FACT Act Regulations: Medical Information
by Lucy Griffin, BOL Guru and Editor of Compliance Action
After a long wait, we now have a regulation on treatment of medical information. Think of this as the financial world's approach to privacy in health care.
The rule incorporates some exceptions to make the rule feasible given the realities of conducting business, such as processing checks and other forms of payments. But the rule does contain some elements that will prove a challenge. The effective date is April 1, 2006.
In terms of what to anticipate in compliance problems, we can look to existing rules that are similar in both form and substance. This rule has some interesting parallels to fair lending, both in the ask/don't ask restrictions and in the consideration of information rules. Although this provision is part of the fair credit reporting act and has the stated purpose of privacy protection, the rule actually functions like a discrimination law. The parallels to the age discrimination rules in Regulation B are striking. Understanding this should help with compliance.
Most of the definitions are not anything new or dramatic. "Affiliate" and "company" have meanings that are familiar as does consumer, defined as an individual. When using this rule, it is important to remember that the definitions distinguish between "consumer," which is limited to an individual, and "person" which includes both consumers and companies. In short, when the term "person" is used, the rule is referring to pretty much anything - both human beings and legally created entities. When the rule uses the term "consumer" the scope is limited to protecting only consumers and not companies.
The other important definition is "medical information." This definition is about as broad as possible. Instead of being confined to specific circumstances or situations, the definition incorporates almost any document, action or other information that conveys information about medical conditions or treatments. With a definition this broad, the term "medical information" actually operates like a prohibited basis.
Medical data can occur in any form or medium - paper, electronic, spoken, or any coming inventions. It includes information derived from a health care provider and information from the consumer - your customer. Health care providers can be doctors, clinics, hospitals, home care - anything that provides any care or service that meets the definition of medical.
Medical includes physical, mental, or behavioral health or condition. This includes everything from cancer to an odd gait caused by a short bone. It also includes every verb tense known to mankind: past, present and future.
Medical information can be revealed directly or indirectly, as for example by noticing the payee on checks. For this reason, the definition also reaches the different ways in which this information can be revealed.
The definition excludes information related to the age or gender of the consumer or demographic information such as address (which could be a nursing home). In effect, the information reportable on the HMDA LAR is not medical information but almost everything else is.
Also excluded is information that does not specifically identify a consumer. This sort of information would include payment or billing lists from hospitals with account or transfer numbers only. It would also include information from medical service business customers, such as doctor's offices, nursing homes or hospitals that provides the number of patients or clients served but not their identities.
Each federal financial institution regulatory agency has issued its own regulations. The regulations are almost identical except for institution terminology (bank, association, credit union) and the section of the Code of Federal Regulations. The agencies used the same approach with CRA.
There is one difference. The Federal Reserve issued two sets of medical information regulations. One, placed in Regulation V, applies to entities regulated directly by the Federal Reserve. The other is a new Regulation FF and applies to all other creditors not regulated by the federal financial regulatory agencies. The only good news here is that Regulation FF does not apply directly to financial institutions. Of course, there is Regulation V and its cronies.
From here, the medical information rule begins to look a great deal like the information rules in Regulation B. First, there are prohibitions on when and how medical information may be obtained. Next, there are rules about when and how such information may be used in making credit decisions.
The general prohibition is broad. Creditors must not obtain or use medical information about a consumer. The prohibition applies to any action that is connected to a determination of the consumer's current or continued eligibility for credit. Determining the consumer's eligibility to receive or hold credit includes an assessment of the consumer's fitness. The general prohibition generally treats any consideration of medical information as not pertinent to creditworthiness.
Fortunately, there are some exceptions. These exceptions appear in the form of exclusions from the definition of eligibility. The result is that a financial institution may use medical information to make a determination of the consumer's fitness or qualification for employment and for non-credit products and services. This is a credit-only rule.
Also excepted are routine payment processing activities such as servicing an account or authorizing or documenting a payment as long as it is not related to a determination of the consumer's qualifications for credit. The net result of these exceptions is that the financial institution can process payments to a doctor or hospital for a consumer but may not consider that information in a credit decision.
There are also some recognitions of reality in how information may be obtained. The rule recognizes that information related to medical health or conditions can enter or pass through a financial institution in a wide variety of ways, ranging from statements by the consumer to processing of checks.
If the consumer blurts out the information - such as "I need this loan for my nose job" - then obtaining the information is not illegal. However, asking for medical information is prohibited.
When pursuing information related to a loan application, such as the purpose of the loan or an explanation of the need for a loan, the consumer may provide medical information. It may be the loan purpose - anything from a nose job to paying off medical expenses of a family member - or it may explain existing debts and payment issues. When medical information enters this way, from the consumer in response to a legitimate and legal question, the information is legally obtained. It may not be used unless the information is pertinent to the credit decision.
The key test here is that the creditor must not ask for the medical information. Just as with questions that relate to marital status, direct questions are prohibited as are questions designed to elicit the information. But the information is legally obtained if it happens to be the response to an appropriate credit question.
As with Regulation B, the medical information rules recognize that medical information may come into the institution without a direct question. The rule then prohibits the use of information unless the use is permitted by one of the exceptions. If this sounds like a double negative, it is - that's exactly how the rule works.
The test for using medical information is whether the information is pertinent to evaluating the creditworthiness of the applicant. Information that is pertinent may be considered while information that is not must be ignored.
Information that is pertinent includes information that the creditor would usually consider, such as obligations of the borrower even if these obligations are medical in nature. The obligation to pay is a relevant consideration just as is the obligation to pay alimony.
Use of medical information, when appropriate, is conditioned on giving the information consideration that is no less favorable than other comparable information. Again, the "no less favorable" test should be a familiar concept already in use under Regulation B.
A final condition of considering medical information is that the creditor must only consider information that is relevant to the credit decision but not take into account the medical information itself. The creditor cannot make assumptions about the course of treatment or the future health expectations of the applicant.
There are certain circumstances under which a creditor may ask for and obtain information that constitutes medical information related to the consumer. The creditor may always ask about the applicant's debts even if the answer will reveal medical information.
The consumer may volunteer information that is medical in nature. Finally, the credit report may contain medical information such as the fact that the consumer owes a debt to a medical provider. Obtaining medical information in these ways does not violate the rule. However, the use prohibitions will dictate what the creditor may do with this information.
The creditor may also ask questions that relate to or reveal medical information if that question is needed to resolve an issue related to the application, such as whether the use of a power of attorney is proper. The creditor may ask questions that relate to the events that underlie the power of attorney to determine that the use of the power is legal or necessary.
Creditors may also ask questions that reveal medical information if the information is required for a government program related to the credit or a special purpose credit program that is designed to meet special medical needs or financial needs related to medical conditions.
If medical information exists in the files of a creditor, there is always the possibility that the information may be used or transferred. The rule places strict limits on any redisclosure or sharing of medical information. These restrictions include affiliates and subsidiaries. Sharing such information may only be done to carry out the purpose for which the information was originally provided or if the sharing is otherwise permitted by law. The regulation also contains exceptions to the exception rules for sharing with affiliates. The exceptions for affiliates identified in ?603(d)(2) do not apply to most medical information. Essentially, this means that medical information must be kept secure and be carefully protected. Given that medical information can enter the institution from so many sources, managing medical information security will be a challenge.
- Review underwriting criteria to identify when and how medical information may be obtained by lenders.
- Determine whether credit application procedures ask for any prohibited medical information. If so, change them.
- Review training material, including fair lending programs, to identify programs that should include references to the medical information rules.
- Take a close look at information sharing with affiliates and access by affiliates to information in the institution. Find avenues that may need to be closed off.
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 7, 6/05
First published on 06/01/2005