HIPAA news
HIPAA advisory
HIPAAdvisory > HIPAAnews Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

New Consumer Credit Law Protects Medical Information

The Fair and Accurate Credit Transactions (FACT) Act, signed by President Bush on December 4, 2003 (Public Law 108-159), establishes medical privacy provisions as part of consumer credit law. The bill amends the Fair Credit Reporting Act (FCRA) to include improved medical privacy protections, in addition to new protections against identity theft. Credit bureaus and creditors will have to comply with a number of medical privacy restrictions that ban the sharing of medical information. Title IV of the FACT Act limits the use and sharing of medical information in the financial system and provides an updated and more expansive definition of medical information.

The legislation prohibits the furnishing of consumer reports that contain medical information about a consumers, unless the consumer affirmatively consents to the furnishing of the report in the case of an insurance transaction, or the consumer provides specific written consent in the case of the an employment or credit transaction. The legislation also prohibits creditors from obtaining or using medical information in connection with any determination of the consumer's eligibility, or continued eligibility, for credit.

Section 411 under Title IV of the Act:

  • Revises the requirement for specific affirmative consumer consent (opt-in) regarding the use and sharing of medical information by consumer reporting agencies for employment or insurance purposes.
  • States that medical information shall not be excluded from credit reports shared among affiliates unless it is prohibited by this title.
  • Directs the Federal banking agencies and the NCUA to prescribe regulations limiting the use of such medical information.

Section 412 under Title IV of the Act:

  • Requires information furnishers whose primary business is providing medical services, products, or devices to notify any credit reporting agency to which they furnish consumer information that they are medical information furnishers, for purposes of compliance with medical information coding requirements.
  • Prohibits a consumer reporting agency from including in any consumer report the name, address, and telephone number of any medical information furnisher except in code, unless the report is provided to an insurance company for other than property and casualty insurance purposes.
  • Requires the FTC, if a furnisher of information fails to comply with requirements for the coding of trade names, to take action, including issuance of guidelines, to ensure the furnisher's compliance with such requirements.

The regulation text of Title IV of the FACT Act follows:

HR 2622

Fair and Accurate Credit Transactions Act of 2003 (Enrolled as Agreed to or Passed by Both House and Senate)

TITLE IV--LIMITING THE USE AND SHARING OF MEDICAL INFORMATION IN THE FINANCIAL SYSTEM

SEC. 411. PROTECTION OF MEDICAL INFORMATION IN THE FINANCIAL SYSTEM.

    (a) IN GENERAL- Section 604(g) of the Fair Credit Reporting Act (15 U.S.C. 1681b(g)) is amended to read as follows:
    `(g) PROTECTION OF MEDICAL INFORMATION-
      `(1) LIMITATION ON CONSUMER REPORTING AGENCIES- A consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information about a consumer, unless--
        `(A) if furnished in connection with an insurance transaction, the consumer affirmatively consents to the furnishing of the report;
        `(B) if furnished for employment purposes or in connection with a credit transaction--
          `(i) the information to be furnished is relevant to process or effect the employment or credit transaction; and
          `(ii) the consumer provides specific written consent for the furnishing of the report that describes in clear and conspicuous language the use for which the information will be furnished; or
        `(C) the information to be furnished pertains solely to transactions, accounts, or balances relating to debts arising from the receipt of medical services, products, or devises, where such information, other than account status or amounts, is restricted or reported using codes that do not identify, or do not provide information sufficient to infer, the specific provider or the nature of such services, products, or devices, as provided in section 605(a)(6).
      `(2) LIMITATION ON CREDITORS- Except as permitted pursuant to paragraph (3)(C) or regulations prescribed under paragraph (5)(A), a creditor shall not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit.
      `(3) ACTIONS AUTHORIZED BY FEDERAL LAW, INSURANCE ACTIVITIES AND REGULATORY DETERMINATIONS- Section 603(d)(3) shall not be construed so as to treat information or any communication of information as a consumer report if the information or communication is disclosed--
        `(A) in connection with the business of insurance or annuities, including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners (as in effect on January 1, 2003);
        `(B) for any purpose permitted without authorization under the Standards for Individually Identifiable Health Information promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996, or referred to under section 1179 of such Act, or described in section 502(e) of Public Law 106-102; or
        `(C) as otherwise determined to be necessary and appropriate, by regulation or order and subject to paragraph (6), by the Commission, any Federal banking agency or the National Credit Union Administration (with respect to any financial institution subject to the jurisdiction of such agency or Administration under paragraph (1), (2), or (3) of section 621(b), or the applicable State insurance authority (with respect to any person engaged in providing insurance or annuities).
      `(4) LIMITATION ON REDISCLOSURE OF MEDICAL INFORMATION- Any person that receives medical information pursuant to paragraph (1) or (3) shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.
      `(5) REGULATIONS AND EFFECTIVE DATE FOR PARAGRAPH (2)-
        `(A) REGULATIONS REQUIRED- Each Federal banking agency and the National Credit Union Administration shall, subject to paragraph (6) and after notice and opportunity for comment, prescribe regulations that permit transactions under paragraph (2) that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (and which shall include permitting actions necessary for administrative verification purposes), consistent with the intent of paragraph (2) to restrict the use of medical information for inappropriate purposes.
        `(B) FINAL REGULATIONS REQUIRED- The Federal banking agencies and the National Credit Union Administration shall issue the regulations required under subparagraph (A) in final form before the end of the 6-month period beginning on the date of enactment of the Fair and Accurate Credit Transactions Act of 2003.
      `(6) COORDINATION WITH OTHER LAWS- No provision of this subsection shall be construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality.'.
    (b) RESTRICTION ON SHARING OF MEDICAL INFORMATION- Section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)) is amended--
      (1) in paragraph (2), by striking `The term' and inserting `Except as provided in paragraph (3), the term'; and
      (2) by adding at the end the following new paragraph:
      `(3) RESTRICTION ON SHARING OF MEDICAL INFORMATION- Except for information or any communication of information disclosed as provided in section 604(g)(3), the exclusions in paragraph (2) shall not apply with respect to information disclosed to any person related by common ownership or affiliated by corporate control, if the information is--
        `(A) medical information;
        `(B) an individualized list or description based on the payment transactions of the consumer for medical products or services; or
        `(C) an aggregate list of identified consumers based on payment transactions for medical products or services.'.
    (c) DEFINITION- Section 603(i) of the Fair Credit Reporting Act (15 U.S.C. 1681a(i)) is amended to read as follows:
    `(i) MEDICAL INFORMATION- The term `medical information'--
      `(1) means information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to--
        `(A) the past, present, or future physical, mental, or behavioral health or condition of an individual;
        `(B) the provision of health care to an individual; or
        `(C) the payment for the provision of health care to an individual.
      `(2) does not include the age or gender of a consumer, demographic information about the consumer, including a consumer's residence address or e-mail address, or any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy.'.
    (d) EFFECTIVE DATES- This section shall take effect at the end of the 180-day period beginning on the date of enactment of this Act, except that paragraph (2) of section 604(g) of the Fair Credit Reporting Act (as amended by subsection (a) of this section) shall take effect on the later of--
      (1) the end of the 90-day period beginning on the date on which the regulations required under paragraph (5)(B) of such section 604(g) are issued in final form; or
      (2) the date specified in the regulations referred to in paragraph (1).

SEC. 412. CONFIDENTIALITY OF MEDICAL CONTACT INFORMATION IN CONSUMER REPORTS.

    (a) DUTIES OF MEDICAL INFORMATION FURNISHERS- Section 623(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s-2(a)), as amended by this Act, is amended by adding at the end the following:
      `(9) DUTY TO PROVIDE NOTICE OF STATUS AS MEDICAL INFORMATION FURNISHER- A person whose primary business is providing medical services, products, or devices, or the person's agent or assignee, who furnishes information to a consumer reporting agency on a consumer shall be considered a medical information furnisher for purposes of this title, and shall notify the agency of such status.'.
    (b) RESTRICTION OF DISSEMINATION OF MEDICAL CONTACT INFORMATION- Section 605(a) of the Fair Credit Reporting Act (15 U.S.C. 1681c(a)) is amended by adding at the end the following:
      `(6) The name, address, and telephone number of any medical information furnisher that has notified the agency of its status, unless--
        `(A) such name, address, and telephone number are restricted or reported using codes that do not identify, or provide information sufficient to infer, the specific provider or the nature of such services, products, or devices to a person other than the consumer; or
        `(B) the report is being provided to an insurance company for a purpose relating to engaging in the business of insurance other than property and casualty insurance.'.
    (c) NO EXCEPTIONS ALLOWED FOR DOLLAR AMOUNTS- Section 605(b) of the Fair Credit Reporting Act (15 U.S.C. 1681c(b)) is amended by striking `The provisions of subsection (a)' and inserting `The provisions of paragraphs (1) through (5) of subsection (a)'.
    (d) COORDINATION WITH OTHER LAWS- No provision of any amendment made by this section shall be construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality.
    (e) FTC REGULATION OF CODING OF TRADE NAMES- Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s), as amended by this Act, is amended by adding at the end the following:
    `(g) FTC REGULATION OF CODING OF TRADE NAMES- If the Commission determines that a person described in paragraph (9) of section 623(a) has not met the requirements of such paragraph, the Commission shall take action to ensure the person's compliance with such paragraph, which may include issuing model guidance or prescribing reasonable policies and procedures, as necessary to ensure that such person complies with such paragraph.'.
    (f) TECHNICAL AND CONFORMING AMENDMENTS- Section 604(g) of the Fair Credit Reporting Act (15 U.S.C. 1681b(g)), as amended by section 411 of this Act, is amended--
      (1) in paragraph (1), by inserting `(other than medical contact information treated in the manner required under section 605(a)(6))' after `a consumer report that contains medical information'; and
      (2) in paragraph (2), by inserting `(other than medical information treated in the manner required under section 605(a)(6))' after `a creditor shall not obtain or use medical information'.

    (g) EFFECTIVE DATE- The amendments made by this section shall take effect at the end of the 15-month period beginning on the date of enactment of this Act.

Go to TOP