Fair Credit Regulation Restricts Use of Medical Information
- “Medical Information”
- Examples of Not Evaluating Credit
- Unsolicited Medical Information
- Financial Information Exception
- Permitted Gathering of Financial Information
- Proper Financial Use of Medical Information
- Improper Use of Medical Information
- Other Permitted Exceptions
- Proper Use of Exceptions
- Limits on Re-disclosure
- Affiliate Sharing
Fair Credit Regulation Restricts Use of Medical Information
In June 2005 the Federal regulatory agencies issued an “interim final” rule narrowly limiting the situations in which creditors can obtain and use medical information about a consumer in connection with credit decisions. This “interim final” rule was originally intended to take effect in March 2006. However, on November 22 the agencies replaced it with a revised “final” rule, which now will become effective on April 1, 2006.
As an extreme example of what the rule covers, assume that a consumer is applying for a home equity loan, and has good credit, good income and adequate collateral. If the applicant tells the lender that he/she has terminal cancer, the lender cannot use that information as part of the loan decision.
If another situation, an applicant may have large medical bills outstanding, but the creditor must view them no more adversely than a non-medical debt of similar amount, terms, payment history, etc. If the applicant is seriously past due on medical bills, this should be viewed just as negatively as being past due on any other debt; but the other way around, if the customer is absolutely paying as agreed on medical bills, this may help to establish “good” credit history and should be viewed as favorably as a good performance record on non-medical debt.
I will outline the regulation’s provisions, adding some comments of my own.
Section 411 of the FACT Act narrowly limits a creditor’s ability to obtain or use medical information about a consumer in connection with a determination of a consumer’s eligibility, or continued eligibility, for credit. To carry out the purpose of the statute, the banking agencies’ regulation now creates a list of necessary and appropriate exceptions in which a creditor is permitted to consider medical information. Generally, the exceptions deal with (1) medical information that the creditor provides voluntarily and that is used in permitted ways, (2) medical information not used in an evaluation of credit, or (3) medical information that the consumer specifically asks the consumer to consider in relation to a special medically-related lending program or forbearance program.
For technical reasons, each of the regulatory agencies has adopted a separate regulation covering only the groups of lenders that are under that specific agency’s jurisdiction; but all of the agencies have adopted the same language, and all lenders will become subject to the same provisions. (The only difference is in which agency’s regulations apply to the particular lender, and where those provisions will be codified in the Code of Federal Regulations.)
For national banks, the OCC regulation applies, and is found in 12 C.F.R. Section 41. For Fed-member state banks, the Federal Reserve regulation is the one to look at, found in 12 C.F.R. Section 222. Non-Fed-member state banks are subject to the FDIC version of the regulation, found at 12 C.F.R. Section 334. The OTS regulation, applicable to savings associations, is in 12 C.F.R. Section 571. The NCUA regulation, which applies to federally-chartered credit unions, is in 12 C.F.R. Section 717. State-chartered credit unions, as well as all non-depository lenders (including health care providers, finance companies and car dealers) will be regulated on these matters by the Federal Trade Commission (FTC). (A bank buying dealer paper, for example, will want to make sure that its dealers are complying with this regulation.)
For simplicity, I will discuss only the OCC version of the regulation; but all subsections are numbered the same in each regulator’s version of the regulation. For example, subsection 41.30 (OCC) reads the same as subsection 222.30 (Fed) and subsection 571.30 (FDIC). Only the number before the decimal changes from one agency’s version to another.
2. “Medical Information”
The regulation defines “medical information” at subsection 41.3(k) to include “information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer,” provided that it falls within one of the following three subject areas: “(i) The past, present, or future physical, mental or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual.” The regulation copies this definition straight out of Section 411 of the FACT Act.
Some limited bits of information probably don’t qualify as “medical information” (a) because the source of the information is not what the definition requires, or (b) because the subject of the information is too general or vague to be definitely medical. But it doesn’t take much to become “medical information.”
For example, “I haven’t been feeling well for months,” or “I’ve been taking a lot of pain pills” is an example of medical information, because (although vague) it comes directly from the individual and relates to physical health. (It states no specific condition but clearly suggests the existence of some health problem.)
By contrast, consider a situation where a teller says to the loan officer, “I saw Jeremy yesterday and he looked pretty bad. He seems to have really gone downhill fast.” This is not medical information if based only on observations by the teller, because no information came directly or indirectly from Jeremy (the customer), nor from a health care provider. But if the teller said to Jeremy, “You don’t look very well” and he responded, “I have been really sick,” this is medical information (because coming from the individual).
What if someone else is repeating to you what the sick individual has said? For example, the loan officer sees Jeremy’s wife in the bank and asks, “Has Jeremy been sick?” The wife says, “He tells me nearly every day that he doesn’t feel very good,” or “The doctor told him he can’t go back to work any time soon.” Because the health-related information provided by the wife basically repeats what either Jeremy or his doctor has said, the wife’s response is “derived from” the consumer or from the health care provider. Thus, a third party’s statements potentially can be “medical information.”
Now let’s consider examples of the three specific sub-categories of information. First, if a teller states to the loan officer, “Dr. Smith says John and everyone in his family have the flu,” this is “medical information” because it describes a physical health condition–and derives (indirectly) from a doctor. (It also implies “provision of health care,” another sub-category.) Second, if the customer says “I haven’t been feeling well lately, but I’m seeing Dr. Smith,” this is “medical information” because it describes “provision of health care,” and comes directly from the consumer. (It also implies the existence of a physical condition, another sub-category.) Third, if a consumer says to the loan officer, “My payment was late this month because I had to pay for some X-rays at the emergency room,” this is “medical information” because it comes from the consumer and mentions “payment for the provision of health care.” (It also mentions “provision of health care,” another sub-category).
But let’s take it a step further. The bank processes one of Mary’s checks that is payable to a doctor, and notices that the memo line says, “Office visit.” This is apparently “medical information” because the check is “information . . . in any form or medium . . . created by . . . the consumer” that relates to “the payment for the provision of health care to an individual.” (Even a check evidencing payment for what may have been only a standard checkup with no medical condition discovered is probably “medical information.”)
The statutory definition of “medical information” is quite broad, but the statute also directs the regulatory agencies to create various “exceptions,” to avoid unnecessary burdens on creditors or unintended outcomes. These exceptions (discussed later) allow creditors to obtain and use “medical information” in various situations—generally where doing so will actually help the consumer.
3. Examples of Not Evaluating Credit
Subsection 41.30(b)(2)(iii) lists the three following situations, in which, although a creditor is obtaining or using “medical information,” the activity does not fall within the regulation’s coverage—because there is a legitimate purpose not involving an evaluation of the consumer’s “eligibility, or continued eligibility for credit”:
“(A) Any determination of the consumer’s qualification or fitness for employment, insurance (other than a credit insurance product), or other non-credit products or services;
“(B) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit: or
“(C) Maintaining or servicing the customer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit.”
As indicated by paragraph (A), above, the FACT Act and the new regulation are concerned with the use of “medical information” only in connection with evaluating “credit,” and not in connection with employment decisions. In some circumstances, considering “medical information” in connection with employment could be discriminatory, but that’s governed by other law, not the FACT Act. Particularly when a job requires mobility or physical strength, “medical information” may legitimately be relevant in hiring. But the FACT Act does not address the employment scenario at all.
Some creditors (including banks) are licensed to sell regular life insurance policies (not credit insurance) and health insurance. These types of insurance are underwritten based on the consumer’s medical information. Paragraph (A) makes clear that considering medical information in this way is not prohibited.
Paragraph (B), above, recognizes that a creditor (including a bank) may hold one or more deposit accounts belonging to the same consumer. Because even a consumer’s check payable to a medical provider can represent “medical information,” the bank’s normal activity in processing checks drawn on that customer’s account may indirectly involve “obtaining and using” medical information—although not for a purpose related to credit. Paragraph (B) clarifies that an activity such as processing checks is not restricted by the regulation, unless the creditor tries to use medical information from that source to evaluate the consumer’s eligibility, or continued eligibility, for credit. (Even without a deposit account, a consumer could have an equity line of credit that is accessed by writing checks. He could use some of those checks to pay medical bills, resulting in medical information becoming accessible to the creditor.)
To restate this, any check activity may cause “medical information” to pass through the creditor’s hands, but the mere processing of checks is not covered by the regulation unless, for example, the creditor notices a check payable to “XYZ Cancer Treatment Center” and starts using that information for another purpose—considering whether it should extend or renew a loan to this consumer based on what it has accidentally noticed concerning cancer.
Paragraph (C), above, clarifies that a lender may gain certain medical information in administering a loan that, however, it does not use in evaluating credit or continuing eligibility for credit. As long as the creditor does not “cross the line” in what it does with the information, the mere awareness of the information, or use of the information for non-credit-decision purposes, does not trigger the regulation’s provisions.
For example, a consumer comes in to make a monthly loan payment (on a timely basis) and states in passing that he is now receiving disability checks. Or a loan officer calls a home-equity-line customer to verify an address change for some new checks that can be written on the credit line, and learns (without asking) that the customer has been on sick leave for a month. These examples of “medical information,” gained in connection with administration of the loan, are not covered by the regulation so long as the creditor does not use the information to evaluate credit. The creditor has learned of a medical problem, but if the loan is current and the lender does not re-evaluate the loan based on the information that is learned, the situation is not covered by the regulation.
As discussed later, the regulation does not totally forbid the use of medical information in evaluating a loan. Rather, if medical information will be used to evaluate credit, the regulation strictly limits in what manner that information can be used. As the previous examples illustrate, a lender doesn’t need to get to the restrictions on use of medical information, if what the lender is doing with “medical information” is incidental and does not involve an evaluation of credit.
4. Unsolicited Medical Information
Section 41.30(c) discusses what to do if a lender requests general information in connection with evaluating eligibility for credit, and receives unsolicited “medical information” without specifically requesting it.
In Section 41.30(c)(3), the regulation gives three examples of how a creditor might (permissibly) receive unsolicited “medical information”:
(a) The creditor asks in a general way (in an application or verbally) about a consumer’s debts or expenses, and is told by the consumer that he owes a debt to a hospital.
(b) In talking with a loan officer, the consumer discloses that he has a particular medical condition. (For example, when a loan officer asks about the purpose of a loan, the loan officer says, “I need to have some surgery.” Or as the consumer is making a loan payment that is 15 days late, he tells the loan officer, “I hurt my back and I have been off work.”)
(c) A lender pulls a credit report in connection with a loan application, and receives “medical information” in the credit report without specifically requesting medical information.
In the examples just given, the creditor will not violate the regulation by receiving medical information that was not specifically requested. Instead the relevant question is, “What should or can a creditor do with unsolicited medical information, once it receives it?” (It’s hard for the bank to pretend that it never learned the unsolicited information; but it’s possible to avoid using the information in a manner unfair to the consumer.)
In Section 41.30(d) and (e)—discussed below–some narrow exceptions allow a creditor to deliberately obtain and use “medical information” concerning a consumer for limited purposes in evaluating the consumer’s eligibility, or continued eligibility, for credit. If a creditor would be allowed to directly solicit “medical information,” within the limited permitted purposes set out in Section 41.30(d) or (e), that creditor would also be entitled to use unsolicited “medical information” for the same permitted purposes. Stated from the opposite standpoint, if a creditor would not be permitted to deliberately obtain and use “medical information” for a particular purpose, then unsolicited “medical information” that is voluntarily provided to the creditor also cannot be used for that particular purpose—particularly if it’s to the consumer’s disadvantage.
5. Financial Information Exception
The “financial information exception” in Section 41.30(d) does allow a creditor to obtain and use “medical information” in connection with evaluating credit, if the creditor uses the obtained information only as if it were financial information that is not medically related. Three specific conditions must be met for the “financial information exception” to apply:
(i) The information (although medically related) falls into one of the categories routinely used in evaluating credit eligibility, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan;
(ii) The creditor uses the information to evaluate credit in a way no less favorable than it would use comparable, non-medical information; and
(iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis into account as part of any such determination.
6. Permitted Gathering of Financial Information
Section 41.30(d)(2) gives examples of types of information routinely used in making credit eligibility determinations (information that a creditor is permitted to obtain and use, although—as addressed by the regulation–this information also happens to be medically related):
“(A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts [the same information that a creditor would legitimately consider on a non-medical debt] to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit;
“(B) The value, condition, and lien status of a medical device that may serve as collateral to secure a loan [just as the creditor would consider similar factors on an item of non-medical collateral];
“(C) The dollar amount and continued eligibility for disability income [Social Security disability, private disability insurance, V.A. benefits, etc.], workers’ compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment [so that the creditor can verify the income, if the consumer lists this as income]; or
“(D) The identity of creditors to whom outstanding medical debts are owed [doctors, hospitals, medical labs, etc.] in connection with an application for credit, including but not limited to, a transaction involving the consolidation of medical debts.”
7. Proper Financial Use of Medical Information
In Section 41.30(d)(ii) the regulation gives three examples of how medical information could legitimately be used by a creditor, if treated the same as other financial information:
(A) If the consumer has a $20,000 medical bill that happens to be 90 days past due, the creditor can include the medical bill in total liabilities and evaluate the bill just like a $20,000 non-medical debt that is 90 days past due. (The past-due medical bill gets treated like non-medical debt in determining net worth, debt service capacity, and repayment history.)
(B) If the consumer applies for a $200,000 mortgage, and lists $15,000 in annual long-term disability income (with no other income), the creditor should fully consider the amount of income that the consumer lists (even though medically-related), but still will turn down the application because $15,000 of income, regardless of source, is not enough to support the requested loan.
(C) A consumer applying for a $10,000 home equity line discloses that he has a $50,000 debt to a medical facility specializing in cancer or some other potentially terminal disease. The creditor checks out the debt, verifies the amount, and determines that it is performing as agreed—which actually establishes good payment history. The consumer meets all of the creditor’s income requirements and other underwriting criteria, so the loan should be approved.
(In this case, the creditor must treat medical-related bills exactly like other financial debt. The creditor avoids forming conclusions about whether the consumer’s illness may be terminal, or whether the consumer will be able to continue to maintain the repayment schedule in the future if medical conditions get worse. Like any other loan, the creditor looks at credit history, and present net worth and income, but avoids speculating about future factors that haven’t happened yet. With respect to any borrower, many things could happen in the future to change his/her financial circumstances for the worse. The regulation simply prevents the creditor from focusing negatively on medical circumstances, pushing the analysis back instead onto standard legitimate financial indicators.)
8. Improper Use of Medical Information
Section 41.30(d) (2) (iii) is at the very heart of the regulation, listing examples of how a creditor cannot use medical information:
(A) A consumer applies for a $25,000 bank loan and lists a $50,000 debt to a hospital. The creditor contacts the hospital, verifying that the amount owed is correct and that the customer has made all payments as agreed. Although the bank would not turn down a similar loan applicant who has non-medical debt of $50,000, with similar payments and similar history, the creditor turns down the applicant because he owes money to a hospital. (The creditor has violated the regulation by using medical information incorrectly. The creditor cannot legally evaluate medically-related financial information more negatively than non-medically-related financial information.)
[Comment: A consumer who is actually strong enough financially to service a $50,000 hospital debt as agreed and to qualify financially for $25,000 of new debt is not likely to be treated unfavorably by a bank.]
(B) During the process of applying for a mortgage loan, the consumer tells the loan officer about a potentially terminal disease. Based on net worth, income and credit history, the consumer meets all of the creditor’s standard qualifications for the loan. However, the loan officer recommends, and the loan committee agrees, that the mortgage application should be turned down because of the potentially terminal disease. (This violates the regulation head-on. It is precisely what the regulation and the FACT Act are designed to prevent.)[Comment: If the bank offers 30-year mortgage loans and the customer applies for one, the possibility that the customer might not live very long because of a medical condition cannot be taken into account. The example is fairly extreme—and maybe unlikely–because a terminally ill consumer will usually not be thinking about buying a new home or taking out a new mortgage loan. A refinancing, however, might make some sense. For example, a consumer with substantial equity in a home might apply for a long-term mortgage to pay for needed surgery, or might want to consolidate debts to lower her total monthly payments, in light of rough times ahead.] [A person with life insurance might think it is logical to incur mortgage debt, with the thought that insurance will pay it off. Without any life insurance, a consumer normally would not be motivated to incur a large debt (secured by the equity in his home) in the midst of a major illness, because the house would almost certainly have to be sold to satisfy the loan after the consumer dies. If the consumer applies for unsecured debt in this situation, he might be turned down based on normal credit factors. So I’m not sure how many loans a bank will actually be required to make to consumers with a major illness, even after the regulation takes effect.] [Unless a person’s major illness occurs suddenly, his net worth, income and credit history may have already deteriorated before he seeks a mortgage loan, and these unfavorable trends could add up to a legitimate and proper “financial” reason for denying the consumer’s loan application, completely apart from the existence of a medical condition. At the opposite extreme, as suggested earlier, if the consumer’s net worth, sources of income and credit history are so strong that there is no basis to deny the loan, then perhaps the bank is fairly well protected anyway.] [The regulation applies to all credit evaluations of individuals, including “business purpose.” If the individual’s credit factors meet minimum standards, the bank cannot deny his application based on health. Possibly the value of an individual’s business will deteriorate strongly without him alive to operate it, but the bank cannot deny a loan related to his sole proprietorship based just on medical condition.]
(C) A consumer with an apparent medical condition (using a wheelchair or oxygen tank, for example) applies for a home equity loan, and qualifies. However, the loan officer recommends to the loan committee, and the loan committee agrees, that credit should not be extended (because of the medical condition) unless the consumer purchases credit insurance or debt-cancellation coverage in connection with the loan. Consumers without a medical condition typically would not be required to obtain such coverage. (The creditor has visually gathered medical information and has used that information improperly in evaluating credit.)[Even if the consumer is in a wheelchair, with such severe emphysema that he hardly can talk, the creditor cannot consider the medical condition in evaluating a credit application. Nor can the creditor impose special conditions (such as a requirement to obtain credit insurance) that would not apply to other applicants of similar credit quality. However, if the consumer’s medical condition has resulted in credit quality problems or diminished income, these financial results of a medical condition can properly be considered in evaluating eligibility for credit.]
9. Other Permitted Exceptions
Section 41.30(e) lists nine specific exceptions that allow a creditor to obtain and use medical information (in the particular narrow circumstances) in determining a consumer’s eligibility, or continued eligibility, for credit:
(i) To determine whether a power of attorney effective upon occurrence of a medical condition is now appropriate for use in connection with a credit transaction because the medical condition exists (or not);
(ii) To comply with requirements of law [for example, reporting suspected elder abuse related to a loan, or apparent fiduciary misconduct relating to a loan for the benefit of an incapacitated person];
(iii) In response to the consumer’s request, to determine whether the consumer qualifies for a special credit program or special assistance program (outlined in a written plan) that is designed to meet special needs of consumers with medical conditions [for example, a low-rate mortgage loan program, or a closing-cost waiver plan, for consumers with certain medical conditions];
(iv) To prevent or detect fraud;
(v) To determine and verify the medical purpose and use of proceeds of a loan intended to finance medical products or services;
(vi) At the consumer’s (or his legal representative’s) specific request (if documented by the creditor), to determine the consumer’s eligibility, or continued eligibility, for credit to accommodate the consumer’s particular medical-related circumstances;
(vii) To determine whether provisions of the lender’s special forbearance practice or program triggered by a medical condition or event would apply to a consumer;
(viii) To determine the consumer’s eligibility for, or the triggering of, a debt cancellation contract, if the applicable medical condition or event would be a triggering event for benefits under the contract; or
(ix) To determine the consumer’s eligibility for, or the triggering of, a credit insurance product, if the applicable medical condition or event would be a triggering event for provision of benefits under the contract.
Generally the exceptions listed above use medical information either (1) to help or protect the consumer in connection with credit, or (2) to protect the creditor’s legitimate non-medical concerns relating to credit.
10. Proper Use of Exceptions
In Section 41.30(e) (2)-(5), the regulation provides several examples of proper use of some of the “medical information” exceptions listed above:
(e)(2) Working through mortgage lenders, a non-profit organization subsidizes down payments for disabled veterans purchasing a home. The consumer wants to participate. The non-profit organization requires a creditor to obtain medical-related information to verify the consumer’s eligibility. The creditor then must forward this information to the organization. If there is no violation of fair lending laws, the creditor may obtain and use information about the consumer’s medical condition and disability in determining whether the consumer qualifies for the assistance program.
(e)(3)(i) To verify the medical purpose of a loan, or the use of proceeds, a creditor calls a surgeon to make sure that the consumer is a candidate for vision-correction surgery and that the cost will be equal to or greater than a $10,000 line of credit to be obtained for this purpose. If the surgeon reports that there will be no surgery, this is medical-related information that can properly be used to deny the credit application, because the stated use of proceeds is false.
(e)(3)(ii) If the consumer applies for a $10,000 loan for plastic surgery, the creditor is allowed to confirm the cost of the surgery. If the surgery will cost only $5,000, the bank may use this medical information to offer the consumer only $5,000 of credit.
(e)(4)(i) A loan applicant specifically asks the creditor to consider the consumer’s medical disability during a certain period as an explanation for adverse payment history in his credit report. The creditor may consider this medical information in evaluating the consumer’s willingness and ability to repay the requested loan. However, the creditor also may decide to use its normal underwriting criteria, ignoring the medical explanation. A creditor cannot then treat the consumer’s application less favorably than normal just because the consumer asked the creditor to specially consider the consumer’s medical history.[The fact that a consumer voluntarily reveals his medical history as an explanation of credit history (for example, a long battle with cancer) cannot then be turned against the consumer by the creditor as a reason for considering the consumer’s application less favorably.]
(e)(4)(ii) A consumer applies for a loan by telephone and explains that his income has been and will continue to be interrupted by a medical condition. He expects to repay the loan by liquidating assets, rather than from income. (The loan is to provide cash flow in the meanwhile.) Consistent with safety and soundness, the creditor may, but need not, evaluate the application using sale of assets as the primary source of repayment. In any event, the creditor should document for the file that the consumer asked the creditor to consider his medical condition in evaluating whether liquidation of assets is an appropriate primary method of repayment.
(e)(4)(iii) The creditor’s loan application has a section where the consumer can provide “any other information that you would like us to consider in evaluating your application.” If the consumer provides medical information in this space (such as “I was off work for three months with a broken hip”), the creditor may consider that medical information in connection with the application or may ignore it.
(e)(4)(iv) The consumer specifically requests that the creditor use medical information in determining the consumer’s eligibility for credit, and gives the creditor medical information for this purpose. If the creditor needs additional information concerning the consumer’s circumstances, the creditor then may request, obtain and use additional medical information, as necessary, (a) to verify the information that the consumer has provided, or (b) to determine whether to make an accommodation for the consumer. The consumer can always decide not to provide additional information, withdraw the request for special accommodation, and then be considered under the creditor’s normal underwriting criteria.
(e)(4)(v) If a consumer completes a credit application that is not for special medical-purpose credit, and the creditor’s standard form requests medical information from the consumer, or automatically authorizes the creditor to obtain medical information in connection with evaluating the consumer’s eligibility for credit, this is not a voluntary disclosure of medical information by the consumer, and does not authorize the creditor to use medical information in evaluating the consumer’s eligibility for credit.
(e)(5) A creditor has a program allowing consumers who will be hospitalized to defer payments as needed for up to three months, provided that the loan has been outstanding for more than a year and has not previously been in default. A consumer is hospitalized and does not make her payment for a particular month. In attempting to contact her, the creditor speaks with an adult child, who informs the creditor that the consumer is hospitalized and unable to pay the bill at this time. Based upon medical information provided by the child (who technically is not the mother’s legal representative), the creditor decides to defer payments for up to three months, without penalty. The mother did not specifically apply for or request forbearance (and may have been unable to do so). Nevertheless, a creditor can grant forbearance without request. Because the creditor obtained and used medical information to determine whether its medically-triggered forbearance program would apply, it has acted properly, within one of the regulation’s specific exceptions.
11. Limits on Re-disclosure
As provided in Section 41.31(b), if a creditor receives medical information about a consumer from a credit bureau or from an affiliate, the creditor must not disclose that information to any other person, except to carry out the purpose for which the medical information was first disclosed, or as permitted by law, regulation or court order.[For example, if the consumer’s loan file is properly subpoenaed in connection with a divorce case or a collection lawsuit, the creditor would be obligated to furnish a copy of the file, although it may include medical information. The FACT Act limits use of medical information in connection with evaluating eligibility for credit, but does not override laws enacted for other purposes.]
12. Affiliate Sharing
Section 603(d) (2) of the Fair Credit Reporting Act (15 U.S.C. Section 1681a (d) (2)) generally allows a bank or other company to share information with an affiliate, if the shared information relates only to transactions or experiences between the consumer and the entity sharing the information.
However, the new “medical information” regulation imposes a restriction on this previously-allowed sharing of information between affiliates, by prohibiting the creditor from automatically sharing with its affiliate (1) medical information, (2) a list or description of the consumer’s payment transactions relating to medical products or services, or (3) an aggregate list of customers who have payment transactions for medical products or services.
A creditor that has been in the habit of giving its transaction history with a consumer to affiliates will now need to be careful to remove any medically-related information before sharing the remaining information.
However, even this prohibition contains a few exceptions that allow sharing of medical information with affiliates in limited circumstances (as set out in Section 41.32(c):
(1) Sharing of medical information with the affiliate (relating only to the creditor’s own transactions or experiences with the consumer) in connection with the business of insurance of annuities (for example, in connection with the sale of credit insurance related to a loan, where the insurance application is taken through an affiliated insurance agency);
(2) Sharing medical information for any purpose permitted under the Federal Department of Human Services regulation issued to implement HIPAA;
(3) Sharing information for any purpose referred to in Section 1179 of HIPAA (42 U.S.C. Section 1320d-8), which relates to health care billing and health care payment processing activities, including the business of processing checks, electronic payments or card-based payments, some or all of which may be health insurance premiums or health care payments;
(4) For any purpose described in Section 502(e) of the Gramm-Leach-Bliley Act, which is similar to the list of disclosure exceptions included in the Privacy regulation, including among other provisions (1) “disclosure authorized by the consumer,” and (2) the “servicing exception” (doing what’s necessary to carry out or administer any transaction requested or authorized by the consumer);
(5) Sharing information as necessary in connection with a determination of the consumer’s eligibility for credit, consistent with Section 41.30 (discussed above); or
(6) As otherwise permitted by order of the regulatory agencies issuing this regulation.