| [Federal Register: April 28, 2004 (Volume 69, Number
            82)][Proposed Rules]
 [Page 23379-23407]
 From the Federal Register Online via GPO Access [wais.access.gpo.gov]
 [DOCID:fr28ap04-25]
 [[Page 23379]]
  
 
 
 
 
 -----------------------------------------------------------------------
 Part V
 Department of the Treasury Office of the Comptroller of the Currency 12 CFR Part 41 Office of Thrift Supervision 12 CFR Part 571 -----------------------------------------------------------------------Federal Reserve System
 12 CFR Part 222 -----------------------------------------------------------------------Federal Deposit Insurance Corporation
 12 CFR Part 334 -----------------------------------------------------------------------National Credit Union Administration
 12 CFR Part 717 ----------------------------------------------------------------------- Fair Credit Reporting Medical Information Regulations; Proposed
            Rule [[Page 23380]]
 -----------------------------------------------------------------------
 DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 41 [Docket No. 04-09]RIN 1557-AC85
 FEDERAL RESERVE SYSTEM 12 CFR Part 222 [Regulation V; Docket No. R-1188] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 334 RIN 3064-AC81 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 571 [No. 2004-16]RIN 1550-AB88
 NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 717  Fair Credit Reporting Medical Information Regulations
 AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal
 Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
 Treasury (OTS); National Credit Union Administration (NCUA).
 ACTION: Notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing for comment proposed regulations implementing section 411 of the
              Fair
 and Accurate Credit Transactions Act of 2003 (FACT Act). Public Law
 108-159, 117 Stat. 1952. The FACT Act substantially amends the Fair
 Credit Reporting Act (FCRA or Act), 15 U.S.C. 1681 et seq. Section
 411(a) of the FACT Act adds a new section 603(g)(1) to the FCRA to
 restrict the circumstances under which consumer reporting agencies
            may
 furnish consumer reports that contain medical information about
 consumers. Section 411(a) of the FACT Act also adds a new section
 604(g)(2) to the FCRA to prohibit creditors from obtaining or using
 medical information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit. The Agencies are required to prescribe regulations that
 permit creditors to obtain or use medical information for eligibility
 purposes where necessary and appropriate to protect legitimate
 operational, transactional, risk, consumer, and other needs, consistent
 with the Congressional intent to restrict the use of medical
 information for inappropriate purposes.
 In addition, section 411(b) of the FACT Act adds a new section
 603(d)(3) to the FCRA to restrict the sharing of medical information
 and related lists or descriptions with affiliates. Specifically,
 section 603(d)(3) provides that the standard exclusions from the
 definition of ``consumer report'' contained in section 603(d)(2)--such
 as sharing transaction or experience information about a consumer among
 affiliates or sharing other information among affiliates after
 providing the consumer notice and an opportunity to opt-out--do not
 apply if medical-related information is disclosed to an affiliate.
 Medical-related information includes medical information, an
 individualized list or description based on payment transactions for
 medical products or services, or an aggregate list of identified
 consumers based on payment transactions for medical products or
 services. The provisions of section 603(d)(3) do not apply if the
 sharing falls within certain exceptions, such as in connection with the
 business of insurance or annuities or for any purpose described in
 section 502(e) of the Gramm-Leach-Bliley Act (GLB Act), Public Law 106-
 102. Section 411(b) authorizes the Agencies to promulgate additional
 exceptions by regulation or order, as determined by the Agencies to be
 appropriate or necessary.
 The Agencies generally provide a 60-day period for the public to
 comment on the burdens associated with proposed rules. In this case,
 however, the Agencies believe that a 30-day comment period is
 appropriate because the statute was enacted in December 2003 and
 imposes a statutory deadline for the final rule of June 4, 2004.
 DATES: Comments must be received by May 28, 2004. ADDRESSES: Comments should be directed to:OCC: You should designate OCC in your comment and include Docket
 Number 04-09. Because paper mail in the Washington, DC, area and at the
 OCC may be subject to delays, please submit your comments by e-mail or
 fax whenever possible. You may submit comments by any of the following
 methods:
 Federal eRulemaking Portal: http://www.regulations.gov.
 Follow the instructions for submitting comments.
  OCC Web site: http://www.occ.treas.gov. Click on  ``Contact the OCC,'' scroll down and click on ``Comments on proposed regulations.''
 Fax: (202) 874-4448.
 Mail: Office of the Comptroller of the Currency,
 250 E Street, SW., Public Information Room, Mail Stop 1-5, Washington,
 DC 20219.
 Hand Delivery/Courier: 250 E Street, SW., Attn:
 Public Information Room, Mail Stop 1-5, Washington, DC 20219.
 Instructions: All submissions received must include the agency name
 (OCC) and docket number or Regulatory Information Number (RIN) for this
 notice of proposed rulemaking. In general, the OCC will enter all
 comments received into the docket without change, including any
 business or personal information that you provide.
 Docket: For access to the docket to read
 background documents or comments received you may:
 View docket information in person: You may
 personally inspect and photocopy docket information at the OCC's Public
 Information Room, 250 E Street, SW., Washington, DC. You can make an
 appointment to inspect the docket by calling (202) 874-5043.
 View docket information electronically: You may
 request that we send electronic copies of docket information to you via
 e-mail or mail you a CD-ROM containing electronic copies by contacting
 the OCC at regs.comments@occ.treas.gov.
 Request copies: You may request copies of docket
 information by fax at (202) 874-4448, mailing the OCC at 250 E Street,
 SW., Attn: Public Information Room, Mail Stop 1-5, Washington, DC
 20219, or by contacting us at (202) 874-5043.
 Board: You may submit comments, identified by Docket No. R-1188, by
 any of the following methods:
 
 Agency Web site: http://www.federalreserve.gov Follow the instructions for
  submitting comments at http://.
 http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.  Federal eRulemaking Portal: http://www.regulations.gov.Follow the instructions for submitting comments.
  E-mail: regs.comments@federalreserve.gov. Include docket number in the subject line of the message.
 [[Page 23381]]  Fax: 202/452-3819 or 202/452-3102.Mail: Jennifer J. Johnson, Secretary, Board of
 Governors of the Federal Reserve System, 20th Street and Constitution
 Avenue, NW., Washington, DC 20551.
 All public comments are available from the Board's Web site at
 http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, except as necessary for technical reasons. Accordingly, your comments
 will not be edited to remove any identifying or contact information.
 Public comments may also be viewed electronically or on paper in
            Room
 MP-500 of the Board's Martin Building (20th and C Streets, NW.) between
 9 a.m. and 5 p.m. on weekdays.
 FDIC: You may submit comments, identified by RIN number by any of
 the following methods:
 Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html.
 Follow instructions for ubmitting
  comments on the Agency Web site.
 E-Mail: Comments@FDIC.gov. Include the RIN
 number in the subject line of the message.
 Mail: Robert E. Feldman, Executive Secretary,
 Attention: Comments, Federal Deposit Insurance Corporation, 550 17th
 Street, NW., Washington, DC 20429.
 Hand Delivery/Courier: Guard station at the rear
 of the 550 17th Street Building (located on F Street) on business days
 between 7 a.m. and 5 p.m.
 Instructions: All submissions received must
 include the agency name and RIN for this rulemaking. All comments
 received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html
 including any personal
 information provided.OTS: You may submit comments, identified by docket number 2004-16,
 by any of the following methods:
 Federal eRulemaking Portal: http://www.regulations.gov.
 Follow the instructions for submitting comments.
  E-mail address: regs.comments@ots.treas.gov. Please include docket number 2004-16 in the subject line of the message
 and include your name and telephone number in the message.
 Fax: (202) 906-6518.
 Mail: Regulation Comments, Chief Counsel's
 Office, Office of Thrift Supervision, 1700 G Street, NW., Washington,
 DC 20552, Attention: No. 2004-xx.
 Hand Delivery/Courier: Guard's Desk, East Lobby
 Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days,
 Attention: Regulation Comments, Chief Counsel's Office, Attention: No.
 2004-xx.
 Instructions: All submissions received must include the agency name
 and docket number or Regulatory Information Number (RIN) for this
 rulemaking. All comments received will be posted without change to the
 OTS Internet site at http://www.ots.treas.gov, including any personal
 information provided.Docket: For access to the docket to read background documents or
 comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1.
 In addition, you may inspect comments
 at the Public Reading Room, 1700 G Street, NW., by appointment.
            To make an appointment for access, call (202) 906-5922, send an e-mail to
 public.info@ots.treas.gov, or send a facsimile transmission to (202)
 906-7755. (Prior notice identifying the materials you will be requesting will assist us in serving you.) We schedule appointments
              on
 business days between 10 a.m. and 4 p.m. In most cases, appointments
 will be available the next business day following the date we receive
            a
 request.
 NCUA: You may submit comments by any of the following methods
 (Please send comments by one method only):
 Federal eRulemaking Portal: http://www.regulations.gov.
 Follow the instructions for submitting comments.
  NCUA Web site: http://www.ncua.gov/news/proposed_regs/proposed_regs.html.Follow the instructions for
 submitting comments.E-mail: Address to regcomments@ncua.gov. Include
 ``[Your name] Comments on Proposed Rule Part 717, Fair Credit
 Reporting--Medical Information'' in the e-mail subject line.
 Fax: (703) 518-6319. Use the subject line
 described above for e-mail.
 Mail: Address to Becky Baker, Secretary of the
 Board, National Credit Union Administration, 1775 Duke Street,
 Alexandria, Virginia 22314-3428.
 Hand Delivery/Courier: Becky Baker, Secretary of
 the Board, National Credit Union Administration, 1775 Duke Street,
 Alexandria, Virginia 22314-3428.
 FOR FURTHER INFORMATION CONTACT:OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael
 Bylsma, Director, or Stephen Van Meter, Assistant Director, Community
 and Consumer Law, (202) 874-5750; Patrick T. Tierney, Attorney,
 Legislative and Regulatory Activities Division, (202) 874-5090; or
 Carol Turner, Compliance Specialist, Compliance Department, (202) 874-
 4858, Office of the Comptroller of the Currency, 250 E Street, SW.,
 Washington, DC 20219.
 Board: David A. Stein, Counsel; Minh-Duc T. Le, Ky Tran-Trong, or
 Krista P. DeLargy, Senior Attorneys, Division of Consumer and Community
 Affairs, (202) 452-3667 or (202) 452-2412; or Andrew Miller, Counsel,
 Legal Division, (202) 452-3428, Board of Governors of the Federal
 Reserve System, 20th and C Streets, NW., Washington, DC 20551.
 FDIC: Robert A. Patrick, Counsel, (202) 898-3757, or Richard M.
 Schwartz, Counsel, Legal Division, (202) 898-7424; David LaFleur,
 Policy Analyst, (202) 898-6569, or Patricia Cashman, Senior Policy
 Analyst, Division of Supervision and Consumer Protection, (202) 898-
 6534, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
 Washington, DC 20429.
 OTS: Elizabeth Baltierra, Program Analyst (Compliance), Compliance
 Policy, (202) 906-6540; Richard Bennett, Counsel (Banking and Finance),
 (202) 906-7409; or Paul Robin, Special Counsel, Regulations and
 Legislation Division, (202) 906-6648, Office of Thrift Supervision,
 1700 G Street, NW., Washington, DC 20552.
 NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel,
 (703) 518-6540, National Credit Union Administration, 1775 Duke Street,
 Alexandria, VA 22314-3428.
 SUPPLEMENTARY INFORMATION: I. Background  On December 4, 2003, the President signed into law the FACT Act, which amends the FCRA. Public Law 108-159, 117 Stat. 1952. In general,
 the FACT Act contains provisions designed to enhance the ability
            of
 consumers to combat identity theft, increase the accuracy of consumer
 reports, and allow consumers to exercise greater control regarding
            the
 type and amount of marketing solicitations they receive. Section
            411 of
 the FACT Act limits the ability of creditors to obtain or use, of
 consumer reporting agencies to disclose, and of affiliates to share
 medical information.
 Section 411(a) of the FACT Act adds a new section 604(g)(1) to the
 FCRA to restrict the circumstances under which consumer reporting
 agencies may furnish consumer reports that contain medical information
 about consumers. Specifically, under new section 604(g)(1), a consumer
 reporting agency may not furnish a consumer report that contains
 medical information about a consumer unless:
 (1) The report is furnished in connection with an insurance
 transaction, and the consumer
 [[Page 23382]] affirmatively consents to the furnishing of the report;(2) The report is furnished for employment purposes or in
 connection with a credit transaction, the information to be furnished
 is relevant to process or effect the employment or credit transaction,
 and the consumer provides specific written consent for the furnishing
 of the report that describes in clear and conspicuous language the use
 for which the information will be furnished; or
 (3) The information to be furnished pertains solely to
 transactions, accounts, or balances relating to debts arising from the
 receipt of medical services, products, or devices, where such
 information, other than account status or amounts, is restricted or
 reported using codes that do not identify, or do not provide
 information sufficient to infer, the specific provider or the nature of
 such services, products, or devices.
 Section 411(c) of the FACT Act revises the definition of ``medical
 information'' in section 603(i) to mean information or data, whether
 oral or recorded, in any form or medium, created by or derived from a
 health care provider or the consumer, that relates to the past,
 present, or future physical, mental, or behavioral health or condition
 of an individual, the provision of health care to an individual, or the
 payment for the provision of health care to an individual. The
 definition further provides that the term ``medical information'' does
 not include the age or gender of a consumer, demographic information
 about the consumer, including a consumer's residence address or e-mail
 address, or any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 Section 411(a) also amends the FCRA by adding new section 604(g)(2)
 to prohibit creditors from obtaining or using medical information
 pertaining to a consumer in connection with any determination of the
 consumer's eligibility, or continued eligibility, for credit. Section
 604(g)(2) contains two independent prohibitions--a prohibition on
 obtaining medical information and a prohibition on using medical
 information. The statute contains no prohibition, however, on obtaining
 or using medical information other than in connection with a
 determination of the consumer's eligibility, or continued eligibility,
 for credit. Thus, section 604(g)(2) does not prohibit a creditor from
 obtaining medical information for employment purposes, in connection
 with a determination of a consumer's eligibility for an insurance
 product or through processing payments for a consumer, maintaining a
 consumer's account, or performing similar functions. Nevertheless, a
 creditor that obtains medical information in these circumstances may
 not use that information in connection with a determination of the
 consumer's eligibility, or continued eligibility, for credit. For
 example, medical information about a consumer obtained and used by a
 creditor for employment purposes may not subsequently be used in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit. New section 604(g)(5)(A) requires
 the Agencies to prescribe regulations that permit transactions that are
 determined to be necessary and appropriate to protect legitimate
 operational, transactional, risk, consumer, and other needs (including
 administrative verification purposes), consistent with congressional
 intent to restrict the use of medical information for inappropriate
 purposes.
 Section 411(b) of the FACT Act adds a new section 603(d)(3) to the
 FCRA to restrict the sharing of medical-related information with
 affiliates if that information meets the definition of ``consumer
 report'' in section 603(d)(1) of the FCRA. Specifically, section
 603(d)(3) provides that the standard exclusions from the definition of
 ``consumer report'' contained in section 603(d)(2)--such as sharing
 transaction or experience information among affiliates or sharing other
 eligibility information among affiliates after notice and an
 opportunity to opt-out--do not apply if medical-related information is
 disclosed to an affiliate. Medical-related information includes medical
 information, as described above, as well as an individualized list or
 description based on payment transactions for medical products or
 services, and an aggregate list of identified consumers based on
 payment transactions for medical products or services.
 New section 604(g)(3) provides several exceptions that allow
 creditors to disclose medical information to affiliates according to
 the same rules that apply to other non-medical information. In
 particular, section 604(g)(3) provides that medical-related information
 that is transaction or experience information or that is subject to the
 FCRA affiliate sharing opt-out provisions or other standard exclusions
 in section 603(d)(2) may be shared with an affiliate of the creditor if
 the information is disclosed to an affiliate:
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 Standards for Individually Identifiable Health Information promulgated
 by the Department of Health and Human Services (HHS) pursuant to the
 Health Insurance Portability and Accountability Act of 1996 (HIPAA);
 (3) For any purpose referred to under section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act; or
 (5) As otherwise determined to be necessary and appropriate, by
 regulation or order, by the Federal Trade Commission (FTC), the
 Agencies, or an applicable State insurance authority.
 Section 604(g)(4), as added by section 411(a)(4) of the FACT Act,
 also provides that any person that receives medical information from an
 affiliate pursuant to an exception in section 604(g)(3) or from a
 consumer reporting agency under section 604(g)(1) must not disclose
 such information to any other person, except as necessary to carry out
 the purpose for which the information was initially disclosed, or as
 otherwise permitted by statute, regulation, or order.
 II. Proposed Rule  The rule proposed by the Agencies would do two things. First, the proposed regulations would create exceptions to the general prohibition
 against obtaining or using medical information in connection with
 credit eligibility determinations, as required by section 604(g)(5)(A).
 The Agencies believe the proposed exceptions are necessary and
 appropriate to protect legitimate operational, transactional, risk,
 consumer, and other needs (including administrative verification
 purposes), and are consistent with the congressional intent to restrict
 the use of medical information for inappropriate purposes. Second,
            the
 proposed regulations would, as permitted by section 604(g)(3)(C),
 create additional exceptions to the special restrictions in section
 603(d)(3) on sharing medical-related information with affiliates
            that
 the Agencies believe are necessary and appropriate. The proposed
 regulations are discussed in more detail in the Section-by-Section
 Analysis below. The Agencies invite comment on all aspects of the
 proposal.
 [[Page 23383]] III. Section-by-Section Analysis Section ----.1 Purpose, Scope, and Effective Dates  Proposed Sec. ----.1(b)(2) describes the institutions covered by the provisions of the regulations of each of the respective Agencies.
 Section ----.2 Examples  Proposed Sec. ----.2 Discusses the Scope and Effect of the Examples Included in the Proposed Regulation.
 Section ----.3 Definitions  Proposed Sec. ----.3 contains definitions for the terms ``affiliate'' (as well as the related terms ``company'' and
 ``control''), ``consumer,'' ``medical information,'' and ``you.''
 Affiliate
 Several FCRA provisions apply to information sharing with persons
 ``related by common ownership or affiliated by corporate control,''
 ``related by common ownership or affiliated by common corporate
 control,'' or ``affiliated by common ownership or common corporate
 control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2).
 Section 2 of the FACT Act defines the term ``affiliate'' to mean
 persons that are related by common ownership or affiliated by corporate
 control. Proposed paragraph (b) simplifies these various formulations
 by defining ``affiliate'' to mean any company that controls, is
 controlled by, or is under common control with another company. The
 proposed definition is identical to the definition of ``affiliate'' in
 the GLB Act privacy regulations.\1\ Consistent with the definitions in
 the privacy regulations and the practical application of the FCRA, the
 proposal uses a definition of ``control'' that applies exclusively to
 the control of a ``company,'' and defines ``company'' to include any
 corporation, limited liability company, business trust, general or
 limited partnership, association, or similar organization. See proposed
 paragraphs (d) (``company'') and (i) (``control'').\2\ The definition
 of ``company'' omits some entities that are ``persons'' under the
 FCRA--individuals, estates, cooperatives, governments, and government
 in which ``control'' could be exercised over individuals, government
 agencies, and other persons that do not fit within the definition of
 ``company.''
 ---------------------------------------------------------------------------
  \1\ For purposes of the proposed regulation, an ``affiliate'' includes an operating subsidiary of a bank or savings association,
 and a credit union service organization that is controlled by a
 federal credit union.
 \2\ For purposes of the proposed regulation, NCUA will presume a
 federal credit union has a controlling influence over the management
 or policies of a credit union service organization if it is 67
 percent owned by credit unions.
 ---------------------------------------------------------------------------
 Medical InformationUnder proposed paragraph (k), the term ``medical information''
 means information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to (1) the past, present, or future physical,
 mental, or behavioral health or condition of an individual; (2) the
 provision of health care to an individual; or (3) the payment for the
 provision of health care to an individual. The term ``medical
 information'' does not include the age or gender of a consumer,
 demographic information about the consumer, including a consumer's
 residence address or e-mail address, or any other information about a
 consumer that does not relate to the physical, mental, or behavioral
 health or condition of a consumer, including the existence or value of
 any insurance policy. The proposal tracks the statutory definition of
 ``medical information.''
 Creditors are reminded that other laws, such as the Americans with
 Disabilities Act, the Fair Housing Act, the GLB Act, and other parts of
 the FCRA, may limit or regulate the use, collection, and sharing of
 consumer information, including medical information. In particular,
 these and other laws, such as the Equal Credit Opportunity Act, also
 may prohibit creditors from using certain information that is excluded
 from the restrictions on obtaining or using medical information, such
 as age or gender information, in determining eligibility for credit or
 for other purposes.
 Section ----.30 Obtaining and Using Medical Information in Connection With a Determination of Eligibility for Credit
  Section 411(a) of the FACT Act adds a broad new limitation on the ability of creditors to obtain medical information in connection
              with
 credit eligibility determinations or to use medical information in
 connection with credit eligibility determinations. Specifically,
            new
 section 604(g)(2) provides, that except as permitted by regulations,
            a
 creditor shall not obtain or use medical information pertaining to
            a
 consumer in connection with any determination of the consumer's
 eligibility, or continued eligibility, for credit.
 A. General Prohibition on Obtaining or Using Medical Information
 Proposed Sec. ----.30 contains the rules on obtaining or using
 medical information in connection with a determination of a consumer's
 eligibility, or continued eligibility, for credit. Proposed paragraph
 (a)(1) incorporates the general rule prohibiting creditors from
 obtaining or using medical information pertaining to a consumer in
 connection with any determination of a consumer's eligibility, or
 continued eligibility, for credit, except as provided in the
 regulations under Subpart D. The consumer's eligibility for credit
 typically would be determined when an initial decision is made on
 whether to grant or deny credit to the consumer. A determination of a
 consumer's continued eligibility for credit may also include decisions
 whether to terminate an account or adjust a credit limit following an
 account review.
 Proposed paragraph (a)(2) clarifies the definition of certain terms
 used in Subpart D, including ``credit'' and ``creditor.'' In addition,
 paragraph (a)(2) provides that the phrase ``eligibility, or continued
 eligibility, for credit'' means the consumer's qualification or fitness
 to receive, or continue to receive, credit, including the terms on
 which credit is offered, primarily for personal, family, or household
 purposes.
 The paragraph also clarifies that the phrase ``eligibility, or
 continued eligibility, for credit'' does not include the consumer's
 qualification or fitness to be offered employment, insurance products,
 or other non-credit products or services. Similarly, ``eligibility, or
 continued eligibility, for credit'' does not include a determination of
 whether the provisions of a debt cancellation contract, debt suspension
 agreement, credit insurance product, or similar forbearance practice or
 program are triggered. A forbearance practice or program may include
 circumstances in which a creditor allows a consumer to skip one or more
 scheduled payments because the consumer is hospitalized for a medical
 condition. For example, if a consumer is hospitalized on an emergency
 basis and is temporarily unable to pay his mortgage, the consumer's
 daughter may contact the consumer's mortgage lender by telephone,
 inform the lender of the consumer's medical condition, and request that
 the lender allow the deferral of one or more payments to accommodate
 the consumer's particular circumstances. The creditor's use of the
 medical information provided by the consumer's daughter to defer one or
 more mortgage payments to accommodate the consumer's particular
 circumstances would constitute a forbearance that is beyond the scope
 of the prohibition.
 [[Page 23384]]  Comment is requested on whether it is more appropriate to grant
            an exception to permit creditors to obtain and use medical information
            in
 connection with debt cancellation, debt suspension, or credit insurance
 products or practices, rather than issuing an interpretation that
 obtaining information necessary to trigger coverage under these
 products falls outside any determination of eligibility, or continued
 eligibility, for credit. In addition, comment is solicited on whether
            a
 separate exception for accommodating the particular medical condition
 or circumstances of the consumer should be created in lieu of or
            in
 addition to the interpretation that eligibility, or continued
 eligibility, for credit does not include forbearance.
 The proposed regulation also provides that the term ``eligibility,
 or continued eligibility, for credit'' does not include authorizing,
 processing, or documenting a payment or transaction on behalf of a
 consumer in a manner that does not involve a determination of the
 consumer's eligibility, or continued eligibility, for credit. Finally,
 the term ``eligibility, or continued eligibility, for credit'' does not
 include maintaining or servicing a consumer's account in a manner that
 does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 The Agencies note that section 604(g)(2) contains two distinct
 prohibitions--one on obtaining medical information and one on using
 medical information. Nothing in the statute prohibits a creditor from
 obtaining medical information if the information is not obtained in
 connection with a determination of the consumer's eligibility, or
 continued eligibility, for credit. Thus, there is no prohibition, for
 example, on a creditor obtaining medical information through
 authorizing, processing, or documenting a payment or transaction on
 behalf of the consumer, or managing or servicing the consumer's
 account. Nevertheless, a creditor that has obtained medical information
 in these circumstances may not use that information in connection with
 a determination of the consumer's eligibility, or continued
 eligibility, for credit, unless permitted by an exception provided in
 the regulations. However, there is no prohibition in section 411 of the
 FACT Act on a person that is a creditor from obtaining or using medical
 information for an employment purpose or in connection with a
 determination of the consumer's eligibility for an insurance product.
 B. Receiving Unsolicited Medical Information
 Creditors may receive unsolicited medical information without
 specifically asking for such information. This may occur, for example,
 when a consumer informs the loan officer that she needs a loan to pay
 for treatment for a particular medical condition, or when a consumer,
 in response to a general request on a credit application for
 information about outstanding debts, lists debts owed to hospitals and
 doctors for medical services. The Agencies do not believe that a
 creditor violates the prohibition on obtaining medical information when
 the creditor does not specifically ask for or request such information,
 yet the consumer or other person provides that information to the
 creditor. However, because the statutory prohibition on obtaining
 medical information could be interpreted broadly to cover circumstances
 in which medical information is obtained by a creditor without asking
 for it, the Agencies have proposed a rule of construction to make clear
 that a creditor does not violate the prohibition on obtaining medical
 information if the creditor receives unsolicited medical information.
 Proposed paragraph (b) contains this rule of construction for
 receiving unsolicited medical information. Under proposed paragraph
 (b)(1), a creditor does not obtain medical information for purposes of
 proposed paragraph (a)(1) if it receives medical information pertaining
 to a consumer in connection with any determination of the consumer's
 eligibility, or continued eligibility, for credit without specifically
 requesting medical information, and does not use that information in
 determining whether to extend credit to the consumer and the terms on
 which credit is offered or continued. Paragraph (b)(2) provides
 examples for guidance. The Agencies seek comment on the appropriateness
 of this rule of construction and on whether this provision should be
 drafted as an exception to the general prohibition, rather than as a
 rule of construction.
 C. Financial Information Exception for Obtaining and Using Medical
 Information
 As noted above, new section 604(g)(5)(A) of the Act gives the
 Agencies the authority to prescribe regulations, after notice and
 opportunity for comment, to permit creditors to obtain and use medical
 information in connection with determinations of credit eligibility
 that the Agencies determine to be necessary and appropriate to protect
 legitimate operational, transactional, risk, consumer, and other needs
 (including actions necessary for administrative verification purposes),
 consistent with the intent of the statute to restrict the use of
 medical information for inappropriate purposes. Applying this standard,
 the Agencies believe it is necessary and appropriate to permit
 creditors to obtain and use medical information in a number of
 circumstances.
 Proposed Sec. Sec. ----.30(c)-(d) contain exceptions to the
 general prohibition on creditors obtaining or using medical
 information. Proposed paragraph (c) contains the first exception, and
 provides that a creditor may obtain and use medical information
 pertaining to a consumer in connection with any determination of the
 consumer's eligibility, or continued eligibility, for credit so long as
 the following three elements are met. First, the information must
 relate to debts, expenses, income, benefits, collateral, or the purpose
 of the loan, including the use of proceeds. Second, the creditor must
 use the information in a manner and to an extent no less favorable than
 it would use comparable information that is not medical information in
 a credit transaction. Third, the creditor must not take the consumer's
 physical, mental, or behavioral health, condition or history, type of
 treatment, or prognosis into account as part of any such determination
 of credit eligibility. This three-part test strikes a balance between
 permitting creditors to obtain and use certain medical information
 about consumers when necessary and appropriate to satisfy prudent
 underwriting criteria and to ensure that credit is extended in a safe
 and sound manner, while restricting the use of medical information for
 inappropriate purposes.
 The first element of the test identifies certain types of
 information, specifically debts, expenses, income, benefits,
 collateral, or the purpose of the loan, that a creditor ordinarily
 would obtain and evaluate in connection with making a prudent credit
 decision, regardless of whether that information is medical or non-
 medical information. A creditor should not be prohibited from obtaining
 or using information about a debt, for example, in connection with
 making a credit decision, just because that debt happens to be for
 medical products or services.
 The second element of the test provides that the creditor must use
 the medical information in a manner and to an extent no less favorable
 than it would use comparable, non-medical
 [[Page 23385]] information in a credit transaction. For example, a creditor may
            deny credit to the consumer because the consumer owes a debt to a hospital
 if the creditor would have denied credit to the consumer if the
 consumer had owed the same amount of debt with the same payment history
 to a retailer. Nothing in the rule prevents the creditor from treating
 information about medical debts (or expenses or income) more favorably
 than non-medical debts.
 The third element of the test provides that the creditor may not
 take the consumer's physical, mental, or behavioral health, condition,
 or history, type of treatment, or prognosis into account as part of any
 determination of the consumer's eligibility, or continued eligibility,
 for credit. For example, the consumer may owe a debt to a hospital or
 other facility that specializes in treating a potentially terminal
 disease. While the creditor may evaluate the debt to the hospital or
 facility in the same manner and to the same extent as it would evaluate
 any non-medical debt, the creditor may not take into account the
 consumer's individual physical, mental, or behavioral health,
 condition, or history, type of treatment, or prognosis in determining
 the consumer's eligibility, or continued eligibility for credit, or the
 terms under which credit will be offered or continued.
 The Agencies seek comment on the financial information exception
 outlined in paragraph (c)(1). In particular, the Agencies seek comment
 on whether each of the three parts of the exception is necessary and
 whether the three parts together strike the right balance between
 permitting creditors to obtain and use medical information where
 necessary and appropriate to protect legitimate operational,
 transactional, risk, consumer, and other needs (including actions
 necessary for administrative verification purposes) and restricting the
 use of medical information for inappropriate purposes.
 Proposed paragraph (c)(2) provides several examples of when
 creditors generally may obtain and use medical information under the
 financial information exception in proposed paragraph (c)(1). These
 examples in proposed paragraph (c)(2) are not exclusive. The Agencies
 seek comment on all of the examples in proposed paragraph (c)(2),
 including whether any of the examples should be amended or deleted, or
 whether additional examples should be provided.
 Proposed paragraph (c)(2)(i) provides examples of the circumstances
 in which medical information would relate to debts, expenses, income,
 benefits, collateral, or the purpose of the loan, including the use of
 proceeds. A creditor would, for example, be able to obtain and use
 medical information about--
 The dollar amount, repayment terms, repayment
 history, and similar information regarding medical debts that is used
 to calculate, measure, or verify the repayment ability of the consumer,
 the use of proceeds, or the terms for granting credit;
 The value, condition, and lien status of a
 medical device that is used as collateral to secure a loan;
 The dollar amount and continued eligibility for
 disability income or benefits related to health or a medical condition
 that is relied on as a source of repayment; or
 The identity of creditors to whom outstanding
 medical debts are owed in connection with an application for credit,
 including but not limited to a transaction involving the consolidation
 of medical debts.
 The Agencies propose to include five additional examples to
 illustrate uses of medical information consistent and inconsistent with
 the financial information exception. Proposed paragraph (c)(2)(ii)
 provides examples of uses of medical information that are consistent
 with the exception. The first example involves a consumer who includes
 two $20,000 debts on an application for credit--one debt to a hospital
 and the other to a retailer. The creditor contacts the hospital and the
 retailer in order to verify the amount and payment status of the debts
 and learns that both are more than 90 days past due. Any two debts of
 this size that are past due would disqualify the consumer under the
 creditor's established underwriting criteria. The creditor decides to
 deny the application on the basis of the consumer's poor repayment
 history on outstanding debts. Under these circumstances, the creditor
 obtains and uses information about medical debts the same way it uses
 information about non-medical debts. Accordingly, the creditor has used
 medical information in a manner consistent with the exception.
 In the second example, a consumer indicates on an application for a
 $200,000 mortgage loan that she receives $15,000 in long-term
 disability income each year from her former employer and has no other
 income. Annual income of $15,000, regardless of source, would not be
 sufficient to support the requested amount of credit. The creditor
 denies the application on the basis that the projected debt-to-income
 ratio of the consumer does not meet the creditor's underwriting
 criteria. In this example, the creditor analyzes the long-term
 disability income, which is medical information, the same way it would
 analyze any other income information of a potential borrower.
 The third example in proposed paragraph (c)(2)(ii) involves a
 consumer who includes on an application for a $10,000 home equity loan
 that he has a $50,000 debt to a medical facility that specializes in
 treating a potentially terminal disease. The creditor contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan, and learns that the debt is current and
 that the applicant meets the income requirements of the creditor's
 underwriting guidelines. The creditor grants the application. The
 creditor has used medical information in accordance with the exception.
 Proposed paragraph (c)(2)(iii) provides two examples of uses of
 medical information that are inconsistent with the exception. The first
 example involves a consumer who includes on an application for $25,000
 of credit information about a $50,000 debt to a hospital. The creditor
 contacts the hospital to verify the amount and payment status of the
 debt and learns that the debt is current and that the consumer has no
 delinquencies in her repayment history. If the existing debt were
 instead owed to a home furnishing retailer, the creditor would approve
 the application and extend credit based on the amount and repayment
 history of the outstanding debt. The creditor, however, denies the
 application because the consumer is indebted to a hospital. The
 creditor has used medical information, here the identity of the medical
 creditor, in a manner and to an extent that is less favorable than it
 would use comparable non-medical information.
 In the second example in proposed paragraph (c)(2)(iii), a consumer
 meets with a loan officer of a creditor to apply for a mortgage loan.
 While filling out the loan application, the consumer informs the loan
 officer orally that she has a potentially terminal disease. The
 consumer meets the creditor's established requirements for the
 requested mortgage. The loan officer recommends to the credit committee
 that the consumer be denied credit because the consumer has that
 disease. The creditor has used medical information in a manner
 inconsistent with the exception by taking into account the consumer's
 physical, mental, or behavioral health, condition, or history, type of
 treatment, or prognosis as part of a determination of
 [[Page 23386]] eligibility or continued eligibility for credit.D. Specific Exceptions for Obtaining and Using Medical Information
 Proposed paragraph (d) contains specific exceptions to the general
 prohibition to allow creditors to obtain and use medical information
 for a limited number of particular purposes. The Agencies request
 comment on whether each of these specific exceptions is necessary and
 appropriate and, if so, whether they are properly defined.
 Proposed paragraph (d)(1)(i) provides that a creditor may obtain
 and use medical information to determine whether the use of a power of
 attorney or legal representative is necessary and appropriate. This
 exception would permit a creditor to verify, in connection with a
 credit eligibility determination, that the exercise of a power of
 attorney or legal representative is triggered by the consumer's medical
 condition.
 Under proposed paragraph (d)(1)(ii), a creditor may also use
 medical information to comply with applicable requirements of local,
 state, or federal laws. For example, some state laws may require
 creditors to consider medical information in certain circumstances to
 protect populations that may be vulnerable to financial abuse by
 caregivers. This exception would permit creditors to obtain and use
 medical information to comply with those laws.
 Proposed paragraph (d)(1)(iii) provides that a creditor may also
 obtain and use medical information to the extent such information is
 included in a consumer report from a consumer reporting agency in
 accordance with section 604(g)(1)(B) of the FCRA, and is used for the
 purpose for which the consumer provided specific written consent. As
 noted above, section 411 of the FACT Act prevents consumer reporting
 agencies from furnishing consumer reports containing medical
 information, except under specified circumstances. Consumer reports
 must be furnished with coding that blocks the identity of the provider
 of medical information and the nature of the services, products, or
 devices, unless a consumer provides a consumer reporting agency with
 specific written consent to furnish a report to a creditor containing
 uncoded medical information. This exception clarifies that a creditor
 may obtain uncoded medical information from a consumer reporting agency
 in accordance with section 604(g)(1)(B) of the FCRA, and use that
 information for the purpose for which the consumer provided specific
 written consent.
 The Agencies have not proposed a separate exception for obtaining
 and using consumer reports in accordance with section 604(g)(1)(C) of
 the FCRA, which relates to consumer reports containing coded medical
 information. The Agencies do not believe that it is necessary to
 propose a separate exception.
 The Agencies have considered three options that would allow
 creditors to obtain and use consumer reports containing the information
 described in section 604(g)(1) of the FCRA. The Agencies have
 considered whether the definition of ``medical information'' may be
 interpreted in a manner that would exclude the coded information that
 may be furnished under section 604(g)(1)(C) of the Act. This approach
 would permit all creditors to obtain consumer reports with coded
 information (but not consumer reports with uncoded medical information
 furnished under section 604(g)(1)(B)) and use that information in
 connection with a determination of the consumer's eligibility, or
 continued eligibility, for credit, even in the absence of an exception
 in the regulations. This approach is based on a statutory
 interpretation that such coded information would not relate to the
 physical, mental, or behavioral health of the consumer, and thus, is
 not medical information.
 The Agencies also have considered whether section 604(g) or other
 provisions of the FCRA may be interpreted in such a manner that no
 exception would be necessary to permit creditors to obtain and use
 medical information in consumer reports furnished by consumer reporting
 agencies in accordance with section 604(g)(1). For example, the
 Agencies have considered whether the broad prohibition in section
 604(g)(2) on obtaining and using medical information in credit
 eligibility determinations may be construed as being qualified by the
 specific provisions in section 604(g)(1) that authorize consumer
 reporting agencies to furnish consumer reports containing medical
 information under certain limited circumstances. This possible
 interpretation would be based on the Agencies' observation that (1) it
 is unlikely that Congress would permit consumer reporting agencies to
 furnish consumer reports containing medical information in connection
 with credit transactions without permitting creditors to obtain and use
 these reports, and (2) in these circumstances, Congress may well have
 provided the consumer protections it deemed necessary by specifying the
 limitations under which consumer reporting agencies could furnish
 reports containing medical information.
 The Agencies also have considered whether creditors who intend to
 obtain and use this coded medical information would be able to do so in
 accordance with the financial information exception in Sec. ----.30(c)
 of the proposed regulations. Coded medical information relates to
 medical debts, and the creditor may use debt information in making
 credit eligibility determinations in a manner and to an extent that is
 no less favorable than it would use comparable information that is not
 medical information. In addition, because the medical information is
 coded as prescribed in the FCRA, it would not provide the creditor with
 specific information regarding the consumer's health, condition,
 history, type of treatment, or prognosis (which may not be taken into
 account under the financial information exception in proposed Sec. --
 --.30(c)(1)(iii)).
 The Agencies also note that the rule of construction in Sec. --
 --.30(b) of the proposed regulations would enable creditors to receive
 consumer reports containing coded medical information without violating
 the limit on ``obtaining'' medical information prescribed by section
 604(g)(2) of the FCRA, so long as they do not use that medical
 information in making credit eligibility determinations.
 The Agencies specifically request comment on the most appropriate
 way in which to deal with information contained in consumer reports,
 and related matters. In particular, comment is requested on these three
 approaches.
 A creditor may also obtain and use medical information for purposes
 of fraud prevention and detection under proposed paragraph (d)(1)(iv).
 Comment is solicited as to whether and to what extent it is necessary
 for creditors to obtain and use medical information for purposes of
 fraud prevention and detection in connection with the determination of
 a consumer's credit eligibility and whether the exception could be
 narrowed to prevent the unnecessary use of medical information without
 compromising legitimate fraud prevention and detection programs.
 Proposed paragraph (d)(1)(v) provides that a creditor may obtain
 and use medical information in the case of credit for the purpose of
 financing medical products or services to determine and verify the
 medical purpose of a loan and the use of proceeds. Certain creditors
 have established specialized loan programs that finance specific
 medical procedures, such as vision correction
 [[Page 23387]] surgery, but not others. In such cases, the creditor may need to
            obtain and use medical information in connection with determining whether
            the
 purpose of the loan is within the scope of the creditor's established
 loan program. Proposed paragraph (d)(2) provides examples of this
 exception. The Agencies invite comment on whether the medical purpose
 financing exception strikes the appropriate balance between satisfying
 the legitimate needs of medical finance creditors and the intent
            of
 Congress to limit the use of medical information in credit eligibility
 determinations.
 Proposed paragraph (d)(1)(vi) provides that a creditor may obtain
 and use medical information if the consumer or the consumer's legal
 representative requests in writing, on a separate document signed by
 the consumer or the consumer's legal representative, that the creditor
 use specific medical information for a specific purpose in determining
 the consumer's eligibility, or continued eligibility, for credit, to
 accommodate the consumer's particular circumstances. The signed,
 written request must describe the specific medical information that the
 consumer requests the creditor to use and the specific purpose for
 which the information will be used. This exception is designed to
 accommodate the particular medical condition or circumstances of the
 individual consumer and is not intended to allow creditors to obtain
 consent on a routine basis or as a part of loan applications or
 documentation. This exception would not be met by a form that contains
 a pre-printed description of various types of medical information and
 the uses to which it might be put. Instead, it contemplates an
 individualized process in which the consumer informs the creditor about
 the specific medical information that the consumer would like the
 creditor to use and for what purpose. Proposed paragraph (d)(3)
 provides examples of this consumer request exception.
 The Agencies seek comment on the need for a broader exception to
 permit creditors to make a ``medical accommodation'' where individual
 circumstances may warrant such an accommodation. The Agencies note that
 forbearance practices and programs, as discussed in the explanation of
 paragraph (a)(2) above, would permit creditors to take into account a
 consumer's medical condition to defer scheduled payments or take
 certain other actions on existing accounts as a medical accommodation
 to the consumer. Comment is requested on whether forbearance plus the
 consumer request exception provides sufficient flexibility to provide
 medical accommodations to consumers.
 The Agencies also request comment on whether the procedural aspects
 of the consumer request exception (i.e., the request must be in
 writing, on a separate form signed by the consumer or the consumer's
 legal representative) would unnecessarily hinder the ability of a
 creditor to make a medical accommodation where a consumer's medical
 condition and financial circumstances may justify such an
 accommodation, or whether these procedures are necessary to protect
 consumers.
 The Agencies seek comment on whether there is a need to establish
 an exception for consumer consent whereby a creditor could request that
 a consumer consent to the specific use of the consumer's medical
 information. If so, the Agencies request specific comment on when this
 exception might be used and how the exception should be fashioned to
 ensure appropriate consumer protection.
 Finally, proposed paragraph (d)(1)(vii) provides that a creditor
 may obtain and use medical information as otherwise permitted by order
 of the appropriate agency.
 E. Limits on Redisclosure
 Proposed paragraph (e) incorporates the statutory provision
 regarding the limits on redisclosure of medical information. This
 paragraph provides that a person that receives medical information
 about a consumer from a consumer reporting agency or an affiliate is
 prohibited from disclosing that information to any other person, except
 as necessary to carry out the purposes for which the information was
 initially disclosed, or as otherwise permitted by statute, regulation,
 or order.
 F. Request for Comment
 The Agencies solicit comment on each of the proposed provisions of
 Sec. ----.30. Specifically, the Agencies request comment as to whether
 each of the proposed exceptions is, in fact, necessary and appropriate
 to protect legitimate operational, transactional, risk, consumer, and
 other needs (including actions necessary for administrative
 verification purposes), and consistent with the intent of Congress to
 restrict the use of medical information for inappropriate purposes.
 Comment is also requested on the examples used in this section and
 whether additional or different examples should be included.
 The Agencies also invite comment on whether any additional or
 different exceptions should be included in the final regulation.
 Commenters that recommend additional or different exceptions should
 explain why the exception is necessary and appropriate to protect
 legitimate operational, transactional, risk, consumer, and other needs,
 and is consistent with the intent of Congress to restrict the use of
 medical information for inappropriate purposes.
 Section ----.31 Sharing Medical Information With Affiliates  Section ----.31(a) provides that the standard exclusions from the definition of ``consumer report'' contained in section 603(d)(2)
              of the
 Act--including the exclusions for sharing transaction or experience
 information among affiliates or sharing other eligibility information
 among affiliates after notice and an opportunity to opt-out--do not
 apply if medical information, an individualized list or description
 based on payment transactions for medical products or services, or
            an
 aggregate list or description based on payment transactions for medical
 products or services is disclosed to an affiliate.
 Paragraph (b) provides that the special restrictions on sharing the
 information outlined in paragraph (a) with affiliates do not apply, and
 the standard exclusions from the definition of consumer report remain
 in effect, if the information is disclosed to an affiliate in certain
 circumstances. Paragraph (b) incorporates the four statutory exceptions
 from section 604(g)(3)(A) and (B) of the Act.
 The first exception is when the information described in paragraph
 (a) is shared with an affiliate in connection with the business of
 insurance or annuities (including the activities described in section
 18B of the model Privacy of Consumer Financial and Health Information
 Regulation issued by the National Association of Insurance
 Commissioners, as in effect on January 1, 2003). The second exception
 is when the information described in paragraph (a) is shared with an
 affiliate for any purpose permitted without authorization under the
 Standards for Individually Identifiable Health Information promulgated
 by the Department of Health and Human Services (HHS) pursuant to the
 Health Insurance Portability and Accountability Act of 1996 (HIPAA).
 The third exception is when the information described in paragraph
 (a) is shared with an affiliate for any purpose referred to under
 section 1179 of HIPAA. Section 1179 of HIPAA provides that to the
 extent that an entity is engaged in activities of a financial
 institution or is engaged in authorizing,
 [[Page 23388]] processing, clearing, settling, billing, transferring, reconciling
            or collecting payments for a financial institution, the HIPAA standards
 and requirements do not apply to the entity with respect to such
 activities. Section 1179 also provides as an example of a use or
 disclosure of information not covered by that statute, the use or
 disclosure of information for authorizing, processing, clearing,
 settling, billing, transferring, reconciling, or collection, a payment
 for, or related to, health care premiums or health care. For purposes
 of this rulemaking, the phrase ``purposes referred to under section
 1179'' means, at a minimum, authorizing, processing, clearing,
 settling, billing, transferring, reconciling or collecting payments.
 The fourth exception is when the information described in paragraph
 (a) is shared with an affiliate for any purpose described in section
 502(e) of the GLB Act. The Agencies note that some of the purposes
 described in section 502(e) of the GLB Act may be germane to the
 sharing of information among affiliates--for example, sharing with the
 consent of the consumer, for fraud prevention purposes, or as necessary
 to effect, administer, or enforce a transaction requested or authorized
 by the consumer--while other purposes described in section 502(e) are
 not--for example, sharing information with law enforcement or
 regulatory authorities.
 In addition to the statutory exceptions, paragraph (b) also
 contains two additional exceptions that the Agencies believe are
 necessary and appropriate. Paragraph (b)(5) provides that the special
 restrictions on sharing the information described in paragraph (a) with
 affiliates do not apply, and the standard exclusions from the
 definition of consumer report remain in effect, if the information is
 disclosed to an affiliate in connection with a determination of the
 consumer's eligibility, or continued eligibility, for credit consistent
 with Sec. ----.30 of this subpart. The Agencies believe it is
 necessary and appropriate to allow an affiliate to share medical
 information with another affiliate that obtains or uses it consistent
 with Sec. ----.30.
 Paragraph (b)(6) provides that the special restrictions on sharing
 medical-related information with affiliates do not apply if otherwise
 permitted by order of the appropriate agency. This exception
 incorporates the authority delegated to the Agencies by Congress to
 create exceptions through orders.
 The Agencies note that prohibitions on obtaining or using medical
 information in Sec. ----.30 operate independent of the exceptions that
 permit the sharing of that information among affiliates in accordance
 with the provisions of section 603(d)(2) of the Act. For example, if a
 mortgage lender has obtained and used medical information in accordance
 with one of the exceptions in Sec. ----.30(c) or (d), the mortgage
 lender may share that information with its credit card affiliate
 without becoming a consumer reporting agency if one of the exceptions
 in Sec. ----.31(b) applies. However, the credit card affiliate may not
 obtain or use that information in connection with any determination of
 the consumer's eligibility, or continued eligibility, for credit,
 unless consistent with Sec. ----.30.
 The Agencies invite comment on the exceptions included in proposed
 Sec. ----.31(b). Specifically, comment is solicited on whether
 additional or different exceptions are necessary and appropriate.
 Additional Issues
 The statute provides that the final rules shall take effect on the
 later of 90 days after the rules are issued in final form, or the date
 specified in the regulations. Comment is requested on whether an
 effective date of 90 days after the final rules are issued is
 appropriate or whether a different effective date should be
 established.
 III. Regulatory Analysis Paperwork Reduction Act  In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320), the Agencies reviewed the proposed rule to implement
 section 411 of the Fair and Accurate Credit Transactions Act of 2003
            as
 required by the Office of Management and Budget. No collections of
 information pursuant to the Paperwork Reduction Act are contained
            in
 the proposed rule.
 Initial Regulatory Flexibility Analysis  OCC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to either provide an Initial Regulatory Flexibility
 Analysis with a proposed rule or certify that the proposed rule will
 not have a significant economic impact on a substantial number of
            small
 entities (defined for purposes of the RFA to include banks with less
 than $150 million in assets).
 A. Reasons for Proposed Rule
 Section 411 of the FACT Act requires the OCC, together with the
 other Agencies, to publish rules that are determined to be necessary
 and appropriate to protect legitimate operational, transactional risk,
 consumer, and other needs, including actions necessary for
 administrative verification, consistent with the intent of the section
 to restrict the use of medical information for inappropriate purposes,
 that permit the use of medical information in connection with any
 determination of a consumer's eligibility, or continued eligibility for
 credit. Section 411 also authorizes the OCC to issue regulations that
 are determined to be necessary and appropriate so as to exclude medical
 information shared by a covered entity with an affiliate from the
 definition of a consumer report in section 603(d) of the Fair Credit
 Reporting Act, and to address the reuse and redisclosure of medical
 information.
 The OCC does not expect that this rule, if adopted, would have a
 significant economic impact on small entities. The proposed rule
 implements section 411 of the FACT Act and imposes only minimal
 economic impact on national banks. The proposed rule would create
 exceptions to the FACT Act's prohibition against national banks
 obtaining and using a consumer's medical information in connection with
 credit determinations. Additionally, the proposed rule would implement
 the FACT Act's restrictions on the sharing of medical information among
 affiliates and would include exceptions to permit the sharing of
 medical information in certain circumstances. The proposed rule would
 apply to all national banks that obtain or use medical information in
 connection with credit determinations, regardless of bank size.
 However, it is likely that small national banks, because of the nature
 and size of their operations, will encounter fewer instances where they
 might obtain or use medical information. Therefore, no group of
 national banks, particularly small national banks, is expected to
 encounter a significant economic impact. However, the OCC invites
 comment on whether these assumptions are correct. Also, the OCC invites
 comment on the burden that likely will result on small institutions
 from this rulemaking, and has prepared the following analysis.
 B. Statement of Objectives and Legal Basis
 The objectives of the proposed rule are described in the
 SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To
 implement the general statutory prohibition on creditors obtaining and
 using medical information in connection with credit eligibility
 determinations; (2) to fulfill the statutory mandate to prescribe
 regulations that permit creditors to obtain and use medical information
 for eligibility purposes when necessary and
 [[Page 23389]] appropriate to protect legitimate operational, transaction, risk, consumer, and other needs by granting exceptions; and (3) to implement
 the statutory exceptions to the special restrictions on sharing medical
 information with affiliates and to propose two additional exceptions
 the Agencies believe may be necessary and appropriate. The legal
            bases
 for the proposed rule are the National Bank Act found at 12 U.S.C.
            1 et
 seq., 24(Seventh), 481, and 484, the Depository Institutions
 Deregulation and Monetary Control Act of 1980 found at 12 U.S.C.
            93a,
 and the Federal Deposit Insurance Act found at 12 U.S.C. 1818; and
            the
 Fair Credit Reporting Act found at 15 U.S.C. 1681a, 1681b, and 1681s.
 C. Description of Small Entities to Which the Rule Will Apply
 The proposed rule would apply to 1,214 national banks, Federal
 branches, and Federal agencies of foreign banks with assets under $150
 million.
 D. Projected Reporting, Recordkeeping and Other Compliance Requirements
 The OCC does not believe that the proposed rule imposes any
 reporting or any specific recordkeeping requirements within the meaning
 of the RFA. Section 411 requires that all covered entities have the
 ability to identify medical information as defined by the FACT Act in
 order to avoid the general prohibition against obtaining or using it in
 connection with any eligibility determination. This may entail some
 training costs.
 However, the OCC believes that training costs will be minimal for a
 variety of reasons. One reason is the OCC does not believe that covered
 entities presently obtain or use medical information in making credit
 eligibility determinations on a broad basis. Another is that bank staff
 would already be trained on complying with other laws governing
 obtaining and using confidential information, including medical
 information, as discussed below.
 Further, entities have the option of complying with the general
 statutory prohibition on obtaining and using medical information or an
 applicable exception. Thus, any burden that may be associated with
 complying with the exceptions can be avoided entirely by complying with
 the general prohibition. The OCC contemplates that those entities that
 find the exceptions to be burden reducing would opt to use them.
 The OCC solicits information and comment on these assumptions. The
 OCC also seeks information and comment on any costs, such as training
 costs, compliance requirements, or changes in operating procedures
 arising from the application of the proposed rule in addition to or
 which may differ from those arising from the application of the statute
 generally.
 E. Identification of Duplicative, Overlapping, or Conflicting Federal
 Rules
 The OCC is unable to identify any statutes or rules, which would
 overlap or conflict with the proposed regulation. The OCC seeks comment
 and information about any such statutes or rules, as well as any other
 state, local, or industry rules or policies that require a covered
 institution to implement business practices that would comply with the
 requirements of the proposed rule.
 F. Discussion of Significant Alternatives
 The proposed rule creates exceptions to the general prohibition on
 the use of medical information in determining the eligibility of a
 consumer for an initial extension or the continuation of an extension
 of credit. The proposed rule attempts to harmonize the circumstances
 under which a credit reporting agency may transfer medical information
 to a user of consumer reports with the ability of a financial
 institution to obtain and use that information. The proposed rule also
 provides exceptions, in addition to those contained in section 411,
 under which a financial institution may share medical information with
 an affiliate and not become a consumer reporting agency.
 In developing the proposal, the Agencies considered numerous
 alternatives. In particular, the Agencies considered creating a wide
 variety of possible exceptions to the general prohibition on obtaining
 and using medical information and numerous alternatives. A number of
 these are discussed in the SUPPLEMENTARY INFORMATION, including the
 following:
 1. The Agencies considered clarifying through an exception that
 obtaining and using medical information in connection with debt
 cancellation, debt suspension, or credit insurance products or similar
 forbearance practices or programs, is not prohibited, but are proposing
 to clarify this point through interpretation instead;
 2. The Agencies considered three options that would allow creditors
 to obtain and use consumer reports containing the various types of
 information described in section 604(g)(1) of the FCRA and are
 soliciting comment on these approaches;
 3. The Agencies considered the need for a broader exception to
 permit creditors to make a ``medical accommodation'' where individual
 circumstances may warrant such an accommodation; and
 4. The Agencies further considered the need to establish an
 exception for consumer consent whereby a creditor could request that a
 consumer consent to the specific use of the consumer's medical
 information.
 In all these cases and others, the Agencies have described relevant
 alternatives and are inviting comment on them in the SUPPLEMENTARY
 INFORMATION section.
 The relatively narrow scope of the exceptions proposed reflects the
 statutory mandate to create only those exceptions ``determined to be
 necessary and appropriate.'' While the Agencies believe that the
 proposed exceptions would be among those useful to small entities as
 well as large, we are not proposing a general exception that would
 apply only to small entities. Comment is solicited on whether such an
 exception would be necessary and appropriate and whether the risk is
 different for a small entity than a large entity that medical
 information obtained might be used for the type of ``inappropriate
 purposes'' the statute prohibits.
 The OCC welcomes comments on any significant alternatives,
 consistent with the mandate in section 411 to protect the privacy of
 medical information, that would minimize the impact of the proposed
 rule on small entities.
 Board: Subject to certain exceptions, the Regulatory Flexibility
 Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial
 regulatory flexibility analysis with a proposed rule whenever the
 agency is required to publish a general notice of proposed rulemaking
 for a proposed rule. The SUPPLEMENTARY INFORMATION above describes the
 reasons why the regulations are being proposed and the objectives and
 the legal basis of the proposed rule. The SUPPLEMENTARY INFORMATION
 section also describes the compliance requirements of the proposed rule
 and identifies other relevant Federal rules which may duplicate or
 overlap with the proposed rule. The Board, in connection with its
 initial regulatory flexibility analysis, requests public comment in the
 following areas.
 A. Reasons for the Proposed Rule
 Section 411 of the FACT Act requires the Board, together with the
 other Agencies, to publish rules that are determined to be necessary
 and appropriate to protect legitimate
 [[Page 23390]] operational, transactional risk, consumer, and other needs, including actions necessary for administrative verification, consistent with
              the
 intent of the section to restrict the use of medical information
            for
 inappropriate purposes, that permit the use of medical information
            in
 connection with any determination of a consumer's eligibility, or
 continued eligibility for credit. It permits the Board to issue
 regulations that are determined to be necessary and appropriate so
            as
 to exclude medical information shared by a covered entity with an
 affiliate from the definition of a consumer report in section 603(d)
            of
 the FCRA, and to address the reuse and redisclosure of medical
 information.
 B. Statement of Objectives and Legal Basis
 The SUPPLEMENTARY INFORMATION above contains this information. The
 legal basis for the proposed rule is section 411 of the FACT Act.
 C. Description of Small Entities to Which the Rule Applies
 The proposed rule would apply to all banks that are members of the
 Federal Reserve System (other than national banks), branches and
 Agencies of foreign banks (other than Federal branches, Federal
 Agencies, and insured State branches of foreign banks), commercial
 lending companies owned or controlled by foreign banks, organizations
 operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C.
 601 et seq., and 611 et seq.), bank holding companies and affiliates
 (other than depository institutions and consumer reporting agencies) of
 such holding companies. The Board's proposed rule will apply to the
 following institutions (numbers approximate): State member banks (932),
 bank holding companies (5,152), holding company non-bank subsidiaries
 (2,131), U.S. branches and agencies of foreign banks (289), Edge and
 agreement corporations (75), for a total of approximately 8,579
 institutions. The Board estimates that over 5,000 of these institutions
 could be considered small institutions with assets less than $150
 million.
 D. Projected Reporting, Recordkeeping and Other Compliance Requirements
 The Board does not believe that the proposed rule imposes any new
 reporting or recordkeeping requirements, as defined in section 603 of
 the RFA. Section 411 requires that all covered entities have the
 ability to identify medical information as defined in order to avoid
 the general prohibition against obtaining or using it in connection
 with any eligibility determination. The Board believes that identifying
 that information for the purpose of either using it in eligibility
 determinations pursuant to the exceptions or to share the information
 with affiliates places no additional compliance burdens or costs on
 financial institutions.
 The Board seeks information and comment on any costs, compliance
 requirements, or changes in operating procedures arising from the
 application of the proposed rule in addition to or which may differ
 from those arising from the application of the statute generally.
 E. Identification of Duplicative, Overlapping, or Conflicting Federal
 Rules
 The Board is unable to identify any federal statutes or regulations
 that would duplicate, overlap, or conflict with the proposed rule. The
 Board seeks comment regarding any statues or regulations, including
 state or local statutes or regulations, that would duplicate, overlap,
 or conflict with the proposed rule, including particularly any that
 address situations in which medical information may be: (i) Obtained or
 used in connection with a determination of credit eligibility; or (ii)
 shared among financial institutions and their affiliates.
 F. Discussion of Significant Alternatives
 The proposed rule creates exceptions to the general prohibition to
 the use of medical information in determining the eligibility of a
 consumer for an initial extension or the continuation of an extension
 of credit. The proposed rule attempts to harmonize the circumstances
 under which a credit reporting agency may transfer medical information
 to a user of consumer reports with the ability of a financial
 institution to obtain and use that information. The proposed rule also
 provides exceptions, in addition to those contained in section 411,
 under which a financial institution may share medical information with
 an affiliate and not become a consumer reporting agency.
 The Board welcomes comments on any significant alternatives,
 consistent with the mandate in section 411 to protect the privacy of
 medical information, that would minimize the impact of the proposed
 rule on small entities.
 FDIC: Subject to certain exceptions, the Regulatory Flexibility Act
 (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial
 regulatory flexibility analysis with a proposed rule whenever the
 agency is required to publish a general notice of proposed rulemaking
 for a proposed rule. The FDIC, in connection with its initial
 regulatory flexibility analysis, requests public comment in the
 following areas.
 A. Reasons for the Proposed Rule
 Section 411 of the FACT Act requires the FDIC, together with the
 other Agencies, to publish rules that are determined to be necessary
 and appropriate to protect legitimate operational, transactional risk,
 consumer, and other needs, including actions necessary for
 administrative verification, consistent with the intent of the section
 to restrict the use of medical information for inappropriate purposes,
 that permit the use of medical information in connection with any
 determination of a consumer's eligibility, or continued eligibility for
 credit. It permits the FDIC to issue regulations that are determined to
 be necessary and appropriate so as to exclude medical information
 shared by a covered entity with an affiliate from the definition of a
 consumer report in section 603(d) of the FCRA, and to address the reuse
 and redisclosure of medical information.
 B. Statement of Objectives and Legal Basis
 The SUPPLEMENTARY INFORMATION above contains this information. The
 legal basis for the proposed rule is section 411 of the FACT Act.
 C. Description of Small Entities to Which the Rule Applies
 The proposed rule would apply to all state non-member banks,
 approximately 3,700 of which are small entities as defined by the RFA.
 D. Projected Reporting, Recordkeeping and Other Compliance Requirements
 The FDIC does not believe that the proposed rule imposes any new
 reporting or recordkeeping requirements, as defined in section 603 of
 the RFA. Section 411 requires that all covered entities have the
 ability to identify medical information as defined in order to avoid
 the general prohibition against obtaining or using it in connection
 with any eligibility determination. The FDIC believes that identifying
 that information for the purpose of either using it in eligibility
 determinations pursuant to the exceptions or to share the information
 with affiliates places no additional compliance burdens or costs on
 financial institutions.
 [[Page 23391]]  The FDIC seeks information and comment on any costs, compliance requirements, or changes in operating procedures arising from the
 application of the proposed rule in addition to or which may differ
 from those arising from the application of the statute generally.
 E. Identification of Duplicative, Overlapping, or Conflicting Federal
 Rules
 The FDIC is unable to identify any federal statutes or regulations
 that would duplicate, overlap, or conflict with the proposed rule. The
 FDIC seeks comment regarding any statues or regulations, including
 state or local statutes or regulations, that would duplicate, overlap,
 or conflict with the proposed rule, including particularly any that
 address situations in which medical information may be: (i) Obtained or
 used in connection with a determination of credit eligibility; or (ii)
 shared among financial institutions and their affiliates.
 F. Discussion of Significant Alternatives
 The proposed rule creates exceptions to the general prohibition to
 the use of medical information in determining the eligibility of a
 consumer for an initial extension or the continuation of an extension
 of credit. The proposed rule attempts to harmonize the circumstances
 under which a credit reporting agency may transfer medical information
 to a user of consumer reports with the ability of a financial
 institution to obtain and use that information. The proposed rule also
 provides exceptions, in addition to those contained in section 411,
 under which a financial institution may share medical information with
 an affiliate and not become a consumer reporting agency.
 The FDIC welcomes comments on any significant alternatives,
 consistent with the mandate in section 411 to protect the privacy of
 medical information, that would minimize the impact of the proposed
 rule on small entities.
 OTS: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA)
 requires an agency to either provide an Initial Regulatory Flexibility
 Analysis (IRFA) with a proposed rule or certify that the proposed rule
 will not have a significant economic impact on a substantial number of
 small entities. As discussed below, OTS does not expect that this rule,
 if adopted, would have a significant economic impact on a substantial
 number of small entities. Nonetheless, it is providing this IRFA.
 The proposed rule implements section 411 of the FACT Act. The
 proposed rule would implement the statutory prohibition on creditors
 obtaining and using a consumer's medical information in connection with
 credit determinations, while creating exceptions in certain
 circumstances. Additionally, the proposed rule would implement the FACT
 Act's restrictions on the sharing of medical information among
 affiliates, while including exceptions to permit the sharing of medical
 information in certain circumstances. As discussed below, the proposed
 rule would apply to savings associations or their subsidiaries, savings
 and loan holding companies, or affiliates of savings associations or
 savings and loan holding companies other than bank holding companies,
 banks, or subsidiaries of bank holding companies or banks.
 OTS does not expect that this rule, if adopted, would have a
 significant economic impact on a substantial number of small entities.
 The general statutory prohibition on obtaining and using medical
 information incorporated into the rule will only apply impact entities
 that obtain or use medical information in connection with credit
 determinations, regardless of size. OTS does not believe that obtaining
 and using medical information for credit eligibility determinations is
 a widespread practice today among creditors it regulates. Small
 entities, because of the nature and size of their operations, may be
 less likely than larger institutions to do so. Therefore, no group of
 covered entities, particularly small ones, is expected to encounter a
 significant economic impact. However, OTS invites comment whether these
 assumptions are correct. OTS further invites comment on the burden that
 will result on small entities from this rulemaking, and has prepared
 the following analysis.
 A. Reasons for the Proposed Rule
 Section 411 of the FACT Act requires OTS, together with the other
 Agencies, to publish rules that are determined to be necessary and
 appropriate to protect legitimate operational, transactional risk,
 consumer, and other needs, including actions necessary for
 administrative verification, consistent with the intent of the section
 to restrict the use of medical information for inappropriate purposes,
 that permit the use of medical information in connection with any
 determination of a consumer's eligibility, or continued eligibility for
 credit. Section 411 also authorizes OTS to issue regulations that are
 determined to be necessary and appropriate so as to exclude medical
 information shared by a covered entity with an affiliate from the
 definition of a consumer report in section 603(d) of the Fair Credit
 Reporting Act, and to address the reuse and redisclosure of medical
 information.
 B. Statement of Objectives and Legal Basis
 The objectives of the proposed rule are described in the
 SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To
 implement the general statutory prohibition on creditors obtaining and
 using medical information in connection with credit eligibility
 determinations, (2) to fulfill the statutory mandate to prescribe
 regulations that permit creditors to obtain and use medical information
 for eligibility purposes when necessary and appropriate to protect
 legitimate operational, transaction, risk, consumer, and other needs by
 granting exceptions, and (3) to implement the statutory exceptions to
 the special restrictions on sharing medical information with affiliates
 and to propose two additional exceptions the Agencies believe may be
 necessary and appropriate.
 The legal bases for the proposed rule are provisions of: (1) The
 Home Owners' Loan Act found at 12 U.S.C. 1462a, 1463, 1464, and 1467a;
 (2) the Federal Deposit Insurance Act, the Bank Protection Act, and
 other banking laws found at 12 U.S.C. 1828, 1831p-1, and 1881-1884; (3)
 the Fair Credit Reporting Act found at 15 U.S.C. 1681s and 1681w; and
 (4) the Gramm-Leach-Bliley Act found at 15 U.S.C. 6801 and 6805(b)(1).
 C. Description of Small Entities to Which the Rule Applies
 Section 571.30(a)-(d) of the proposed rule would apply to those
 creditors, as defined in Sec. 571.30(a)(2), that are savings
 associations or their subsidiaries, savings and loan holding companies,
 or affiliates of savings associations or savings and loan holding
 companies other than bank holding companies, banks, or subsidiaries of
 bank holding companies or banks.
 Sections 571.30(e) and 571.31 of the proposed rule would apply to
 all savings associations and, in accordance with 12 CFR 559.3(h)(1), to
 federal savings association operating subsidiaries as well.
 Small savings associations are generally defined, for RFA purposes,
 as those with assets of $150 million or less. 13 CFR 121.201 (2003).
 OTS calculates that of the 921 savings associations, a maximum of 479
 of these are small savings associations. OTS also calculates that these
 479 savings associations hold 122 subordinate
 [[Page 23392]] organizations that could possibly qualify as small entities.With regard to savings and loan holding companies, the Small
 Business Administration (SBA) prescribes size standards for various
 economic activities and industries using the North American Industry
 Classification System (NAICS). 13 CFR part 121. Under the SBA's
 standards, companies that are primarily engaged in holding securities
 of (or other equity interests in) depository institutions for the
 purpose of controlling those companies are addressed at NAICS Codes
 551111 and 551112 (Office of Bank Holding Companies and Office of Other
 Holding Companies). Companies within this group are considered to be
 small if they have annual receipts of $6 million or less. Companies
 that are primarily engaged in holding the securities of depository
 institutions and operating these entities are classified under NAICS
 Codes 522110-522190. Companies classified in this group are considered
 to be small if their total assets are less than $150 million.
 In this IRFA, OTS has analyzed the impact of this rule using both
 the $150 million asset size standard and the $6 million annual receipts
 standard. OTS specifically requests comment on its use of these
 standards. Commenters are invited to address whether these or other
 size standards are appropriate.
 OTS calculates that there are approximately 969 OTS-regulated
 savings and loan holding companies. OTS further calculates that there
 are maximum of 381 savings and loan holding companies that could
 possibly qualify as small entities. OTS estimates that there are 151
 small savings and loan holding companies under an asset-based
 definition of $150 million or less of assets and 381 small savings and
 loan holding companies under a revenue-based definition of $6 million
 or less in annual receipts.
 D. Projected Reporting, Recordkeeping and Other Compliance Requirements
 OTS does not believe that the proposed rule imposes any new
 reporting or any specific recordkeeping requirements within the meaning
 of the RFA. Implicitly, however, section 411 requires that all covered
 entities have the ability to identify medical information as defined by
 the FACT Act in order to avoid the general prohibition against
 obtaining or using it in connection with any eligibility determination.
 This may entail some training costs.
 However, OTS believes that training costs will be minimal for a
 variety of reasons. One reason is OTS does not believe that covered
 entities currently widely obtain or use medical information in making
 credit eligibility determinations. Another is that staff would already
 be trained on complying with other laws governing obtaining and using
 confidential information, including medical information, as discussed
 below.
 Further, entities have the option of complying with the general
 statutory prohibition on obtaining and using medical information or an
 applicable exception. Thus, any additional burden that may be
 associated with complying with the exceptions can be avoided entirely
 by complying with the general prohibition instead. OTS contemplates
 that entities that find the exceptions to be burden reducing would opt
 to use them and that others would choose to comply with the general
 prohibition.
 OTS solicits information and comments on these assumptions. OTS
 also solicits information and comment on any costs, such as training
 costs, as well as compliance requirements, or changes in operating
 procedures arising from the application of the proposed rule in
 addition to or which may differ from those arising from the application
 of the statute generally.
 E. Identification of Duplicative, Overlapping, or Conflicting Federal
 Rules
 The SUPPLEMENTARY INFORMATION section describes the compliance
 requirements of the proposed rule and identifies other relevant Federal
 rules that may duplicate or overlap with the proposed rule. As
 discussed in the SUPPLEMENTARY INFORMATION, other laws and rules issued
 under these laws, such as the Americans with Disabilities Act, the Fair
 Housing Act, the Gramm-Leach-Bliley Act, and other parts of the FCRA,
 may limit or regulate the use, collection, and sharing of consumer
 information, including medical information. In particular, these and
 other laws and rules, such as the Equal Credit Opportunity Act and
 Regulation B, also may prohibit creditors from using certain
 information that is excluded from the restrictions on obtaining or
 using medical information, such as age or gender information, in
 determining eligibility for credit or for other purposes. In this
 sense, there may be some overlap between these federal statutes and
 regulations and the proposed rule.
 OTS seeks comment and information regarding any statues or rules,
 including state or local statutes or regulations, that would duplicate,
 overlap, or conflict with the proposed rule, including particularly any
 that address situations in which medical information may be: (i)
 Obtained or used in connection with a determination of credit
 eligibility; or (ii) shared among financial institutions and their
 affiliates.
 F. Discussion of Significant Alternatives
 The proposed rule creates exceptions to the general prohibition to
 the use of medical information in determining the eligibility of a
 consumer for an initial extension or the continuation of an extension
 of credit. The proposed rule attempts to harmonize the circumstances
 under which a credit reporting agency may transfer medical information
 to a user of consumer reports with the ability of a financial
 institution to obtain and use that information. The proposed rule also
 provides exceptions, in addition to those contained in section 411,
 under which a financial institution may share medical information with
 an affiliate and not become a consumer reporting agency.
 In developing the proposal, the Agencies considered numerous
 alternatives. In particular, it considered a wide variety of possible
 exceptions to create to the general prohibition on obtaining and using
 medical information and numerous alternatives. A number of these are
 discussed in the SUPPLEMENTARY INFORMATION, including the following:
 1. The Agencies considered clarifying through an exception that
 obtaining and using medical information in connection with debt
 cancellation, debt suspension, or credit insurance products or similar
 forbearance practices or programs, is not prohibited, but are proposing
 to clarify this point through interpretation instead.
 2. The Agencies considered three options that would allow creditors
 to obtain and use consumer reports containing the various types of
 information described in section 604(g)(1) of the FCRA and are
 soliciting comment on these approaches.
 3. The Agencies considered the need for a broader exception to
 permit creditors to make a ``medical accommodation'' where individual
 circumstances may warrant such an accommodation.
 4. The Agencies further considered the need to establish an
 exception for consumer consent whereby a creditor could request that a
 consumer consent to the specific use of the consumer's medical
 information.
 In all these cases and others, the Agencies have described relevant
 alternatives and are inviting comment on them in the SUPPLEMENTARY
 INFORMATION section.
 [[Page 23393]]  The relatively narrow scope of the exceptions proposed reflects
            the statutory mandate to create only those exceptions ``determined to
            be
 necessary and appropriate.'' While the Agencies believe that the
 proposed exceptions would be among those useful to small entities
            as
 well as large, we are not proposing a general exception that would
 apply only to small entities. Comment is solicited on whether such
            an
 exception would be necessary and appropriate and whether the risk
            is
 different for a small entity than a large entity that medical
 information obtained might be used for the type of ``inappropriate
 purposes'' the statute prohibits.
 OTS welcomes comments on any significant alternatives, consistent
 with the mandate in section 411 to protect the privacy of medical
 information, which would minimize the impact of the proposed rule on
 small entities.
 NCUA: The Regulatory Flexibility Act requires the NCUA to prepare
 an analysis to describe any significant economic impact a proposed rule
 may have on a substantial number of small credit unions (those under
 $10 million in assets).
 Section 411 of the FACT Act limits the ability of creditors to
 obtain or use medical information in connection with credit eligibility
 determinations and narrows when any person can share medical
 information and medical-related information with affiliates without
 becoming a consumer reporting agency for purposes of the FCRA. The
 statute requires the NCUA and the federal banking agencies to prescribe
 regulations that create exceptions to permit creditors to obtain or use
 medical information in connection with credit eligibility
 determinations where necessary and appropriate to protect legitimate
 operational, transactional, risk, consumer, and other needs (including
 administrative verification purposes), consistent with congressional
 intent to restrict the use of medical information for inappropriate
 purposes. Furthermore, the statute grants discretionary rulemaking
 authority to the NCUA, the federal banking agencies, and the Federal
 Trade Commission to create exceptions, in addition to those already
 provided in the statute, to allow affiliates to share medical
 information and medical-related information.
 Proposed Sec. Sec. 717.30 and 717.31 of the NCUA's proposed
 regulations would apply to all federal credit unions, regardless of
 their size. The proposed rule would contain restrictions set forth in
 section 411 of the FACT Act on federal credit unions obtaining and
 using medical information in connection with credit eligibility
 determinations and the sharing of medical information and medical-
 related information with affiliates. The proposed regulations, however,
 also would grant exceptions to the statutory limitations to allow
 creditors to obtain or use medical information in enumerated situations
 in connection with determinations of consumer eligibility or continued
 eligibility for credit. The proposal would also enumerate the
 situations in which federal credit unions would be permitted to share
 medical information among affiliates.
 NCUA is not aware of any other federal rules that duplicate,
 overlap, or conflict with the proposed rule. NCUA specifically requests
 comment on the impact of the proposed rule on small federal credit
 unions.
 OCC and OTS Executive Order 12866 Determination  The OCC and OTS each has determined that its portion of the proposed rulemaking is not a significant regulatory action under
 Executive Order 12866. OCC and OTS Unfunded Mandates Reform Act of
            1995
 Determination.
 OCC Executive Order 13132 Determination  The OCC has determined that this proposal does not have any Federalism implications, as required by Executive Order 13132.
 NCUA Executive Order 13132 Determination  Executive Order 13132 encourages independent regulatory agencies
            to consider the impact of their actions on state and local interests.
            In
 adherence to fundamental federalism principles, the NCUA, an
 independent regulatory agency as defined in 44 U.S.C. 3502(5),
 voluntarily complies with the executive order. The proposed rule
 applies only to federally chartered credit unions and would not have
 substantial direct effects on the states, on the connection between
            the
 national government and the states, or on the distribution of power
            and
 responsibilities among the various levels of government. The NCUA
            has
 determined that this proposed rule does not constitute a policy that
 has federalism implications for purposes of the executive order.
 OCC and OTS Unfunded Mandates Reform Act of 1995 Determination  Section 202 of the Unfunded Mandates Reform Act of 1995, Public
            Law 104-4 (Unfunded Mandates Act) requires that an agency prepare a
 budgetary impact statement before promulgating a rule that includes
            a
 Federal mandate that may result in expenditure by State, local, and
 tribal governments, in the aggregate, or by the private sector, of
            $100
 million or more in any one year. If a budgetary impact statement
            is
 required, section 205 of the Unfunded Mandates Act also requires
            an
 agency to identify and consider a reasonable number of regulatory
 alternatives before promulgating a rule. The OCC and OTS each has
 determined that this proposed rule will not result in expenditures
            by
 State, local, and tribal governments, or by the private sector, of
            $100
 million or more. Accordingly, neither the OCC nor the OTS has prepared
 a budgetary impact statement or specifically addressed the regulatory
 alternatives considered.
 NCUA: The Treasury and General Government Appropriations Act, 1999--Assessment of Federal Regulations and Policies on Families
  The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury
              and
 General Government Appropriations Act, 1999, Public Law 105-277,
            112
 Stat. 2681 (1998).
 NCUA: Interpretive Ruling and Policy Statement (IRPS) 87-2, as Amended by IRPS 03-2
  Under NCUA's IRPS 87-2, as amended by IRPS 03-2, the NCUA Board's general policy is to provide a 60-day comment period for a proposed
 regulation. In this case, the NCUA Board believes that a 30-day comment
 period will be adequate and is appropriate given that the statutory
 deadline for the final rule is June 4, 2004. NCUA IRPS 87-2, 52 FR
 35231, Sept. 18, 1987, as amended by IRPS 03-2, 68 FR 31949, May
            29,
 2003.
 OCC Community Bank Comment Request  The OCC invites your comments on the impact of this proposal on community banks. The OCC recognizes that community banks operate
              with
 more limited resources than larger institutions and may present a
 different risk profile. Thus, the OCC specifically requests comment
            on
 the impact of the proposal on community banks' current resources
            and
 available personnel with the requisite expertise, and whether the
            goals
 of the proposal could be achieved, for community banks, through an
 alternative approach.
 [[Page 23394]] IV. Solicitation of Comments on Use of Plain Language  Section 722 of the GLB Act requires the Agencies \3\ to use plain language in all proposed and final rules published after January
              1,
 2000. We invite your comments on how to make this proposed rule easier
 to understand. For example:
 ---------------------------------------------------------------------------
  \3\ Section 722 of the GLB Act does not apply to NCUA, but NCUA has a similar Agency Regulatory Goal to promote clear and
 understandable regulations that impose minimal regulatory burden.
 ---------------------------------------------------------------------------
  Have we organized the material to suit your needs? If not, how could this material be better organized?
 Are the requirements in the rule clearly stated?
 If not, how could the rule be more clearly stated?
 Do the regulations contain technical language or
 jargon that is not clear? If so, which language requires clarification?
 Would a different format (grouping and order of
 sections, use of headings, paragraphing) make the regulation easier to
 understand? If so, what changes to the format would make the regulation
 easier to understand?
 Would more, but shorter, sections be better? If
 so, which sections should be changed?
 What else could we do to make the regulation
 easier to understand?
 List of Subjects 12 CFR Part 41  Banks, Banking, Consumer protection, National banks, Reporting
            and recordkeeping requirements.
 12 CFR Part 222  Banks, Banking, Consumer protection, Credit, Fair Credit Reporting Act, Holding companies, Privacy, Reporting and recordkeeping
 requirements, State member banks.
 12 CFR Part 334  Administrative practice and procedure, Bank deposit insurance, Banks, Banking, Reporting and recordkeeping requirements, Safety
              and
 soundness.
 12 CFR Part 571  Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations.
 12 CFR Part 717  Consumer protection, Credit unions, Fair credit reporting, Medical information, Privacy, Reporting and recordkeeping requirements.
 Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance  For the reasons set forth in the preamble, the OCC proposes to amend Chapter I of Title 12 of the Code of Federal Regulations as
 follows:
 1. Add part 41 to read as follows:
 PART 41--FAIR CREDIT Subpart A--General ProvisionsSec.
 41.1 Purpose and scope.
 41.2 Examples.
 41.3 Definitions.
 Subpart B--[Reserved]
 Subpart C--[Reserved]
 Subpart D--Medical Information
 41.30 Obtaining or using medical information in connection with a
 determination of eligibility for credit.
 41.31 Sharing medical information with affiliates.
  Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681a, 1681b, and 1681s.
 Subpart A--General Provisions Sec. 41.1 Purpose and scope.
  (a) Purpose. The purpose of this part is to establish standards
            for national banks in key areas of regulation regarding consumer report
 information and fair credit. In addition, the purpose of this part
            is
 to specify the type of information, including medical information,
 national banks may obtain, use, or share among affiliates. This part
 also contains a number of measures national banks must take to combat
 consumer fraud and related crimes, including identity theft.
 (b) Scope.
 (1) [Reserved]
 (2) Institutions covered. Except as otherwise provided in this
 part, these regulations apply to national banks, Federal branches and
 Agencies of foreign banks, and their respective operating subsidiaries
 that are not functionally regulated within the meaning of section
 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C.
 1844(c)(5)).
 Sec. 41.2 Examples.
  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this
 part. Examples in a paragraph illustrate only the issue described
            in
 the paragraph and do not illustrate any other issue that may arise
            in
 this part.
 Sec. 41.3 Definitions.
  As used in this part, unless the context requires otherwise:(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
 seq.).
 (b) Affiliate means any company that controls, is controlled by, or
 is under common control with another company.
 (c) [Reserved]
 (d) Company means any corporation, limited liability company,
 business trust, general or limited partnership, association, or similar
 organization.
 (e) Consumer means an individual.
 (f) [Reserved]
 (g) [Reserved]
 (h) [Reserved]
 (i) Control of a company means:
 (1) Ownership, control, or power to vote 25 percent or more of the
 outstanding shares of any class of voting security of the company,
 directly or indirectly, or acting through one or more other persons;
 (2) Control in any manner over the election of a majority of the
 directors, trustees, or general partners (or individuals exercising
 similar functions) of the company; or
 (3) The power to exercise, directly or indirectly, a controlling
 influence over the management or policies of the company, as the OCC
 determines.
 (j) [Reserved]
 (k) Medical information means:
 (1) Information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to:
 (i) The past, present, or future physical, mental, or behavioral
 health or condition of an individual;
 (ii) The provision of health care to an individual; or
 (iii) The payment for the provision of health care to an
 individual.
 (2) The term does not include:
 (i) The age or gender of a consumer;
 (ii) Demographic information about the consumer, including a
 consumer's residence address or e-mail address; or
 (iii) Any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 (l) [Reserved]
 (m) [Reserved]
 (n) [Reserved]
 * * * * *
 [[Page 23395]] Subpart B--[Reserved] Subpart C--[Reserved] Subpart D--Medical Information Sec. 41.30 Obtaining or using medical information in connection with
 a determination of eligibility for credit.
  (a) General prohibition on obtaining or using medical information--(1) In general. A bank may not obtain or use medical information
 pertaining to a consumer in connection with any determination of
            the
 consumer's eligibility, or continued eligibility, for credit, except
            as
 provided in this subpart.
 (2) Definitions as used in this subpart--(i) Eligibility, or
 continued eligibility, for credit means the consumer's qualification or
 fitness to receive, or continue to receive, credit, including the terms
 on which credit is offered, primarily for personal, family, or
 household purposes. The term does not include:
 (A) The consumer's qualification or fitness to be offered
 employment, insurance products, or other non-credit products or
 services;
 (B) Any determination of whether the provisions of a debt
 cancellation contract, debt suspension agreement, credit insurance
 product, or similar forbearance practice or program are triggered;
 (C) Authorizing, processing, or documenting a payment or
 transaction on behalf of the consumer in a manner that does not involve
 a determination of the consumer's eligibility, or continued
 eligibility, for credit; or
 (D) Maintaining or servicing the consumer's account in a manner
 that does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 (ii) Bank means an institution that:
 (A) is covered by this part in Sec. 41.1(b)(2); and
 (B) is a ``creditor'' as that term is defined by section 702 of the
 Equal Credit Opportunity Act (15 U.S.C. 1691a).
 (iii) Credit has the same meaning as in section 702 of the Equal
 Credit Opportunity Act (15 U.S.C. 1691a).
 (b) Rule of construction for receiving unsolicited medical
 information--(1) In general. A bank does not obtain medical information
 for purposes of paragraph (a)(1) of this section if it:
 (i) Receives medical information pertaining to a consumer in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit without specifically requesting
 medical information; and
 (ii) Does not use that information in determining whether to extend
 or continue to extend credit to the consumer and the terms on which
 credit is offered or continued.
 (2) Examples of receiving unsolicited medical information. A bank
 receives unsolicited medical information if, for example:
 (i) In response to a general question regarding a consumer's debts
 or expenses, the bank receives information that the consumer has a
 particular medical condition and does not use that information in
 determining whether to extend credit to the consumer or the terms on
 which credit is offered.
 (ii) In conversation with the loan officer, the consumer informs
 the bank that the consumer has a particular medical condition, and the
 bank does not use that information in determining whether to extend
 credit to the consumer or the terms on which credit is offered.
 (c) Financial information exception for obtaining and using medical
 information--(1) In general. A bank may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit so long as:
 (i) The information relates to debts, expenses, income, benefits,
 collateral, or the purpose of the loan, including the use of proceeds;
 (ii) The bank uses the medical information in a manner and to an
 extent that is no less favorable than it would use comparable
 information that is not medical information in a credit transaction;
 and
 (iii) The bank does not take the consumer's physical, mental, or
 behavioral health, condition or history, type of treatment, or
 prognosis into account as part of any such determination.
 (2) Examples--(i) Examples of information related to debts,
 expenses, income, benefits, collateral, or the purpose of the loan.
 Paragraph (c)(1)(i) of this section permits a bank, for example, to
 obtain and use information about:
 (A) The dollar amount, repayment terms, repayment history, and
 similar information regarding medical debts that is used to calculate,
 measure, or verify the repayment ability of the consumer, the use of
 proceeds, or the terms for granting credit;
 (B) The value, condition, and lien status of a medical device that
 is used as collateral to secure a loan;
 (C) The dollar amount and continued eligibility for disability
 income or benefits related to health or a medical condition that is
 relied on as a source of repayment; or
 (D) The identity of entities to whom outstanding medical debts are
 owed in connection with an application for credit, including but not
 limited to a transaction involving the consolidation of medical debts.
 (ii) Examples of uses of medical information consistent with the
 exception. (A) A consumer includes on an application for credit
 information about two $20,000 debts. One debt is to a hospital; the
 other debt is to a retailer. The bank contacts the hospital and the
 retailer to verify the amount and payment status of the debts. The bank
 learns that both debts are more than 90 days past due. Any two debts of
 this size that are past due would disqualify the consumer under the
 bank's established underwriting criteria. The bank denies the
 application on the basis that the consumer has a poor repayment history
 on outstanding debts. The bank has used medical information in a manner
 and to an extent no less favorable than it would use comparable non-
 medical information.
 (B) A consumer indicates on an application for a $200,000 mortgage
 loan that she receives $15,000 in long-term disability income each year
 from her former employer and has no other income. Annual income of
 $15,000, regardless of source, would not be sufficient to support the
 requested amount of credit. The bank denies the application on the
 basis that the projected debt-to-income ratio of the consumer does not
 meet the bank's underwriting criteria. The bank has used medical
 information in a manner and to an extent that is no less favorable than
 it would use comparable non-medical information.
 (C) A consumer includes on an application for a $10,000 home equity
 loan that he has a $50,000 debt to a medical facility that specializes
 in treating a potentially terminal disease. The bank contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan. The bank learns that the debt is
 current and that the applicant meets the income requirements of the
 bank's underwriting guidelines. The bank grants the application. The
 bank has used medical information in accordance with the exception.
 (iii) Examples of uses of medical information inconsistent with the
 exception.
 (A) A consumer applies for $25,000 of credit and includes on the
 application information about a $50,000 debt to a hospital. The bank
 contacts the hospital to verify the amount and payment status
 [[Page 23396]] of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt
 were instead owed to a home furnishing retailer, the bank would approve
 the application and extend credit based on the amount and repayment
 history of the outstanding debt. The bank, however, denies the
 application because the consumer is indebted to a hospital. The bank
 has used medical information, here the identity of the hospital,
            in a
 manner and to an extent that is less favorable than it would use
 comparable non-medical information.
 (B) A consumer meets with a loan officer of a bank to apply for a
 mortgage loan. While filling out the loan application, the consumer
 informs the loan officer orally that she has a potentially terminal
 disease. The consumer meets the bank's established requirements for the
 requested mortgage. The loan officer recommends to the credit committee
 that the consumer be denied credit because the consumer has that
 disease. The bank has used medical information in a manner inconsistent
 with the exception by taking into account the consumer's physical,
 mental, or behavioral health, condition, or history, type of treatment,
 or prognosis as part of a determination of eligibility or continued
 eligibility for credit.
 (d) Specific exceptions for obtaining and using medical
 information--(1) In general. A bank may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit:
 (i) To determine whether the use of a power of attorney or legal
 representative is necessary and appropriate;
 (ii) To comply with applicable requirements of local, state, or
 federal laws;
 (iii) To the extent such information is included in a consumer
 report from a consumer reporting agency, in accordance with 15 U.S.C.
 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
 provided specific written consent;
 (iv) For purposes of fraud prevention and detection;
 (v) In the case of credit for the purpose of financing medical
 products or services, to determine and verify the medical purpose of a
 loan and the use of proceeds;
 (vi) If the consumer or the consumer's legal representative
 requests in writing, on a separate form signed by the consumer or the
 consumer's legal representative that the bank use specific medical
 information for a specific purpose in determining the consumer's
 eligibility, or continued eligibility, for credit, to accommodate the
 consumer's particular circumstances. The signed written request must
 describe the specific medical information that the consumer requests
 the bank to use and the specific purpose for which the information will
 be used; or
 (vii) As otherwise permitted by order of the OCC.
 (2) Examples of determining the medical purpose of the loan or the
 use of proceeds. (i) If a consumer applies for $10,000 of credit for
 the purpose of financing vision correction surgery, the bank may
 confirm the consumer's medical eligibility to undergo that procedure
 with the surgeon. If the surgeon reports that surgery will not be
 performed on the consumer, the bank may use that medical information to
 deny the consumer's application for credit, because the loan would not
 be used for the stated purpose.
 (ii) If a consumer applies for $10,000 of credit for the purpose of
 financing cosmetic surgery, the bank may confirm the cost of the
 procedure with the surgeon. If the surgeon reports that the cost of the
 procedure is $5,000, the bank may use that medical information to offer
 the consumer only $5,000 of credit.
 (iii) A bank has an established medical loan program for financing
 particular elective surgical procedures. The bank receives a loan
 application from a consumer requesting $10,000 of credit under the
 established loan program for an elective surgical procedure. The
 consumer indicates on the application that the purpose of the loan is
 to finance an elective surgical procedure not eligible for funding
 under the guidelines of the established loan program. The bank may deny
 the consumer's application because the purpose of the loan is not for a
 particular procedure funded by the established loan program.
 (3) Examples of obtaining and using medical information at the
 request of the consumer. Consistent with safe and sound practices, and
 after obtaining from the consumer a signed, written document that
 describes the specific medical information that the consumer requests
 the bank to use and the specific purpose for which the information will
 be used, the bank may obtain and use the specific medical information
 for the specific purpose described in the request:
 (i) If a consumer applies for a loan and requests that the bank
 consider the consumer's medical disability at the relevant time as an
 explanation for adverse payment history information in his credit
 report, the bank may consider such medical information in evaluating
 the consumer's willingness and ability to repay the requested loan.
 (ii) If a consumer applies for a loan and explains that his income
 has been and will continue to be interrupted on account of a medical
 condition and that he expects to repay the loan from liquidation of
 assets, the bank may evaluate the application using the sale of assets
 as the primary source of repayment.
 (e) Limits on redisclosure of information. If the bank receives
 medical information about a consumer from a consumer reporting agency
 or its affiliate, the bank must not disclose that information to any
 other person, except as necessary to carry out the purpose for which
 the information was initially disclosed, or as otherwise permitted by
 statute, regulation, or order.
 Sec. 41.31 Sharing medical information with affiliates.
  (a) In general. The exclusions from the term ``consumer report''
            in section 603(d)(2) of the Act that allow the sharing of information
            with
 affiliates do not apply if the bank communicates to an affiliate:
 (1) Medical information;
 (2) An individualized list or description based on the payment
 transactions of the consumer for medical products or services; or
 (3) An aggregate list of identified consumers based on payment
 transactions for medical products or services.
 (b) Exceptions. The bank may rely on the exclusions from the term
 ``consumer report'' in section 603(d)(2) of the Act to communicate the
 information in paragraph (a) of this section to an affiliate:
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 regulations promulgated by the U.S. Department of Health and Human
 Services pursuant to the Health Insurance Portability and
 Accountability Act of 1996 (HIPAA);
 (3) For any purpose referred to in section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act;
 (5) In connection with a determination of the consumer's
 eligibility, or continued eligibility, for credit consistent with Sec.
 41.30; or
 [[Page 23397]]  (6) As otherwise permitted by order of the OCC. Board of Governors of the Federal Reserve System 12 CFR Chapter II Authority and Issuance  For the reasons set forth in the joint preamble, title 12, chapter II, of the Code of Federal Regulations is proposed to be amended
              by
 revising part 222 to read as follows:
 PART 222--FAIR CREDIT REPORTING (REGULATION V)  1. The authority citation for part 222 is amended to read as follows:
  Authority: 15 U.S.C. 1681b and 1681s; Secs. 3 and 217, Pub. L. 108-159, 117 Stat. 1952.
  2. In subpart A to part 222, the following amendments are made:a. Section 222.1 is amended by adding a new paragraph (b).
 b. Section 222.2 is added.
 c. Section 222.3 is added.
 3. A new subpart D is added to part 222.
 Subpart A--General Provisions Sec. 222.1 Purpose, scope, and effective dates
 * * * * *(b) Scope.
 (1) [Reserved]
 (2) Institutions covered. (i) Except as otherwise provided in
 paragraph (b)(2) of this section, these regulations apply to banks that
 are members of the Federal Reserve System (other than national banks),
 branches and Agencies of foreign banks (other than Federal branches,
 Federal Agencies, and insured State branches of foreign banks),
 commercial lending companies owned or controlled by foreign banks,
 organizations operating under section 25 or 25A of the Federal Reserve
 Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding
 companies and affiliates of such holding companies.
 (ii) [Reserved]
 (iii) Section 222.30(a)-(d) of this part applies to persons listed
 in paragraph (b)(2)(i) of this section that are creditors.
 (iv) Section 222.31 of this part applies to banks that are members
 of the Federal Reserve System (other than national banks), branches and
 Agencies of foreign banks (other than Federal branches, Federal
 Agencies, and insured State branches of foreign banks), commercial
 lending companies owned or controlled by foreign banks, organizations
 operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C.
 601 et seq., and 611 et seq.).
 * * * * *
 Sec. 222.2 Examples.
  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this
 part. Examples in a paragraph illustrate only the issue described
            in
 the paragraph and do not illustrate any other issue that may arise
            in
 this part.
 Sec. 222.3 Definitions.
  As used in this part, unless the context requires otherwise:(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
 seq.).
 (b) Affiliate means any company that controls, is controlled by, or
 is under common control with another company.
 (c) [Reserved]
 (d) Company means any corporation, limited liability company,
 business trust, general or limited partnership, association, or similar
 organization.
 (e) Consumer means an individual.
 (f) [Reserved]
 (g) [Reserved]
 (h) [Reserved]
 (i) Control of a company means:
 (1) Ownership, control, or power to vote 25 percent or more of the
 outstanding shares of any class of voting security of the company,
 directly or indirectly, or acting through one or more other persons;
 (2) Control in any manner over the election of a majority of the
 directors, trustees, or general partners (or individuals exercising
 similar functions) of the company; or
 (3) The power to exercise, directly or indirectly, a controlling
 influence over the management or policies of the company, as the Board
 determines.
 (j) [Reserved]
 (k) Medical information means:
 (1) Information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to--
 (i) The past, present, or future physical, mental, or behavioral
 health or condition of an individual;
 (ii) The provision of health care to an individual; or
 (iii) The payment for the provision of health care to an
 individual.
 (2) The term does not include:
 (i) The age or gender of a consumer;
 (ii) Demographic information about the consumer, including a
 consumer's residence address or e-mail address; or
 (iii) Any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 (l) [Reserved]
 (m) [Reserved]
 (n) [Reserved]
 (o) You means member banks of the Federal Reserve System (other
 than national banks), branches and Agencies of foreign banks (other
 than Federal branches, Federal Agencies, and insured State branches of
 foreign banks), commercial lending companies owned or controlled by
 foreign banks, organizations operating under section 25 or 25A of the
 Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank
 holding companies and affiliates of such holding companies (other than
 depository institutions and consumer reporting agencies).
 Subpart B--[Reserved] Subpart C--[Reserved] Subpart D--Medical InformationSec.
 222.30 Obtaining or using medical information in connection with
            a
 determination of eligibility for credit.
 222.31 Sharing medical information with affiliates.
 Subpart D--Medical Information Sec. 222.30 Obtaining or using medical information in connection
              with
 a determination of eligibility for credit.
  (a) General prohibition on obtaining or using medical information--(1) In general. A creditor may not obtain or use medical information
 pertaining to a consumer in connection with any determination of
            the
 consumer's eligibility, or continued eligibility, for credit, except
            as
 provided in this subpart.
 (2) Definitions as used in this subpart--(i) Eligibility, or
 continued eligibility, for credit means the consumer's qualification or
 fitness to receive, or continue to receive, credit, including the terms
 on which credit is offered, primarily for personal, family, or
 household purposes. The term does not include:
 (A) The consumer's qualification or fitness to be offered
 employment, insurance products, or other non-credit products or
 services;
 (B) Any determination of whether the provisions of a debt
 cancellation contract, debt suspension agreement, credit insurance
 product, or similar forbearance practice or program are triggered;
 (C) Authorizing, processing, or documenting a payment or
 transaction on behalf of the consumer in a manner
 [[Page 23398]] that does not involve a determination of the consumer's eligibility,
            or continued eligibility, for credit; or
 (D) Maintaining or servicing the consumer's account in a manner
 that does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 (ii) Creditor has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (iii) Credit has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (b) Rule of construction for receiving unsolicited medical
 information--(1) In general. A creditor does not obtain medical
 information for purposes of paragraph (a)(1) of this section if it--
 (i) Receives medical information pertaining to a consumer in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit without specifically requesting
 medical information; and
 (ii) Does not use that information in determining whether to extend
 or continue to extend credit to the consumer and the terms on which
 credit is offered or continued.
 (2) Examples of receiving unsolicited medical information. A
 creditor receives unsolicited medical information if, for example:
 (i) In response to a general question regarding a consumer's debts
 or expenses, the creditor receives information that the consumer has a
 particular medical condition and does not use that information in
 determining whether to extend credit to the consumer or the terms on
 which credit is offered.
 (ii) In conversation with the loan officer, the consumer informs
 the creditor that the consumer has a particular medical condition, and
 the creditor does not use that information in determining whether to
 extend credit to the consumer or the terms on which credit is offered.
 (c) Financial information exception for obtaining and using medical
 information--(1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit so long as:
 (i) The information relates to debts, expenses, income, benefits,
 collateral, or the purpose of the loan, including the use of proceeds;
 (ii) The creditor uses the medical information in a manner and to
 an extent that is no less favorable than it would use comparable
 information that is not medical information in a credit transaction;
 and
 (iii) The creditor does not take the consumer's physical, mental,
 or behavioral health, condition or history, type of treatment, or
 prognosis into account as part of any such determination.
 (2) Examples--(i) Examples of information related to debts,
 expenses, income, benefits, collateral, or the purpose of the loan.
 Paragraph (c)(1)(i) of this section permits a creditor, for example, to
 obtain and use information about:
 (A) The dollar amount, repayment terms, repayment history, and
 similar information regarding medical debts that is used to calculate,
 measure, or verify the repayment ability of the consumer, the use of
 proceeds, or the terms for granting credit;
 (B) The value, condition, and lien status of a medical device that
 is used as collateral to secure a loan;
 (C) The dollar amount and continued eligibility for disability
 income or benefits related to health or a medical condition that is
 relied on as a source of repayment; or
 (D) The identity of creditors to whom outstanding medical debts are
 owed in connection with an application for credit, including but not
 limited to a transaction involving the consolidation of medical debts.
 (ii) Examples of uses of medical information consistent with the
 exception. (A) A consumer includes on an application for credit
 information about two $20,000 debts. One debt is to a hospital; the
 other debt is to a retailer. The creditor contacts the hospital and the
 retailer to verify the amount and payment status of the debts. The
 creditor learns that both debts are more than 90 days past due. Any two
 debts of this size that are past due would disqualify the consumer
 under the creditor's established underwriting criteria. The creditor
 denies the application on the basis that the consumer has a poor
 repayment history on outstanding debts. The creditor has used medical
 information in a manner and to an extent no less favorable than it
 would use comparable non-medical information.
 (B) A consumer indicates on an application for a $200,000 mortgage
 loan that she receives $15,000 in long-term disability income each year
 from her former employer and has no other income. Annual income of
 $15,000, regardless of source, would not be sufficient to support the
 requested amount of credit. The creditor denies the application on the
 basis that the projected debt-to-income ratio of the consumer does not
 meet the creditor's underwriting criteria. The creditor has used
 medical information in a manner and to an extent that is no less
 favorable than it would use comparable non-medical information.
 (C) A consumer includes on an application for a $10,000 home equity
 loan that he has a $50,000 debt to a medical facility that specializes
 in treating a potentially terminal disease. The creditor contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan. The creditor learns that the debt is
 current and that the applicant meets the income requirements of the
 creditor's underwriting guidelines. The creditor grants the
 application. The creditor has used medical information in accordance
 with the exception.
 (iii) Examples of uses of medical information inconsistent with the
 exception.
 (A) A consumer applies for $25,000 of credit and includes on the
 application information about a $50,000 debt to a hospital. The
 creditor contacts the hospital to verify the amount and payment status
 of the debt, and learns that the debt is current and that the consumer
 has no delinquencies in her repayment history. If the existing debt
 were instead owed to a home furnishing retailer, the creditor would
 approve the application and extend credit based on the amount and
 repayment history of the outstanding debt. The creditor, however,
 denies the application because the consumer is indebted to a hospital.
 The creditor has used medical information, here the identity of the
 medical creditor, in a manner and to an extent that is less favorable
 than it would use comparable non-medical information.
 (B) A consumer meets with a loan officer of a creditor to apply for
 a mortgage loan. While filling out the loan application, the consumer
 informs the loan officer orally that she has a potentially terminal
 disease. The consumer meets the creditor's established requirements for
 the requested mortgage. The loan officer recommends to the credit
 committee that the consumer be denied credit because the consumer has
 that disease. The creditor has used medical information in a manner
 inconsistent with the exception by taking into account the consumer's
 physical, mental, or behavioral health, condition, or history, type of
 treatment, or prognosis as part of a determination of eligibility or
 continued eligibility for credit.
 (d) Specific exceptions for obtaining and using medical
 information--(1) In general. A creditor may obtain and use medical
 information pertaining to a
 [[Page 23399]] consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit--
 (i) To determine whether the use of a power of attorney or legal
 representative is necessary and appropriate;
 (ii) To comply with applicable requirements of local, state, or
 federal laws;
 (iii) To the extent such information is included in a consumer
 report from a consumer reporting agency, in accordance with 15 U.S.C.
 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
 provided specific written consent;
 (iv) For purposes of fraud prevention and detection;
 (v) In the case of credit for the purpose of financing medical
 products or services, to determine and verify the medical purpose of a
 loan and the use of proceeds;
 (vi) If the consumer or the consumer's legal representative
 requests in writing, on a separate form signed by the consumer or the
 consumer's legal representative that the creditor use specific medical
 information for a specific purpose in determining the consumer's
 eligibility, or continued eligibility, for credit, to accommodate the
 consumer's particular circumstances. The signed written request must
 describe the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used; or
 (vii) As otherwise permitted by order of the Board.
 (2) Examples of determining the medical purpose of the loan or the
 use of proceeds. (i) If a consumer applies for $10,000 of credit for
 the purpose of financing vision correction surgery, the creditor may
 confirm the consumer's medical eligibility to undergo that procedure
 with the surgeon. If the surgeon reports that surgery will not be
 performed on the consumer, the creditor may use that medical
 information to deny the consumer's application for credit, because the
 loan would not be used for the stated purpose.
 (ii) If a consumer applies for $10,000 of credit for the purpose of
 financing cosmetic surgery, the creditor may confirm the cost of the
 procedure with the surgeon. If the surgeon reports that the cost of the
 procedure is $5,000, the creditor may use that medical information to
 offer the consumer only $5,000 of credit.
 (iii) A creditor has an established medical loan program for
 financing particular elective surgical procedures. The creditor
 receives a loan application from a consumer requesting $10,000 of
 credit under the established loan program for an elective surgical
 procedure. The consumer indicates on the application that the purpose
 of the loan is to finance an elective surgical procedure not eligible
 for funding under the guidelines of the established loan program. The
 creditor may deny the consumer's application because the purpose of the
 loan is not for a particular procedure funded by the established loan
 program.
 (3) Examples of obtaining and using medical information at the
 request of the consumer. Consistent with safe and sound practices, and
 after obtaining from the consumer a signed, written document that
 describes the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used, the creditor may obtain and use the specific medical
 information for the specific purpose specified in the request:
 (i) If a consumer applies for a loan and requests that the creditor
 consider the consumer's medical disability at the relevant time as an
 explanation for adverse payment history information in his credit
 report, the creditor may consider such medical information in
 evaluating the consumer's willingness and ability to repay the
 requested loan.
 (ii) If a consumer applies for a loan and explains that his income
 has been and will continue to be interrupted on account of a medical
 condition and that he expects to repay the loan from liquidation of
 assets, the creditor may evaluate the application using the sale of
 assets as the primary source of repayment.
 (e) Limits on redisclosure of information. If you receive medical
 information about a consumer from a consumer reporting agency or your
 affiliate, you must not disclose that information to any other person,
 except as necessary to carry out the purpose for which the information
 was initially disclosed, or as otherwise permitted by statute,
 regulation, or order.
 Sec. 222.31 Sharing medical information with affiliates.
  (a) In general. The exclusions from the term ``consumer report''
            in section 603(d)(2) of the Act that allow the sharing of information
            with
 affiliates do not apply to a person described in Sec. 222.1(b)(2)(iv)
 of this part if that person communicates to an affiliate
 (1) Medical information;
 (2) An individualized list or description based on the payment
 transactions of the consumer for medical products or services; or
 (3) An aggregate list of identified consumers based on payment
 transactions for medical products or services.
 (b) Exceptions. A person described in Sec. 222.1(b)(2)(iv) of this
 part may rely on the exclusions from the term ``consumer report'' in
 section 603(d)(2) of the Act to communicate the information in
 paragraph (a) to an affiliate--
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 regulations promulgated by the Department of Health and Human Services
 pursuant to the Health Insurance Portability and Accountability Act of
 1996 (HIPAA);
 (3) For any purpose referred to in section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act;
 (5) In connection with a determination of the consumer's
 eligibility, or continued eligibility, for credit consistent with Sec.
 222.30 of this part; or
 (6) As otherwise permitted by order of the Board.
 Federal Deposit Insurance Corporation 12 CFR Chapter III Authority and Issuance  For the reasons set forth in the joint preamble, the Federal Deposit Insurance Corporation proposes to add part 334 of chapter
              III
 of title 12 of the Code of Federal Regulations to read as follows:
 PART 334--FAIR CREDIT REPORTING Subpart A--General Provisions Sec.334.1 Purpose, scope, and effective dates.
 334.2 Examples.
 334.3 Definitions.
 Subpart B--[Reserved]
 Subpart C--[Reserved]
 Subpart D--Medical Information
 334.30 Obtaining or using medical information in connection with
            a
 determination of eligibility for credit.
 334.31 Sharing medical information with affiliates.
  Authority: 12 U.S.C. 1819(Tenth) and 1818; 15 U.S.C. 1681b and 1681s.
 [[Page 23400]] Subpart A--General Provisions Sec. 334.1 Purpose, scope, and effective dates.
  (a) [Reserved](b) Scope.
 (1) [Reserved]
 (2) Institutions covered.
 (i) Except as otherwise provided in this paragraph, these
 regulations apply to banks insured by the FDIC (other than District
 Banks and members of the Federal Reserve System) and insured State
 branches of foreign banks and any subsidiaries and affiliates of such
 entities; and other entities or persons with respect to which the FDIC
 may exercise its enforcement authority under any provision of law. For
 purposes of this definition, a subsidiary does not include a broker,
 dealer, person providing insurance, investment company, and investment
 advisor.
 (ii) [Reserved]
 (iii) Section 334.30 of this part applies to creditors, as defined
 in Sec. 334.30(a)(2), that are subject to the jurisdiction of the
 Federal Deposit Insurance Corporation under paragraph (b)(2)(i) of this
 section.
 Sec. 334.2 Examples.
  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this
 part. Examples in a paragraph illustrate only the issue described
            in
 the paragraph and do not illustrate any other issue that may arise
            in
 this part.
 Sec. 334.3 Definitions.
  As used in this part, unless the context requires otherwise:(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
 seq.).
 (b) Affiliate means any company that controls, is controlled by, or
 is under common control with another company.
 (c) [Reserved]
 (d) Company means any corporation, limited liability company,
 business trust, general or limited partnership, association, or similar
 organization.
 (e) Consumer means an individual.
 (f) [Reserved]
 (g) [Reserved]
 (h) [Reserved]
 (i) Control of a company means:
 (1) Ownership, control, or power to vote 25 percent or more of the
 outstanding shares of any class of voting security of the company,
 directly or indirectly, or acting through one or more other persons;
 (2) Control in any manner over the election of a majority of the
 directors, trustees, or general partners (or individuals exercising
 similar functions) of the company; or
 (3) The power to exercise, directly or indirectly, a controlling
 influence over the management or policies of the company, as the Board
 determines.
 (j) [Reserved]
 (k) Medical information means:
 (1) Information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to--
 (i) The past, present, or future physical, mental, or behavioral
 health or condition of an individual;
 (ii) The provision of health care to an individual; or
 (iii) The payment for the provision of health care to an
 individual.
 (2) The term does not include:
 (i) The age or gender of a consumer;
 (ii) Demographic information about the consumer, including a
 consumer's residence address or e-mail address; or
 (iii) Any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 (l) [Reserved]
 (m) [Reserved]
 (n) [Reserved]
 (o) You means banks insured by the FDIC (other than District Banks
 and members of the Federal Reserve System) and insured State branches
 of foreign banks and any subsidiaries and affiliates of such entities;
 and other entities or persons with respect to which the FDIC may
 exercise its enforcement authority under any provision of law. For
 purposes of this definition, a subsidiary does not include a broker,
 dealer, person providing insurance, investment company, and investment
 advisor.
 Subpart B--[Reserved] Subpart C--[Reserved] Subpart D--Medical Information Sec. 334.30 Obtaining or using medical information in connection
              with
 a determination of eligibility for credit.
  (a) General prohibition on obtaining or using medical information--(1) In general. A creditor may not obtain or use medical information
 pertaining to a consumer in connection with any determination of
            the
 consumer's eligibility, or continued eligibility, for credit, except
            as
 provided in this subpart.
 (2) Definitions as used in this subpart--(i) Eligibility, or
 continued eligibility, for credit means the consumer's qualification or
 fitness to receive, or continue to receive, credit, including the terms
 on which credit is offered, primarily for personal, family, or
 household purposes. The term does not include:
 (A) The consumer's qualification or fitness to be offered
 employment, insurance products, or other non-credit products or
 services;
 (B) Any determination of whether the provisions of a debt
 cancellation contract, debt suspension agreement, credit insurance
 product, or similar forbearance practice or program are triggered;
 (C) Authorizing, processing, or documenting a payment or
 transaction on behalf of the consumer in a manner that does not involve
 a determination of the consumer's eligibility, or continued
 eligibility, for credit; or
 (D) Maintaining or servicing the consumer's account in a manner
 that does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 (ii) Creditor has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (iii) Credit has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (b) Rule of construction for receiving unsolicited medical
 information--(1) In general. A creditor does not obtain medical
 information for purposes of paragraph (a)(1) of this section if it--
 (i) Receives medical information pertaining to a consumer in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit without specifically requesting
 medical information; and
 (ii) Does not use that information in determining whether to extend
 or continue to extend credit to the consumer and the terms on which
 credit is offered or continued.
 (2) Examples of receiving unsolicited medical information. A
 creditor receives unsolicited medical information if, for example:
 (i) In response to a general question regarding a consumer's debts
 or expenses, the creditor receives information that the consumer has a
 particular medical condition and does not use that information in
 determining whether to extend credit to the consumer or the terms on
 which credit is offered.
 (ii) In conversation with the loan officer, the consumer informs
 the creditor that the consumer has a particular medical condition, and
 the creditor does not use that information in determining whether to
 extend credit to the consumer or the terms on which credit is offered.
 [[Page 23401]]  (c) Financial information exception for obtaining and using medical information--(1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit so long as:
 (i) The information relates to debts, expenses, income, benefits,
 collateral, or the purpose of the loan, including the use of proceeds;
 (ii) The creditor uses the medical information in a manner and to
 an extent that is no less favorable than it would use comparable
 information that is not medical information in a credit transaction;
 and
 (iii) The creditor does not take the consumer's physical, mental,
 or behavioral health, condition or history, type of treatment, or
 prognosis into account as part of any such determination.
 (2) Examples--(i) Examples of information related to debts,
 expenses, income, benefits, collateral, or the purpose of the loan.
 Paragraph (c)(1)(i) of this section permits a creditor, for example, to
 obtain and use information about:
 (A) The dollar amount, repayment terms, repayment history, and
 similar information regarding medical debts that is used to calculate,
 measure, or verify the repayment ability of the consumer, the use of
 proceeds, or the terms for granting credit;
 (B) The value, condition, and lien status of a medical device that
 is used as collateral to secure a loan;
 (C) The dollar amount and continued eligibility for disability
 income or benefits related to health or a medical condition that is
 relied on as a source of repayment; or
 (D) The identity of creditors to whom outstanding medical debts are
 owed in connection with an application for credit, including but not
 limited to a transaction involving the consolidation of medical debts.
 (ii) Examples of uses of medical information consistent with the
 exception. (A) A consumer includes on an application for credit
 information about two $20,000 debts. One debt is to a hospital; the
 other debt is to a retailer. The creditor contacts the hospital and the
 retailer to verify the amount and payment status of the debts. The
 creditor learns that both debts are more than 90 days past due. Any two
 debts of this size that are past due would disqualify the consumer
 under the creditor's established underwriting criteria. The creditor
 denies the application on the basis that the consumer has a poor
 repayment history on outstanding debts. The creditor has used medical
 information in a manner and to an extent no less favorable than it
 would use comparable non-medical information.
 (B) A consumer indicates on an application for a $200,000 mortgage
 loan that she receives $15,000 in long-term disability income each year
 from her former employer and has no other income. Annual income of
 $15,000, regardless of source, would not be sufficient to support the
 requested amount of credit. The creditor denies the application on the
 basis that the projected debt-to-income ratio of the consumer does not
 meet the creditor's underwriting criteria. The creditor has used
 medical information in a manner and to an extent that is no less
 favorable than it would use comparable non-medical information.
 (C) A consumer includes on an application for a $10,000 home equity
 loan that he has a $50,000 debt to a medical facility that specializes
 in treating a potentially terminal disease. The creditor contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan. The creditor learns that the debt is
 current and that the applicant meets the income requirements of the
 creditor's underwriting guidelines. The creditor grants the
 application. The creditor has used medical information in accordance
 with the exception.
 (iii) Examples of uses of medical information inconsistent with the
 exception.
 (A) A consumer applies for $25,000 of credit and includes on the
 application information about a $50,000 debt to a hospital. The
 creditor contacts the hospital to verify the amount and payment status
 of the debt, and learns that the debt is current and that the consumer
 has no delinquencies in her repayment history. If the existing debt
 were instead owed to a home furnishing retailer, the creditor would
 approve the application and extend credit based on the amount and
 repayment history of the outstanding debt. The creditor, however,
 denies the application because the consumer is indebted to a hospital.
 The creditor has used medical information, here the identity of the
 medical creditor, in a manner and to an extent that is less favorable
 than it would use comparable non-medical information.
 (B) A consumer meets with a loan officer of a creditor to apply for
 a mortgage loan. While filling out the loan application, the consumer
 informs the loan officer orally that she has a potentially terminal
 disease. The consumer meets the creditor's established requirements for
 the requested mortgage. The loan officer recommends to the credit
 committee that the consumer be denied credit because the consumer has
 that disease. The creditor has used medical information in a manner
 inconsistent with the exception by taking into account the consumer's
 physical, mental, or behavioral health, condition, or history, type of
 treatment, or prognosis as part of a determination of eligibility or
 continued eligibility for credit.
 (d) Specific exceptions for obtaining and using medical
 information. (1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit--
 (i) To determine whether the use of a power of attorney or legal
 representative is necessary and appropriate;
 (ii) To comply with applicable requirements of local, state, or
 federal laws;
 (iii) To the extent such information is included in a consumer
 report from a consumer reporting agency, in accordance with 15 U.S.C.
 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
 provided specific written consent;
 (iv) For purposes of fraud prevention and detection;
 (v) In the case of credit for the purpose of financing medical
 products or services, to determine and verify the medical purpose of a
 loan and the use of proceeds;
 (vi) If the consumer or the consumer's legal representative
 requests in writing, on a separate form signed by the consumer or the
 consumer's legal representative that the creditor use specific medical
 information for a specific purpose in determining the consumer's
 eligibility, or continued eligibility, for credit, to accommodate the
 consumer's particular circumstances. The signed written request must
 describe the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used; or
 (vii) As otherwise permitted by order of the Board.
 (2) Examples of determining the medical purpose of the loan or the
 use of proceeds. (i) If a consumer applies for $10,000 of credit for
 the purpose of financing vision correction surgery, the creditor may
 confirm the consumer's medical eligibility to undergo that procedure
 with the surgeon. If the surgeon reports that surgery will not be
 [[Page 23402]] performed on the consumer, the creditor may use that medical information to deny the consumer's application for credit, because
              the
 loan would not be used for the stated purpose.
 (ii) If a consumer applies for $10,000 of credit for the purpose of
 financing cosmetic surgery, the creditor may confirm the cost of the
 procedure with the surgeon. If the surgeon reports that the cost of the
 procedure is $5,000, the creditor may use that medical information to
 offer the consumer only $5,000 of credit.
 (iii) A creditor has an established medical loan program for
 financing particular elective surgical procedures. The creditor
 receives a loan application from a consumer requesting $10,000 of
 credit under the established loan program for an elective surgical
 procedure. The consumer indicates on the application that the purpose
 of the loan is to finance an elective surgical procedure not eligible
 for funding under the guidelines of the established loan program. The
 creditor may deny the consumer's application because the purpose of the
 loan is not for a particular procedure funded by the established loan
 program.
 (3) Examples of obtaining and using medical information at the
 request of the consumer. Consistent with safe and sound practices, and
 after obtaining from the consumer a signed, written document that
 describes the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used, the creditor may obtain and use the specific medical
 information for the specific purpose specified in the request:
 (i) If a consumer applies for a loan and requests that the creditor
 consider the consumer's medical disability at the relevant time as an
 explanation for adverse payment history information in his credit
 report, the creditor may consider such medical information in
 evaluating the consumer's willingness and ability to repay the
 requested loan.
 (ii) If a consumer applies for a loan and explains that his income
 has been and will continue to be interrupted on account of a medical
 condition and that he expects to repay the loan from liquidation of
 assets, the creditor may evaluate the application using the sale of
 assets as the primary source of repayment.
 (e) Limits on redisclosure of information. If you receive medical
 information about a consumer from a consumer reporting agency or your
 affiliate, you must not disclose that information to any other person,
 except as necessary to carry out the purpose for which the information
 was initially disclosed, or as otherwise permitted by statute,
 regulation, or order.
 Sec. 334.31 Sharing medical information with affiliates.
  (a) In general. The exclusions from the term ``consumer report''
            in section 603(d)(2) of the Act that allow the sharing of information
            with
 affiliates do not apply if you communicate to an affiliate--
 (1) Medical information;
 (2) An individualized list or description based on the payment
 transactions of the consumer for medical products or services; or
 (3) An aggregate list of identified consumers based on payment
 transactions for medical products or services.
 (b) Exceptions. You may rely on the exclusions from the term
 ``consumer report'' in section 603(d)(2) of the Act to communicate the
 information in paragraph (a) to an affiliate--
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 regulations promulgated by the Department of Health and Human Services
 pursuant to the Health Insurance Portability and Accountability Act of
 1996 (HIPAA);
 (3) For any purpose referred to in section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act;
 (5) In connection with a determination of the consumer's
 eligibility, or continued eligibility, for credit consistent with Sec.
 334.30 of this part; or
 (6) As otherwise permitted by order of the Board.
 Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance  For the reasons set forth in the joint preamble, the Office of Thrift Supervision proposes to amend chapter V of title 12 of the
              Code
 of Federal Regulations by adding a new part 571 to read as follows:
 PART 571--FAIR CREDIT REPORTING Subpart A--General ProvisionsSec.
 571.1 Purpose, scope, and effective dates.
 571.2 Examples.
 571.3 Definitions.
 Subpart B--[Reserved]
 Subpart C--[Reserved]
 Subpart D--Medical Information
 571.30 Obtaining or using medical information in connection with
            a
 determination of eligibility for credit.
 571.31 Sharing medical information with affiliates.
  Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).
 Subpart A--General Provisions Sec. 571.1 Purpose, scope, and effective dates.
  (a) [Reserved](b) Scope.
 (1) [Reserved]
 (2) Institutions covered. (i) Except as otherwise provided in this
 paragraph (b)(2), this part applies to savings associations whose
 deposits are insured by the Federal Deposit Insurance Corporation (and
 federal savings association operating subsidiaries in accordance with
 Sec. 559.3(h)(1) of this chapter).
 (ii) [Reserved]
 (iii) Section 571.30(a)-(d) of this part applies to creditors, as
 defined in Sec. 571.30(a)(2), that are savings associations or their
 subsidiaries, savings and loan holding companies, or affiliates of
 savings associations or savings and loan holding companies other than
 bank holding companies, banks, or subsidiaries of bank holding
 companies or banks.
 Sec. 571.2 Examples.
  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this
 part. Examples in a paragraph illustrate only the issue described
            in
 the paragraph and do not illustrate any other issue that may arise
            in
 this part.
 Sec. 571.3 Definitions.
  As used in this part, unless the context requires otherwise:(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
 seq.).
 (b) Affiliate means any company that controls, is controlled by, or
 is under common control with another company.
 (c) [Reserved]
 (d) Company means any corporation, limited liability company,
 business trust, general or limited partnership, association, or similar
 organization.
 (e) Consumer means an individual.
 (f) [Reserved]
 (g) [Reserved]
 (h) [Reserved]
 [[Page 23403]]  (i) Control of a company means:(1) Ownership, control, or power to vote 25 percent or more of the
 outstanding shares of any class of voting security of the company,
 directly or indirectly, or acting through one or more other persons;
 (2) Control in any manner over the election of a majority of the
 directors, trustees, or general partners (or individuals exercising
 similar functions) of the company; or
 (3) The power to exercise, directly or indirectly, a controlling
 influence over the management or policies of the company, as OTS
 determines.
 (j) [Reserved]
 (k) Medical information means:
 (1) Information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to--
 (i) The past, present, or future physical, mental, or behavioral
 health or condition of an individual;
 (ii) The provision of health care to an individual; or
 (iii) The payment for the provision of health care to an
 individual.
 (2) The term does not include:
 (i) The age or gender of a consumer;
 (ii) Demographic information about the consumer, including a
 consumer's residence address or e-mail address; or
 (iii) Any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 (l)-(n) [Reserved]
 (o) You means savings associations whose deposits are insured by
 the Federal Deposit Insurance Corporation (and federal savings
 association operating subsidiaries in accordance with Sec. 559.3(h)(1)
 of this chapter).
 Subpart B--[Reserved] Subpart C--[Reserved] Subpart D--Medical Information Sec. 571.30 Obtaining or using medical information in connection
              with
 a determination of eligibility for credit.
  (a) General prohibition on obtaining or using medical information--(1) In general. A creditor may not obtain or use medical information
 pertaining to a consumer in connection with any determination of
            the
 consumer's eligibility, or continued eligibility, for credit, except
            as
 provided in this subpart.
 (2) Definitions as used in this subpart--(i) Eligibility, or
 continued eligibility, for credit means the consumer's qualification or
 fitness to receive, or continue to receive, credit, including the terms
 on which credit is offered, primarily for personal, family, or
 household purposes. The term does not include:
 (A) The consumer's qualification or fitness to be offered
 employment, insurance products, or other non-credit products or
 services;
 (B) Any determination of whether the provisions of a debt
 cancellation contract, debt suspension agreement, credit insurance
 product, or similar forbearance practice or program are triggered;
 (C) Authorizing, processing, or documenting a payment or
 transaction on behalf of the consumer in a manner that does not involve
 a determination of the consumer's eligibility, or continued
 eligibility, for credit; or
 (D) Maintaining or servicing the consumer's account in a manner
 that does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 (ii) Creditor has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (iii) Credit has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (b) Rule of construction for receiving unsolicited medical
 information--(1) In general. A creditor does not obtain medical
 information for purposes of paragraph (a)(1) of this section if it--
 (i) Receives medical information pertaining to a consumer in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit without specifically requesting
 medical information; and
 (ii) Does not use that information in determining whether to extend
 or continue to extend credit to the consumer and the terms on which
 credit is offered or continued.
 (2) Examples of receiving unsolicited medical information. A
 creditor receives unsolicited medical information if, for example:
 (i) In response to a general question regarding a consumer's debts
 or expenses, the creditor receives information that the consumer has a
 particular medical condition and does not use that information in
 determining whether to extend credit to the consumer or the terms on
 which credit is offered.
 (ii) In conversation with the loan officer, the consumer informs
 the creditor that the consumer has a particular medical condition, and
 the creditor does not use that information in determining whether to
 extend credit to the consumer or the terms on which credit is offered.
 (c) Financial information exception for obtaining and using medical
 information--(1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit so long as:
 (i) The information relates to debts, expenses, income, benefits,
 collateral, or the purpose of the loan, including the use of proceeds;
 (ii) The creditor uses the medical information in a manner and to
 an extent that is no less favorable than it would use comparable
 information that is not medical information in a credit transaction;
 and
 (iii) The creditor does not take the consumer's physical, mental,
 or behavioral health, condition or history, type of treatment, or
 prognosis into account as part of any such determination.
 (2) Examples--(i) Examples of information related to debts,
 expenses, income, benefits, collateral, or the purpose of the loan.
 Paragraph (c)(1)(i) of this section permits a creditor, for example, to
 obtain and use information about:
 (A) The dollar amount, repayment terms, repayment history, and
 similar information regarding medical debts that is used to calculate,
 measure, or verify the repayment ability of the consumer, the use of
 proceeds, or the terms for granting credit;
 (B) The value, condition, and lien status of a medical device that
 is used as collateral to secure a loan;
 (C) The dollar amount and continued eligibility for disability
 income or benefits related to health or a medical condition that is
 relied on as a source of repayment; or
 (D) The identity of creditors to whom outstanding medical debts are
 owed in connection with an application for credit, including but not
 limited to a transaction involving the consolidation of medical debts.
 (ii) Examples of uses of medical information consistent with the
 exception. (A) A consumer includes on an application for credit
 information about two $20,000 debts. One debt is to a hospital; the
 other debt is to a retailer. The creditor contacts the hospital and the
 retailer to verify the amount and payment status of the debts. The
 creditor learns that both debts are more than 90 days past due. Any two
 debts of this size that are past due would disqualify the consumer
 under the creditor's established underwriting criteria. The creditor
 denies the
 [[Page 23404]] application on the basis that the consumer has a poor repayment
            history on outstanding debts. The creditor has used medical information in
            a
 manner and to an extent no less favorable than it would use comparable
 non-medical information.
 (B) A consumer indicates on an application for a $200,000 mortgage
 loan that she receives $15,000 in long-term disability income each year
 from her former employer and has no other income. Annual income of
 $15,000, regardless of source, would not be sufficient to support the
 requested amount of credit. The creditor denies the application on the
 basis that the projected debt-to-income ratio of the consumer does not
 meet the creditor's underwriting criteria. The creditor has used
 medical information in a manner and to an extent that is no less
 favorable than it would use comparable non-medical information.
 (C) A consumer includes on an application for a $10,000 home equity
 loan that he has a $50,000 debt to a medical facility that specializes
 in treating a potentially terminal disease. The creditor contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan. The creditor learns that the debt is
 current and that the applicant meets the income requirements of the
 creditor's underwriting guidelines. The creditor grants the
 application. The creditor has used medical information in accordance
 with the exception.
 (iii) Examples of uses of medical information inconsistent with the
 exception.
 (A) A consumer applies for $25,000 of credit and includes on the
 application information about a $50,000 debt to a hospital. The
 creditor contacts the hospital to verify the amount and payment status
 of the debt, and learns that the debt is current and that the consumer
 has no delinquencies in her repayment history. If the existing debt
 were instead owed to a home furnishing retailer, the creditor would
 approve the application and extend credit based on the amount and
 repayment history of the outstanding debt. The creditor, however,
 denies the application because the consumer is indebted to a hospital.
 The creditor has used medical information, here the identity of the
 medical creditor, in a manner and to an extent that is less favorable
 than it would use comparable non-medical information.
 (B) A consumer meets with a loan officer of a creditor to apply for
 a mortgage loan. While filling out the loan application, the consumer
 informs the loan officer orally that she has a potentially terminal
 disease. The consumer meets the creditor's established requirements for
 the requested mortgage. The loan officer recommends to the credit
 committee that the consumer be denied credit because the consumer has
 that disease. The creditor has used medical information in a manner
 inconsistent with the exception by taking into account the consumer's
 physical, mental, or behavioral health, condition, or history, type of
 treatment, or prognosis as part of a determination of eligibility or
 continued eligibility for credit.
 (d) Specific exceptions for obtaining and using medical
 information--(1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit--
 (i) To determine whether the use of a power of attorney or legal
 representative is necessary and appropriate;
 (ii) To comply with applicable requirements of local, State, or
 Federal laws;
 (iii) To the extent such information is included in a consumer
 report from a consumer reporting agency, in accordance with 15 U.S.C.
 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
 provided specific written consent;
 (iv) For purposes of fraud prevention and detection;
 (v) In the case of credit for the purpose of financing medical
 products or services, to determine and verify the medical purpose of a
 loan and the use of proceeds;
 (vi) If the consumer or the consumer's legal representative
 requests in writing, on a separate form signed by the consumer or the
 consumer's legal representative that the creditor use specific medical
 information for a specific purpose in determining the consumer's
 eligibility, or continued eligibility, for credit, to accommodate the
 consumer's particular circumstances. The signed written request must
 describe the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used; or
 (vii) As otherwise permitted by order of the Director of OTS.
 (2) Examples of determining the medical purpose of the loan or the
 use of proceeds. (i) If a consumer applies for $10,000 of credit for
 the purpose of financing vision correction surgery, the creditor may
 confirm the consumer's medical eligibility to undergo that procedure
 with the surgeon. If the surgeon reports that surgery will not be
 performed on the consumer, the creditor may use that medical
 information to deny the consumer's application for credit, because the
 loan would not be used for the stated purpose.
 (ii) If a consumer applies for $10,000 of credit for the purpose of
 financing cosmetic surgery, the creditor may confirm the cost of the
 procedure with the surgeon. If the surgeon reports that the cost of the
 procedure is $5,000, the creditor may use that medical information to
 offer the consumer only $5,000 of credit.
 (iii) A creditor has an established medical loan program for
 financing particular elective surgical procedures. The creditor
 receives a loan application from a consumer requesting $10,000 of
 credit under the established loan program for an elective surgical
 procedure. The consumer indicates on the application that the purpose
 of the loan is to finance an elective surgical procedure not eligible
 for funding under the guidelines of the established loan program. The
 creditor may deny the consumer's application because the purpose of the
 loan is not for a particular procedure funded by the established loan
 program.
 (3) Examples of obtaining and using medical information at the
 request of the consumer. Consistent with safe and sound practices, and
 after obtaining from the consumer a signed, written document that
 describes the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used, the creditor may obtain and use the specific medical
 information for the specific purpose specified in the request:
 (i) If a consumer applies for a loan and requests that the creditor
 consider the consumer's medical disability at the relevant time as an
 explanation for adverse payment history information in his credit
 report, the creditor may consider such medical information in
 evaluating the consumer's willingness and ability to repay the
 requested loan.
 (ii) If a consumer applies for a loan and explains that his income
 has been and will continue to be interrupted on account of a medical
 condition and that he expects to repay the loan from liquidation of
 assets, the creditor may evaluate the application using the sale of
 assets as the primary source of repayment.
 (e) Limits on redisclosure of information. If you receive medical
 information about a consumer from a consumer reporting agency or your
 affiliate, you must not disclose that
 [[Page 23405]] information to any other person, except as necessary to carry out
            the purpose for which the information was initially disclosed, or as
 otherwise permitted by statute, regulation, or order.
 Sec. 571.31 Sharing medical information with affiliates.
  (a) In general. The exclusions from the term ``consumer report''
            in section 603(d)(2) of the Act that allow the sharing of information
            with
 affiliates do not apply if you communicate to an affiliate--
 (1) Medical information;
 (2) An individualized list or description based on the payment
 transactions of the consumer for medical products or services; or
 (3) An aggregate list of identified consumers based on payment
 transactions for medical products or services.
 (b) Exceptions. You may rely on the exclusions from the term
 ``consumer report'' in section 603(d)(2) of the Act to communicate the
 information in paragraph (a) of this section to an affiliate--
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 regulations promulgated by the Department of Health and Human Services
 pursuant to the Health Insurance Portability and Accountability Act of
 1996 (HIPAA);
 (3) For any purpose referred to in section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act;
 (5) In connection with a determination of the consumer's
 eligibility, or continued eligibility, for credit consistent with Sec.
 571.30 of this part; or
 (6) As otherwise permitted by order of the Director of OTS.
 National Credit Union Administration  For the reasons set out in the preamble, it is proposed that 12
            CFR chapter VII be amended by adding a new part 717 to read as follows:
 PART 717--FAIR CREDIT REPORTING Subpart A--General ProvisionsSec.
 Sec. 717.1 Purpose, scope, and effective dates.
 Sec. 717.2 Examples.
 Sec. 717.3 Definitions.
 Subpart B--[Reserved]
 Subpart C--[Reserved]
 Subpart D--Medical Information
 717.30 Obtaining or using medical information in connection with
            a
 determination of eligibility for credit.
 717.31 Sharing medical information with affiliates.
  Authority: 15 U.S.C. 1681b and 1681s. Subpart A--General Provisions Sec. 717.1 Purpose, scope, and effective dates.
  (a) [Reserved](b) Scope.
 (1) [Reserved]
 (2) Institutions covered. These regulations apply to federal credit
 unions.
 Sec. 717.2 Examples.
  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this
 part. Examples in a paragraph illustrate only the issue described
            in
 the paragraph and do not illustrate any other issue that may arise
            in
 this part.
 Sec. 717.3 Definitions.
  As used in this part, unless the context requires otherwise:(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
 seq.).
 (b) Affiliate means any company that controls, is controlled by, or
 is under common control with another company. For example, an affiliate
 of a federal credit union is a credit union service organization
 (CUSO), as provided in 12 CFR part 712, that is controlled by the
 federal credit union.
 (c) [Reserved]
 (d) Company means any corporation, limited liability company,
 business trust, general or limited partnership, association, or similar
 organization.
 (e) Consumer means an individual.
 (f) [Reserved]
 (g) [Reserved]
 (h) [Reserved]
 (i) Control of a company means:
 (1) Ownership, control, or power to vote 25 percent or more of the
 outstanding shares of any class of voting security of the company,
 directly or indirectly, or acting through one or more other persons;
 (2) Control in any manner over the election of a majority of the
 directors, trustees, or general partners (or individuals exercising
 similar functions) of the company; or
 (3) The power to exercise, directly or indirectly, a controlling
 influence over the management or policies of the company, as the Board
 determines.
 (4) Example. NCUA will presume a credit union has a controlling
 influence over the management or policies of a CUSO, if the CUSO is 67%
 owned by credit unions.
 (j) [Reserved]
 (k) Medical information means:
 (1) Information or data, whether oral or recorded, in any form or
 medium, created by or derived from a health care provider or the
 consumer, that relates to--
 (i) The past, present, or future physical, mental, or behavioral
 health or condition of an individual;
 (ii) The provision of health care to an individual; or
 (iii) The payment for the provision of health care to an
 individual.
 (2) The term does not include:
 (i) The age or gender of a consumer;
 (ii) Demographic information about the consumer, including a
 consumer's residence address or e-mail address; or
 (iii) Any other information about a consumer that does not relate
 to the physical, mental, or behavioral health or condition of a
 consumer, including the existence or value of any insurance policy.
 (l) [Reserved]
 (m) [Reserved]
 (n) [Reserved]
 (o) You means a federal credit union.
 Subpart B--[Reserved] Subpart C--[Reserved] Subpart D--Medical Information Sec. 717.30 Obtaining or using medical information in connection
              with
 a determination of eligibility for credit.
  (a) General prohibition on obtaining or using medical information--(1) In general. A creditor may not obtain or use medical information
 pertaining to a consumer in connection with any determination of
            the
 consumer's eligibility, or continued eligibility, for credit, except
            as
 provided in this subpart.
 (2) Definitions as used in this subpart--(i) Eligibility, or
 continued eligibility, for credit means the consumer's qualification or
 fitness to receive, or continue to receive, credit, including the terms
 on which credit is offered, primarily for personal, family, or
 household purposes. The term does not include:
 (A) The consumer's qualification or fitness to be offered
 employment, insurance products, or other non-credit products or
 services;
 (B) Any determination of whether the provisions of a debt
 cancellation contract, debt suspension agreement,
 [[Page 23406]] credit insurance product, or similar forbearance practice or program are triggered;
 (C) Authorizing, processing, or documenting a payment or
 transaction on behalf of the consumer in a manner that does not involve
 a determination of the consumer's eligibility, or continued
 eligibility, for credit; or
 (D) Maintaining or servicing the consumer's account in a manner
 that does not involve a determination of the consumer's eligibility, or
 continued eligibility, for credit.
 (ii) Creditor has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (iii) Credit has the same meaning as in section 702 of the Equal
 Credit Opportunity Act, 15 U.S.C. 1691a.
 (b) Rule of construction for receiving unsolicited medical
 information--(1) In general. A creditor does not obtain medical
 information for purposes of paragraph (a)(1) of this section if it--
 (i) Receives medical information pertaining to a consumer in
 connection with any determination of the consumer's eligibility, or
 continued eligibility, for credit without specifically requesting
 medical information; and
 (ii) Does not use that information in determining whether to extend
 or continue to extend credit to the consumer and the terms on which
 credit is offered or continued.
 (2) Examples of receiving unsolicited medical information. A
 creditor receives unsolicited medical information if, for example:
 (i) In response to a general question regarding a consumer's debts
 or expenses, the creditor receives information that the consumer has a
 particular medical condition and does not use that information in
 determining whether to extend credit to the consumer or the terms on
 which credit is offered.
 (ii) In conversation with the loan officer, the consumer informs
 the creditor that the consumer has a particular medical condition, and
 the creditor does not use that information in determining whether to
 extend credit to the consumer or the terms on which credit is offered.
 (c) Financial information exception for obtaining and using medical
 information--
 (1) In general. A creditor may obtain and use medical information
 pertaining to a consumer in connection with any determination of the
 consumer's eligibility, or continued eligibility, for credit so long
 as:
 (i) The information relates to debts, expenses, income, benefits,
 collateral, or the purpose of the loan, including the use of proceeds;
 (ii) The creditor uses the medical information in a manner and to
 an extent that is no less favorable than it would use comparable
 information that is not medical information in a credit transaction;
 and
 (iii) The creditor does not take the consumer's physical, mental,
 or behavioral health, condition or history, type of treatment, or
 prognosis into account as part of any such determination.
 (2) Examples--(i) Examples of information related to debts,
 expenses, income, benefits, collateral, or the purpose of the loan.
 Paragraph (c)(1)(i) of this section permits a creditor, for example, to
 obtain and use information about:
 (A) The dollar amount, repayment terms, repayment history, and
 similar information regarding medical debts that is used to calculate,
 measure, or verify the repayment ability of the consumer, the use of
 proceeds, or the terms for granting credit;
 (B) The value, condition, and lien status of a medical device that
 is used as collateral to secure a loan;
 (C) The dollar amount and continued eligibility for disability
 income or benefits related to health or a medical condition that is
 relied on as a source of repayment; or
 (D) The identity of creditors to whom outstanding medical debts are
 owed in connection with an application for credit, including but not
 limited to a transaction involving the consolidation of medical debts.
 (ii) Examples of uses of medical information consistent with the
 exception. (A) A consumer includes on an application for credit
 information about two $20,000 debts. One debt is to a hospital; the
 other debt is to a retailer. The creditor contacts the hospital and the
 retailer to verify the amount and payment status of the debts. The
 creditor learns that both debts are more than 90 days past due. Any two
 debts of this size that are past due would disqualify the consumer
 under the creditor's established underwriting criteria. The creditor
 denies the application on the basis that the consumer has a poor
 repayment history on outstanding debts. The creditor has used medical
 information in a manner and to an extent no less favorable than it
 would use comparable non-medical information.
 (B) A consumer indicates on an application for a $200,000 mortgage
 loan that she receives $15,000 in long-term disability income each year
 from her former employer and has no other income. Annual income of
 $15,000, regardless of source, would not be sufficient to support the
 requested amount of credit. The creditor denies the application on the
 basis that the projected debt-to-income ratio of the consumer does not
 meet the creditor's underwriting criteria. The creditor has used
 medical information in a manner and to an extent that is no less
 favorable than it would use comparable non-medical information.
 (C) A consumer includes on an application for a $10,000 home equity
 loan that he has a $50,000 debt to a medical facility that specializes
 in treating a potentially terminal disease. The creditor contacts the
 medical facility to verify the debt and obtain the repayment history
 and current status of the loan. The creditor learns that the debt is
 current and that the applicant meets the income requirements of the
 creditor's underwriting guidelines. The creditor grants the
 application. The creditor has used medical information in accordance
 with the exception.
 (iii) Examples of uses of medical information inconsistent with the
 exception.
 (A) A consumer applies for $25,000 of credit and includes on the
 application information about a $50,000 debt to a hospital. The
 creditor contacts the hospital to verify the amount and payment status
 of the debt, and learns that the debt is current and that the consumer
 has no delinquencies in her repayment history. If the existing debt
 were instead owed to a home furnishing retailer, the creditor would
 approve the application and extend credit based on the amount and
 repayment history of the outstanding debt. The creditor, however,
 denies the application because the consumer is indebted to a hospital.
 The creditor has used medical information, here the identity of the
 medical creditor, in a manner and to an extent that is less favorable
 than it would use comparable non-medical information.
 (B) A consumer meets with a loan officer of a creditor to apply for
 a mortgage loan. While filling out the loan application, the consumer
 informs the loan officer orally that she has a potentially terminal
 disease. The consumer meets the creditor's established requirements for
 the requested mortgage. The loan officer recommends to the credit
 committee that the consumer be denied credit because the consumer has
 that disease. The creditor has used medical information in a manner
 inconsistent with the exception by taking into account the consumer's
 physical, mental, or behavioral health, condition, or history, type of
 treatment, or
 [[Page 23407]] prognosis as part of a determination of eligibility or continued eligibility for credit.
 (d) Specific exceptions for obtaining and using medical
 information--(1) In general. A creditor may obtain and use medical
 information pertaining to a consumer in connection with any
 determination of the consumer's eligibility, or continued eligibility,
 for credit--
 (i) To determine whether the use of a power of attorney or legal
 representative is necessary and appropriate;
 (ii) To comply with applicable requirements of local, state, or
 federal laws;
 (iii) To the extent such information is included in a consumer
 report from a consumer reporting agency, in accordance with 15 U.S.C.
 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
 provided specific written consent;
 (iv) For purposes of fraud prevention and detection;
 (v) In the case of credit for the purpose of financing medical
 products or services, to determine and verify the medical purpose of a
 loan and the use of proceeds;
 (vi) If the consumer or the consumer's legal representative
 requests in writing, on a separate form signed by the consumer or the
 consumer's legal representative that the creditor use specific medical
 information for a specific purpose in determining the consumer's
 eligibility, or continued eligibility, for credit, to accommodate the
 consumer's particular circumstances. The signed written request must
 describe the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used; or
 (vii) As otherwise permitted by order of the NCUA.
 (2) Examples of determining the medical purpose of the loan or the
 use of proceeds. (i) If a consumer applies for $10,000 of credit for
 the purpose of financing vision correction surgery, the creditor may
 confirm the consumer's medical eligibility to undergo that procedure
 with the surgeon. If the surgeon reports that surgery will not be
 performed on the consumer, the creditor may use that medical
 information to deny the consumer's application for credit, because the
 loan would not be used for the stated purpose.
 (ii) If a consumer applies for $10,000 of credit for the purpose of
 financing cosmetic surgery, the creditor may confirm the cost of the
 procedure with the surgeon. If the surgeon reports that the cost of the
 procedure is $5,000, the creditor may use that medical information to
 offer the consumer only $5,000 of credit.
 (iii) A creditor has an established medical loan program for
 financing particular elective surgical procedures. The creditor
 receives a loan application from a consumer requesting $10,000 of
 credit under the established loan program for an elective surgical
 procedure. The consumer indicates on the application that the purpose
 of the loan is to finance an elective surgical procedure not eligible
 for funding under the guidelines of the established loan program. The
 creditor may deny the consumer's application because the purpose of the
 loan is not for a particular procedure funded by the established loan
 program.
 (3) Examples of obtaining and using medical information at the
 request of the consumer. Consistent with safe and sound practices, and
 after obtaining from the consumer a signed, written document that
 describes the specific medical information that the consumer requests
 the creditor to use and the specific purpose for which the information
 will be used, the creditor may obtain and use the specific medical
 information for the specific purpose specified in the request:
 (i) If a consumer applies for a loan and requests that the creditor
 consider the consumer's medical disability at the relevant time as an
 explanation for adverse payment history information in his credit
 report, the creditor may consider such medical information in
 evaluating the consumer's willingness and ability to repay the
 requested loan.
 (ii) If a consumer applies for a loan and explains that his income
 has been and will continue to be interrupted on account of a medical
 condition and that he expects to repay the loan from liquidation of
 assets, the creditor may evaluate the application using the sale of
 assets as the primary source of repayment.
 (e) Limits on redisclosure of information. If you receive medical
 information about a consumer from a consumer reporting agency or your
 affiliate, you must not disclose that information to any other person,
 except as necessary to carry out the purpose for which the information
 was initially disclosed, or as otherwise permitted by statute,
 regulation, or order.
 Sec. 717.31 Sharing medical information with affiliates.
  (a) In general. The exclusions from the term ``consumer report''
            in section 603(d)(2) of the Act that allow the sharing of information
            with
 affiliates do not apply if you communicate to an affiliate--
 (1) Medical information;
 (2) An individualized list or description based on the payment
 transactions of the consumer for medical products or services; or
 (3) An aggregate list of identified consumers based on payment
 transactions for medical products or services.
 (b) Exceptions. You may rely on the exclusions from the term
 ``consumer report'' in section 603(d)(2) of the Act to communicate the
 information in paragraph (a) to an affiliate--
 (1) In connection with the business of insurance or annuities
 (including the activities described in section 18B of the model Privacy
 of Consumer Financial and Health Information Regulation issued by the
 National Association of Insurance Commissioners, as in effect on
 January 1, 2003);
 (2) For any purpose permitted without authorization under the
 regulations promulgated by the Department of Health and Human Services
 pursuant to the Health Insurance Portability and Accountability Act of
 1996 (HIPAA);
 (3) For any purpose referred to in section 1179 of HIPAA;
 (4) For any purpose described in section 502(e) of the Gramm-Leach-
 Bliley Act;
 (5) In connection with a determination of the consumer's
 eligibility, or continued eligibility, for credit consistent with Sec.
 717.30 of this part; or
 (6) As otherwise permitted by order of the NCUA.
  Dated: April 16, 2004.John D. Hawke, Jr.,
 Comptroller of the Currency.
  By order of the Board of Governors of the Federal Reserve System, April 22, 2004.
 Jennifer J. Johnson,
 Secretary of the Board.
  Dated at Washington, DC, the 6th day of April, 2004.  By order of the Board of Directors. Federal Deposit Insurance Corporation.Robert E. Feldman,
 Executive Secretary.
  Dated: April 6, 2004.  By the Office of Thrift Supervision.James E. Gilleran,
 Director.
  By the National Credit Union Administration Board on April 8, 2004.
 Becky Baker,
 Secretary of the Board.
 [FR Doc. 04-9526 Filed 4-27-04; 8:45 am]
 BILLING CODE 4810-33-P; 6210-01-P; 6714-10-P; 6720-01-P; 7535-01-P
               |