
FDIC Federal Register Citations

Healthcare Leadership Council

May 27, 2004

Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve System
20th Street and Constitution Ave., NW
Washington, DC 20551
Docket Number R-1188

Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mail Stop 1-5
Washington, DC 20219
Docket Number 04-09

Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RIN 3064-AC81

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G St., NW
Washington, DC 20552
Attention: No. 2004-16

Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428

Re: Fair Credit Reporting Medical Information Regulations/Proposed Rule

Ladies and Gentlemen:

On behalf of the Confidentiality Coalition, which is chaired by the Healthcare Leadership Council (HLC), we are submitting to you comments regarding the proposed regulations implementing the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)1, which amends portions of the Fair Credit Reporting Act (FCRA or Act)2.

HLC organized the Confidentiality Coalition more than five years ago, and it has grown to more than one hundred members, encompassing a broad spectrum of providers, payors, and other health care industry stakeholders. The Coalition supports the development and enforcement of safe and effective regulations governing the confidentiality of medical information. The Coalition is very concerned that the proposed rule, unless clarified by each of your respective agencies (the "agencies"), will likely be misinterpreted as modifying, altering, and in some cases superseding, existing federal law regarding medical information — a result that would be directly contrary to Congress' intent.

Since April 2003, the Health Insurance Portability and Accountability Act (HIPAA) privacy rule has required health care providers, plans, and clearinghouses to comply with comprehensive, national standards regarding both the use (for internal purposes) and the disclosure (to external parties, including components of their organizations not involved in the provision of health care or health benefits) of health information.3 Unfortunately, the tremendous HIPAA compliance efforts made by covered entities over the past year could be undermined or disrupted if the proposed rule remains as currently drafted: susceptible to interpretation as modifying, limiting, or prohibiting the permissible use and disclosure of health information by HIPAA covered entities, including the use and disclosure of health information by and among affiliates. Consequently, the Coalition strongly encourages the consideration of the following comments on the proposed rule.

All proposed additions to the proposed rule are indicated in italics. All proposed subtractions from the proposed rule are bracketed and struck through.

Comment 1: Clarification of the Purpose of the Proposed Rule

As an initial - and essential - matter, each agency should clarify the purpose of the proposed rule by addressing its relationship to existing medical confidentiality laws, including state laws. The FCRA, as amended, provides unambiguous guidance on this matter: the FCRA's provisions regarding the protection of medical information are not to be "construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality."4

Moreover, the FACT Act amendments do not expressly require or even imply that FCRA be extended to regulate entities already regulated by HIPAA. HIPAA and the FCRA share similar purposes with respect to privacy: each has a separate set of regulated activities, and each is premised on similar assumptions, such as the importance of individual consent or authorization of uses. As amended, the FCRA, like HIPAA, prohibits the use or disclosure of the information to which it applies without the consent of the individual5 or unless authorized by the amended FCRA – even though the specific requirements of the Act regarding the form of consent (or the permissible uses) do not parallel those of the HIPAA regulation.

The FACT Act's drafters attempted to deal with concerns regarding the scope of the legislation by "carving out" from critical definitions the information and activities that already are regulated by HIPAA. In implementation, a failure to appreciate the broader HIPAA regulatory regime could lead to an inappropriate interpretation of the FACT Act language in relating the provisions of the FCRA to the provisions of HIPAA. If this resulted in enforcement activities under the FCRA that had the effect of prohibiting some disclosures of health information that are permissible disclosures under HIPAA, the result would serve only to confuse patients and HIPAA covered entities regarding permissible activities, without enhancing the protection afforded patients regarding their health information. Moreover, such a result would be contrary to the FACT Act's provision that its provisions not alter, affect, or supersede current Federal law regarding medical confidentiality (e.g., the HIPAA privacy rule).6

In light of the foregoing, we strongly encourage each of the regulatory agencies to adopt within Section ---.1 of their respective rules a "purpose" statement that is consistent with this statutory requirement. This statement could be incorporated into a broader purpose statement (as illustrated below in the italicized language regarding OCC's proposed purpose statement in 12 C.F.R. Sec. 41.1(a)), or could be a stand-alone statement within Section ---.1 for each of the respective agencies.

Proposed Changes Regarding Comment 1:

Section ---.41.1(a) Purpose

Current: "The purpose of this part is to establish standards for national banks in key areas of regulation regarding consumer report information and fair credit. In addition, the purpose of this part is to specify the type of information, including medical information, national banks may obtain, use, or share among affiliates. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft."

Proposed Change: "The purpose of this part is to establish standards for national banks in key areas of regulation regarding consumer report information and fair credit. In addition, the purpose of this part is to specify the type of information, including medical information, national banks may obtain, use, or share among affiliates. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft. Any provisions to the contrary notwithstanding, this part does not, and shall not be construed to, alter, affect, or supersede the obligations of entities that already are directly or indirectly subject to regulation with respect to the use of medical or medically-related information under the Standards for Privacy of Individually Identifiable Health Information promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (the "privacy rule"). Any use, disclosure, or other activity related to medical or medically-related information by a covered entity that is permissible under the privacy rule, shall likewise be permissible under, and not altered, affected, or superseded by, this part."

Comment 2: Permissible Disclosures by Affiliates

Our second comment concerns the proposed rule's limitations upon the communication of medical information between affiliates. Specifically, the proposed rule limits the medical information that can be in a consumer report, and significantly narrows the scope of information (other than a consumer report) that may be freely communicated among affiliates and commonly owned entities. Indeed, except for information that is disclosed for certain purposes — including for any purpose permitted without authorization under the HIPAA privacy rule7 — the provision permitting information to be more freely shared among affiliates and commonly owned persons does not apply to information that is (1) medical information; (2) an individualized list or description based on the payment transactions of the consumer for medical products or services; or (3) an aggregate list of identified consumers based on payment transactions for medical products or services.8

Our concern is that information lawfully disclosed by a HIPAA covered entity (such as a hospital or other provider, or a health insurer or other health plan) to, for example, an affiliate of a consumer reporting agency pursuant to a specific authorization of the patient (such as an authorization to disclose health information in order to perform health outcomes research, or other activities specifically authorized by the patient), arguably could be considered "medical information" as defined and regulated by the FCRA and the proposed rule. By way of example, consider a health plan that is planning to conduct a fundraiser on behalf of a condition-specific charity. HIPAA would permit the health plan, when authorized in writing by the individual, to disclose condition-specific medical information to an affiliate (including one that also provides consumer reporting services) that would contact individuals about potential contributions to the charity. If the proposed rule were used to preclude or otherwise affect the disclosure of medical information among affiliates where specifically authorized by the individual, it would, in our view, be a very critical misinterpretation of the FCRA, as amended by the FACT Act.

A second possible misinterpretation of the FCRA, as amended, could arise where a HIPAA covered entity is an affiliate or under common ownership with a consumer reporting agency that is subject to the affiliate sharing rules of the FCRA. As noted above, the HIPAA privacy rule establishes comprehensive, national standards for the use and disclosure of health information. The privacy rule regulates not only disclosures of health information to unrelated third parties, but also regulates the use and disclosure of health information by a covered entity – such as a physician group, hospital, health plan, or a clinic – to its affiliates. Indeed, disclosures of health information among affiliates are directly and rigorously regulated by the privacy rule. For example, should commonly owned covered entities desire to treat themselves as a single covered entity for purposes of HIPAA, the affiliated entities must document such designation and comply as a single covered entity with HIPAA's requirements.9 Further, should a covered entity that designates itself as an "affiliated covered entity" perform multiple covered functions (for example, it is both a health care provider and a health plan), then the affiliated covered entity must comply with the HIPAA standards for each of those functions.10 Any failure to comply with these requirements would constitute a violation of HIPAA, punishable by civil and possibly criminal penalties. Likewise, any covered entity that chooses not to designate itself as an affiliated covered entity with commonly owned entities must comply with HIPAA by treating its affiliates in the same manner prescribed for disclosures to unrelated third parties. For example, if a hospital is affiliated with a health insurer, but the two do not formally designate themselves as an affiliated covered entity, then the health information of all the patients of the hospital and all the participants of the health plan will be treated under HIPAA as if the hospital and the insurer were completely unrelated parties. In our view, the sharing of medical information among participating entities that are part of an "affiliated covered entity" is regulated by the privacy rule in a manner that fully satisfies the amended FCRA's concerns regarding confidentiality, and such sharing should not also be subject to the FCRA's provisions regarding affiliate sharing. If a hospital or health plan also happens to be under common ownership with a consumer reporting agency, and if the provisions limiting the sharing of "medical information" were made applicable to the use and disclosure of health information by the health care component of the hospital or health plan, the HIPAA compliance arrangements of these entities would be thrown into jeopardy.

Consequently, we believe that any interpretation of the amended FCRA that does not permit HIPAA covered entities to use and to disclose information to affiliated entities to the full extent permitted under the privacy rule, and without implicating the FCRA's regulation of consumer reports, is not only erroneous under the terms of the FCRA, as amended, but raises unnecessary compliance burdens for entities that already are subject to HIPAA regulation with respect to the very same activity. In light of the foregoing, we strongly encourage each of the regulatory agencies to adopt within Section ---.31(b)(2) of their respective rules the language proposed below.

Proposed Changes Regarding Comment 2:

1. Section ---.31(b)(2)

Current: "For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

Proposed Change: "[For any purpose permitted without authorization] As permitted under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

2. As an alternative to the first proposed change for Comment 2, pursuant to the authority provided under Section ----.31(b)(6) of the proposed rule, the agency should clarify through the issuance of an appropriate order that the special restrictions on sharing medical and medical-related information with affiliates do not apply to information shared "as permitted under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

The Coalition believes that the recommended changes to the proposed rule are both necessary and appropriate to allow for the appropriate sharing of medical and medical-related information. For the reasons provided above, HLC strongly recommends the adoption of the proposed modest changes to the proposed rule, or, in the alternative, the issuance of an order by the agency, in order to ensure the effective implementation and operation of the proposed rule.

Sincerely,

Mary R. Grealy
President


1 Public Law 108-159, 117 Stat. 1952.
2 15 U.S.C. §§ 1681-1681x.
3 Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 ("HIPAA") established new federal requirements for the "administrative simplification" of the transmission, storage, use, and disclosure of health information. The HIPAA privacy rule was promulgated in the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. pts. 160 and 164.
4 15 U.S.C. § 1681b(g)(6). Under HIPAA, the federal law of medical privacy states that state laws apply unless they are specifically preempted as being contrary to and less protective of privacy than the federal standards. HIPAA § 264(c)(2); see also 45 C.F.R. § 160.203.
5 15 U.S.C. § 1681b(g), as amended by section 411(a) of the FACT Act.
6 15 U.S.C. § 1681b(g)(6).
7 15 U.S.C. § 1681b(g)(3)(B). This carve-out under the amended FCRA for information that is disclosed for purposes that are permitted without an authorization (e.g., limited disclosures for treatment, public health reporting) under the HIPAA privacy rule appears on its face not to apply to health information that is disclosed under the HIPAA privacy rule pursuant to an authorization (e.g., research, life insurance applications, employment). However, to treat the two categories of information – disclosures pursuant to an authorization, and disclosures not requiring an authorization – differently under the FCRA, when they are both legitimate and permissible disclosures under the HIPAA privacy rule, is inconsistent with HIPAA's goal of administrative simplification, and indeed will only complicate the implementation and administration of the HIPAA privacy rule.
8 15 U.S.C. § 1681a(d)(3).
9 45 C.F.R. § 164.504(d).
10 45 C.F.R. § 164.504(g).


Last Updated 06/01/2004 regs@fdic.gov
