Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

BlueCross BlueShield Association

May 28, 2004

Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Docket Number 04-09

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Docket Number R-1188

Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RIN 3064-AC81

Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Docket No. 2004-16, RN 1550-AB88

Becky Baker, Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Comments on Proposed Rule, Part 717

Re: BCBSA Comments on Proposed Rule, Fair Credit Reporting — Medical Information

Dear Sir or Madam:

I am writing to submit the Blue Cross and Blue Shield Association's ("BCBSA") comments on the Fair Credit Reporting Medical Information proposed regulations ("Proposed Rule") under the Fair and Accurate Credit Transactions Act (the "FACT Act"). 69 Fed. Reg. 23380 (Apr. 28, 2004). BCBSA represents 41 independent Blue Cross and Blue Shield Plans ("Plans") that provide health coverage to 88 million — one in three — Americans.

As explained more fully below, BCBSA believes that, in general, the activities of its Plans are not subject to the consumer reporting requirements of the Fair Credit Reporting Act ("FCRA"). However, the FACT Act amends FCRA to impose new restrictions on the use of medical information in consumer reports and credit transactions. To the extent that Plans may be subject to this requirement in the future because of business product changes, we ask that the FACT Act's affirmative consent requirement be made consistent with a similar affirmative consent requirement under the medical privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") that would apply to the same disclosures of medical information. 45 C.F.R. Parts 160 and 164.

I. Background

The Fair Credit Reporting Act ("FCRA") applies to "consumer reports" compiled by "consumer reporting agencies." The FCRA generally defines a "consumer reporting agency" as any person who, for monetary fees, regularly engages in the practice of assembling credit or other information for the purpose of furnishing consumer reports to third parties. FCRA § 603(a)(f); 15 U.S.C. § 1681a(f). A "consumer report", in relevant part, includes any communication of information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, or character or personal characteristics used or collected in establishing the consumer's eligibility for credit or insurance. FCRA § 603(d)(1); 15 U.S.C. § 1681a(d)(1).

Prior to the FACT Act, the FCRA required a consumer reporting agency to obtain an individual's "consent" in order to furnish medical information in a consumer report for purposes of employment, credit, or insurance. FCRA § 604(g), 15 USC § 168 lb(g). The FACT Act replaces this "consent" requirement with an "affirmative consent" requirement. Act § 411(a), revising FCRA § 604(g)(1), 15 U.S.C. § 1681b(g)(1). The Proposed Rule relating to medical information does not address the new affirmative consent requirement and thus does not establish requirements for obtaining affirmative consent.1

We note that the FACT Act also amends FCRA's restrictions with respect to sharing of medical information among affiliates. Act § 411(b), adding FCRA § 603(d)(3), 15 U.S.C. § 1681a(d)(3). However, the FACT Act also provides a carve-out so that the new affiliate restrictions "shall not be construed so as to treat information as a consumer report" if the information is disclosed for a list of purposes, including any purpose permitted without authorization under the HIPAA Privacy Regulations. Act § 411(a), adding FCRA § 604(g)(3), 15 U.S.C. § 1681b(g)(3).

II. Overlap with HIPAA Privacy Regulation

Congress passed sweeping health care reform in 1996 under HIPAA. The new law addressed portability of health care coverage among health plans, nondiscrimination in eligibility and benefit requirements based on health status, and administrative simplification provisions designed to promote confidentiality of health information and efficient transfer of electronic health information among health plans and health care providers. P.L. 104-191 (Aug. 21, 1996). HIPAA required the Secretary of Health and Human Services to issue regulations governing confidentiality of individually identifiable health information. Final regulations were issued December 28, 2000. 65 Fed. Reg. 82462 (amended May 31, 2002 and August 14, 2002).

The HIPAA Privacy Regulation applies to health care providers (e.g., doctors and hospitals) and health plans, which are defined to include health insurance issuers and any other arrangement that provides or pays for the cost of medical care. 45 CFR § 160.102. The HIPAA Privacy Regulation generally requires that, for any use or disclosure of individually identifiable health information outside of treatment, payment, or health care operations (which are defined terms under the regulations), a health plan must obtain the individual's affirmative authorization. 45 CFR § 164.502(a). The regulation goes on to specify in detail the content of the authorization, including that it must be in writing and must be signed by the individual. 45 CFR § 164.508.

BCBS Plans are "health plans" under the HIPAA Privacy Regulation and must comply with the authorization requirements under the regulation for disclosures outside of treatment, payment, or health care operations. It does not appear that Plans engage in activities that also would make them subject to the medical privacy requirements of FCRA and the FACT Act — that is, it appears that they do not act in capacities that would be considered "consumer reporting agencies" providing "consumer reports" to third parties. However, given the potential breadth of the definitions of consumer reporting agencies and consumer reports, and given the possible changes in products and services Plans may offer over time, there is at least a potential for conflict between the authorization/affirmative consent requirements under the FACT Act and HIPPA Privacy Regulations. We believe this potential conflict can be properly resolved through guidance in the final FACT Act regulations governing use of medical information.

Absent clarification in the final regulations, if a disclosure of medical information requires affirmative authorization under both the HIPAA Privacy Regulation and the FACT Act, it is not clear whether a HIPAA authorization would satisfy the FACT Act consent requirement. The HIPAA Privacy Regulation provides specific detail as to the content of a HIPAA authorization, and BCBS Plans currently comply with these requirements.2 In contrast, the FACT Act only provides that the consumer reporting agency must obtain "affirmative consent," and neither the FACT Act nor the Proposed Rule provide more guidance on what the consent must include.

III. BCBSA Comment

We ask that the final regulations clarify that an authorization that is valid for purposes of the HIPAA Privacy Regulation also would satisfy the FACT Act's consent requirement. Congress already has expressed its intent to harmonize the medical information provisions in the FACT Act with the HIPAA Privacy Regulation. As noted above, under the FACT Act's amendments regarding disclosures to affiliates, Congress expressly carved out disclosures that are permitted without authorization under the HIPAA Privacy Regulation. FACT Act § 411(a), adding FCRA § 604(g)(3); 15 U.S.C. § 1681b(g)(3). In addition, the HIPAA affirmative authorization requirement, which was vetted fully in proposed rulemaking and comment periods, clearly requires informed, advance, and written consent. Thus, the HIPAA authorization should satisfy Congress' intent to protect consumers under the FACT Act's affirmative consent requirement as well. Finally, clarifying that the HIPAA authorization also would satisfy the FACT Act consent requirement would reduce potential administrative burdens of entities that may be subject to both laws, while still fully protecting consumers.

Thank you for your consideration of our comment. Please contact Christina Nyquist at 202.626.4799 if you have any questions.

Alissa Fox
Executive Director


1 The FACT Act also adds a provision generally prohibiting a creditor from obtaining or using medical information in connection with any determination of a consumer's eligibly for credit. The bulk of the Proposed Rule deals with this provision and offers examples as to when a creditor may or may not use medical information. BCBSA is not commenting on these provisions of the Proposed Rule.

2 For example, the HIPAA Privacy Regulation requires that an authorization include a description of the information to be disclosed, the name of the party permitted to make the disclosure, the name of the party to whom the information is to be disclosed, the purpose of the disclosure, an expiration date or event, and required statements related to how to revoke an authorization and the potential for information to be re-disclosed once it is furnished pursuant to the authorization. In addition, the regulation requires the authorization to be in writing and signed and dated by the individual whose information will be disclosed. 45 C.F.R. § 164.508.

Last Updated 06/03/2004

Skip Footer back to content