FDIC Federal Register Citations

Health Privacy Project

July 11, 2006

Robert E. Feldman

RIN 1550-AB88

Dear Secretary Feldman,

The Health Privacy Project and the undersigned organizations are submitting these comments on the interim final Fair Credit Reporting Medical Information Regulations, issued in the Federal Register on June 10, 2005.

The Health Privacy Project (HPP) is a 501(c)(3) nonprofit organization dedicated to raising awareness about the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and community level. The Health Privacy Project conducts research and analysis on a wide range of health privacy issues, including objective analysis of the HIPAA Privacy Rule and state health privacy laws, genetics and workplace privacy, e-health activities, and bioterrorism and public health surveillance initiatives. HPP also coordinates the Consumer Coalition for Health Privacy (CCHP), which is comprised of over 100 major organizations representing a broad range of both consumers and health care providers. A complete list of Coalition participants, as well as all of the HPP's resources related to health privacy, can be found at our web site: www.healthprivacy.org.

Especially in light of highly publicized information thefts, consumers are extremely anxious about how their sensitive information is collected, used, and shared. It is all the more important that Americans have some measure of confidence that their personal health information is safeguarded by any entity that has access to it. The FACT Act was an important step towards regulating how organizations other than providers access and use health information. By and large, we found both the proposed rule and the interim final rule protective of privacy. We were especially heartened that the Agencies adopted several of the suggestions we, and other organizations, put forth in order to build in stronger safeguards for consumers.
While the proposed and interim final rules generally adopt the intent of Congress and are protective of health privacy, some issues remain.

Background: By amending the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACT Act) creates new restrictions on the manner in which creditors, such as banks and credit unions, can obtain and use medical information. In general, the FACT Act prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit. However, creditors may obtain and use medical information for these purposes to the extent the federal banking regulators determine it is necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs.

Comments

The current definition of medical information should be retained, including applicability to coded information.

§ Sec.___.3 Definitions.

We are pleased that the interim final rule reflects the definition of medical information that was established in the proposed rule. In our comments on the proposed rule, we urged the Agencies to retain the proposed definition of medical information, and are encouraged that the Agencies chose to incorporate this version, as it effectively tracks the statutory definition and is generally broad and protective. We also urged, based on inquiry from the Agencies, that any coded information should remain within the scope of medical information. It would have been inappropriate to exclude coded information from the definition, as it still reveals that the consumer has a medically-related debt. The Agencies' decision to keep coded information under the umbrella of protection is appropriate and consistent with Congress' intent.

The current definition of eligibility, or continued eligibility, for credit should be retained.
§ Sec.___.30 Obtaining or using medical information in connection with a determination of eligibility or credit.

As we pointed out in our comments on the proposed rule, including terms on which credit is offered, is an important protection for consumers, stipulating that medical information cannot be obtained or used for determinations of eligibility for credit or terms of credit, such as interest rates.

Creating an exception, opposed to a rule of construction, for debt forbearance and debt cancellation in the interim final rule is an improvement and should be maintained.

§ Sec.___.30 Obtaining or using medical information in connection with a determination of eligibility or credit.

In our comments on the proposed rule, we argued that the debt cancellation, debt suspension, credit insurance product, and forbearance exception established in the definition of eligibility, or continued eligibility, for credit (Sec.__30) was overly broad. We also argued that it should be established in the regulation as an exception, opposed to a rule of construction. We are pleased that the Agencies agreed and created two exceptions, Sec.__30(e)(1)(vii) and (e)(1)(viii), one that addresses forbearance and one that addresses debt cancellation and debt suspension. The Agencies also established limits for each section, clarifying that these two exceptions are bound to events that are triggered by a medical situation, as we suggested in our comments on the proposed rule.

There should be stronger limits on obtaining and using unsolicited medical information.

§ Sec.___.30(c) Rule of construction for obtaining and using unsolicited medical information.

Section ___.30(c) of the interim final rule outlines that when a creditor receives unsolicited medical information, they are not violating the law.
In our comments on the proposed rule, we suggested that the provision should be strengthened, first to implement the section as an exception (opposed to a rule of construction) and, secondly, to limit the ability of creditors to indirectly solicit or encourage the sharing of medical information. In order to relieve the potential impact of any inadvertent disclosure, we also urged that unsolicited information should not be recorded or maintained, and should, rather, be destroyed. Unfortunately, the interim final rule does not reflect our suggestions. The Agencies retained the section as a rule of construction, did not strengthen the language, and did not find it reasonable to require the destruction of personal health information.

At the very least, entities should eliminate any detailed medical information that is a part of unsolicited information. For instance, the interim final rule uses the example of an entity discovering indirectly that a consumer owes a debt to a hospital. While it may be relevant that a consumer owes a debt, that the debt is owed to a hospital, in combination with the amount, potentially exposes the individual to future abuse and discrimination. Based on the examples given, it would be doable and beneficial for consumers to require entities to eliminate information that is detailed medical information. We encourage the Agencies to reconsider this issue.

New limitations on exception for power of attorney should remain.

§ Sec.___.30(c) Specific Exceptions for obtaining and using medical information

In our comments on the proposed rule, we urged the Agencies to narrow the scope of Sec.___.30(d)(1)(i), which allowed an exception to determine whether the use of a power of attorney or legal representative is necessary and appropriate. In the comments, we expressed our concern that the section was overly broad and could potentially apply to any number of situations, including non-medical related circumstances.
We are pleased that the Agencies narrowed the scope to stipulate that the situation would be triggered by a medical event or condition. The section should stand.

Exception for fraud prevention and detection is overly broad.

§ Sec.___.30(e)(iv) Specific Exceptions for obtaining and using medical information.

In our comments on the proposed rule, we urged the Agencies to delete the exception for fraud prevention and detection. Section ___.30(d)(1)(iv) would permit a creditor to obtain and use medical information in connection with any determination of the consumer's eligibility, or continued eligibility, for credit for purposes of fraud prevention and detection. We found the exception overly broad and unnecessary. There seem to be few circumstances when the collection and use of medical information would be necessary or appropriate for fraud prevention and detection. Furthermore, other, more specific, exceptions permit a creditor to obtain and use medical information where such use is warranted. For instance, to the extent that a creditor suspects that a power of attorney has been fraudulently obtained or used, exception Sec.___.30(d)(1)(i) would appear to apply. To the extent that a creditor suspects that the consumer is using the proceeds of a loan for financing medical products or services, exception __.30(d)(1)(v) would be applicable. And if a creditor believed that a consumer fraudulently requested loan forbearance, section __.30(e)(vii) would apply.

Unfortunately, for the most part, the Agencies retained the exception. While the language has been altered to clarify that the exception applies to the extent necessary, it is still an unnecessary exception and should be removed.

Conclusion

Overall, the interim final rule, like the proposed rule before it, is protective of privacy. Some of the changes the Agencies made were critical to improving the safeguards outlined in the law.
At the same time, there is still an opportunity to strengthen the provisions of the rule so that they are more compatible with protecting consumers from the inappropriate collection, use, and disclosure of their personal health information. We urge you to make the privacy-strengthening changes we recommend above and to retain the privacy protective provisions in the interim final rule. As a part of this process, it is also important that the Agencies remain acutely aware that some entities are financially invested in collecting sensitive information about consumers, and each section of the law should be reviewed accordingly.

If you have any questions, please contact Emily Stewart, HPP's Policy Analyst, at estewart@healthprivacy.org or 202-721-5614.

Thank you for your consideration.

Sincerely,

Health Privacy Project
Last Updated 07/12/2005 | Regs@fdic.gov |