FDIC Federal Register Citations

[Federal Register: April 28, 2004 (Volume 69, Number 82)]
[Proposed Rules]
[Page 23379-23407]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28ap04-25]


[[Page 23379]]







-----------------------------------------------------------------------


Part V

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Part 41

Office of Thrift Supervision

12 CFR Part 571

-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 222

-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 334

-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 717

-----------------------------------------------------------------------

Fair Credit Reporting Medical Information Regulations; Proposed Rule


[[Page 23380]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 41

[Docket No. 04-09]
RIN 1557-AC85

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Regulation V; Docket No. R-1188]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 334

RIN 3064-AC81

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 571

[No. 2004-16]
RIN 1550-AB88

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 717


Fair Credit Reporting Medical Information Regulations

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); National Credit Union Administration (NCUA).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing
for comment proposed regulations implementing section 411 of the Fair
and Accurate Credit Transactions Act of 2003 (FACT Act). Public Law
108-159, 117 Stat. 1952. The FACT Act substantially amends the Fair
Credit Reporting Act (FCRA or Act), 15 U.S.C. 1681 et seq. Section
411(a) of the FACT Act adds a new section 603(g)(1) to the FCRA to
restrict the circumstances under which consumer reporting agencies may
furnish consumer reports that contain medical information about
consumers. Section 411(a) of the FACT Act also adds a new section
604(g)(2) to the FCRA to prohibit creditors from obtaining or using
medical information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit. The Agencies are required to prescribe regulations that
permit creditors to obtain or use medical information for eligibility
purposes where necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs, consistent
with the Congressional intent to restrict the use of medical
information for inappropriate purposes.
In addition, section 411(b) of the FACT Act adds a new section
603(d)(3) to the FCRA to restrict the sharing of medical information
and related lists or descriptions with affiliates. Specifically,
section 603(d)(3) provides that the standard exclusions from the
definition of ``consumer report'' contained in section 603(d)(2)--such
as sharing transaction or experience information about a consumer among
affiliates or sharing other information among affiliates after
providing the consumer notice and an opportunity to opt-out--do not
apply if medical-related information is disclosed to an affiliate.
Medical-related information includes medical information, an
individualized list or description based on payment transactions for
medical products or services, or an aggregate list of identified
consumers based on payment transactions for medical products or
services. The provisions of section 603(d)(3) do not apply if the
sharing falls within certain exceptions, such as in connection with the
business of insurance or annuities or for any purpose described in
section 502(e) of the Gramm-Leach-Bliley Act (GLB Act), Public Law 106-
102. Section 411(b) authorizes the Agencies to promulgate additional
exceptions by regulation or order, as determined by the Agencies to be
appropriate or necessary.
The Agencies generally provide a 60-day period for the public to
comment on the burdens associated with proposed rules. In this case,
however, the Agencies believe that a 30-day comment period is
appropriate because the statute was enacted in December 2003 and
imposes a statutory deadline for the final rule of June 4, 2004.

DATES: Comments must be received by May 28, 2004.

ADDRESSES: Comments should be directed to:
OCC: You should designate OCC in your comment and include Docket
Number 04-09. Because paper mail in the Washington, DC, area and at the
OCC may be subject to delays, please submit your comments by e-mail or
fax whenever possible. You may submit comments by any of the following
methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.

OCC Web site: http://www.occ.treas.gov. Click on
``Contact the OCC,'' scroll down and click on ``Comments on proposed
regulations.''
Fax: (202) 874-4448.
Mail: Office of the Comptroller of the Currency,
250 E Street, SW., Public Information Room, Mail Stop 1-5, Washington,
DC 20219.
Hand Delivery/Courier: 250 E Street, SW., Attn:
Public Information Room, Mail Stop 1-5, Washington, DC 20219.
Instructions: All submissions received must include the agency name
(OCC) and docket number or Regulatory Information Number (RIN) for this
notice of proposed rulemaking. In general, the OCC will enter all
comments received into the docket without change, including any
business or personal information that you provide.
Docket: For access to the docket to read
background documents or comments received you may:
View docket information in person: You may
personally inspect and photocopy docket information at the OCC's Public
Information Room, 250 E Street, SW., Washington, DC. You can make an
appointment to inspect the docket by calling (202) 874-5043.
View docket information electronically: You may
request that we send electronic copies of docket information to you via
e-mail or mail you a CD-ROM containing electronic copies by contacting
the OCC at regs.comments@occ.treas.gov.
Request copies: You may request copies of docket
information by fax at (202) 874-4448, mailing the OCC at 250 E Street,
SW., Attn: Public Information Room, Mail Stop 1-5, Washington, DC
20219, or by contacting us at (202) 874-5043.
Board: You may submit comments, identified by Docket No. R-1188, by
any of the following methods:

Agency Web site: http://www.federalreserve.gov.
Follow the instructions for submitting comments at
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.

Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.

E-mail: regs.comments@federalreserve.gov.
Include docket number in the subject line of the message.

[[Page 23381]]

Fax: 202/452-3819 or 202/452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of
Governors of the Federal Reserve System, 20th Street and Constitution
Avenue, NW., Washington, DC 20551.
All public comments are available from the Board's Web site at
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted,
except as necessary for technical reasons. Accordingly, your comments
will not be edited to remove any identifying or contact information.
Public comments may also be viewed electronically or on paper in Room
MP-500 of the Board's Martin Building (20th and C Streets, NW.) between
9 a.m. and 5 p.m. on weekdays.
FDIC: You may submit comments, identified by RIN number by any of
the following methods:
Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html.
Follow instructions for submitting comments on the Agency Web site.
E-Mail: Comments@FDIC.gov. Include the RIN
number in the subject line of the message.
Mail: Robert E. Feldman, Executive Secretary,
Attention: Comments, Federal Deposit Insurance Corporation, 550 17th
Street, NW., Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear
of the 550 17th Street Building (located on F Street) on business days
between 7 a.m. and 5 p.m.
Instructions: All submissions received must
include the agency name and RIN for this rulemaking. All comments
received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html
including any personal information provided.
OTS: You may submit comments, identified by docket number 2004-16,
by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.

E-mail address: regs.comments@ots.treas.gov.
Please include docket number 2004-16 in the subject line of the message
and include your name and telephone number in the message.
Fax: (202) 906-6518.
Mail: Regulation Comments, Chief Counsel's
Office, Office of Thrift Supervision, 1700 G Street, NW., Washington,
DC 20552, Attention: No. 2004-xx.
Hand Delivery/Courier: Guard's Desk, East Lobby
Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days,
Attention: Regulation Comments, Chief Counsel's Office, Attention: No.
2004-xx.
Instructions: All submissions received must include the agency name
and docket number or Regulatory Information Number (RIN) for this
rulemaking. All comments received will be posted without change to the
OTS Internet site at http://www.ots.treas.gov, including any personal
information provided.
Docket: For access to the docket to read background documents or
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1.
In addition, you may inspect comments at the Public Reading Room, 1700 G
Street, NW., by appointment. To make an appointment for access, call
(202) 906-5922, send an e-mail to public.info@ots.treas.gov, or send a
facsimile transmission to (202) 906-7755. (Prior notice identifying the
materials you will be
requesting will assist us in serving you.) We schedule appointments on
business days between 10 a.m. and 4 p.m. In most cases, appointments
will be available the next business day following the date we receive a
request.
NCUA: You may submit comments by any of the following methods
(Please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.

NCUA Web site: http://www.ncua.gov/news/proposed_regs/proposed_regs.html.
Follow the instructions for submitting comments.
E-mail: Address to regcomments@ncua.gov. Include
``[Your name] Comments on Proposed Rule Part 717, Fair Credit
Reporting--Medical Information'' in the e-mail subject line.
Fax: (703) 518-6319. Use the subject line
described above for e-mail.
Mail: Address to Becky Baker, Secretary of the
Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
Hand Delivery/Courier: Becky Baker, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.

FOR FURTHER INFORMATION CONTACT:
OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael
Bylsma, Director, or Stephen Van Meter, Assistant Director, Community
and Consumer Law, (202) 874-5750; Patrick T. Tierney, Attorney,
Legislative and Regulatory Activities Division, (202) 874-5090; or
Carol Turner, Compliance Specialist, Compliance Department, (202) 874-
4858, Office of the Comptroller of the Currency, 250 E Street, SW.,
Washington, DC 20219.
Board: David A. Stein, Counsel; Minh-Duc T. Le, Ky Tran-Trong, or
Krista P. DeLargy, Senior Attorneys, Division of Consumer and Community
Affairs, (202) 452-3667 or (202) 452-2412; or Andrew Miller, Counsel,
Legal Division, (202) 452-3428, Board of Governors of the Federal
Reserve System, 20th and C Streets, NW., Washington, DC 20551.
FDIC: Robert A. Patrick, Counsel, (202) 898-3757, or Richard M.
Schwartz, Counsel, Legal Division, (202) 898-7424; David LaFleur,
Policy Analyst, (202) 898-6569, or Patricia Cashman, Senior Policy
Analyst, Division of Supervision and Consumer Protection, (202) 898-
6534, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Elizabeth Baltierra, Program Analyst (Compliance), Compliance
Policy, (202) 906-6540; Richard Bennett, Counsel (Banking and Finance),
(202) 906-7409; or Paul Robin, Special Counsel, Regulations and
Legislation Division, (202) 906-6648, Office of Thrift Supervision,
1700 G Street, NW., Washington, DC 20552.
NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel,
(703) 518-6540, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.

SUPPLEMENTARY INFORMATION:

I. Background

On December 4, 2003, the President signed into law the FACT Act,
which amends the FCRA. Public Law 108-159, 117 Stat. 1952. In general,
the FACT Act contains provisions designed to enhance the ability of
consumers to combat identity theft, increase the accuracy of consumer
reports, and allow consumers to exercise greater control regarding the
type and amount of marketing solicitations they receive. Section 411 of
the FACT Act limits the ability of creditors to obtain or use, of
consumer reporting agencies to disclose, and of affiliates to share
medical information.
Section 411(a) of the FACT Act adds a new section 604(g)(1) to the
FCRA to restrict the circumstances under which consumer reporting
agencies may furnish consumer reports that contain medical information
about consumers. Specifically, under new section 604(g)(1), a consumer
reporting agency may not furnish a consumer report that contains
medical information about a consumer unless:
(1) The report is furnished in connection with an insurance
transaction, and the consumer

[[Page 23382]]

affirmatively consents to the furnishing of the report;
(2) The report is furnished for employment purposes or in
connection with a credit transaction, the information to be furnished
is relevant to process or effect the employment or credit transaction,
and the consumer provides specific written consent for the furnishing
of the report that describes in clear and conspicuous language the use
for which the information will be furnished; or
(3) The information to be furnished pertains solely to
transactions, accounts, or balances relating to debts arising from the
receipt of medical services, products, or devices, where such
information, other than account status or amounts, is restricted or
reported using codes that do not identify, or do not provide
information sufficient to infer, the specific provider or the nature of
such services, products, or devices.
Section 411(c) of the FACT Act revises the definition of ``medical
information'' in section 603(i) to mean information or data, whether
oral or recorded, in any form or medium, created by or derived from a
health care provider or the consumer, that relates to the past,
present, or future physical, mental, or behavioral health or condition
of an individual, the provision of health care to an individual, or the
payment for the provision of health care to an individual. The
definition further provides that the term ``medical information'' does
not include the age or gender of a consumer, demographic information
about the consumer, including a consumer's residence address or e-mail
address, or any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
Section 411(a) also amends the FCRA by adding new section 604(g)(2)
to prohibit creditors from obtaining or using medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit. Section
604(g)(2) contains two independent prohibitions--a prohibition on
obtaining medical information and a prohibition on using medical
information. The statute contains no prohibition, however, on obtaining
or using medical information other than in connection with a
determination of the consumer's eligibility, or continued eligibility,
for credit. Thus, section 604(g)(2) does not prohibit a creditor from
obtaining medical information for employment purposes, in connection
with a determination of a consumer's eligibility for an insurance
product or through processing payments for a consumer, maintaining a
consumer's account, or performing similar functions. Nevertheless, a
creditor that obtains medical information in these circumstances may
not use that information in connection with a determination of the
consumer's eligibility, or continued eligibility, for credit. For
example, medical information about a consumer obtained and used by a
creditor for employment purposes may not subsequently be used in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit. New section 604(g)(5)(A) requires
the Agencies to prescribe regulations that permit transactions that are
determined to be necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs (including
administrative verification purposes), consistent with congressional
intent to restrict the use of medical information for inappropriate
purposes.
Section 411(b) of the FACT Act adds a new section 603(d)(3) to the
FCRA to restrict the sharing of medical-related information with
affiliates if that information meets the definition of ``consumer
report'' in section 603(d)(1) of the FCRA. Specifically, section
603(d)(3) provides that the standard exclusions from the definition of
``consumer report'' contained in section 603(d)(2)--such as sharing
transaction or experience information among affiliates or sharing other
eligibility information among affiliates after notice and an
opportunity to opt-out--do not apply if medical-related information is
disclosed to an affiliate. Medical-related information includes medical
information, as described above, as well as an individualized list or
description based on payment transactions for medical products or
services, and an aggregate list of identified consumers based on
payment transactions for medical products or services.
New section 604(g)(3) provides several exceptions that allow
creditors to disclose medical information to affiliates according to
the same rules that apply to other non-medical information. In
particular, section 604(g)(3) provides that medical-related information
that is transaction or experience information or that is subject to the
FCRA affiliate sharing opt-out provisions or other standard exclusions
in section 603(d)(2) may be shared with an affiliate of the creditor if
the information is disclosed to an affiliate:
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
Standards for Individually Identifiable Health Information promulgated
by the Department of Health and Human Services (HHS) pursuant to the
Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(3) For any purpose referred to under section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act; or
(5) As otherwise determined to be necessary and appropriate, by
regulation or order, by the Federal Trade Commission (FTC), the
Agencies, or an applicable State insurance authority.
Section 604(g)(4), as added by section 411(a)(4) of the FACT Act,
also provides that any person that receives medical information from an
affiliate pursuant to an exception in section 604(g)(3) or from a
consumer reporting agency under section 604(g)(1) must not disclose
such information to any other person, except as necessary to carry out
the purpose for which the information was initially disclosed, or as
otherwise permitted by statute, regulation, or order.

II. Proposed Rule

The rule proposed by the Agencies would do two things. First, the
proposed regulations would create exceptions to the general prohibition
against obtaining or using medical information in connection with
credit eligibility determinations, as required by section 604(g)(5)(A).
The Agencies believe the proposed exceptions are necessary and
appropriate to protect legitimate operational, transactional, risk,
consumer, and other needs (including administrative verification
purposes), and are consistent with the congressional intent to restrict
the use of medical information for inappropriate purposes. Second, the
proposed regulations would, as permitted by section 604(g)(3)(C),
create additional exceptions to the special restrictions in section
603(d)(3) on sharing medical-related information with affiliates that
the Agencies believe are necessary and appropriate. The proposed
regulations are discussed in more detail in the Section-by-Section
Analysis below. The Agencies invite comment on all aspects of the
proposal.

[[Page 23383]]

III. Section-by-Section Analysis

Section ----.1 Purpose, Scope, and Effective Dates

Proposed Sec. ----.1(b)(2) describes the institutions covered by
the provisions of the regulations of each of the respective Agencies.

Section ----.2 Examples

Proposed Sec. ----.2 discusses the scope and effect of the
examples included in the proposed regulation.

Section ----.3 Definitions

Proposed Sec. ----.3 contains definitions for the terms
``affiliate'' (as well as the related terms ``company'' and
``control''), ``consumer,'' ``medical information,'' and ``you.''
Affiliate
Several FCRA provisions apply to information sharing with persons
``related by common ownership or affiliated by corporate control,''
``related by common ownership or affiliated by common corporate
control,'' or ``affiliated by common ownership or common corporate
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2).
Section 2 of the FACT Act defines the term ``affiliate'' to mean
persons that are related by common ownership or affiliated by corporate
control. Proposed paragraph (b) simplifies these various formulations
by defining ``affiliate'' to mean any company that controls, is
controlled by, or is under common control with another company. The
proposed definition is identical to the definition of ``affiliate'' in
the GLB Act privacy regulations.\1\ Consistent with the definitions in
the privacy regulations and the practical application of the FCRA, the
proposal uses a definition of ``control'' that applies exclusively to
the control of a ``company,'' and defines ``company'' to include any
corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization. See proposed
paragraphs (d) (``company'') and (i) (``control'').\2\ The definition
of ``company'' omits some entities that are ``persons'' under the
FCRA--individuals, estates, cooperatives, governments, and government
in which ``control'' could be exercised over individuals, government
agencies, and other persons that do not fit within the definition of
``company.''
---------------------------------------------------------------------------

\1\ For purposes of the proposed regulation, an ``affiliate''
includes an operating subsidiary of a bank or savings association,
and a credit union service organization that is controlled by a
federal credit union.
\2\ For purposes of the proposed regulation, NCUA will presume a
federal credit union has a controlling influence over the management
or policies of a credit union service organization if it is 67
percent owned by credit unions.
---------------------------------------------------------------------------

Medical Information
Under proposed paragraph (k), the term ``medical information''
means information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to (1) the past, present, or future physical,
mental, or behavioral health or condition of an individual; (2) the
provision of health care to an individual; or (3) the payment for the
provision of health care to an individual. The term ``medical
information'' does not include the age or gender of a consumer,
demographic information about the consumer, including a consumer's
residence address or e-mail address, or any other information about a
consumer that does not relate to the physical, mental, or behavioral
health or condition of a consumer, including the existence or value of
any insurance policy. The proposal tracks the statutory definition of
``medical information.''
Creditors are reminded that other laws, such as the Americans with
Disabilities Act, the Fair Housing Act, the GLB Act, and other parts of
the FCRA, may limit or regulate the use, collection, and sharing of
consumer information, including medical information. In particular,
these and other laws, such as the Equal Credit Opportunity Act, also
may prohibit creditors from using certain information that is excluded
from the restrictions on obtaining or using medical information, such
as age or gender information, in determining eligibility for credit or
for other purposes.

Section ----.30 Obtaining and Using Medical Information in Connection
With a Determination of Eligibility for Credit

Section 411(a) of the FACT Act adds a broad new limitation on the
ability of creditors to obtain medical information in connection with
credit eligibility determinations or to use medical information in
connection with credit eligibility determinations. Specifically, new
section 604(g)(2) provides that, except as permitted by regulations, a
creditor shall not obtain or use medical information pertaining to a
consumer in connection with any determination of the consumer's
eligibility, or continued eligibility, for credit.
A. General Prohibition on Obtaining or Using Medical Information
Proposed Sec. ----.30 contains the rules on obtaining or using
medical information in connection with a determination of a consumer's
eligibility, or continued eligibility, for credit. Proposed paragraph
(a)(1) incorporates the general rule prohibiting creditors from
obtaining or using medical information pertaining to a consumer in
connection with any determination of a consumer's eligibility, or
continued eligibility, for credit, except as provided in the
regulations under Subpart D. The consumer's eligibility for credit
typically would be determined when an initial decision is made on
whether to grant or deny credit to the consumer. A determination of a
consumer's continued eligibility for credit may also include decisions
whether to terminate an account or adjust a credit limit following an
account review.
Proposed paragraph (a)(2) clarifies the definition of certain terms
used in Subpart D, including ``credit'' and ``creditor.'' In addition,
paragraph (a)(2) provides that the phrase ``eligibility, or continued
eligibility, for credit'' means the consumer's qualification or fitness
to receive, or continue to receive, credit, including the terms on
which credit is offered, primarily for personal, family, or household
purposes.
The paragraph also clarifies that the phrase ``eligibility, or
continued eligibility, for credit'' does not include the consumer's
qualification or fitness to be offered employment, insurance products,
or other non-credit products or services. Similarly, ``eligibility, or
continued eligibility, for credit'' does not include a determination of
whether the provisions of a debt cancellation contract, debt suspension
agreement, credit insurance product, or similar forbearance practice or
program are triggered. A forbearance practice or program may include
circumstances in which a creditor allows a consumer to skip one or more
scheduled payments because the consumer is hospitalized for a medical
condition. For example, if a consumer is hospitalized on an emergency
basis and is temporarily unable to pay his mortgage, the consumer's
daughter may contact the consumer's mortgage lender by telephone,
inform the lender of the consumer's medical condition, and request that
the lender allow the deferral of one or more payments to accommodate
the consumer's particular circumstances. The creditor's use of the
medical information provided by the consumer's daughter to defer one or
more mortgage payments to accommodate the consumer's particular
circumstances would constitute a forbearance that is beyond the scope
of the prohibition.

[[Page 23384]]

Comment is requested on whether it is more appropriate to grant an
exception to permit creditors to obtain and use medical information in
connection with debt cancellation, debt suspension, or credit insurance
products or practices, rather than issuing an interpretation that
obtaining information necessary to trigger coverage under these
products falls outside any determination of eligibility, or continued
eligibility, for credit. In addition, comment is solicited on whether a
separate exception for accommodating the particular medical condition
or circumstances of the consumer should be created in lieu of or in
addition to the interpretation that eligibility, or continued
eligibility, for credit does not include forbearance.
The proposed regulation also provides that the term ``eligibility,
or continued eligibility, for credit'' does not include authorizing,
processing, or documenting a payment or transaction on behalf of a
consumer in a manner that does not involve a determination of the
consumer's eligibility, or continued eligibility, for credit. Finally,
the term ``eligibility, or continued eligibility, for credit'' does not
include maintaining or servicing a consumer's account in a manner that
does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
The Agencies note that section 604(g)(2) contains two distinct
prohibitions--one on obtaining medical information and one on using
medical information. Nothing in the statute prohibits a creditor from
obtaining medical information if the information is not obtained in
connection with a determination of the consumer's eligibility, or
continued eligibility, for credit. Thus, there is no prohibition, for
example, on a creditor obtaining medical information through
authorizing, processing, or documenting a payment or transaction on
behalf of the consumer, or managing or servicing the consumer's
account. Nevertheless, a creditor that has obtained medical information
in these circumstances may not use that information in connection with
a determination of the consumer's eligibility, or continued
eligibility, for credit, unless permitted by an exception provided in
the regulations. However, there is no prohibition in section 411 of the
FACT Act on a person that is a creditor from obtaining or using medical
information for an employment purpose or in connection with a
determination of the consumer's eligibility for an insurance product.
B. Receiving Unsolicited Medical Information
Creditors may receive unsolicited medical information without
specifically asking for such information. This may occur, for example,
when a consumer informs the loan officer that she needs a loan to pay
for treatment for a particular medical condition, or when a consumer,
in response to a general request on a credit application for
information about outstanding debts, lists debts owed to hospitals and
doctors for medical services. The Agencies do not believe that a
creditor violates the prohibition on obtaining medical information when
the creditor does not specifically ask for or request such information,
yet the consumer or other person provides that information to the
creditor. However, because the statutory prohibition on obtaining
medical information could be interpreted broadly to cover circumstances
in which medical information is obtained by a creditor without asking
for it, the Agencies have proposed a rule of construction to make clear
that a creditor does not violate the prohibition on obtaining medical
information if the creditor receives unsolicited medical information.
Proposed paragraph (b) contains this rule of construction for
receiving unsolicited medical information. Under proposed paragraph
(b)(1), a creditor does not obtain medical information for purposes of
proposed paragraph (a)(1) if it receives medical information pertaining
to a consumer in connection with any determination of the consumer's
eligibility, or continued eligibility, for credit without specifically
requesting medical information, and does not use that information in
determining whether to extend credit to the consumer and the terms on
which credit is offered or continued. Paragraph (b)(2) provides
examples for guidance. The Agencies seek comment on the appropriateness
of this rule of construction and on whether this provision should be
drafted as an exception to the general prohibition, rather than as a
rule of construction.

C. Financial Information Exception for Obtaining and Using Medical
Information

As noted above, new section 604(g)(5)(A) of the Act gives the
Agencies the authority to prescribe regulations, after notice and
opportunity for comment, to permit creditors to obtain and use medical
information in connection with determinations of credit eligibility
that the Agencies determine to be necessary and appropriate to protect
legitimate operational, transactional, risk, consumer, and other needs
(including actions necessary for administrative verification purposes),
consistent with the intent of the statute to restrict the use of
medical information for inappropriate purposes. Applying this standard,
the Agencies believe it is necessary and appropriate to permit
creditors to obtain and use medical information in a number of
circumstances.
Proposed Sec. Sec. ----.30(c)-(d) contain exceptions to the
general prohibition on creditors obtaining or using medical
information. Proposed paragraph (c) contains the first exception, and
provides that a creditor may obtain and use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit so long as
the following three elements are met. First, the information must
relate to debts, expenses, income, benefits, collateral, or the purpose
of the loan, including the use of proceeds. Second, the creditor must
use the information in a manner and to an extent no less favorable than
it would use comparable information that is not medical information in
a credit transaction. Third, the creditor must not take the consumer's
physical, mental, or behavioral health, condition or history, type of
treatment, or prognosis into account as part of any such determination
of credit eligibility. This three-part test strikes a balance between
permitting creditors to obtain and use certain medical information
about consumers when necessary and appropriate to satisfy prudent
underwriting criteria and to ensure that credit is extended in a safe
and sound manner, while restricting the use of medical information for
inappropriate purposes.
The first element of the test identifies certain types of
information, specifically debts, expenses, income, benefits,
collateral, or the purpose of the loan, that a creditor ordinarily
would obtain and evaluate in connection with making a prudent credit
decision, regardless of whether that information is medical or non-
medical information. A creditor should not be prohibited from obtaining
or using information about a debt, for example, in connection with
making a credit decision, just because that debt happens to be for
medical products or services.
The second element of the test provides that the creditor must use
the medical information in a manner and to an extent no less favorable
than it would use comparable, non-medical

[[Page 23385]]

information in a credit transaction. For example, a creditor may deny
credit to the consumer because the consumer owes a debt to a hospital
if the creditor would have denied credit to the consumer if the
consumer had owed the same amount of debt with the same payment history
to a retailer. Nothing in the rule prevents the creditor from treating
information about medical debts (or expenses or income) more favorably
than non-medical debts.
The third element of the test provides that the creditor may not
take the consumer's physical, mental, or behavioral health, condition,
or history, type of treatment, or prognosis into account as part of any
determination of the consumer's eligibility, or continued eligibility,
for credit. For example, the consumer may owe a debt to a hospital or
other facility that specializes in treating a potentially terminal
disease. While the creditor may evaluate the debt to the hospital or
facility in the same manner and to the same extent as it would evaluate
any non-medical debt, the creditor may not take into account the
consumer's individual physical, mental, or behavioral health,
condition, or history, type of treatment, or prognosis in determining
the consumer's eligibility, or continued eligibility for credit, or the
terms under which credit will be offered or continued.
The Agencies seek comment on the financial information exception
outlined in paragraph (c)(1). In particular, the Agencies seek comment
on whether each of the three parts of the exception is necessary and
whether the three parts together strike the right balance between
permitting creditors to obtain and use medical information where
necessary and appropriate to protect legitimate operational,
transactional, risk, consumer, and other needs (including actions
necessary for administrative verification purposes) and restricting the
use of medical information for inappropriate purposes.
Proposed paragraph (c)(2) provides several examples of when
creditors generally may obtain and use medical information under the
financial information exception in proposed paragraph (c)(1). These
examples in proposed paragraph (c)(2) are not exclusive. The Agencies
seek comment on all of the examples in proposed paragraph (c)(2),
including whether any of the examples should be amended or deleted, or
whether additional examples should be provided.
Proposed paragraph (c)(2)(i) provides examples of the circumstances
in which medical information would relate to debts, expenses, income,
benefits, collateral, or the purpose of the loan, including the use of
proceeds. A creditor would, for example, be able to obtain and use
medical information about--
The dollar amount, repayment terms, repayment
history, and similar information regarding medical debts that is used
to calculate, measure, or verify the repayment ability of the consumer,
the use of proceeds, or the terms for granting credit;
The value, condition, and lien status of a
medical device that is used as collateral to secure a loan;
The dollar amount and continued eligibility for
disability income or benefits related to health or a medical condition
that is relied on as a source of repayment; or
The identity of creditors to whom outstanding
medical debts are owed in connection with an application for credit,
including but not limited to a transaction involving the consolidation
of medical debts.
The Agencies propose to include five additional examples to
illustrate uses of medical information consistent and inconsistent with
the financial information exception. Proposed paragraph (c)(2)(ii)
provides examples of uses of medical information that are consistent
with the exception. The first example involves a consumer who includes
two $20,000 debts on an application for credit--one debt to a hospital
and the other to a retailer. The creditor contacts the hospital and the
retailer in order to verify the amount and payment status of the debts
and learns that both are more than 90 days past due. Any two debts of
this size that are past due would disqualify the consumer under the
creditor's established underwriting criteria. The creditor decides to
deny the application on the basis of the consumer's poor repayment
history on outstanding debts. Under these circumstances, the creditor
obtains and uses information about medical debts the same way it uses
information about non-medical debts. Accordingly, the creditor has used
medical information in a manner consistent with the exception.
In the second example, a consumer indicates on an application for a
$200,000 mortgage loan that she receives $15,000 in long-term
disability income each year from her former employer and has no other
income. Annual income of $15,000, regardless of source, would not be
sufficient to support the requested amount of credit. The creditor
denies the application on the basis that the projected debt-to-income
ratio of the consumer does not meet the creditor's underwriting
criteria. In this example, the creditor analyzes the long-term
disability income, which is medical information, the same way it would
analyze any other income information of a potential borrower.
The third example in proposed paragraph (c)(2)(ii) involves a
consumer who includes on an application for a $10,000 home equity loan
that he has a $50,000 debt to a medical facility that specializes in
treating a potentially terminal disease. The creditor contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan, and learns that the debt is current and
that the applicant meets the income requirements of the creditor's
underwriting guidelines. The creditor grants the application. The
creditor has used medical information in accordance with the exception.
Proposed paragraph (c)(2)(iii) provides two examples of uses of
medical information that are inconsistent with the exception. The first
example involves a consumer who includes on an application for $25,000
of credit information about a $50,000 debt to a hospital. The creditor
contacts the hospital to verify the amount and payment status of the
debt and learns that the debt is current and that the consumer has no
delinquencies in her repayment history. If the existing debt were
instead owed to a home furnishing retailer, the creditor would approve
the application and extend credit based on the amount and repayment
history of the outstanding debt. The creditor, however, denies the
application because the consumer is indebted to a hospital. The
creditor has used medical information, here the identity of the medical
creditor, in a manner and to an extent that is less favorable than it
would use comparable non-medical information.
In the second example in proposed paragraph (c)(2)(iii), a consumer
meets with a loan officer of a creditor to apply for a mortgage loan.
While filling out the loan application, the consumer informs the loan
officer orally that she has a potentially terminal disease. The
consumer meets the creditor's established requirements for the
requested mortgage. The loan officer recommends to the credit committee
that the consumer be denied credit because the consumer has that
disease. The creditor has used medical information in a manner
inconsistent with the exception by taking into account the consumer's
physical, mental, or behavioral health, condition, or history, type of
treatment, or prognosis as part of a determination of

[[Page 23386]]

eligibility or continued eligibility for credit.

D. Specific Exceptions for Obtaining and Using Medical Information

Proposed paragraph (d) contains specific exceptions to the general
prohibition to allow creditors to obtain and use medical information
for a limited number of particular purposes. The Agencies request
comment on whether each of these specific exceptions is necessary and
appropriate and, if so, whether they are properly defined.
Proposed paragraph (d)(1)(i) provides that a creditor may obtain
and use medical information to determine whether the use of a power of
attorney or legal representative is necessary and appropriate. This
exception would permit a creditor to verify, in connection with a
credit eligibility determination, that the exercise of a power of
attorney or legal representative is triggered by the consumer's medical
condition.
Under proposed paragraph (d)(1)(ii), a creditor may also use
medical information to comply with applicable requirements of local,
state, or federal laws. For example, some state laws may require
creditors to consider medical information in certain circumstances to
protect populations that may be vulnerable to financial abuse by
caregivers. This exception would permit creditors to obtain and use
medical information to comply with those laws.
Proposed paragraph (d)(1)(iii) provides that a creditor may also
obtain and use medical information to the extent such information is
included in a consumer report from a consumer reporting agency in
accordance with section 604(g)(1)(B) of the FCRA, and is used for the
purpose for which the consumer provided specific written consent. As
noted above, section 411 of the FACT Act prevents consumer reporting
agencies from furnishing consumer reports containing medical
information, except under specified circumstances. Consumer reports
must be furnished with coding that blocks the identity of the provider
of medical information and the nature of the services, products, or
devices, unless a consumer provides a consumer reporting agency with
specific written consent to furnish a report to a creditor containing
uncoded medical information. This exception clarifies that a creditor
may obtain uncoded medical information from a consumer reporting agency
in accordance with section 604(g)(1)(B) of the FCRA, and use that
information for the purpose for which the consumer provided specific
written consent.
The Agencies have not proposed a separate exception for obtaining
and using consumer reports in accordance with section 604(g)(1)(C) of
the FCRA, which relates to consumer reports containing coded medical
information. The Agencies do not believe that it is necessary to
propose a separate exception.
The Agencies have considered three options that would allow
creditors to obtain and use consumer reports containing the information
described in section 604(g)(1) of the FCRA. The Agencies have
considered whether the definition of ``medical information'' may be
interpreted in a manner that would exclude the coded information that
may be furnished under section 604(g)(1)(C) of the Act. This approach
would permit all creditors to obtain consumer reports with coded
information (but not consumer reports with uncoded medical information
furnished under section 604(g)(1)(B)) and use that information in
connection with a determination of the consumer's eligibility, or
continued eligibility, for credit, even in the absence of an exception
in the regulations. This approach is based on a statutory
interpretation that such coded information would not relate to the
physical, mental, or behavioral health of the consumer, and thus, is
not medical information.
The Agencies also have considered whether section 604(g) or other
provisions of the FCRA may be interpreted in such a manner that no
exception would be necessary to permit creditors to obtain and use
medical information in consumer reports furnished by consumer reporting
agencies in accordance with section 604(g)(1). For example, the
Agencies have considered whether the broad prohibition in section
604(g)(2) on obtaining and using medical information in credit
eligibility determinations may be construed as being qualified by the
specific provisions in section 604(g)(1) that authorize consumer
reporting agencies to furnish consumer reports containing medical
information under certain limited circumstances. This possible
interpretation would be based on the Agencies' observation that (1) it
is unlikely that Congress would permit consumer reporting agencies to
furnish consumer reports containing medical information in connection
with credit transactions without permitting creditors to obtain and use
these reports, and (2) in these circumstances, Congress may well have
provided the consumer protections it deemed necessary by specifying the
limitations under which consumer reporting agencies could furnish
reports containing medical information.
The Agencies also have considered whether creditors who intend to
obtain and use this coded medical information would be able to do so in
accordance with the financial information exception in Sec. ----.30(c)
of the proposed regulations. Coded medical information relates to
medical debts, and the creditor may use debt information in making
credit eligibility determinations in a manner and to an extent that is
no less favorable than it would use comparable information that is not
medical information. In addition, because the medical information is
coded as prescribed in the FCRA, it would not provide the creditor with
specific information regarding the consumer's health, condition,
history, type of treatment, or prognosis (which may not be taken into
account under the financial information exception in proposed
Sec. ----.30(c)(1)(iii)).
The Agencies also note that the rule of construction in Sec. ----.30(b)
of the proposed regulations would enable creditors to receive
consumer reports containing coded medical information without violating
the limit on ``obtaining'' medical information prescribed by section
604(g)(2) of the FCRA, so long as they do not use that medical
information in making credit eligibility determinations.
The Agencies specifically request comment on the most appropriate
way in which to deal with information contained in consumer reports,
and related matters. In particular, comment is requested on these three
approaches.
A creditor may also obtain and use medical information for purposes
of fraud prevention and detection under proposed paragraph (d)(1)(iv).
Comment is solicited as to whether and to what extent it is necessary
for creditors to obtain and use medical information for purposes of
fraud prevention and detection in connection with the determination of
a consumer's credit eligibility and whether the exception could be
narrowed to prevent the unnecessary use of medical information without
compromising legitimate fraud prevention and detection programs.
Proposed paragraph (d)(1)(v) provides that a creditor may obtain
and use medical information in the case of credit for the purpose of
financing medical products or services to determine and verify the
medical purpose of a loan and the use of proceeds. Certain creditors
have established specialized loan programs that finance specific
medical procedures, such as vision correction

[[Page 23387]]

surgery, but not others. In such cases, the creditor may need to obtain
and use medical information in connection with determining whether the
purpose of the loan is within the scope of the creditor's established
loan program. Proposed paragraph (d)(2) provides examples of this
exception. The Agencies invite comment on whether the medical purpose
financing exception strikes the appropriate balance between satisfying
the legitimate needs of medical finance creditors and the intent of
Congress to limit the use of medical information in credit eligibility
determinations.
Proposed paragraph (d)(1)(vi) provides that a creditor may obtain
and use medical information if the consumer or the consumer's legal
representative requests in writing, on a separate document signed by
the consumer or the consumer's legal representative, that the creditor
use specific medical information for a specific purpose in determining
the consumer's eligibility, or continued eligibility, for credit, to
accommodate the consumer's particular circumstances. The signed,
written request must describe the specific medical information that the
consumer requests the creditor to use and the specific purpose for
which the information will be used. This exception is designed to
accommodate the particular medical condition or circumstances of the
individual consumer and is not intended to allow creditors to obtain
consent on a routine basis or as a part of loan applications or
documentation. This exception would not be met by a form that contains
a pre-printed description of various types of medical information and
the uses to which it might be put. Instead, it contemplates an
individualized process in which the consumer informs the creditor about
the specific medical information that the consumer would like the
creditor to use and for what purpose. Proposed paragraph (d)(3)
provides examples of this consumer request exception.
The Agencies seek comment on the need for a broader exception to
permit creditors to make a ``medical accommodation'' where individual
circumstances may warrant such an accommodation. The Agencies note that
forbearance practices and programs, as discussed in the explanation of
paragraph (a)(2) above, would permit creditors to take into account a
consumer's medical condition to defer scheduled payments or take
certain other actions on existing accounts as a medical accommodation
to the consumer. Comment is requested on whether forbearance plus the
consumer request exception provides sufficient flexibility to provide
medical accommodations to consumers.
The Agencies also request comment on whether the procedural aspects
of the consumer request exception (i.e., the request must be in
writing, on a separate form signed by the consumer or the consumer's
legal representative) would unnecessarily hinder the ability of a
creditor to make a medical accommodation where a consumer's medical
condition and financial circumstances may justify such an
accommodation, or whether these procedures are necessary to protect
consumers.
The Agencies seek comment on whether there is a need to establish
an exception for consumer consent whereby a creditor could request that
a consumer consent to the specific use of the consumer's medical
information. If so, the Agencies request specific comment on when this
exception might be used and how the exception should be fashioned to
ensure appropriate consumer protection.
Finally, proposed paragraph (d)(1)(vii) provides that a creditor
may obtain and use medical information as otherwise permitted by order
of the appropriate agency.

E. Limits on Redisclosure

Proposed paragraph (e) incorporates the statutory provision
regarding the limits on redisclosure of medical information. This
paragraph provides that a person that receives medical information
about a consumer from a consumer reporting agency or an affiliate is
prohibited from disclosing that information to any other person, except
as necessary to carry out the purposes for which the information was
initially disclosed, or as otherwise permitted by statute, regulation,
or order.

F. Request for Comment

The Agencies solicit comment on each of the proposed provisions of
Sec. ----.30. Specifically, the Agencies request comment as to whether
each of the proposed exceptions is, in fact, necessary and appropriate
to protect legitimate operational, transactional, risk, consumer, and
other needs (including actions necessary for administrative
verification purposes), and consistent with the intent of Congress to
restrict the use of medical information for inappropriate purposes.
Comment is also requested on the examples used in this section and
whether additional or different examples should be included.
The Agencies also invite comment on whether any additional or
different exceptions should be included in the final regulation.
Commenters that recommend additional or different exceptions should
explain why the exception is necessary and appropriate to protect
legitimate operational, transactional, risk, consumer, and other needs,
and is consistent with the intent of Congress to restrict the use of
medical information for inappropriate purposes.

Section ----.31 Sharing Medical Information With Affiliates

Section ----.31(a) provides that the standard exclusions from the
definition of ``consumer report'' contained in section 603(d)(2) of the
Act--including the exclusions for sharing transaction or experience
information among affiliates or sharing other eligibility information
among affiliates after notice and an opportunity to opt-out--do not
apply if medical information, an individualized list or description
based on payment transactions for medical products or services, or an
aggregate list or description based on payment transactions for medical
products or services is disclosed to an affiliate.
Paragraph (b) provides that the special restrictions on sharing the
information outlined in paragraph (a) with affiliates do not apply, and
the standard exclusions from the definition of consumer report remain
in effect, if the information is disclosed to an affiliate in certain
circumstances. Paragraph (b) incorporates the four statutory exceptions
from section 604(g)(3)(A) and (B) of the Act.
The first exception is when the information described in paragraph
(a) is shared with an affiliate in connection with the business of
insurance or annuities (including the activities described in section
18B of the model Privacy of Consumer Financial and Health Information
Regulation issued by the National Association of Insurance
Commissioners, as in effect on January 1, 2003). The second exception
is when the information described in paragraph (a) is shared with an
affiliate for any purpose permitted without authorization under the
Standards for Individually Identifiable Health Information promulgated
by the Department of Health and Human Services (HHS) pursuant to the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The third exception is when the information described in paragraph
(a) is shared with an affiliate for any purpose referred to under
section 1179 of HIPAA. Section 1179 of HIPAA provides that to the
extent that an entity is engaged in activities of a financial
institution or is engaged in authorizing,

[[Page 23388]]

processing, clearing, settling, billing, transferring, reconciling or
collecting payments for a financial institution, the HIPAA standards
and requirements do not apply to the entity with respect to such
activities. Section 1179 also provides as an example of a use or
disclosure of information not covered by that statute, the use or
disclosure of information for authorizing, processing, clearing,
settling, billing, transferring, reconciling, or collection, a payment
for, or related to, health care premiums or health care. For purposes
of this rulemaking, the phrase ``purposes referred to under section
1179'' means, at a minimum, authorizing, processing, clearing,
settling, billing, transferring, reconciling or collecting payments.
The fourth exception is when the information described in paragraph
(a) is shared with an affiliate for any purpose described in section
502(e) of the GLB Act. The Agencies note that some of the purposes
described in section 502(e) of the GLB Act may be germane to the
sharing of information among affiliates--for example, sharing with the
consent of the consumer, for fraud prevention purposes, or as necessary
to effect, administer, or enforce a transaction requested or authorized
by the consumer--while other purposes described in section 502(e) are
not--for example, sharing information with law enforcement or
regulatory authorities.
In addition to the statutory exceptions, paragraph (b) also
contains two additional exceptions that the Agencies believe are
necessary and appropriate. Paragraph (b)(5) provides that the special
restrictions on sharing the information described in paragraph (a) with
affiliates do not apply, and the standard exclusions from the
definition of consumer report remain in effect, if the information is
disclosed to an affiliate in connection with a determination of the
consumer's eligibility, or continued eligibility, for credit consistent
with Sec. ----.30 of this subpart. The Agencies believe it is
necessary and appropriate to allow an affiliate to share medical
information with another affiliate that obtains or uses it consistent
with Sec. ----.30.
Paragraph (b)(6) provides that the special restrictions on sharing
medical-related information with affiliates do not apply if otherwise
permitted by order of the appropriate agency. This exception
incorporates the authority delegated to the Agencies by Congress to
create exceptions through orders.
The Agencies note that prohibitions on obtaining or using medical
information in Sec. ----.30 operate independent of the exceptions that
permit the sharing of that information among affiliates in accordance
with the provisions of section 603(d)(2) of the Act. For example, if a
mortgage lender has obtained and used medical information in accordance
with one of the exceptions in Sec. ----.30(c) or (d), the mortgage
lender may share that information with its credit card affiliate
without becoming a consumer reporting agency if one of the exceptions
in Sec. ----.31(b) applies. However, the credit card affiliate may not
obtain or use that information in connection with any determination of
the consumer's eligibility, or continued eligibility, for credit,
unless consistent with Sec. ----.30.
The Agencies invite comment on the exceptions included in proposed
Sec. ----.31(b). Specifically, comment is solicited on whether
additional or different exceptions are necessary and appropriate.

Additional Issues

The statute provides that the final rules shall take effect on the
later of 90 days after the rules are issued in final form, or the date
specified in the regulations. Comment is requested on whether an
effective date of 90 days after the final rules are issued is
appropriate or whether a different effective date should be
established.

III. Regulatory Analysis

Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3506; 5 CFR 1320), the Agencies reviewed the proposed rule to implement
section 411 of the Fair and Accurate Credit Transactions Act of 2003 as
required by the Office of Management and Budget. No collections of
information pursuant to the Paperwork Reduction Act are contained in
the proposed rule.

Initial Regulatory Flexibility Analysis

OCC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA)
requires an agency to either provide an Initial Regulatory Flexibility
Analysis with a proposed rule or certify that the proposed rule will
not have a significant economic impact on a substantial number of small
entities (defined for purposes of the RFA to include banks with less
than $150 million in assets).

A. Reasons for Proposed Rule

Section 411 of the FACT Act requires the OCC, together with the
other Agencies, to publish rules that are determined to be necessary
and appropriate to protect legitimate operational, transactional, risk,
consumer, and other needs, including actions necessary for
administrative verification, consistent with the intent of the section
to restrict the use of medical information for inappropriate purposes,
that permit the use of medical information in connection with any
determination of a consumer's eligibility, or continued eligibility for
credit. Section 411 also authorizes the OCC to issue regulations that
are determined to be necessary and appropriate so as to exclude medical
information shared by a covered entity with an affiliate from the
definition of a consumer report in section 603(d) of the Fair Credit
Reporting Act, and to address the reuse and redisclosure of medical
information.
The OCC does not expect that this rule, if adopted, would have a
significant economic impact on small entities. The proposed rule
implements section 411 of the FACT Act and imposes only minimal
economic impact on national banks. The proposed rule would create
exceptions to the FACT Act's prohibition against national banks
obtaining and using a consumer's medical information in connection with
credit determinations. Additionally, the proposed rule would implement
the FACT Act's restrictions on the sharing of medical information among
affiliates and would include exceptions to permit the sharing of
medical information in certain circumstances. The proposed rule would
apply to all national banks that obtain or use medical information in
connection with credit determinations, regardless of bank size.
However, it is likely that small national banks, because of the nature
and size of their operations, will encounter fewer instances where they
might obtain or use medical information. Therefore, no group of
national banks, particularly small national banks, is expected to
encounter a significant economic impact. However, the OCC invites
comment on whether these assumptions are correct. Also, the OCC invites
comment on the burden that likely will result on small institutions
from this rulemaking, and has prepared the following analysis.
B. Statement of Objectives and Legal Basis
The objectives of the proposed rule are described in the
SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To
implement the general statutory prohibition on creditors obtaining and
using medical information in connection with credit eligibility
determinations; (2) to fulfill the statutory mandate to prescribe
regulations that permit creditors to obtain and use medical information
for eligibility purposes when necessary and

[[Page 23389]]

appropriate to protect legitimate operational, transaction, risk,
consumer, and other needs by granting exceptions; and (3) to implement
the statutory exceptions to the special restrictions on sharing medical
information with affiliates and to propose two additional exceptions
the Agencies believe may be necessary and appropriate. The legal bases
for the proposed rule are the National Bank Act found at 12 U.S.C. 1 et
seq., 24(Seventh), 481, and 484, the Depository Institutions
Deregulation and Monetary Control Act of 1980 found at 12 U.S.C. 93a,
and the Federal Deposit Insurance Act found at 12 U.S.C. 1818; and the
Fair Credit Reporting Act found at 15 U.S.C. 1681a, 1681b, and 1681s.
C. Description of Small Entities to Which the Rule Will Apply
The proposed rule would apply to 1,214 national banks, Federal
branches, and Federal agencies of foreign banks with assets under $150
million.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The OCC does not believe that the proposed rule imposes any
reporting or any specific recordkeeping requirements within the meaning
of the RFA. Section 411 requires that all covered entities have the
ability to identify medical information as defined by the FACT Act in
order to avoid the general prohibition against obtaining or using it in
connection with any eligibility determination. This may entail some
training costs.
However, the OCC believes that training costs will be minimal for a
variety of reasons. One reason is the OCC does not believe that covered
entities presently obtain or use medical information in making credit
eligibility determinations on a broad basis. Another is that bank staff
would already be trained on complying with other laws governing
obtaining and using confidential information, including medical
information, as discussed below.
Further, entities have the option of complying with the general
statutory prohibition on obtaining and using medical information or an
applicable exception. Thus, any burden that may be associated with
complying with the exceptions can be avoided entirely by complying with
the general prohibition. The OCC contemplates that those entities that
find the exceptions to be burden reducing would opt to use them.
The OCC solicits information and comment on these assumptions. The
OCC also seeks information and comment on any costs, such as training
costs, compliance requirements, or changes in operating procedures
arising from the application of the proposed rule in addition to or
which may differ from those arising from the application of the statute
generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The OCC is unable to identify any statutes or rules that would
overlap or conflict with the proposed regulation. The OCC seeks comment
and information about any such statutes or rules, as well as any other
state, local, or industry rules or policies that require a covered
institution to implement business practices that would comply with the
requirements of the proposed rule.
F. Discussion of Significant Alternatives
The proposed rule creates exceptions to the general prohibition on
the use of medical information in determining the eligibility of a
consumer for an initial extension or the continuation of an extension
of credit. The proposed rule attempts to harmonize the circumstances
under which a credit reporting agency may transfer medical information
to a user of consumer reports with the ability of a financial
institution to obtain and use that information. The proposed rule also
provides exceptions, in addition to those contained in section 411,
under which a financial institution may share medical information with
an affiliate and not become a consumer reporting agency.
In developing the proposal, the Agencies considered numerous
alternatives. In particular, the Agencies considered creating a wide
variety of possible exceptions to the general prohibition on obtaining
and using medical information and numerous alternatives. A number of
these are discussed in the SUPPLEMENTARY INFORMATION, including the
following:
1. The Agencies considered clarifying through an exception that
obtaining and using medical information in connection with debt
cancellation, debt suspension, or credit insurance products or similar
forbearance practices or programs, is not prohibited, but are proposing
to clarify this point through interpretation instead;
2. The Agencies considered three options that would allow creditors
to obtain and use consumer reports containing the various types of
information described in section 604(g)(1) of the FCRA and are
soliciting comment on these approaches;
3. The Agencies considered the need for a broader exception to
permit creditors to make a ``medical accommodation'' where individual
circumstances may warrant such an accommodation; and
4. The Agencies further considered the need to establish an
exception for consumer consent whereby a creditor could request that a
consumer consent to the specific use of the consumer's medical
information.
In all these cases and others, the Agencies have described relevant
alternatives and are inviting comment on them in the SUPPLEMENTARY
INFORMATION section.
The relatively narrow scope of the exceptions proposed reflects the
statutory mandate to create only those exceptions ``determined to be
necessary and appropriate.'' While the Agencies believe that the
proposed exceptions would be among those useful to small entities as
well as large, we are not proposing a general exception that would
apply only to small entities. Comment is solicited on whether such an
exception would be necessary and appropriate and whether the risk is
different for a small entity than a large entity that medical
information obtained might be used for the type of ``inappropriate
purposes'' the statute prohibits.
The OCC welcomes comments on any significant alternatives,
consistent with the mandate in section 411 to protect the privacy of
medical information, that would minimize the impact of the proposed
rule on small entities.
Board: Subject to certain exceptions, the Regulatory Flexibility
Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial
regulatory flexibility analysis with a proposed rule whenever the
agency is required to publish a general notice of proposed rulemaking
for a proposed rule. The SUPPLEMENTARY INFORMATION above describes the
reasons why the regulations are being proposed and the objectives and
the legal basis of the proposed rule. The SUPPLEMENTARY INFORMATION
section also describes the compliance requirements of the proposed rule
and identifies other relevant Federal rules which may duplicate or
overlap with the proposed rule. The Board, in connection with its
initial regulatory flexibility analysis, requests public comment in the
following areas.
A. Reasons for the Proposed Rule
Section 411 of the FACT Act requires the Board, together with the
other Agencies, to publish rules that are determined to be necessary
and appropriate to protect legitimate

[[Page 23390]]

operational, transactional risk, consumer, and other needs, including
actions necessary for administrative verification, consistent with the
intent of the section to restrict the use of medical information for
inappropriate purposes, that permit the use of medical information in
connection with any determination of a consumer's eligibility, or
continued eligibility for credit. It permits the Board to issue
regulations that are determined to be necessary and appropriate so as
to exclude medical information shared by a covered entity with an
affiliate from the definition of a consumer report in section 603(d) of
the FCRA, and to address the reuse and redisclosure of medical
information.
B. Statement of Objectives and Legal Basis
The SUPPLEMENTARY INFORMATION above contains this information. The
legal basis for the proposed rule is section 411 of the FACT Act.
C. Description of Small Entities to Which the Rule Applies
The proposed rule would apply to all banks that are members of the
Federal Reserve System (other than national banks), branches and
agencies of foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks), commercial
lending companies owned or controlled by foreign banks, organizations
operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C.
601 et seq., and 611 et seq.), bank holding companies and affiliates
(other than depository institutions and consumer reporting agencies) of
such holding companies. The Board's proposed rule will apply to the
following institutions (numbers approximate): State member banks (932),
bank holding companies (5,152), holding company non-bank subsidiaries
(2,131), U.S. branches and agencies of foreign banks (289), Edge and
agreement corporations (75), for a total of approximately 8,579
institutions. The Board estimates that over 5,000 of these institutions
could be considered small institutions with assets less than $150
million.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The Board does not believe that the proposed rule imposes any new
reporting or recordkeeping requirements, as defined in section 603 of
the RFA. Section 411 requires that all covered entities have the
ability to identify medical information as defined in order to avoid
the general prohibition against obtaining or using it in connection
with any eligibility determination. The Board believes that identifying
that information for the purpose of either using it in eligibility
determinations pursuant to the exceptions or to share the information
with affiliates places no additional compliance burdens or costs on
financial institutions.
The Board seeks information and comment on any costs, compliance
requirements, or changes in operating procedures arising from the
application of the proposed rule in addition to or which may differ
from those arising from the application of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The Board is unable to identify any federal statutes or regulations
that would duplicate, overlap, or conflict with the proposed rule. The
Board seeks comment regarding any statutes or regulations, including
state or local statutes or regulations, that would duplicate, overlap,
or conflict with the proposed rule, including particularly any that
address situations in which medical information may be: (i) Obtained or
used in connection with a determination of credit eligibility; or (ii)
shared among financial institutions and their affiliates.
F. Discussion of Significant Alternatives
The proposed rule creates exceptions to the general prohibition on
the use of medical information in determining the eligibility of a
consumer for an initial extension or the continuation of an extension
of credit. The proposed rule attempts to harmonize the circumstances
under which a credit reporting agency may transfer medical information
to a user of consumer reports with the ability of a financial
institution to obtain and use that information. The proposed rule also
provides exceptions, in addition to those contained in section 411,
under which a financial institution may share medical information with
an affiliate and not become a consumer reporting agency.
The Board welcomes comments on any significant alternatives,
consistent with the mandate in section 411 to protect the privacy of
medical information, that would minimize the impact of the proposed
rule on small entities.
FDIC: Subject to certain exceptions, the Regulatory Flexibility Act
(5 U.S.C. 601-612) (RFA) requires an agency to publish an initial
regulatory flexibility analysis with a proposed rule whenever the
agency is required to publish a general notice of proposed rulemaking
for a proposed rule. The FDIC, in connection with its initial
regulatory flexibility analysis, requests public comment in the
following areas.
A. Reasons for the Proposed Rule
Section 411 of the FACT Act requires the FDIC, together with the
other Agencies, to publish rules that are determined to be necessary
and appropriate to protect legitimate operational, transactional risk,
consumer, and other needs, including actions necessary for
administrative verification, consistent with the intent of the section
to restrict the use of medical information for inappropriate purposes,
that permit the use of medical information in connection with any
determination of a consumer's eligibility, or continued eligibility for
credit. It permits the FDIC to issue regulations that are determined to
be necessary and appropriate so as to exclude medical information
shared by a covered entity with an affiliate from the definition of a
consumer report in section 603(d) of the FCRA, and to address the reuse
and redisclosure of medical information.
B. Statement of Objectives and Legal Basis
The SUPPLEMENTARY INFORMATION above contains this information. The
legal basis for the proposed rule is section 411 of the FACT Act.
C. Description of Small Entities to Which the Rule Applies
The proposed rule would apply to all state non-member banks,
approximately 3,700 of which are small entities as defined by the RFA.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The FDIC does not believe that the proposed rule imposes any new
reporting or recordkeeping requirements, as defined in section 603 of
the RFA. Section 411 requires that all covered entities have the
ability to identify medical information as defined in order to avoid
the general prohibition against obtaining or using it in connection
with any eligibility determination. The FDIC believes that identifying
that information for the purpose of either using it in eligibility
determinations pursuant to the exceptions or to share the information
with affiliates places no additional compliance burdens or costs on
financial institutions.

[[Page 23391]]

The FDIC seeks information and comment on any costs, compliance
requirements, or changes in operating procedures arising from the
application of the proposed rule in addition to or which may differ
from those arising from the application of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The FDIC is unable to identify any federal statutes or regulations
that would duplicate, overlap, or conflict with the proposed rule. The
FDIC seeks comment regarding any statutes or regulations, including
state or local statutes or regulations, that would duplicate, overlap,
or conflict with the proposed rule, including particularly any that
address situations in which medical information may be: (i) Obtained or
used in connection with a determination of credit eligibility; or (ii)
shared among financial institutions and their affiliates.
F. Discussion of Significant Alternatives
The proposed rule creates exceptions to the general prohibition on
the use of medical information in determining the eligibility of a
consumer for an initial extension or the continuation of an extension
of credit. The proposed rule attempts to harmonize the circumstances
under which a credit reporting agency may transfer medical information
to a user of consumer reports with the ability of a financial
institution to obtain and use that information. The proposed rule also
provides exceptions, in addition to those contained in section 411,
under which a financial institution may share medical information with
an affiliate and not become a consumer reporting agency.
The FDIC welcomes comments on any significant alternatives,
consistent with the mandate in section 411 to protect the privacy of
medical information, that would minimize the impact of the proposed
rule on small entities.
OTS: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA)
requires an agency to either provide an Initial Regulatory Flexibility
Analysis (IRFA) with a proposed rule or certify that the proposed rule
will not have a significant economic impact on a substantial number of
small entities. As discussed below, OTS does not expect that this rule,
if adopted, would have a significant economic impact on a substantial
number of small entities. Nonetheless, it is providing this IRFA.
The proposed rule implements section 411 of the FACT Act. The
proposed rule would implement the statutory prohibition on creditors
obtaining and using a consumer's medical information in connection with
credit determinations, while creating exceptions in certain
circumstances. Additionally, the proposed rule would implement the FACT
Act's restrictions on the sharing of medical information among
affiliates, while including exceptions to permit the sharing of medical
information in certain circumstances. As discussed below, the proposed
rule would apply to savings associations or their subsidiaries, savings
and loan holding companies, or affiliates of savings associations or
savings and loan holding companies other than bank holding companies,
banks, or subsidiaries of bank holding companies or banks.
OTS does not expect that this rule, if adopted, would have a
significant economic impact on a substantial number of small entities.
The general statutory prohibition on obtaining and using medical
information incorporated into the rule will only impact entities
that obtain or use medical information in connection with credit
determinations, regardless of size. OTS does not believe that obtaining
and using medical information for credit eligibility determinations is
a widespread practice today among creditors it regulates. Small
entities, because of the nature and size of their operations, may be
less likely than larger institutions to do so. Therefore, no group of
covered entities, particularly small ones, is expected to encounter a
significant economic impact. However, OTS invites comment on whether these
assumptions are correct. OTS further invites comment on the burden that
will result on small entities from this rulemaking, and has prepared
the following analysis.
A. Reasons for the Proposed Rule
Section 411 of the FACT Act requires OTS, together with the other
Agencies, to publish rules that are determined to be necessary and
appropriate to protect legitimate operational, transactional risk,
consumer, and other needs, including actions necessary for
administrative verification, consistent with the intent of the section
to restrict the use of medical information for inappropriate purposes,
that permit the use of medical information in connection with any
determination of a consumer's eligibility, or continued eligibility for
credit. Section 411 also authorizes OTS to issue regulations that are
determined to be necessary and appropriate so as to exclude medical
information shared by a covered entity with an affiliate from the
definition of a consumer report in section 603(d) of the Fair Credit
Reporting Act, and to address the reuse and redisclosure of medical
information.
B. Statement of Objectives and Legal Basis
The objectives of the proposed rule are described in the
SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To
implement the general statutory prohibition on creditors obtaining and
using medical information in connection with credit eligibility
determinations, (2) to fulfill the statutory mandate to prescribe
regulations that permit creditors to obtain and use medical information
for eligibility purposes when necessary and appropriate to protect
legitimate operational, transaction, risk, consumer, and other needs by
granting exceptions, and (3) to implement the statutory exceptions to
the special restrictions on sharing medical information with affiliates
and to propose two additional exceptions the Agencies believe may be
necessary and appropriate.
The legal bases for the proposed rule are provisions of: (1) The
Home Owners' Loan Act found at 12 U.S.C. 1462a, 1463, 1464, and 1467a;
(2) the Federal Deposit Insurance Act, the Bank Protection Act, and
other banking laws found at 12 U.S.C. 1828, 1831p-1, and 1881-1884; (3)
the Fair Credit Reporting Act found at 15 U.S.C. 1681s and 1681w; and
(4) the Gramm-Leach-Bliley Act found at 15 U.S.C. 6801 and 6805(b)(1).
C. Description of Small Entities to Which the Rule Applies
Section 571.30(a)-(d) of the proposed rule would apply to those
creditors, as defined in Sec. 571.30(a)(2), that are savings
associations or their subsidiaries, savings and loan holding companies,
or affiliates of savings associations or savings and loan holding
companies other than bank holding companies, banks, or subsidiaries of
bank holding companies or banks.
Sections 571.30(e) and 571.31 of the proposed rule would apply to
all savings associations and, in accordance with 12 CFR 559.3(h)(1), to
federal savings association operating subsidiaries as well.
Small savings associations are generally defined, for RFA purposes,
as those with assets of $150 million or less. 13 CFR 121.201 (2003).
OTS calculates that of the 921 savings associations, a maximum of 479
of these are small savings associations. OTS also calculates that these
479 savings associations hold 122 subordinate

[[Page 23392]]

organizations that could possibly qualify as small entities.
With regard to savings and loan holding companies, the Small
Business Administration (SBA) prescribes size standards for various
economic activities and industries using the North American Industry
Classification System (NAICS). 13 CFR part 121. Under the SBA's
standards, companies that are primarily engaged in holding securities
of (or other equity interests in) depository institutions for the
purpose of controlling those companies are addressed at NAICS Codes
551111 and 551112 (Office of Bank Holding Companies and Office of Other
Holding Companies). Companies within this group are considered to be
small if they have annual receipts of $6 million or less. Companies
that are primarily engaged in holding the securities of depository
institutions and operating these entities are classified under NAICS
Codes 522110-522190. Companies classified in this group are considered
to be small if their total assets are less than $150 million.
In this IRFA, OTS has analyzed the impact of this rule using both
the $150 million asset size standard and the $6 million annual receipts
standard. OTS specifically requests comment on its use of these
standards. Commenters are invited to address whether these or other
size standards are appropriate.
OTS calculates that there are approximately 969 OTS-regulated
savings and loan holding companies. OTS further calculates that there
are a maximum of 381 savings and loan holding companies that could
possibly qualify as small entities. OTS estimates that there are 151
small savings and loan holding companies under an asset-based
definition of $150 million or less of assets and 381 small savings and
loan holding companies under a revenue-based definition of $6 million
or less in annual receipts.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
OTS does not believe that the proposed rule imposes any new
reporting or any specific recordkeeping requirements within the meaning
of the RFA. Implicitly, however, section 411 requires that all covered
entities have the ability to identify medical information as defined by
the FACT Act in order to avoid the general prohibition against
obtaining or using it in connection with any eligibility determination.
This may entail some training costs.
However, OTS believes that training costs will be minimal for a
variety of reasons. One reason is OTS does not believe that covered
entities currently widely obtain or use medical information in making
credit eligibility determinations. Another is that staff would already
be trained on complying with other laws governing obtaining and using
confidential information, including medical information, as discussed
below.
Further, entities have the option of complying with the general
statutory prohibition on obtaining and using medical information or an
applicable exception. Thus, any additional burden that may be
associated with complying with the exceptions can be avoided entirely
by complying with the general prohibition instead. OTS contemplates
that entities that find the exceptions to be burden reducing would opt
to use them and that others would choose to comply with the general
prohibition.
OTS solicits information and comments on these assumptions. OTS
also solicits information and comment on any costs, such as training
costs, as well as compliance requirements, or changes in operating
procedures arising from the application of the proposed rule in
addition to or which may differ from those arising from the application
of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The SUPPLEMENTARY INFORMATION section describes the compliance
requirements of the proposed rule and identifies other relevant Federal
rules that may duplicate or overlap with the proposed rule. As
discussed in the SUPPLEMENTARY INFORMATION, other laws and rules issued
under these laws, such as the Americans with Disabilities Act, the Fair
Housing Act, the Gramm-Leach-Bliley Act, and other parts of the FCRA,
may limit or regulate the use, collection, and sharing of consumer
information, including medical information. In particular, these and
other laws and rules, such as the Equal Credit Opportunity Act and
Regulation B, also may prohibit creditors from using certain
information that is excluded from the restrictions on obtaining or
using medical information, such as age or gender information, in
determining eligibility for credit or for other purposes. In this
sense, there may be some overlap between these federal statutes and
regulations and the proposed rule.
OTS seeks comment and information regarding any statutes or rules,
including state or local statutes or regulations, that would duplicate,
overlap, or conflict with the proposed rule, including particularly any
that address situations in which medical information may be: (i)
Obtained or used in connection with a determination of credit
eligibility; or (ii) shared among financial institutions and their
affiliates.
F. Discussion of Significant Alternatives
The proposed rule creates exceptions to the general prohibition on
the use of medical information in determining the eligibility of a
consumer for an initial extension or the continuation of an extension
of credit. The proposed rule attempts to harmonize the circumstances
under which a credit reporting agency may transfer medical information
to a user of consumer reports with the ability of a financial
institution to obtain and use that information. The proposed rule also
provides exceptions, in addition to those contained in section 411,
under which a financial institution may share medical information with
an affiliate and not become a consumer reporting agency.
In developing the proposal, the Agencies considered numerous
alternatives. In particular, the Agencies considered creating a wide
variety of possible exceptions to the general prohibition on obtaining
and using medical information and numerous alternatives. A number of these are
discussed in the SUPPLEMENTARY INFORMATION, including the following:
1. The Agencies considered clarifying through an exception that
obtaining and using medical information in connection with debt
cancellation, debt suspension, or credit insurance products or similar
forbearance practices or programs, is not prohibited, but are proposing
to clarify this point through interpretation instead.
2. The Agencies considered three options that would allow creditors
to obtain and use consumer reports containing the various types of
information described in section 604(g)(1) of the FCRA and are
soliciting comment on these approaches.
3. The Agencies considered the need for a broader exception to
permit creditors to make a ``medical accommodation'' where individual
circumstances may warrant such an accommodation.
4. The Agencies further considered the need to establish an
exception for consumer consent whereby a creditor could request that a
consumer consent to the specific use of the consumer's medical
information.
In all these cases and others, the Agencies have described relevant
alternatives and are inviting comment on them in the SUPPLEMENTARY
INFORMATION section.

[[Page 23393]]

The relatively narrow scope of the exceptions proposed reflects the
statutory mandate to create only those exceptions ``determined to be
necessary and appropriate.'' While the Agencies believe that the
proposed exceptions would be among those useful to small entities as
well as large, we are not proposing a general exception that would
apply only to small entities. Comment is solicited on whether such an
exception would be necessary and appropriate and whether the risk is
different for a small entity than a large entity that medical
information obtained might be used for the type of ``inappropriate
purposes'' the statute prohibits.
OTS welcomes comments on any significant alternatives, consistent
with the mandate in section 411 to protect the privacy of medical
information, which would minimize the impact of the proposed rule on
small entities.
NCUA: The Regulatory Flexibility Act requires the NCUA to prepare
an analysis to describe any significant economic impact a proposed rule
may have on a substantial number of small credit unions (those under
$10 million in assets).
Section 411 of the FACT Act limits the ability of creditors to
obtain or use medical information in connection with credit eligibility
determinations and narrows when any person can share medical
information and medical-related information with affiliates without
becoming a consumer reporting agency for purposes of the FCRA. The
statute requires the NCUA and the federal banking agencies to prescribe
regulations that create exceptions to permit creditors to obtain or use
medical information in connection with credit eligibility
determinations where necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs (including
administrative verification purposes), consistent with congressional
intent to restrict the use of medical information for inappropriate
purposes. Furthermore, the statute grants discretionary rulemaking
authority to the NCUA, the federal banking agencies, and the Federal
Trade Commission to create exceptions, in addition to those already
provided in the statute, to allow affiliates to share medical
information and medical-related information.
Proposed Sec. Sec. 717.30 and 717.31 of the NCUA's proposed
regulations would apply to all federal credit unions, regardless of
their size. The proposed rule would contain restrictions set forth in
section 411 of the FACT Act on federal credit unions obtaining and
using medical information in connection with credit eligibility
determinations and the sharing of medical information and medical-
related information with affiliates. The proposed regulations, however,
also would grant exceptions to the statutory limitations to allow
creditors to obtain or use medical information in enumerated situations
in connection with determinations of consumer eligibility or continued
eligibility for credit. The proposal would also enumerate the
situations in which federal credit unions would be permitted to share
medical information among affiliates.
NCUA is not aware of any other federal rules that duplicate,
overlap, or conflict with the proposed rule. NCUA specifically requests
comment on the impact of the proposed rule on small federal credit
unions.

OCC and OTS Executive Order 12866 Determination

The OCC and OTS each has determined that its portion of the
proposed rulemaking is not a significant regulatory action under
Executive Order 12866.

OCC Executive Order 13132 Determination

The OCC has determined that this proposal does not have any
Federalism implications, as required by Executive Order 13132.

NCUA Executive Order 13132 Determination

Executive Order 13132 encourages independent regulatory agencies to
consider the impact of their actions on state and local interests. In
adherence to fundamental federalism principles, the NCUA, an
independent regulatory agency as defined in 44 U.S.C. 3502(5),
voluntarily complies with the executive order. The proposed rule
applies only to federally chartered credit unions and would not have
substantial direct effects on the states, on the connection between the
national government and the states, or on the distribution of power and
responsibilities among the various levels of government. The NCUA has
determined that this proposed rule does not constitute a policy that
has federalism implications for purposes of the executive order.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (Unfunded Mandates Act) requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year. If a budgetary impact statement is
required, section 205 of the Unfunded Mandates Act also requires an
agency to identify and consider a reasonable number of regulatory
alternatives before promulgating a rule. The OCC and OTS each has
determined that this proposed rule will not result in expenditures by
State, local, and tribal governments, or by the private sector, of $100
million or more. Accordingly, neither the OCC nor the OTS has prepared
a budgetary impact statement or specifically addressed the regulatory
alternatives considered.

NCUA: The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999, Public Law 105-277, 112
Stat. 2681 (1998).

NCUA: Interpretive Ruling and Policy Statement (IRPS) 87-2, as Amended
by IRPS 03-2

Under NCUA's IRPS 87-2, as amended by IRPS 03-2, the NCUA Board's
general policy is to provide a 60-day comment period for a proposed
regulation. In this case, the NCUA Board believes that a 30-day comment
period will be adequate and is appropriate given that the statutory
deadline for the final rule is June 4, 2004. NCUA IRPS 87-2, 52 FR
35231, Sept. 18, 1987, as amended by IRPS 03-2, 68 FR 31949, May 29,
2003.

OCC Community Bank Comment Request

The OCC invites your comments on the impact of this proposal on
community banks. The OCC recognizes that community banks operate with
more limited resources than larger institutions and may present a
different risk profile. Thus, the OCC specifically requests comment on
the impact of the proposal on community banks' current resources and
available personnel with the requisite expertise, and whether the goals
of the proposal could be achieved, for community banks, through an
alternative approach.

[[Page 23394]]

IV. Solicitation of Comments on Use of Plain Language

Section 722 of the GLB Act requires the Agencies \3\ to use plain
language in all proposed and final rules published after January 1,
2000. We invite your comments on how to make this proposed rule easier
to understand. For example:
---------------------------------------------------------------------------

\3\ Section 722 of the GLB Act does not apply to NCUA, but NCUA
has a similar Agency Regulatory Goal to promote clear and
understandable regulations that impose minimal regulatory burden.
---------------------------------------------------------------------------

Have we organized the material to suit your
needs? If not, how could this material be better organized?
Are the requirements in the rule clearly stated?
If not, how could the rule be more clearly stated?
Do the regulations contain technical language or
jargon that is not clear? If so, which language requires clarification?
Would a different format (grouping and order of
sections, use of headings, paragraphing) make the regulation easier to
understand? If so, what changes to the format would make the regulation
easier to understand?
Would more, but shorter, sections be better? If
so, which sections should be changed?
What else could we do to make the regulation
easier to understand?

List of Subjects

12 CFR Part 41

Banks, Banking, Consumer protection, National banks, Reporting and
recordkeeping requirements.

12 CFR Part 222

Banks, Banking, Consumer protection, Credit, Fair Credit Reporting
Act, Holding companies, Privacy, Reporting and recordkeeping
requirements, State member banks.

12 CFR Part 334

Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
soundness.

12 CFR Part 571

Consumer protection, Credit, Fair Credit Reporting Act, Privacy,
Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 717

Consumer protection, Credit unions, Fair credit reporting, Medical
information, Privacy, Reporting and recordkeeping requirements.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

For the reasons set forth in the preamble, the OCC proposes to
amend Chapter I of Title 12 of the Code of Federal Regulations as
follows:
1. Add part 41 to read as follows:

PART 41--FAIR CREDIT

Subpart A--General Provisions
Sec.
41.1 Purpose and scope.
41.2 Examples.
41.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
41.30 Obtaining or using medical information in connection with a
determination of eligibility for credit.
41.31 Sharing medical information with affiliates.

Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and
1818; 15 U.S.C. 1681a, 1681b, and 1681s.

Subpart A--General Provisions


Sec. 41.1 Purpose and scope.

(a) Purpose. The purpose of this part is to establish standards for
national banks in key areas of regulation regarding consumer report
information and fair credit. In addition, the purpose of this part is
to specify the type of information, including medical information,
national banks may obtain, use, or share among affiliates. This part
also contains a number of measures national banks must take to combat
consumer fraud and related crimes, including identity theft.
(b) Scope.
(1) [Reserved]
(2) Institutions covered. Except as otherwise provided in this
part, these regulations apply to national banks, Federal branches and
Agencies of foreign banks, and their respective operating subsidiaries
that are not functionally regulated within the meaning of section
5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C.
1844(c)(5)).


Sec. 41.2 Examples.

The examples in this part are not exclusive. Compliance with an
example, to the extent applicable, constitutes compliance with this
part. Examples in a paragraph illustrate only the issue described in
the paragraph and do not illustrate any other issue that may arise in
this part.


Sec. 41.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate means any company that controls, is controlled by, or
is under common control with another company.
(c) [Reserved]
(d) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the OCC
determines.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to:
(i) The past, present, or future physical, mental, or behavioral
health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an
individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a
consumer's residence address or e-mail address; or
(iii) Any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
* * * * *

[[Page 23395]]

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec. 41.30 Obtaining or using medical information in connection with
a determination of eligibility for credit.

(a) General prohibition on obtaining or using medical information--
(1) In general. A bank may not obtain or use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit, except as
provided in this subpart.
(2) Definitions as used in this subpart--(i) Eligibility, or
continued eligibility, for credit means the consumer's qualification or
fitness to receive, or continue to receive, credit, including the terms
on which credit is offered, primarily for personal, family, or
household purposes. The term does not include:
(A) The consumer's qualification or fitness to be offered
employment, insurance products, or other non-credit products or
services;
(B) Any determination of whether the provisions of a debt
cancellation contract, debt suspension agreement, credit insurance
product, or similar forbearance practice or program are triggered;
(C) Authorizing, processing, or documenting a payment or
transaction on behalf of the consumer in a manner that does not involve
a determination of the consumer's eligibility, or continued
eligibility, for credit; or
(D) Maintaining or servicing the consumer's account in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
(ii) Bank means an institution that:
(A) is covered by this part in Sec. 41.1(b)(2); and
(B) is a ``creditor'' as that term is defined by section 702 of the
Equal Credit Opportunity Act (15 U.S.C. 1691a).
(iii) Credit has the same meaning as in section 702 of the Equal
Credit Opportunity Act (15 U.S.C. 1691a).
(b) Rule of construction for receiving unsolicited medical
information--(1) In general. A bank does not obtain medical information
for purposes of paragraph (a)(1) of this section if it:
(i) Receives medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit without specifically requesting
medical information; and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
(2) Examples of receiving unsolicited medical information. A bank
receives unsolicited medical information if, for example:
(i) In response to a general question regarding a consumer's debts
or expenses, the bank receives information that the consumer has a
particular medical condition and does not use that information in
determining whether to extend credit to the consumer or the terms on
which credit is offered.
(ii) In conversation with the loan officer, the consumer informs
the bank that the consumer has a particular medical condition, and the
bank does not use that information in determining whether to extend
credit to the consumer or the terms on which credit is offered.
(c) Financial information exception for obtaining and using medical
information--(1) In general. A bank may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit so long as:
(i) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(ii) The bank uses the medical information in a manner and to an
extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction;
and
(iii) The bank does not take the consumer's physical, mental, or
behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
(2) Examples--(i) Examples of information related to debts,
expenses, income, benefits, collateral, or the purpose of the loan.
Paragraph (c)(1)(i) of this section permits a bank, for example, to
obtain and use information about:
(A) The dollar amount, repayment terms, repayment history, and
similar information regarding medical debts that is used to calculate,
measure, or verify the repayment ability of the consumer, the use of
proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that
is used as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability
income or benefits related to health or a medical condition that is
relied on as a source of repayment; or
(D) The identity of entities to whom outstanding medical debts are
owed in connection with an application for credit, including but not
limited to a transaction involving the consolidation of medical debts.
(ii) Examples of uses of medical information consistent with the
exception. (A) A consumer includes on an application for credit
information about two $20,000 debts. One debt is to a hospital; the
other debt is to a retailer. The bank contacts the hospital and the
retailer to verify the amount and payment status of the debts. The bank
learns that both debts are more than 90 days past due. Any two debts of
this size that are past due would disqualify the consumer under the
bank's established underwriting criteria. The bank denies the
application on the basis that the consumer has a poor repayment history
on outstanding debts. The bank has used medical information in a manner
and to an extent no less favorable than it would use comparable non-
medical information.
(B) A consumer indicates on an application for a $200,000 mortgage
loan that she receives $15,000 in long-term disability income each year
from her former employer and has no other income. Annual income of
$15,000, regardless of source, would not be sufficient to support the
requested amount of credit. The bank denies the application on the
basis that the projected debt-to-income ratio of the consumer does not
meet the bank's underwriting criteria. The bank has used medical
information in a manner and to an extent that is no less favorable than
it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity
loan that he has a $50,000 debt to a medical facility that specializes
in treating a potentially terminal disease. The bank contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan. The bank learns that the debt is
current and that the applicant meets the income requirements of the
bank's underwriting guidelines. The bank grants the application. The
bank has used medical information in accordance with the exception.
(iii) Examples of uses of medical information inconsistent with the
exception.
(A) A consumer applies for $25,000 of credit and includes on the
application information about a $50,000 debt to a hospital. The bank
contacts the hospital to verify the amount and payment status
of the debt, and learns that the debt is current and that the consumer
has no delinquencies in her repayment history. If the existing debt
were instead owed to a home furnishing retailer, the bank would approve
the application and extend credit based on the amount and repayment
history of the outstanding debt. The bank, however, denies the
application because the consumer is indebted to a hospital. The bank
has used medical information, here the identity of the hospital, in a
manner and to an extent that is less favorable than it would use
comparable non-medical information.
(B) A consumer meets with a loan officer of a bank to apply for a
mortgage loan. While filling out the loan application, the consumer
informs the loan officer orally that she has a potentially terminal
disease. The consumer meets the bank's established requirements for the
requested mortgage. The loan officer recommends to the credit committee
that the consumer be denied credit because the consumer has that
disease. The bank has used medical information in a manner inconsistent
with the exception by taking into account the consumer's physical,
mental, or behavioral health, condition, or history, type of treatment,
or prognosis as part of a determination of eligibility or continued
eligibility for credit.
(d) Specific exceptions for obtaining and using medical
information--(1) In general. A bank may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit:
(i) To determine whether the use of a power of attorney or legal
representative is necessary and appropriate;
(ii) To comply with applicable requirements of local, state, or
federal laws;
(iii) To the extent such information is included in a consumer
report from a consumer reporting agency, in accordance with 15 U.S.C.
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
provided specific written consent;
(iv) For purposes of fraud prevention and detection;
(v) In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical purpose of a
loan and the use of proceeds;
(vi) If the consumer or the consumer's legal representative
requests in writing, on a separate form signed by the consumer or the
consumer's legal representative that the bank use specific medical
information for a specific purpose in determining the consumer's
eligibility, or continued eligibility, for credit, to accommodate the
consumer's particular circumstances. The signed written request must
describe the specific medical information that the consumer requests
the bank to use and the specific purpose for which the information will
be used; or
(vii) As otherwise permitted by order of the OCC.
(2) Examples of determining the medical purpose of the loan or the
use of proceeds. (i) If a consumer applies for $10,000 of credit for
the purpose of financing vision correction surgery, the bank may
confirm the consumer's medical eligibility to undergo that procedure
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the bank may use that medical information to
deny the consumer's application for credit, because the loan would not
be used for the stated purpose.
(ii) If a consumer applies for $10,000 of credit for the purpose of
financing cosmetic surgery, the bank may confirm the cost of the
procedure with the surgeon. If the surgeon reports that the cost of the
procedure is $5,000, the bank may use that medical information to offer
the consumer only $5,000 of credit.
(iii) A bank has an established medical loan program for financing
particular elective surgical procedures. The bank receives a loan
application from a consumer requesting $10,000 of credit under the
established loan program for an elective surgical procedure. The
consumer indicates on the application that the purpose of the loan is
to finance an elective surgical procedure not eligible for funding
under the guidelines of the established loan program. The bank may deny
the consumer's application because the purpose of the loan is not for a
particular procedure funded by the established loan program.
(3) Examples of obtaining and using medical information at the
request of the consumer. Consistent with safe and sound practices, and
after obtaining from the consumer a signed, written document that
describes the specific medical information that the consumer requests
the bank to use and the specific purpose for which the information will
be used, the bank may obtain and use the specific medical information
for the specific purpose described in the request:
(i) If a consumer applies for a loan and requests that the bank
consider the consumer's medical disability at the relevant time as an
explanation for adverse payment history information in his credit
report, the bank may consider such medical information in evaluating
the consumer's willingness and ability to repay the requested loan.
(ii) If a consumer applies for a loan and explains that his income
has been and will continue to be interrupted on account of a medical
condition and that he expects to repay the loan from liquidation of
assets, the bank may evaluate the application using the sale of assets
as the primary source of repayment.
(e) Limits on redisclosure of information. If the bank receives
medical information about a consumer from a consumer reporting agency
or its affiliate, the bank must not disclose that information to any
other person, except as necessary to carry out the purpose for which
the information was initially disclosed, or as otherwise permitted by
statute, regulation, or order.


Sec. 41.31 Sharing medical information with affiliates.

(a) In general. The exclusions from the term ``consumer report'' in
section 603(d)(2) of the Act that allow the sharing of information with
affiliates do not apply if the bank communicates to an affiliate:
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(b) Exceptions. The bank may rely on the exclusions from the term
``consumer report'' in section 603(d)(2) of the Act to communicate the
information in paragraph (a) of this section to an affiliate:
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the U.S. Department of Health and Human
Services pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
41.30; or
(6) As otherwise permitted by order of the OCC.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons set forth in the joint preamble, title 12, chapter
II, of the Code of Federal Regulations is proposed to be amended by
revising part 222 to read as follows:

PART 222--FAIR CREDIT REPORTING (REGULATION V)

1. The authority citation for part 222 is amended to read as
follows:

Authority: 15 U.S.C. 1681b and 1681s; Secs. 3 and 217, Pub. L.
108-159, 117 Stat. 1952.

2. In subpart A to part 222, the following amendments are made:
a. Section 222.1 is amended by adding a new paragraph (b).
b. Section 222.2 is added.
c. Section 222.3 is added.
3. A new subpart D is added to part 222.

Subpart A--General Provisions


Sec. 222.1 Purpose, scope, and effective dates

* * * * *
(b) Scope.
(1) [Reserved]
(2) Institutions covered. (i) Except as otherwise provided in
paragraph (b)(2) of this section, these regulations apply to banks that
are members of the Federal Reserve System (other than national banks),
branches and Agencies of foreign banks (other than Federal branches,
Federal Agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by foreign banks,
organizations operating under section 25 or 25A of the Federal Reserve
Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding
companies and affiliates of such holding companies.
(ii) [Reserved]
(iii) Section 222.30(a)-(d) of this part applies to persons listed
in paragraph (b)(2)(i) of this section that are creditors.
(iv) Section 222.31 of this part applies to banks that are members
of the Federal Reserve System (other than national banks), branches and
Agencies of foreign banks (other than Federal branches, Federal
Agencies, and insured State branches of foreign banks), commercial
lending companies owned or controlled by foreign banks, organizations
operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C.
601 et seq., and 611 et seq.).
* * * * *


Sec. 222.2 Examples.

The examples in this part are not exclusive. Compliance with an
example, to the extent applicable, constitutes compliance with this
part. Examples in a paragraph illustrate only the issue described in
the paragraph and do not illustrate any other issue that may arise in
this part.


Sec. 222.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate means any company that controls, is controlled by, or
is under common control with another company.
(c) [Reserved]
(d) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the Board
determines.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to--
(i) The past, present, or future physical, mental, or behavioral
health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an
individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a
consumer's residence address or e-mail address; or
(iii) Any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
(o) You means member banks of the Federal Reserve System (other
than national banks), branches and Agencies of foreign banks (other
than Federal branches, Federal Agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, organizations operating under section 25 or 25A of the
Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank
holding companies and affiliates of such holding companies (other than
depository institutions and consumer reporting agencies).

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information
Sec.
222.30 Obtaining or using medical information in connection with a
determination of eligibility for credit.
222.31 Sharing medical information with affiliates.

Subpart D--Medical Information


Sec. 222.30 Obtaining or using medical information in connection with
a determination of eligibility for credit.

(a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit, except as
provided in this subpart.
(2) Definitions as used in this subpart--(i) Eligibility, or
continued eligibility, for credit means the consumer's qualification or
fitness to receive, or continue to receive, credit, including the terms
on which credit is offered, primarily for personal, family, or
household purposes. The term does not include:
(A) The consumer's qualification or fitness to be offered
employment, insurance products, or other non-credit products or
services;
(B) Any determination of whether the provisions of a debt
cancellation contract, debt suspension agreement, credit insurance
product, or similar forbearance practice or program are triggered;
(C) Authorizing, processing, or documenting a payment or
transaction on behalf of the consumer in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit; or
(D) Maintaining or servicing the consumer's account in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
(ii) Creditor has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(iii) Credit has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(b) Rule of construction for receiving unsolicited medical
information--(1) In general. A creditor does not obtain medical
information for purposes of paragraph (a)(1) of this section if it--
(i) Receives medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit without specifically requesting
medical information; and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
(2) Examples of receiving unsolicited medical information. A
creditor receives unsolicited medical information if, for example:
(i) In response to a general question regarding a consumer's debts
or expenses, the creditor receives information that the consumer has a
particular medical condition and does not use that information in
determining whether to extend credit to the consumer or the terms on
which credit is offered.
(ii) In conversation with the loan officer, the consumer informs
the creditor that the consumer has a particular medical condition, and
the creditor does not use that information in determining whether to
extend credit to the consumer or the terms on which credit is offered.
(c) Financial information exception for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit so long as:
(i) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to
an extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction;
and
(iii) The creditor does not take the consumer's physical, mental,
or behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
(2) Examples--(i) Examples of information related to debts,
expenses, income, benefits, collateral, or the purpose of the loan.
Paragraph (c)(1)(i) of this section permits a creditor, for example, to
obtain and use information about:
(A) The dollar amount, repayment terms, repayment history, and
similar information regarding medical debts that is used to calculate,
measure, or verify the repayment ability of the consumer, the use of
proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that
is used as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability
income or benefits related to health or a medical condition that is
relied on as a source of repayment; or
(D) The identity of creditors to whom outstanding medical debts are
owed in connection with an application for credit, including but not
limited to a transaction involving the consolidation of medical debts.
(ii) Examples of uses of medical information consistent with the
exception. (A) A consumer includes on an application for credit
information about two $20,000 debts. One debt is to a hospital; the
other debt is to a retailer. The creditor contacts the hospital and the
retailer to verify the amount and payment status of the debts. The
creditor learns that both debts are more than 90 days past due. Any two
debts of this size that are past due would disqualify the consumer
under the creditor's established underwriting criteria. The creditor
denies the application on the basis that the consumer has a poor
repayment history on outstanding debts. The creditor has used medical
information in a manner and to an extent no less favorable than it
would use comparable non-medical information.
(B) A consumer indicates on an application for a $200,000 mortgage
loan that she receives $15,000 in long-term disability income each year
from her former employer and has no other income. Annual income of
$15,000, regardless of source, would not be sufficient to support the
requested amount of credit. The creditor denies the application on the
basis that the projected debt-to-income ratio of the consumer does not
meet the creditor's underwriting criteria. The creditor has used
medical information in a manner and to an extent that is no less
favorable than it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity
loan that he has a $50,000 debt to a medical facility that specializes
in treating a potentially terminal disease. The creditor contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan. The creditor learns that the debt is
current and that the applicant meets the income requirements of the
creditor's underwriting guidelines. The creditor grants the
application. The creditor has used medical information in accordance
with the exception.
(iii) Examples of uses of medical information inconsistent with the
exception.
(A) A consumer applies for $25,000 of credit and includes on the
application information about a $50,000 debt to a hospital. The
creditor contacts the hospital to verify the amount and payment status
of the debt, and learns that the debt is current and that the consumer
has no delinquencies in her repayment history. If the existing debt
were instead owed to a home furnishing retailer, the creditor would
approve the application and extend credit based on the amount and
repayment history of the outstanding debt. The creditor, however,
denies the application because the consumer is indebted to a hospital.
The creditor has used medical information, here the identity of the
medical creditor, in a manner and to an extent that is less favorable
than it would use comparable non-medical information.
(B) A consumer meets with a loan officer of a creditor to apply for
a mortgage loan. While filling out the loan application, the consumer
informs the loan officer orally that she has a potentially terminal
disease. The consumer meets the creditor's established requirements for
the requested mortgage. The loan officer recommends to the credit
committee that the consumer be denied credit because the consumer has
that disease. The creditor has used medical information in a manner
inconsistent with the exception by taking into account the consumer's
physical, mental, or behavioral health, condition, or history, type of
treatment, or prognosis as part of a determination of eligibility or
continued eligibility for credit.
(d) Specific exceptions for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a
consumer in connection with any determination of the consumer's
eligibility, or continued eligibility, for credit--
(i) To determine whether the use of a power of attorney or legal
representative is necessary and appropriate;
(ii) To comply with applicable requirements of local, state, or
federal laws;
(iii) To the extent such information is included in a consumer
report from a consumer reporting agency, in accordance with 15 U.S.C.
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
provided specific written consent;
(iv) For purposes of fraud prevention and detection;
(v) In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical purpose of a
loan and the use of proceeds;
(vi) If the consumer or the consumer's legal representative
requests in writing, on a separate form signed by the consumer or the
consumer's legal representative that the creditor use specific medical
information for a specific purpose in determining the consumer's
eligibility, or continued eligibility, for credit, to accommodate the
consumer's particular circumstances. The signed written request must
describe the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used; or
(vii) As otherwise permitted by order of the Board.
(2) Examples of determining the medical purpose of the loan or the
use of proceeds. (i) If a consumer applies for $10,000 of credit for
the purpose of financing vision correction surgery, the creditor may
confirm the consumer's medical eligibility to undergo that procedure
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical
information to deny the consumer's application for credit, because the
loan would not be used for the stated purpose.
(ii) If a consumer applies for $10,000 of credit for the purpose of
financing cosmetic surgery, the creditor may confirm the cost of the
procedure with the surgeon. If the surgeon reports that the cost of the
procedure is $5,000, the creditor may use that medical information to
offer the consumer only $5,000 of credit.
(iii) A creditor has an established medical loan program for
financing particular elective surgical procedures. The creditor
receives a loan application from a consumer requesting $10,000 of
credit under the established loan program for an elective surgical
procedure. The consumer indicates on the application that the purpose
of the loan is to finance an elective surgical procedure not eligible
for funding under the guidelines of the established loan program. The
creditor may deny the consumer's application because the purpose of the
loan is not for a particular procedure funded by the established loan
program.
(3) Examples of obtaining and using medical information at the
request of the consumer. Consistent with safe and sound practices, and
after obtaining from the consumer a signed, written document that
describes the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used, the creditor may obtain and use the specific medical
information for the specific purpose specified in the request:
(i) If a consumer applies for a loan and requests that the creditor
consider the consumer's medical disability at the relevant time as an
explanation for adverse payment history information in his credit
report, the creditor may consider such medical information in
evaluating the consumer's willingness and ability to repay the
requested loan.
(ii) If a consumer applies for a loan and explains that his income
has been and will continue to be interrupted on account of a medical
condition and that he expects to repay the loan from liquidation of
assets, the creditor may evaluate the application using the sale of
assets as the primary source of repayment.
(e) Limits on redisclosure of information. If you receive medical
information about a consumer from a consumer reporting agency or your
affiliate, you must not disclose that information to any other person,
except as necessary to carry out the purpose for which the information
was initially disclosed, or as otherwise permitted by statute,
regulation, or order.


Sec. 222.31 Sharing medical information with affiliates.

(a) In general. The exclusions from the term "consumer report" in
section 603(d)(2) of the Act that allow the sharing of information with
affiliates do not apply to a person described in Sec. 222.1(b)(2)(iv)
of this part if that person communicates to an affiliate--
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(b) Exceptions. A person described in Sec. 222.1(b)(2)(iv) of this
part may rely on the exclusions from the term "consumer report" in
section 603(d)(2) of the Act to communicate the information in
paragraph (a) to an affiliate--
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
222.30 of this part; or
(6) As otherwise permitted by order of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

For the reasons set forth in the joint preamble, the Federal
Deposit Insurance Corporation proposes to add part 334 of chapter III
of title 12 of the Code of Federal Regulations to read as follows:

PART 334--FAIR CREDIT REPORTING

Subpart A--General Provisions

Sec.
334.1 Purpose, scope, and effective dates.
334.2 Examples.
334.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
334.30 Obtaining or using medical information in connection with a
determination of eligibility for credit.
334.31 Sharing medical information with affiliates.

Authority: 12 U.S.C. 1819(Tenth) and 1818; 15 U.S.C. 1681b and
1681s.

Subpart A--General Provisions


Sec. 334.1 Purpose, scope, and effective dates.

(a) [Reserved]
(b) Scope.
(1) [Reserved]
(2) Institutions covered.
(i) Except as otherwise provided in this paragraph, these
regulations apply to banks insured by the FDIC (other than District
Banks and members of the Federal Reserve System) and insured State
branches of foreign banks and any subsidiaries and affiliates of such
entities; and other entities or persons with respect to which the FDIC
may exercise its enforcement authority under any provision of law. For
purposes of this definition, a subsidiary does not include a broker,
dealer, person providing insurance, investment company, and investment
advisor.
(ii) [Reserved]
(iii) Section 334.30 of this part applies to creditors, as defined
in Sec. 334.30(a)(2), that are subject to the jurisdiction of the
Federal Deposit Insurance Corporation under paragraph (b)(2)(i) of this
section.


Sec. 334.2 Examples.

The examples in this part are not exclusive. Compliance with an
example, to the extent applicable, constitutes compliance with this
part. Examples in a paragraph illustrate only the issue described in
the paragraph and do not illustrate any other issue that may arise in
this part.


Sec. 334.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate means any company that controls, is controlled by, or
is under common control with another company.
(c) [Reserved]
(d) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the Board
determines.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to--
(i) The past, present, or future physical, mental, or behavioral
health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an
individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a
consumer's residence address or e-mail address; or
(iii) Any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
(o) You means banks insured by the FDIC (other than District Banks
and members of the Federal Reserve System) and insured State branches
of foreign banks and any subsidiaries and affiliates of such entities;
and other entities or persons with respect to which the FDIC may
exercise its enforcement authority under any provision of law. For
purposes of this definition, a subsidiary does not include a broker,
dealer, person providing insurance, investment company, and investment
advisor.

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec. 334.30 Obtaining or using medical information in connection with
a determination of eligibility for credit.

(a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit, except as
provided in this subpart.
(2) Definitions as used in this subpart--(i) Eligibility, or
continued eligibility, for credit means the consumer's qualification or
fitness to receive, or continue to receive, credit, including the terms
on which credit is offered, primarily for personal, family, or
household purposes. The term does not include:
(A) The consumer's qualification or fitness to be offered
employment, insurance products, or other non-credit products or
services;
(B) Any determination of whether the provisions of a debt
cancellation contract, debt suspension agreement, credit insurance
product, or similar forbearance practice or program are triggered;
(C) Authorizing, processing, or documenting a payment or
transaction on behalf of the consumer in a manner that does not involve
a determination of the consumer's eligibility, or continued
eligibility, for credit; or
(D) Maintaining or servicing the consumer's account in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
(ii) Creditor has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(iii) Credit has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(b) Rule of construction for receiving unsolicited medical
information--(1) In general. A creditor does not obtain medical
information for purposes of paragraph (a)(1) of this section if it--
(i) Receives medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit without specifically requesting
medical information; and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
(2) Examples of receiving unsolicited medical information. A
creditor receives unsolicited medical information if, for example:
(i) In response to a general question regarding a consumer's debts
or expenses, the creditor receives information that the consumer has a
particular medical condition and does not use that information in
determining whether to extend credit to the consumer or the terms on
which credit is offered.
(ii) In conversation with the loan officer, the consumer informs
the creditor that the consumer has a particular medical condition, and
the creditor does not use that information in determining whether to
extend credit to the consumer or the terms on which credit is offered.

(c) Financial information exception for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit so long as:
(i) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to
an extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction;
and
(iii) The creditor does not take the consumer's physical, mental,
or behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
(2) Examples--(i) Examples of information related to debts,
expenses, income, benefits, collateral, or the purpose of the loan.
Paragraph (c)(1)(i) of this section permits a creditor, for example, to
obtain and use information about:
(A) The dollar amount, repayment terms, repayment history, and
similar information regarding medical debts that is used to calculate,
measure, or verify the repayment ability of the consumer, the use of
proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that
is used as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability
income or benefits related to health or a medical condition that is
relied on as a source of repayment; or
(D) The identity of creditors to whom outstanding medical debts are
owed in connection with an application for credit, including but not
limited to a transaction involving the consolidation of medical debts.
(ii) Examples of uses of medical information consistent with the
exception. (A) A consumer includes on an application for credit
information about two $20,000 debts. One debt is to a hospital; the
other debt is to a retailer. The creditor contacts the hospital and the
retailer to verify the amount and payment status of the debts. The
creditor learns that both debts are more than 90 days past due. Any two
debts of this size that are past due would disqualify the consumer
under the creditor's established underwriting criteria. The creditor
denies the application on the basis that the consumer has a poor
repayment history on outstanding debts. The creditor has used medical
information in a manner and to an extent no less favorable than it
would use comparable non-medical information.
(B) A consumer indicates on an application for a $200,000 mortgage
loan that she receives $15,000 in long-term disability income each year
from her former employer and has no other income. Annual income of
$15,000, regardless of source, would not be sufficient to support the
requested amount of credit. The creditor denies the application on the
basis that the projected debt-to-income ratio of the consumer does not
meet the creditor's underwriting criteria. The creditor has used
medical information in a manner and to an extent that is no less
favorable than it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity
loan that he has a $50,000 debt to a medical facility that specializes
in treating a potentially terminal disease. The creditor contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan. The creditor learns that the debt is
current and that the applicant meets the income requirements of the
creditor's underwriting guidelines. The creditor grants the
application. The creditor has used medical information in accordance
with the exception.
(iii) Examples of uses of medical information inconsistent with the
exception.
(A) A consumer applies for $25,000 of credit and includes on the
application information about a $50,000 debt to a hospital. The
creditor contacts the hospital to verify the amount and payment status
of the debt, and learns that the debt is current and that the consumer
has no delinquencies in her repayment history. If the existing debt
were instead owed to a home furnishing retailer, the creditor would
approve the application and extend credit based on the amount and
repayment history of the outstanding debt. The creditor, however,
denies the application because the consumer is indebted to a hospital.
The creditor has used medical information, here the identity of the
medical creditor, in a manner and to an extent that is less favorable
than it would use comparable non-medical information.
(B) A consumer meets with a loan officer of a creditor to apply for
a mortgage loan. While filling out the loan application, the consumer
informs the loan officer orally that she has a potentially terminal
disease. The consumer meets the creditor's established requirements for
the requested mortgage. The loan officer recommends to the credit
committee that the consumer be denied credit because the consumer has
that disease. The creditor has used medical information in a manner
inconsistent with the exception by taking into account the consumer's
physical, mental, or behavioral health, condition, or history, type of
treatment, or prognosis as part of a determination of eligibility or
continued eligibility for credit.
(d) Specific exceptions for obtaining and using medical
information. (1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit--
(i) To determine whether the use of a power of attorney or legal
representative is necessary and appropriate;
(ii) To comply with applicable requirements of local, state, or
federal laws;
(iii) To the extent such information is included in a consumer
report from a consumer reporting agency, in accordance with 15 U.S.C.
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
provided specific written consent;
(iv) For purposes of fraud prevention and detection;
(v) In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical purpose of a
loan and the use of proceeds;
(vi) If the consumer or the consumer's legal representative
requests in writing, on a separate form signed by the consumer or the
consumer's legal representative that the creditor use specific medical
information for a specific purpose in determining the consumer's
eligibility, or continued eligibility, for credit, to accommodate the
consumer's particular circumstances. The signed written request must
describe the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used; or
(vii) As otherwise permitted by order of the Board.
(2) Examples of determining the medical purpose of the loan or the
use of proceeds. (i) If a consumer applies for $10,000 of credit for
the purpose of financing vision correction surgery, the creditor may
confirm the consumer's medical eligibility to undergo that procedure
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical
information to deny the consumer's application for credit, because the
loan would not be used for the stated purpose.
(ii) If a consumer applies for $10,000 of credit for the purpose of
financing cosmetic surgery, the creditor may confirm the cost of the
procedure with the surgeon. If the surgeon reports that the cost of the
procedure is $5,000, the creditor may use that medical information to
offer the consumer only $5,000 of credit.
(iii) A creditor has an established medical loan program for
financing particular elective surgical procedures. The creditor
receives a loan application from a consumer requesting $10,000 of
credit under the established loan program for an elective surgical
procedure. The consumer indicates on the application that the purpose
of the loan is to finance an elective surgical procedure not eligible
for funding under the guidelines of the established loan program. The
creditor may deny the consumer's application because the purpose of the
loan is not for a particular procedure funded by the established loan
program.
(3) Examples of obtaining and using medical information at the
request of the consumer. Consistent with safe and sound practices, and
after obtaining from the consumer a signed, written document that
describes the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used, the creditor may obtain and use the specific medical
information for the specific purpose specified in the request:
(i) If a consumer applies for a loan and requests that the creditor
consider the consumer's medical disability at the relevant time as an
explanation for adverse payment history information in his credit
report, the creditor may consider such medical information in
evaluating the consumer's willingness and ability to repay the
requested loan.
(ii) If a consumer applies for a loan and explains that his income
has been and will continue to be interrupted on account of a medical
condition and that he expects to repay the loan from liquidation of
assets, the creditor may evaluate the application using the sale of
assets as the primary source of repayment.
(e) Limits on redisclosure of information. If you receive medical
information about a consumer from a consumer reporting agency or your
affiliate, you must not disclose that information to any other person,
except as necessary to carry out the purpose for which the information
was initially disclosed, or as otherwise permitted by statute,
regulation, or order.


Sec. 334.31 Sharing medical information with affiliates.

(a) In general. The exclusions from the term "consumer report" in
section 603(d)(2) of the Act that allow the sharing of information with
affiliates do not apply if you communicate to an affiliate--
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(b) Exceptions. You may rely on the exclusions from the term
"consumer report" in section 603(d)(2) of the Act to communicate the
information in paragraph (a) to an affiliate--
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
334.30 of this part; or
(6) As otherwise permitted by order of the Board.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

For the reasons set forth in the joint preamble, the Office of
Thrift Supervision proposes to amend chapter V of title 12 of the Code
of Federal Regulations by adding a new part 571 to read as follows:

PART 571--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
571.1 Purpose, scope, and effective dates.
571.2 Examples.
571.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
571.30 Obtaining or using medical information in connection with a
determination of eligibility for credit.
571.31 Sharing medical information with affiliates.

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

Subpart A--General Provisions


Sec. 571.1 Purpose, scope, and effective dates.

(a) [Reserved]
(b) Scope.
(1) [Reserved]
(2) Institutions covered. (i) Except as otherwise provided in this
paragraph (b)(2), this part applies to savings associations whose
deposits are insured by the Federal Deposit Insurance Corporation (and
federal savings association operating subsidiaries in accordance with
Sec. 559.3(h)(1) of this chapter).
(ii) [Reserved]
(iii) Section 571.30(a)-(d) of this part applies to creditors, as
defined in Sec. 571.30(a)(2), that are savings associations or their
subsidiaries, savings and loan holding companies, or affiliates of
savings associations or savings and loan holding companies other than
bank holding companies, banks, or subsidiaries of bank holding
companies or banks.


Sec. 571.2 Examples.

The examples in this part are not exclusive. Compliance with an
example, to the extent applicable, constitutes compliance with this
part. Examples in a paragraph illustrate only the issue described in
the paragraph and do not illustrate any other issue that may arise in
this part.


Sec. 571.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate means any company that controls, is controlled by, or
is under common control with another company.
(c) [Reserved]
(d) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]

[[Page 23403]]

(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as OTS
determines.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to--
(i) The past, present, or future physical, mental, or behavioral
health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an
individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a
consumer's residence address or e-mail address; or
(iii) Any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
(l)-(n) [Reserved]
(o) You means savings associations whose deposits are insured by
the Federal Deposit Insurance Corporation (and federal savings
association operating subsidiaries in accordance with Sec. 559.3(h)(1)
of this chapter).

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec. 571.30 Obtaining or using medical information in connection with
a determination of eligibility for credit.

(a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit, except as
provided in this subpart.
(2) Definitions as used in this subpart--(i) Eligibility, or
continued eligibility, for credit means the consumer's qualification or
fitness to receive, or continue to receive, credit, including the terms
on which credit is offered, primarily for personal, family, or
household purposes. The term does not include:
(A) The consumer's qualification or fitness to be offered
employment, insurance products, or other non-credit products or
services;
(B) Any determination of whether the provisions of a debt
cancellation contract, debt suspension agreement, credit insurance
product, or similar forbearance practice or program are triggered;
(C) Authorizing, processing, or documenting a payment or
transaction on behalf of the consumer in a manner that does not involve
a determination of the consumer's eligibility, or continued
eligibility, for credit; or
(D) Maintaining or servicing the consumer's account in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
(ii) Creditor has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(iii) Credit has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(b) Rule of construction for receiving unsolicited medical
information--(1) In general. A creditor does not obtain medical
information for purposes of paragraph (a)(1) of this section if it--
(i) Receives medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit without specifically requesting
medical information; and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
(2) Examples of receiving unsolicited medical information. A
creditor receives unsolicited medical information if, for example:
(i) In response to a general question regarding a consumer's debts
or expenses, the creditor receives information that the consumer has a
particular medical condition and does not use that information in
determining whether to extend credit to the consumer or the terms on
which credit is offered.
(ii) In conversation with the loan officer, the consumer informs
the creditor that the consumer has a particular medical condition, and
the creditor does not use that information in determining whether to
extend credit to the consumer or the terms on which credit is offered.
(c) Financial information exception for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit so long as:
(i) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to
an extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction;
and
(iii) The creditor does not take the consumer's physical, mental,
or behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
(2) Examples--(i) Examples of information related to debts,
expenses, income, benefits, collateral, or the purpose of the loan.
Paragraph (c)(1)(i) of this section permits a creditor, for example, to
obtain and use information about:
(A) The dollar amount, repayment terms, repayment history, and
similar information regarding medical debts that is used to calculate,
measure, or verify the repayment ability of the consumer, the use of
proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that
is used as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability
income or benefits related to health or a medical condition that is
relied on as a source of repayment; or
(D) The identity of creditors to whom outstanding medical debts are
owed in connection with an application for credit, including but not
limited to a transaction involving the consolidation of medical debts.
(ii) Examples of uses of medical information consistent with the
exception. (A) A consumer includes on an application for credit
information about two $20,000 debts. One debt is to a hospital; the
other debt is to a retailer. The creditor contacts the hospital and the
retailer to verify the amount and payment status of the debts. The
creditor learns that both debts are more than 90 days past due. Any two
debts of this size that are past due would disqualify the consumer
under the creditor's established underwriting criteria. The creditor
denies the

[[Page 23404]]

application on the basis that the consumer has a poor repayment history
on outstanding debts. The creditor has used medical information in a
manner and to an extent no less favorable than it would use comparable
non-medical information.
(B) A consumer indicates on an application for a $200,000 mortgage
loan that she receives $15,000 in long-term disability income each year
from her former employer and has no other income. Annual income of
$15,000, regardless of source, would not be sufficient to support the
requested amount of credit. The creditor denies the application on the
basis that the projected debt-to-income ratio of the consumer does not
meet the creditor's underwriting criteria. The creditor has used
medical information in a manner and to an extent that is no less
favorable than it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity
loan that he has a $50,000 debt to a medical facility that specializes
in treating a potentially terminal disease. The creditor contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan. The creditor learns that the debt is
current and that the applicant meets the income requirements of the
creditor's underwriting guidelines. The creditor grants the
application. The creditor has used medical information in accordance
with the exception.
(iii) Examples of uses of medical information inconsistent with the
exception.
(A) A consumer applies for $25,000 of credit and includes on the
application information about a $50,000 debt to a hospital. The
creditor contacts the hospital to verify the amount and payment status
of the debt, and learns that the debt is current and that the consumer
has no delinquencies in her repayment history. If the existing debt
were instead owed to a home furnishing retailer, the creditor would
approve the application and extend credit based on the amount and
repayment history of the outstanding debt. The creditor, however,
denies the application because the consumer is indebted to a hospital.
The creditor has used medical information, here the identity of the
medical creditor, in a manner and to an extent that is less favorable
than it would use comparable non-medical information.
(B) A consumer meets with a loan officer of a creditor to apply for
a mortgage loan. While filling out the loan application, the consumer
informs the loan officer orally that she has a potentially terminal
disease. The consumer meets the creditor's established requirements for
the requested mortgage. The loan officer recommends to the credit
committee that the consumer be denied credit because the consumer has
that disease. The creditor has used medical information in a manner
inconsistent with the exception by taking into account the consumer's
physical, mental, or behavioral health, condition, or history, type of
treatment, or prognosis as part of a determination of eligibility or
continued eligibility for credit.
(d) Specific exceptions for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit--
(i) To determine whether the use of a power of attorney or legal
representative is necessary and appropriate;
(ii) To comply with applicable requirements of local, State, or
Federal laws;
(iii) To the extent such information is included in a consumer
report from a consumer reporting agency, in accordance with 15 U.S.C.
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
provided specific written consent;
(iv) For purposes of fraud prevention and detection;
(v) In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical purpose of a
loan and the use of proceeds;
(vi) If the consumer or the consumer's legal representative
requests in writing, on a separate form signed by the consumer or the
consumer's legal representative that the creditor use specific medical
information for a specific purpose in determining the consumer's
eligibility, or continued eligibility, for credit, to accommodate the
consumer's particular circumstances. The signed written request must
describe the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used; or
(vii) As otherwise permitted by order of the Director of OTS.
(2) Examples of determining the medical purpose of the loan or the
use of proceeds. (i) If a consumer applies for $10,000 of credit for
the purpose of financing vision correction surgery, the creditor may
confirm the consumer's medical eligibility to undergo that procedure
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical
information to deny the consumer's application for credit, because the
loan would not be used for the stated purpose.
(ii) If a consumer applies for $10,000 of credit for the purpose of
financing cosmetic surgery, the creditor may confirm the cost of the
procedure with the surgeon. If the surgeon reports that the cost of the
procedure is $5,000, the creditor may use that medical information to
offer the consumer only $5,000 of credit.
(iii) A creditor has an established medical loan program for
financing particular elective surgical procedures. The creditor
receives a loan application from a consumer requesting $10,000 of
credit under the established loan program for an elective surgical
procedure. The consumer indicates on the application that the purpose
of the loan is to finance an elective surgical procedure not eligible
for funding under the guidelines of the established loan program. The
creditor may deny the consumer's application because the purpose of the
loan is not for a particular procedure funded by the established loan
program.
(3) Examples of obtaining and using medical information at the
request of the consumer. Consistent with safe and sound practices, and
after obtaining from the consumer a signed, written document that
describes the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used, the creditor may obtain and use the specific medical
information for the specific purpose specified in the request:
(i) If a consumer applies for a loan and requests that the creditor
consider the consumer's medical disability at the relevant time as an
explanation for adverse payment history information in his credit
report, the creditor may consider such medical information in
evaluating the consumer's willingness and ability to repay the
requested loan.
(ii) If a consumer applies for a loan and explains that his income
has been and will continue to be interrupted on account of a medical
condition and that he expects to repay the loan from liquidation of
assets, the creditor may evaluate the application using the sale of
assets as the primary source of repayment.
(e) Limits on redisclosure of information. If you receive medical
information about a consumer from a consumer reporting agency or your
affiliate, you must not disclose that

[[Page 23405]]

information to any other person, except as necessary to carry out the
purpose for which the information was initially disclosed, or as
otherwise permitted by statute, regulation, or order.


Sec. 571.31 Sharing medical information with affiliates.

(a) In general. The exclusions from the term ``consumer report'' in
section 603(d)(2) of the Act that allow the sharing of information with
affiliates do not apply if you communicate to an affiliate--
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(b) Exceptions. You may rely on the exclusions from the term
``consumer report'' in section 603(d)(2) of the Act to communicate the
information in paragraph (a) of this section to an affiliate--
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
571.30 of this part; or
(6) As otherwise permitted by order of the Director of OTS.

National Credit Union Administration

For the reasons set out in the preamble, it is proposed that 12 CFR
chapter VII be amended by adding a new part 717 to read as follows:

PART 717--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
717.1 Purpose, scope, and effective dates.
717.2 Examples.
717.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
717.30 Obtaining or using medical information in connection with a
determination of eligibility for credit.
717.31 Sharing medical information with affiliates.

Authority: 15 U.S.C. 1681b and 1681s.

Subpart A--General Provisions


Sec. 717.1 Purpose, scope, and effective dates.

(a) [Reserved]
(b) Scope.
(1) [Reserved]
(2) Institutions covered. These regulations apply to federal credit
unions.


Sec. 717.2 Examples.

The examples in this part are not exclusive. Compliance with an
example, to the extent applicable, constitutes compliance with this
part. Examples in a paragraph illustrate only the issue described in
the paragraph and do not illustrate any other issue that may arise in
this part.


Sec. 717.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate means any company that controls, is controlled by, or
is under common control with another company. For example, an affiliate
of a federal credit union is a credit union service organization
(CUSO), as provided in 12 CFR part 712, that is controlled by the
federal credit union.
(c) [Reserved]
(d) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the Board
determines.
(4) Example. NCUA will presume a credit union has a controlling
influence over the management or policies of a CUSO, if the CUSO is 67%
owned by credit unions.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the
consumer, that relates to--
(i) The past, present, or future physical, mental, or behavioral
health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an
individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a
consumer's residence address or e-mail address; or
(iii) Any other information about a consumer that does not relate
to the physical, mental, or behavioral health or condition of a
consumer, including the existence or value of any insurance policy.
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
(o) You means a federal credit union.

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec. 717.30 Obtaining or using medical information in connection with
a determination of eligibility for credit.

(a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit, except as
provided in this subpart.
(2) Definitions as used in this subpart--(i) Eligibility, or
continued eligibility, for credit means the consumer's qualification or
fitness to receive, or continue to receive, credit, including the terms
on which credit is offered, primarily for personal, family, or
household purposes. The term does not include:
(A) The consumer's qualification or fitness to be offered
employment, insurance products, or other non-credit products or
services;
(B) Any determination of whether the provisions of a debt
cancellation contract, debt suspension agreement,

[[Page 23406]]

credit insurance product, or similar forbearance practice or program
are triggered;
(C) Authorizing, processing, or documenting a payment or
transaction on behalf of the consumer in a manner that does not involve
a determination of the consumer's eligibility, or continued
eligibility, for credit; or
(D) Maintaining or servicing the consumer's account in a manner
that does not involve a determination of the consumer's eligibility, or
continued eligibility, for credit.
(ii) Creditor has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(iii) Credit has the same meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(b) Rule of construction for receiving unsolicited medical
information--(1) In general. A creditor does not obtain medical
information for purposes of paragraph (a)(1) of this section if it--
(i) Receives medical information pertaining to a consumer in
connection with any determination of the consumer's eligibility, or
continued eligibility, for credit without specifically requesting
medical information; and
(ii) Does not use that information in determining whether to extend
or continue to extend credit to the consumer and the terms on which
credit is offered or continued.
(2) Examples of receiving unsolicited medical information. A
creditor receives unsolicited medical information if, for example:
(i) In response to a general question regarding a consumer's debts
or expenses, the creditor receives information that the consumer has a
particular medical condition and does not use that information in
determining whether to extend credit to the consumer or the terms on
which credit is offered.
(ii) In conversation with the loan officer, the consumer informs
the creditor that the consumer has a particular medical condition, and
the creditor does not use that information in determining whether to
extend credit to the consumer or the terms on which credit is offered.
(c) Financial information exception for obtaining and using medical
information--
(1) In general. A creditor may obtain and use medical information
pertaining to a consumer in connection with any determination of the
consumer's eligibility, or continued eligibility, for credit so long
as:
(i) The information relates to debts, expenses, income, benefits,
collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to
an extent that is no less favorable than it would use comparable
information that is not medical information in a credit transaction;
and
(iii) The creditor does not take the consumer's physical, mental,
or behavioral health, condition or history, type of treatment, or
prognosis into account as part of any such determination.
(2) Examples--(i) Examples of information related to debts,
expenses, income, benefits, collateral, or the purpose of the loan.
Paragraph (c)(1)(i) of this section permits a creditor, for example, to
obtain and use information about:
(A) The dollar amount, repayment terms, repayment history, and
similar information regarding medical debts that is used to calculate,
measure, or verify the repayment ability of the consumer, the use of
proceeds, or the terms for granting credit;
(B) The value, condition, and lien status of a medical device that
is used as collateral to secure a loan;
(C) The dollar amount and continued eligibility for disability
income or benefits related to health or a medical condition that is
relied on as a source of repayment; or
(D) The identity of creditors to whom outstanding medical debts are
owed in connection with an application for credit, including but not
limited to a transaction involving the consolidation of medical debts.
(ii) Examples of uses of medical information consistent with the
exception. (A) A consumer includes on an application for credit
information about two $20,000 debts. One debt is to a hospital; the
other debt is to a retailer. The creditor contacts the hospital and the
retailer to verify the amount and payment status of the debts. The
creditor learns that both debts are more than 90 days past due. Any two
debts of this size that are past due would disqualify the consumer
under the creditor's established underwriting criteria. The creditor
denies the application on the basis that the consumer has a poor
repayment history on outstanding debts. The creditor has used medical
information in a manner and to an extent no less favorable than it
would use comparable non-medical information.
(B) A consumer indicates on an application for a $200,000 mortgage
loan that she receives $15,000 in long-term disability income each year
from her former employer and has no other income. Annual income of
$15,000, regardless of source, would not be sufficient to support the
requested amount of credit. The creditor denies the application on the
basis that the projected debt-to-income ratio of the consumer does not
meet the creditor's underwriting criteria. The creditor has used
medical information in a manner and to an extent that is no less
favorable than it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity
loan that he has a $50,000 debt to a medical facility that specializes
in treating a potentially terminal disease. The creditor contacts the
medical facility to verify the debt and obtain the repayment history
and current status of the loan. The creditor learns that the debt is
current and that the applicant meets the income requirements of the
creditor's underwriting guidelines. The creditor grants the
application. The creditor has used medical information in accordance
with the exception.
(iii) Examples of uses of medical information inconsistent with the
exception.
(A) A consumer applies for $25,000 of credit and includes on the
application information about a $50,000 debt to a hospital. The
creditor contacts the hospital to verify the amount and payment status
of the debt, and learns that the debt is current and that the consumer
has no delinquencies in her repayment history. If the existing debt
were instead owed to a home furnishing retailer, the creditor would
approve the application and extend credit based on the amount and
repayment history of the outstanding debt. The creditor, however,
denies the application because the consumer is indebted to a hospital.
The creditor has used medical information, here the identity of the
medical creditor, in a manner and to an extent that is less favorable
than it would use comparable non-medical information.
(B) A consumer meets with a loan officer of a creditor to apply for
a mortgage loan. While filling out the loan application, the consumer
informs the loan officer orally that she has a potentially terminal
disease. The consumer meets the creditor's established requirements for
the requested mortgage. The loan officer recommends to the credit
committee that the consumer be denied credit because the consumer has
that disease. The creditor has used medical information in a manner
inconsistent with the exception by taking into account the consumer's
physical, mental, or behavioral health, condition, or history, type of
treatment, or

[[Page 23407]]

prognosis as part of a determination of eligibility or continued
eligibility for credit.
(d) Specific exceptions for obtaining and using medical
information--(1) In general. A creditor may obtain and use medical
information pertaining to a consumer in connection with any
determination of the consumer's eligibility, or continued eligibility,
for credit--
(i) To determine whether the use of a power of attorney or legal
representative is necessary and appropriate;
(ii) To comply with applicable requirements of local, state, or
federal laws;
(iii) To the extent such information is included in a consumer
report from a consumer reporting agency, in accordance with 15 U.S.C.
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer
provided specific written consent;
(iv) For purposes of fraud prevention and detection;
(v) In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical purpose of a
loan and the use of proceeds;
(vi) If the consumer or the consumer's legal representative
requests in writing, on a separate form signed by the consumer or the
consumer's legal representative that the creditor use specific medical
information for a specific purpose in determining the consumer's
eligibility, or continued eligibility, for credit, to accommodate the
consumer's particular circumstances. The signed written request must
describe the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used; or
(vii) As otherwise permitted by order of the NCUA.
(2) Examples of determining the medical purpose of the loan or the
use of proceeds. (i) If a consumer applies for $10,000 of credit for
the purpose of financing vision correction surgery, the creditor may
confirm the consumer's medical eligibility to undergo that procedure
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical
information to deny the consumer's application for credit, because the
loan would not be used for the stated purpose.
(ii) If a consumer applies for $10,000 of credit for the purpose of
financing cosmetic surgery, the creditor may confirm the cost of the
procedure with the surgeon. If the surgeon reports that the cost of the
procedure is $5,000, the creditor may use that medical information to
offer the consumer only $5,000 of credit.
(iii) A creditor has an established medical loan program for
financing particular elective surgical procedures. The creditor
receives a loan application from a consumer requesting $10,000 of
credit under the established loan program for an elective surgical
procedure. The consumer indicates on the application that the purpose
of the loan is to finance an elective surgical procedure not eligible
for funding under the guidelines of the established loan program. The
creditor may deny the consumer's application because the purpose of the
loan is not for a particular procedure funded by the established loan
program.
(3) Examples of obtaining and using medical information at the
request of the consumer. Consistent with safe and sound practices, and
after obtaining from the consumer a signed, written document that
describes the specific medical information that the consumer requests
the creditor to use and the specific purpose for which the information
will be used, the creditor may obtain and use the specific medical
information for the specific purpose specified in the request:
(i) If a consumer applies for a loan and requests that the creditor
consider the consumer's medical disability at the relevant time as an
explanation for adverse payment history information in his credit
report, the creditor may consider such medical information in
evaluating the consumer's willingness and ability to repay the
requested loan.
(ii) If a consumer applies for a loan and explains that his income
has been and will continue to be interrupted on account of a medical
condition and that he expects to repay the loan from liquidation of
assets, the creditor may evaluate the application using the sale of
assets as the primary source of repayment.
(e) Limits on redisclosure of information. If you receive medical
information about a consumer from a consumer reporting agency or your
affiliate, you must not disclose that information to any other person,
except as necessary to carry out the purpose for which the information
was initially disclosed, or as otherwise permitted by statute,
regulation, or order.


Sec. 717.31 Sharing medical information with affiliates.

(a) In general. The exclusions from the term ``consumer report'' in
section 603(d)(2) of the Act that allow the sharing of information with
affiliates do not apply if you communicate to an affiliate--
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(b) Exceptions. You may rely on the exclusions from the term
``consumer report'' in section 603(d)(2) of the Act to communicate the
information in paragraph (a) to an affiliate--
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
717.30 of this part; or
(6) As otherwise permitted by order of the NCUA.

Dated: April 16, 2004.
John D. Hawke, Jr.,
Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve
System, April 22, 2004.
Jennifer J. Johnson,
Secretary of the Board.

Dated at Washington, DC, the 6th day of April, 2004.

By order of the Board of Directors.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Dated: April 6, 2004.

By the Office of Thrift Supervision.
James E. Gilleran,
Director.

By the National Credit Union Administration Board on April 8,
2004.
Becky Baker,
Secretary of the Board.
[FR Doc. 04-9526 Filed 4-27-04; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-10-P; 6720-01-P; 7535-01-P

 

Last Updated 04/29/2004 regs@fdic.gov
