of medical information with affiliates.
C. Comments
on Proposed Exceptions Created by Rule
In addition to these statutory exceptions, the Agencies have proposed
section _3 1(b)(5), which would allow creditors to share with affiliates
medical-related information in connection with a determination of the
consumer's eligibility for credit consistent with proposed section
_30. There is no explanation as to why the Agencies believe this proposed
exception is necessary and appropriate.
The proposed approach is overbroad, and appears inconsistent with
the specific conditions imposed in other provisions or the proposed
rule and the FACT Act. Specifically, the proposed approach appears
to be inconsistent with the consent requirements in section _30(d)(1)(vi)
of the proposed rule and section 604(g)(1)(B) of FCRA, which were intended
to ensure that consumer's gave informed consent for the sharing, obtaining
and use of their medical information.
Proposed section 30(d)(1)(vi) permits creditors to obtain and use
medical information if the consumer (or the consumer's representative)
requests in writing that the creditor use specific medical information
for a specific purpose in determining the consumer's eligibility, or
continued eligibility, for credit. The request must be signed, describe
the specific medical information that the consumer requests the creditor
to use and the specific purpose for which the information will be used.
The intent of these requirements is to ensure that the consumer signs
an informed consent that details who is permitted to use the information,
what specific information will be used and the purpose for which it
will be used.
Similarly, section 604(g)(1)(B) of FCRA. Section 604(g)(1)(B) of FCRA
permits a consumer reporting agency to furnish a consumer report with
uncoded medical information only with the specific written consent
of the consumer to furnish the report to a creditor. Proposed section
30(d)(1)(iii) provides that creditors would be permitted to obtain
and use medical information to the extent such information is included
in a consumer report from a consumer reporting agency where the consumer
has given consent in accordance with section 604(g)(1)(B) of FCRA.
Again, this provision is intended to ensure that the consumer has given
informed consent.
The consent process is seriously
compromised if a creditor can then turn around and share the medical
information with affiliates without
any input from the consumer. We note that specifying in a consent that
information may be shared "with affiliates" does not truly
inform the consumer of the intended recipients of the information.
Proposed section
__.3 1(b)(5) would become significantly more problematic if the Agencies
were to weaken the anti-discrimination provisions in
section _30(c) in the final rule. Such an approach would permit creditors
to share medical-related information with affiliates and would permit
both the creditors and affiliates to discriminate against consumers
based on their medical status or treatment. This improper use of medical-related
information would be contrary to the intent of the FACT Act.
Recommendations: Proposed section -.31(b)(5) should be deleted. At
a minimum it should be amended to state that the exception does not
apply to the extent that the
creditors has obtained medical information in a credit report furnished
in accordance with 604(g)(1)(B) of FCRA or pursuant to a consumer's
request.
XII. Specific
Exceptions for Obtaining and Using Medical Information
Sec.
- 30(d)(vii)
Proposed section__ .30(d)(vii)
gives the Agencies the authority to add new exceptions by order to
the general prohibitions on obtaining
and
using medical information. Subsection 604(g)(2) and (3) of FCRA as
amended by the FACT Act only gives Agencies authority to issue orders
regarding consumer reports. Therefore, Congress only gave authority
to the Agencies to issue exceptions to obtaining and using medical
information through regulations, not orders. A reasonable interpretation
of the FACT Act would infer that the Agencies would be exceeding their
authority by including "orders" as a means for creating exceptions.
Recommendation:
Section__.30(d)(vii) should be removed from the proposed regulations.
In closing, the APA appreciates the opportunity to comment on the
proposed Regulation and looks forward to the publication of a final
regulation that incorporates our suggested revisions. If you have any
questions or comments contact Nancy Trenti, Associate Director, Department
of Government Relations at 703-907-8644 or ntrenti@psych.org.
Sincerely,
James H. Scully, Jr. M.D.
Medical Director
____________________
1 Proposed section
- 30(a)(2)(i)(B) would exclude from the definition of "eligibility,
or continued eligibility, for credit" a
determination of whether the provisions of a debt cancellation contract,
debt suspension agreement, credit insurance product or similar forbearance
practice or program are triggered. We propose that an exception be
treated for debt cancellation contracts and similar forbearance practices.
Under either approach, it would appear that
creditor would be able to obtain and use medical information to determine whether
the debt forbearance was properly triggered or obtained through fraud.
2 See letter from the American Bankers Association to Tommy G. Thompson, Secretary
U.S. Department of Health and Human Services October 24, 2003, which states in
pertinent part, "...the plain language of the statute exempts from any regulations
promulgated under the Administrative Simplification title, any entity engaged
in the 'activities of a financial institution.' Nothing in section 1179 restricts
the exempted activities to those involving the payment system."