BlueCross BlueShield Association
May 28, 2004
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Docket Number 04-09
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Docket Number R-1188
Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RIN 3064-AC81
Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Docket No. 2004-16, RN 1550-AB88
Becky Baker, Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Comments on Proposed Rule, Part 717
Re: BCBSA Comments on Proposed Rule, Fair Credit Reporting — Medical Information
Dear Sir or Madam:
I am writing to submit the Blue Cross and Blue Shield Association's ("BCBSA")
comments on the Fair Credit Reporting Medical Information proposed
regulations ("Proposed Rule") under the Fair and
Accurate Credit Transactions Act (the "FACT Act"). 69 Fed.
Reg. 23380 (Apr. 28, 2004). BCBSA represents 41 independent Blue Cross
and Blue Shield Plans ("Plans") that provide health coverage
to 88 million — one in three — Americans.
As explained more fully below, BCBSA believes that, in general, the
activities of its Plans are not subject to the consumer reporting requirements
of the Fair Credit Reporting Act ("FCRA"). However, the FACT
Act amends FCRA to impose new restrictions on the use of medical information
in consumer reports and credit transactions. To the extent that Plans
may be subject to this requirement in the future because of business
product changes,
we ask that the FACT Act's affirmative consent requirement be made
consistent with a similar affirmative consent requirement
under the medical privacy regulations issued under the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA") that
would apply to the same disclosures of medical information. 45 C.F.R.
Parts 160 and 164.
I. Background
The Fair Credit Reporting Act ("FCRA") applies to "consumer
reports" compiled by "consumer reporting agencies." The
FCRA generally defines a "consumer reporting agency" as any
person who, for monetary fees, regularly engages in the practice of
assembling credit or other information for the purpose of furnishing
consumer reports to third parties. FCRA § 603(a)(f); 15 U.S.C. § 1681a(f).
A "consumer report", in relevant part, includes any communication
of information by a consumer reporting agency bearing on a consumer's
credit worthiness, credit standing, or character or personal characteristics
used or collected in establishing the consumer's eligibility for credit
or insurance. FCRA § 603(d)(1); 15 U.S.C. § 1681a(d)(1).
Prior to the FACT Act, the FCRA required a consumer reporting agency
to obtain an individual's "consent" in order to furnish medical
information in a consumer report for purposes of employment, credit,
or insurance. FCRA § 604(g), 15 U.S.C. § 1681b(g). The FACT
Act replaces this "consent" requirement with an "affirmative
consent" requirement. Act § 411(a), revising FCRA § 604(g)(1),
15 U.S.C. § 1681b(g)(1). The Proposed Rule relating to medical
information does not address the new affirmative consent requirement
and thus does not establish requirements for obtaining affirmative
consent.1
We note that the FACT Act also amends FCRA's restrictions with respect
to sharing of medical information among affiliates. Act § 411(b),
adding FCRA § 603(d)(3), 15 U.S.C. § 1681a(d)(3). However,
the FACT Act also provides a carve-out so that the new affiliate restrictions "shall
not be construed so as to treat information as a consumer report" if
the information is disclosed for a list of purposes, including any
purpose permitted without authorization under the HIPAA Privacy Regulations.
Act § 411(a), adding FCRA § 604(g)(3), 15 U.S.C. § 1681b(g)(3).
II. Overlap with HIPAA Privacy Regulation
Congress passed sweeping health care reform in 1996 under HIPAA. The
new law addressed portability of health care coverage among health
plans, nondiscrimination in eligibility and benefit requirements based
on health status, and administrative simplification provisions designed
to promote confidentiality of health information and efficient transfer
of electronic health information among health plans and health care
providers. P.L. 104-191 (Aug. 21, 1996). HIPAA required the Secretary
of Health and Human Services to issue regulations governing confidentiality
of individually identifiable health information. Final regulations
were issued December 28, 2000. 65 Fed. Reg. 82462 (amended May 31,
2002 and August 14, 2002).
The HIPAA Privacy Regulation applies to health care providers (e.g.,
doctors and hospitals) and health plans, which are defined to include
health insurance issuers and any other arrangement that provides or
pays for the cost of medical care. 45 CFR § 160.102. The HIPAA
Privacy Regulation generally requires that, for any use or disclosure
of individually identifiable health information outside of treatment,
payment, or health care operations (which are defined terms under the
regulations), a health plan must obtain the individual's affirmative
authorization. 45 CFR § 164.502(a). The regulation goes on to
specify in detail the content of the authorization, including that
it must be in writing and must be signed by the individual. 45 CFR § 164.508.
BCBS Plans are "health plans" under the HIPAA Privacy Regulation
and must comply with the authorization requirements under the regulation
for disclosures outside of treatment, payment, or health care operations.
It does not appear that Plans engage in activities that also would
make them subject to the medical privacy requirements of FCRA and the
FACT Act — that is, it appears that they do not act in capacities
that would be considered "consumer reporting agencies" providing "consumer
reports" to third parties. However, given the potential breadth
of the definitions of consumer reporting agencies and consumer reports,
and given the possible changes in products and services Plans may offer
over time, there is at least a potential for conflict between the authorization/affirmative
consent requirements under the FACT Act and HIPAA Privacy Regulations.
We believe this potential conflict can be properly resolved through
guidance in the final FACT Act regulations governing use of medical
information.
Absent clarification in the final regulations, if a disclosure of medical
information requires affirmative authorization under both the HIPAA
Privacy Regulation and the FACT Act, it is not clear whether a HIPAA
authorization would satisfy the FACT Act consent requirement. The HIPAA
Privacy Regulation provides specific detail as to the content of a
HIPAA authorization, and BCBS Plans currently comply with these requirements.2
In contrast, the FACT Act only provides that the consumer reporting
agency must obtain "affirmative consent," and neither the
FACT Act nor the Proposed Rule provides more guidance on what the consent
must include.
III. BCBSA Comment
We ask that the final regulations clarify that an authorization that is
valid for purposes of the HIPAA Privacy Regulation also would satisfy
the FACT Act's consent requirement. Congress already has expressed
its intent to harmonize the medical information provisions in the FACT
Act with the HIPAA Privacy Regulation. As noted above, under the FACT
Act's amendments regarding disclosures to affiliates, Congress expressly
carved out disclosures that are permitted without authorization under
the HIPAA Privacy Regulation. FACT Act § 411(a), adding FCRA § 604(g)(3);
15 U.S.C. § 1681b(g)(3). In addition, the HIPAA affirmative authorization
requirement, which was vetted fully in proposed rulemaking and comment
periods, clearly requires informed, advance, and written consent. Thus,
the HIPAA authorization should satisfy Congress' intent to protect
consumers under the FACT Act's affirmative consent requirement as well.
Finally, clarifying that the HIPAA authorization also would satisfy
the FACT Act consent requirement would reduce potential administrative
burdens of entities that may be subject to both laws, while still fully
protecting consumers.
Thank you for your consideration of our comment. Please contact Christina
Nyquist at 202.626.4799 if you have any questions.
Sincerely,
Alissa Fox
Executive Director
_____________________________
1 The FACT Act also adds a provision generally prohibiting
a creditor from obtaining or using medical information in connection
with any determination of a consumer's eligibility for credit. The bulk of the
Proposed Rule deals with this provision and offers examples as to when
a creditor may or may not use medical information. BCBSA is not commenting
on these provisions of the Proposed Rule.
2 For example, the HIPAA Privacy Regulation
requires that an authorization include a description of the information
to be disclosed, the name
of the party permitted to make the disclosure, the name of the party
to whom the information is to be disclosed, the purpose of the disclosure,
an expiration date or event, and required statements related to how
to revoke an authorization and the potential for information to be
re-disclosed once it is furnished pursuant to the authorization. In
addition, the regulation requires the authorization to be in writing
and signed and dated by the individual whose information will be disclosed.
45 C.F.R. § 164.508.