Consumer Coalition for Health Privacy
May 28, 2004
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation (FDIC)
550 17th Street, NW
Washington, DC 20429
Dear Executive Secretary Robert Feldman,
On behalf of the Consumer Coalition for Health Privacy (CCHP), the
Health Privacy Project is submitting comments on the proposed Fair
Credit Reporting Medical Information Regulations. The Health Privacy
Project is a 501(c)(3) nonprofit organization dedicated to raising
awareness of the importance of ensuring health privacy in order to
improve health care access and quality, both on an individual and
community level. The Consumer Coalition for Health Privacy is a diverse
network of patient, disability and consumer advocacy organizations
actively engaged in the national and local debate on health privacy.
Member organizations signing onto these comments are: the Bazelon Center
for Mental Health Law, the National Organization for Rare Disorders, the
Women's Cancer Advocacy Network (WCAN), Citizen Action of New York, and
the National Coordinating Committee for Multiemployer Plans. A complete
list of coalition participants, as well as resources about health
privacy, is available at the Health Privacy Project’s website.
Background:
The Fair and Accurate Credit Transactions Act (FACT Act) creates new
restrictions on the manner in which creditors, such as banks and credit
unions, can obtain and use medical information. It does this through
amending the Fair Credit Reporting Act (FCRA). Generally, the FACT Act
prohibits creditors from obtaining or using medical information
pertaining to a consumer in connection with any determination of the
consumer’s eligibility, or continued eligibility, for credit. Creditors
may, however, obtain and use medical information for these purposes to
the extent the federal banking regulators determine it is necessary and
appropriate to protect legitimate operational, transactional, risk,
consumer, and other needs. The regulators are to make this determination
consistent with Congressional intent to restrict the use of medical
information for inappropriate purposes.
Additionally, the FACT Act adds a new section to the FCRA which
restricts the sharing of medical-related information with affiliates if
that information otherwise meets the definition of “consumer report” in the
FCRA. Generally, certain information (such as transaction or experience
information) that is shared among affiliates is not considered to be a
consumer report under the FCRA. The new section provides, however, that
if this information is medical-related information, the
affiliate-sharing exception will not apply and the information will be
considered to be a consumer report. Medical-related information includes
medical information, as defined in the FACT Act, as well as other lists
based on payment transactions for medical products and services.
The new section also provides several specific exceptions that allow
creditors to disclose medical information to affiliates according to the
same rules that apply to other non-medical information. The section also
permits the federal banking Agencies to determine, by order or
regulation, that other exceptions are necessary and appropriate.
General Comments
The proposed rule creates exceptions to the general prohibition
against using and obtaining medical information and is generally
consumer oriented. We encourage the Agencies to continue this framework
as it is in conformity with Congressional intent to restrict the use of
medical information for making credit decisions to only those purposes
that are truly necessary and appropriate.
The Agencies seek comments on whether any additional or different
exceptions should be included in the final regulation. We believe the
proposed exceptions are sufficient to protect legitimate operational,
transactional, risk and other needs consistent with Congressional
intent.
In Congressional hearings leading up to the passage of the FACT Act,
representatives of the industry repeatedly took the position that banks
did not request and did not use medical information for consumer credit
purposes. There was no substantive discussion of when the use of medical
information for consumer credit decisions might be appropriate and
necessary. Thus, consumers entered this rule-making procedure with
little knowledge of when banks actually use medical information in
making credit decisions and whether such use might be appropriate.
Through the initial proposed regulation, consumers have been given
the first real opportunity to learn about some of the actual
circumstances where medical information is used in making consumer
credit decisions. Should additional exceptions be recommended in
comments to the proposed rule, consumers should be given the specific
opportunity to respond to and comment on those recommendations prior to
the finalization of the rule.
We would like to point out that the comment period for these proposed
rules is deficient to the extent that the proposed rule (as well as the
Act) refers to the model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association of Insurance
Commissioners, as in effect on January 1, 2003. That model regulation is
not readily available to the public. The NAIC only sells copies of the
regulation. It is essential that the Agencies make a copy of that
regulation available to the public at no cost so that the public will
have an opportunity to read, understand, and comment upon the
consequences.
The Agencies should also be aware that provisions (no matter how
limited) that allow creditors to obtain and use medical information have
the potential to create a new form of consumer reporting that focuses
exclusively on health information. The justification for collecting
health information on all consumers would be that the information can be
used in some instances, as the final regulation will demonstrate. Those
with an incentive to collect health information might well be beyond the
scope of existing regulation and may be able to use the information for
other purposes. It would be an extremely unfortunate result if a
provision intended to allow extremely narrow use of medical information
ended up creating a new, massively invasive consumer reporting activity
for that information. The Agencies should be aware of this possibility,
and they should take steps wherever possible to prevent or discourage
creditors from obtaining medical information from new or unregulated
sources.
Comments on Specific Sections
I. SEC .3
DEFINITIONS
Definition of “medical information”
The proposed rule defines “medical information” as information or
data, whether oral or recorded, in any form or medium, created by or
derived from a health care provider or the consumer, that relates to (1)
the past, present, or future physical, mental, or behavioral health or
condition of an individual; (2) the provision of health care to an
individual; or (3) the payment for the provision of health care to an
individual. The term “medical information” does not include the age or
gender of a consumer, demographic information about the consumer,
including a consumer’s residence address or e-mail address, or any other
information about a consumer that does not relate to the physical,
mental, or behavioral health or condition of a consumer. The proposal
tracks the statutory definition of “medical information.”
This definition should be maintained. By tracking the statutory
definition, the regulatory provision closely adheres to Congressional
intent to give broad protection to medical information.
We believe that it would be inappropriate to exclude from the
definition of “medical information,” information related to medical
debts that has been coded in accordance with section 604(g)(1)(C) so
that it does not reveal the specific identity of the provider or medical
service rendered. Such an approach is not supported by the Act. Coded
information still reveals that the consumer has a medically-related
debt. The fact that a consumer has medically-related debt constitutes
information that relates to “the payment for the provision of health
care to an individual,” under the statutory definition. Removing coded
information from the definition would be an inappropriate narrowing of
the statutory definition. Moreover, removing coded information from the
definition of “medical information” would effectively remove it from the
anti-discrimination protections afforded in proposed section .30(c). The
result would be that creditors would be permitted to treat medical debt
differently than non-medical debt. This would be contrary to
Congressional intent.
Recommendation: Retain the proposed definition of medical
information.
II. SEC. __.30(A)
GENERAL PROHIBITION ON OBTAINING AND USING MEDICAL INFORMATION IN
CONNECTION WITH A DETERMINATION OF ELIGIBILITY FOR
CREDIT
A. Sec. __.30(a) General Prohibition
The proposed regulation contains a general prohibition on obtaining
or using medical information pertaining to a consumer in connection with
any determination of the consumer’s eligibility, or continued
eligibility, for credit and then creates limited exceptions. This
approach is consistent with the Act and Congressional intent that
medical information only be obtained and used for credit-related
purposes when appropriate and necessary.
B. Sec. __.30(a)(2)(i) Definitions
1) Including “terms of credit” in the definition of “eligibility, or
continued eligibility, for credit.”
The proposed rule defines “eligibility, or continued eligibility, for
credit” as including the terms on which credit is offered. We commend
this approach. The Act is designed to protect against the inappropriate
use of medical information in credit decisions. This would encompass not
only whether consumers are offered credit but also the terms under which
they are offered credit. For example, a consumer should not have to pay
a higher rate of interest due to their medical condition. Therefore, the
terms on which credit is offered should be encompassed by the term
“eligibility, or continued eligibility for, credit.”
Recommendation: The proposed approach strongly supports Congressional
intent and should be retained.
2) Excluding debt cancellation and forbearance practices from the
definition of “eligibility, or continued eligibility, for credit.”
The proposed rule provides that the term “eligibility, or continued
eligibility, for credit” does not include:
(B) Any determination of whether the provisions of a debt cancellation
contract, debt suspension agreement, credit insurance product, or
similar forbearance practice or program are triggered
Wholly excluding debt cancellation contracts and suspension
agreements from the definition of “eligibility, or continued eligibility
for credit” is an overbroad approach. Any provision that allows
creditors to obtain and use medical information in connection with debt
cancellation, debt suspension, or credit insurance products or practices
needs to be tied to a specific consumer and a specific need.
First, the proposed provision contains a very broad general grant of
authority that would allow creditors to collect medical information on
ALL consumers from multiple sources in order to have that information
available if and when an issue of cancellation, suspension, or other
allowable use arises with respect to a few consumers. This approach
could authorize an entirely new industry of health reporting (akin to
credit reporting) on consumers to support the authorized purposes. It is
therefore important that any provision (whether it be a rule of
construction or an exclusion) be limited to obtaining or using medical
information in response to a triggering event of a specific consumer.
Second, the proposed provision is overbroad with respect to the
purpose for which medical information may be used and obtained.
Forbearance procedures and practices may be triggered by events
unrelated to medical conditions. For example, a debt cancellation
contract can be triggered by unemployment or divorce. There would be no
need to obtain and use medical information to determine whether such a
debt cancellation contract provision has been triggered. The rule should
thus permit a creditor to obtain and use medical information for
forbearance procedures only where the triggering event is
medically-related.
Third, we note that credit insurance is different from the other
listed forbearance practices since it involves a third party insurer as
well as the creditor and the consumer. Generally, a consumer purchases
credit insurance from the insurer. If a medical event were to trigger
credit insurance, the insurer would be the party to be informed of the
event and would then pay the creditor. We question whether a creditor
has “legitimate operational, transactional, risk and other needs” in
obtaining and using medical information in these circumstances. Unless
such needs are adequately demonstrated, “credit insurance” should be
dropped from this provision.
Finally, the Agencies have requested comments on whether it is more
appropriate to address debt cancellation and forbearance in a rule of
construction or as an exception. We believe the more appropriate
approach is to create a limited exception that would allow a creditor to
obtain and use medical information for these purposes, rather than
wholly excluding them from the definition of “eligibility, or continued
eligibility, for credit.” Determining whether the provisions of a debt
cancellation contract, debt suspension agreement or similar forbearance
practice or program are triggered appears to be a determination of the
terms on which credit is offered. These practices thus appear to fit the
definition of “eligibility or continued eligibility for credit.” A
provision which incorporates our suggested limitations would more
appropriately be framed as an exception than a rule of construction.
Wholly excluding debt cancellation contracts and suspension
agreements from the definition of “eligibility, or continued eligibility
for credit” is an overbroad approach. It would have the effect of
permitting creditors to obtain and use medical information in
inappropriate circumstances.
Recommendations: Delete the provision related to debt forbearance
from section ___.30(a)(2). Create an exception in __.30(1)(d) that
permits creditors, upon a consumer’s claim, assertion, or request that
the provisions of a debt cancellation contract, debt suspension
agreement, or similar forbearance practice or program have been
triggered by a medical or mental health condition or status to obtain
and use medical information to determine whether such provisions have
been triggered.
III. SEC. ___.30(b) RULE OF CONSTRUCTION FOR RECEIVING UNSOLICITED
MEDICAL INFORMATION
A. Rule
The proposed rule includes a rule of construction for receiving
unsolicited medical information. Under the rule, a creditor does not
obtain medical information for purposes of paragraph .30(a)(1) [the
general prohibition on obtaining and using medical information in
connection with any determination of a consumer’s eligibility for
credit] if it:
(i) Receives medical information pertaining to a consumer in connection
with any determination of the consumer’s eligibility, or continued
eligibility, for credit without specifically requesting medical
information; and
(ii) Does not use that information in determining whether to extend or
continue to extend credit to the consumer and the terms on which credit
is offered or continued.
The Agencies proposed this provision because they believe that a
creditor should not be seen as violating the prohibition on obtaining
medical information when the creditor does not specifically ask for or
request such information, yet the consumer or other person provides the
information to the creditor.
We appreciate the Agencies’ concern and do not object to the general
premise of the rule. However, we believe it makes more sense to include
this provision as an exception instead of as a rule of construction. The
preamble to the rule makes clear that obtaining and using information
are two distinct activities. Yet under this proposed provision, using
and obtaining information are merged into one concept.
It is preferable to consistently treat obtaining and using
information as distinct activities. This is more readily accomplished by
creating an exception to the general prohibition on use and disclosure.
We also believe that the regulation should clearly state that
“without specifically requesting medical information” means volunteered
by the consumer without any pressure, prompting, or solicitation
(whether direct or indirect) by the creditor. For example, a creditor
could prompt a consumer to provide medical information by saying that
“we are not allowed to ask you for medical information, but you can
volunteer to provide it if you choose.” This type of solicitation should
be expressly prohibited. Additionally, we recommend adding a provision
stating that unsolicited medical information should not be recorded or
maintained, and should be destroyed.
Recommendations: Delete the proposed rule of construction. Add the
following exception for receiving unsolicited medical information.
(b) Exception for receiving unsolicited medical information – (1) In
general.
(i) Medical information received by a creditor when the creditor has
not specifically requested medical information and when medical
information is volunteered by the consumer without any pressure,
prompting, or solicitation (whether direct or indirect) by the creditor
is considered to be unsolicited medical information for purposes of this
section.
(ii) A creditor may obtain unsolicited medical information for purposes
of paragraph (a)(1).
(iii) A creditor may not use unsolicited medical information in
determining whether to extend or continue to extend credit to the
consumer and the terms on which credit is offered or continued.
(iv) A creditor may not record or maintain and must destroy unsolicited
medical information as soon as practical after receipt of such
information.
B. EXAMPLES
We believe the proposed examples accurately reflect the intent that
unsolicited medical information may be obtained without violating the
prohibition, but may not be used. We suggest the following changes to
make the examples conform with the provision’s being changed to an
exception.
(2) EXAMPLES OF OBTAINING AND USING UNSOLICITED MEDICAL INFORMATION
CONSISTENT WITH THE EXCEPTION
(i) In response to a general question regarding a consumer’s debts or
expenses, a creditor receives information that the consumer has a
particular medical condition. The creditor does not use that information
in determining whether to extend credit to the consumer or the terms on
which the credit is offered.
(ii) In conversation with the loan officer, the consumer informs the
creditor that the consumer has a particular medical condition, and the
creditor does not use that information in determining whether to extend
credit to the consumer or the terms on which credit is offered.
IV. SEC. __.30(C) FINANCIAL INFORMATION EXCEPTION
The proposed rule creates a general “financial information” exception
which permits creditors to obtain and use medical information pertaining
to a consumer in connection with a determination of the consumer’s
eligibility so long as three conditions are met:
• The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
• The creditor uses the medical information in a manner and to an extent
that is no less favorable than it would use comparable information that
is not medical information in a credit transaction; and
• The creditor does not take the consumer’s physical, mental, or
behavioral health, condition or history, type of treatment, or prognosis
into account as part of any such determination.
This provision essentially permits a creditor to treat
medically-related debt and income no less favorably than other debt and
income. However, the provision prohibits financial institutions from
discriminating against the consumer on the basis of underlying medical
condition, treatment or prognosis.
The primary reason consumers are opposed to financial institutions’
having access to their medical information is the concern that they will
be discriminated against on the basis of the information. Congress
intended to address these concerns and directed the Agencies to
promulgate rules consistent with Congressional intent to restrict the
use of medical information for inappropriate purposes. This proposed
provision generally strikes a reasonable balance between a creditor’s
need to obtain and evaluate financial information (which may
incidentally be medically related) and the need to protect consumers
from discrimination based on their medical condition.
The only time when a creditor may need to specifically request
medical information in its initial application for credit would appear
to be where credit is requested for the purpose of financing medical
products or services. A creditor would be able to request such
information under proposed section __.30(d)(1)(v). Proposed section
.30(d)(1)(v) specifically permits a creditor to obtain and use medical
information in the case of credit for the purpose of financing medical
products or services, for determining and verifying the medical purpose
of the loan and use of proceeds. Since a creditor could, in the
appropriate circumstances, request medically-related financial
information under this proposed section, it is appropriate to limit the
financial information exception to those circumstances where the
creditor has not initiated the inquiry into medical information.
In order to fully accomplish its goals, the proposed regulation
should be amended to specify that to come within this particular
exception, the creditor has not specifically requested medical
information in its initial application for credit. This would permit
creditors to request generic financial information (e.g., outstanding
debts, sources of income) while prohibiting them from specifically
requesting information related to medical debt. Furthermore, this
approach seems to incorporate current practice. Financial institutions
have repeatedly represented that they do not routinely request medical
information in their credit application process.
Finally, while the title of this subparagraph indicates that it is
limited to “financial information,” the text of the regulation does not
expressly include this limitation. Under general rules of statutory
construction the title of a section is not controlling. This provision
should be clarified by including the limitation in the actual text of
the rule.
Recommendations: The general approach of this provision should be
retained. Creditors should be prohibited from treating medically-related
debt and income less favorably than other debt and income. The
non-discrimination provisions should remain. In addition, the following
changes (in ALL CAPS) should be made:
(c) Financial information exception for obtaining and using medical
information
(1) In general. A creditor may obtain and use FINANCIAL INFORMATION THAT
ALSO QUALIFIES AS medical information pertaining to a consumer in
connection with any determination of the consumer’s eligibility, or
continued eligibility, for credit so long as:
(i) THE CREDITOR DOES NOT SPECIFICALLY REQUEST MEDICAL INFORMATION IN
THE INITIAL APPLICATION FOR CREDIT;
(ii) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(iii) The creditor uses the medical information in a manner and to an
extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction; and
(iv) The creditor does not take the consumer’s physical, mental, or
behavioral health, condition or history, type of treatment, or prognosis
into account as part of any such determination.
The proposed examples appropriately illustrate the rule and should be
retained.
V. SEC. __.30(d)(1)(i) POWERS OF ATTORNEYS EXCEPTION
Exception __.30(d)(1)(i) permits a creditor to obtain and use medical
information:
To determine whether the use of a power of attorney or legal
representative is necessary and appropriate.
This provision is overbroad. There are only limited circumstances
when it may be appropriate for a creditor to obtain and use medical
information in relation to powers of attorney or legal representatives.
There may be times when a creditor would need to determine whether
the use of a power of attorney that is triggered by a medical event or
condition is appropriate and necessary. However, powers of attorney can
be used in non-medical related circumstances. For example, a consumer
who resides in one state may execute a power of attorney to consummate a
mortgage in another state. Creditors should not be permitted to obtain
and use medical information in the latter circumstance.
Additionally, financial institutions may have an interest in assuring
that a power of attorney or legal representative is not fraudulently
obtained and may wish to verify that the consumer has the legal capacity
to execute the document. Legal capacity may be tied to the consumer's
medical status whether or not the power of attorney was triggered by a
specific medical event.
Recommendation: This exception should be amended so that it is limited
to those circumstances where the use of a power of attorney or legal
representative is triggered by a medical condition (e.g., mental
incapacity) or where there is some question about the consumer’s legal
capacity to execute the underlying legal document.
VI. EXCEPTION FOR MEDICAL INFORMATION IN CONSUMER REPORTS
Background
Exception ___.30(d)(1)(iii) is an attempt to interpret the
provisions of the FACT Act that add two new provisions to the Fair
Credit Reporting Act. Section 604(g)(2) of FCRA, as amended, generally
prohibits creditors from obtaining or using medical information for
determining eligibility for credit except as determined to be
appropriate and necessary by the Agencies. Section 604(g)(1) of FCRA, as
amended, permits consumer reporting agencies, in certain circumstances,
to furnish consumer reports that contain medical information.
Specifically, section 604(g)(1) provides that a consumer
reporting agency may not furnish a consumer report that contains medical
information about a consumer unless:
(A) The report is furnished in connection with an insurance
transaction, and the consumer affirmatively consents to the furnishing
of the report;
(B) The report is furnished for employment purposes or in connection
with a credit transaction, the information to be furnished is relevant
to process or effect the employment or credit transaction, and the
consumer provides specific written consent for the furnishing of the
report that describes in clear and conspicuous language the use for
which the information will be furnished; or
(C) The information to be furnished pertains solely to transactions,
accounts, or balances relating to debts arising from the receipt of
medical services, products, or devices, where such information, other
than account status or amounts, is restricted or reported using codes
that do not identify, or do not provide information sufficient to infer
the specific provider or the nature of the services, products, or
devices.
Comments on Proposed Approach
The Agencies appear to perceive these provisions as conflicting with
each other. To reconcile these provisions, proposed exception
___.30(d)(1)(iii) permits a creditor to obtain and use medical
information for determining a consumer’s eligibility for credit to the
extent such information is included in a consumer report from a consumer
reporting agency, in accordance with 15 U.S.C. Sec. 1681b(g)(1)(B)
[section 604(g)(1)(B) of FCRA] and is used for the purpose(s) for which
the consumer provided specific written consent. This would permit a
creditor to obtain and use uncoded medical information in a consumer
report for purposes of determining eligibility for credit.
The Agencies have not proposed a separate exception for obtaining and
using consumer reports that contain coded medical information under 15 U.S.C.
Sec. 1681b(g)(1)(C) [section 604(g)(1)(C) of FCRA] because they do not
believe that it is necessary to propose a separate exception. Rather,
the Agencies have put forth different theories under which consumer
reports with coded medical information can be used and obtained by
creditors without a specific exception. The Agencies properly have
determined that no separate exception is required for consumer reports
with coded medical information. This approach should be extended to
consumer reports with uncoded medical information.
The Agencies have taken the proper approach by proposing that no
exception is necessary to permit creditors to obtain and use coded
medical information in consumer reports furnished by consumer reporting
agencies in accordance with section 604(g)(1)(C) of FCRA. Additionally,
the theory that creditors who intend to use this coded medical
information would be able to do so in accordance with the financial
information exception in ____.30(C) seems sound.
The Agencies should adopt this as the general approach to
interpreting sections 604(g)(1) and 604(g)(2), regardless of whether the
medical information is coded or uncoded. There should be no independent
exception for consumer reports that contain medical information. Rather,
creditors only should be able to obtain and use medical information in
consumer reports to the extent that the creditor is able to meet one of
the other exceptions to the general prohibition (such as the financial
information exception or the credit for medical procedure exception).
This approach is the most appropriate interpretation of the FACT Act.
The prohibition in section 604(g)(2) is very broad. The delegation of
authority to the Agencies makes very clear that exceptions are to be
made consistent with Congressional intent to restrict the use of medical
information for inappropriate purposes. Thus, it is appropriate to
interpret section 604(g)(2) as prohibiting creditors from obtaining and
using consumer reports with medical information unless there is another
independent exception for doing so.
This approach is fully consistent with section 604(g)(1), which
permits consumer reporting agencies to furnish consumer reports in
certain circumstances. This approach would permit consumer reporting
agencies to furnish consumer reports that contain medical information
either by coding the information or by obtaining a true informed
consent. It would encourage consumer reporting agencies to code medical
information so as not to require consumer consent. Finally, this
approach would allow creditors to obtain and use consumer reports
containing medical information pursuant to another exception where the
Agencies have determined that it is necessary and appropriate.
The theory that section 604(g)(1) should be interpreted as giving
independent authorization to creditors to obtain and use consumer
reports containing medical information is unsupported by the very
structure of the FACT Act. Section 604(g)(1) addresses the permitted
activities of consumer reporting agencies. It is intended to encourage
them to code medical information in consumer reports. Section 604(g)(1)
does not purport to govern the activities of creditors. It would be
inappropriate to read this provision as creating independent grounds for
creditors’ obtaining and using medical information. That determination
is to be made under section 604(g)(2).
Moreover, creating a separate consumer report exception would allow
creditors to circumvent the conditions imposed by the other exceptions.
For example, under proposed __.30(d)(1)(vi), a creditor may obtain and
use medical information if the consumer requests that specific medical
information be used for a specific purpose. In contrast, there is no
such requirement under section 604(g)(1)(B). It appears that a consent under
section 604(g)(1)(B) could be valid if it merely stated that a consumer
consented to the furnishing of a consumer report. The consent does not
have to state that the consumer report includes medical information.
In sum, a separate exception is not appropriate for obtaining and
using consumer reports that contain any medical information, whether or
not it is coded. Legitimate uses of both coded and uncoded medical
information for determining a consumer’s eligibility for credit appear
to be covered by other proposed exceptions. To the extent a consumer
report contains financial information that pertains to medical treatment
or payment, the information would be covered by the “financial
information” exception. To the extent the information is sought for the
purpose of financing medical products or services, to determine and
verify the purpose(s) for the loan, exception (v) would apply. To the
extent the information is provided pursuant to consumer request, it
would be covered by the consumer request exception.
Recommendation: There should be no separate exception for consumer
reports.
VII. FRAUD PREVENTION AND DETECTION
SEC. __.30(d)(1)(iv)
Section ___.30(d)(1)(iv) would permit a creditor to obtain and use
medical information in connection with any determination of the
consumer’s eligibility, or continued eligibility, for credit for
purposes of fraud prevention and detection.
This exception is overbroad and is unnecessary. There seem to be few
circumstances under which the use of medical information would be
necessary and appropriate to fraud prevention and detection.
Furthermore, other, more specific, exceptions would appear to permit a
creditor to obtain and use medical information where such use is
appropriate. To the extent that a creditor suspects that a power of
attorney has been fraudulently obtained or used, exception
__.30(d)(1)(i) would appear to apply. To the extent the creditor
suspects that the consumer is using the proceeds of a loan for financing
medical products or services, exception __.30(d)(1)(v) would apply. If a
creditor believed
that a consumer fraudulently requested loan forbearance, section
__.30(a)(2)(B) would apply.2 If the purported fraud involved debt that
coincidentally was medical information, it appears that exception
__.30(c) would apply.
It is difficult to envision other circumstances where it would be
appropriate for a creditor to use and obtain medical information for the
purpose of fraud prevention and detection.
Recommendation: The separate exception for fraud prevention and
detection should be deleted.
VIII. FINANCING MEDICAL PRODUCTS OR SERVICES
SEC. __.30(d)(1)(v)
A. Proposed Rule
Proposed section __.30(d)(1)(v) would permit a creditor to use and
obtain medical information for determining credit eligibility in the
case of credit for the purpose of financing medical products or
services, to determine and verify the medical purpose of a loan and the
use of proceeds.
This exception specifically applies to those creditors that finance
medical products or services. The provision does not contain broad
permission to obtain and use medical information. Rather, it
specifically identifies the purposes for which this information can be
used and obtained—only for determining and verifying the medical purpose
of the loan and the use of the proceeds. These limitations are important
to ensure that medical information only be used for legitimate purposes.
This approach strikes the appropriate balance between satisfying the
legitimate needs of medical finance creditors and the intent of Congress
to limit the use of medical information in credit eligibility
determinations.
Recommendation: The provision should be retained as proposed.
B. Examples Related to Financing Medical Products or Services
Section __.30(d)(2) contains examples of determining the medical
purpose of the loan or the use of proceeds. Generally, these examples
are helpful in explaining the proper application of this exception.
However, example (i) should be modified. Example (i) states that it
is appropriate for a creditor to confirm the consumer’s medical
eligibility to undergo that procedure with a surgeon. If the surgeon
reports that the surgery will not be performed on the consumer, the
creditor may use that information to deny the consumer’s application for
credit, because the loan would not be used for the stated purpose. The
essence of the inquiry is to determine whether the patient is going to
use the loan proceeds for the stated purpose. Medical eligibility is not
the appropriate standard for such an inquiry. Asking whether a patient
is medically eligible for a medical procedure might elicit a response
that contains more information than necessary to decide whether to
approve a loan. Furthermore, a patient may be medically eligible for,
but not undergo, a procedure.
Recommendation: Rather than permitting a creditor to confirm medical
eligibility, the example should permit the creditor to verify that the
procedure is to be performed.
IX. CONSUMER’S REQUEST
SEC. __.30(d)(1)(vi)
Proposed Rule
Proposed exception __.30(d)(1)(vi) provides that a creditor may
obtain and use medical information if the consumer (or their legal
representative) requests in writing that the creditor use specific
medical information for a specific purpose in determining the consumer’s
eligibility, or continued eligibility, for credit, to accommodate the
consumer’s particular circumstances. The signed written request must be
on a separate document. The request also must describe the specific
medical information that the consumer requests the creditor to use and
the specific purpose for which the information will be used.
The preamble indicates that this exception is intended to apply when
the consumer initiates a request to use medical information for
determining eligibility. Specifically, the preamble states:
This exception is designed to accommodate the particular medical
condition or circumstances of the individual consumer and is not
intended to allow creditors to obtain consent on a routine basis or as
part of loan applications or documentation. This exception would not be
met by a form that contains a pre-printed description of various types
of medical information and the uses to which it might be put. Instead,
it contemplates an individualized process in which the consumer informs
the creditor about the specific medical information that the consumer
would like the creditor to use and for what purpose.
The intended approach is appropriate and protects consumers’ medical
information from inappropriate uses, as directed by Congress. This
approach ensures that the request to use medical information is
voluntary and is initiated by the consumer.
As currently written, however, the proposed rule does not reflect
this intent. The intent of the Agencies should be incorporated in the
actual text of the rule.
The rule should also expressly include the preamble’s example of a
pre-printed form describing various medical information and the uses to
which it might be put as an example of obtaining and using medical
information inconsistent with the exception.
The attempt to limit the collection of information pursuant to a
consumer’s request to “specific medical information for a specific
purpose” may be somewhat thwarted by the authorization procedure under
the Health Privacy Rule issued under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA). This issue would arise where a
consumer submits a request to a creditor to obtain and use specific
medical information for a specific purpose and submits to a health care
provider covered by HIPAA an authorization permitting the provider to
disclose medical information to the creditor. The HIPAA rule has a
general policy that a disclosure must be limited to the minimum amount
of information necessary to accomplish the intended purpose of the
disclosure (45 C.F.R. sec. 164.502(b)). However, the minimum necessary
does not apply to a disclosure made pursuant to an individual’s
authorization (45 C.F.R. sec. 164.502(b)(2)(iii)). This creates a
problem. A creditor may be limited in the amount and type of information
that it may obtain and use, but a health care provider covered by HIPAA
is under no legal obligation to limit its disclosure to the information
requested by the consumer. It is quite possible, therefore, that
creditors may receive medical information that is not necessary for the
specific purpose requested by the consumer.
In order to address this issue, the Agencies should require creditors
to immediately discard any information that they obtain that is not
needed for the immediate purpose for which the request was made.
Recommendations: Retain the general approach that permits consumers
to initiate requests that creditors obtain and use specific medical
information for specific purposes. Amend proposed section
__.30(d)(1)(vi) by inserting the following language:
CREDITORS MAY NOT REQUEST OR REQUIRE A CONSUMER TO REQUEST THAT THE
CREDITOR OBTAIN OR USE MEDICAL INFORMATION UNDER THIS PROVISION ON A
ROUTINE BASIS OR AS PART OF LOAN APPLICATIONS.
Include in the rule, as an example, the prohibition on using pre-printed
forms and questions that is currently in the preamble. Require creditors
to discard any medical information that they obtain that is not needed
for the immediate purpose for which the request was made.
Additional Exception for Consumer Consent
The Agencies seek comment on whether there is a need to establish an
additional exception whereby a creditor could request that a consumer
consent to the specific use of the consumer’s medical information.
Permitting creditors to request a consumer’s consent to the specific use
of medical information would potentially undermine the intent of the
FACT Act. It would potentially create an avenue for creditors to
circumvent the requirements of the other exceptions. No additional
exceptions are necessary.
It may be appropriate, in very limited circumstances, for creditors
to make a request for consumer consent. For example, in the case of
credit for the purpose of financing medical products or services, it may
be appropriate for creditors to be able to request consent for related
medical information only to the extent it is necessary to determine and
verify the medical purpose of a loan and the use of the proceeds. It
appears that they may already request consent under section
__.30(d)(1)(v). Similarly, it may be appropriate to permit creditors to
request consumer consent within the parameters of the provisions
addressing forbearance agreements (should the Agencies determine that
these should be treated as exceptions). Again, this would be permitted
by the specific exception on forbearance agreements.
Recommendation: There should be no additional exceptions permitting
creditors to request or require consumer consent to obtain or use
medical information.
X. LIMITS ON REDISCLOSURE
SEC. __.30(e)
Proposed paragraph (e) incorporates the statutory provision regarding
the limits on redisclosure of medical information. This provision
generally provides that a creditor that receives medical information
about a consumer from a consumer reporting agency or an affiliate is
prohibited from disclosing that information to any other person, except
as necessary to carry out the purpose for which the information was
initially disclosed.
Recommendation: The phrase in the statute “as otherwise permitted by
statute, regulation, or order” is not clear, and the rule should clarify
the scope. There are two ways that the phrase could be construed. First,
the phrase could allow any activity that is not expressly prohibited by
statute, regulation, or order. Second, the phrase could allow any
activity that is expressly permitted by statute, regulation, or order.
The second interpretation is the proper reading of the law and should be
reflected in the rule. Otherwise, the mere failure of a law to prohibit
conduct may be construed by some to allow that conduct.
XI. SHARING MEDICAL INFORMATION WITH AFFILIATES
SEC. ___.31
A. Background
The FACT Act adds a new section 603(d)(3) to the FCRA which restricts
the sharing of medical-related information with affiliates if that
information meets the definition of “consumer report” in section
603(d)(1) of the FCRA. Generally, certain information (such as
transaction or experience information) that is shared among affiliates
is not considered to be a consumer report under the FCRA. New section
603(d)(1) provides, however, that if this information is medical-related
information, the affiliate-sharing exception will not apply and the
information will be considered to be a consumer report. Medical-related
information includes medical information, as defined in the FACT Act, as
well as other lists based on payment transactions for medical products
and services.
New section 604(g)(3) provides several specific exceptions that allow
creditors to disclose medical information to affiliates according to the
same rules that apply to other non-medical information. The section also
permits the federal banking Agencies to determine, by order or
regulation, that other exceptions are necessary and appropriate.
B. Comments on Statutory Exceptions
Proposed section ___.31 generally tracks the statutory exceptions
relating to when sharing medical-related information with affiliates
does not constitute a consumer report. As these exceptions are contained
in the statute, they are appropriately contained in the proposed rule.
We are aware that the Agencies do not have the authority to
significantly alter these exceptions. We would like to express our
concern, however, with the exclusions “(f)or any purpose referred to in
section 1179 of HIPAA” and as otherwise permitted by order of the
appropriate agency. These exclusions have the potential of creating
large loopholes for the sharing of medical information with affiliates
...
HIPAA amends the Social Security Act by adding section 1179, which
provides as follows:
SEC. 1179. To the extent that an entity is engaged in activities of a
financial institution (as defined in section 1101 of the Right to
Financial Privacy Act of 1978), or is engaged in authorizing,
processing, clearing, settling, billing, transferring, reconciling, or
collecting payments, for a financial institution, this part [the
Administrative Simplification Provisions of HIPAA], and any standard
adopted under this part, shall not apply to the entity with respect to
such activities.
Section 1101 of the Right to Financial Privacy Act generally defines
a “financial institution” as any office of a bank, savings bank, card
issuer, industrial loan company, trust company, savings association,
building and loan, or homestead association (including cooperative
banks), credit union, or consumer finance institution.
The American Bankers Association appears to take the position that
section 1179 exempts any activity approved by OCC from HIPAA.3 The U.S.
Department of Health and Human Services (HHS) has not taken an official
position on this issue.
Should the ABA prevail in its position, the statutory exception which
permits creditors to share medical-related information with affiliates
“for any purpose referred to in section 1179 of HIPAA” would essentially
give creditors wholesale permission to share medical-related information
for any activity. It is inconceivable that this result was intended by
Congress.
We also urge the Agency to ensure that its orders that affect
affiliate-sharing be consistent with Congressional intent to limit
sharing of medical information with affiliates.
Recommendations: The Agencies should advise HHS of the potential
effect of the interpretation of section 1179 on creditors’ ability to
share medical-related information with affiliates. The Agencies should
also create a procedure to verify that new orders do not create new
exceptions which would permit greater sharing of medical information
with affiliates.
C. Comments on Proposed Exceptions Created by Rule
In addition to these statutory exceptions, the Agencies have proposed
section __.31(b)(5), which would allow creditors to share with
affiliates medical-related information in connection with a
determination of the consumer’s eligibility for credit consistent with
proposed section __.30. There is no explanation as to why the Agencies
believe this proposed exception is necessary and appropriate.
The proposed approach is overbroad, and appears inconsistent with the
specific conditions imposed in other provisions of the proposed rule and
the FACT Act. Specifically, the proposed approach appears to be
inconsistent with the consent requirements in section __.30(d)(1)(vi) of
the proposed rule and section 604(g)(1)(B) of FCRA, which were intended
to ensure that consumers gave informed consent for the sharing,
obtaining and use of their medical information.
Proposed section __.30(d)(1)(vi) permits creditors to obtain and use
medical information if the consumer (or the consumer’s representative)
requests in writing that the creditor use specific medical information
for a specific purpose in determining the consumer’s eligibility, or
continued eligibility, for credit. The request must be signed, describe
the specific medical information that the consumer requests the creditor
to use and the specific purpose for which the information will be used.
The intent of these requirements is to ensure that the consumer signs an
informed consent that details who is permitted to use the information,
what specific information will be used and the purpose for which it will
be used.
Similarly, section 604(g)(1)(B) of FCRA permits a consumer reporting
agency to furnish a consumer report with uncoded medical information
only with the specific written consent of the consumer to furnish the
report to a creditor. Proposed section
__.30(d)(1)(iii) provides that creditors would be permitted to obtain
and use medical information to the extent such information is included
in a consumer report from a consumer reporting agency where the consumer
has given consent in accordance with section 604(g)(1)(B) of FCRA.
Again, this provision is intended to ensure that the consumer has given
informed consent.
The consent process is seriously compromised if a creditor can then
turn around and share the medical information with affiliates without
any input from the consumer. We note that specifying in a consent that
information may be shared “with affiliates” does not truly inform the
consumer of the intended recipients of the information.
Proposed section ___.31(b)(5) would become significantly more
problematic if the Agencies were to weaken the anti-discrimination
provisions in section __.30(c) in the final rule. Such an approach would
permit creditors to share medical-related information with affiliates
and would permit both the creditors and affiliates to discriminate
against consumers based on their medical status or treatment. This
improper use of medical-related information would be contrary to the
intent of the FACT Act.
Recommendations: Proposed section __.31(b)(5) should be deleted. At a
minimum it should be amended to state that the exception does not apply
to the extent that the creditor has obtained medical information in a
credit report furnished in accordance with section 604(g)(1)(B) of FCRA
or pursuant to a consumer’s request.
XII. SPECIFIC EXCEPTIONS FOR OBTAINING AND USING MEDICAL INFORMATION
SEC. ___.30(d)(vii)
Proposed section __.30(d)(vii) gives the Agencies the authority to
add new exceptions by order to the general prohibitions on obtaining and
using medical information. Subsections 604(g)(2) and (3) of FCRA, as
amended by the FACT Act, only give the Agencies authority to issue
orders regarding consumer reports. Therefore, Congress only gave
authority to the Agencies to issue exceptions to obtaining and using
medical information through regulations, not orders. Under a reasonable
interpretation of the FACT Act, the Agencies would be exceeding their
authority by including “orders” as a means for creating exceptions.
Recommendation: Section __.30(d)(vii) should be removed from the
proposed regulations.
Emily Stewart
Policy Analyst
Health Privacy Project
1120 19th Street, NW 8th Floor
Washington, DC 20036
2 Proposed section __.30(a)(2)(i)(B) would exclude from
the definition of “eligibility, or continued eligibility, for credit” a
determination of whether the provisions of a debt cancellation contract,
debt suspension agreement, credit insurance product or similar
forbearance practice or program are triggered. We propose that debt
cancellation contracts and similar forbearance practices be treated as
an exception. Under either approach, it would appear that a creditor
would be able to obtain and use medical information to determine whether
the debt forbearance was properly triggered or obtained through fraud.
3 See letter from the American Bankers Association to
Tommy G. Thompson, Secretary, U.S. Department of Health and Human
Services, October 24, 2003, which states in pertinent part, “…the plain
language of the statute exempts from any regulations promulgated under
the Administrative Simplification title, any entity engaged in the
‘activities of a financial institution.’ Nothing in section 1179
restricts the exempted activities to those involving the payment system.