CUNA Regulatory Comment Call
April 19, 2004
Proposed Rule on Disclosing and Using Consumers’ Medical Information
(Major Rule-Applies to Federal Credit Unions)
EXECUTIVE SUMMARY
- The Fair and Accurate Credit Transactions (FACT) Act was enacted this past December and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive.
- The FACT Act also restricts creditors from obtaining or using medical information pertaining to consumers in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit. There are also provisions restricting the sharing of medical information with affiliates, which for credit unions would include credit union service organizations (CUSOs).
- As required under the FACT Act, NCUA and the other financial institution regulators have issued a proposed rule to create exceptions to the general prohibition on obtaining or using medical information that are necessary to protect legitimate, operational, transactional, risk, consumer, and other needs, as well as exceptions to the restrictions on sharing information with affiliates.
- The proposed rule will only apply to federal credit unions. The exceptions will not at this time apply to state-chartered credit unions. CUNA is working with the regulators to ensure that state-chartered credit unions will also benefit from these exceptions.
- Comments are due by May 28, 2004. Please submit your comments to CUNA by May 19, 2004.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule. You may also access it on the Internet at the following address:
http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/Proposed717.pdf
BACKGROUND
President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.
The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for
a special issue of RegWatch that describes the significant provisions of the FACT Act:
http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html
The FACT Act prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. Medical information may be obtained and used for other purposes, such as employment and insurance purposes. The Act also restricts the circumstances in which credit bureaus may furnish consumer reports containing medical information about consumers. "Medical information" means information created by or derived from a health provider or consumer that relates to the following:
- Past, present, or future physical, mental, or behavioral condition of an individual.
- The providing of health care to an individual.
- The payment or provision of health care to an individual.
This definition does not apply to other information regarding the consumer, such as age, gender, demographic information, as well as the existence or value of an insurance policy.
The FACT Act requires the federal financial institution regulators, including NCUA, to issue rules that provides exceptions that are necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs. These rules must be issued in final form by June 4, 2004.
The FACT Act also restricts the sharing of medical-related information with affiliates if it meets the FCRA’s definition of "consumer report," which generally refers to credit or personal information used to establish eligibility for credit, employment, or a number of other purposes. Specifically, these provisions remove the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out." This includes medical information, as defined above, as well as other medical-related information, such as individualized lists or descriptions, or aggregate lists of identified consumers, based on payment transactions for medical products and services. Those receiving medical information from an affiliate or from a credit bureau are not permitted to further disclose the information, except as necessary to carry out the purposes for which the information was disclosed, or as otherwise permitted by law.
The following are exceptions that allow sharing of medical information with affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out:"
- In connection with the business of insurance or annuities.
- For any purpose permitted without authorization under the Standards for Individually Identifiable Health Information issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA). This generally applies to information necessary to insure access to effective health care.
- Pursuant to the HIPAA provisions pertaining to authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments.
- As permitted under Section 502(e) of the Gramm-Leach-Bliley Act, which includes sharing of information with consent of the consumer, for fraud prevention purposes, or to process a transaction authorized by the consumer.
- As otherwise permitted by regulation or order.
"Affiliate" is defined as a company that controls, is controlled by, or under common control with another company. For credit unions, affiliates will be CUSOs. "Control" will generally mean at least 67% owned by credit unions. This definition is the same that applies under NCUA’s privacy notice rules.
DESCRIPTION OF THE PROPOSED RULE
Obtaining and Using Medical Information in Connection with a Determination of Eligibility for Credit
The proposed rule will create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations, which include initial decisions to grant or deny credit, as well as decisions on whether to terminate an account or adjust a credit limit. This will cover credit primarily for personal, family, or household purposes. The prohibition will not apply to qualifications or fitness to be offered employment, insurance products, or other non-credit products or services. It will also not apply to determinations of whether coverage provisions of debt cancellation contracts, debt suspension agreements, credit insurance products, or similar forbearance products are triggered.
The prohibition also does not apply to authorizing, processing, or documenting a transaction on behalf of a consumer in a manner that does not involve a credit eligibility determination or apply to the maintaining or servicing of an account in a manner that does not involve a credit eligibility determination. In general, a creditor may obtain medical information if it is not obtained in connection with determining credit eligibility, as long as it is not used later in making such a determination. A creditor may also obtain such information in connection with determining credit eligibility if it is received unsolicited. Again, such information cannot later be used for such determinations.
Under the first exception to the general prohibition, a creditor may obtain and use medical information in determining credit eligibility if the following three requirements are met:
- The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of the proceeds.
- The creditor uses the information in a manner and to an extent no less favorable than it would use comparable information that is not medical information in a credit transaction. Medical expenses or income may be treated more favorably.
- The creditor does not take the consumer’s physical, mental, or behavioral, condition or history, type of treatment, or prognosis into account as part of any credit eligibility determination.
Here are the additional exceptions:
- Determining whether the use of a power of attorney or legal representative is necessary and appropriate.
- Complying with applicable requirements of local, state, or federal laws.
- When such information is included in a consumer report from a credit bureau, as permitted under the FCRA, and is used for the purpose for which the consumer provided written consent.
- For fraud prevention and detection.
- Verifying the medical purpose of a loan and use of proceeds with regard to financing of medical products or services.
- If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or legal representative, that the creditor use specific medical information in determining credit eligibility to accommodate the consumer’s particular circumstances. The request must describe the specific medical information and the specific purpose for which it will be used. This exception is not intended to be used on a routine basis and does not allow for forms with preprinted descriptions of medical information and purposes for which it may used.
- As otherwise permitted by order of the appropriate government agency, such as NCUA.
The proposed rule includes many examples of the above exceptions.
Sharing Medical Information with Affiliates
The proposed rule also creates two additional exceptions that permit the sharing of medical-related information among affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out:"
- If the information is disclosed to an affiliate in connection with a credit eligibility determination, as permitted under these proposed rules.
- As otherwise permitted by order of the appropriate government agency.
QUESTIONS TO CONSIDER REGARDING THE PROPOSED RULE ON DISCLOSING AND USING CONSUMERS’ MEDICAL INFORMATION
(The Regulators have specifically requested comment on most of the issues raised in these questions.)
- With regard to obtaining and using medical information in connection with triggering
coverage under debt cancellation, debt suspension, or credit insurance products, is it more
appropriate to grant an exception from the restrictions regarding medical information or is
it preferable that such circumstances be interpreted as not related to a credit eligibility
determination? Should a separate exception be created allowing creditors to accommodate
medical conditions and circumstances that is in lieu of, or in addition to, the exception
that triggers this coverage or does this current exception, along with the consumer request
exception, provide enough flexibility to provide such accommodations?
- Under the proposed rule, creditors are permitted to obtain unsolicited medical information,
as long as it is not used for credit determinations. This is provided as a "rule of construction"
or interpretation that this is not covered under the FACT Act restrictions. Would it be more
appropriate to include this as an exception or as a "rule of construction?"
- Creditors will be able to obtain and use medical information in determining credit eligibility
if the following three requirements are met:
- The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of the proceeds.
- The creditor uses the information in a manner and to an extent no less favorable than it would use comparable information that is not medical information in a credit transaction. Medical expenses or income may be treated more favorably.
- The creditor does not take the consumer’s physical, mental, or behavioral, condition or history, type of treatment, or prognosis into account as part of any credit eligibility determination.
- The proposed rule contains a number of examples to illustrate these exceptions. Should any of them
be amended or deleted? Should additional examples be provided?
- A separate exception has not been proposed with regard to obtaining and using information from
consumer reports containing coded information. The regulators have offered the following three reasons
such an exception may not be necessary:
- The term "medical information" can be interpreted to exclude coded information
- Credit bureaus are authorized to provide such information so it should be permissible for creditors to obtain it.
- Since the information is coded, which means it does not provide specific health information, and relates to debts, it could be considered under the exception that allows use of such information in a manner no less favorable than non-medical information.
- To what extent is it necessary for you to obtain and use medical information for purposes
of fraud prevention and detection in connection with credit eligibility determinations? Can
the exception be narrowed to prevent unnecessary use of the information without compromising
fraud prevention and detection efforts?
- For the consumer request exception, the request must be in writing and on a separate form
signed by the consumer or the consumer’s legal representative. Are these requirements
necessary or do they hinder the ability of creditors to make medical accommodations?
- Should an additional exception be included for consumer consent in which a creditor could
request the consumer to consent to the specific use of medical information? When would this
exception be used and how could it be drafted to ensure appropriate consumer protections?
- With regard to the sharing of medical information with affiliates, are there any additional
or different exceptions that should be included?
- The effective date of the final rule regarding the sharing of medical information will
be June 4, 2004. Is this appropriate or should a different effective date be established?
- Other comments?
|
Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com |
