[Federal Register Volume 69, Number 82 (Wednesday, April 28, 2004)]
[Proposed Rules]
[Pages 23380-23407]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-9526]



-----------------------------------------------------------------------

Part V

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Part 41

Office of Thrift Supervision

12 CFR Part 571

-----------------------------------------------------------------------

Federal Reserve System

12 CFR Part 222

-----------------------------------------------------------------------

Federal Deposit Insurance Corporation

12 CFR Part 334

-----------------------------------------------------------------------

National Credit Union Administration

12 CFR Part 717

-----------------------------------------------------------------------

Fair Credit Reporting Medical Information Regulations; Proposed Rule



-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 41

[Docket No. 04-09]
RIN 1557-AC85

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Regulation V; Docket No. R-1188]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 334

RIN 3064-AC81

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 571

[No. 2004-16]
RIN 1550-AB88

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 717


Fair Credit Reporting Medical Information Regulations

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing 
for comment proposed regulations implementing section 411 of the Fair 
and Accurate Credit Transactions Act of 2003 (FACT Act). Public Law 
108-159, 117 Stat. 1952. The FACT Act substantially amends the Fair 
Credit Reporting Act (FCRA or Act), 15 U.S.C. 1681 et seq. Section 
411(a) of the FACT Act adds a new section 603(g)(1) to the FCRA to 
restrict the circumstances under which consumer reporting agencies may 
furnish consumer reports that contain medical information about 
consumers. Section 411(a) of the FACT Act also adds a new section 
604(g)(2) to the FCRA to prohibit creditors from obtaining or using 
medical information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit. The Agencies are required to prescribe regulations that 
permit creditors to obtain or use medical information for eligibility 
purposes where necessary and appropriate to protect legitimate 
operational, transactional, risk, consumer, and other needs, consistent 
with the Congressional intent to restrict the use of medical 
information for inappropriate purposes.
    In addition, section 411(b) of the FACT Act adds a new section 
603(d)(3) to the FCRA to restrict the sharing of medical information 
and related lists or descriptions with affiliates. Specifically, 
section 603(d)(3) provides that the standard exclusions from the 
definition of ``consumer report'' contained in section 603(d)(2)--such 
as sharing transaction or experience information about a consumer among 
affiliates or sharing other information among affiliates after 
providing the consumer notice and an opportunity to opt-out--do not 
apply if medical-related information is disclosed to an affiliate. 
Medical-related information includes medical information, an 
individualized list or description based on payment transactions for 
medical products or services, or an aggregate list of identified 
consumers based on payment transactions for medical products or 
services. The provisions of section 603(d)(3) do not apply if the 
sharing falls within certain exceptions, such as in connection with the 
business of insurance or annuities or for any purpose described in 
section 502(e) of the Gramm-Leach-Bliley Act (GLB Act), Public Law 106-
102. Section 411(b) authorizes the Agencies to promulgate additional 
exceptions by regulation or order, as determined by the Agencies to be 
appropriate or necessary.
    The Agencies generally provide a 60-day period for the public to 
comment on the burdens associated with proposed rules. In this case, 
however, the Agencies believe that a 30-day comment period is 
appropriate because the statute was enacted in December 2003 and 
imposes a statutory deadline for the final rule of June 4, 2004.

DATES: Comments must be received by May 28, 2004.

ADDRESSES: Comments should be directed to:
    OCC: You should designate OCC in your comment and include Docket 
Number 04-09. Because paper mail in the Washington, DC, area and at the 
OCC may be subject to delays, please submit your comments by e-mail or 
fax whenever possible. You may submit comments by any of the following 
methods:
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
     OCC Web site: http://www.occ.treas.gov. Click on 
``Contact the OCC,'' scroll down and click on ``Comments on proposed 
regulations.''
     E-mail address: [email protected].
     Fax: (202) 874-4448.
     Mail: Office of the Comptroller of the Currency, 
250 E Street, SW., Public Information Room, Mail Stop 1-5, Washington, 
DC 20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: 
Public Information Room, Mail Stop 1-5, Washington, DC 20219.
    Instructions: All submissions received must include the agency name 
(OCC) and docket number or Regulatory Information Number (RIN) for this 
notice of proposed rulemaking. In general, the OCC will enter all 
comments received into the docket without change, including any 
business or personal information that you provide.
     Docket: For access to the docket to read 
background documents or comments received you may:
     View docket information in person: You may 
personally inspect and photocopy docket information at the OCC's Public 
Information Room, 250 E Street, SW., Washington, DC. You can make an 
appointment to inspect the docket by calling (202) 874-5043.
     View docket information electronically: You may 
request that we send electronic copies of docket information to you via 
e-mail or mail you a CD-ROM containing electronic copies by contacting 
the OCC at [email protected].
     Request copies: You may request copies of docket 
information by fax at (202) 874-4448, mailing the OCC at 250 E Street, 
SW., Attn: Public Information Room, Mail Stop 1-5, Washington, DC 
20219, or by contacting us at (202) 874-5043.
    Board: You may submit comments, identified by Docket No. R-1188, by 
any of the following methods:
     Agency Web site: http://www.federalreserve.gov. 
Follow the instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
     E-mail: [email protected]. 
Include docket number in the subject line of the message.
     Fax: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of 
Governors of the Federal Reserve System, 20th Street and Constitution 
Avenue, NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
except as necessary for technical reasons. Accordingly, your comments 
will not be edited to remove any identifying or contact information. 
Public comments may also be viewed electronically or on paper in Room 
MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 
9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments, identified by RIN number by any of 
the following methods:
     Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html. Follow instructions for 
submitting comments on the Agency Web site.
     E-Mail: [email protected]. Include the RIN 
number in the subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, 
Attention: Comments, Federal Deposit Insurance Corporation, 550 17th 
Street, NW., Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear 
of the 550 17th Street Building (located on F Street) on business days 
between 7 a.m. and 5 p.m.
     Instructions: All submissions received must 
include the agency name and RIN for this rulemaking. All comments 
received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html including any personal 
information provided.
    OTS: You may submit comments, identified by docket number 2004-16, 
by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
     E-mail address: [email protected]. 
Please include docket number 2004-16 in the subject line of the message 
and include your name and telephone number in the message.
     Fax: (202) 906-6518.
     Mail: Regulation Comments, Chief Counsel's 
Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, 
DC 20552, Attention: No. 2004-xx.
     Hand Delivery/Courier: Guard's Desk, East Lobby 
Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, 
Attention: Regulation Comments, Chief Counsel's Office, Attention: No. 
2004-xx.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this 
rulemaking. All comments received will be posted without change to the 
OTS Internet site at www.ots.treas.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments 
at the Public Reading Room, 1700 G Street, NW., by appointment. To make 
an appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.
    NCUA: You may submit comments by any of the following methods 
(Please send comments by one method only):
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
     NCUA Web site: http://www.ncua.gov/news/proposed_regs/proposed_regs.html. Follow the instructions for 
submitting comments.
     E-mail: Address to [email protected]. Include 
``[Your name] Comments on Proposed Rule Part 717, Fair Credit 
Reporting--Medical Information'' in the e-mail subject line.
     Fax: (703) 518-6319. Use the subject line 
described above for e-mail.
     Mail: Address to Becky Baker, Secretary of the 
Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.
     Hand Delivery/Courier: Becky Baker, Secretary of 
the Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.

FOR FURTHER INFORMATION CONTACT:
    OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael 
Bylsma, Director, or Stephen Van Meter, Assistant Director, Community 
and Consumer Law, (202) 874-5750; Patrick T. Tierney, Attorney, 
Legislative and Regulatory Activities Division, (202) 874-5090; or 
Carol Turner, Compliance Specialist, Compliance Department, (202) 874-
4858, Office of the Comptroller of the Currency, 250 E Street, SW., 
Washington, DC 20219.
    Board: David A. Stein, Counsel; Minh-Duc T. Le, Ky Tran-Trong, or 
Krista P. DeLargy, Senior Attorneys, Division of Consumer and Community 
Affairs, (202) 452-3667 or (202) 452-2412; or Andrew Miller, Counsel, 
Legal Division, (202) 452-3428, Board of Governors of the Federal 
Reserve System, 20th and C Streets, NW., Washington, DC 20551.
    FDIC: Robert A. Patrick, Counsel, (202) 898-3757, or Richard M. 
Schwartz, Counsel, Legal Division, (202) 898-7424; David LaFleur, 
Policy Analyst, (202) 898-6569, or Patricia Cashman, Senior Policy 
Analyst, Division of Supervision and Consumer Protection, (202) 898-
6534, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    OTS: Elizabeth Baltierra, Program Analyst (Compliance), Compliance 
Policy, (202) 906-6540; Richard Bennett, Counsel (Banking and Finance), 
(202) 906-7409; or Paul Robin, Special Counsel, Regulations and 
Legislation Division, (202) 906-6648, Office of Thrift Supervision, 
1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, 
(703) 518-6540, National Credit Union Administration, 1775 Duke Street, 
Alexandria, VA 22314-3428.

SUPPLEMENTARY INFORMATION:

I. Background

    On December 4, 2003, the President signed into law the FACT Act, 
which amends the FCRA. Public Law 108-159, 117 Stat. 1952. In general, 
the FACT Act contains provisions designed to enhance the ability of 
consumers to combat identity theft, increase the accuracy of consumer 
reports, and allow consumers to exercise greater control regarding the 
type and amount of marketing solicitations they receive. Section 411 of 
the FACT Act limits the ability of creditors to obtain or use, of 
consumer reporting agencies to disclose, and of affiliates to share 
medical information.
    Section 411(a) of the FACT Act adds a new section 604(g)(1) to the 
FCRA to restrict the circumstances under which consumer reporting 
agencies may furnish consumer reports that contain medical information 
about consumers. Specifically, under new section 604(g)(1), a consumer 
reporting agency may not furnish a consumer report that contains 
medical information about a consumer unless:
    (1) The report is furnished in connection with an insurance 
transaction, and the consumer affirmatively consents to the furnishing 
of the report;
    (2) The report is furnished for employment purposes or in 
connection with a credit transaction, the information to be furnished 
is relevant to process or effect the employment or credit transaction, 
and the consumer provides specific written consent for the furnishing 
of the report that describes in clear and conspicuous language the use 
for which the information will be furnished; or
    (3) The information to be furnished pertains solely to 
transactions, accounts, or balances relating to debts arising from the 
receipt of medical services, products, or devices, where such 
information, other than account status or amounts, is restricted or 
reported using codes that do not identify, or do not provide 
information sufficient to infer, the specific provider or the nature of 
such services, products, or devices.
    Section 411(c) of the FACT Act revises the definition of ``medical 
information'' in section 603(i) to mean information or data, whether 
oral or recorded, in any form or medium, created by or derived from a 
health care provider or the consumer, that relates to the past, 
present, or future physical, mental, or behavioral health or condition 
of an individual, the provision of health care to an individual, or the 
payment for the provision of health care to an individual. The 
definition further provides that the term ``medical information'' does 
not include the age or gender of a consumer, demographic information 
about the consumer, including a consumer's residence address or e-mail 
address, or any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    Section 411(a) also amends the FCRA by adding new section 604(g)(2) 
to prohibit creditors from obtaining or using medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit. Section 
604(g)(2) contains two independent prohibitions--a prohibition on 
obtaining medical information and a prohibition on using medical 
information. The statute contains no prohibition, however, on obtaining 
or using medical information other than in connection with a 
determination of the consumer's eligibility, or continued eligibility, 
for credit. Thus, section 604(g)(2) does not prohibit a creditor from 
obtaining medical information for employment purposes, in connection 
with a determination of a consumer's eligibility for an insurance 
product or through processing payments for a consumer, maintaining a 
consumer's account, or performing similar functions. Nevertheless, a 
creditor that obtains medical information in these circumstances may 
not use that information in connection with a determination of the 
consumer's eligibility, or continued eligibility, for credit. For 
example, medical information about a consumer obtained and used by a 
creditor for employment purposes may not subsequently be used in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit. New section 604(g)(5)(A) requires 
the Agencies to prescribe regulations that permit transactions that are 
determined to be necessary and appropriate to protect legitimate 
operational, transactional, risk, consumer, and other needs (including 
administrative verification purposes), consistent with congressional 
intent to restrict the use of medical information for inappropriate 
purposes.
    Section 411(b) of the FACT Act adds a new section 603(d)(3) to the 
FCRA to restrict the sharing of medical-related information with 
affiliates if that information meets the definition of ``consumer 
report'' in section 603(d)(1) of the FCRA. Specifically, section 
603(d)(3) provides that the standard exclusions from the definition of 
``consumer report'' contained in section 603(d)(2)--such as sharing 
transaction or experience information among affiliates or sharing other 
eligibility information among affiliates after notice and an 
opportunity to opt-out--do not apply if medical-related information is 
disclosed to an affiliate. Medical-related information includes medical 
information, as described above, as well as an individualized list or 
description based on payment transactions for medical products or 
services, and an aggregate list of identified consumers based on 
payment transactions for medical products or services.
    New section 604(g)(3) provides several exceptions that allow 
creditors to disclose medical information to affiliates according to 
the same rules that apply to other non-medical information. In 
particular, section 604(g)(3) provides that medical-related information 
that is transaction or experience information or that is subject to the 
FCRA affiliate sharing opt-out provisions or other standard exclusions 
in section 603(d)(2) may be shared with an affiliate of the creditor if 
the information is disclosed to an affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
Standards for Individually Identifiable Health Information promulgated 
by the Department of Health and Human Services (HHS) pursuant to the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA);
    (3) For any purpose referred to under section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act; or
    (5) As otherwise determined to be necessary and appropriate, by 
regulation or order, by the Federal Trade Commission (FTC), the 
Agencies, or an applicable State insurance authority.
    Section 604(g)(4), as added by section 411(a)(4) of the FACT Act, 
also provides that any person that receives medical information from an 
affiliate pursuant to an exception in section 604(g)(3) or from a 
consumer reporting agency under section 604(g)(1) must not disclose 
such information to any other person, except as necessary to carry out 
the purpose for which the information was initially disclosed, or as 
otherwise permitted by statute, regulation, or order.

II. Proposed Rule

    The rule proposed by the Agencies would do two things. First, the 
proposed regulations would create exceptions to the general prohibition 
against obtaining or using medical information in connection with 
credit eligibility determinations, as required by section 604(g)(5)(A). 
The Agencies believe the proposed exceptions are necessary and 
appropriate to protect legitimate operational, transactional, risk, 
consumer, and other needs (including administrative verification 
purposes), and are consistent with the congressional intent to restrict 
the use of medical information for inappropriate purposes. Second, the 
proposed regulations would, as permitted by section 604(g)(3)(C), 
create additional exceptions to the special restrictions in section 
603(d)(3) on sharing medical-related information with affiliates that 
the Agencies believe are necessary and appropriate. The proposed 
regulations are discussed in more detail in the Section-by-Section 
Analysis below. The Agencies invite comment on all aspects of the 
proposal.

III. Section-by-Section Analysis

Section ----.1 Purpose, Scope, and Effective Dates

    Proposed Sec.  ----.1(b)(2) describes the institutions covered by 
the provisions of the regulations of each of the respective Agencies.

Section ----.2 Examples

    Proposed Sec.  ----.2 discusses the scope and effect of the 
examples included in the proposed regulation.

Section ----.3 Definitions

    Proposed Sec.  ----.3 contains definitions for the terms 
``affiliate'' (as well as the related terms ``company'' and 
``control''), ``consumer,'' ``medical information,'' and ``you.''
Affiliate
    Several FCRA provisions apply to information sharing with persons 
``related by common ownership or affiliated by corporate control,'' 
``related by common ownership or affiliated by common corporate 
control,'' or ``affiliated by common ownership or common corporate 
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). 
Section 2 of the FACT Act defines the term ``affiliate'' to mean 
persons that are related by common ownership or affiliated by corporate 
control. Proposed paragraph (b) simplifies these various formulations 
by defining ``affiliate'' to mean any company that controls, is 
controlled by, or is under common control with another company. The 
proposed definition is identical to the definition of ``affiliate'' in 
the GLB Act privacy regulations.\1\ Consistent with the definitions in 
the privacy regulations and the practical application of the FCRA, the 
proposal uses a definition of ``control'' that applies exclusively to 
the control of a ``company,'' and defines ``company'' to include any 
corporation, limited liability company, business trust, general or 
limited partnership, association, or similar organization. See proposed 
paragraphs (d) (``company'') and (i) (``control'').\2\ The definition 
of ``company'' omits some entities that are ``persons'' under the 
FCRA--individuals, estates, cooperatives, governments, and government 
in which ``control'' could be exercised over individuals, government 
agencies, and other persons that do not fit within the definition of 
``company.''
---------------------------------------------------------------------------

    \1\ For purposes of the proposed regulation, an ``affiliate'' 
includes an operating subsidiary of a bank or savings association, 
and a credit union service organization that is controlled by a 
federal credit union.
    \2\ For purposes of the proposed regulation, NCUA will presume a 
federal credit union has a controlling influence over the management 
or policies of a credit union service organization if it is 67 
percent owned by credit unions.
---------------------------------------------------------------------------

Medical Information
    Under proposed paragraph (k), the term ``medical information'' 
means information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to (1) the past, present, or future physical, 
mental, or behavioral health or condition of an individual; (2) the 
provision of health care to an individual; or (3) the payment for the 
provision of health care to an individual. The term ``medical 
information'' does not include the age or gender of a consumer, 
demographic information about the consumer, including a consumer's 
residence address or e-mail address, or any other information about a 
consumer that does not relate to the physical, mental, or behavioral 
health or condition of a consumer, including the existence or value of 
any insurance policy. The proposal tracks the statutory definition of 
``medical information.''
    Creditors are reminded that other laws, such as the Americans with 
Disabilities Act, the Fair Housing Act, the GLB Act, and other parts of 
the FCRA, may limit or regulate the use, collection, and sharing of 
consumer information, including medical information. In particular, 
these and other laws, such as the Equal Credit Opportunity Act, also 
may prohibit creditors from using certain information that is excluded 
from the restrictions on obtaining or using medical information, such 
as age or gender information, in determining eligibility for credit or 
for other purposes.

Section ----.30 Obtaining and Using Medical Information in Connection 
With a Determination of Eligibility for Credit

    Section 411(a) of the FACT Act adds a broad new limitation on the 
ability of creditors to obtain medical information in connection with 
credit eligibility determinations or to use medical information in 
connection with credit eligibility determinations. Specifically, new 
section 604(g)(2) provides that, except as permitted by regulations, a 
creditor shall not obtain or use medical information pertaining to a 
consumer in connection with any determination of the consumer's 
eligibility, or continued eligibility, for credit.
A. General Prohibition on Obtaining or Using Medical Information
    Proposed Sec.  ----.30 contains the rules on obtaining or using 
medical information in connection with a determination of a consumer's 
eligibility, or continued eligibility, for credit. Proposed paragraph 
(a)(1) incorporates the general rule prohibiting creditors from 
obtaining or using medical information pertaining to a consumer in 
connection with any determination of a consumer's eligibility, or 
continued eligibility, for credit, except as provided in the 
regulations under Subpart D. The consumer's eligibility for credit 
typically would be determined when an initial decision is made on 
whether to grant or deny credit to the consumer. A determination of a 
consumer's continued eligibility for credit may also include decisions 
whether to terminate an account or adjust a credit limit following an 
account review.
    Proposed paragraph (a)(2) clarifies the definition of certain terms 
used in Subpart D, including ``credit'' and ``creditor.'' In addition, 
paragraph (a)(2) provides that the phrase ``eligibility, or continued 
eligibility, for credit'' means the consumer's qualification or fitness 
to receive, or continue to receive, credit, including the terms on 
which credit is offered, primarily for personal, family, or household 
purposes.
    The paragraph also clarifies that the phrase ``eligibility, or 
continued eligibility, for credit'' does not include the consumer's 
qualification or fitness to be offered employment, insurance products, 
or other non-credit products or services. Similarly, ``eligibility, or 
continued eligibility, for credit'' does not include a determination of 
whether the provisions of a debt cancellation contract, debt suspension 
agreement, credit insurance product, or similar forbearance practice or 
program are triggered. A forbearance practice or program may include 
circumstances in which a creditor allows a consumer to skip one or more 
scheduled payments because the consumer is hospitalized for a medical 
condition. For example, if a consumer is hospitalized on an emergency 
basis and is temporarily unable to pay his mortgage, the consumer's 
daughter may contact the consumer's mortgage lender by telephone, 
inform the lender of the consumer's medical condition, and request that 
the lender allow the deferral of one or more payments to accommodate 
the consumer's particular circumstances. The creditor's use of the 
medical information provided by the consumer's daughter to defer one or 
more mortgage payments to accommodate the consumer's particular 
circumstances would constitute a forbearance that is beyond the scope 
of the prohibition.

    Comment is requested on whether it is more appropriate to grant an 
exception to permit creditors to obtain and use medical information in 
connection with debt cancellation, debt suspension, or credit insurance 
products or practices, rather than issuing an interpretation that 
obtaining information necessary to trigger coverage under these 
products falls outside any determination of eligibility, or continued 
eligibility, for credit. In addition, comment is solicited on whether a 
separate exception for accommodating the particular medical condition 
or circumstances of the consumer should be created in lieu of or in 
addition to the interpretation that eligibility, or continued 
eligibility, for credit does not include forbearance.
    The proposed regulation also provides that the term ``eligibility, 
or continued eligibility, for credit'' does not include authorizing, 
processing, or documenting a payment or transaction on behalf of a 
consumer in a manner that does not involve a determination of the 
consumer's eligibility, or continued eligibility, for credit. Finally, 
the term ``eligibility, or continued eligibility, for credit'' does not 
include maintaining or servicing a consumer's account in a manner that 
does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    The Agencies note that section 604(g)(2) contains two distinct 
prohibitions--one on obtaining medical information and one on using 
medical information. Nothing in the statute prohibits a creditor from 
obtaining medical information if the information is not obtained in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit. Thus, there is no prohibition, for 
example, on a creditor obtaining medical information through 
authorizing, processing, or documenting a payment or transaction on 
behalf of the consumer, or managing or servicing the consumer's 
account. Nevertheless, a creditor that has obtained medical information 
in these circumstances may not use that information in connection with 
a determination of the consumer's eligibility, or continued 
eligibility, for credit, unless permitted by an exception provided in 
the regulations. However, there is no prohibition in section 411 of the 
FACT Act on a person that is a creditor from obtaining or using medical 
information for an employment purpose or in connection with a 
determination of the consumer's eligibility for an insurance product.
B. Receiving Unsolicited Medical Information
    Creditors may receive unsolicited medical information without 
specifically asking for such information. This may occur, for example, 
when a consumer informs the loan officer that she needs a loan to pay 
for treatment for a particular medical condition, or when a consumer, 
in response to a general request on a credit application for 
information about outstanding debts, lists debts owed to hospitals and 
doctors for medical services. The Agencies do not believe that a 
creditor violates the prohibition on obtaining medical information when 
the creditor does not specifically ask for or request such information, 
yet the consumer or other person provides that information to the 
creditor. However, because the statutory prohibition on obtaining 
medical information could be interpreted broadly to cover circumstances 
in which medical information is obtained by a creditor without asking 
for it, the Agencies have proposed a rule of construction to make clear 
that a creditor does not violate the prohibition on obtaining medical 
information if the creditor receives unsolicited medical information.
    Proposed paragraph (b) contains this rule of construction for 
receiving unsolicited medical information. Under proposed paragraph 
(b)(1), a creditor does not obtain medical information for purposes of 
proposed paragraph (a)(1) if it receives medical information pertaining 
to a consumer in connection with any determination of the consumer's 
eligibility, or continued eligibility, for credit without specifically 
requesting medical information, and does not use that information in 
determining whether to extend credit to the consumer and the terms on 
which credit is offered or continued. Paragraph (b)(2) provides 
examples for guidance. The Agencies seek comment on the appropriateness 
of this rule of construction and on whether this provision should be 
drafted as an exception to the general prohibition, rather than as a 
rule of construction.
C. Financial Information Exception for Obtaining and Using Medical 
Information
    As noted above, new section 604(g)(5)(A) of the Act gives the 
Agencies the authority to prescribe regulations, after notice and 
opportunity for comment, to permit creditors to obtain and use medical 
information in connection with determinations of credit eligibility 
that the Agencies determine to be necessary and appropriate to protect 
legitimate operational, transactional, risk, consumer, and other needs 
(including actions necessary for administrative verification purposes), 
consistent with the intent of the statute to restrict the use of 
medical information for inappropriate purposes. Applying this standard, 
the Agencies believe it is necessary and appropriate to permit 
creditors to obtain and use medical information in a number of 
circumstances.
    Proposed Sec. Sec.  ----.30(c)-(d) contain exceptions to the 
general prohibition on creditors obtaining or using medical 
information. Proposed paragraph (c) contains the first exception, and 
provides that a creditor may obtain and use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit so long as 
the following three elements are met. First, the information must 
relate to debts, expenses, income, benefits, collateral, or the purpose 
of the loan, including the use of proceeds. Second, the creditor must 
use the information in a manner and to an extent no less favorable than 
it would use comparable information that is not medical information in 
a credit transaction. Third, the creditor must not take the consumer's 
physical, mental, or behavioral health, condition or history, type of 
treatment, or prognosis into account as part of any such determination 
of credit eligibility. This three-part test strikes a balance between 
permitting creditors to obtain and use certain medical information 
about consumers when necessary and appropriate to satisfy prudent 
underwriting criteria and to ensure that credit is extended in a safe 
and sound manner, while restricting the use of medical information for 
inappropriate purposes.
    The first element of the test identifies certain types of 
information, specifically debts, expenses, income, benefits, 
collateral, or the purpose of the loan, that a creditor ordinarily 
would obtain and evaluate in connection with making a prudent credit 
decision, regardless of whether that information is medical or 
non-medical information. A creditor should not be prohibited from obtaining 
or using information about a debt, for example, in connection with 
making a credit decision, just because that debt happens to be for 
medical products or services.
    The second element of the test provides that the creditor must use 
the medical information in a manner and to an extent no less favorable 
than it would use comparable, non-medical
information in a credit transaction. For example, a creditor may deny 
credit to the consumer because the consumer owes a debt to a hospital 
if the creditor would have denied credit to the consumer if the 
consumer had owed the same amount of debt with the same payment history 
to a retailer. Nothing in the rule prevents the creditor from treating 
information about medical debts (or expenses or income) more favorably 
than non-medical debts.
    The third element of the test provides that the creditor may not 
take the consumer's physical, mental, or behavioral health, condition, 
or history, type of treatment, or prognosis into account as part of any 
determination of the consumer's eligibility, or continued eligibility, 
for credit. For example, the consumer may owe a debt to a hospital or 
other facility that specializes in treating a potentially terminal 
disease. While the creditor may evaluate the debt to the hospital or 
facility in the same manner and to the same extent as it would evaluate 
any non-medical debt, the creditor may not take into account the 
consumer's individual physical, mental, or behavioral health, 
condition, or history, type of treatment, or prognosis in determining 
the consumer's eligibility, or continued eligibility for credit, or the 
terms under which credit will be offered or continued.
    The Agencies seek comment on the financial information exception 
outlined in paragraph (c)(1). In particular, the Agencies seek comment 
on whether each of the three parts of the exception is necessary and 
whether the three parts together strike the right balance between 
permitting creditors to obtain and use medical information where 
necessary and appropriate to protect legitimate operational, 
transactional, risk, consumer, and other needs (including actions 
necessary for administrative verification purposes) and restricting the 
use of medical information for inappropriate purposes.
    Proposed paragraph (c)(2) provides several examples of when 
creditors generally may obtain and use medical information under the 
financial information exception in proposed paragraph (c)(1). These 
examples in proposed paragraph (c)(2) are not exclusive. The Agencies 
seek comment on all of the examples in proposed paragraph (c)(2), 
including whether any of the examples should be amended or deleted, or 
whether additional examples should be provided.
    Proposed paragraph (c)(2)(i) provides examples of the circumstances 
in which medical information would relate to debts, expenses, income, 
benefits, collateral, or the purpose of the loan, including the use of 
proceeds. A creditor would, for example, be able to obtain and use 
medical information about--
    - The dollar amount, repayment terms, repayment 
history, and similar information regarding medical debts that is used 
to calculate, measure, or verify the repayment ability of the consumer, 
the use of proceeds, or the terms for granting credit;
    - The value, condition, and lien status of a 
medical device that is used as collateral to secure a loan;
    - The dollar amount and continued eligibility for 
disability income or benefits related to health or a medical condition 
that is relied on as a source of repayment; or
    - The identity of creditors to whom outstanding 
medical debts are owed in connection with an application for credit, 
including but not limited to a transaction involving the consolidation 
of medical debts.
    The Agencies propose to include five additional examples to 
illustrate uses of medical information consistent and inconsistent with 
the financial information exception. Proposed paragraph (c)(2)(ii) 
provides examples of uses of medical information that are consistent 
with the exception. The first example involves a consumer who includes 
two $20,000 debts on an application for credit--one debt to a hospital 
and the other to a retailer. The creditor contacts the hospital and the 
retailer in order to verify the amount and payment status of the debts 
and learns that both are more than 90 days past due. Any two debts of 
this size that are past due would disqualify the consumer under the 
creditor's established underwriting criteria. The creditor decides to 
deny the application on the basis of the consumer's poor repayment 
history on outstanding debts. Under these circumstances, the creditor 
obtains and uses information about medical debts the same way it uses 
information about non-medical debts. Accordingly, the creditor has used 
medical information in a manner consistent with the exception.
    In the second example, a consumer indicates on an application for a 
$200,000 mortgage loan that she receives $15,000 in long-term 
disability income each year from her former employer and has no other 
income. Annual income of $15,000, regardless of source, would not be 
sufficient to support the requested amount of credit. The creditor 
denies the application on the basis that the projected debt-to-income 
ratio of the consumer does not meet the creditor's underwriting 
criteria. In this example, the creditor analyzes the long-term 
disability income, which is medical information, the same way it would 
analyze any other income information of a potential borrower.
    The third example in proposed paragraph (c)(2)(ii) involves a 
consumer who includes on an application for a $10,000 home equity loan 
that he has a $50,000 debt to a medical facility that specializes in 
treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan, and learns that the debt is current and 
that the applicant meets the income requirements of the creditor's 
underwriting guidelines. The creditor grants the application. The 
creditor has used medical information in accordance with the exception.
    Proposed paragraph (c)(2)(iii) provides two examples of uses of 
medical information that are inconsistent with the exception. The first 
example involves a consumer who includes on an application for $25,000 
of credit information about a $50,000 debt to a hospital. The creditor 
contacts the hospital to verify the amount and payment status of the 
debt and learns that the debt is current and that the consumer has no 
delinquencies in her repayment history. If the existing debt were 
instead owed to a home furnishing retailer, the creditor would approve 
the application and extend credit based on the amount and repayment 
history of the outstanding debt. The creditor, however, denies the 
application because the consumer is indebted to a hospital. The 
creditor has used medical information, here the identity of the medical 
creditor, in a manner and to an extent that is less favorable than it 
would use comparable non-medical information.
    In the second example in proposed paragraph (c)(2)(iii), a consumer 
meets with a loan officer of a creditor to apply for a mortgage loan. 
While filling out the loan application, the consumer informs the loan 
officer orally that she has a potentially terminal disease. The 
consumer meets the creditor's established requirements for the 
requested mortgage. The loan officer recommends to the credit committee 
that the consumer be denied credit because the consumer has that 
disease. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis as part of a determination of
eligibility or continued eligibility for credit.
D. Specific Exceptions for Obtaining and Using Medical Information
    Proposed paragraph (d) contains specific exceptions to the general 
prohibition to allow creditors to obtain and use medical information 
for a limited number of particular purposes. The Agencies request 
comment on whether each of these specific exceptions is necessary and 
appropriate and, if so, whether they are properly defined.
    Proposed paragraph (d)(1)(i) provides that a creditor may obtain 
and use medical information to determine whether the use of a power of 
attorney or legal representative is necessary and appropriate. This 
exception would permit a creditor to verify, in connection with a 
credit eligibility determination, that the exercise of a power of 
attorney or legal representative is triggered by the consumer's medical 
condition.
    Under proposed paragraph (d)(1)(ii), a creditor may also use 
medical information to comply with applicable requirements of local, 
state, or federal laws. For example, some state laws may require 
creditors to consider medical information in certain circumstances to 
protect populations that may be vulnerable to financial abuse by 
caregivers. This exception would permit creditors to obtain and use 
medical information to comply with those laws.
    Proposed paragraph (d)(1)(iii) provides that a creditor may also 
obtain and use medical information to the extent such information is 
included in a consumer report from a consumer reporting agency in 
accordance with section 604(g)(1)(B) of the FCRA, and is used for the 
purpose for which the consumer provided specific written consent. As 
noted above, section 411 of the FACT Act prevents consumer reporting 
agencies from furnishing consumer reports containing medical 
information, except under specified circumstances. Consumer reports 
must be furnished with coding that blocks the identity of the provider 
of medical information and the nature of the services, products, or 
devices, unless a consumer provides a consumer reporting agency with 
specific written consent to furnish a report to a creditor containing 
uncoded medical information. This exception clarifies that a creditor 
may obtain uncoded medical information from a consumer reporting agency 
in accordance with section 604(g)(1)(B) of the FCRA, and use that 
information for the purpose for which the consumer provided specific 
written consent.
    The Agencies have not proposed a separate exception for obtaining 
and using consumer reports in accordance with section 604(g)(1)(C) of 
the FCRA, which relates to consumer reports containing coded medical 
information. The Agencies do not believe that it is necessary to 
propose a separate exception.
    The Agencies have considered three options that would allow 
creditors to obtain and use consumer reports containing the information 
described in section 604(g)(1) of the FCRA. The Agencies have 
considered whether the definition of ``medical information'' may be 
interpreted in a manner that would exclude the coded information that 
may be furnished under section 604(g)(1)(C) of the Act. This approach 
would permit all creditors to obtain consumer reports with coded 
information (but not consumer reports with uncoded medical information 
furnished under section 604(g)(1)(B)) and use that information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, even in the absence of an exception 
in the regulations. This approach is based on a statutory 
interpretation that such coded information would not relate to the 
physical, mental, or behavioral health of the consumer, and thus, is 
not medical information.
    The Agencies also have considered whether section 604(g) or other 
provisions of the FCRA may be interpreted in such a manner that no 
exception would be necessary to permit creditors to obtain and use 
medical information in consumer reports furnished by consumer reporting 
agencies in accordance with section 604(g)(1). For example, the 
Agencies have considered whether the broad prohibition in section 
604(g)(2) on obtaining and using medical information in credit 
eligibility determinations may be construed as being qualified by the 
specific provisions in section 604(g)(1) that authorize consumer 
reporting agencies to furnish consumer reports containing medical 
information under certain limited circumstances. This possible 
interpretation would be based on the Agencies' observation that (1) it 
is unlikely that Congress would permit consumer reporting agencies to 
furnish consumer reports containing medical information in connection 
with credit transactions without permitting creditors to obtain and use 
these reports, and (2) in these circumstances, Congress may well have 
provided the consumer protections it deemed necessary by specifying the 
limitations under which consumer reporting agencies could furnish 
reports containing medical information.
    The Agencies also have considered whether creditors who intend to 
obtain and use this coded medical information would be able to do so in 
accordance with the financial information exception in Sec.  ----.30(c) 
of the proposed regulations. Coded medical information relates to 
medical debts, and the creditor may use debt information in making 
credit eligibility determinations in a manner and to an extent that is 
no less favorable than it would use comparable information that is not 
medical information. In addition, because the medical information is 
coded as prescribed in the FCRA, it would not provide the creditor with 
specific information regarding the consumer's health, condition, 
history, type of treatment, or prognosis (which may not be taken into 
account under the financial information exception in proposed 
Sec.  ----.30(c)(1)(iii)).
    The Agencies also note that the rule of construction in 
Sec.  ----.30(b) of the proposed regulations would enable creditors to receive 
consumer reports containing coded medical information without violating 
the limit on ``obtaining'' medical information prescribed by section 
604(g)(2) of the FCRA, so long as they do not use that medical 
information in making credit eligibility determinations.
    The Agencies specifically request comment on the most appropriate 
way in which to deal with information contained in consumer reports, 
and related matters. In particular, comment is requested on these three 
approaches.
    A creditor may also obtain and use medical information for purposes 
of fraud prevention and detection under proposed paragraph (d)(1)(iv). 
Comment is solicited as to whether and to what extent it is necessary 
for creditors to obtain and use medical information for purposes of 
fraud prevention and detection in connection with the determination of 
a consumer's credit eligibility and whether the exception could be 
narrowed to prevent the unnecessary use of medical information without 
compromising legitimate fraud prevention and detection programs.
    Proposed paragraph (d)(1)(v) provides that a creditor may obtain 
and use medical information in the case of credit for the purpose of 
financing medical products or services to determine and verify the 
medical purpose of a loan and the use of proceeds. Certain creditors 
have established specialized loan programs that finance specific 
medical procedures, such as vision correction
surgery, but not others. In such cases, the creditor may need to obtain 
and use medical information in connection with determining whether the 
purpose of the loan is within the scope of the creditor's established 
loan program. Proposed paragraph (d)(2) provides examples of this 
exception. The Agencies invite comment on whether the medical purpose 
financing exception strikes the appropriate balance between satisfying 
the legitimate needs of medical finance creditors and the intent of 
Congress to limit the use of medical information in credit eligibility 
determinations.
    Proposed paragraph (d)(1)(vi) provides that a creditor may obtain 
and use medical information if the consumer or the consumer's legal 
representative requests in writing, on a separate document signed by 
the consumer or the consumer's legal representative, that the creditor 
use specific medical information for a specific purpose in determining 
the consumer's eligibility, or continued eligibility, for credit, to 
accommodate the consumer's particular circumstances. The signed, 
written request must describe the specific medical information that the 
consumer requests the creditor to use and the specific purpose for 
which the information will be used. This exception is designed to 
accommodate the particular medical condition or circumstances of the 
individual consumer and is not intended to allow creditors to obtain 
consent on a routine basis or as a part of loan applications or 
documentation. This exception would not be met by a form that contains 
a pre-printed description of various types of medical information and 
the uses to which it might be put. Instead, it contemplates an 
individualized process in which the consumer informs the creditor about 
the specific medical information that the consumer would like the 
creditor to use and for what purpose. Proposed paragraph (d)(3) 
provides examples of this consumer request exception.
    The Agencies seek comment on the need for a broader exception to 
permit creditors to make a ``medical accommodation'' where individual 
circumstances may warrant such an accommodation. The Agencies note that 
forbearance practices and programs, as discussed in the explanation of 
paragraph (a)(2) above, would permit creditors to take into account a 
consumer's medical condition to defer scheduled payments or take 
certain other actions on existing accounts as a medical accommodation 
to the consumer. Comment is requested on whether forbearance plus the 
consumer request exception provides sufficient flexibility to provide 
medical accommodations to consumers.
    The Agencies also request comment on whether the procedural aspects 
of the consumer request exception (i.e., the request must be in 
writing, on a separate form signed by the consumer or the consumer's 
legal representative) would unnecessarily hinder the ability of a 
creditor to make a medical accommodation where a consumer's medical 
condition and financial circumstances may justify such an 
accommodation, or whether these procedures are necessary to protect 
consumers.
    The Agencies seek comment on whether there is a need to establish 
an exception for consumer consent whereby a creditor could request that 
a consumer consent to the specific use of the consumer's medical 
information. If so, the Agencies request specific comment on when this 
exception might be used and how the exception should be fashioned to 
ensure appropriate consumer protection.
    Finally, proposed paragraph (d)(1)(vii) provides that a creditor 
may obtain and use medical information as otherwise permitted by order 
of the appropriate agency.
E. Limits on Redisclosure
    Proposed paragraph (e) incorporates the statutory provision 
regarding the limits on redisclosure of medical information. This 
paragraph provides that a person that receives medical information 
about a consumer from a consumer reporting agency or an affiliate is 
prohibited from disclosing that information to any other person, except 
as necessary to carry out the purposes for which the information was 
initially disclosed, or as otherwise permitted by statute, regulation, 
or order.
F. Request for Comment
    The Agencies solicit comment on each of the proposed provisions of 
Sec.  ----.30. Specifically, the Agencies request comment as to whether 
each of the proposed exceptions is, in fact, necessary and appropriate 
to protect legitimate operational, transactional, risk, consumer, and 
other needs (including actions necessary for administrative 
verification purposes), and consistent with the intent of Congress to 
restrict the use of medical information for inappropriate purposes. 
Comment is also requested on the examples used in this section and 
whether additional or different examples should be included.
    The Agencies also invite comment on whether any additional or 
different exceptions should be included in the final regulation. 
Commenters that recommend additional or different exceptions should 
explain why the exception is necessary and appropriate to protect 
legitimate operational, transactional, risk, consumer, and other needs, 
and is consistent with the intent of Congress to restrict the use of 
medical information for inappropriate purposes.

Section ----.31 Sharing Medical Information With Affiliates

    Section ----.31(a) provides that the standard exclusions from the 
definition of ``consumer report'' contained in section 603(d)(2) of the 
Act--including the exclusions for sharing transaction or experience 
information among affiliates or sharing other eligibility information 
among affiliates after notice and an opportunity to opt-out--do not 
apply if medical information, an individualized list or description 
based on payment transactions for medical products or services, or an 
aggregate list or description based on payment transactions for medical 
products or services is disclosed to an affiliate.
    Paragraph (b) provides that the special restrictions on sharing the 
information outlined in paragraph (a) with affiliates do not apply, and 
the standard exclusions from the definition of consumer report remain 
in effect, if the information is disclosed to an affiliate in certain 
circumstances. Paragraph (b) incorporates the four statutory exceptions 
from section 604(g)(3)(A) and (B) of the Act.
    The first exception is when the information described in paragraph 
(a) is shared with an affiliate in connection with the business of 
insurance or annuities (including the activities described in section 
18B of the model Privacy of Consumer Financial and Health Information 
Regulation issued by the National Association of Insurance 
Commissioners, as in effect on January 1, 2003). The second exception 
is when the information described in paragraph (a) is shared with an 
affiliate for any purpose permitted without authorization under the 
Standards for Individually Identifiable Health Information promulgated 
by the Department of Health and Human Services (HHS) pursuant to the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
    The third exception is when the information described in paragraph 
(a) is shared with an affiliate for any purpose referred to under 
section 1179 of HIPAA. Section 1179 of HIPAA provides that to the 
extent that an entity is engaged in activities of a financial 
institution or is engaged in authorizing,
processing, clearing, settling, billing, transferring, reconciling or 
collecting payments for a financial institution, the HIPAA standards 
and requirements do not apply to the entity with respect to such 
activities. Section 1179 also provides as an example of a use or 
disclosure of information not covered by that statute, the use or 
disclosure of information for authorizing, processing, clearing, 
settling, billing, transferring, reconciling, or collection, a payment 
for, or related to, health care premiums or health care. For purposes 
of this rulemaking, the phrase ``purposes referred to under section 
1179'' means, at a minimum, authorizing, processing, clearing, 
settling, billing, transferring, reconciling or collecting payments.
    The fourth exception is when the information described in paragraph 
(a) is shared with an affiliate for any purpose described in section 
502(e) of the GLB Act. The Agencies note that some of the purposes 
described in section 502(e) of the GLB Act may be germane to the 
sharing of information among affiliates--for example, sharing with the 
consent of the consumer, for fraud prevention purposes, or as necessary 
to effect, administer, or enforce a transaction requested or authorized 
by the consumer--while other purposes described in section 502(e) are 
not--for example, sharing information with law enforcement or 
regulatory authorities.
    In addition to the statutory exceptions, paragraph (b) also 
contains two additional exceptions that the Agencies believe are 
necessary and appropriate. Paragraph (b)(5) provides that the special 
restrictions on sharing the information described in paragraph (a) with 
affiliates do not apply, and the standard exclusions from the 
definition of consumer report remain in effect, if the information is 
disclosed to an affiliate in connection with a determination of the 
consumer's eligibility, or continued eligibility, for credit consistent 
with Sec.  ----.30 of this subpart. The Agencies believe it is 
necessary and appropriate to allow an affiliate to share medical 
information with another affiliate that obtains or uses it consistent 
with Sec.  ----.30.
    Paragraph (b)(6) provides that the special restrictions on sharing 
medical-related information with affiliates do not apply if otherwise 
permitted by order of the appropriate agency. This exception 
incorporates the authority delegated to the Agencies by Congress to 
create exceptions through orders.
    The Agencies note that prohibitions on obtaining or using medical 
information in Sec.  ----.30 operate independent of the exceptions that 
permit the sharing of that information among affiliates in accordance 
with the provisions of section 603(d)(2) of the Act. For example, if a 
mortgage lender has obtained and used medical information in accordance 
with one of the exceptions in Sec.  ----.30(c) or (d), the mortgage 
lender may share that information with its credit card affiliate 
without becoming a consumer reporting agency if one of the exceptions 
in Sec.  ----.31(b) applies. However, the credit card affiliate may not 
obtain or use that information in connection with any determination of 
the consumer's eligibility, or continued eligibility, for credit, 
unless consistent with Sec.  ----.30.
    The Agencies invite comment on the exceptions included in proposed 
Sec.  ----.31(b). Specifically, comment is solicited on whether 
additional or different exceptions are necessary and appropriate.
Additional Issues
    The statute provides that the final rules shall take effect on the 
later of 90 days after the rules are issued in final form, or the date 
specified in the regulations. Comment is requested on whether an 
effective date of 90 days after the final rules are issued is 
appropriate or whether a different effective date should be 
established.

III. Regulatory Analysis

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3506; 5 CFR 1320), the Agencies reviewed the proposed rule to implement 
section 411 of the Fair and Accurate Credit Transactions Act of 2003 as 
required by the Office of Management and Budget. No collections of 
information pursuant to the Paperwork Reduction Act are contained in 
the proposed rule.

Initial Regulatory Flexibility Analysis

    OCC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) 
requires an agency to either provide an Initial Regulatory Flexibility 
Analysis with a proposed rule or certify that the proposed rule will 
not have a significant economic impact on a substantial number of small 
entities (defined for purposes of the RFA to include banks with less 
than $150 million in assets).
A. Reasons for Proposed Rule
    Section 411 of the FACT Act requires the OCC, together with the 
other Agencies, to publish rules that are determined to be necessary 
and appropriate to protect legitimate operational, transactional, risk, 
consumer, and other needs, including actions necessary for 
administrative verification, consistent with the intent of the section 
to restrict the use of medical information for inappropriate purposes, 
that permit the use of medical information in connection with any 
determination of a consumer's eligibility, or continued eligibility for 
credit. Section 411 also authorizes the OCC to issue regulations that 
are determined to be necessary and appropriate so as to exclude medical 
information shared by a covered entity with an affiliate from the 
definition of a consumer report in section 603(d) of the Fair Credit 
Reporting Act, and to address the reuse and redisclosure of medical 
information.
    The OCC does not expect that this rule, if adopted, would have a 
significant economic impact on small entities. The proposed rule 
implements section 411 of the FACT Act and imposes only minimal 
economic impact on national banks. The proposed rule would create 
exceptions to the FACT Act's prohibition against national banks 
obtaining and using a consumer's medical information in connection with 
credit determinations. Additionally, the proposed rule would implement 
the FACT Act's restrictions on the sharing of medical information among 
affiliates and would include exceptions to permit the sharing of 
medical information in certain circumstances. The proposed rule would 
apply to all national banks that obtain or use medical information in 
connection with credit determinations, regardless of bank size. 
However, it is likely that small national banks, because of the nature 
and size of their operations, will encounter fewer instances where they 
might obtain or use medical information. Therefore, no group of 
national banks, particularly small national banks, is expected to 
encounter a significant economic impact. However, the OCC invites 
comment on whether these assumptions are correct. Also, the OCC invites 
comment on the burden that likely will result on small institutions 
from this rulemaking, and has prepared the following analysis.
B. Statement of Objectives and Legal Basis
    The objectives of the proposed rule are described in the 
SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To 
implement the general statutory prohibition on creditors obtaining and 
using medical information in connection with credit eligibility 
determinations; (2) to fulfill the statutory mandate to prescribe 
regulations that permit creditors to obtain and use medical information 
for eligibility purposes when necessary and

[[Page 23389]]

appropriate to protect legitimate operational, transaction, risk, 
consumer, and other needs by granting exceptions; and (3) to implement 
the statutory exceptions to the special restrictions on sharing medical 
information with affiliates and to propose two additional exceptions 
the Agencies believe may be necessary and appropriate. The legal bases 
for the proposed rule are the National Bank Act found at 12 U.S.C. 1 et 
seq., 24(Seventh), 481, and 484, the Depository Institutions 
Deregulation and Monetary Control Act of 1980 found at 12 U.S.C. 93a, 
and the Federal Deposit Insurance Act found at 12 U.S.C. 1818; and the 
Fair Credit Reporting Act found at 15 U.S.C. 1681a, 1681b, and 1681s.
C. Description of Small Entities to Which the Rule Will Apply
    The proposed rule would apply to 1,214 national banks, Federal 
branches, and Federal agencies of foreign banks with assets under $150 
million.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
    The OCC does not believe that the proposed rule imposes any 
reporting or any specific recordkeeping requirements within the meaning 
of the RFA. Section 411 requires that all covered entities have the 
ability to identify medical information as defined by the FACT Act in 
order to avoid the general prohibition against obtaining or using it in 
connection with any eligibility determination. This may entail some 
training costs.
    However, the OCC believes that training costs will be minimal for a 
variety of reasons. One reason is that the OCC does not believe that covered 
entities presently obtain or use medical information in making credit 
eligibility determinations on a broad basis. Another is that bank staff 
would already be trained on complying with other laws governing 
obtaining and using confidential information, including medical 
information, as discussed below.
    Further, entities have the option of complying with the general 
statutory prohibition on obtaining and using medical information or an 
applicable exception. Thus, any burden that may be associated with 
complying with the exceptions can be avoided entirely by complying with 
the general prohibition. The OCC contemplates that those entities that 
find the exceptions to be burden reducing would opt to use them.
    The OCC solicits information and comment on these assumptions. The 
OCC also seeks information and comment on any costs, such as training 
costs, compliance requirements, or changes in operating procedures 
arising from the application of the proposed rule in addition to or 
which may differ from those arising from the application of the statute 
generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    The OCC is unable to identify any statutes or rules that would 
overlap or conflict with the proposed regulation. The OCC seeks comment 
and information about any such statutes or rules, as well as any other 
state, local, or industry rules or policies that require a covered 
institution to implement business practices that would comply with the 
requirements of the proposed rule.
F. Discussion of Significant Alternatives
    The proposed rule creates exceptions to the general prohibition on 
the use of medical information in determining the eligibility of a 
consumer for an initial extension or the continuation of an extension 
of credit. The proposed rule attempts to harmonize the circumstances 
under which a credit reporting agency may transfer medical information 
to a user of consumer reports with the ability of a financial 
institution to obtain and use that information. The proposed rule also 
provides exceptions, in addition to those contained in section 411, 
under which a financial institution may share medical information with 
an affiliate and not become a consumer reporting agency.
    In developing the proposal, the Agencies considered numerous 
alternatives. In particular, the Agencies considered creating a wide 
variety of possible exceptions to the general prohibition on obtaining 
and using medical information and numerous alternatives. A number of 
these are discussed in the SUPPLEMENTARY INFORMATION, including the 
following:
    1. The Agencies considered clarifying through an exception that 
obtaining and using medical information in connection with debt 
cancellation, debt suspension, or credit insurance products or similar 
forbearance practices or programs, is not prohibited, but are proposing 
to clarify this point through interpretation instead;
    2. The Agencies considered three options that would allow creditors 
to obtain and use consumer reports containing the various types of 
information described in section 604(g)(1) of the FCRA and are 
soliciting comment on these approaches;
    3. The Agencies considered the need for a broader exception to 
permit creditors to make a ``medical accommodation'' where individual 
circumstances may warrant such an accommodation; and
    4. The Agencies further considered the need to establish an 
exception for consumer consent whereby a creditor could request that a 
consumer consent to the specific use of the consumer's medical 
information.
    In all these cases and others, the Agencies have described relevant 
alternatives and are inviting comment on them in the SUPPLEMENTARY 
INFORMATION section.
    The relatively narrow scope of the exceptions proposed reflects the 
statutory mandate to create only those exceptions ``determined to be 
necessary and appropriate.'' While the Agencies believe that the 
proposed exceptions would be among those useful to small entities as 
well as large, we are not proposing a general exception that would 
apply only to small entities. Comment is solicited on whether such an 
exception would be necessary and appropriate and whether the risk is 
different for a small entity than a large entity that medical 
information obtained might be used for the type of ``inappropriate 
purposes'' the statute prohibits.
    The OCC welcomes comments on any significant alternatives, 
consistent with the mandate in section 411 to protect the privacy of 
medical information, that would minimize the impact of the proposed 
rule on small entities.
    Board: Subject to certain exceptions, the Regulatory Flexibility 
Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial 
regulatory flexibility analysis with a proposed rule whenever the 
agency is required to publish a general notice of proposed rulemaking 
for a proposed rule. The SUPPLEMENTARY INFORMATION above describes the 
reasons why the regulations are being proposed and the objectives and 
the legal basis of the proposed rule. The SUPPLEMENTARY INFORMATION 
section also describes the compliance requirements of the proposed rule 
and identifies other relevant Federal rules which may duplicate or 
overlap with the proposed rule. The Board, in connection with its 
initial regulatory flexibility analysis, requests public comment in the 
following areas.
A. Reasons for the Proposed Rule
    Section 411 of the FACT Act requires the Board, together with the 
other Agencies, to publish rules that are determined to be necessary 
and appropriate to protect legitimate

[[Page 23390]]

operational, transactional, risk, consumer, and other needs, including 
actions necessary for administrative verification, consistent with the 
intent of the section to restrict the use of medical information for 
inappropriate purposes, that permit the use of medical information in 
connection with any determination of a consumer's eligibility, or 
continued eligibility for credit. It permits the Board to issue 
regulations that are determined to be necessary and appropriate so as 
to exclude medical information shared by a covered entity with an 
affiliate from the definition of a consumer report in section 603(d) of 
the FCRA, and to address the reuse and redisclosure of medical 
information.
B. Statement of Objectives and Legal Basis
    The SUPPLEMENTARY INFORMATION above contains this information. The 
legal basis for the proposed rule is section 411 of the FACT Act.
C. Description of Small Entities to Which the Rule Applies
    The proposed rule would apply to all banks that are members of the 
Federal Reserve System (other than national banks), branches and 
agencies of foreign banks (other than Federal branches, Federal 
agencies, and insured State branches of foreign banks), commercial 
lending companies owned or controlled by foreign banks, organizations 
operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 
601 et seq., and 611 et seq.), bank holding companies and affiliates 
(other than depository institutions and consumer reporting agencies) of 
such holding companies. The Board's proposed rule will apply to the 
following institutions (numbers approximate): State member banks (932), 
bank holding companies (5,152), holding company non-bank subsidiaries 
(2,131), U.S. branches and agencies of foreign banks (289), Edge and 
agreement corporations (75), for a total of approximately 8,579 
institutions. The Board estimates that over 5,000 of these institutions 
could be considered small institutions with assets less than $150 
million.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
    The Board does not believe that the proposed rule imposes any new 
reporting or recordkeeping requirements, as defined in section 603 of 
the RFA. Section 411 requires that all covered entities have the 
ability to identify medical information as defined in order to avoid 
the general prohibition against obtaining or using it in connection 
with any eligibility determination. The Board believes that identifying 
that information for the purpose of either using it in eligibility 
determinations pursuant to the exceptions or to share the information 
with affiliates places no additional compliance burdens or costs on 
financial institutions.
    The Board seeks information and comment on any costs, compliance 
requirements, or changes in operating procedures arising from the 
application of the proposed rule in addition to or which may differ 
from those arising from the application of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    The Board is unable to identify any federal statutes or regulations 
that would duplicate, overlap, or conflict with the proposed rule. The 
Board seeks comment regarding any statutes or regulations, including 
state or local statutes or regulations, that would duplicate, overlap, 
or conflict with the proposed rule, including particularly any that 
address situations in which medical information may be: (i) Obtained or 
used in connection with a determination of credit eligibility; or (ii) 
shared among financial institutions and their affiliates.
F. Discussion of Significant Alternatives
    The proposed rule creates exceptions to the general prohibition on 
the use of medical information in determining the eligibility of a 
consumer for an initial extension or the continuation of an extension 
of credit. The proposed rule attempts to harmonize the circumstances 
under which a credit reporting agency may transfer medical information 
to a user of consumer reports with the ability of a financial 
institution to obtain and use that information. The proposed rule also 
provides exceptions, in addition to those contained in section 411, 
under which a financial institution may share medical information with 
an affiliate and not become a consumer reporting agency.
    The Board welcomes comments on any significant alternatives, 
consistent with the mandate in section 411 to protect the privacy of 
medical information, that would minimize the impact of the proposed 
rule on small entities.
    FDIC: Subject to certain exceptions, the Regulatory Flexibility Act 
(5 U.S.C. 601-612) (RFA) requires an agency to publish an initial 
regulatory flexibility analysis with a proposed rule whenever the 
agency is required to publish a general notice of proposed rulemaking 
for a proposed rule. The FDIC, in connection with its initial 
regulatory flexibility analysis, requests public comment in the 
following areas.
A. Reasons for the Proposed Rule
    Section 411 of the FACT Act requires the FDIC, together with the 
other Agencies, to publish rules that are determined to be necessary 
and appropriate to protect legitimate operational, transactional, risk, 
consumer, and other needs, including actions necessary for 
administrative verification, consistent with the intent of the section 
to restrict the use of medical information for inappropriate purposes, 
that permit the use of medical information in connection with any 
determination of a consumer's eligibility, or continued eligibility for 
credit. It permits the FDIC to issue regulations that are determined to 
be necessary and appropriate so as to exclude medical information 
shared by a covered entity with an affiliate from the definition of a 
consumer report in section 603(d) of the FCRA, and to address the reuse 
and redisclosure of medical information.
B. Statement of Objectives and Legal Basis
    The SUPPLEMENTARY INFORMATION above contains this information. The 
legal basis for the proposed rule is section 411 of the FACT Act.
C. Description of Small Entities to Which the Rule Applies
    The proposed rule would apply to all state non-member banks, 
approximately 3,700 of which are small entities as defined by the RFA.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
    The FDIC does not believe that the proposed rule imposes any new 
reporting or recordkeeping requirements, as defined in section 603 of 
the RFA. Section 411 requires that all covered entities have the 
ability to identify medical information as defined in order to avoid 
the general prohibition against obtaining or using it in connection 
with any eligibility determination. The FDIC believes that identifying 
that information for the purpose of either using it in eligibility 
determinations pursuant to the exceptions or to share the information 
with affiliates places no additional compliance burdens or costs on 
financial institutions.

[[Page 23391]]

    The FDIC seeks information and comment on any costs, compliance 
requirements, or changes in operating procedures arising from the 
application of the proposed rule in addition to or which may differ 
from those arising from the application of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    The FDIC is unable to identify any federal statutes or regulations 
that would duplicate, overlap, or conflict with the proposed rule. The 
FDIC seeks comment regarding any statutes or regulations, including 
state or local statutes or regulations, that would duplicate, overlap, 
or conflict with the proposed rule, including particularly any that 
address situations in which medical information may be: (i) Obtained or 
used in connection with a determination of credit eligibility; or (ii) 
shared among financial institutions and their affiliates.
F. Discussion of Significant Alternatives
    The proposed rule creates exceptions to the general prohibition on 
the use of medical information in determining the eligibility of a 
consumer for an initial extension or the continuation of an extension 
of credit. The proposed rule attempts to harmonize the circumstances 
under which a credit reporting agency may transfer medical information 
to a user of consumer reports with the ability of a financial 
institution to obtain and use that information. The proposed rule also 
provides exceptions, in addition to those contained in section 411, 
under which a financial institution may share medical information with 
an affiliate and not become a consumer reporting agency.
    The FDIC welcomes comments on any significant alternatives, 
consistent with the mandate in section 411 to protect the privacy of 
medical information, that would minimize the impact of the proposed 
rule on small entities.
    OTS: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) 
requires an agency to either provide an Initial Regulatory Flexibility 
Analysis (IRFA) with a proposed rule or certify that the proposed rule 
will not have a significant economic impact on a substantial number of 
small entities. As discussed below, OTS does not expect that this rule, 
if adopted, would have a significant economic impact on a substantial 
number of small entities. Nonetheless, it is providing this IRFA.
    The proposed rule implements section 411 of the FACT Act. The 
proposed rule would implement the statutory prohibition on creditors 
obtaining and using a consumer's medical information in connection with 
credit determinations, while creating exceptions in certain 
circumstances. Additionally, the proposed rule would implement the FACT 
Act's restrictions on the sharing of medical information among 
affiliates, while including exceptions to permit the sharing of medical 
information in certain circumstances. As discussed below, the proposed 
rule would apply to savings associations or their subsidiaries, savings 
and loan holding companies, or affiliates of savings associations or 
savings and loan holding companies other than bank holding companies, 
banks, or subsidiaries of bank holding companies or banks.
    OTS does not expect that this rule, if adopted, would have a 
significant economic impact on a substantial number of small entities. 
The general statutory prohibition on obtaining and using medical 
information incorporated into the rule will only impact entities 
that obtain or use medical information in connection with credit 
determinations, regardless of size. OTS does not believe that obtaining 
and using medical information for credit eligibility determinations is 
a widespread practice today among creditors it regulates. Small 
entities, because of the nature and size of their operations, may be 
less likely than larger institutions to do so. Therefore, no group of 
covered entities, particularly small ones, is expected to encounter a 
significant economic impact. However, OTS invites comment on whether these 
assumptions are correct. OTS further invites comment on the burden that 
will result on small entities from this rulemaking, and has prepared 
the following analysis.
A. Reasons for the Proposed Rule
    Section 411 of the FACT Act requires OTS, together with the other 
Agencies, to publish rules that are determined to be necessary and 
appropriate to protect legitimate operational, transactional, risk, 
consumer, and other needs, including actions necessary for 
administrative verification, consistent with the intent of the section 
to restrict the use of medical information for inappropriate purposes, 
that permit the use of medical information in connection with any 
determination of a consumer's eligibility, or continued eligibility for 
credit. Section 411 also authorizes OTS to issue regulations that are 
determined to be necessary and appropriate so as to exclude medical 
information shared by a covered entity with an affiliate from the 
definition of a consumer report in section 603(d) of the Fair Credit 
Reporting Act, and to address the reuse and redisclosure of medical 
information.
B. Statement of Objectives and Legal Basis
    The objectives of the proposed rule are described in the 
SUPPLEMENTARY INFORMATION section. In sum, the objectives are: (1) To 
implement the general statutory prohibition on creditors obtaining and 
using medical information in connection with credit eligibility 
determinations, (2) to fulfill the statutory mandate to prescribe 
regulations that permit creditors to obtain and use medical information 
for eligibility purposes when necessary and appropriate to protect 
legitimate operational, transaction, risk, consumer, and other needs by 
granting exceptions, and (3) to implement the statutory exceptions to 
the special restrictions on sharing medical information with affiliates 
and to propose two additional exceptions the Agencies believe may be 
necessary and appropriate.
    The legal bases for the proposed rule are provisions of: (1) The 
Home Owners' Loan Act found at 12 U.S.C. 1462a, 1463, 1464, and 1467a; 
(2) the Federal Deposit Insurance Act, the Bank Protection Act, and 
other banking laws found at 12 U.S.C. 1828, 1831p-1, and 1881-1884; (3) 
the Fair Credit Reporting Act found at 15 U.S.C. 1681s and 1681w; and 
(4) the Gramm-Leach-Bliley Act found at 15 U.S.C. 6801 and 6805(b)(1).
C. Description of Small Entities to Which the Rule Applies
    Section 571.30(a)-(d) of the proposed rule would apply to those 
creditors, as defined in Sec.  571.30(a)(2), that are savings 
associations or their subsidiaries, savings and loan holding companies, 
or affiliates of savings associations or savings and loan holding 
companies other than bank holding companies, banks, or subsidiaries of 
bank holding companies or banks.
    Sections 571.30(e) and 571.31 of the proposed rule would apply to 
all savings associations and, in accordance with 12 CFR 559.3(h)(1), to 
federal savings association operating subsidiaries as well.
    Small savings associations are generally defined, for RFA purposes, 
as those with assets of $150 million or less. 13 CFR 121.201 (2003). 
OTS calculates that of the 921 savings associations, a maximum of 479 
of these are small savings associations. OTS also calculates that these 
479 savings associations hold 122 subordinate

[[Page 23392]]

organizations that could possibly qualify as small entities.
    With regard to savings and loan holding companies, the Small 
Business Administration (SBA) prescribes size standards for various 
economic activities and industries using the North American Industry 
Classification System (NAICS). 13 CFR part 121. Under the SBA's 
standards, companies that are primarily engaged in holding securities 
of (or other equity interests in) depository institutions for the 
purpose of controlling those companies are addressed at NAICS Codes 
551111 and 551112 (Office of Bank Holding Companies and Office of Other 
Holding Companies). Companies within this group are considered to be 
small if they have annual receipts of $6 million or less. Companies 
that are primarily engaged in holding the securities of depository 
institutions and operating these entities are classified under NAICS 
Codes 522110-522190. Companies classified in this group are considered 
to be small if their total assets are less than $150 million.
    In this IRFA, OTS has analyzed the impact of this rule using both 
the $150 million asset size standard and the $6 million annual receipts 
standard. OTS specifically requests comment on its use of these 
standards. Commenters are invited to address whether these or other 
size standards are appropriate.
    OTS calculates that there are approximately 969 OTS-regulated 
savings and loan holding companies. OTS further calculates that there 
are a maximum of 381 savings and loan holding companies that could 
possibly qualify as small entities. OTS estimates that there are 151 
small savings and loan holding companies under an asset-based 
definition of $150 million or less of assets and 381 small savings and 
loan holding companies under a revenue-based definition of $6 million 
or less in annual receipts.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
    OTS does not believe that the proposed rule imposes any new 
reporting or any specific recordkeeping requirements within the meaning 
of the RFA. Implicitly, however, section 411 requires that all covered 
entities have the ability to identify medical information as defined by 
the FACT Act in order to avoid the general prohibition against 
obtaining or using it in connection with any eligibility determination. 
This may entail some training costs.
    However, OTS believes that training costs will be minimal for a 
variety of reasons. One reason is that OTS does not believe that covered 
entities currently widely obtain or use medical information in making 
credit eligibility determinations. Another is that staff would already 
be trained on complying with other laws governing obtaining and using 
confidential information, including medical information, as discussed 
below.
    Further, entities have the option of complying with the general 
statutory prohibition on obtaining and using medical information or an 
applicable exception. Thus, any additional burden that may be 
associated with complying with the exceptions can be avoided entirely 
by complying with the general prohibition instead. OTS contemplates 
that entities that find the exceptions to be burden reducing would opt 
to use them and that others would choose to comply with the general 
prohibition.
    OTS solicits information and comments on these assumptions. OTS 
also solicits information and comment on any costs, such as training 
costs, as well as compliance requirements, or changes in operating 
procedures arising from the application of the proposed rule in 
addition to or which may differ from those arising from the application 
of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    The SUPPLEMENTARY INFORMATION section describes the compliance 
requirements of the proposed rule and identifies other relevant Federal 
rules that may duplicate or overlap with the proposed rule. As 
discussed in the SUPPLEMENTARY INFORMATION, other laws and rules issued 
under these laws, such as the Americans with Disabilities Act, the Fair 
Housing Act, the Gramm-Leach-Bliley Act, and other parts of the FCRA, 
may limit or regulate the use, collection, and sharing of consumer 
information, including medical information. In particular, these and 
other laws and rules, such as the Equal Credit Opportunity Act and 
Regulation B, also may prohibit creditors from using certain 
information that is excluded from the restrictions on obtaining or 
using medical information, such as age or gender information, in 
determining eligibility for credit or for other purposes. In this 
sense, there may be some overlap between these federal statutes and 
regulations and the proposed rule.
    OTS seeks comment and information regarding any statutes or rules, 
including state or local statutes or regulations, that would duplicate, 
overlap, or conflict with the proposed rule, including particularly any 
that address situations in which medical information may be: (i) 
Obtained or used in connection with a determination of credit 
eligibility; or (ii) shared among financial institutions and their 
affiliates.
F. Discussion of Significant Alternatives
    The proposed rule creates exceptions to the general prohibition on 
the use of medical information in determining the eligibility of a 
consumer for an initial extension or the continuation of an extension 
of credit. The proposed rule attempts to harmonize the circumstances 
under which a credit reporting agency may transfer medical information 
to a user of consumer reports with the ability of a financial 
institution to obtain and use that information. The proposed rule also 
provides exceptions, in addition to those contained in section 411, 
under which a financial institution may share medical information with 
an affiliate and not become a consumer reporting agency.
    In developing the proposal, the Agencies considered numerous 
alternatives. In particular, the Agencies considered creating a wide variety 
of possible exceptions to the general prohibition on obtaining and using 
medical information and numerous alternatives. A number of these are 
discussed in the SUPPLEMENTARY INFORMATION, including the following:
    1. The Agencies considered clarifying through an exception that 
obtaining and using medical information in connection with debt 
cancellation, debt suspension, or credit insurance products or similar 
forbearance practices or programs, is not prohibited, but are proposing 
to clarify this point through interpretation instead.
    2. The Agencies considered three options that would allow creditors 
to obtain and use consumer reports containing the various types of 
information described in section 604(g)(1) of the FCRA and are 
soliciting comment on these approaches.
    3. The Agencies considered the need for a broader exception to 
permit creditors to make a ``medical accommodation'' where individual 
circumstances may warrant such an accommodation.
    4. The Agencies further considered the need to establish an 
exception for consumer consent whereby a creditor could request that a 
consumer consent to the specific use of the consumer's medical 
information.
    In all these cases and others, the Agencies have described relevant 
alternatives and are inviting comment on them in the SUPPLEMENTARY 
INFORMATION section.
    The relatively narrow scope of the exceptions proposed reflects the 
statutory mandate to create only those exceptions ``determined to be 
necessary and appropriate.'' While the Agencies believe that the 
proposed exceptions would be among those useful to small entities as 
well as large, we are not proposing a general exception that would 
apply only to small entities. Comment is solicited on whether such an 
exception would be necessary and appropriate and whether the risk that 
medical information obtained might be used for the type of 
``inappropriate purposes'' the statute prohibits is different for a 
small entity than for a large entity.
    OTS welcomes comments on any significant alternatives, consistent 
with the mandate in section 411 to protect the privacy of medical 
information, which would minimize the impact of the proposed rule on 
small entities.
    NCUA: The Regulatory Flexibility Act requires the NCUA to prepare 
an analysis to describe any significant economic impact a proposed rule 
may have on a substantial number of small credit unions (those under 
$10 million in assets).
    Section 411 of the FACT Act limits the ability of creditors to 
obtain or use medical information in connection with credit eligibility 
determinations and narrows when any person can share medical 
information and medical-related information with affiliates without 
becoming a consumer reporting agency for purposes of the FCRA. The 
statute requires the NCUA and the federal banking agencies to prescribe 
regulations that create exceptions to permit creditors to obtain or use 
medical information in connection with credit eligibility 
determinations where necessary and appropriate to protect legitimate 
operational, transactional, risk, consumer, and other needs (including 
administrative verification purposes), consistent with congressional 
intent to restrict the use of medical information for inappropriate 
purposes. Furthermore, the statute grants discretionary rulemaking 
authority to the NCUA, the federal banking agencies, and the Federal 
Trade Commission to create exceptions, in addition to those already 
provided in the statute, to allow affiliates to share medical 
information and medical-related information.
    Proposed Sec. Sec.  717.30 and 717.31 of the NCUA's proposed 
regulations would apply to all federal credit unions, regardless of 
their size. The proposed rule would contain restrictions set forth in 
section 411 of the FACT Act on federal credit unions obtaining and 
using medical information in connection with credit eligibility 
determinations and the sharing of medical information and medical-
related information with affiliates. The proposed regulations, however, 
also would grant exceptions to the statutory limitations to allow 
creditors to obtain or use medical information in enumerated situations 
in connection with determinations of consumer eligibility or continued 
eligibility for credit. The proposal would also enumerate the 
situations in which federal credit unions would be permitted to share 
medical information among affiliates.
    NCUA is not aware of any other federal rules that duplicate, 
overlap, or conflict with the proposed rule. NCUA specifically requests 
comment on the impact of the proposed rule on small federal credit 
unions.

OCC and OTS Executive Order 12866 Determination

    The OCC and OTS each has determined that its portion of the 
proposed rulemaking is not a significant regulatory action under 
Executive Order 12866.

OCC Executive Order 13132 Determination

    The OCC has determined that this proposal does not have any 
Federalism implications, as required by Executive Order 13132.

NCUA Executive Order 13132 Determination

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their actions on state and local interests. In 
adherence to fundamental federalism principles, the NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. The proposed rule 
applies only to federally chartered credit unions and would not have 
substantial direct effects on the states, on the connection between the 
national government and the states, or on the distribution of power and 
responsibilities among the various levels of government. The NCUA has 
determined that this proposed rule does not constitute a policy that 
has federalism implications for purposes of the executive order.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4 (Unfunded Mandates Act) requires that an agency prepare a 
budgetary impact statement before promulgating a rule that includes a 
Federal mandate that may result in expenditure by State, local, and 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more in any one year. If a budgetary impact statement is 
required, section 205 of the Unfunded Mandates Act also requires an 
agency to identify and consider a reasonable number of regulatory 
alternatives before promulgating a rule. The OCC and OTS each has 
determined that this proposed rule will not result in expenditures by 
State, local, and tribal governments, or by the private sector, of $100 
million or more. Accordingly, neither the OCC nor the OTS has prepared 
a budgetary impact statement or specifically addressed the regulatory 
alternatives considered.

NCUA: The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this proposed rule would not affect 
family well-being within the meaning of section 654 of the Treasury and 
General Government Appropriations Act, 1999, Public Law 105-277, 112 
Stat. 2681 (1998).

NCUA: Interpretive Ruling and Policy Statement (IRPS) 87-2, as Amended 
by IRPS 03-2

    Under NCUA's IRPS 87-2, as amended by IRPS 03-2, the NCUA Board's 
general policy is to provide a 60-day comment period for a proposed 
regulation. In this case, the NCUA Board believes that a 30-day comment 
period will be adequate and is appropriate given that the statutory 
deadline for the final rule is June 4, 2004. NCUA IRPS 87-2, 52 FR 
35231, Sept. 18, 1987, as amended by IRPS 03-2, 68 FR 31949, May 29, 
2003.

OCC Community Bank Comment Request

    The OCC invites your comments on the impact of this proposal on 
community banks. The OCC recognizes that community banks operate with 
more limited resources than larger institutions and may present a 
different risk profile. Thus, the OCC specifically requests comment on 
the impact of the proposal on community banks' current resources and 
available personnel with the requisite expertise, and whether the goals 
of the proposal could be achieved, for community banks, through an 
alternative approach.

IV. Solicitation of Comments on Use of Plain Language

    Section 722 of the GLB Act requires the Agencies \3\ to use plain 
language in all proposed and final rules published after January 1, 
2000. We invite your comments on how to make this proposed rule easier 
to understand. For example:
---------------------------------------------------------------------------

    \3\ Section 722 of the GLB Act does not apply to NCUA, but NCUA 
has a similar Agency Regulatory Goal to promote clear and 
understandable regulations that impose minimal regulatory burden.
---------------------------------------------------------------------------

     Have we organized the material to suit your 
needs? If not, how could this material be better organized?
     Are the requirements in the rule clearly stated? 
If not, how could the rule be more clearly stated?
     Do the regulations contain technical language or 
jargon that is not clear? If so, which language requires clarification?
     Would a different format (grouping and order of 
sections, use of headings, paragraphing) make the regulation easier to 
understand? If so, what changes to the format would make the regulation 
easier to understand?
     Would more, but shorter, sections be better? If 
so, which sections should be changed?
     What else could we do to make the regulation 
easier to understand?

List of Subjects

12 CFR Part 41

    Banks, Banking, Consumer protection, National banks, Reporting and 
recordkeeping requirements.

12 CFR Part 222

    Banks, Banking, Consumer protection, Credit, Fair Credit Reporting 
Act, Holding companies, Privacy, Reporting and recordkeeping 
requirements, State member banks.

12 CFR Part 334

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
soundness.

12 CFR Part 571

    Consumer protection, Credit, Fair Credit Reporting Act, Privacy, 
Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 717

    Consumer protection, Credit unions, Fair credit reporting, Medical 
information, Privacy, Reporting and recordkeeping requirements.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

    For the reasons set forth in the preamble, the OCC proposes to 
amend Chapter I of Title 12 of the Code of Federal Regulations as 
follows:
    1. Add part 41 to read as follows:

PART 41--FAIR CREDIT

Subpart A--General Provisions
Sec.
41.1 Purpose and scope.
41.2 Examples.
41.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
41.30 Obtaining or using medical information in connection with a 
determination of eligibility for credit.
41.31 Sharing medical information with affiliates.

    Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 
1818; 15 U.S.C. 1681a, 1681b, and 1681s.

Subpart A--General Provisions


Sec.  41.1  Purpose and scope.

    (a) Purpose. The purpose of this part is to establish standards for 
national banks in key areas of regulation regarding consumer report 
information and fair credit. In addition, the purpose of this part is 
to specify the type of information, including medical information, 
national banks may obtain, use, or share among affiliates. This part 
also contains a number of measures national banks must take to combat 
consumer fraud and related crimes, including identity theft.
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered. Except as otherwise provided in this 
part, these regulations apply to national banks, Federal branches and 
Agencies of foreign banks, and their respective operating subsidiaries 
that are not functionally regulated within the meaning of section 
5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 
1844(c)(5)).


Sec.  41.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  41.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as the OCC 
determines.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to:
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address; or
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    (l) [Reserved]
    (m) [Reserved]
    (n) [Reserved]
* * * * *

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec.  41.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) General prohibition on obtaining or using medical information--
(1) In general. A bank may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this subpart.
    (2) Definitions as used in this subpart--(i) Eligibility, or 
continued eligibility, for credit means the consumer's qualification or 
fitness to receive, or continue to receive, credit, including the terms 
on which credit is offered, primarily for personal, family, or 
household purposes. The term does not include:
    (A) The consumer's qualification or fitness to be offered 
employment, insurance products, or other non-credit products or 
services;
    (B) Any determination of whether the provisions of a debt 
cancellation contract, debt suspension agreement, credit insurance 
product, or similar forbearance practice or program are triggered;
    (C) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (D) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (ii) Bank means an institution that:
    (A) is covered by this part in Sec.  41.1(b)(2); and
    (B) is a ``creditor'' as that term is defined by section 702 of the 
Equal Credit Opportunity Act (15 U.S.C. 1691a).
    (iii) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act (15 U.S.C. 1691a).
    (b) Rule of construction for receiving unsolicited medical 
information--(1) In general. A bank does not obtain medical information 
for purposes of paragraph (a)(1) of this section if it:
    (i) Receives medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit without specifically requesting 
medical information; and
    (ii) Does not use that information in determining whether to extend 
or continue to extend credit to the consumer and the terms on which 
credit is offered or continued.
    (2) Examples of receiving unsolicited medical information. A bank 
receives unsolicited medical information if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the bank receives information that the consumer has a 
particular medical condition and does not use that information in 
determining whether to extend credit to the consumer or the terms on 
which credit is offered.
    (ii) In conversation with the loan officer, the consumer informs 
the bank that the consumer has a particular medical condition, and the 
bank does not use that information in determining whether to extend 
credit to the consumer or the terms on which credit is offered.
    (c) Financial information exception for obtaining and using medical 
information--(1) In general. A bank may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information relates to debts, expenses, income, benefits, 
collateral, or the purpose of the loan, including the use of proceeds;
    (ii) The bank uses the medical information in a manner and to an 
extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The bank does not take the consumer's physical, mental, or 
behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples--(i) Examples of information related to debts, 
expenses, income, benefits, collateral, or the purpose of the loan. 
Paragraph (c)(1)(i) of this section permits a bank, for example, to 
obtain and use information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts that is used to calculate, 
measure, or verify the repayment ability of the consumer, the use of 
proceeds, or the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
is used as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income or benefits related to health or a medical condition that is 
relied on as a source of repayment; or
    (D) The identity of entities to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The bank contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The bank 
learns that both debts are more than 90 days past due. Any two debts of 
this size that are past due would disqualify the consumer under the 
bank's established underwriting criteria. The bank denies the 
application on the basis that the consumer has a poor repayment history 
on outstanding debts. The bank has used medical information in a manner 
and to an extent no less favorable than it would use comparable non-
medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The bank denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the bank's underwriting criteria. The bank has used medical 
information in a manner and to an extent that is no less favorable than 
it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The bank contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The bank learns that the debt is 
current and that the applicant meets the income requirements of the 
bank's underwriting guidelines. The bank grants the application. The 
bank has used medical information in accordance with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception.
    (A) A consumer applies for $25,000 of credit and includes on the 
application information about a $50,000 debt to a hospital. The bank 
contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a home furnishing retailer, the bank would approve 
the application and extend credit based on the amount and repayment 
history of the outstanding debt. The bank, however, denies the 
application because the consumer is indebted to a hospital. The bank 
has used medical information, here the identity of the hospital, in a 
manner and to an extent that is less favorable than it would use 
comparable non-medical information.
    (B) A consumer meets with a loan officer of a bank to apply for a 
mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the bank's established requirements for the 
requested mortgage. The loan officer recommends to the credit committee 
that the consumer be denied credit because the consumer has that 
disease. The bank has used medical information in a manner inconsistent 
with the exception by taking into account the consumer's physical, 
mental, or behavioral health, condition, or history, type of treatment, 
or prognosis as part of a determination of eligibility or continued 
eligibility for credit.
    (d) Specific exceptions for obtaining and using medical 
information--(1) In general. A bank may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit:
    (i) To determine whether the use of a power of attorney or legal 
representative is necessary and appropriate;
    (ii) To comply with applicable requirements of local, state, or 
federal laws;
    (iii) To the extent such information is included in a consumer 
report from a consumer reporting agency, in accordance with 15 U.S.C. 
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer 
provided specific written consent;
    (iv) For purposes of fraud prevention and detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) If the consumer or the consumer's legal representative 
requests in writing, on a separate form signed by the consumer or the 
consumer's legal representative, that the bank use specific medical 
information for a specific purpose in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances. The signed written request must 
describe the specific medical information that the consumer requests 
the bank to use and the specific purpose for which the information will 
be used; or
    (vii) As otherwise permitted by order of the OCC.
    (2) Examples of determining the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the bank may 
confirm the consumer's medical eligibility to undergo that procedure 
with the surgeon. If the surgeon reports that surgery will not be 
performed on the consumer, the bank may use that medical information to 
deny the consumer's application for credit, because the loan would not 
be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the bank may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the bank may use that medical information to offer 
the consumer only $5,000 of credit.
    (iii) A bank has an established medical loan program for financing 
particular elective surgical procedures. The bank receives a loan 
application from a consumer requesting $10,000 of credit under the 
established loan program for an elective surgical procedure. The 
consumer indicates on the application that the purpose of the loan is 
to finance an elective surgical procedure not eligible for funding 
under the guidelines of the established loan program. The bank may deny 
the consumer's application because the purpose of the loan is not for a 
particular procedure funded by the established loan program.
    (3) Examples of obtaining and using medical information at the 
request of the consumer. Consistent with safe and sound practices, and 
after obtaining from the consumer a signed, written document that 
describes the specific medical information that the consumer requests 
the bank to use and the specific purpose for which the information will 
be used, the bank may obtain and use the specific medical information 
for the specific purpose described in the request:
    (i) If a consumer applies for a loan and requests that the bank 
consider the consumer's medical disability at the relevant time as an 
explanation for adverse payment history information in his credit 
report, the bank may consider such medical information in evaluating 
the consumer's willingness and ability to repay the requested loan.
    (ii) If a consumer applies for a loan and explains that his income 
has been and will continue to be interrupted on account of a medical 
condition and that he expects to repay the loan from liquidation of 
assets, the bank may evaluate the application using the sale of assets 
as the primary source of repayment.
    (e) Limits on redisclosure of information. If the bank receives 
medical information about a consumer from a consumer reporting agency 
or its affiliate, the bank must not disclose that information to any 
other person, except as necessary to carry out the purpose for which 
the information was initially disclosed, or as otherwise permitted by 
statute, regulation, or order.


Sec.  41.31  Sharing medical information with affiliates.

    (a) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if the bank communicates to an affiliate:
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (b) Exceptions. The bank may rely on the exclusions from the term 
``consumer report'' in section 603(d)(2) of the Act to communicate the 
information in paragraph (a) of this section to an affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the U.S. Department of Health and Human 
Services pursuant to the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
41.30; or
    (6) As otherwise permitted by order of the OCC.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

    For the reasons set forth in the joint preamble, title 12, chapter 
II, of the Code of Federal Regulations is proposed to be amended by 
revising part 222 to read as follows:

PART 222--FAIR CREDIT REPORTING (REGULATION V)

    1. The authority citation for part 222 is amended to read as 
follows:

    Authority: 15 U.S.C. 1681b and 1681s; Secs. 3 and 217, Pub. L. 
108-159, 117 Stat. 1952.

    2. In subpart A to part 222, the following amendments are made:
    a. Section 222.1 is amended by adding a new paragraph (b).
    b. Section 222.2 is added.
    c. Section 222.3 is added.
    3. A new subpart D is added to part 222.

Subpart A--General Provisions


Sec.  222.1  Purpose, scope, and effective dates

* * * * *
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered. (i) Except as otherwise provided in 
paragraph (b)(2) of this section, these regulations apply to banks that 
are members of the Federal Reserve System (other than national banks), 
branches and Agencies of foreign banks (other than Federal branches, 
Federal Agencies, and insured State branches of foreign banks), 
commercial lending companies owned or controlled by foreign banks, 
organizations operating under section 25 or 25A of the Federal Reserve 
Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding 
companies and affiliates of such holding companies.
    (ii) [Reserved]
    (iii) Section 222.30(a)-(d) of this part applies to persons listed 
in paragraph (b)(2)(i) of this section that are creditors.
    (iv) Section 222.31 of this part applies to banks that are members 
of the Federal Reserve System (other than national banks), branches and 
Agencies of foreign banks (other than Federal branches, Federal 
Agencies, and insured State branches of foreign banks), commercial 
lending companies owned or controlled by foreign banks, organizations 
operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 
601 et seq., and 611 et seq.).
* * * * *


Sec.  222.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  222.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as the Board 
determines.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address; or
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    (l) [Reserved]
    (m) [Reserved]
    (n) [Reserved]
    (o) You means member banks of the Federal Reserve System (other 
than national banks), branches and Agencies of foreign banks (other 
than Federal branches, Federal Agencies, and insured State branches of 
foreign banks), commercial lending companies owned or controlled by 
foreign banks, organizations operating under section 25 or 25A of the 
Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank 
holding companies and affiliates of such holding companies (other than 
depository institutions and consumer reporting agencies).

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information
Sec.
222.30 Obtaining or using medical information in connection with a 
determination of eligibility for credit.
222.31 Sharing medical information with affiliates.

Subpart D--Medical Information


Sec.  222.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this subpart.
    (2) Definitions as used in this subpart--(i) Eligibility, or 
continued eligibility, for credit means the consumer's qualification or 
fitness to receive, or continue to receive, credit, including the terms 
on which credit is offered, primarily for personal, family, or 
household purposes. The term does not include:
    (A) The consumer's qualification or fitness to be offered 
employment, insurance products, or other non-credit products or 
services;
    (B) Any determination of whether the provisions of a debt 
cancellation contract, debt suspension agreement, credit insurance 
product, or similar forbearance practice or program are triggered;
    (C) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit; or
    (D) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (b) Rule of construction for receiving unsolicited medical 
information--(1) In general. A creditor does not obtain medical 
information for purposes of paragraph (a)(1) of this section if it--
    (i) Receives medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit without specifically requesting 
medical information; and
    (ii) Does not use that information in determining whether to extend 
or continue to extend credit to the consumer and the terms on which 
credit is offered or continued.
    (2) Examples of receiving unsolicited medical information. A 
creditor receives unsolicited medical information if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer has a 
particular medical condition and does not use that information in 
determining whether to extend credit to the consumer or the terms on 
which credit is offered.
    (ii) In conversation with the loan officer, the consumer informs 
the creditor that the consumer has a particular medical condition, and 
the creditor does not use that information in determining whether to 
extend credit to the consumer or the terms on which credit is offered.
    (c) Financial information exception for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information relates to debts, expenses, income, benefits, 
collateral, or the purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples--(i) Examples of information related to debts, 
expenses, income, benefits, collateral, or the purpose of the loan. 
Paragraph (c)(1)(i) of this section permits a creditor, for example, to 
obtain and use information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts that is used to calculate, 
measure, or verify the repayment ability of the consumer, the use of 
proceeds, or the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
is used as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income or benefits related to health or a medical condition that is 
relied on as a source of repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are past due would disqualify the consumer 
under the creditor's established underwriting criteria. The creditor 
denies the application on the basis that the consumer has a poor 
repayment history on outstanding debts. The creditor has used medical 
information in a manner and to an extent no less favorable than it 
would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current and that the applicant meets the income requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception.
    (A) A consumer applies for $25,000 of credit and includes on the 
application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a home furnishing retailer, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis as part of a determination of eligibility or 
continued eligibility for credit.
    (d) Specific exceptions for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a
consumer in connection with any determination of the consumer's 
eligibility, or continued eligibility, for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative is necessary and appropriate;
    (ii) To comply with applicable requirements of local, state, or 
federal laws;
    (iii) To the extent such information is included in a consumer 
report from a consumer reporting agency, in accordance with 15 U.S.C. 
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer 
provided specific written consent;
    (iv) For purposes of fraud prevention and detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) If the consumer or the consumer's legal representative 
requests in writing, on a separate form signed by the consumer or the 
consumer's legal representative that the creditor use specific medical 
information for a specific purpose in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances. The signed written request must 
describe the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used; or
    (vii) As otherwise permitted by order of the Board.
    (2) Examples of determining the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
confirm the consumer's medical eligibility to undergo that procedure 
with the surgeon. If the surgeon reports that surgery will not be 
performed on the consumer, the creditor may use that medical 
information to deny the consumer's application for credit, because the 
loan would not be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (3) Examples of obtaining and using medical information at the 
request of the consumer. Consistent with safe and sound practices, and 
after obtaining from the consumer a signed, written document that 
describes the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used, the creditor may obtain and use the specific medical 
information for the specific purpose specified in the request:
    (i) If a consumer applies for a loan and requests that the creditor 
consider the consumer's medical disability at the relevant time as an 
explanation for adverse payment history information in his credit 
report, the creditor may consider such medical information in 
evaluating the consumer's willingness and ability to repay the 
requested loan.
    (ii) If a consumer applies for a loan and explains that his income 
has been and will continue to be interrupted on account of a medical 
condition and that he expects to repay the loan from liquidation of 
assets, the creditor may evaluate the application using the sale of 
assets as the primary source of repayment.
    (e) Limits on redisclosure of information. If you receive medical 
information about a consumer from a consumer reporting agency or your 
affiliate, you must not disclose that information to any other person, 
except as necessary to carry out the purpose for which the information 
was initially disclosed, or as otherwise permitted by statute, 
regulation, or order.


Sec.  222.31  Sharing medical information with affiliates.

    (a) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply to a person described in Sec.  222.1(b)(2)(iv) 
of this part if that person communicates to an affiliate--
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (b) Exceptions. A person described in Sec.  222.1(b)(2)(iv) of this 
part may rely on the exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act to communicate the information in 
paragraph (a) to an affiliate--
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
222.30 of this part; or
    (6) As otherwise permitted by order of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

    For the reasons set forth in the joint preamble, the Federal 
Deposit Insurance Corporation proposes to add part 334 of chapter III 
of title 12 of the Code of Federal Regulations to read as follows:

PART 334--FAIR CREDIT REPORTING

Subpart A--General Provisions

Sec.
334.1 Purpose, scope, and effective dates.
334.2 Examples.
334.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
334.30 Obtaining or using medical information in connection with a 
determination of eligibility for credit.
334.31 Sharing medical information with affiliates.

    Authority: 12 U.S.C. 1819(Tenth) and 1818; 15 U.S.C. 1681b and 
1681s.

Subpart A--General Provisions


Sec.  334.1  Purpose, scope, and effective dates.

    (a) [Reserved]
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered.
    (i) Except as otherwise provided in this paragraph, these 
regulations apply to banks insured by the FDIC (other than District 
Banks and members of the Federal Reserve System) and insured State 
branches of foreign banks and any subsidiaries and affiliates of such 
entities; and other entities or persons with respect to which the FDIC 
may exercise its enforcement authority under any provision of law. For 
purposes of this definition, a subsidiary does not include a broker, 
dealer, person providing insurance, investment company, and investment 
advisor.
    (ii) [Reserved]
    (iii) Section 334.30 of this part applies to creditors, as defined 
in Sec.  334.30(a)(2), that are subject to the jurisdiction of the 
Federal Deposit Insurance Corporation under paragraph (b)(2)(i) of this 
section.


Sec.  334.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  334.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as the Board 
determines.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address; or
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    (l) [Reserved]
    (m) [Reserved]
    (n) [Reserved]
    (o) You means banks insured by the FDIC (other than District Banks 
and members of the Federal Reserve System) and insured State branches 
of foreign banks and any subsidiaries and affiliates of such entities; 
and other entities or persons with respect to which the FDIC may 
exercise its enforcement authority under any provision of law. For 
purposes of this definition, a subsidiary does not include a broker, 
dealer, person providing insurance, investment company, and investment 
advisor.

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec.  334.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this subpart.
    (2) Definitions as used in this subpart--(i) Eligibility, or 
continued eligibility, for credit means the consumer's qualification or 
fitness to receive, or continue to receive, credit, including the terms 
on which credit is offered, primarily for personal, family, or 
household purposes. The term does not include:
    (A) The consumer's qualification or fitness to be offered 
employment, insurance products, or other non-credit products or 
services;
    (B) Any determination of whether the provisions of a debt 
cancellation contract, debt suspension agreement, credit insurance 
product, or similar forbearance practice or program are triggered;
    (C) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (D) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (b) Rule of construction for receiving unsolicited medical 
information--(1) In general. A creditor does not obtain medical 
information for purposes of paragraph (a)(1) of this section if it--
    (i) Receives medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit without specifically requesting 
medical information; and
    (ii) Does not use that information in determining whether to extend 
or continue to extend credit to the consumer and the terms on which 
credit is offered or continued.
    (2) Examples of receiving unsolicited medical information. A 
creditor receives unsolicited medical information if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer has a 
particular medical condition and does not use that information in 
determining whether to extend credit to the consumer or the terms on 
which credit is offered.
    (ii) In conversation with the loan officer, the consumer informs 
the creditor that the consumer has a particular medical condition, and 
the creditor does not use that information in determining whether to 
extend credit to the consumer or the terms on which credit is offered.

    (c) Financial information exception for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information relates to debts, expenses, income, benefits, 
collateral, or the purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples--(i) Examples of information related to debts, 
expenses, income, benefits, collateral, or the purpose of the loan. 
Paragraph (c)(1)(i) of this section permits a creditor, for example, to 
obtain and use information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts that is used to calculate, 
measure, or verify the repayment ability of the consumer, the use of 
proceeds, or the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
is used as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income or benefits related to health or a medical condition that is 
relied on as a source of repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are past due would disqualify the consumer 
under the creditor's established underwriting criteria. The creditor 
denies the application on the basis that the consumer has a poor 
repayment history on outstanding debts. The creditor has used medical 
information in a manner and to an extent no less favorable than it 
would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current and that the applicant meets the income requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception.
    (A) A consumer applies for $25,000 of credit and includes on the 
application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a home furnishing retailer, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis as part of a determination of eligibility or 
continued eligibility for credit.
    (d) Specific exceptions for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative is necessary and appropriate;
    (ii) To comply with applicable requirements of local, state, or 
federal laws;
    (iii) To the extent such information is included in a consumer 
report from a consumer reporting agency, in accordance with 15 U.S.C. 
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer 
provided specific written consent;
    (iv) For purposes of fraud prevention and detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) If the consumer or the consumer's legal representative 
requests in writing, on a separate form signed by the consumer or the 
consumer's legal representative that the creditor use specific medical 
information for a specific purpose in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances. The signed written request must 
describe the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used; or
    (vii) As otherwise permitted by order of the Board.
    (2) Examples of determining the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
confirm the consumer's medical eligibility to undergo that procedure 
with the surgeon. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical 
information to deny the consumer's application for credit, because the 
loan would not be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (3) Examples of obtaining and using medical information at the 
request of the consumer. Consistent with safe and sound practices, and 
after obtaining from the consumer a signed, written document that 
describes the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used, the creditor may obtain and use the specific medical 
information for the specific purpose specified in the request:
    (i) If a consumer applies for a loan and requests that the creditor 
consider the consumer's medical disability at the relevant time as an 
explanation for adverse payment history information in his credit 
report, the creditor may consider such medical information in 
evaluating the consumer's willingness and ability to repay the 
requested loan.
    (ii) If a consumer applies for a loan and explains that his income 
has been and will continue to be interrupted on account of a medical 
condition and that he expects to repay the loan from liquidation of 
assets, the creditor may evaluate the application using the sale of 
assets as the primary source of repayment.
    (e) Limits on redisclosure of information. If you receive medical 
information about a consumer from a consumer reporting agency or your 
affiliate, you must not disclose that information to any other person, 
except as necessary to carry out the purpose for which the information 
was initially disclosed, or as otherwise permitted by statute, 
regulation, or order.


Sec.  334.31  Sharing medical information with affiliates.

    (a) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if you communicate to an affiliate--
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (b) Exceptions. You may rely on the exclusions from the term 
``consumer report'' in section 603(d)(2) of the Act to communicate the 
information in paragraph (a) to an affiliate--
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
334.30 of this part; or
    (6) As otherwise permitted by order of the Board.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

    For the reasons set forth in the joint preamble, the Office of 
Thrift Supervision proposes to amend chapter V of title 12 of the Code 
of Federal Regulations by adding a new part 571 to read as follows:

PART 571--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
571.1 Purpose, scope, and effective dates.
571.2 Examples.
571.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
571.30 Obtaining or using medical information in connection with a 
determination of eligibility for credit.
571.31 Sharing medical information with affiliates.

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

Subpart A--General Provisions


Sec.  571.1  Purpose, scope, and effective dates.

    (a) [Reserved]
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered. (i) Except as otherwise provided in this 
paragraph (b)(2), this part applies to savings associations whose 
deposits are insured by the Federal Deposit Insurance Corporation (and 
federal savings association operating subsidiaries in accordance with 
Sec.  559.3(h)(1) of this chapter).
    (ii) [Reserved]
    (iii) Section 571.30(a)-(d) of this part applies to creditors, as 
defined in Sec.  571.30(a)(2), that are savings associations or their 
subsidiaries, savings and loan holding companies, or affiliates of 
savings associations or savings and loan holding companies other than 
bank holding companies, banks, or subsidiaries of bank holding 
companies or banks.


Sec.  571.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  571.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as OTS 
determines.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address; or
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    (l)-(n) [Reserved]
    (o) You means savings associations whose deposits are insured by 
the Federal Deposit Insurance Corporation (and federal savings 
association operating subsidiaries in accordance with Sec.  559.3(h)(1) 
of this chapter).

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec.  571.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this subpart.
    (2) Definitions as used in this subpart--(i) Eligibility, or 
continued eligibility, for credit means the consumer's qualification or 
fitness to receive, or continue to receive, credit, including the terms 
on which credit is offered, primarily for personal, family, or 
household purposes. The term does not include:
    (A) The consumer's qualification or fitness to be offered 
employment, insurance products, or other non-credit products or 
services;
    (B) Any determination of whether the provisions of a debt 
cancellation contract, debt suspension agreement, credit insurance 
product, or similar forbearance practice or program are triggered;
    (C) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (D) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (b) Rule of construction for receiving unsolicited medical 
information--(1) In general. A creditor does not obtain medical 
information for purposes of paragraph (a)(1) of this section if it--
    (i) Receives medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit without specifically requesting 
medical information; and
    (ii) Does not use that information in determining whether to extend 
or continue to extend credit to the consumer and the terms on which 
credit is offered or continued.
    (2) Examples of receiving unsolicited medical information. A 
creditor receives unsolicited medical information if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer has a 
particular medical condition and does not use that information in 
determining whether to extend credit to the consumer or the terms on 
which credit is offered.
    (ii) In conversation with the loan officer, the consumer informs 
the creditor that the consumer has a particular medical condition, and 
the creditor does not use that information in determining whether to 
extend credit to the consumer or the terms on which credit is offered.
    (c) Financial information exception for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information relates to debts, expenses, income, benefits, 
collateral, or the purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples--(i) Examples of information related to debts, 
expenses, income, benefits, collateral, or the purpose of the loan. 
Paragraph (c)(1)(i) of this section permits a creditor, for example, to 
obtain and use information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts that is used to calculate, 
measure, or verify the repayment ability of the consumer, the use of 
proceeds, or the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
is used as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income or benefits related to health or a medical condition that is 
relied on as a source of repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are past due would disqualify the consumer 
under the creditor's established underwriting criteria. The creditor 
denies the 
application on the basis that the consumer has a poor repayment history 
on outstanding debts. The creditor has used medical information in a 
manner and to an extent no less favorable than it would use comparable 
non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current and that the applicant meets the income requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception.
    (A) A consumer applies for $25,000 of credit and includes on the 
application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a home furnishing retailer, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis as part of a determination of eligibility or 
continued eligibility for credit.
    (d) Specific exceptions for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative is necessary and appropriate;
    (ii) To comply with applicable requirements of local, State, or 
Federal laws;
    (iii) To the extent such information is included in a consumer 
report from a consumer reporting agency, in accordance with 15 U.S.C. 
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer 
provided specific written consent;
    (iv) For purposes of fraud prevention and detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) If the consumer or the consumer's legal representative 
requests in writing, on a separate form signed by the consumer or the 
consumer's legal representative that the creditor use specific medical 
information for a specific purpose in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances. The signed written request must 
describe the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used; or
    (vii) As otherwise permitted by order of the Director of OTS.
    (2) Examples of determining the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
confirm the consumer's medical eligibility to undergo that procedure 
with the surgeon. If the surgeon reports that surgery will not be 
performed on the consumer, the creditor may use that medical 
information to deny the consumer's application for credit, because the 
loan would not be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (3) Examples of obtaining and using medical information at the 
request of the consumer. Consistent with safe and sound practices, and 
after obtaining from the consumer a signed, written document that 
describes the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used, the creditor may obtain and use the specific medical 
information for the specific purpose specified in the request:
    (i) If a consumer applies for a loan and requests that the creditor 
consider the consumer's medical disability at the relevant time as an 
explanation for adverse payment history information in his credit 
report, the creditor may consider such medical information in 
evaluating the consumer's willingness and ability to repay the 
requested loan.
    (ii) If a consumer applies for a loan and explains that his income 
has been and will continue to be interrupted on account of a medical 
condition and that he expects to repay the loan from liquidation of 
assets, the creditor may evaluate the application using the sale of 
assets as the primary source of repayment.
    (e) Limits on redisclosure of information. If you receive medical 
information about a consumer from a consumer reporting agency or your 
affiliate, you must not disclose that 
information to any other person, except as necessary to carry out the 
purpose for which the information was initially disclosed, or as 
otherwise permitted by statute, regulation, or order.


Sec.  571.31  Sharing medical information with affiliates.

    (a) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if you communicate to an affiliate--
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (b) Exceptions. You may rely on the exclusions from the term 
``consumer report'' in section 603(d)(2) of the Act to communicate the 
information in paragraph (a) of this section to an affiliate--
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
571.30 of this part; or
    (6) As otherwise permitted by order of the Director of OTS.

National Credit Union Administration

    For the reasons set out in the preamble, it is proposed that 12 CFR 
chapter VII be amended by adding a new part 717 to read as follows:

PART 717--FAIR CREDIT REPORTING

Subpart A--General Provisions
Sec.
717.1 Purpose, scope, and effective dates.
717.2 Examples.
717.3 Definitions.
Subpart B--[Reserved]
Subpart C--[Reserved]
Subpart D--Medical Information
717.30 Obtaining or using medical information in connection with a 
determination of eligibility for credit.
717.31 Sharing medical information with affiliates.

    Authority: 15 U.S.C. 1681b and 1681s.

Subpart A--General Provisions


Sec.  717.1  Purpose, scope, and effective dates.

    (a) [Reserved]
    (b) Scope.
    (1) [Reserved]
    (2) Institutions covered. These regulations apply to federal credit 
unions.


Sec.  717.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  717.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that controls, is controlled by, or 
is under common control with another company. For example, an affiliate 
of a federal credit union is a credit union service organization 
(CUSO), as provided in 12 CFR part 712, that is controlled by the 
federal credit union.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as the Board 
determines.
    (4) Example. NCUA will presume a credit union has a controlling 
influence over the management or policies of a CUSO, if the CUSO is 67% 
owned by credit unions.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address; or
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy.
    (l) [Reserved]
    (m) [Reserved]
    (n) [Reserved]
    (o) You means a federal credit union.

Subpart B--[Reserved]

Subpart C--[Reserved]

Subpart D--Medical Information


Sec.  717.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) General prohibition on obtaining or using medical information--
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this subpart.
    (2) Definitions as used in this subpart--(i) Eligibility, or 
continued eligibility, for credit means the consumer's qualification or 
fitness to receive, or continue to receive, credit, including the terms 
on which credit is offered, primarily for personal, family, or 
household purposes. The term does not include:
    (A) The consumer's qualification or fitness to be offered 
employment, insurance products, or other non-credit products or 
services;
    (B) Any determination of whether the provisions of a debt 
cancellation contract, debt suspension agreement, 
credit insurance product, or similar forbearance practice or program 
are triggered;
    (C) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (D) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (b) Rule of construction for receiving unsolicited medical 
information--(1) In general. A creditor does not obtain medical 
information for purposes of paragraph (a)(1) of this section if it--
    (i) Receives medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit without specifically requesting 
medical information; and
    (ii) Does not use that information in determining whether to extend 
or continue to extend credit to the consumer and the terms on which 
credit is offered or continued.
    (2) Examples of receiving unsolicited medical information. A 
creditor receives unsolicited medical information if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer has a 
particular medical condition and does not use that information in 
determining whether to extend credit to the consumer or the terms on 
which credit is offered.
    (ii) In conversation with the loan officer, the consumer informs 
the creditor that the consumer has a particular medical condition, and 
the creditor does not use that information in determining whether to 
extend credit to the consumer or the terms on which credit is offered.
    (c) Financial information exception for obtaining and using medical 
information--
    (1) In general. A creditor may obtain and use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit so long 
as:
    (i) The information relates to debts, expenses, income, benefits, 
collateral, or the purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples--(i) Examples of information related to debts, 
expenses, income, benefits, collateral, or the purpose of the loan. 
Paragraph (c)(1)(i) of this section permits a creditor, for example, to 
obtain and use information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts that is used to calculate, 
measure, or verify the repayment ability of the consumer, the use of 
proceeds, or the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
is used as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income or benefits related to health or a medical condition that is 
relied on as a source of repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are past due would disqualify the consumer 
under the creditor's established underwriting criteria. The creditor 
denies the application on the basis that the consumer has a poor 
repayment history on outstanding debts. The creditor has used medical 
information in a manner and to an extent no less favorable than it 
would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current and that the applicant meets the income requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception.
    (A) A consumer applies for $25,000 of credit and includes on the 
application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a home furnishing retailer, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis as part of a determination of eligibility or 
continued eligibility for credit.
    (d) Specific exceptions for obtaining and using medical 
information--(1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative is necessary and appropriate;
    (ii) To comply with applicable requirements of local, state, or 
federal laws;
    (iii) To the extent such information is included in a consumer 
report from a consumer reporting agency, in accordance with 15 U.S.C. 
1681b(g)(1)(B), and is used for the purpose(s) for which the consumer 
provided specific written consent;
    (iv) For purposes of fraud prevention and detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) If the consumer or the consumer's legal representative 
requests in writing, on a separate form signed by the consumer or the 
consumer's legal representative that the creditor use specific medical 
information for a specific purpose in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances. The signed written request must 
describe the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used; or
    (vii) As otherwise permitted by order of the NCUA.
    (2) Examples of determining the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
confirm the consumer's medical eligibility to undergo that procedure 
with the surgeon. If the surgeon reports that surgery will not be 
performed on the consumer, the creditor may use that medical 
information to deny the consumer's application for credit, because the 
loan would not be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (3) Examples of obtaining and using medical information at the 
request of the consumer. Consistent with safe and sound practices, and 
after obtaining from the consumer a signed, written document that 
describes the specific medical information that the consumer requests 
the creditor to use and the specific purpose for which the information 
will be used, the creditor may obtain and use the specific medical 
information for the specific purpose specified in the request:
    (i) If a consumer applies for a loan and requests that the creditor 
consider the consumer's medical disability at the relevant time as an 
explanation for adverse payment history information in his credit 
report, the creditor may consider such medical information in 
evaluating the consumer's willingness and ability to repay the 
requested loan.
    (ii) If a consumer applies for a loan and explains that his income 
has been and will continue to be interrupted on account of a medical 
condition and that he expects to repay the loan from liquidation of 
assets, the creditor may evaluate the application using the sale of 
assets as the primary source of repayment.
    (e) Limits on redisclosure of information. If you receive medical 
information about a consumer from a consumer reporting agency or your 
affiliate, you must not disclose that information to any other person, 
except as necessary to carry out the purpose for which the information 
was initially disclosed, or as otherwise permitted by statute, 
regulation, or order.


Sec.  717.31  Sharing medical information with affiliates.

    (a) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if you communicate to an affiliate--
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (b) Exceptions. You may rely on the exclusions from the term 
``consumer report'' in section 603(d)(2) of the Act to communicate the 
information in paragraph (a) to an affiliate--
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
717.30 of this part; or
    (6) As otherwise permitted by order of the NCUA.

    Dated: April 16, 2004.
John D. Hawke, Jr.,
Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System, April 22, 2004.
Jennifer J. Johnson,
Secretary of the Board.

    Dated at Washington, DC, the 6th day of April, 2004.

    By order of the Board of Directors.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

    Dated: April 6, 2004.

    By the Office of Thrift Supervision.
James E. Gilleran,
Director.

    By the National Credit Union Administration Board on April 8, 
2004.
Becky Baker,
Secretary of the Board.
[FR Doc. 04-9526 Filed 4-27-04; 8:45 am]