[Federal Register Volume 70, Number 224 (Tuesday, November 22, 2005)]
[Rules and Regulations]
[Pages 70664-70696]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-22830]



[[Page 70663]]

  
  
  
  
  
  
-----------------------------------------------------------------------


Part II





Department of the Treasury





Office of the Comptroller of the Currency



12 CFR Part 41



Office of Thrift Supervision

12 CFR Part 571



-----------------------------------------------------------------------





Federal Reserve System

12 CFR Parts 222 and 232



-----------------------------------------------------------------------





Federal Deposit Insurance Corporation

12 CFR Part 334



-----------------------------------------------------------------------





National Credit Union Administration

12 CFR Part 717



Fair Credit Reporting Medical Information Regulations; Final Rule

Federal Register / Vol. 70, No. 224 / Tuesday, November 22, 2005 / 
Rules and Regulations

[[Page 70664]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 41

[Docket No. 05-18]
RIN 1557-AC85

FEDERAL RESERVE SYSTEM

12 CFR Parts 222 and 232

[Regulation V and FF; Docket No. R-1188]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 334

RIN 3064-AC81

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 571

[No. 2005-49]
RIN 1550-AB88

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 717


Fair Credit Reporting Medical Information Regulations

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA).

ACTION: Final rules.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing 
final rules to implement section 411 of the Fair and Accurate Credit 
Transactions Act of 2003 (FACT Act). The final rules create exceptions 
to the statute's general prohibition on creditors obtaining or using 
medical information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit for all creditors. The exceptions permit creditors to obtain 
or use medical information in connection with credit eligibility 
determinations where necessary and appropriate for legitimate purposes, 
consistent with the Congressional intent to restrict the use of medical 
information for inappropriate purposes. The final rules also create 
limited exceptions to permit affiliates to share medical information 
with each other without becoming consumer reporting agencies. The final 
rules are substantially similar to the rules adopted by the Agencies on 
an interim final basis in June 2005.

DATES: The effective date of the interim final rule published on June 
10, 2005 (70 FR 33958) is delayed until April 1, 2006. The amendments 
in this final rule are effective April 1, 2006.

FOR FURTHER INFORMATION CONTACT: 
    OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael 
Bylsma, Director, or Stephen Van Meter, Assistant Director, Community 
and Consumer Law, (202) 874-5750; or Patrick T. Tierney, Senior 
Attorney, Legislative and Regulatory Activities Division, (202) 874-
5090, Office of the Comptroller of the Currency, 250 E Street, SW., 
Washington, DC 20219.
    Board: David A. Stein, Counsel; Minh-Duc T. Le, Ky Tran-Trong, or 
Krista P. DeLargy, Senior Attorneys, Division of Consumer and Community 
Affairs, (202) 452-3667 or (202) 452-2412; or Andrew Miller, Counsel, 
Legal Division, (202) 452-3428, Board of Governors of the Federal 
Reserve System, 20th and C Streets, NW., Washington, DC 20551.
    FDIC: Richard M. Schwartz, Counsel, Legal Division, (202) 898-7424; 
David Lafleur, Policy Analyst, (202) 898-6569, or Patricia Cashman, 
Senior Policy Analyst, Division of Supervision and Consumer Protection, 
(202) 898-6534, Federal Deposit Insurance Corporation, 550 17th Street, 
NW., Washington, DC 20429.
    OTS: Glenn Gimble, Senior Project Manager, Operation Risk, (202) 
906-7158; Richard Bennett, Counsel, (202) 906-7409, Office of Thrift 
Supervision, 1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, 
(703) 518-6540, National Credit Union Administration, 1775 Duke Street, 
Alexandria, VA 22314-3428.

SUPPLEMENTARY INFORMATION:

I. Background

    The FACT Act became law on December 4, 2003. Public Law 108-159, 
117 Stat. 1952. In general, the FACT Act amends the Fair Credit 
Reporting Act (FCRA or Act) to enhance the ability of consumers to 
combat identity theft, increase the accuracy of consumer reports, and 
allow consumers to exercise greater control regarding the type and 
amount of marketing solicitations they receive.
    Section 411 of the FACT Act generally limits the ability of 
creditors to obtain or use medical information in connection with 
credit eligibility determinations and the ability of consumer reporting 
agencies to disclose medical information, and restricts the sharing of 
medical information and other medically related information with 
affiliates. The FACT Act also revised the definition of ``medical 
information'' in section 603(i) of the FCRA to mean information or 
data, whether oral or recorded, in any form or medium, created by or 
derived from a health care provider or the consumer, that relates to 
the past, present, or future physical, mental, or behavioral health or 
condition of an individual, the provision of health care to an 
individual, or the payment for the provision of health care to an 
individual. The term ``medical information'' does not include the age 
or gender of a consumer, demographic information about the consumer, 
including a consumer's residence address or e-mail address, or any 
other information about a consumer that does not relate to the 
physical, mental, or behavioral health or condition of a consumer, 
including the existence or value of any insurance policy.
    Section 604(g)(1) of the FCRA restricts the circumstances under 
which consumer reporting agencies may furnish consumer reports that 
contain medical information about consumers. This provision is not the 
subject of the Agencies' rulemaking.
    Section 604(g)(2) of the FCRA prohibits creditors from either 
obtaining or using medical information pertaining to a consumer in 
connection with any determination of the consumer's eligibility, or 
continued eligibility, for credit. The statute contains no prohibition, 
however, on creditors obtaining or using medical information for other 
purposes that are not in connection with a determination of the 
consumer's eligibility, or continued eligibility, for credit. Section 
604(g)(5)(A) requires the Agencies to prescribe regulations that permit 
transactions that are determined to be necessary and appropriate to 
protect legitimate operational, transactional, risk, consumer, and 
other needs (including administrative verification purposes), 
consistent with Congressional intent to restrict the use of medical 
information for inappropriate purposes.
    Section 603(d)(3) of the FCRA restricts the sharing of medically 
related information with affiliates if that information meets the 
definition of ``consumer report'' in section 603(d)(1) of the FCRA. 
Specifically, section 603(d)(3) provides that the standard

[[Page 70665]]

exclusions from the definition of ``consumer report'' contained in 
section 603(d)(2)--such as sharing transaction or experience 
information among affiliates or sharing other information among 
affiliates after notice and an opportunity to opt-out--do not apply if 
medically related information is disclosed to an affiliate. Medically 
related information includes medical information, as described above, 
as well as an individualized list or description based on payment 
transactions for medical products or services, and an aggregate list of 
identified consumers based on payment transactions for medical products 
or services.
    Section 604(g)(3) of the FCRA provides several exceptions that 
allow institutions to share medically related information with 
affiliates in accordance with the standard exclusions that apply to the 
sharing of non-medically related information.\1\ The statute gives the 
Agencies and the FTC the authority to create additional exceptions by 
regulation or order.
---------------------------------------------------------------------------

    \1\ The statutory exceptions provide that an institution may 
share medically related information with an affiliate without having 
the communication categorically treated as a consumer report if the 
information is disclosed to an affiliate: (1) In connection with the 
business of insurance or annuities (including the activities 
described in section 18B of the model Privacy of Consumer Financial 
and Health Information Regulation issued by the National Association 
of Insurance Commissioners, as in effect on January 1, 2003); (2) 
For any purpose permitted without authorization under the Standards 
for Individually Identifiable Health Information promulgated by the 
Department of Health and Human Services (HHS) pursuant to the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA); (3) 
For any purpose referred to under section 1179 of HIPAA; (4) For any 
purpose described in section 502(e) of the Gramm-Leach-Bliley Act; 
or (5) As otherwise determined to be necessary and appropriate, by 
regulation or order, by the Federal Trade Commission (FTC), the 
Agencies, or an applicable State insurance authority. 15 U.S.C. 
1681b(g)(3).
---------------------------------------------------------------------------

    Section 604(g)(4) of the FCRA provides that any person that 
receives medical information from an affiliate pursuant to an exception 
in section 604(g)(3) or from a consumer reporting agency under section 
604(g)(1) must not disclose such information to any other person, 
except as necessary to carry out the purpose for which the information 
was initially disclosed, or as otherwise permitted by statute, 
regulation, or order.

II. Overview of Comments Received

    On April 28, 2004, the Agencies published a notice of proposed 
rulemaking in the Federal Register (69 FR 23380) relating to the 
medical information provisions of section 411 of the FACT Act. The 
proposed rules applied to banks, thrifts, Federal credit unions, and 
other creditors regulated by one of the Agencies. Most commenters 
supported the proposed rules, but urged the Agencies to broaden the 
scope of the rules to apply to all creditors.
    On June 10, 2005, the Agencies published interim final rules and a 
request for public comments in the Federal Register (70 FR 33958). The 
interim final rules created exceptions to the general prohibition 
against creditors obtaining or using medical information in connection 
with credit eligibility determinations, as required by section 
604(g)(5)(A), to permit transactions necessary and appropriate to 
protect legitimate operational, transactional, risk, consumer, and 
other needs (including administrative verification purposes), 
consistent with the intent of Congress to restrict the use of medical 
information for inappropriate purposes. In response to comments on the 
proposed rules, the scope of the interim final rules was expanded so 
that all creditors could rely on the exceptions for obtaining and using 
medical information in connection with credit eligibility 
determinations. The interim final rules also created exceptions to the 
special restrictions in section 603(d)(3) on sharing medically related 
information with affiliates, as permitted by section 604(g)(3)(C). The 
Agencies published these rules as interim final rules to give 
interested parties an opportunity to comment on the expanded scope of 
the exceptions for obtaining and using medical information in 
connection with credit eligibility determinations.
    Each Agency received the following number of comment letters on the 
interim final rules: OCC (8), Board (13), FDIC (9), OTS (7), and NCUA 
(11). Comments were received from industry commenters (including 
depository institutions, credit card companies, mortgage lenders and 
other non-bank creditors, and industry trade associations), consumer 
and community groups, and health privacy advocates. As discussed more 
fully below, commenters strongly supported the expanded scope of the 
rules to allow all creditors to rely on the exceptions for obtaining 
and using medical information in connection with credit eligibility 
determinations. The comments, and the Agencies' responses to the 
comments, are discussed in the following section-by-section analysis.

III. Section-by-Section Analysis

Section----.3 Definitions

    The Agencies received no comments on the definitions of ``Act,'' 
``company,'' ``consumer,'' ``common ownership or common corporate 
control,'' ``medical information,'' or ``person'' as defined in the 
interim final rules. These definitions are republished in the final 
rules without revision.

Affiliate

    Section----.3(b) of the interim final rules defined ``affiliate'' 
to mean any company that is related by common ownership or common 
corporate control with another company.\2\ The Agencies concluded that 
this definition of ``affiliate'' closely tracked the definition 
contained in section 2 of the FACT Act. The Agencies also concluded 
that there was no substantive difference between the FACT Act 
definition of ``affiliate'' and the definition of ``affiliate'' in 
section 509 of the Gramm-Leach-Bliley Act (GLB Act).
---------------------------------------------------------------------------

    \2\ For purposes of the regulation, an ``affiliate'' includes an 
operating subsidiary of a bank or savings association, and a credit 
union service organization that is controlled by a Federal credit 
union.
---------------------------------------------------------------------------

    One commenter requested use of an alternative definition of 
``affiliate'' that would incorporate certain concepts from California 
law. Specifically, this commenter suggested revising the definition of 
``affiliate'' to eliminate information sharing restrictions among 
affiliates that are regulated by the same or similar functional 
regulators, involved in the same broad line of business, or share a 
common brand or identity. This commenter maintained that such a 
definition would reduce costs and allow multiple entity financial 
institutions to better serve their clients.
    The Agencies decline to incorporate into the definition of 
``affiliate'' exceptions for entities regulated by the same or similar 
functional regulators, entities in the same line of business, or 
entities that share a common brand or identity. These exceptions were 
incorporated into a California financial privacy law in August 2003.\3\ 
Section 2 of the FACT Act defines the term ``affiliate'' to mean 
``persons that are related by common ownership or affiliated by 
corporate control.'' \4\ Congress did not incorporate the exceptions 
from California law into the definition of ``affiliate'' when it 
enacted the FACT Act at the end of 2003. The Agencies believe that the 
definition of ``affiliate'' included in the interim final rules better 
effectuates the intent of Congress than the revision suggested by the 
commenter. Accordingly, the

[[Page 70666]]

definition of ``affiliate'' is republished without change in the final 
rules.
---------------------------------------------------------------------------

    \3\ See Calif. Financial Code Sec.  4053(c).
    \4\ Fair and Accurate Credit Transactions Act of 2003, Public 
Law No. 108-159, Sec.  2, 117 Stat. 1952, 1953 (2003).
---------------------------------------------------------------------------

Section----.30 Obtaining or Using Medical Information in Connection 
With a Determination of Eligibility for Credit

    Section 411(a) of the FACT Act adds a new section 604(g)(2) to the 
FCRA. This provision contains a broad limitation on the ability of 
creditors to either obtain or use medical information in connection 
with credit eligibility determinations.

A. Scope of Rules on Obtaining or Using Medical Information

    The proposed rules would have applied the exceptions to banks, 
thrifts, and Federal credit unions. Many commenters on the proposal 
urged the Agencies to expand the scope of the exceptions to apply to 
all creditors, not just to creditors that are banks, thrifts, or 
Federal credit unions.
    As noted in the supplementary information to the interim final 
rules, the prohibition in section 604(g)(2) on creditors obtaining or 
using medical information in connection with credit eligibility 
determinations applies to all creditors. Under the FCRA, the term 
``creditor'' has the same meaning as in the Equal Credit Opportunity 
Act (``ECOA''), which defines a ``creditor'' as any person who 
regularly extends, renews, or continues credit; any person who 
regularly arranges for the extension, renewal, or continuation of 
credit; or any assignee of an original creditor who participates in the 
decision to extend, renew, or continue credit.\5\ Creditors include 
depository institutions as well as entities that are neither depository 
institutions nor affiliates of depository institutions, such as 
independent finance companies, loan brokers, health care providers, and 
automobile dealers.
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 1681a(r)(5) and 1691a(e).
---------------------------------------------------------------------------

    The statute does not contain any specific exceptions to this broad 
prohibition. Instead, section 604(g)(5) directs the Agencies to 
prescribe regulations to permit ``transactions'' in which creditors 
obtain or use medical information where ``necessary and appropriate to 
protect legitimate operational, transactional, risk, consumer, and 
other needs consistent with the intent of paragraph (2) to restrict the 
use of medical information for inappropriate purposes.'' \6\
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 1681b(g)(5)(A).
---------------------------------------------------------------------------

    The supplementary information to the interim final rules noted that 
section 604(g)(5) does not, by its terms, limit the creditors that may 
rely on exceptions granted by the Agencies. Moreover, that section, by 
its terms, applies to ``transactions'' for which the Agencies determine 
exceptions are necessary, not to ``creditors'' that the Agencies 
determine must be protected by the exceptions. Accordingly, the 
combined scope of the exceptions adopted pursuant to section 604(g)(5) 
in the interim final rules is as broad as the prohibition to which it 
applies, and is available to all creditors.
    The interim final action was comprised of six rules. The 
applicability of the section of each Agency's rule addressing the 
prohibition on and exceptions for creditors obtaining or using medical 
information in connection with credit eligibility determinations was 
set forth in Sec.  ----.30(a) and covered transactions in which certain 
enumerated entities participate as creditors. Under Sec.  --
--.30(a)(2), other entities that participate as creditors in 
transactions in which an enumerated entity also participates as a 
creditor would also be subject to that Agency's rule.
    In addition, the interim final action included a separate rule, 
codified in part 232 of the Board's chapter of the Code of Federal 
Regulations as Regulation FF (hereafter ``separate rule''), which 
afforded the exceptions to the prohibition against obtaining and using 
medical information for credit eligibility determinations generally to 
all creditors, except for creditors that are subject to one of the 
other Agencies' rules. This combination of rules established uniform 
coverage and exceptions for transactions involving any creditor that is 
subject to the prohibition on obtaining or using medical information in 
section 411. The separate rule was located in the Board's chapter of 
the Code of Federal Regulations as a matter of convenience because many 
creditors are accustomed to looking to the Board's regulations 
implementing other statutes, such as the Truth-in-Lending Act and the 
ECOA.
    In the supplementary information to the interim final rules, the 
Agencies expressed concern that uncertainty about this matter may have 
led creditors that believed they could not avail themselves of the 
exceptions not to comment on the appropriateness and details of the 
exceptions. Therefore, these rules were adopted on an interim final 
basis to provide interested parties with an opportunity to comment on 
the expanded scope of the rules.
    Most commenters strongly supported the approach taken in the 
interim final rules to expand the scope of the exceptions to apply to 
all creditors. None of the commenters objected to the expanded scope of 
the exceptions.
    One commenter expressed concern about enforcement of the rules in 
the event of potential abuses by non-bank creditors using medical 
information pursuant to the exceptions and requested that the Agencies 
and the FTC address this issue. The Agencies will enforce compliance 
with the final rules against creditors subject to their enforcement 
authority. The Agencies will coordinate with other agencies to promote 
compliance with the final rules by all creditors, including through 
referrals to the relevant enforcement agency where appropriate.
    One trade association representing state and Federal credit unions 
urged the NCUA to reassess its authority to apply its rule to state-
chartered credit unions or, alternatively, to seek a legislative 
solution to provide the NCUA, or state regulators, with rulemaking 
authority over state-chartered credit unions with regard to medical 
information. This commenter believed that allowing the NCUA to exercise 
rulemaking authority with respect to state-chartered credit unions 
would be more effective than having a separate rule located in the 
Board's chapter of the Code of Federal Regulations that applies to 
``all other creditors'' because the NCUA works more closely with state-
chartered credit unions than the Board does. Finally, this commenter 
suggested that there was ambiguity regarding the rules and the 
authority to enforce the rules against state-chartered credit unions.
    The NCUA and the other Agencies believe that covering state-
chartered credit unions under the separate rule is the most appropriate 
means for making the exceptions to the general prohibition applicable 
to those entities. Under section 621(a) of the FCRA, the FTC has 
enforcement authority over state-chartered credit unions. As noted in 
the supplementary information to the interim final rule, the separate 
rule has been located in the Board's chapter of the Code of Federal 
Regulations as a matter of convenience because many creditors are 
accustomed to looking to the Board's regulations implementing other 
statutes, such as the Truth-in-Lending Act and the Equal Credit 
Opportunity Act.
    Accordingly, the scope of the final rules is identical to the scope 
of the interim final rules. The final rules consist of the six rules 
included in the interim final rules. The scope provisions in Sec.  --
--.30(a) of each Agency's rule and Sec.  232.1(a) of the separate rule 
are

[[Page 70667]]

republished without change in the final rules.\7\
---------------------------------------------------------------------------

    \7\ OTS is making a technical change to the scope provision of 
its Fair Credit Reporting rule (section 571.1(b)) to make the 
provision more user-friendly.
---------------------------------------------------------------------------

    In the supplementary information to the interim final rules, the 
Agencies emphasized the importance of having consistent rules that 
prescribe exceptions to the prohibitions from obtaining or using 
medical information in connection with credit eligibility 
determinations. Thus, in developing the proposed, interim final, and 
final rules, the Agencies have consulted and coordinated with each 
other to establish identical rules. The Agencies will consult and 
coordinate with each other regarding any amendments to the rules for 
the purpose of assuring, to the extent possible, that the regulations 
prescribed by each Agency remain consistent and comparable with the 
regulations prescribed by the other Agencies.

B. General Prohibition on Obtaining or Using Medical Information

    Section ----.30(b)(1) of each Agency's interim final rule and Sec.  
232.1(b) of the separate rule incorporated the statute's general rule 
prohibiting creditors from obtaining or using medical information 
pertaining to a consumer in connection with any determination of a 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in the regulations under subpart D. The Agencies received no 
comments on these provisions. Section ----.30(b)(1) of each Agency's 
rule and Sec.  232.1(b) of the separate rule are republished without 
change in the final rule.
    Section ----.30(b)(2) of each Agency's interim final rule and Sec.  
232.1(c) of the separate rule clarified the meaning of certain terms 
used in the statutory prohibition and the proposed rule, including 
``eligibility, or continued eligibility, for credit,'' ``credit,'' and 
``creditor.'' One commenter requested that the Agencies clarify that 
the definitions of ``credit'' and ``creditor'' include the Board's 
interpretations of these terms pursuant to the Board's Regulation B, 
which implements the ECOA, and the Board's official staff commentary to 
Regulation B.\8\
---------------------------------------------------------------------------

    \8\ Under Regulation B, the Board defines the term ``creditor'' 
to mean a person who, in the ordinary course of business, regularly 
participates in a credit decision, including setting the terms of 
the credit, and includes a creditor's assignee, transferee, or 
subrogee who so participates. A creditor also includes a person, 
such as a broker, who regularly refers applicants or prospective 
applicants to creditors, or selects or offers to select creditors to 
whom requests for credit may be made, for purposes of Regulation B's 
prohibitions against discrimination and discouragement. A person is 
not a creditor regarding any violation of the ECOA or Regulation B 
committed by another creditor unless the person knew or had 
reasonable notice of the act, policy, or practice that constituted 
the violation before becoming involved in the credit transaction. 
Finally, a creditor does not include a person whose only 
participation in a credit transaction involves honoring a credit 
card. See 12 CFR 202.2(1).
---------------------------------------------------------------------------

    As noted in the supplementary information to the interim final 
rules, section 603(r)(5) of the FCRA provides that the terms ``credit'' 
and ``creditor'' have the same meanings as in section 702 of the ECOA. 
The interim final rules track the FCRA definitions of ``credit'' and 
``creditor.'' The Board's interpretation of the terms ``credit'' and 
``creditor'' in Regulation B and the official staff commentary to 
Regulation B, as appropriate, informs the application of those terms 
for FCRA purposes.

C. Receiving Unsolicited Medical Information

    Section ---- .30(c) of each Agency's interim final rule contained a 
rule of construction for the receipt of unsolicited medical 
information. Section 232.2 of the separate rule contained the identical 
provision. The rule of construction provides that a creditor does not 
obtain medical information in violation of the prohibition if it 
receives such information from a consumer, a consumer reporting agency, 
or any other person in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit without 
specifically requesting medical information. The interim final rules 
clarified that a creditor that receives unsolicited medical information 
may use that information in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit only to 
the extent the creditor can rely on one of the exceptions in Sec. Sec.  
---- .30(d) and (e) of each Agency's rule or Sec. Sec.  232.3 and .4 of 
the separate rule. The interim final rules also provided examples to 
illustrate the rule of construction.
    One commenter noted that it had previously requested that the 
provision dealing with receipt of unsolicited medical information 
should be an exception, rather than a rule of construction. As 
explained in the supplementary information to the interim final rules, 
the rule of construction was retained as an interpretation, rather than 
as an exception, because it interprets the statutory language regarding 
when a creditor ``obtains'' medical information in violation of the 
prohibition. This commenter also noted that it had previously suggested 
limiting the ability of creditors to indirectly solicit or encourage 
the sharing of medical information. As explained in the supplementary 
information to the interim final rules, the rule of construction uses 
the phrase ``without specifically requesting medical information.'' The 
examples make clear that the rule of construction applies when medical 
information is provided by the consumer in response to a general 
inquiry that does not specifically request medical information or is 
provided by the consumer voluntarily on an unsolicited basis.
    This commenter also reiterated its previous request that the 
Agencies require creditors to destroy or eliminate any unsolicited 
medical information that they receive. As explained in the 
supplementary information to the interim final rules, the destruction 
of unsolicited medical information would not be appropriate in 
circumstances where records must be retained. For example, if 
unsolicited medical information is obtained by a creditor on a credit 
application for which adverse action is taken, the creditor generally 
would be required to retain a copy of the application, including any 
medical information on the application, for 25 months pursuant to the 
record retention provisions of Regulation B, which implements the ECOA. 
Therefore, the Agencies decline to impose a requirement to destroy or 
eliminate unsolicited medical information. Section ---- .30(c) of each 
Agency's rule and Sec.  232.2 of the separate rule are republished 
without change in the final rule.

D. Financial Information Exception for Obtaining and Using Medical 
Information

    Section ---- .30(d) of each Agency's interim final rule contained 
the financial information exception and examples. Section 232.3 of the 
separate rule contained the identical provision and examples.\9\ The 
financial information exception consists of a three-part test. First, 
the information must be the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds. Second, the 
creditor must use the information in a manner and to an extent no less 
favorable than it would use comparable information

[[Page 70668]]

that is not medical information in a credit transaction. Third, the 
creditor must not take the consumer's physical, mental, or behavioral 
health, condition or history, type of treatment, or prognosis into 
account as part of any such determination of credit eligibility. The 
interim final rules also provided examples of the types of information 
covered by the exception, uses of medical information that are 
consistent with the exception, and uses of medical information that are 
not consistent with the exception.
---------------------------------------------------------------------------

    \9\ For simplicity, references and citations to the separate 
rule have been omitted from the discussion below. For any change 
made to the provisions of Sec. Sec.  ---- .30(d) and (e), 
corresponding changes have been made to Sec. Sec.  232.3 and 232.4 
of the separate rule.
---------------------------------------------------------------------------

    One commenter noted that none of the examples explicitly mention 
workers' compensation, even though Sec.  ---- .30(d)(1)(i) and the 
example in Sec.  ---- .30(d)(2)(i)(C) appear to cover the use of 
medical information to determine the likelihood and amount of future 
medically-based income, including by analogy workers' compensation. 
This commenter therefore requested a clarification that medically-based 
income, such as workers' compensation, may be obtained and used under 
the exception just as disability income.
    The Agencies agree that workers' compensation is income that would 
be covered by the financial information exception so long as it is the 
type of information routinely used in making credit eligibility 
determinations. The Agencies have revised the example in Sec.  --
--.30(d)(2)(i)(C) to add a reference to workers' compensation. 
Specifically, the example has been revised to read as follows: ``The 
dollar amount and continued eligibility for disability income, workers' 
compensation income, or other benefits related to health or a medical 
condition that is relied on as a source of repayment.''
    The Agencies reiterate their statement in the supplementary 
information to the interim final rule that the types of information 
listed as examples of information routinely used in making credit 
eligibility determinations for purposes of the financial information 
exception is not an exhaustive list. The fact that a particular type of 
information is not specifically mentioned in the text of the regulation 
or the accompanying examples does not mean that such information falls 
outside the scope of the financial information exception.
    Another commenter requested clarification of the example in Sec.  
----.30(d)(2)(i)(D) that the provision does not require the identity 
and contact information for medical debt creditors to be coded when 
included on credit reports. Sections 604(g)(1) and 605(a)(6) of the 
FCRA generally require consumer reporting agencies to use codes on 
consumer reports furnished in connection with credit transactions that 
do not identify the specific provider of medical information or the 
nature of such services, products, or devices to a person other than 
the consumer, unless the uncoded information is relevant to process or 
effect the transaction and the consumer provides specific written 
consent for the furnishing of the uncoded information. The requirement 
for consumer reporting agencies to code certain information on consumer 
reports is beyond the scope of this rulemaking. Therefore, the Agencies 
decline to amend the example in the manner requested.
    The Agencies are revising the example in Sec.  --
--.30(d)(2)(iii)(C) to illustrate a circumstance where a creditor 
requires the consumer to obtain a debt cancellation contract, debt 
suspension agreement, or credit insurance product from a 
``nonaffiliated third party'' in order to obtain a loan. This change is 
designed to avoid confusion with other legal requirements. As noted in 
the supplementary information to the interim final rules, other laws 
and regulations, including applicable anti-tying rules and fair lending 
laws, may prohibit or otherwise restrict a creditor from requiring a 
consumer to obtain a debt cancellation contract, debt suspension 
agreement, or credit insurance product in connection with an extension 
of credit.\10\ A discussion of the circumstances prohibited by other 
laws and regulations is beyond the scope of this rule.
---------------------------------------------------------------------------

    \10\ For example, banks are prohibited from conditioning an 
extension of credit on the consumer obtaining some additional 
credit, property or service from the bank or its affiliate other 
than a loan, discount, deposit or trust service, see Bank Holding 
Company Amendments of 1970 Sec.  106(b) (12 U.S.C. 1972); see also 
12 CFR 37.3(a) (providing that a national bank may not extend credit 
nor alter the terms or conditions of an extension of credit 
conditioned upon the customer entering into a debt cancellation 
contract or debt suspension agreement with the bank).
---------------------------------------------------------------------------

    One commenter believed that a sentence in the supplementary 
information to the interim final rules created a conflict with the 
financial information exception by implying that the only circumstance 
where the creditor could legitimately seek medical information was when 
the consumer is applying to finance a medical procedure. This commenter 
believed that a conflict was created by the following sentence: ``Thus, 
except where a creditor has a specific application for the financing of 
medical procedures, a creditor generally would be prohibited from 
specifically asking for medical information on a credit application.'' 
(70 FR 33967.) This commenter requested that the Agencies modify this 
sentence to state that: ``Except where a creditor has a specific 
application for the financing of medical procedures or has received an 
application in which income was claimed as deriving from injury or 
disability, a creditor generally would be prohibited from specifically 
asking for medical information on a credit application.''
    The Agencies do not believe that the quoted sentence from the 
supplementary information to the interim final rules creates a conflict 
with the financial information exception. The quoted language refers to 
circumstances in which medical information may be specifically 
requested on an application. The revision requested by the commenter 
does not relate to what a creditor may ask on an application, but 
relates to whether a creditor may use medical information it ``has 
received [on] an application in which income was claimed as deriving 
from injury or disability.'' If a consumer lists medically related 
income on an application, the creditor may use that information in 
accordance with the exceptions in Sec. Sec.  ----.30(d) and (e). The 
application, however, should not specifically request the consumer to 
disclose such medically related income. Of course, the application can 
ask the consumer to list all sources of income that the consumer would 
like the creditor to consider. Section ----.30(d) of the final rule is 
revised as noted above.

E. Specific Exceptions for Obtaining and Using Medical Information

    Sections ----.30(e)(1)(i)-(ix) of the interim final rules contained 
a number of specific exceptions to the general prohibition. Section --
--.30(e) of the interim final rules provided examples of certain 
exceptions. These exceptions allow creditors to obtain and use medical 
information for a limited number of particular purposes in connection 
with a determination of the consumer's eligibility, or continued 
eligibility, for credit. A creditor that obtains medical information 
pursuant to one of these specific exceptions may not subsequently use 
the information in connection with determining the consumer's 
eligibility, or continued eligibility, for credit unless an exception 
applies. The specific exceptions and examples are republished in each 
Agency's final rules and the separate rule with a few technical, non-
substantive changes.
    Determination of power of attorney, legal representative and legal 
capacity. Section ----.30(e)(1)(i) of the interim final rules contained 
an exception relating to the use of a power of attorney

[[Page 70669]]

or legal representative. This exception permits a creditor to obtain 
and use medical information in connection with determining the 
consumer's credit eligibility to determine: (1) Whether the use of a 
power of attorney or legal representative that is triggered by a 
medical event or condition is necessary and appropriate; or (2) whether 
the consumer has the legal capacity to contract when a person seeks to 
exercise a power of attorney or act as legal representative for a 
consumer based on an asserted medical event or condition.
    One commenter requested that the Agencies broaden the scope of this 
exception to permit creditors to investigate the mental capacity of a 
consumer based on a suspicion that the consumer lacks the capacity to 
contract. This commenter did not believe that an exception to permit an 
inquiry into the consumer's legal capacity ``when a person seeks to 
exercise a power of attorney or act as a legal representative for a 
consumer based on an asserted medical event or condition'' was broad 
enough to cover all circumstances where the consumer's legal capacity 
may be in doubt. This commenter urged the Agencies to clarify that 
creditors may investigate the mental capacity of a consumer even when 
there is no power of attorney issue, and that a reasonable suspicion is 
a sufficient basis to conduct the investigation. Additionally, or in 
the alternative, this commenter requested clarification that loan 
denials based on lack of legal mental capacity are not eligibility 
issues; therefore, no exception is necessary, because use of medical 
information for this purpose is not subject to the general statutory 
prohibition. Finally, this commenter did not believe that the terms 
``medical event'' or ``condition'' were clear for purposes of the power 
of attorney exception. Specifically, this commenter believed it was 
unclear how significant the medical event or condition must be, who 
must make the determination that the medical event or condition has 
occurred, and whether a suspicion allows the creditor to investigate 
further.
    As noted in the supplementary information to the interim final 
rules, commenters on the proposal were divided on the need for a 
broader exception covering powers of attorney and legal capacity. In 
the interim final rules, the Agencies considered whether to adopt a 
broader exception, but declined to do so. The Agencies believe that 
creditors, or their counsel, are qualified to determine whether a power 
of attorney or legal representative status has been properly invoked 
based on an asserted medical condition or event. Creditors generally 
are not qualified to determine the mental capacity of a consumer. 
Moreover, permitting creditors to inquire into the mental capacity of 
consumers based only on a ``reasonable suspicion'' could result in 
discrimination against certain consumers and circumvention of the 
general prohibition. Therefore, the Agencies decline to expand the 
exception in the manner requested by the commenter.
    The Agencies recognized in the supplementary information to the 
interim final rules that a power of attorney or legal representative 
status may be used in a variety of circumstances, many of which may 
have no connection with a determination of a consumer's eligibility, or 
continued eligibility, for credit. Nevertheless, the Agencies concluded 
that an exception was necessary because a power of attorney or legal 
representative status based on an asserted medical condition or event 
may relate to a credit eligibility determination in certain 
circumstances. The Agencies do not agree with the commenter that the 
use of medical information to deny loans based on a lack of mental 
capacity is not connected with credit eligibility determinations. 
Accordingly, the Agencies cannot state categorically that medical 
information used for this purpose is not subject to the general 
prohibition.
    The Agencies believe that the terms ``medical event'' and ``medical 
condition'' are clear. The Agencies note that these terms have been 
used in a number of other exceptions without objection as to their 
clarity.
    A technical, non-substantive change is made to Sec.  --
--.30(e)(1)(i) in the final rules. Section ----.30(e)(1)(i) is revised 
to replace ``medical event or condition'' with ``medical condition or 
event'' for consistency with the exceptions in Sec. Sec.  --
--.30(e)(viii) and (ix).
    Compliance with applicable law. Section ----.30(e)(1)(ii) of the 
interim final rules contained an exception to permit a creditor to 
obtain and use medical information to comply with applicable 
requirements of local, state, or Federal laws.
    One commenter believed that, even when an applicant meets the 
minimum standard of legal capacity, there may be situations in which 
the creditor believes that the consumer may not fully understand the 
nature of the transaction or be able to determine whether it is in his 
or her best interest. This commenter argued that HOEPA and its 
borrower's interest and net tangible benefit tests, as well as state 
anti-flipping laws, could be read to require an evaluation of the 
consumer's medical condition. Therefore, this commenter requested the 
Agencies to confirm its interpretation that the compliance with 
applicable laws exception is broad enough to permit creditors to 
consider medical conditions even though such laws do not specifically 
require the consideration of medical conditions.
    The Agencies acknowledge that it may be necessary to obtain and use 
medical information to comply with various requirements of local, 
state, or Federal laws. A discussion of whether specific laws and legal 
requirements may trigger this exception would involve interpretation of 
those laws and is beyond the scope of this rulemaking. Section --
--.30(e)(1)(ii) is republished without change in the final rules.
    Special credit program or credit-related assistance program. 
Section ----.30(e)(1)(iii) of the interim final rules contained an 
exception to permit creditors to obtain and use medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, to determine, at the consumer's 
request, whether the consumer qualifies for a legally permissible 
special credit program or credit-related assistance program that is: 
(a) Designed to meet the special needs of consumers with medical 
conditions and (b) established and administered pursuant to a written 
plan of the plan sponsor that identifies the class of persons that the 
program is designed to benefit and sets forth the procedures and 
standards for extending credit or providing other credit-related 
assistance under the program. This exception was added in the interim 
final rules and is modeled after the provisions relating to special 
purpose credit programs in the ECOA and the Board's Regulation B, 12 
CFR part 202. An example of this exception was provided in Sec.  --
--.30(e)(2). Commenters supported the addition of this exception. 
Sections ----.30(e)(1)(iii) and (e)(2) are republished without change 
in the final rules.
    Fraud prevention or detection. Section ----.30(e)(1)(iv) of the 
interim final rules contained an exception for fraud prevention or 
detection. One commenter reiterated a previous request that the 
Agencies delete this exception, maintaining that the exception was 
overly broad and unnecessary.
    As explained in the supplementary information to the interim final 
rules, the fraud prevention or detection exception is available only to 
the extent necessary to detect or prevent fraud. The Agencies believe 
that there may be limited circumstances where the use of medical 
information is necessary for

[[Page 70670]]

fraud prevention or detection purposes. For example, given the broad 
definition of ``medical information'' and the development of 
increasingly sophisticated anti-fraud technologies, such as various 
biometric tools, the Agencies believe it is important to retain the 
fraud prevention or detection exception so as not to hinder the 
development of new anti-fraud technologies. Furthermore, the 
supplementary information to the interim final rules also noted that 
creditors may not rely on blanket assertions of a fraud prevention or 
detection purpose to fall within the exception, but must demonstrate 
the necessity for, and actual use of, medical information to prevent or 
detect fraud. Section ----.30(e)(1)(iv) is republished without change 
in the final rules.
    Financing medical products or services. Section ----.30(e)(1)(v) of 
the interim final rules contained an exception for the financing of 
medical products or services. Section ----.30(e)(3) of the interim 
final rules provided examples of this exception. The Agencies received 
no comments on the medical financing exception in the interim final 
rules. Sections ----.30(e)(1)(v) and (e)(3) are republished without 
change in the final rules.
    Medical accommodation. Section ----.30(e)(1)(vi) of the interim 
final rules contained an exception for medical accommodations to 
consumers. This exception applies where the consumer, or the consumer's 
legal representative, specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit, to accommodate the consumer's 
particular circumstances, and such request is documented by the 
creditor. Any such accommodation must be consistent with safe and sound 
practices. The interim final rules permitted the medical accommodation 
exception to be triggered by the consumer's oral, electronic, or 
written request. Moreover, a consumer could make a specific request by 
responding to a generic inquiry on a credit application that invites 
the consumer to describe any special circumstances or other information 
(not limited to medical information) that the consumer would like the 
creditor to consider in evaluating the consumer's application. Section 
----.30(e)(4) of the interim final rules provided examples to 
illustrate the medical accommodation exception.
    One commenter believed that the regulation should clarify that, to 
meet the medical accommodation exception, the consumer need not be the 
first to broach the topic of medical information. This commenter 
maintained that a creditor should be able to raise the topic in a 
manner consistent with the prohibition against holding information 
about a medical condition against the consumer. For example, if 
negative information from a medical furnisher appeared on a consumer's 
credit report, this commenter would want the loan officer to be able to 
explain that the consumer may voluntarily provide an explanation of the 
underlying medical condition and, if the consumer did so, the creditor 
could verify that explanation. This commenter also requested the 
creation of a ``safe harbor'' provision to permit the use of a consent 
form (or standard language read over the telephone) to satisfy 
compliance with the medical accommodation exception. This commenter 
believed that use of a consent form containing standard language is 
appropriate once the consumer indicates that he or she wants the 
creditor to consider medical information to accommodate the consumer.
    As explained in the supplementary information to the interim final 
rules, the medical accommodation exception is triggered by the specific 
request of the consumer. The example in Sec.  ----.30(e)(4)(iii) of the 
interim final rules and the supplementary information also explained 
that a consumer may make a specific request by responding to a generic 
inquiry on a credit application that invites the consumer to describe 
any special circumstances or other information (not limited to medical 
information) that the consumer would like the creditor to consider in 
evaluating the consumer's application. The medical accommodation 
exception is not triggered until the consumer makes a specific request 
for an accommodation. Therefore, in the circumstances described by the 
commenter, the use by a creditor of medical information from a consumer 
report, such as information about a medical debt, to make a specific 
inquiry about the consumer's medical condition is not consistent with 
the financial information exception and is not permitted.
    Of course, if a consumer's credit report shows a substantial unpaid 
debt that has been coded as medical information, the creditor may use 
that information in a manner and to an extent that is no less favorable 
than it would use comparable information that is not medical 
information. For example, if two consumers apply for credit and each 
has a $50,000 debt that is 90-days past due, one of which is a coded 
medical debt and the other which is a non-medical debt, the creditor 
may seek an explanation from the consumer with the medical debt about 
the amount and status of the debt and verify that explanation, provided 
that the creditor's policies and procedures also require that the 
creditor seek an explanation from the consumer with the non-medical 
debt about the amount and status of the debt and verifies that 
explanation.
    The Agencies decline to provide a model consent form that would 
create a safe harbor for satisfying the medical accommodation 
exception. In the interim final rules, the Agencies omitted the 
requirement for a separate signed writing by the consumer that 
describes the specific medical information and the specific purpose for 
which it is to be used. Instead, the Agencies chose to adopt a more 
flexible standard that focuses on the specific request of the consumer 
for a medical accommodation and the creditor's documentation of that 
request. Under this approach, the creditor is not restricted to any 
particular form of documentation of the consumer's request. For 
example, once a consumer has requested a medical accommodation, a 
creditor may elect to document a consumer's request by having the 
consumer complete and sign a standard consent form. Although the 
example in Sec.  ----.30(e)(4)(v) provides that the use of boilerplate 
language in an application to routinely obtain consumer authorization 
or consent to obtain and use medical information for credit eligibility 
determinations does not constitute a specific request for a medical 
accommodation, nothing in that example prohibits the use of a standard 
consent form as a means of documentation once the consumer has made a 
specific request. Because other forms of documentation may also be 
appropriate, the Agencies do not believe the final rules should specify 
any particular form of documentation or create a safe harbor for one 
particular form of documentation. Sections ----.30(e)(1)(vi) and (e)(4) 
are republished without change in the final rules.
    Forbearance. Section ----.30(e)(1)(vii) of the interim final rules 
contained an exception to the general prohibition for forbearance 
practices and programs that are triggered by medical events or 
conditions. Specifically, this exception permits creditors to obtain 
and use medical information ``consistent with safe and sound practices, 
to determine whether the provisions of a forbearance practice or 
program that is triggered by a medical event or condition apply to a 
consumer.''

[[Page 70671]]

    One commenter requested that the rule clarify that the phrase 
``similar forbearance practice or program'' includes informal 
forbearance practices by creditors. According to the commenter, this 
clarification would benefit consumers because the creditor would be 
able to consider medical information in decisions regarding additional 
credit or debt deferment.
    As noted in the supplementary information to the interim final 
rule, the forbearance exception is flexible enough to cover both formal 
and informal forbearance practices and programs. Therefore, the 
Agencies believe that the recommended change is unnecessary.
    A technical, non-substantive change is made to Sec.  --
--.30(e)(1)(vii) in the final rules. Section ----.30(e)(1)(vii) is 
revised to replace ``medical event or condition'' with ``medical 
condition or event'' for consistency with the exceptions in Sec. Sec.  
----.30(e)(viii) and (ix). In addition, a non-substantive change is 
made to the example of the forbearance exception in Sec.  ----.30(e)(5) 
by adding a concluding sentence to indicate that the exception would 
apply in the example presented.
    Debt cancellation contracts, debt suspension agreements, or credit 
insurance products. Section ----.30(e)(1)(viii) of the interim final 
rules contained an exception for debt cancellation contracts and debt 
suspension agreements. Section ----.30(e)(1)(ix) of the interim final 
rules contained an exception for credit insurance products.
    These exceptions made clear that creditors may use medical 
information to underwrite credit insurance, or to underwrite related 
credit products, such as debt cancellation contracts and debt 
suspension agreements, if a medical condition or event is a triggering 
event for the provision of benefits. However, the fact that a consumer 
is denied these products cannot be used as a subterfuge to consider 
medical information in making a determination about eligibility or 
continued eligibility for an underlying loan. Therefore, a creditor may 
not use medical information about a consumer, such as the fact that the 
consumer uses a wheelchair, to determine whether the consumer will be 
required to obtain a debt cancellation contract, debt suspension 
agreement, or credit insurance product.\11\ The Agencies received no 
comments on these two exceptions. Sections ----.30(e)(1)(viii) and (ix) 
are republished without change in the final rules.
---------------------------------------------------------------------------

    \11\ As noted above, other laws and regulations may prohibit or 
otherwise restrict a creditor from requiring a consumer to obtain 
one of these products in connection with an extension of credit.
---------------------------------------------------------------------------

    Additional exceptions requested by commenters. One commenter 
reiterated a previous request that the final rules exclude from the 
prohibition on obtaining or using medical information employers, plan 
administrators, and card issuers that provide flexible spending account 
programs or healthcare reimbursement account programs that utilize 
cards with credit features. As noted in the supplementary information 
to the interim final rules, the Agencies believe that an additional 
exception that relates to flexible spending programs tied to credit 
cards is not needed because the commenter's concerns are adequately 
addressed by the definition of ``eligibility, or continued eligibility, 
for credit'' and the existing exceptions.

Section ----.31 Limits on Redisclosure of Information

    Section ----.31 of each Agency's interim final rule incorporated 
the statutory provision regarding the limits on redisclosure of medical 
information. This section provided that a person receiving medical 
information about a consumer from a consumer reporting agency or an 
affiliate is prohibited from disclosing that information to any other 
person, except as necessary to carry out the purposes for which the 
information was initially disclosed, or as otherwise permitted by 
statute, regulation, or order. The separate rule did not contain a 
comparable provision on redisclosure limits because the Agencies' 
rulemaking authority under section 604(g)(5)(A) of the FCRA does not 
apply to the statute's redisclosure provision.
    The Agencies received one comment on the redisclosure provision. 
The Agencies have incorporated into this rulemaking the redisclosure 
provision directly from the statute, without further interpretation. 
Section ----.31 is therefore republished without change in the final 
rules.

Section ----.32 Sharing Medical Information With Affiliates

    Section ----.32 of the interim final rules addressed the sharing of 
medically related information with affiliates. Section ----.32(a) of 
the interim final rules described the institutions to which this 
section applies. Section ----.32(b) of the interim final rules restated 
the statutory restriction on sharing medically related information with 
affiliates. Section ----.32(c) of the interim final rules contained 
exceptions to the statutory restriction on sharing medically related 
information with affiliates. The separate rule did not contain a 
comparable provision on sharing medically related information with 
affiliates because the Agencies' rulemaking authority under section 
604(g)(5)(A) of the FCRA does not apply to the statute's affiliate 
sharing provisions.
    A number of commenters expressed concern that the separate rule 
does not address the sharing of medically related information with 
affiliates. These commenters generally believed that there should be 
regulatory provisions parallel to those in Sec.  ----.32 to create 
exceptions applicable to all creditors that share medically related 
information with affiliates. Some of these commenters requested that 
the Agencies modify the separate rule to incorporate these exceptions. 
Other commenters recognized the limited regulatory authority of the 
Agencies with respect to the sharing of medically related information 
with affiliates and requested that the FTC issue a rule consistent with 
the provisions of Sec.  ----.32. One commenter requested a 
clarification that creditors not subject to Sec.  ----.32 could rely on 
the statutory exceptions for sharing medically related information with 
affiliates. Another commenter urged NCUA to encourage the Board to 
provide guidance to state-chartered credit unions and other creditors 
on this issue.
    Each Agency's authority to create exceptions to permit the sharing 
of medically related information with affiliates is limited to 
prescribing rules applicable to entities subject to the jurisdiction of 
each particular Agency. The FTC has the authority to promulgate rules 
creating exceptions to the restrictions on sharing medically related 
information with affiliates for entities subject to the FTC's 
enforcement authority. The Agencies have forwarded comments on this 
issue to the FTC for its consideration.
    The Agencies note that five of the six exceptions included in Sec.  
----.32(c) simply repeat exceptions specifically enumerated in the 
statute. Any person may rely on the statutory exceptions as 
appropriate. The only exception not contained in the statute relates to 
sharing medically related information with an affiliate in connection 
with a determination of the consumer's eligibility, or continued 
eligibility, for credit consistent with Sec.  ----.30, and is found in 
Sec.  ----.32(c)(5).
    In many circumstances where this additional, non-statutory 
exception would apply, it is likely that one of the exceptions 
enumerated in the statute would also apply, such as the exception 
linked to section 502(e) of the GLB Act. For example, if a creditor has 
an affiliate

[[Page 70672]]

perform underwriting for loans it originates and the creditor receives 
an application containing information about medical debts, the creditor 
may furnish the application, including the medical debt information, to 
the underwriting affiliate for use in underwriting consistent with the 
exceptions in Sec.  ----.30. This sharing of medical information would 
be permissible both because it is in connection with a determination of 
the consumer's credit eligibility consistent with Sec.  ----.30 and 
because the disclosure is necessary to effect, administer, or enforce a 
transaction requested or authorized by the consumer in accordance with 
section 502(e) of the GLB Act. Section ----.32 is therefore republished 
without change in the final rules.

Effective Date

    The effective date of the interim final rules, published in the 
Federal Register on June 10, 2005 (70 FR 33958), is delayed until April 
1, 2006, the first day of the calendar quarter. The effective date of 
these final rules published today is also April 1, 2006. These final 
rules will immediately replace the interim final rules on April 1, 
2006, and only these final rules will be in effect on or after April 1, 
2006.
    One commenter believed that an implementation date should not be 
set until at least six months after a final determination as to which 
agency will enforce these rules against state-chartered credit unions 
and which agency is responsible for providing guidance on information 
sharing with affiliates of state-chartered credit unions. As noted 
above, the FCRA clearly provides that the FTC is responsible for 
enforcing the statute against state-chartered credit unions. Similarly, 
any regulations on information sharing with affiliates of state-
chartered credit unions would have to be issued by the FTC. The 
Agencies do not believe that any further delay in the effective date is 
warranted.

V. Regulatory Analysis

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3506, et seq.) and its implementing regulations at 5 CFR part 1320, 
including Appendix A.1, the Agencies have reviewed the final rules and 
determined that they contain no collections of information. The Board 
made this determination under authority delegated by the Office of 
Management and Budget.

Regulatory Flexibility Analysis

    OCC: Under section 605(b) of the Regulatory Flexibility Act (RFA), 
5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required 
under section 604 of the RFA is not required if an agency certifies, 
along with a statement providing the factual basis for such 
certification, that the rule will not have a significant economic 
impact on a substantial number of small entities. The Small Business 
Administration (SBA) has defined ``small entities'' for banking 
purposes as a bank or savings institution with assets of $150 million 
or less. See 13 CFR 121.201.
    The OCC published an Initial Regulatory Flexibility Analysis in 
connection with the April 28, 2004 NPRM. The OCC also certified that 
there would not be a significant economic impact on a substantial 
number of small entities in the June 10, 2005 interim final rule. The 
OCC did not receive any comments relating to significant economic 
impact upon a substantial number of small entities on either the NPRM 
or interim final rule.
    The final rule implements section 411 of the FACT Act and imposes 
only minimal economic impact on entities covered by the OCC's final 
rule. The final rule creates exceptions to the FACT Act's prohibition 
against national banks obtaining and using a consumer's medical 
information in connection with credit determinations. Additionally, the 
final rule implements the FACT Act's restrictions on the sharing of 
medical information among affiliates and includes exceptions to permit 
the sharing of medical information in certain circumstances. The final 
rule applies to all national banks and Federal branches and agencies. 
The final rule also applies to persons, regardless of asset size, that 
participate in a credit transaction involving a national bank or 
Federal Branch or agency that obtain or use medical information in 
connection with credit determinations. Approximately 1,077 national 
banks have assets of $150 million or less. The OCC is unable to 
estimate the number of persons that may participate in a credit 
transaction with national banks or Federal branches or agencies. The 
OCC has determined that the estimated per bank cost of the final rule 
is not large enough to have a significant economic impact. Therefore, 
the OCC certifies that this final rule will not have a significant 
economic impact on a substantial number of small entities.
    Board: The Board prepared a regulatory flexibility analysis as 
required by the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) in 
connection with the June 10, 2005, interim final rule. The Board 
received no comments on its regulatory flexibility analysis.
    Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 
U.S.C. 605(b), the regulatory flexibility analysis otherwise required 
under section 604 of the RFA is not required if an agency certifies, 
along with a statement providing the factual basis for such 
certification, that the rule will not have a significant economic 
impact on a substantial number of small entities. Based on the analysis 
below, the Board certifies that this final rule will not have a 
significant economic impact on a substantial number of small entities 
for the reasons stated below.
    1. Statement of the need for and objectives of the final rule. The 
FACT Act amends the FCRA and was enacted, in part, for the purpose of 
protecting consumers' medical information. Section 411 of the FACT Act 
contains a general prohibition on creditors obtaining or using medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit. Section 411 authorizes the Board, together with the other 
Agencies, to create exceptions to allow creditors to obtain or use 
medical information for eligibility purposes where necessary and 
appropriate to protect legitimate operational, transactional risk, 
consumer, and other needs, consistent with the Congressional intent to 
restrict the use of medical information for inappropriate purposes.
    Section 411 also limits the ability of an institution to share 
medical information with its affiliates without becoming a consumer 
reporting agency, subject to certain exceptions, and restricts the 
redisclosure of medical information. The statute authorizes the Board 
to issue regulations to create additional exceptions that are 
determined to be necessary and appropriate to permit the sharing of 
medical information among affiliates. The Board is adopting the final 
rule to create exceptions that permit creditors to obtain and use 
medical information in credit eligibility determinations, restate the 
limits on redisclosure, and restate and add to the exceptions that 
allow sharing among affiliates. The SUPPLEMENTARY INFORMATION above and 
the SUPPLEMENTARY INFORMATION to the interim final rule (70 FR 33958) 
contain information on the objectives of the final rule.
    2. Summary of issues raised by comments in response to the interim 
final regulatory flexibility analysis. In accordance with section 3(a) 
of the

[[Page 70673]]

Regulatory Flexibility Act, the Board conducted a regulatory 
flexibility analysis in connection with the interim final rules. The 
Board did not receive any comments on its regulatory flexibility 
analysis.
    3. Description of small entities affected by the proposal. Each 
section of the final rule applies to different types of small entities 
and specifies the types of small entities subject to that section. The 
final rule will apply, in whole or in part, to banks that are members 
of the Federal Reserve System (other than national banks) and their 
subsidiaries, branches and Agencies of foreign banks (other than 
Federal branches, Federal Agencies, and insured State branches of 
foreign banks) and their subsidiaries, commercial lending companies 
owned or controlled by foreign banks, organizations operating under 
section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., 
and 611 et seq.), bank holding companies and affiliates of such holding 
companies (other than depository institutions and consumer reporting 
agencies), and creditors that participate in transactions with one of 
the above-mentioned entities. A separate rule codified in Regulation FF 
will apply to creditors not otherwise subject to one of the Agency 
rules. The Board's final rule will apply to the following institutions 
(numbers approximate): State member banks (932), bank holding companies 
(5,152), holding company non-bank subsidiaries (2,131), U.S. branches 
and agencies of foreign banks (289), and Edge and agreement 
corporations (75), for a subtotal of approximately 8,579 institutions. 
The Board estimates that over 5,000 of these institutions could be 
considered small institutions with assets less than $150 million. The 
Board is unable to estimate the number of creditors that may 
participate in transactions with such institutions or the number of 
other creditors that may be covered by the separate rule codified in 
Regulation FF.
    All small entities that are creditors will be affected by the 
provision of the final rule that addresses the prohibition on, and 
exceptions to, creditors obtaining or using medical information in 
connection with credit eligibility determinations. All small creditors 
will have to comply with the exceptions if they obtain or use medical 
information about consumers in connection with any credit eligibility 
determination.
    4. Recordkeeping, reporting, and compliance requirements. The final 
rule requires certain documentation to qualify for some of the specific 
exceptions, as discussed in the SUPPLEMENTARY INFORMATION above and the 
SUPPLEMENTARY INFORMATION to the interim final rule (70 FR 33958). The 
final rule contains no reporting or disclosure requirements.
    5. Steps taken to minimize the economic impact on small entities. 
The Board solicited comment on how to minimize the economic impact on 
small entities. The Board did not receive any comments on this issue. 
By adopting consistent rules and exceptions, the Board and the other 
Agencies have attempted to minimize the economic impact on small 
entities.
    FDIC: The FDIC prepared a regulatory flexibility analysis as 
required by the Regulatory Flexibility Act (5 U.S.C. 601 et seq.). The 
FDIC received no comments on its analysis.
    Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 
U.S.C. 605(b), the regulatory flexibility analysis otherwise required 
under section 604 of the RFA is not required if an agency certifies, 
along with a statement providing the factual basis for such 
certification, that the rule will not have a significant economic 
impact on a substantial number of small entities. FDIC certified that 
the interim final rule will not have a significant economic impact on a 
substantial number of small entities; and upon further analysis, the 
FDIC certifies that this final rule creating exceptions to the FACT 
Act's general prohibition on creditors obtaining or using medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit will not have a significant economic impact on small 
entities.
    The Small Business Administration (SBA) has defined ``small 
entities'' for banking purposes as a bank or savings institution with 
assets of $150 million or less. See 13 CFR 121.201. This final rule, as 
authorized by section 411 of the FACT Act, creates exceptions to allow 
creditors to obtain or use medical information for eligibility purposes 
where necessary and appropriate to protect legitimate operational, 
transactional risk, consumer, and other needs, consistent with the 
Congressional intent to restrict the use of medical information for 
inappropriate purposes. The rule also excludes, in certain situations, 
medical information shared by a covered entity with an affiliate from 
the definition of a consumer report in section 603(d) of the FCRA, and 
addresses the reuse and redisclosure of medical information.
    The final rule applies to all state banks insured by the FDIC 
(other than members of the Federal Reserve System), all insured State 
branches of foreign banks, and persons that participate in a credit 
transaction involving these banks, regardless of their size. Of the 
approximately 5,250 banks that fall in these categories, approximately 
3,368 have assets of $150 million or less.
    OTS: In accordance with section 603(a) of the Regulatory 
Flexibility Act (RFA) (5 U.S.C. 603(a)), OTS conducted an initial 
regulatory flexibility analysis in connection with the April 28, 2004 
proposed rule. OTS did not receive any comments on its initial 
regulatory flexibility analysis.
    Upon further analysis, OTS certified in accordance with section 
605(b) of the RFA (5 U.S.C. 605(b)) that the June 10, 2005 interim 
final rule would not have a significant economic impact on a 
substantial number of small entities. OTS received no comments on its 
certification. OTS makes the same certification for this final rule. 
The Small Business Administration (SBA) has generally defined small 
savings institutions for RFA purposes as those with assets of $150 
million or less. 13 CFR 121.201.
    This final rule implements section 411 of the FACT Act and imposes 
only minimal economic impact. Section 571.30 creates exceptions to 
allow creditors to obtain or use medical information for credit 
eligibility purposes where necessary and appropriate to protect 
legitimate operational, transactional, risk, consumer, and other needs, 
consistent with the Congressional intent to restrict the use of medical 
information for inappropriate purposes. It applies to any of the 
following, regardless of size, that participates as a creditor in a 
transaction: (1) A savings association; (2) a subsidiary owned in whole 
or in part by a savings association; (3) a savings and loan holding 
company; (4) a subsidiary of a savings and loan holding company other 
than a bank or subsidiary of a bank; (5) a service corporation owned in 
whole or in part by a savings association; or (6) any other person that 
participates as a creditor in a transaction involving a person 
described in (1)-(5).
    Section 571.31 implements the FACT Act's restrictions on the 
redisclosure of information. Section 571.32 implements the FACT Act's 
restrictions on the sharing of medical information among affiliates and 
includes exceptions to permit the sharing of medical information in 
certain circumstances. These sections apply to savings associations and 
federal savings association operating subsidiaries, regardless of size.

[[Page 70674]]

    As referenced in the Supplementary Information to the interim final 
rule (70 FR 33958), other laws and regulations, such as the Fair 
Housing Act, the Americans with Disabilities Act, and OTS's anti-
discrimination rules in 12 CFR part 528, also limit or regulate 
obtaining and using medical information for credit eligibility 
determinations in a manner that discriminates against persons whose 
medical condition constitutes a ``disability'' or ``handicap'' under 
those authorities. Other laws, such as the GLB Act, the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), and other 
parts of the FCRA, also limit or regulate the use, collection, and 
sharing of consumer information, including medical information. The 
industry's preexisting familiarity and compliance with the requirements 
of these other authorities to the extent applicable is one factor that 
OTS expects will minimize the economic impact of today's final rule.
    NCUA: The Regulatory Flexibility Act requires NCUA to prepare an 
analysis to describe any significant economic impact any regulation may 
have on a substantial number of small entities. NCUA considers credit 
unions having less than ten million dollars in assets to be small for 
purposes of the Regulatory Flexibility Act. NCUA Interpretive Ruling 
and Policy Statement (IRPS) 87-2, as amended by IRPS 03-2. NCUA 
conducted an initial regulatory flexibility analysis in connection with 
the proposed rule and did not receive any comments on it.
    NCUA certified that the interim final rule would not have a 
significant economic impact on a substantial number of small entities 
and, upon further review, now also certifies that the final rule will 
not have a significant economic impact on a substantial number of small 
entities. The final rule applies to all Federal credit unions that 
obtain or use a consumer's medical information in connection with 
credit determinations, regardless of credit union size. The final rule 
creates exceptions to the FACT Act's prohibition against Federal credit 
unions obtaining and using such information in connection with credit 
determinations. Additionally, the final rule implements the FACT Act's 
restrictions on the sharing of medical information among Federal credit 
union affiliates, credit union service organizations (CUSOs), and 
includes exceptions to permit the sharing of medical information in 
certain circumstances.

Small Business Regulatory Enforcement Fairness Act

    FDIC: The Small Business Regulatory Enforcement Fairness Act of 
1996 (SBREFA) (Pub. L. 104-121, 110 Stat. 857) provides generally for 
agencies to report rules to Congress and for Congress to review these 
rules. The reporting requirement is triggered in instances where the 
FDIC issues a final rule as defined by the Administrative Procedure Act 
(APA) (5 U.S.C. 551, et seq.). Because the FDIC is issuing a final rule 
as defined by the APA, the FDIC will file the reports required by 
SBREFA.
    NCUA: A SBREFA (Pub. L. 104-121) reporting requirement is also 
triggered in instances where NCUA issues a final rule as defined by 
section 551 of the Administrative Procedure Act 5 U.S.C. 551. NCUA is 
submitting this final rule to the Office of Management and Budget for a 
determination that this rule is not a major rule for purposes of 
SBREFA.

OCC and OTS Executive Order 12866 Determination

    The OCC and OTS each has determined that its portion of the rule is 
not a significant regulatory action under Executive Order 12866.

OCC Executive Order 13132 Determination

    The OCC has determined that this rule does not have any Federalism 
implications, as required by Executive Order 13132, because it would 
not have substantial direct effects on the States, on the relationship 
between the national government and the States, or on the distribution 
of power and responsibilities among the various levels of government.

NCUA Executive Order 13132 Determination

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their actions on state and local interests. In 
adherence to fundamental federalism principles, the NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. The rule applies only to 
federally chartered credit unions and would not have substantial direct 
effects on the states, on the connection between the national 
government and the states, or on the distribution of power and 
responsibilities among the various levels of government. The NCUA has 
determined that this rule does not constitute a policy that has 
federalism implications for purposes of the executive order.

OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4 (Unfunded Mandates Act) requires that an agency prepare a 
budgetary impact statement before promulgating a rule that includes a 
Federal mandate that may result in expenditure by state, local, and 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more in any one year. If a budgetary impact statement is 
required, section 205 of the Unfunded Mandates Act also requires an 
agency to identify and consider a reasonable number of regulatory 
alternatives before promulgating a rule. The OCC and OTS each has 
determined that their respective final rules will not result in 
expenditures by State, local, and tribal governments, or by the private 
sector, of $100 million or more. Accordingly, neither the OCC nor the 
OTS has prepared a budgetary impact statement or specifically addressed 
the regulatory alternatives considered.

NCUA: The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this rule would not affect family 
well-being within the meaning of section 654 of the Treasury and 
General Government Appropriations Act, 1999, Public Law 105-277, 112 
Stat. 2681 (1998).

Plain Language Requirement

    Section 722 of the Gramm-Leach-Bliley Act (GLB Act) (12 U.S.C. 
4809), requires the Federal banking agencies to use plain language in 
all proposed and final rules published after January 1, 2000. The 
proposed rule requested comments on how the rule might be changed to 
reflect the requirements of GLB Act. No GLB Act comments were received.

List of Subjects

12 CFR Part 41

    Banks, banking, Consumer protection, National banks, Reporting and 
recordkeeping requirements.

12 CFR Part 222

    Banks, banking, Consumer protection, Credit, Fair Credit Reporting 
Act, Holding companies, Privacy, Reporting and recordkeeping 
requirements, State member banks.

12 CFR Part 232

    Consumer protection, Credit, Fair Credit Reporting Act, Privacy, 
Reporting and recordkeeping requirements.

[[Page 70675]]

12 CFR Part 334

    Administrative practice and procedure, Bank deposit insurance, 
Banks, banking, Reporting and recordkeeping requirements, Safety and 
soundness.

12 CFR Part 571

    Consumer protection, Credit, Fair Credit Reporting Act, Privacy, 
Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 717

    Consumer protection, Credit unions, Fair credit reporting, Medical 
information, Privacy, Reporting and recordkeeping requirements.

12 CFR Chapter I

Office of the Comptroller of the Currency

Authority and Issuance

0
For the reasons set forth in the preamble, the OCC amends Chapter I of 
Title 12 of the Code of Federal Regulations as follows:

PART 41--FAIR CREDIT

0
1. Revise the authority citation for part 41 to read as follows:

    Authority: 12 U.S.C. 1 et seq., 24(Seventh), 93a, 481, 484, and 
1818; 15 U.S.C. 1681a, 1681b, 1681s, 1681w, 6801, and 6805.


0
2. Revise subpart A to read as follows:

Subpart A--General Provisions


Sec.  41.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  41.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that is related by common ownership 
or common corporate control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Common ownership or common corporate control means a 
relationship between two companies under which:
    (1) One company has, with respect to the other company:
    (i) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of a company, 
directly or indirectly, or acting through one or more other persons;
    (ii) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of a company; or
    (iii) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of a company, as the OCC 
determines; or
    (2) Any other person has, with respect to both companies, a 
relationship described in paragraphs (i)(1)(i)-(i)(1)(iii) of this 
section.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to:
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy; or
    (iv) Information that does not identify a specific consumer.
    (l) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.

0
3. Add subpart D to read as follows:

Subpart D--Medical Information


Sec.  41.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) Scope. This section applies to:
    (1) Any person that participates as a creditor in a transaction and 
that is a national bank, a Federal branch or agency of a foreign bank, 
and their respective subsidiaries; or
    (2) Any other person that participates as a creditor in a 
transaction involving a person described in paragraph (a)(1) of this 
section.
    (b) General prohibition on obtaining or using medical information. 
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this section.
    (2) Definitions. (i) Credit has the same meaning as in section 702 
of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Eligibility, or continued eligibility, for credit means the 
consumer's qualification or fitness to receive, or continue to receive, 
credit, including the terms on which credit is offered. The term does 
not include:
    (A) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (B) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (C) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (c) Rule of construction for obtaining and using unsolicited 
medical information. (1) In general. A creditor does not obtain medical 
information in violation of the prohibition if it receives medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit without specifically requesting medical information.
    (2) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (c)(1) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  41.30(d) or (e).
    (3) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives

[[Page 70676]]

information that the consumer owes a debt to a hospital.
    (ii) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition.
    (iii) In connection with a consumer's application for an extension 
of credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.
    (d) Financial information exception for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples. (i) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (d)(1)(i) 
of this section permits a creditor, for example, to obtain and use 
information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to, a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current. The applicant meets the income and other requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception. (A) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage loan. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The credit committee follows the loan officer's 
recommendation and denies the application because the consumer has a 
potentially terminal disease. The creditor has used medical information 
in a manner inconsistent with the exception by taking into account the 
consumer's physical, mental, or behavioral health, condition, or 
history, type of treatment, or prognosis as part of a determination of 
eligibility or continued eligibility for credit.
    (C) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home equity loan 
and the creditor typically does not require consumers to obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product in connection with such loans. However, based on the consumer's 
apparent medical condition, the loan officer recommends to the credit 
committee that credit be extended to the consumer only if the consumer 
obtains a debt cancellation contract, debt suspension agreement, or 
credit insurance product from a nonaffiliated third party. The credit 
committee agrees with the loan officer's recommendation. The loan 
officer informs the consumer that the consumer must obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product from a nonaffiliated third party to qualify for the loan. The 
consumer obtains one of these products and the creditor approves the 
loan. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's

[[Page 70677]]

physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis in setting conditions on the consumer's 
eligibility for credit.
    (e) Specific exceptions for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit:
    (i) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person seeks to exercise a power of 
attorney or act as legal representative for a consumer based on an 
asserted medical condition or event;
    (ii) To comply with applicable requirements of local, state, or 
Federal laws;
    (iii) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is:
    (A) Designed to meet the special needs of consumers with medical 
conditions; and
    (B) Established and administered pursuant to a written plan that:
    (1) Identifies the class of persons that the program is designed to 
benefit; and
    (2) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (iv) To the extent necessary for purposes of fraud prevention or 
detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;
    (vii) Consistent with safe and sound practices, to determine 
whether the provisions of a forbearance practice or program that is 
triggered by a medical condition or event apply to a consumer;
    (viii) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a debt cancellation contract or debt 
suspension agreement if a medical condition or event is a triggering 
event for the provision of benefits under the contract or agreement; or
    (ix) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (2) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (3) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon that the procedure will be performed. If the 
surgeon reports that surgery will not be performed on the consumer, the 
creditor may use that medical information to deny the consumer's 
application for credit, because the loan would not be used for the 
stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (4) Examples of obtaining and using medical information at the 
request of the consumer. (i) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the consumer's willingness and 
ability to repay the requested loan to accommodate the consumer's 
particular circumstances, consistent with safe and sound practices. The 
creditor may also decline to consider such medical information to 
accommodate the consumer, but may evaluate the consumer's application 
in accordance with its otherwise applicable underwriting criteria. The 
creditor may not deny the consumer's application or otherwise treat the 
consumer less favorably because the consumer specifically requested a 
medical accommodation, if the creditor would have extended the credit 
or treated the consumer more favorably under the creditor's otherwise 
applicable underwriting criteria.
    (ii) If a consumer applies for a loan by telephone and explains 
that his income has been and will continue to be interrupted on account 
of a medical condition and that he expects to repay the loan by 
liquidating assets, the creditor may, but is not required to, evaluate 
the application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (iii) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit,

[[Page 70678]]

consistent with safe and sound practices, or may disregard that 
information.
    (iv) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an 
accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (v) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (5) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default. The creditor attempts to contact the 
consumer and speaks with the consumer's adult child, who is not the 
consumer's legal representative. The adult child informs the creditor 
that the consumer is hospitalized and is unable to pay the bill at that 
time. The creditor defers payments for up to three months, without 
penalty, for the hospitalized consumer and sends the consumer a letter 
confirming this practice and the date on which the next payment will be 
due. The creditor has obtained and used medical information to 
determine whether the provisions of a medically-triggered forbearance 
practice or program apply to a consumer.


Sec.  41.31  Limits on redisclosure of information.

    (a) Scope. This section applies to national banks, Federal branches 
and agencies of foreign banks, and their respective operating 
subsidiaries.
    (b) Limits on redisclosure. If a person described in paragraph (a) 
of this section receives medical information about a consumer from a 
consumer reporting agency or its affiliate, the person must not 
disclose that information to any other person, except as necessary to 
carry out the purpose for which the information was initially 
disclosed, or as otherwise permitted by statute, regulation, or order.


Sec.  41.32  Sharing medical information with affiliates.

    (a) Scope. This section applies to national banks, Federal branches 
and agencies of foreign banks, and their respective operating 
subsidiaries.
    (b) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if a person described in paragraph (a) of this 
section communicates to an affiliate:
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (c) Exceptions. A person described in paragraph (a) may rely on the 
exclusions from the term ``consumer report'' in section 603(d)(2) of 
the Act to communicate the information in paragraph (b) to an 
affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
41.30; or
    (6) As otherwise permitted by order of the OCC.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

0
For the reasons set forth in the joint preamble, Title 12, Chapter II, 
of the Code of Federal Regulations is amended as follows:

PART 222--FAIR CREDIT REPORTING (REGULATION V)

0
1. The authority citation for part 222 is revised to read as follows:

    Authority: 15 U.S.C. 1681b and 1681s; Secs. 3, 214, and 217, 
Pub. L. 108-159, 117 Stat. 1952.

0
2. Amend subpart A to part 222 by adding Sec. Sec.  222.2 and 222.3 to 
read as follows:

Subpart A--General Provisions

* * * * *


Sec.  222.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  222.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that is related by common ownership 
or common corporate control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Common ownership or common corporate control means a 
relationship between two companies under which:
    (1) One company has, with respect to the other company:
    (i) Ownership, control, or power to vote 25 percent or more of the

[[Page 70679]]

outstanding shares of any class of voting security of a company, 
directly or indirectly, or acting through one or more other persons;
    (ii) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of a company; or
    (iii) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of a company, as the Board 
determines; or
    (2) Any other person has, with respect to both companies, a 
relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of 
this section.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to:
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy; or
    (iv) Information that does not identify a specific consumer.
    (l) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.

0
3. Subpart D is added to part 222 to read as follows:

Subpart D--Medical Information


Sec.  222.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) Scope. This section applies to
    (1) Any of the following that participates as a creditor in a 
transaction--
    (i) A bank that is a member of the Federal Reserve System (other 
than national banks) and its subsidiaries;
    (ii) A branch or Agency of a foreign bank (other than Federal 
branches, Federal Agencies, and insured State branches of foreign 
banks) and its subsidiaries;
    (iii) A commercial lending company owned or controlled by foreign 
banks;
    (iv) An organization operating under section 25 or 25A of the 
Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.);
    (v) A bank holding company and an affiliate of such holding company 
(other than depository institutions and consumer reporting agencies); 
or
    (2) Any other person that participates as a creditor in a 
transaction involving a person described in paragraph (a)(1) of this 
section.
    (b) General prohibition on obtaining or using medical information. 
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this section.
    (2) Definitions. (i) Credit has the same meaning as in section 702 
of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Eligibility, or continued eligibility, for credit means the 
consumer's qualification or fitness to receive, or continue to receive, 
credit, including the terms on which credit is offered. The term does 
not include:
    (A) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (B) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (C) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (c) Rule of construction for obtaining and using unsolicited 
medical information. (1) In general. A creditor does not obtain medical 
information in violation of the prohibition if it receives medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit without specifically requesting medical information.
    (2) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (c)(1) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  222.30(d) or (e).
    (3) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer owes a 
debt to a hospital.
    (ii) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition.
    (iii) In connection with a consumer's application for an extension 
of credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.
    (d) Financial information exception for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples. (i) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (d)(1)(i) 
of this section permits a creditor, for example, to obtain and use 
information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;

[[Page 70680]]

    (C) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to, a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current. The applicant meets the income and other requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception. (A) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage loan. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The credit committee follows the loan officer's 
recommendation and denies the application because the consumer has a 
potentially terminal disease. The creditor has used medical information 
in a manner inconsistent with the exception by taking into account the 
consumer's physical, mental, or behavioral health, condition, or 
history, type of treatment, or prognosis as part of a determination of 
eligibility or continued eligibility for credit.
    (C) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home equity loan 
and the creditor typically does not require consumers to obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product in connection with such loans. However, based on the consumer's 
apparent medical condition, the loan officer recommends to the credit 
committee that credit be extended to the consumer only if the consumer 
obtains a debt cancellation contract, debt suspension agreement, or 
credit insurance product from a nonaffiliated third party. The credit 
committee agrees with the loan officer's recommendation. The loan 
officer informs the consumer that the consumer must obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product from a nonaffiliated third party to qualify for the loan. The 
consumer obtains one of these products and the creditor approves the 
loan. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis in setting conditions on the consumer's 
eligibility for credit.
    (e) Specific exceptions for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person seeks to exercise a power of 
attorney or act as legal representative for a consumer based on an 
asserted medical condition or event;
    (ii) To comply with applicable requirements of local, state, or 
Federal laws;
    (iii) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is--
    (A) Designed to meet the special needs of consumers with medical 
conditions; and
    (B) Established and administered pursuant to a written plan that--
    (1) Identifies the class of persons that the program is designed to 
benefit; and
    (2) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (iv) To the extent necessary for purposes of fraud prevention or 
detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;

[[Page 70681]]

    (vii) Consistent with safe and sound practices, to determine 
whether the provisions of a forbearance practice or program that is 
triggered by a medical condition or event apply to a consumer;
    (viii) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a debt cancellation contract or debt 
suspension agreement if a medical condition or event is a triggering 
event for the provision of benefits under the contract or agreement; or
    (ix) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (2) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (3) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon that the procedure will be performed. If the 
surgeon reports that surgery will not be performed on the consumer, the 
creditor may use that medical information to deny the consumer's 
application for credit, because the loan would not be used for the 
stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (4) Examples of obtaining and using medical information at the 
request of the consumer. (i) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the consumer's willingness and 
ability to repay the requested loan to accommodate the consumer's 
particular circumstances, consistent with safe and sound practices. The 
creditor may also decline to consider such medical information to 
accommodate the consumer, but may evaluate the consumer's application 
in accordance with its otherwise applicable underwriting criteria. The 
creditor may not deny the consumer's application or otherwise treat the 
consumer less favorably because the consumer specifically requested a 
medical accommodation, if the creditor would have extended the credit 
or treated the consumer more favorably under the creditor's otherwise 
applicable underwriting criteria.
    (ii) If a consumer applies for a loan by telephone and explains 
that his income has been and will continue to be interrupted on account 
of a medical condition and that he expects to repay the loan by 
liquidating assets, the creditor may, but is not required to, evaluate 
the application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (iii) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit, consistent with safe 
and sound practices, or may disregard that information.
    (iv) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an 
accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (v) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (5) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default.

[[Page 70682]]

The creditor attempts to contact the consumer and speaks with the 
consumer's adult child, who is not the consumer's legal representative. 
The adult child informs the creditor that the consumer is hospitalized 
and is unable to pay the bill at that time. The creditor defers 
payments for up to three months, without penalty, for the hospitalized 
consumer and sends the consumer a letter confirming this practice and 
the date on which the next payment will be due. The creditor has 
obtained and used medical information to determine whether the 
provisions of a medically-triggered forbearance practice or program 
apply to a consumer.


Sec.  222.31  Limits on redisclosure of information.

    (a) Scope. This section applies to banks that are members of the 
Federal Reserve System (other than national banks) and their respective 
operating subsidiaries, branches and agencies of foreign banks (other 
than Federal branches, Federal Agencies, and insured State branches of 
foreign banks), commercial lending companies owned or controlled by 
foreign banks, organizations operating under section 25 or 25A of the 
Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank 
holding companies and affiliates of such holding companies (other than 
depository institutions and consumer reporting agencies).
    (b) Limits on redisclosure. If a person described in paragraph (a) 
of this section receives medical information about a consumer from a 
consumer reporting agency or its affiliate, the person must not 
disclose that information to any other person, except as necessary to 
carry out the purpose for which the information was initially 
disclosed, or as otherwise permitted by statute, regulation, or order.


Sec.  222.32  Sharing medical information with affiliates.

    (a) Scope. This section applies to banks that are members of the 
Federal Reserve System (other than national banks) and their respective 
operating subsidiaries, branches and agencies of foreign banks (other 
than Federal branches, Federal Agencies, and insured State branches of 
foreign banks), commercial lending companies owned or controlled by 
foreign banks, organizations operating under section 25 or 25A of the 
Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
    (b) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply to a person described in paragraph (a) of this 
section if that person communicates to an affiliate:
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (c) Exceptions. A person described in paragraph (a) of this section 
may rely on the exclusions from the term ``consumer report'' in section 
603(d)(2) of the Act to communicate the information in paragraph (b) of 
this section to an affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
222.30 of this part; or
    (6) As otherwise permitted by order of the Board.

0
4. A new part 232 is added to read as follows:

PART 232--OBTAINING AND USING MEDICAL INFORMATION IN CONNECTION 
WITH CREDIT (REGULATION FF)

Sec.
Sec.  232.1 Scope, General Prohibition and Definitions
Sec.  232.2 Rule of Construction for Obtaining and Using Unsolicited 
Medical Information
Sec.  232.3 Financial Information Exception for Obtaining and Using 
Medical Information
Sec.  232.4 Specific Exceptions for Obtaining and Using Medical 
Information

    Authority: 15 U.S.C. 1681b.


Sec.  232.1  Scope, General Prohibition and Definitions

    (a) Scope. This part applies to creditors, as defined in paragraph 
(c)(3) of this section, except for creditors that are subject to 
Sec. Sec.  41.30, 222.30, 334.30, 571.30, or 717.30.
    (b) In general. A creditor may not obtain or use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit, except as provided in this section.
    (c) Definitions. (1) Consumer means an individual.
    (2) Credit has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (3) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (4) Eligibility, or continued eligibility, for credit means the 
consumer's qualification or fitness to receive, or continue to receive, 
credit, including the terms on which credit is offered. The term does 
not include:
    (i) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (ii) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (iii) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (5) Medical information means:
    (i) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (A) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (B) The provision of health care to an individual; or
    (C) The payment for the provision of health care to an individual.
    (ii) The term does not include:
    (A) The age or gender of a consumer;
    (B) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (C) Any other information about a consumer that does not relate to 
the physical, mental, or behavioral health or condition of a consumer, 
including the existence or value of any insurance policy; or
    (D) Information that does not identify a specific consumer.
    (6) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.

[[Page 70683]]

Sec.  232.2  Rule of construction for obtaining and using unsolicited 
medical information.

    (a) In general. A creditor does not obtain medical information in 
violation of the prohibition if it receives medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit without 
specifically requesting medical information.
    (b) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (a) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  232.3 or Sec.  232.4.
    (c) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (1) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer owes a 
debt to a hospital.
    (2) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition.
    (3) In connection with a consumer's application for an extension of 
credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.


Sec.  232.3  Financial information exception for obtaining and using 
medical information.

    (a) In general. A creditor may obtain and use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit so long 
as:
    (1) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (2) The creditor uses the medical information in a manner and to an 
extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (3) The creditor does not take the consumer's physical, mental, or 
behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (b) Examples. (1) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (a)(1) of 
this section permits a creditor, for example, to obtain and use 
information about:
    (i) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (ii) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;
    (iii) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (iv) The identity of creditors to whom outstanding medical debts 
are owed in connection with an application for credit, including but 
not limited to, a transaction involving the consolidation of medical 
debts.
    (2) Examples of uses of medical information consistent with the 
exception. (i) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (ii) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (iii) A consumer includes on an application for a $10,000 home 
equity loan that he has a $50,000 debt to a medical facility that 
specializes in treating a potentially terminal disease. The creditor 
contacts the medical facility to verify the debt and obtain the 
repayment history and current status of the loan. The creditor learns 
that the debt is current. The applicant meets the income and other 
requirements of the creditor's underwriting guidelines. The creditor 
grants the application. The creditor has used medical information in 
accordance with the exception.
    (3) Examples of uses of medical information inconsistent with the 
exception. (i) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (ii) A consumer meets with a loan officer of a creditor to apply 
for a mortgage loan. While filling out the loan application, the 
consumer informs the loan officer orally that she has a potentially 
terminal disease. The consumer meets the creditor's established 
requirements for the requested mortgage loan. The loan officer 
recommends to the credit committee that the consumer be denied credit 
because the consumer has that disease. The credit committee follows the 
loan officer's recommendation and denies the application because the 
consumer has a potentially terminal disease. The creditor has used 
medical information in a manner inconsistent with the exception by 
taking into account the consumer's physical, mental, or behavioral 
health, condition, or history, type of treatment, or prognosis as part 
of a determination of eligibility or continued eligibility for credit.
    (iii) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home

[[Page 70684]]

equity loan and the creditor typically does not require consumers to 
obtain a debt cancellation contract, debt suspension agreement, or 
credit insurance product in connection with such loans. However, based 
on the consumer's apparent medical condition, the loan officer 
recommends to the credit committee that credit be extended to the 
consumer only if the consumer obtains a debt cancellation contract, 
debt suspension agreement, or credit insurance product from a 
nonaffiliated third party. The credit committee agrees with the loan 
officer's recommendation. The loan officer informs the consumer that 
the consumer must obtain a debt cancellation contract, debt suspension 
agreement, or credit insurance product from a nonaffiliated third party 
to qualify for the loan. The consumer obtains one of these products and 
the creditor approves the loan. The creditor has used medical 
information in a manner inconsistent with the exception by taking into 
account the consumer's physical, mental, or behavioral health, 
condition, or history, type of treatment, or prognosis in setting 
conditions on the consumer's eligibility for credit.


Sec.  232.4  Specific exceptions for obtaining and using medical 
information.

    (a) In general. A creditor may obtain and use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit:
    (1) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person seeks to exercise a power of 
attorney or act as legal representative for a consumer based on an 
asserted medical condition or event;
    (2) To comply with applicable requirements of local, state, or 
Federal laws;
    (3) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is--
    (i) Designed to meet the special needs of consumers with medical 
conditions; and
    (ii) Established and administered pursuant to a written plan that--
    (A) Identifies the class of persons that the program is designed to 
benefit; and
    (B) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (4) To the extent necessary for purposes of fraud prevention or 
detection;
    (5) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (6) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;
    (7) Consistent with safe and sound practices, to determine whether 
the provisions of a forbearance practice or program that is triggered 
by a medical condition or event apply to a consumer;
    (8) To determine the consumer's eligibility for, the triggering of, 
or the reactivation of a debt cancellation contract or debt suspension 
agreement if a medical condition or event is a triggering event for the 
provision of benefits under the contract or agreement; or
    (9) To determine the consumer's eligibility for, the triggering of, 
or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (b) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (c) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (1) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon that the procedure will be performed. If the 
surgeon reports that surgery will not be performed on the consumer, the 
creditor may use that medical information to deny the consumer's 
application for credit, because the loan would not be used for the 
stated purpose.
    (2) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (3) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (d) Examples of obtaining and using medical information at the 
request of the consumer. (1) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the consumer's willingness and 
ability to repay the requested loan to accommodate the consumer's 
particular circumstances, consistent with safe and sound practices. The 
creditor may also decline to consider such medical information to 
accommodate the consumer, but may evaluate the consumer's application 
in accordance with its otherwise applicable underwriting criteria. The 
creditor may not deny the consumer's application or otherwise treat the 
consumer less favorably because the consumer specifically requested a 
medical accommodation, if the creditor would have extended the credit 
or treated the consumer more favorably under the

[[Page 70685]]

creditor's otherwise applicable underwriting criteria.
    (2) If a consumer applies for a loan by telephone and explains that 
his income has been and will continue to be interrupted on account of a 
medical condition and that he expects to repay the loan liquidating 
assets, the creditor may, but is not required to, evaluate the 
application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (3) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit, consistent with safe 
and sound practices, or may disregard that information.
    (4) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an 
accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (5) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (e) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default. The creditor attempts to contact the 
consumer and speaks with the consumer's adult child, who is not the 
consumer's legal representative. The adult child informs the creditor 
that the consumer is hospitalized and is unable to pay the bill at that 
time. The creditor defers payments for up to three months, without 
penalty, for the hospitalized consumer and sends the consumer a letter 
confirming this practice and the date on which the next payment will be 
due. The creditor has obtained and used medical information to 
determine whether the provisions of a medically-triggered forbearance 
practice or program apply to a consumer.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

0
For the reasons set forth in the joint preamble, the Federal Deposit 
Insurance Corporation amends part 334 of chapter III of title 12 of the 
Code of Federal Regulations as follows:

PART 334--FAIR CREDIT REPORTING

0
1. The authority citation for part 334 is revised to read as follows:

    Authority: 12 U.S.C. 1819(Tenth) and 1818; 15 U.S.C. 1681b and 
1681s.


0
2. Subpart A is added to part 334 to read as follows:

Subpart A--General Provisions


Sec.  334.1  [Reserved]


Sec.  334.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  334.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that is related by common ownership 
or common corporate control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Common ownership or common corporate control means a 
relationship between two companies under which:
    (1) One company has, with respect to the other company:
    (i) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of a company, 
directly or indirectly, or acting through one or more other persons;
    (ii) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of a company; or
    (iii) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of a company, as the FDIC 
determines; or
    (2) Any other person has, with respect to both companies, a 
relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of 
this section.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to:
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy; or
    (iv) Information that does not identify a specific consumer.

[[Page 70686]]

    (l) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.

0
3. Subpart D is added to part 334 to read as follows:

Subpart D--Medical Information


Sec.  334.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) Scope. This section applies to:
    (1) Any of the following that participates as a creditor in a 
transaction:
    (i) A State bank insured by the FDIC (other than members of the 
Federal Reserve System);
    (ii) An insured State branch of a foreign bank; or
    (2) Any other person that participates as a creditor in a 
transaction involving a person described in paragraph (a)(1) of this 
section.
    (b) General prohibition on obtaining or using medical information. 
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this section.
    (2) Definitions. (i) Credit has the same meaning as in section 702 
of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Eligibility, or continued eligibility, for credit means the 
consumer's qualification or fitness to receive, or continue to receive, 
credit, including the terms on which credit is offered. The term does 
not include:
    (A) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (B) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (C) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (c) Rule of construction for obtaining and using unsolicited 
medical information. (1) In general. A creditor does not obtain medical 
information in violation of the prohibition if it receives medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit without specifically requesting medical information.
    (2) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (c)(1) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  334.30(d) or (e).
    (3) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer owes a 
debt to a hospital.
    (ii) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition.
    (iii) In connection with a consumer's application for an extension 
of credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.
    (d) Financial information exception for obtaining and using medical 
information.
    (1) In general. A creditor may obtain and use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit so long 
as:
    (i) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples. (i) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (d)(1)(i) 
of this section permits a creditor, for example, to obtain and use 
information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to, a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical

[[Page 70687]]

facility to verify the debt and obtain the repayment history and 
current status of the loan. The creditor learns that the debt is 
current. The applicant meets the income and other requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception. (A) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage loan. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The credit committee follows the loan officer's 
recommendation and denies the application because the consumer has a 
potentially terminal disease. The creditor has used medical information 
in a manner inconsistent with the exception by taking into account the 
consumer's physical, mental, or behavioral health, condition, or 
history, type of treatment, or prognosis as part of a determination of 
eligibility or continued eligibility for credit.
    (C) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home equity loan 
and the creditor typically does not require consumers to obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product in connection with such loans. However, based on the consumer's 
apparent medical condition, the loan officer recommends to the credit 
committee that credit be extended to the consumer only if the consumer 
obtains a debt cancellation contract, debt suspension agreement, or 
credit insurance product from a nonaffiliated third party. The credit 
committee agrees with the loan officer's recommendation. The loan 
officer informs the consumer that the consumer must obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product from a nonaffiliated third party to qualify for the loan. The 
consumer obtains one of these products and the creditor approves the 
loan. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis in setting conditions on the consumer's 
eligibility for credit.
    (e) Specific exceptions for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit:
    (i) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person seeks to exercise a power of 
attorney or act as legal representative for a consumer based on an 
asserted medical condition or event;
    (ii) To comply with applicable requirements of local, state, or 
Federal laws;
    (iii) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is:
    (A) Designed to meet the special needs of consumers with medical 
conditions; and
    (B) Established and administered pursuant to a written plan that:
    (1) Identifies the class of persons that the program is designed to 
benefit; and
    (2) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (iv) To the extent necessary for purposes of fraud prevention or 
detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;
    (vii) Consistent with safe and sound practices, to determine 
whether the provisions of a forbearance practice or program that is 
triggered by a medical condition or event apply to a consumer;
    (viii) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a debt cancellation contract or debt 
suspension agreement if a medical condition or event is a triggering 
event for the provision of benefits under the contract or agreement; or
    (ix) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (2) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (3) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon

[[Page 70688]]

that the procedure will be performed. If the surgeon reports that 
surgery will not be performed on the consumer, the creditor may use 
that medical information to deny the consumer's application for credit, 
because the loan would not be used for the stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (4) Examples of obtaining and using medical information at the 
request of the consumer. (i) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the consumer's willingness and 
ability to repay the requested loan to accommodate the consumer's 
particular circumstances, consistent with safe and sound practices. The 
creditor may also decline to consider such medical information to 
accommodate the consumer, but may evaluate the consumer's application 
in accordance with its otherwise applicable underwriting criteria. The 
creditor may not deny the consumer's application or otherwise treat the 
consumer less favorably because the consumer specifically requested a 
medical accommodation, if the creditor would have extended the credit 
or treated the consumer more favorably under the creditor's otherwise 
applicable underwriting criteria.
    (ii) If a consumer applies for a loan by telephone and explains 
that his income has been and will continue to be interrupted on account 
of a medical condition and that he expects to repay the loan by 
liquidating assets, the creditor may, but is not required to, evaluate 
the application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (iii) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit, consistent with safe 
and sound practices, or may disregard that information.
    (iv) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an 
accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (v) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (5) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default. The creditor attempts to contact the 
consumer and speaks with the consumer's adult child, who is not the 
consumer's legal representative. The adult child informs the creditor 
that the consumer is hospitalized and is unable to pay the bill at that 
time. The creditor defers payments for up to three months, without 
penalty, for the hospitalized consumer and sends the consumer a letter 
confirming this practice and the date on which the next payment will be 
due. The creditor has obtained and used medical information to 
determine whether the provisions of a medically-triggered forbearance 
practice or program apply to a consumer.


Sec.  334.31  Limits on redisclosure of information.

    (a) Scope. This section applies to State banks insured by the FDIC 
(other than members of the Federal Reserve System) and insured State 
branches of foreign banks.
    (b) Limits on redisclosure. If a person described in paragraph (a) 
of this section receives medical information about a consumer from a 
consumer reporting agency or its affiliate, the person must not 
disclose that information to any other person, except as necessary to 
carry out the purpose for which the information was initially 
disclosed, or as otherwise permitted by statute, regulation, or order.


Sec.  334.32  Sharing medical information with affiliates.

    (a) Scope. This section applies to State banks insured by the FDIC 
(other than members of the Federal Reserve System) and insured State 
branches of foreign banks.
    (b) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if a person described in paragraph (a) of this 
section communicates to an affiliate--
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or

[[Page 70689]]

    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (c) Exceptions. A person described in paragraph (a) of this section 
may rely on the exclusions from the term ``consumer report'' in section 
603(d)(2) of the Act to communicate the information in paragraph (b) of 
this section to an affiliate--
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
334.30; or
    (6) As otherwise permitted by order of the FDIC.

Office of Thrift Supervision

    12 CFR Chapter V.

Authority and Issuance

0
For the reasons set forth in the joint preamble, the Office of Thrift 
Supervision amends chapter V of title 12 of the Code of Federal 
Regulations as follows:

PART 571--FAIR CREDIT REPORTING

0
1. The authority citation for part 571 is revised to read as follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
and 1881-1884; 15 U.S.C. 1681b, 1681s, and 1681w; 15 U.S.C. 6801 and 
6805(b)(1).

Subpart A--General Provisions

0
2. Revise Sec.  571.1(b) to read as follows:


Sec.  571.1  Purpose and Scope.

* * * * *
    (b) Scope. (1)-(3) [Reserved]
    (4) The scope of Subpart D of this part is stated in Sec. Sec.  
571.30(a), 571.31(a), and 571.32(a) of this part.
    (5)-(8) [Reserved]
    (9) Subpart I of this part applies to savings associations whose 
deposits are insured by the Federal Deposit Insurance Corporation (and 
federal savings association operating subsidiaries in accordance with 
Sec.  559.3(h)(1) of this chapter).

0
3. Add Sec.  571.2 to read as follows:


Sec.  571.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.

0
4. Amend Sec.  571.3 by revising the introductory text and paragraphs 
(a) through (n) to read as follows:


Sec.  571.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that is related by common ownership 
or common corporate control with another company.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f)-(h) [Reserved]
    (i) Common ownership or common corporate control means a 
relationship between two companies under which:
    (1) One company has, with respect to the other company:
    (i) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of a company, 
directly or indirectly, or acting through one or more other persons;
    (ii) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of a company; or
    (iii) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of a company, as the OTS 
determines; or
    (2) Any other person has, with respect to both companies, a 
relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of 
this section.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to--
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy; or
    (iv) Information that does not identify a specific consumer.
    (l) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.
    (m)-(n) [Reserved]
* * * * *

0
5. Add subpart D to part 571 to read as follows:

Subpart D--Medical Information


Sec.  571.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) Scope. This section applies to:
    (1) Any of the following that participates as a creditor in a 
transaction--
    (i) A savings association;
    (ii) A subsidiary owned in whole or in part by a savings 
association;
    (iii) A savings and loan holding company;
    (iv) A subsidiary of a savings and loan holding company other than 
a bank or subsidiary of a bank; or
    (v) A service corporation owned in whole or in part by a savings 
association; or
    (2) Any other person that participates as a creditor in a 
transaction involving a person described in paragraph (a)(1) of this 
section.
    (b) General prohibition on obtaining or using medical information. 
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this section.
    (2) Definitions. (i) Credit has the same meaning as in section 702 
of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Eligibility, or continued eligibility, for credit means the 
consumer's

[[Page 70690]]

qualification or fitness to receive, or continue to receive, credit, 
including the terms on which credit is offered. The term does not 
include:
    (A) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (B) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (C) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (c) Rule of construction for obtaining and using unsolicited 
medical information. (1) In general. A creditor does not obtain medical 
information in violation of the prohibition if it receives medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit without specifically requesting medical information.
    (2) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (c)(1) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  571.30(d) or (e).
    (3) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer owes a 
debt to a hospital;
    (ii) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition; or
    (iii) In connection with a consumer's application for an extension 
of credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.
    (d) Financial information exception for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples. (i) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (d)(1)(i) 
of this section permits a creditor, for example, to obtain and use 
information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to, a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current. The applicant meets the income and other requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception. (A) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage loan. The loan officer recommends to the credit 
committee that the consumer be denied

[[Page 70691]]

credit because the consumer has that disease. The credit committee 
follows the loan officer's recommendation and denies the application 
because the consumer has a potentially terminal disease. The creditor 
has used medical information in a manner inconsistent with the 
exception by taking into account the consumer's physical, mental, or 
behavioral health, condition, or history, type of treatment, or 
prognosis as part of a determination of eligibility or continued 
eligibility for credit.
    (C) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home equity loan 
and the creditor typically does not require consumers to obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product in connection with such loans. However, based on the consumer's 
apparent medical condition, the loan officer recommends to the credit 
committee that credit be extended to the consumer only if the consumer 
obtains a debt cancellation contract, debt suspension agreement, or 
credit insurance product from a nonaffiliated third party. The credit 
committee agrees with the loan officer's recommendation. The loan 
officer informs the consumer that the consumer must obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product from a nonaffiliated third party to qualify for the loan. The 
consumer obtains one of these products and the creditor approves the 
loan. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis in setting conditions on the consumer's 
eligibility for credit.
    (e) Specific exceptions for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit--
    (i) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person seeks to exercise a power of 
attorney or act as legal representative for a consumer based on an 
asserted medical condition or event;
    (ii) To comply with applicable requirements of local, state, or 
federal laws;
    (iii) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is--
    (A) Designed to meet the special needs of consumers with medical 
conditions; and
    (B) Established and administered pursuant to a written plan that--
    (1) Identifies the class of persons that the program is designed to 
benefit; and
    (2) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (iv) To the extent necessary for purposes of fraud prevention or 
detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;
    (vii) Consistent with safe and sound practices, to determine 
whether the provisions of a forbearance practice or program that is 
triggered by a medical condition or event apply to a consumer;
    (viii) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a debt cancellation contract or debt 
suspension agreement if a medical condition or event is a triggering 
event for the provision of benefits under the contract or agreement; or
    (ix) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (2) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (3) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon that the procedure will be performed. If the 
surgeon reports that surgery will not be performed on the consumer, the 
creditor may use that medical information to deny the consumer's 
application for credit, because the loan would not be used for the 
stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (4) Examples of obtaining and using medical information at the 
request of the consumer. (i) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the

[[Page 70692]]

consumer's willingness and ability to repay the requested loan to 
accommodate the consumer's particular circumstances, consistent with 
safe and sound practices. The creditor may also decline to consider 
such medical information to accommodate the consumer, but may evaluate 
the consumer's application in accordance with its otherwise applicable 
underwriting criteria. The creditor may not deny the consumer's 
application or otherwise treat the consumer less favorably because the 
consumer specifically requested a medical accommodation, if the 
creditor would have extended the credit or treated the consumer more 
favorably under the creditor's otherwise applicable underwriting 
criteria.
    (ii) If a consumer applies for a loan by telephone and explains 
that his income has been and will continue to be interrupted on account 
of a medical condition and that he expects to repay the loan by 
liquidating assets, the creditor may, but is not required to, evaluate 
the application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (iii) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit, consistent with safe 
and sound practices, or may disregard that information.
    (iv) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an 
accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (v) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (5) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default. The creditor attempts to contact the 
consumer and speaks with the consumer's spouse, who is not the 
consumer's legal representative. The spouse informs the creditor that 
the consumer is hospitalized and is unable to pay the bill at that 
time. The creditor defers payments for up to three months, without 
penalty, for the hospitalized consumer and sends the consumer a letter 
confirming this practice and the date on which the next payment will be 
due. The creditor has obtained and used medical information to 
determine whether the provisions of a medically-triggered forbearance 
practice or program apply to a consumer.


Sec.  571.31  Limits on redisclosure of information.

    (a) Scope. This section applies to savings associations and federal 
savings association operating subsidiaries.
    (b) Limits on redisclosure. If a person described in paragraph (a) 
of this section receives medical information about a consumer from a 
consumer reporting agency or its affiliate, the person must not 
disclose that information to any other person, except as necessary to 
carry out the purpose for which the information was initially 
disclosed, or as otherwise permitted by statute, regulation, or order.


Sec.  571.32  Sharing medical information with affiliates.

    (a) Scope. This section applies to savings associations and federal 
savings association operating subsidiaries.
    (b) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if a person described in paragraph (a) of this 
section communicates to an affiliate:
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (c) Exceptions. A person described in paragraph (a) of this section 
may rely on the exclusions from the term ``consumer report'' in section 
603(d)(2) of the Act to communicate the information in paragraph (b) of 
this section to an affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
571.30; or
    (6) As otherwise permitted by order of the OTS.

National Credit Union Administration

0
For the reasons set out in the preamble, 12 CFR chapter VII is amended 
as follows:

PART 717--FAIR CREDIT REPORTING

0
1. Revise the authority citation for part 717 to read as follows:

    Authority: 15 U.S.C. 1681a, 1681b, 1681s, 1681w, 6801 and 6805.


0
2. Amend part 717 by revising subpart A to read as follows:

[[Page 70693]]

Subpart A--General Provisions


Sec.  717.1  Purpose.

    (a) Purpose. The purpose of this part is to establish standards for 
Federal credit unions regarding consumer report information. In 
addition, the purpose of this part is to specify the extent to which 
Federal credit unions may obtain, use or share certain information. 
This part also contains a number of measures Federal credit unions must 
take to combat consumer fraud and related crimes, including identity 
theft.
    (b) [Reserved].


Sec.  717.2  Examples.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part. Examples in a paragraph illustrate only the issue described in 
the paragraph and do not illustrate any other issue that may arise in 
this part.


Sec.  717.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate means any company that is related by common ownership 
or common corporate control with another company. For example, an 
affiliate of a Federal credit union is a credit union service 
corporation (CUSO), as provided in 12 CFR part 712, that is controlled 
by the Federal credit union.
    (c) [Reserved]
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (e) Consumer means an individual.
    (f) [Reserved]
    (g) [Reserved]
    (h) [Reserved]
    (i) Common ownership or common corporate control means a 
relationship between two companies under which:
    (1) One company has, with respect to the other company:
    (i) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of a company, 
directly or indirectly, or acting through one or more other persons;
    (ii) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of a company; or
    (iii) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of a company, as the NCUA 
determines; or
    (iv) Example. NCUA will presume a credit union has a controlling 
influence over the management or policies of a CUSO, if the CUSO is 67% 
owned by credit unions.
    (2) Any other person has, with respect to both companies, a 
relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of 
this section.
    (j) [Reserved]
    (k) Medical information means:
    (1) Information or data, whether oral or recorded, in any form or 
medium, created by or derived from a health care provider or the 
consumer, that relates to:
    (i) The past, present, or future physical, mental, or behavioral 
health or condition of an individual;
    (ii) The provision of health care to an individual; or
    (iii) The payment for the provision of health care to an 
individual.
    (2) The term does not include:
    (i) The age or gender of a consumer;
    (ii) Demographic information about the consumer, including a 
consumer's residence address or e-mail address;
    (iii) Any other information about a consumer that does not relate 
to the physical, mental, or behavioral health or condition of a 
consumer, including the existence or value of any insurance policy; or
    (iv) Information that does not identify a specific consumer.
    (l) Person means any individual, partnership, corporation, trust, 
estate cooperative, association, government or governmental subdivision 
or agency, or other entity.

0
3. Subpart D is added to part 717 to read as follows:

Subpart D--Medical Information


Sec.  717.30  Obtaining or using medical information in connection with 
a determination of eligibility for credit.

    (a) Scope. This section applies to:
    (1) A Federal credit union that participates as a creditor in a 
transaction; or
    (2) Any other person that participates as a creditor in a 
transaction involving a person described in paragraph (a)(1) of this 
section.
    (b) General prohibition on obtaining or using medical information. 
(1) In general. A creditor may not obtain or use medical information 
pertaining to a consumer in connection with any determination of the 
consumer's eligibility, or continued eligibility, for credit, except as 
provided in this section.
    (2) Definitions. (i) Credit has the same meaning as in section 702 
of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
    (ii) Creditor has the same meaning as in section 702 of the Equal 
Credit Opportunity Act, 15 U.S.C. 1691a.
    (iii) Eligibility, or continued eligibility, for credit means the 
consumer's qualification or fitness to receive, or continue to receive, 
credit, including the terms on which credit is offered. The term does 
not include:
    (A) Any determination of the consumer's qualification or fitness 
for employment, insurance (other than a credit insurance product), or 
other non-credit products or services;
    (B) Authorizing, processing, or documenting a payment or 
transaction on behalf of the consumer in a manner that does not involve 
a determination of the consumer's eligibility, or continued 
eligibility, for credit; or
    (C) Maintaining or servicing the consumer's account in a manner 
that does not involve a determination of the consumer's eligibility, or 
continued eligibility, for credit.
    (c) Rule of construction for obtaining and using unsolicited 
medical information. (1) In general. A creditor does not obtain medical 
information in violation of the prohibition if it receives medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit without specifically requesting medical information.
    (2) Use of unsolicited medical information. A creditor that 
receives unsolicited medical information in the manner described in 
paragraph (c)(1) of this section may use that information in connection 
with any determination of the consumer's eligibility, or continued 
eligibility, for credit to the extent the creditor can rely on at least 
one of the exceptions in Sec.  717.30(d) or (e).
    (3) Examples. A creditor does not obtain medical information in 
violation of the prohibition if, for example:
    (i) In response to a general question regarding a consumer's debts 
or expenses, the creditor receives information that the consumer owes a 
debt to a hospital.
    (ii) In a conversation with the creditor's loan officer, the 
consumer informs the creditor that the consumer has a particular 
medical condition.
    (iii) In connection with a consumer's application for an extension 
of credit, the creditor requests a consumer report from a consumer 
reporting agency and receives medical information in the consumer 
report furnished by the agency even though the creditor did not 
specifically request medical information from the consumer reporting 
agency.
    (d) Financial information exception for obtaining and using medical

[[Page 70694]]

information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit so long as:
    (i) The information is the type of information routinely used in 
making credit eligibility determinations, such as information relating 
to debts, expenses, income, benefits, assets, collateral, or the 
purpose of the loan, including the use of proceeds;
    (ii) The creditor uses the medical information in a manner and to 
an extent that is no less favorable than it would use comparable 
information that is not medical information in a credit transaction; 
and
    (iii) The creditor does not take the consumer's physical, mental, 
or behavioral health, condition or history, type of treatment, or 
prognosis into account as part of any such determination.
    (2) Examples. (i) Examples of the types of information routinely 
used in making credit eligibility determinations. Paragraph (d)(1)(i) 
of this section permits a creditor, for example, to obtain and use 
information about:
    (A) The dollar amount, repayment terms, repayment history, and 
similar information regarding medical debts to calculate, measure, or 
verify the repayment ability of the consumer, the use of proceeds, or 
the terms for granting credit;
    (B) The value, condition, and lien status of a medical device that 
may serve as collateral to secure a loan;
    (C) The dollar amount and continued eligibility for disability 
income, workers' compensation income, or other benefits related to 
health or a medical condition that is relied on as a source of 
repayment; or
    (D) The identity of creditors to whom outstanding medical debts are 
owed in connection with an application for credit, including but not 
limited to, a transaction involving the consolidation of medical debts.
    (ii) Examples of uses of medical information consistent with the 
exception. (A) A consumer includes on an application for credit 
information about two $20,000 debts. One debt is to a hospital; the 
other debt is to a retailer. The creditor contacts the hospital and the 
retailer to verify the amount and payment status of the debts. The 
creditor learns that both debts are more than 90 days past due. Any two 
debts of this size that are more than 90 days past due would disqualify 
the consumer under the creditor's established underwriting criteria. 
The creditor denies the application on the basis that the consumer has 
a poor repayment history on outstanding debts. The creditor has used 
medical information in a manner and to an extent no less favorable than 
it would use comparable non-medical information.
    (B) A consumer indicates on an application for a $200,000 mortgage 
loan that she receives $15,000 in long-term disability income each year 
from her former employer and has no other income. Annual income of 
$15,000, regardless of source, would not be sufficient to support the 
requested amount of credit. The creditor denies the application on the 
basis that the projected debt-to-income ratio of the consumer does not 
meet the creditor's underwriting criteria. The creditor has used 
medical information in a manner and to an extent that is no less 
favorable than it would use comparable non-medical information.
    (C) A consumer includes on an application for a $10,000 home equity 
loan that he has a $50,000 debt to a medical facility that specializes 
in treating a potentially terminal disease. The creditor contacts the 
medical facility to verify the debt and obtain the repayment history 
and current status of the loan. The creditor learns that the debt is 
current. The applicant meets the income and other requirements of the 
creditor's underwriting guidelines. The creditor grants the 
application. The creditor has used medical information in accordance 
with the exception.
    (iii) Examples of uses of medical information inconsistent with the 
exception. (A) A consumer applies for $25,000 of credit and includes on 
the application information about a $50,000 debt to a hospital. The 
creditor contacts the hospital to verify the amount and payment status 
of the debt, and learns that the debt is current and that the consumer 
has no delinquencies in her repayment history. If the existing debt 
were instead owed to a retail department store, the creditor would 
approve the application and extend credit based on the amount and 
repayment history of the outstanding debt. The creditor, however, 
denies the application because the consumer is indebted to a hospital. 
The creditor has used medical information, here the identity of the 
medical creditor, in a manner and to an extent that is less favorable 
than it would use comparable non-medical information.
    (B) A consumer meets with a loan officer of a creditor to apply for 
a mortgage loan. While filling out the loan application, the consumer 
informs the loan officer orally that she has a potentially terminal 
disease. The consumer meets the creditor's established requirements for 
the requested mortgage loan. The loan officer recommends to the credit 
committee that the consumer be denied credit because the consumer has 
that disease. The credit committee follows the loan officer's 
recommendation and denies the application because the consumer has a 
potentially terminal disease. The creditor has used medical information 
in a manner inconsistent with the exception by taking into account the 
consumer's physical, mental, or behavioral health, condition, or 
history, type of treatment, or prognosis as part of a determination of 
eligibility or continued eligibility for credit.
    (C) A consumer who has an apparent medical condition, such as a 
consumer who uses a wheelchair or an oxygen tank, meets with a loan 
officer to apply for a home equity loan. The consumer meets the 
creditor's established requirements for the requested home equity loan 
and the creditor typically does not require consumers to obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product in connection with such loans. However, based on the consumer's 
apparent medical condition, the loan officer recommends to the credit 
committee that credit be extended to the consumer only if the consumer 
obtains a debt cancellation contract, debt suspension agreement, or 
credit insurance product from a nonaffiliated third party. The credit 
committee agrees with the loan officer's recommendation. The loan 
officer informs the consumer that the consumer must obtain a debt 
cancellation contract, debt suspension agreement, or credit insurance 
product from a nonaffiliated third party to qualify for the loan. The 
consumer obtains one of these products and the creditor approves the 
loan. The creditor has used medical information in a manner 
inconsistent with the exception by taking into account the consumer's 
physical, mental, or behavioral health, condition, or history, type of 
treatment, or prognosis in setting conditions on the consumer's 
eligibility for credit.
    (e) Specific exceptions for obtaining and using medical 
information. (1) In general. A creditor may obtain and use medical 
information pertaining to a consumer in connection with any 
determination of the consumer's eligibility, or continued eligibility, 
for credit:
    (i) To determine whether the use of a power of attorney or legal 
representative that is triggered by a medical condition or event is 
necessary and appropriate or whether the consumer has the legal 
capacity to contract when a person

[[Page 70695]]

seeks to exercise a power of attorney or act as legal representative 
for a consumer based on an asserted medical condition or event;
    (ii) To comply with applicable requirements of local, state, or 
Federal laws;
    (iii) To determine, at the consumer's request, whether the consumer 
qualifies for a legally permissible special credit program or credit-
related assistance program that is:
    (A) Designed to meet the special needs of consumers with medical 
conditions; and
    (B) Established and administered pursuant to a written plan that:
    (1) Identifies the class of persons that the program is designed to 
benefit; and
    (2) Sets forth the procedures and standards for extending credit or 
providing other credit-related assistance under the program;
    (iv) To the extent necessary for purposes of fraud prevention or 
detection;
    (v) In the case of credit for the purpose of financing medical 
products or services, to determine and verify the medical purpose of a 
loan and the use of proceeds;
    (vi) Consistent with safe and sound practices, if the consumer or 
the consumer's legal representative specifically requests that the 
creditor use medical information in determining the consumer's 
eligibility, or continued eligibility, for credit, to accommodate the 
consumer's particular circumstances, and such request is documented by 
the creditor;
    (vii) Consistent with safe and sound practices, to determine 
whether the provisions of a forbearance practice or program that is 
triggered by a medical condition or event apply to a consumer;
    (viii) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a debt cancellation contract or debt 
suspension agreement if a medical condition or event is a triggering 
event for the provision of benefits under the contract or agreement; or
    (ix) To determine the consumer's eligibility for, the triggering 
of, or the reactivation of a credit insurance product if a medical 
condition or event is a triggering event for the provision of benefits 
under the product.
    (2) Example of determining eligibility for a special credit program 
or credit assistance program. A not-for-profit organization establishes 
a credit assistance program pursuant to a written plan that is designed 
to assist disabled veterans in purchasing homes by subsidizing the down 
payment for the home purchase mortgage loans of qualifying veterans. 
The organization works through mortgage lenders and requires mortgage 
lenders to obtain medical information about the disability of any 
consumer that seeks to qualify for the program, use that information to 
verify the consumer's eligibility for the program, and forward that 
information to the organization. A consumer who is a veteran applies to 
a creditor for a home purchase mortgage loan. The creditor informs the 
consumer about the credit assistance program for disabled veterans and 
the consumer seeks to qualify for the program. Assuming that the 
program complies with all applicable law, including applicable fair 
lending laws, the creditor may obtain and use medical information about 
the medical condition and disability, if any, of the consumer to 
determine whether the consumer qualifies for the credit assistance 
program.
    (3) Examples of verifying the medical purpose of the loan or the 
use of proceeds. (i) If a consumer applies for $10,000 of credit for 
the purpose of financing vision correction surgery, the creditor may 
verify with the surgeon that the procedure will be performed. If the 
surgeon reports that surgery will not be performed on the consumer, the 
creditor may use that medical information to deny the consumer's 
application for credit, because the loan would not be used for the 
stated purpose.
    (ii) If a consumer applies for $10,000 of credit for the purpose of 
financing cosmetic surgery, the creditor may confirm the cost of the 
procedure with the surgeon. If the surgeon reports that the cost of the 
procedure is $5,000, the creditor may use that medical information to 
offer the consumer only $5,000 of credit.
    (iii) A creditor has an established medical loan program for 
financing particular elective surgical procedures. The creditor 
receives a loan application from a consumer requesting $10,000 of 
credit under the established loan program for an elective surgical 
procedure. The consumer indicates on the application that the purpose 
of the loan is to finance an elective surgical procedure not eligible 
for funding under the guidelines of the established loan program. The 
creditor may deny the consumer's application because the purpose of the 
loan is not for a particular procedure funded by the established loan 
program.
    (4) Examples of obtaining and using medical information at the 
request of the consumer. (i) If a consumer applies for a loan and 
specifically requests that the creditor consider the consumer's medical 
disability at the relevant time as an explanation for adverse payment 
history information in his credit report, the creditor may consider 
such medical information in evaluating the consumer's willingness and 
ability to repay the requested loan to accommodate the consumer's 
particular circumstances, consistent with safe and sound practices. The 
creditor may also decline to consider such medical information to 
accommodate the consumer, but may evaluate the consumer's application 
in accordance with its otherwise applicable underwriting criteria. The 
creditor may not deny the consumer's application or otherwise treat the 
consumer less favorably because the consumer specifically requested a 
medical accommodation, if the creditor would have extended the credit 
or treated the consumer more favorably under the creditor's otherwise 
applicable underwriting criteria.
    (ii) If a consumer applies for a loan by telephone and explains 
that his income has been and will continue to be interrupted on account 
of a medical condition and that he expects to repay the loan by 
liquidating assets, the creditor may, but is not required to, evaluate 
the application using the sale of assets as the primary source of 
repayment, consistent with safe and sound practices, provided that the 
creditor documents the consumer's request by recording the oral 
conversation or making a notation of the request in the consumer's 
file.
    (iii) If a consumer applies for a loan and the application form 
provides a space where the consumer may provide any other information 
or special circumstances, whether medical or non-medical, that the 
consumer would like the creditor to consider in evaluating the 
consumer's application, the creditor may use medical information 
provided by the consumer in that space on that application to 
accommodate the consumer's application for credit, consistent with safe 
and sound practices, or may disregard that information.
    (iv) If a consumer specifically requests that the creditor use 
medical information in determining the consumer's eligibility, or 
continued eligibility, for credit and provides the creditor with 
medical information for that purpose, and the creditor determines that 
it needs additional information regarding the consumer's circumstances, 
the creditor may request, obtain, and use additional medical 
information about the consumer as necessary to verify the information 
provided by the consumer or to determine whether to make an

[[Page 70696]]

accommodation for the consumer. The consumer may decline to provide 
additional information, withdraw the request for an accommodation, and 
have the application considered under the creditor's otherwise 
applicable underwriting criteria.
    (v) If a consumer completes and signs a credit application that is 
not for medical purpose credit and the application contains boilerplate 
language that routinely requests medical information from the consumer 
or that indicates that by applying for credit the consumer authorizes 
or consents to the creditor obtaining and using medical information in 
connection with a determination of the consumer's eligibility, or 
continued eligibility, for credit, the consumer has not specifically 
requested that the creditor obtain and use medical information to 
accommodate the consumer's particular circumstances.
    (5) Example of a forbearance practice or program. After an 
appropriate safety and soundness review, a creditor institutes a 
program that allows consumers who are or will be hospitalized to defer 
payments as needed for up to three months, without penalty, if the 
credit account has been open for more than one year and has not 
previously been in default, and the consumer provides confirming 
documentation at an appropriate time. A consumer is hospitalized and 
does not pay her bill for a particular month. This consumer has had a 
credit account with the creditor for more than one year and has not 
previously been in default. The creditor attempts to contact the 
consumer and speaks with the consumer's adult child, who is not the 
consumer's legal representative. The adult child informs the creditor 
that the consumer is hospitalized and is unable to pay the bill at that 
time. The creditor defers payments for up to three months, without 
penalty, for the hospitalized consumer and sends the consumer a letter 
confirming this practice and the date on which the next payment will be 
due. The creditor has obtained and used medical information to 
determine whether the provisions of a medically-triggered forbearance 
practice or program apply to a consumer.


Sec.  717.31  Limits on redisclosure of information

    (a) Scope. This section applies to Federal credit unions.
    (b) Limits on redisclosure. If a Federal credit union receives 
medical information about a consumer from a consumer reporting agency 
or its affiliate, the person must not disclose that information to any 
other person, except as necessary to carry out the purpose for which 
the information was initially disclosed, or as otherwise permitted by 
statute, regulation, or order.


Sec.  717.32  Sharing medical information with affiliates.

    (a) Scope. This section applies to Federal credit unions.
    (b) In general. The exclusions from the term ``consumer report'' in 
section 603(d)(2) of the Act that allow the sharing of information with 
affiliates do not apply if a Federal credit union communicates to an 
affiliate:
    (1) Medical information;
    (2) An individualized list or description based on the payment 
transactions of the consumer for medical products or services; or
    (3) An aggregate list of identified consumers based on payment 
transactions for medical products or services.
    (c) Exceptions. A Federal credit union may rely on the exclusions 
from the term ``consumer report'' in section 603(d)(2) of the Act to 
communicate the information in paragraph (b) to an affiliate:
    (1) In connection with the business of insurance or annuities 
(including the activities described in section 18B of the model Privacy 
of Consumer Financial and Health Information Regulation issued by the 
National Association of Insurance Commissioners, as in effect on 
January 1, 2003);
    (2) For any purpose permitted without authorization under the 
regulations promulgated by the Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA);
    (3) For any purpose referred to in section 1179 of HIPAA;
    (4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
    (5) In connection with a determination of the consumer's 
eligibility, or continued eligibility, for credit consistent with Sec.  
717.30; or
    (6) As otherwise permitted by order of the NCUA.

    Dated: November 8, 2005.
John C. Dugan,
Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System, November 14, 2005.
Robert deV. Frierson,
Deputy Secretary of the Board.

    Dated at Washington, DC, this 8th day of November, 2005.

    By order of the Board of Directors,

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

    Dated: November 11, 2005.

    By the Office of Thrift Supervision,
John M. Reich,
Director.

    By the National Credit Union Administration Board on November 8, 
2005.
Mary F. Rupp,
Secretary of the Board.
[FR Doc. 05-22830 Filed 11-21-05; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-10-P; 6720-01-P; 7535-01-P