CUNA Regulatory Comment Call


April 19, 2004

Proposed Rule on Disclosing and Using Consumers’ Medical Information
(Major Rule-Applies to Federal Credit Unions)

EXECUTIVE SUMMARY

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule. You may also access it on the Internet at the following address:

http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/Proposed717.pdf

BACKGROUND

President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.

The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act:
http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html

The FACT Act prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. Medical information may be obtained and used for other purposes, such as employment and insurance purposes. The Act also restricts the circumstances in which credit bureaus may furnish consumer reports containing medical information about consumers. "Medical information" means information created by or derived from a health provider or consumer that relates to the following:

This definition does not apply to other information regarding the consumer, such as age, gender, demographic information, as well as the existence or value of an insurance policy.

The FACT Act requires the federal financial institution regulators, including NCUA, to issue rules that provides exceptions that are necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs. These rules must be issued in final form by June 4, 2004.

The FACT Act also restricts the sharing of medical-related information with affiliates if it meets the FCRA’s definition of "consumer report," which generally refers to credit or personal information used to establish eligibility for credit, employment, or a number of other purposes. Specifically, these provisions remove the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out." This includes medical information, as defined above, as well as other medical-related information, such as individualized lists or descriptions, or aggregate lists of identified consumers, based on payment transactions for medical products and services. Those receiving medical information from an affiliate or from a credit bureau are not permitted to further disclose the information, except as necessary to carry out the purposes for which the information was disclosed, or as otherwise permitted by law.

The following are exceptions that allow sharing of medical information with affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out:"

"Affiliate" is defined as a company that controls, is controlled by, or under common control with another company. For credit unions, affiliates will be CUSOs. "Control" will generally mean at least 67% owned by credit unions. This definition is the same that applies under NCUA’s privacy notice rules.

DESCRIPTION OF THE PROPOSED RULE

Obtaining and Using Medical Information in Connection with a Determination of Eligibility for Credit

The proposed rule will create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations, which include initial decisions to grant or deny credit, as well as decisions on whether to terminate an account or adjust a credit limit. This will cover credit primarily for personal, family, or household purposes. The prohibition will not apply to qualifications or fitness to be offered employment, insurance products, or other non-credit products or services. It will also not apply to determinations of whether coverage provisions of debt cancellation contracts, debt suspension agreements, credit insurance products, or similar forbearance products are triggered.

The prohibition also does not apply to authorizing, processing, or documenting a transaction on behalf of a consumer in a manner that does not involve a credit eligibility determination or apply to the maintaining or servicing of an account in a manner that does not involve a credit eligibility determination. In general, a creditor may obtain medical information if it is not obtained in connection with determining credit eligibility, as long as it is not used later in making such a determination. A creditor may also obtain such information in connection with determining credit eligibility if it is received unsolicited. Again, such information cannot later be used for such determinations.

Under the first exception to the general prohibition, a creditor may obtain and use medical information in determining credit eligibility if the following three requirements are met:

Here are the additional exceptions:

The proposed rule includes many examples of the above exceptions.

Sharing Medical Information with Affiliates

The proposed rule also creates two additional exceptions that permit the sharing of medical-related information among affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to "opt-out:"

QUESTIONS TO CONSIDER REGARDING THE PROPOSED RULE ON DISCLOSING AND USING CONSUMERS’ MEDICAL INFORMATION

(The Regulators have specifically requested comment on most of the issues raised in these questions.)

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com