CUNA Regulatory Comment Call
June 17, 2005
Interim Final Rules on Disclosing and Using Consumers Medical Information
(Major Rule - NCUAs rule applies to federal credit unions; Federal Reserve Board has issued a separate rule that applies to state-chartered credit unions)
- The Fair and Accurate Credit Transactions (FACT) Act was enacted in December 2003 and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive.
- The FACT Act also restricts creditors from obtaining or using medical information pertaining to consumers in connection with a determination of the consumers eligibility, or continued eligibility, for credit. There are also provisions restricting the sharing of medical information with affiliates, which for credit unions would include credit union service organizations (CUSOs).
- As required under the FACT Act, the National Credit Union Administration (NCUA) and the other financial institution regulators have issued interim final rules to create exceptions to the general prohibition on obtaining or using medical information that are necessary to protect legitimate, operational, transactional, risk, consumer, and other needs, as well as exceptions to the restrictions on sharing information with affiliates.
- The interim final rule from NCUA will only apply to federal credit unions. The Federal Reserve Board (Fed) has issued a separate, but nearly identical, interim final rule that will apply these exceptions to state-chartered credit unions and others in the financial services industry that were not covered under the original, proposed interagency rules. CUNA, in its comment letter in response to the proposed rules, recognized that the exceptions in NCUAs rule would only apply to federal credit unions and urged that state-chartered credit unions also be allowed to use these exceptions. (This rule from the Fed is separate from the Fed rule that will apply the exceptions to certain banking institutions.) Click below for CUNAs comment letter for more information about CUNAs position:
- The interim final rules will be effective as of March 7, 2006. Comments on the rules will be due by July 11, 2005. Please submit your comments to CUNA by July 5, 2005.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Associate General Counsel Mary Dunn at firstname.lastname@example.org and to Senior Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff in c/o CUNAs Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you have questions or would like a copy of the interim final rule. You may also access both NCUAs and the Feds rule on the Internet at the following address:
The FACT Act permanently extends the federal preemptions for credit reporting under the FCRA. It also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.
A number of new rules will be issued that will implement many of the FACT Act provisions. The FACT Act provisions requiring rules will not be effective until those rules are issued, and the rules may also delay the effective date even further.
The FACT Act also prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumers eligibility, or continued eligibility, for credit. Medical information may be obtained and used for other purposes, such as employment and insurance purposes. The FACT Act also restricts the circumstances in which credit bureaus may furnish consumer reports containing medical information about consumers. Medical information means information created by or derived from a health provider or consumer that relates to the following:
- Past, present, or future physical, mental, or behavioral condition of an individual.
- The providing of health care to an individual.
- The payment or provision of health care to an individual.
This definition does not apply to information that does not identify a specific consumer and also does not apply to other information regarding the consumer, such as age, gender, demographic information, as well as the existence or value of an insurance policy. However, the definition does include coded information, such as coded medical information that is furnished by a credit bureau.
The FACT Act requires the federal financial institution regulators, including NCUA, to issue rules that provides exceptions that are necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs. The FACT Act restrictions will not be effective until the rules providing the exceptions are also effective.
The FACT Act also restricts the sharing of medical-related information with affiliates if it meets the FCRAs definition of consumer report, which generally refers to credit or personal information used to establish eligibility for credit, employment, or a number of other purposes. Specifically, these provisions remove the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to opt-out. This includes medical information, as defined above, as well as other medical-related information, such as individualized lists or descriptions, or aggregate lists of identified consumers, based on payment transactions for medical products and services. Those receiving medical information from an affiliate or from a credit bureau are not permitted to further disclose the information, except as necessary to carry out the purposes for which the information was disclosed, or as otherwise permitted by law.
The following are exceptions that allow sharing of medical information with affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to opt-out:
- In connection with the business of insurance or annuities.
- For any purpose permitted without authorization under the Standards for Individually Identifiable Health Information issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA). This generally applies to information necessary to insure access to effective health care.
- Pursuant to the HIPAA provisions pertaining to authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments.
- As permitted under Section 502(e) of the Gramm-Leach-Bliley Act, which includes sharing of information with consent of the consumer, for fraud prevention purposes, or to process a transaction authorized by the consumer.
Affiliate is defined as a company that is related by common ownership or common corporate control with another company. For credit unions, affiliates will be CUSOs. Control will generally mean at least 67% owned by credit unions. This definition is the same that applies under NCUAs privacy notice rules.
DESCRIPTION OF THE INTERIM FINAL RULES
Obtaining and Using Medical Information in Connection with a Determination of Eligibility for Credit
The interim final rules will create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations, which include initial decisions to grant or deny credit, as well as decisions on whether to terminate an account or adjust a credit limit. The prohibition will not apply to qualifications or fitness to be offered employment, insurance products (other than a credit insurance product, which is addressed below as one of the exceptions to the general prohibition), or other non-credit products or services.
The prohibition also does not apply to authorizing, processing, or documenting a transaction on behalf of a consumer in a manner that does not involve a credit eligibility determination or apply to the maintaining or servicing of an account in a manner that does not involve a credit eligibility determination. In general, a creditor may obtain medical information if it is not obtained in connection with determining credit eligibility, as long as it is not used later in making such a determination. A creditor may also obtain such information in connection with determining credit eligibility if it is received unsolicited. Such information can be used if one of the exceptions applies, as described below.
Under the first exception to the general prohibition, a creditor may obtain and use medical information in determining credit eligibility if the following three requirements are met:
- The information is the type routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of the proceeds. (This is more expansive than what was originally proposed, as suggested by CUNA in its comment letter in response to the proposed rules.)
- The creditor uses the information in a manner and to an extent no less favorable than it would use comparable information that is not medical information in a credit transaction. Medical expenses or income may be treated more favorably.
- The creditor does not take the consumers physical, mental, or behavioral, condition or history, type of treatment, or prognosis into account as part of any credit eligibility determination.
Here are the additional exceptions to the prohibition against obtaining or using medical information in connection with credit eligibility determinations:
- Determining whether the use of a power of attorney or legal representative that is triggered by a medical event is necessary and appropriate or whether a person has the legal capacity to contract when he or she seeks to exercise a power of attorney or act as a legal representative for another based on an asserted medical event.
- Complying with applicable requirements of local, state, or federal laws.
- Determining, at the consumers request, whether the consumer qualifies for a special credit program or credit-related assistance program. The program has to be: 1) designed to meet the special needs of consumers with medical conditions; and 2) administered under a written plan identifying those that the program is designed to benefit and outlining the procedures and standards for extending credit or providing assistance under the program.
- To the extent necessary to prevent and detect fraud. This exception is intended to be used in limited situations. Creditors using this exception should be prepared to demonstrate the necessity for obtaining and using medical information in these situations. Blanket assertions about fraud prevention and detection will not be sufficient.
- Verifying the medical purpose of a loan and use of proceeds with regard to financing of medical products or services.
- If the consumer or the consumers legal representative specifically requests that the creditor use medical information in determining credit eligibility to accommodate the consumers particular circumstances. However, the creditor is not obligated to comply with the request. Such requests may be made orally, electronically, or in writing. The creditor must document the request, and the accommodation must be consistent with safe and sound practices. The request may be made in response to a general inquiry on an application that invites the consumer to include any information that he or she would like the creditor to consider in evaluating the application. The creditor may request additional information under this exception. (This exception is more lenient than what was originally proposed, as suggested by CUNA in its comment letter in response to the proposed rules.)
- Determining whether a provision of a forbearance program that is triggered by a medical event applies to the consumer.
- Determining the eligibility of the consumer for a debt cancellation contract or debt suspension agreement if a medical event is relevant to coverage, as well as determining whether coverage provisions are triggered by a medical event.
- Determining the eligibility of the consumer for a credit insurance product if a medical event is relevant to coverage, as well as determining whether coverage provisions are triggered by a medical event.
A creditor may not use medical information to determine whether the consumer will be required to obtain a credit insurance product, debt cancellation contract, or debt suspension agreement. Also, when requesting the information, the creditor should make it clear that the request is voluntary and the information, or the refusal to provide the information, will not be used in connection with the credit request itself.
The interim final rules include many examples of the above exceptions.
Sharing Medical Information with Affiliates
The interim final rules also create two additional exceptions that permit the sharing of medical-related information among affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to opt-out:
- If the information is disclosed to an affiliate in connection with a credit eligibility determination, as permitted under these rules.
- As otherwise permitted by order of the appropriate government agency.
QUESTIONS TO CONSIDER REGARDING THE INTERIM FINAL RULES ON DISCLOSING AND USING CONSUMERS MEDICAL INFORMATION
- Because the FACT Act does not permit NCUA to provide exceptions for state-chartered credit unions, the Fed has written a separate, but nearly identical, rule to cover state-chartered credit unions and others that were not originally covered under the proposed rules. Do you agree with this approach?
- Are the exceptions outlined in the rules sufficient for you to obtain or use medical information for legitimate purposes? If not, are there additional exceptions that are necessary? Should any of the listed exceptions be changed to provide additional flexibility?
- The rules will be effective in approximately nine months. Is this time sufficient in order to comply with these requirements. If not, how much additional time is needed?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Lilly Thomas Assistant General Counsel (202) 508-6733 email@example.com
Catherine Orr Senior Regulatory Counsel (202) 508-6743 firstname.lastname@example.org