
Federal Deposit
Insurance Corporation








FDIC Federal Register Citations

Health Privacy Project
 

July 11, 2006

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
Attention: Comments
550 17th Street, NW
Washington, DC 20429

RIN 1550-AB88

Dear Secretary Feldman,

The Health Privacy Project and the undersigned organizations are submitting these comments on the interim final Fair Credit Reporting Medical Information Regulations, issued in the Federal Register on June 10, 2005. The Health Privacy Project (HPP) is a 501(c)(3) nonprofit organization dedicated to raising awareness about the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and community level. The Health Privacy Project conducts research and analysis on a wide range of health privacy issues, including objective analysis of the HIPAA Privacy Rule and state health privacy laws, genetics and workplace privacy, e-health activities, and bioterrorism and public health surveillance initiatives. HPP also coordinates the Consumer Coalition for Health Privacy (CCHP), which is comprised of over 100 major organizations representing a broad range of both consumers and health care providers. A complete list of Coalition participants, as well as all of the HPP’s resources related to health privacy, can be found at our web site: www.healthprivacy.org.

Especially in light of highly-publicized information thefts, consumers are extremely anxious about how their sensitive information is collected, used, and shared. It is all the more important that Americans have some measure of confidence that their personal health information is safeguarded by any entity that has access to it. The FACT Act was an important step towards regulating how organizations other than providers access and use health information. By and large, we found both the proposed rule and the interim final rule protective of privacy. We were especially heartened that the Agencies adopted several of the suggestions we—and other organizations—put forth in order to build in stronger safeguards for consumers. While the proposed and interim final rules generally adopt the intent of Congress and are protective of health privacy, some issues remain.

Background:

By amending the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACT Act) creates new restrictions on the manner in which creditors, such as banks and credit unions, can obtain and use medical information. In general, the FACT Act prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. However, creditors may obtain and use medical information for these purposes to the extent the federal banking regulators determine it is necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs.

Comments

The current definition of “medical information” should be retained, including applicability to coded information.

§ Sec.___.3 Definitions.

We are pleased that the interim final rule reflects the definition of “medical information” that was established in the proposed rule.[1] In our comments on the proposed rule, we urged the Agencies to retain the proposed definition of “medical information,” and are encouraged that the Agencies chose to incorporate this version, as it effectively tracks the statutory definition and is generally broad and protective.

We also urged—based on inquiry from the Agencies—that any coded information should remain within the scope of “medical information.” It would have been inappropriate to exclude coded information from the definition, as it still reveals that the consumer has a medically-related debt. The Agencies’ decision to keep coded information under the umbrella of protection is appropriate and consistent with Congress’ intent.

The current definition of “eligibility, or continued eligibility, for credit” should be retained.

§ Sec.___.30 Obtaining or using medical information in connection with a determination of eligibility or credit.

As we pointed out in our comments on the proposed rule, including “terms on which credit is offered,” is an important protection for consumers—stipulating that medical information cannot be obtained or used for determinations of eligibility for credit or terms of credit, such as interest rates.

Creating an exception, as opposed to a rule of construction, for debt forbearance and debt cancellation in the interim final rule is an improvement and should be maintained.

§ Sec.___.30 Obtaining or using medical information in connection with a determination of eligibility or credit.

In our comments on the proposed rule, we argued that the debt cancellation, debt suspension, credit insurance product, and forbearance exception established in the definition of “eligibility, or continued eligibility, for credit” (Sec.__30) was overly broad. We also argued that it should be established in the regulation as an exception, as opposed to a rule of construction.

We are pleased that the Agencies agreed and created two exceptions, Sec.__30(e)(1)(vii) and (e)(1)(viii)—one that addresses forbearance and one that addresses debt cancellation and debt suspension. The Agencies also established limits for each section, clarifying that these two exceptions are bound to events that are triggered by a medical situation, as we suggested in our comments on the proposed rule.

There should be stronger limits on obtaining and using unsolicited medical information.

§ Sec.___.30(c) Rule of construction for obtaining and using unsolicited medical information.

Section ___.30(c) of the interim final rule outlines that when a creditor receives unsolicited medical information, they are not violating the law. In our comments on the proposed rule, we suggested that the provision should be strengthened, first to implement the section as an exception (as opposed to a rule of construction) and, secondly, to limit the ability of creditors to indirectly solicit or encourage the sharing of medical information. In order to relieve the potential impact of any inadvertent disclosure, we also urged that unsolicited information should not be recorded or maintained, and should, rather, be destroyed.

Unfortunately, the interim final rule does not reflect our suggestions. The Agencies retained the section as a rule of construction, did not strengthen the language, and did not find it reasonable to require the destruction of personal health information. At the very least, entities should eliminate any detailed medical information that is a part of unsolicited information. For instance, the interim final rule uses the example of an entity discovering indirectly that a consumer owes a debt to a hospital. While it may be relevant that a consumer owes a debt, that the debt is owed to a hospital, in combination with the amount, potentially exposes the individual to future abuse and discrimination. Based on the examples given, it would be doable and beneficial for consumers to require entities to eliminate information that is detailed medical information. We encourage the Agencies to reconsider this issue.

New limitations on exception for power of attorney should remain.

§ Sec.___.30(c) Specific Exceptions for obtaining and using medical information

In our comments on the proposed rule, we urged the Agencies to narrow the scope of Sec.___.30(d)(1)(i), which allowed an exception to “determine whether the use of a power of attorney or legal representative is necessary and appropriate.” In the comments, we expressed our concern that the section was overly broad and could potentially apply to any number of situations, including non-medical related circumstances. We are pleased that the Agencies narrowed the scope to stipulate that the situation would be “triggered by a medical event or condition.” The section should stand.

Exception for fraud prevention and detection is overly broad.

§ Sec.___.30(e)(iv) Specific Exceptions for obtaining and using medical information.

In our comments on the proposed rule, we urged the Agencies to delete the exception for fraud prevention and detection. Section ___.30(d)(1)(iv) would permit a creditor to obtain and use medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit for purposes of fraud prevention and detection.

We found the exception overly broad and unnecessary. There seem to be few circumstances when the collection and use of medical information would be necessary or appropriate for fraud prevention and detection. Furthermore, other, more specific, exceptions permit a creditor to obtain and use medical information where such use is warranted. For instance, to the extent that a creditor suspects that a power of attorney has been fraudulently obtained or used, exception Sec.___.30(d)(1)(i) would appear to apply. To the extent that a creditor suspects that the consumer is using the proceeds of a loan for financing medical products or services, exception __.30(d)(1)(v) would be applicable. And if a creditor believed that a consumer fraudulently requested loan forbearance, section __.30(e)(vii) would apply.

Unfortunately, for the most part, the Agencies retained the exception. While the language has been altered to clarify that the exception applies “to the extent necessary,” it is still an unnecessary exception and should be removed.

Conclusion

Overall, the interim final rule, like the proposed rule before it, is protective of privacy. Some of the changes the Agencies made were critical to improving the safeguards outlined in the law. At the same time, there is still an opportunity to strengthen the provisions of the rule so that they are more compatible with protecting consumers from the inappropriate collection, use, and disclosure of their personal health information. We urge you to make the privacy-strengthening changes we recommend above and to retain the privacy protective provisions in the interim final rule. As a part of this process, it is also important that the Agencies remain acutely aware that some entities are financially invested in collecting sensitive information about consumers, and each section of the law should be reviewed accordingly.

If you have any questions, please contact Emily Stewart, HPP’s Policy Analyst, at estewart@healthprivacy.org or 202-721-5614.

Thank you for your consideration.

Sincerely,

Health Privacy Project
Families USA
Georgia Rural Urban Summit
National Consumers League
AFSCME
Privacy Rights Clearinghouse
USAction
American Psychiatric Association

_______________________________

[1] The interim final rule defines “medical information” as information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to (1) the past, present, or future physical, mental, or behavioral health or condition of an individual; (2) the provision of health care to an individual; or (3) the payment for the provision of health care to an individual. The term “medical information” does not include the age or gender of a consumer, demographic information about the consumer, including a consumer’s residence address or e-mail address, or any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer.  See § Sec.__.3.


 


Last Updated 07/12/2005 Regs@fdic.gov
