CUNA Regulatory Comment Call

June 17, 2005

Interim Final Rules on Disclosing and Using Consumers’ Medical Information

(Major Rule - NCUA’s rule applies to federal credit unions; Federal Reserve Board has issued a separate rule that applies to state-chartered credit unions)

EXECUTIVE SUMMARY

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Senior Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you have questions or would like a copy of the interim final rule. You may also access both NCUA’s and the Fed’s rule on the Internet at the following address:

http://www.federalreserve.gov/boarddocs/press/bcreg/2005/20050606/attachment.pdf

BACKGROUND

The FACT Act permanently extends the federal preemptions for credit reporting under the FCRA. It also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.

A number of new rules will be issued that will implement many of the FACT Act provisions. The FACT Act provisions requiring rules will not be effective until those rules are issued, and the rules may also delay the effective date even further.

The FACT Act also prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. Medical information may be obtained and used for other purposes, such as employment and insurance purposes. The FACT Act also restricts the circumstances in which credit bureaus may furnish consumer reports containing medical information about consumers. “Medical information” means information created by or derived from a health provider or consumer that relates to the following:

This definition does not apply to information that does not identify a specific consumer and also does not apply to other information regarding the consumer, such as age, gender, demographic information, as well as the existence or value of an insurance policy. However, the definition does include coded information, such as coded medical information that is furnished by a credit bureau.

The FACT Act requires the federal financial institution regulators, including NCUA, to issue rules that provides exceptions that are necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs. The FACT Act restrictions will not be effective until the rules providing the exceptions are also effective.

The FACT Act also restricts the sharing of medical-related information with affiliates if it meets the FCRA’s definition of “consumer report,” which generally refers to credit or personal information used to establish eligibility for credit, employment, or a number of other purposes. Specifically, these provisions remove the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to “opt-out.” This includes medical information, as defined above, as well as other medical-related information, such as individualized lists or descriptions, or aggregate lists of identified consumers, based on payment transactions for medical products and services. Those receiving medical information from an affiliate or from a credit bureau are not permitted to further disclose the information, except as necessary to carry out the purposes for which the information was disclosed, or as otherwise permitted by law.

The following are exceptions that allow sharing of medical information with affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to “opt-out:”

“Affiliate” is defined as a company that is related by common ownership or common corporate control with another company. For credit unions, affiliates will be CUSOs. “Control” will generally mean at least 67% owned by credit unions. This definition is the same that applies under NCUA’s privacy notice rules.

DESCRIPTION OF THE INTERIM FINAL RULES

Obtaining and Using Medical Information in Connection with a Determination of Eligibility for Credit

The interim final rules will create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations, which include initial decisions to grant or deny credit, as well as decisions on whether to terminate an account or adjust a credit limit. The prohibition will not apply to qualifications or fitness to be offered employment, insurance products (other than a credit insurance product, which is addressed below as one of the exceptions to the general prohibition), or other non-credit products or services.

The prohibition also does not apply to authorizing, processing, or documenting a transaction on behalf of a consumer in a manner that does not involve a credit eligibility determination or apply to the maintaining or servicing of an account in a manner that does not involve a credit eligibility determination. In general, a creditor may obtain medical information if it is not obtained in connection with determining credit eligibility, as long as it is not used later in making such a determination. A creditor may also obtain such information in connection with determining credit eligibility if it is received unsolicited. Such information can be used if one of the exceptions applies, as described below.

Under the first exception to the general prohibition, a creditor may obtain and use medical information in determining credit eligibility if the following three requirements are met:

Here are the additional exceptions to the prohibition against obtaining or using medical information in connection with credit eligibility determinations:

A creditor may not use medical information to determine whether the consumer will be required to obtain a credit insurance product, debt cancellation contract, or debt suspension agreement. Also, when requesting the information, the creditor should make it clear that the request is voluntary and the information, or the refusal to provide the information, will not be used in connection with the credit request itself.

The interim final rules include many examples of the above exceptions.

Sharing Medical Information with Affiliates

The interim final rules also create two additional exceptions that permit the sharing of medical-related information among affiliates under the standard FCRA exceptions, such as the sharing of transactional or experience information among affiliates or the sharing of certain other information after providing consumers with the opportunity to “opt-out:”

QUESTIONS TO CONSIDER REGARDING THE INTERIM FINAL RULES ON DISCLOSING AND USING CONSUMERS’ MEDICAL INFORMATION

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Lilly Thomas • Assistant General Counsel • (202) 508-6733 • lthomas@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com