Use of Personal Medical Data by Financial Institutions: Comments to the Federal Deposit Insurance Corporation

Advocacy Comments

Submitted to the Federal Deposit Insurance Corporation for FACTA
Fair Credit Reporting Proposed Rulemaking


Submitted May 24, 2004
by the Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B, San Diego, CA 92103


Robert E. Feldman, Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, D.C. 20429
Submitted by E-Mail:


RE: Fair Credit Reporting Medical Information Regulations - RIN 3064-AC81


Dear Mr. Feldman,


The Privacy Rights Clearinghouse1 (PRC) is pleased to join the Electronic Privacy Information Center (EPIC) and other consumer organizations in comments about proposed Fair Credit Reporting Act Medical Information Regulations. We wholeheartedly support the joint comments submitted.

In addition, we provide the following comments to highlight certain sections of the proposal that are central to consumer privacy interests.2

Our comments are directed specifically at the following aspects of the Medical Information Regulations, namely:

  1. Treatment of financial information that is related to medical debt.
  2. Voluntary disclosure by consumer of medical information.
  3. Consumer's request to use medical information.
  4. Consumer's consent to use medical information.
  5. Limits on affiliate sharing of medical information.
  6. Changes to the proposed regulations should be reopened for public comment.

When it comes to privacy, consumer expectations and fears are most elevated for sensitive data included in medical records. A major concern is potential secondary uses of medical information. For example, a consumer may understandably be concerned that a medical condition could adversely affect the ability to get a job or a mortgage. In recent amendments to the Fair Credit Reporting Act (FCRA), Congress acted to address the discriminatory use of medical information in credit transactions.

In particular, Congress, by enacting the Fair and Accurate Credit Transactions Act of 2003 (FACTA), restricted the use of medical data for credit in three ways:

  • Restricts consumer reports that contain medical information. (FACTA adds section 603(g)(1) to the FCRA.)
  • Prohibits creditors from obtaining and using medical information for credit determinations. (FACTA adds section 604(g)(2) to the FCRA.)
  • Restricts the sharing of medical information with affiliates. (FACTA adds section 603(d)(3) to the FCRA.)

Congress also directed the federal banking agencies and the National Credit Union Administration to prescribe regulations to determine when it is necessary and appropriate for creditors to obtain and use medical information to protect legitimate operational, transaction, risk, consumer, and other needs. (Section 604(g)(5)) Accordingly, the banking agencies and the NCUA have proposed these rules to effect the medical privacy provisions of FACTA.

The proposed rule generally prohibits creditors from obtaining and using medical information for deciding whether the consumer is eligible for credit. As directed by Congress, the proposed rule generally creates fairly narrow exceptions to this general prohibition where it is appropriate. We encourage the agencies to continue this framework. It meets Congressional intent to restrict the inappropriate use of medical information for making credit decisions.


1. Financial Information that Is Related to Medical Debt

The proposed rule generally prohibits a creditor from obtaining and using medical information for making decisions about a consumer's credit eligibility. The rule then makes an exception that allows creditors to obtain and use financial information that happens to be related to medical debts, expenses and income. Rule section §§____.30(c)-(d) establishes a reasonable three-part test for creditors.

First, the information must relate to debts, expenses, income, benefits, collateral, or the purpose of the loan. Second, the creditor must use the information no less favorably than comparable information that is not medical. Third, the creditor cannot take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.

We believe this section strikes a fair balance between a creditor's need to obtain and use financial information that may be medically related and the right of the consumer to obtain credit without discrimination based on medical factors. The rule as proposed allows the creditor all the information it needs to assess its risk, that is, whether the debt is likely to be repaid.

We largely support the rule's requirement that medical debt be treated the same as other debt, and urge the agencies to retain this standard in the final regulations.

However, we believe the examples given to illustrate use of medical information consistent with the rule should specifically state that the creditor's inquiry will be limited to the information necessary to process the application. Take the example where the consumer includes information about two $20,000 debts, one to a hospital and one to a retailer. In this example the "bank contacts the hospital and the retailer to verify the amount and payment status of the debt." ______30(c)(ii)(A). This should clearly state that the creditor's representative will make no inquiry beyond the amount and status of the debt to the hospital.

In theory the information disclosed by the hospital in the above example would be limited by the Health Insurance Portability and Accountability Act (HIPAA). However, the consumer's right to privacy under HIPAA becomes less protected if the information about the debt resides with a business associate of the hospital or even with a non-related collection agency. Thus, the rule should clearly place the burden of limiting the inquiry on the creditor. Any information disclosed voluntarily by a HIPAA covered entity, a covered entity's business associate or an entity not related to the hospital should be treated as we suggest for voluntary information disclosed by the consumer, that is, the information should be destroyed.

Similarly, the example used in _______30.(c)(ii)(B) should specify that the creditor should make no inquiry about the underlying condition that led to the consumer's long-term disability payment. In the example given, the consumer's $15,000 disability income did not qualify her for the mortgage for which she applied. In another situation, a consumer's disability payment could be a qualifying factor for another type of loan. In this case, the bank might want to verify the payment. The rule should clearly state that the bank could make no inquiry beyond the amount and term of the disability payment.


2. Voluntary Disclosure of Medical Information

The agencies propose a rule of construction for an instance where a creditor voluntarily receives medical information from the consumer. The agencies solicit comment on whether this should be included as an exception rather than a rule of construction. For the reasons stated in the joint comments, we believe an exception to the rule is more appropriate in this instance.

We also believe that the regulation should clearly state that the phrase "without specifically requesting medical information" means volunteered by the consumer without any pressure, prompting, or solicitation (whether direct or indirect) by the creditor. For example, a creditor could prompt a consumer to provide medical information by saying that "we are not allowed to ask you for medical information, but you can volunteer to provide it if you choose." This type of solicitation should be expressly prohibited.

In addition, the rule should specifically state that voluntary disclosures of medical information may not be used to determine a consumer's eligibility or continued eligibility for credit or to establish the terms upon which credit is offered. We also recommend adding a provision stating that unsolicited medical information should not be maintained and should be destroyed.


3. Consumer's Request to Use Medical Information

The proposed rule [section __.30(d)(1)(vi)] allows a creditor to obtain and use medical information if the consumer requests in writing that the creditor use specific medical information for a specific purpose in determining the consumer's eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances.

According to the banking agencies:

This exception is designed to accommodate the particular medical condition or circumstances of the individual consumer and is not intended to allow creditors to obtain consent on a routine basis or as part of loan applications or documentation. This exception would not be met by a form that contains a pre-printed description of various types of medical information and the uses to which it might be put. Instead, it contemplates an individualized process in which the consumer informs the creditor about the specific medical information that the consumer would like the creditor to use and for what purpose.

We support the banking agencies' stated approach which protects consumers' medical information from inappropriate uses, as directed by Congress. This approach ensures that the request to use medical information is voluntary and is initiated by the consumer. However, this intent is not expressly included in the text of the proposed rule. Proposed section __.30(d)(1)(vi) should be amended to expressly state that creditors may not request or require consent under this provision on a routine basis or as part of a loan application.


4. Consumer's Consent to Use Medical Information

The agencies seek comment on whether proposed rule §_____30.(d)(1)(vii) should -- in addition to allowing creditors to obtain and use medical information at the consumer's request -- allow creditors to request that a consumer consent to the specific use of the consumer's medical information.

The PRC is opposed to any provision in the Medical Information Regulations that would allow creditors to request consumer consent for use of medical information. If creditors are allowed this choice, consumers in all likelihood will view consent as a condition of obtaining credit or continuing to use existing credit.

The regulations as proposed include the elements necessary to protect a creditor's legitimate operational, transactional and risk determinations. The authority of creditors to make additional inquiries of consumers by requesting consent would simply erode the intent of Congress to protect consumers against unfair and discriminatory credit decisions based upon medical information.


5. Limits on Affiliate Sharing

The FACT Act adds a new section to the FCRA which restricts the sharing of medical-related information with affiliates if that information otherwise meets the FCRA definition of "consumer report." Generally, certain information (such as transaction or experience information) that is shared among affiliates is not considered to be a consumer report under the FCRA.

The new section provides, however, that if this information is medical-related information, the affiliate-sharing exception will not apply and the information will be considered to be a consumer report. Medical-related information includes medical information, as defined in the FACT Act, as well as other lists based on payment transactions for medical products and services.

The new section also provides several specific exceptions that allow creditors to disclose medical information to affiliates according to the same rules that apply to other non-medical information. The section also permits the federal banking agencies to determine, by order or regulation, that other exceptions are necessary and appropriate. In addition to statutory exceptions that permit affiliate sharing of medical information, the agencies have proposed section __.31(b)(5), which would allow creditors to share with affiliates medical-related information in connection with a determination of the consumer's eligibility for credit consistent with proposed section __.30. There is no explanation as to why the agencies believe this proposed exception is necessary and appropriate.

We believe that the proposed approach is overbroad, and appears inconsistent with the specific conditions imposed in other provisions of the proposed rule and FACTA. Proposed section __.31(b)(5) should be deleted. If retained, at a minimum it should be amended to state that the exception does not apply to the extent that the creditor has obtained medical information in a credit report furnished in accordance with 604(g)(1)(B) of FCRA or pursuant to a consumer's request.

Furthermore, any exceptions adopted should be accomplished through public rulemaking rather than agency order.


6. Additional Comment Period May Be Required

The banking agencies seek comment on whether, in the final rule, they should create any additional or different exceptions to the general prohibition against obtaining and using medical information for making decisions about a consumer's credit eligibility. We believe the proposed rule is sufficient to protect legitimate operational, transactional, risk and other needs consistent with Congressional intent while protecting the consumer's private medical information.

In Congressional hearings leading up to the passage of the FACTA, representatives of the industry repeatedly took the position that banks did not request and did not use medical information for consumer credit purposes. There was no substantive discussion of when the use of medical information for consumer credit decisions might be appropriate and necessary.

Thus, consumers entered this rulemaking procedure with little knowledge of when banks actually use medical information in making credit decisions and whether such use might be appropriate. If the financial industry requests exceptions for additional or different practices during the comment period, it is only fair that consumers be given the opportunity to comment on whether these new exceptions are necessary and appropriate prior to the rule's becoming final.

We believe the agencies are correct in requiring creditors to treat medical debt like any other debt. At the same time, we agree with provisions in the proposed rule that prohibit a creditor from discriminating against the consumer based on their underlying medical condition, treatment, or prognosis. As we discuss in Section A, we believe the intent of the rule to treat medical debt or income such as disability payments the same as other financial factors will be more forceful if the examples given specifically limit the inquiry allowed.

Furthermore, we strongly oppose any amendments to the final rule that would allow creditors to request consumer consent for use of medical information. Any additional exceptions in the final rule that would alter these fundamental principles should be open for public comment.

Last, the agencies should publish detailed guidance for financial institutions about the use of medical information in extending, continuing to extend, or setting the terms of credit. This should include mandatory training for all bank or other financial institution employees as well as training up the supervisory chain. The banking agencies and the NCUA should also institute comprehensive oversight programs to ensure compliance.

Again, the PRC appreciates the opportunity to provide comments on the proposed medical information rules. We also fully support the more extensive comments submitted jointly by the other consumer-oriented organizations, among them EPIC, representing consumer and privacy interests.



Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse


1 The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers' interests in legislative and regulatory proceedings on the state and federal

The PRC submits these comments only to the FDIC with the understanding that our comments will be shared among all the agencies that are party to this rulemaking.

2 The proposed Medical Information Regulations were issued jointly by the Office of Comptroller of the Currency; Board of Governors of the Federal Reserve; Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision; and National Credit Union Administration.