Federal Register Publications

FDIC Federal Register Citations




American Medical Association

May 28, 2004

Federal Deposit Insurance Corporation (FDIC) – RIN Number 3064-AC81;

Dear Sir:

The American Medical Association (AMA) appreciates the opportunity to provide
comments on the “Fair Credit Reporting Medical Information Regulations; Proposed
Rule,” Federal Register, Vol. 69, No. 82, April 28, 2004, p. 23380.

The issue of inappropriate access to personal medical information has become a growing
concern of physicians and patients as banks and other financial institutions process an
increasing number of electronic health care transactions on behalf of physicians, other
health care providers and health plans. Maintaining the privacy of identifiable patient
information remains a high priority to the AMA. Therefore, it is extremely important that
banks and other creditors do not obtain or use medical information in an inappropriate
manner.

The AMA appreciates that the agencies, in crafting this proposed rule, have attempted to
create narrow exceptions to the general rule in the Fair and Accurate Credit Transactions
Act (FACT Act) that prohibits creditors from obtaining and using medical information for
the purpose of determining a consumer’s eligibility for credit. This approach is consistent
with Congressional intent to restrict the use of medical information for making credit
decisions to only those purposes that are truly necessary and appropriate.

Comments on Specific Provisions

Sec. __.3 Definitions

Eligibility, or Continued Eligibility For Credit

The AMA is very concerned about the exclusion of individual business credit from the
coverage under these regulatory protections and believes such an exclusion is unjustified
by the language or intent of the FACT Act. The proposed rule defines “eligibility, or
continued eligibility for credit” as “the consumer’s qualifications or fitness to receive, or
to continue to receive credit, …, primarily for personal, family, or household purposes.”
(emphasis added). The phrase we emphasize significantly limits the protections against
use of medical information by banks to only consumer credit, leaving banks free to
discriminate against individuals seeking business credit on the basis of medical condition.

This limitation on the medical information protections is not authorized and contradicts the
plain language of the statute. The FACT Act states “a creditor shall not obtain or use
medical information … pertaining to a consumer in connection with any determination of
the consumer's eligibility, or continued eligibility, for credit.”1 “Consumer” is defined in
the Fair Credit Reporting Act (FCRA) as an “individual.”2 Thus, nothing in the FACT Act
or the FCRA limits the protections of sec. 604(g)(2) to consumer credit for personal,
family or household purposes.

In fact, such a limitation contradicts the FCRA’s definitions of “credit” and “creditor”,
which specifically refer to the definitions of those same terms under the Equal Credit
Opportunity Act (ECOA).3 The ECOA defines ‘‘credit’’ as “the right granted by a
creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to
purchase property or services and defer payment therefor.”4 The ECOA defines
‘‘creditor’’ in part as “any person who regularly extends, renews, or continues credit.”5
Neither definition is limited to consumer credit, and the ECOA clearly applies to
individual business credit.

Congress intended that individuals seeking small business credit should be protected under
the FACT Act against discrimination on the basis of medical information. The initial bills
introduced in both the House and the Senate used a more restrictive definition of “credit”
as defined in the Truth in Lending Act, a statute which is limited to consumer credit,6 but
were later changed to use the definition of credit and creditor under the ECOA. One of the
primary reasons for applying the ECOA definition of credit to the FCRA, instead of the
TILA definition, was to ensure that all the protection of the FCRA applied to individuals
seeking business credit. Therefore, the agencies’ limitation of the protections against use
of medical information for small business owners is contrary to Congressional intent. We
urge the agencies to broaden the definition of “eligibility, or continued eligibility for
credit” consistent with Congressional intent.

Medical Information

The proposed rule appropriately defines “medical information,” consistent with the
statutory definition in the FACT Act, as information or data, whether oral or recorded, in
any form or medium, created by or derived from a health care provider or the consumer,
that relates to (1) the past, present, or future physical, mental, or behavioral health or
condition of an individual; (2) the provision of health care to an individual; or (3) the
payment for the provision of health care to an individual. The term “medical information”
does not include the age or gender of a consumer, demographic information about the
consumer, including a consumer’s residence address or e-mail address, or any other
information about a consumer that does not relate to the physical, mental, or behavioral
health or condition of a consumer.

The agencies suggest, however, excluding from this definition information related to
medical debts that has been coded in accordance with section 604(g)(1)(C) so that it does
not reveal the specific identity of the provider or medical service rendered. Yet, the fact
that a consumer has medically-related debt constitutes “information that relates to the
payment for the provision of health care to an individual,” under the statutory definition.
Therefore, removing coded information from the definition would be an inappropriate
narrowing of the statutory definition. In addition, it would effectively remove such
information from the anti-discrimination protections in proposed section __.30(c). The
result would be that creditors would be permitted to treat medical debt differently than
non-medical debt, contrary to Congressional intent. We urge the agencies not to exclude
medical information that has been coded in accordance with section 604(g)(1)(C) of the
FACT Act from the definition.

Sec. __.30(a) General Prohibition on Obtaining or Using Medical Information

The proposed regulation contains a general prohibition on obtaining or using medical
information pertaining to a consumer in connection with any determination of the
consumer’s eligibility, or continued eligibility, for credit and then creates limited
exceptions. This approach is consistent with the Act and Congressional intent that medical
information only be obtained and used for credit-related purposes when appropriate and
necessary.

The AMA is pleased that the proposed rule would appropriately define “eligibility, or
continued eligibility, for credit” as including the terms on which credit is offered. Credit
decisions include both whether or not consumers are offered credit and also the terms
under which they are offered credit.

Yet, the proposal also would exclude “any determination of whether the provisions of a
debt cancellation contract, debt suspension agreement, credit insurance product, or similar
forbearance practice or program are triggered.” Wholly excluding debt cancellation
contracts and suspension agreements from the definition of “eligibility, or continued
eligibility for credit” is an overbroad approach. Creditors should be able to obtain and use
medical information for these purposes only when it is appropriate and necessary to do so.
Any such exclusion should be limited to obtaining or using medical information of a
specific consumer in response to their claim or request.

The agencies indicate in the preamble that they do intend this provision to apply when a
particular consumer requests forbearance due to a medical condition, either formally,
through the triggering of the provisions of a debt cancellation contract, or informally (such
as through an oral request). The provision as written, however, is much broader and
would permit creditors to obtain and use medical information where it is not appropriate or
necessary to do so. Forbearance procedures and practices may be triggered by events
unrelated to medical conditions. The rule should thus permit a creditor to obtain and use medical information for forbearance procedures only where the triggering event is
medically-related.

Additionally, a “credit insurance product” is different from the other listed forbearance
practices since it involves a third party insurer as well as the creditor and the consumer.
Generally, a consumer purchases credit insurance from the insurer. The consumer informs
the insurer, not the creditor, if he or she has a claim against the credit insurance. The
insurer then pays the creditor. Therefore, it is unclear why a creditor would have a
“legitimate operational, transactional, risk” or other need to obtain and use medical
information in these circumstances. Unless such needs are adequately demonstrated,
“credit insurance” should be dropped from this provision.

In general, the AMA believes that this provision should be drafted as an exception rather
than a rule of construction.

Sec. __.30(b) Receiving Unsolicited Medical Information

The proposed rule includes a rule of construction for receiving unsolicited medical
information. Under the rule, a creditor would not obtain medical information for purposes
of paragraph __.30(a)(1) [the general prohibition on obtaining and using medical
information in connection with any determination of a consumer’s eligibility for credit] if
it:

(i) Receives medical information pertaining to a consumer in connection
with any determination of the consumer’s eligibility, or continued
eligibility, for credit without specifically requesting medical information;
and
(ii) Does not use that information in determining whether to extend or
continue to extend credit to the consumer and the terms on which credit is
offered or continued.

The agencies indicate that a creditor should not be in violation of the prohibition on
obtaining medical information when the creditor does not specifically ask for or request
such information, yet the consumer or other person provides the information to the
creditor. This seems fair as long as the provision of information by the consumer is truly
voluntary. Therefore, the rule should clarify that “without specifically requesting medical
information” means volunteered by the consumer without any pressure, prompting, or
solicitation (whether direct or indirect) by the creditor. Any type of direct or indirect
solicitation should be expressly prohibited.

In addition, the AMA believes that this provision should be drafted as an exception rather
than a rule of construction.

Sec. __.30(c) Financial Information Exception

The proposed rule creates a general exception which would permit creditors to obtain and
use medical information pertaining to a consumer in connection with a determination of
the consumer’s eligibility so long as three conditions are met:

• The information relates to debts, expenses, income, benefits, collateral, or
the purpose of the loan, including the use of proceeds;
• The creditor uses the medical information in a manner and to an extent that
is no less favorable than it would use comparable information that is not
medical information in a credit transaction; and
• The creditor does not take the consumer’s physical, mental, or behavioral
health, condition or history, type of treatment, or prognosis into account as
part of any such determination.

This provision essentially permits a creditor to treat medically-related debt and income no
less favorably than other debt and income. At the same time, however, this provision
prohibits financial institutions from discriminating against the consumer on the basis of
underlying medical condition, treatment or prognosis. This generally strikes a reasonable
balance between a creditor’s need to obtain and evaluate financial information (which may
incidentally be medically-related) and the need to protect consumers from discrimination
based on their medical condition.

The only time when a creditor may need to specifically request medical information in its
initial application for credit would appear to be where credit is requested for the purpose of
financing medical products or services. Because a creditor would be permitted to request
medically-related financial information under this proposed section, the financial
information exception should be limited to those circumstances where the creditor has not
initiated the inquiry into medical information. The proposed regulation should be
amended to specify that to come within this particular exception, the creditor has not
specifically requested medical information in its initial application for credit. This would
permit creditors to request generic financial information (e.g., outstanding debts, sources
of income) while prohibiting them from specifically requesting information related to
medical debt. This approach would incorporate current practice as financial institutions
have repeatedly represented that they do not routinely request medical information in their
credit application process.

The general approach to this proposed provision should be retained - creditors should be
prohibited from treating medically-related debt and income less favorably than other debt
and income – and the non-discrimination provisions should be retained. In addition, the
title of this subparagraph indicates that it is limited to “financial information,” yet the text
of the regulation does not expressly include this limitation. This provision should be
clarified by including the limitation in the actual text of the rule.

Sec. __.30(d)(1)(i) Powers of Attorneys Exception

Proposed exception __.30(d)(1)(i) permits a creditor to obtain and use medical information
to determine whether the use of a power of attorney or legal representative is necessary
and appropriate. There are only limited circumstances, however, when it may be
appropriate for a creditor to obtain and use medical information in relation to powers of
attorney or legal representatives. Because powers of attorney can be used in non-medical
related circumstances, this exception should be amended so that it is limited to those
circumstances where the use of a power of attorney or legal representative is triggered by a
medical condition (e.g., mental incapacity) or where there is a legitimate question about
the consumer’s legal capacity to execute the underlying legal document.

Sec. __.30(d)(1)(iii) Exception for Medical Information in Consumer Reports

The agencies have not proposed a separate exception for obtaining and using consumer
reports that contain coded medical information 15 U.S.C. Sec. 1681b(g)(1)(C) [section
604(g)(1)(C) of FCRA] because they do not believe that it is necessary to propose a
separate exception. Rather, the agencies have requested comments on three alternative
theories under which consumer reports with coded medical information can be used and
obtained by creditors without a specific exception.

The AMA agrees that there should be no independent exception for consumer reports that
contain medical information. Rather, creditors only should be able to obtain and use
medical information in consumer reports to the extent that the creditor is able to meet one
of the other exceptions to the general prohibition (such as the financial information
exception or the credit for medical procedure exception).

This approach is the most appropriate interpretation of the FACT Act. The agencies
should adopt this as the general approach to interpreting sections 604(g)(1) and 604(g)(2)
of FCRA, regardless of whether the medical information is coded or uncoded.

The prohibition in section 604(g)(2) of FCRA is very broad. The delegation of authority
to the agencies makes very clear that exceptions are to be made consistent with
Congressional intent to restrict the use of medical information for inappropriate purposes.
Thus, it is appropriate to interpret section 604(g)(2) as prohibiting creditors from obtaining
and using consumer reports with medical information unless there is another independent
exception for doing so.

Legitimate uses of both coded and uncoded medical information for determining a
consumer’s eligibility for credit appear to be covered by other proposed exceptions. To
the extent a consumer report contains financial information that pertains to medical
treatment or payment, the information would be covered by the “financial information”
exception. To the extent the information is sought for the purpose of financing medical
products or services, to determine and verify the purpose(s) for the loan, exception (v)
would apply. To the extent the information is provided pursuant to consumer request, it
would be covered by the consumer request exception.

This approach is fully consistent with section 604(g)(1) of FCRA, which permits consumer
reporting agencies to furnish consumer reports in certain circumstances. This approach
would permit consumer reporting agencies to furnish consumer reports that contain
medical information either by coding the information or by obtaining a true informed
consent. It would likely encourage consumer reporting agencies to code medical
information so as not to require consumer consent.

Sec. __.30(d)(1)(v) Financing Medical Products or Services

Proposed section __.30(d)(1)(v) would permit a creditor to use and obtain medical
information for determining credit eligibility in the specific case of credit for the purpose
of financing medical products or services, and only to determine and verify the medical
purpose of a loan and the use of proceeds. These limitations are important to ensure that
medical information only be used for legitimate purposes. The AMA believes that this
approach strikes the appropriate balance between satisfying the legitimate needs of
medical finance creditors and the intent of Congress to limit the use of medical
information in credit eligibility determinations.

Section __.30(d)(2) contains examples of determining the medical purpose of the loan or
the use of proceeds. Example (i) states that it is appropriate for a creditor to confirm the
consumer’s medical eligibility to undergo that procedure with a surgeon. If the surgeon
reports that the surgery will not be performed on the consumer, the creditor may use that
information to deny the consumer’s application for credit, because the loan would not be
used for the stated purpose. Yet, the point of the inquiry is to determine whether the
patient is going to use the loan proceeds for the stated purpose. Medical eligibility is not
the appropriate standard for such an inquiry. Asking whether a patient is medically
eligible for a medical procedure would require a response that contains more information
than necessary to decide whether to approve a loan. Furthermore, a patient may be
medically eligible for, but not undergo, a procedure. The AMA believes that instead of
permitting a creditor to confirm medical eligibility, the example should permit the creditor
to verify that the procedure is to be performed.

Sec. __.30(d)(1)(vi) - Consumer’s Request

Proposed exception __.30(d)(1)(vi) provides that a creditor may obtain and use medical
information if the consumer (or their legal representative) requests in writing that the
creditor use specific medical information for a specific purpose in determining the
consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s
particular circumstances. The signed written request must be on a separate document,
must describe the specific medical information that the consumer requests the creditor to
use and the specific purpose for which the information will be used.

The preamble indicates that this exception is intended to apply when the consumer initiates a request to use medical information for determining eligibility. Specifically, the preamble states:

This exception is designed to accommodate the particular medical condition
or circumstances of the individual consumer and is not intended to allow
creditors to obtain consent on a routine basis or as part of loan applications
or documentation. This exception would not be met by a form that contains
a pre-printed description of various types of medical information and the
uses to which it might be put. Instead, it contemplates an individualized
process in which the consumer informs the creditor about the specific
medical information that the consumer would like the creditor to use and for
what purpose.

The AMA believes that the intended approach is appropriate. It would ensure that the
request to use medical information is voluntary and is initiated by the consumer. As
currently written, however, the proposed rule does not reflect this intent. The intent of the
agencies should be incorporated in the actual text of the rule. In addition, the rule text
should expressly include the example cited in the preamble regarding inappropriate use of a
pre-printed form describing various medical information and potential uses.

Sec. __.30(e) - Limits on Redisclosure

Proposed paragraph (e) incorporates the statutory provision regarding the limits on
redisclosure of medical information. This provision generally provides that a creditor that
receives medical information about a consumer from a consumer reporting agency or an
affiliate is prohibited from disclosing that information to any other person, except as
necessary to carry out the purpose for which the information was initially disclosed.

The phrase in the statute “as otherwise permitted by statute, regulation, or order” is not
clear, and the rule should clarify the scope. There are two ways that the phrase could be
construed. First, the phrase could allow any activity that is not expressly prohibited by
statute, regulation, or order. Second, the phrase could allow any activity that is expressly
permitted by statute, regulation, or order. The second interpretation is the proper reading
of the law and should be reflected in the rule. Otherwise, the mere failure of a law to
prohibit conduct may be construed by some to allow that conduct.

Sec. ___.31 - Sharing Medical Information with Affiliates

The FACT Act adds a new section 603(d)(3) to FCRA which restricts the sharing of
medical-related information with affiliates if that information meets the definition of
“consumer report” in section 603(d)(1) of FCRA. Generally, certain information (such as
transaction or experience information) that is shared among affiliates is not considered to
be a consumer report under FCRA. New section 603(d)(1) provides, however, that if this
information is medical-related information, the affiliate-sharing exception will not apply
and the information will be considered to be a consumer report. Medical-related
information includes medical information, as defined in the FACT Act, as well as other
lists based on payment transactions for medical products and services.

New section 604(g)(3) provides several specific exceptions that allow creditors to disclose
medical information to affiliates according to the same rules that apply to other nonmedical
information. The section also permits the federal banking agencies to determine,
by order or regulation, that other exceptions are necessary and appropriate.

Proposed section ___.31 generally follows the statutory exceptions relating to when sharing
medical-related information with affiliates would not constitute a consumer report.
However, the AMA is concerned about the exclusions “(f)or any purpose referred to in
section 1179 of HIPAA” and as otherwise permitted by order of the appropriate agency.
These exclusions have the potential of creating large loopholes for the sharing of medical
information with affiliates.

HIPAA amends the Social Security Act by adding section 1179, which provides as
follows:

To the extent that an entity is engaged in activities of a financial institution
(as defined in section 1101 of the Right to Financial Privacy Act of 1978),
or is engaged in authorizing, processing, clearing, settling, billing,
transferring, reconciling, or collecting payments, for a financial institution,
this part [the Administrative Simplification Provisions of HIPAA], and any
standard adopted under this part, shall not apply to the entity with respect to
such activities.

Section 1101 of the Right to Financial Privacy Act generally defines a “financial
institution,” as any office of a bank, savings bank, card issuer, industrial loan company,
trust company, savings association, building and loan, or homestead association (including
cooperative banks), credit union, or consumer finance institution.

The U.S. Department of Health and Human Services (HHS) has not taken an official
position on whether section 1179 exempts from HIPAA any activity approved by the
Office of the Comptroller of the Currency. Yet, the American Bankers Association has
taken that position. Should this position prevail, the statutory exception which permits
creditors to share medical-related information with affiliates “for any purpose referred to
in section 1179 of HIPAA” would essentially give creditors wholesale permission to share
medical-related information for any activity. We do not believe that this result was
intended by Congress.

The agencies should advise HHS of the potential effect of the interpretation of section
1179 on creditors’ ability to share medical-related information with affiliates. The
agencies should also ensure that any official orders with respect to affiliate-sharing are
consistent with this rule and with Congressional intent.

Additional Exceptions

In addition to these statutory exceptions, the Agencies have proposed section __.31(b)(5),
which would allow creditors to share with affiliates medical-related information in
connection with a determination of the consumer’s eligibility for credit consistent with
proposed section __.30. There is no explanation as to why this proposed exception is
necessary and appropriate.

The proposed approach is overbroad, and appears inconsistent with the consent
requirements in section __.30(d)(1)(vi) of the proposed rule and section 604(g)(1)(B) of
FCRA, which were intended to ensure that consumers gave informed consent for the
sharing, obtaining and use of their medical information.

Proposed section __.30(d)(1)(vi) would permit creditors to obtain and use medical information
if the consumer (or the consumer’s representative) requests in writing that the creditor use
specific medical information for a specific purpose in determining the consumer’s
eligibility, or continued eligibility, for credit. The request must be signed, describe the
specific medical information that the consumer requests the creditor to use and the specific
purpose for which the information will be used. This is to ensure that the consumer signs
an informed consent that details who is permitted to use the information, what specific
information will be used and the purpose for which it will be used.

Similarly, section 604(g)(1)(B) of FCRA permits a consumer reporting agency to furnish a
consumer report with uncoded medical information only with the specific written consent
of the consumer. Proposed section __.30(d)(1)(iii) provides that creditors would be
permitted to obtain and use medical information to the extent such information is included
in a consumer report from a consumer reporting agency where the consumer has given
consent in accordance with section 604(g)(1)(B) of FCRA. Again, this provision is
intended to ensure that the consumer has given informed consent.

These consent processes would be seriously compromised if a creditor could later share
the medical information with affiliates without any input from the consumer. We note
that specifying in a consent that information may be shared “with affiliates” does not
truly inform the consumer of the intended recipients of the information.

Proposed section ___.31(b)(5) would become significantly more problematic if the
agencies were to weaken the anti-discrimination provisions in section __.30(c) in the
final rule. Such an approach would permit creditors to share medical-related information
with affiliates and would permit both the creditors and affiliates to discriminate against
consumers based on their medical status or treatment. This improper use of medical-related
information would be contrary to the intent of the FACT Act.

The AMA believes that proposed section __.31(b)(5) should be deleted. At a minimum,
it should be amended to state that the exception does not apply to the extent that the
creditor has obtained medical information in a credit report furnished in accordance with
604(g)(1)(B) of FCRA or pursuant to a consumer’s request.

Conclusion

The agencies have requested comments on whether, in the final rule, they should create
any additional or different exceptions to the general prohibition against obtaining and
using medical information for making decisions about a consumer’s credit eligibility. We
do not have any additional or different exceptions to suggest beyond the comments noted
above. If, however, the financial industry requests exceptions for additional or different
practices during the comment period, the AMA believes that patients/consumers should be
given the opportunity to comment on these proposals prior to finalizing the rule.

The AMA appreciates the opportunity to provide these comments, and we look forward to
a final rule that takes these important patient protections into account.

Sincerely,

Michael D. Maves, MD, MBA


1 FCRA, § 604(g)(2), 15 U.S.C. § 1681b(g)(2).
2 FCRA, § 603(c), 15 U.S.C. § 1681a(c).
3 FCRA, § 603(r)(5), 15 U.S.C. § 1681a(r)(5).
4 15 U.S.C. § 1691a(d).
5 15 U.S.C. § 1691a(e).
6 House Rep. No. 108-263, at 3 (2003) and S.1753, 108th Cong. (2003).
 

Last Updated 06/01/2004 regs@fdic.gov

Last Updated: August 4, 2024