BlueCross BlueShield Association

Office of the Comptroller of the Currency
Jennifer J. Johnson, Secretary
Robert E. Feldman, Executive Secretary
Regulation Comments, Chief Counsel's Office
Becky Baker, Secretary of the Board

Re: BCBSA Comments on Proposed Rule, Fair Credit Reporting — Medical Information

Dear Sir or Madam:

I am writing to submit the Blue Cross and Blue Shield Association's ("BCBSA") comments on the Fair Credit Reporting Medical Information proposed regulations ("Proposed Rule") under the Fair and Accurate Credit Transactions Act (the "FACT Act"). 69 Fed. Reg. 23380 (Apr. 28, 2004). BCBSA represents 41 independent Blue Cross and Blue Shield Plans ("Plans") that provide health coverage to 88 million — one in three — Americans.

As explained more fully below, BCBSA believes that, in general, the activities of its Plans are not subject to the consumer reporting requirements of the Fair Credit Reporting Act ("FCRA"). However, the FACT Act amends FCRA to impose new restrictions on the use of medical information in consumer reports and credit transactions. To the extent that Plans may be subject to this requirement in the future because of business product changes, we ask that the FACT Act's affirmative consent requirement be made consistent with a similar affirmative consent requirement under the medical privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") that would apply to the same disclosures of medical information. 45 C.F.R. Parts 160 and 164.

I. Background

The Fair Credit Reporting Act ("FCRA") applies to "consumer reports" compiled by "consumer reporting agencies." The FCRA generally defines a "consumer reporting agency" as any person who, for monetary fees, regularly engages in the practice of assembling credit or other information for the purpose of furnishing consumer reports to third parties. FCRA § 603(a)(f); 15 U.S.C. § 1681a(f).
A "consumer report", in relevant part, includes any communication of information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, or character or personal characteristics used or collected in establishing the consumer's eligibility for credit or insurance. FCRA § 603(d)(1); 15 U.S.C. § 1681a(d)(1).

Prior to the FACT Act, the FCRA required a consumer reporting agency to obtain an individual's "consent" in order to furnish medical information in a consumer report for purposes of employment, credit, or insurance. FCRA § 604(g), 15 USC § 1681b(g). The FACT Act replaces this "consent" requirement with an "affirmative consent" requirement. Act § 411(a), revising FCRA § 604(g)(1), 15 U.S.C. § 1681b(g)(1). The Proposed Rule relating to medical information does not address the new affirmative consent requirement and thus does not establish requirements for obtaining affirmative consent.1

We note that the FACT Act also amends FCRA's restrictions with respect to sharing of medical information among affiliates. Act § 411(b), adding FCRA § 603(d)(3), 15 U.S.C. § 1681a(d)(3). However, the FACT Act also provides a carve-out so that the new affiliate restrictions "shall not be construed so as to treat information as a consumer report" if the information is disclosed for a list of purposes, including any purpose permitted without authorization under the HIPAA Privacy Regulations. Act § 411(a), adding FCRA § 604(g)(3), 15 U.S.C. § 1681b(g)(3).

II. Overlap with HIPAA Privacy Regulation

Congress passed sweeping health care reform in 1996 under HIPAA. The new law addressed portability of health care coverage among health plans, nondiscrimination in eligibility and benefit requirements based on health status, and administrative simplification provisions designed to promote confidentiality of health information and efficient transfer of electronic health information among health plans and health care providers. P.L. 104-191 (Aug. 21, 1996).

HIPAA required the Secretary of Health and Human Services to issue regulations governing confidentiality of individually identifiable health information. Final regulations were issued December 28, 2000. 65 Fed. Reg. 82462 (amended May 31, 2002 and August 14, 2002). The HIPAA Privacy Regulation applies to health care providers (e.g., doctors and hospitals) and health plans, which are defined to include health insurance issuers and any other arrangement that provides or pays for the cost of medical care. 45 CFR § 160.102.

The HIPAA Privacy Regulation generally requires that, for any use or disclosure of individually identifiable health information outside of treatment, payment, or health care operations (which are defined terms under the regulations), a health plan must obtain the individual's affirmative authorization. 45 CFR § 164.502(a). The regulation goes on to specify in detail the content of the authorization, including that it must be in writing and must be signed by the individual. 45 CFR § 164.508.

BCBS Plans are "health plans" under the HIPAA Privacy Regulation and must comply with the authorization requirements under the regulation for disclosures outside of treatment, payment, or health care operations.
It does not appear that Plans engage in activities that also would make them subject to the medical privacy requirements of FCRA and the FACT Act — that is, it appears that they do not act in capacities that would be considered "consumer reporting agencies" providing "consumer reports" to third parties. However, given the potential breadth of the definitions of consumer reporting agencies and consumer reports, and given the possible changes in products and services Plans may offer over time, there is at least a potential for conflict between the authorization/affirmative consent requirements under the FACT Act and HIPAA Privacy Regulations. We believe this potential conflict can be properly resolved through guidance in the final FACT Act regulations governing use of medical information.

Absent clarification in the final regulations, if a disclosure of medical information requires affirmative authorization under both the HIPAA Privacy Regulation and the FACT Act, it is not clear whether a HIPAA authorization would satisfy the FACT Act consent requirement. The HIPAA Privacy Regulation provides specific detail as to the content of a HIPAA authorization, and BCBS Plans currently comply with these requirements.2 In contrast, the FACT Act only provides that the consumer reporting agency must obtain "affirmative consent," and neither the FACT Act nor the Proposed Rule provides more guidance on what the consent must include.

III. BCBSA Comment

We ask that the final regulations clarify that an authorization that is valid for purposes of the HIPAA Privacy Regulation also would satisfy the FACT Act's consent requirement.

Congress already has expressed its intent to harmonize the medical information provisions in the FACT Act with the HIPAA Privacy Regulation. As noted above, under the FACT Act's amendments regarding disclosures to affiliates, Congress expressly carved out disclosures that are permitted without authorization under the HIPAA Privacy Regulation.
FACT Act § 411(a), adding FCRA § 604(g)(3); 15 U.S.C. § 1681b(g)(3).

In addition, the HIPAA affirmative authorization requirement, which was vetted fully in proposed rulemaking and comment periods, clearly requires informed, advance, and written consent. Thus, the HIPAA authorization should satisfy Congress' intent to protect consumers under the FACT Act's affirmative consent requirement as well.

Finally, clarifying that the HIPAA authorization also would satisfy the FACT Act consent requirement would reduce potential administrative burdens of entities that may be subject to both laws, while still fully protecting consumers.

Thank you for your consideration of our comment. Please contact Christina Nyquist at 202.626.4799 if you have any questions.

Sincerely,

Last Updated 06/03/2004 | regs@fdic.gov |