15 U.S.C. 1681b - part 5

In this installment, I'll finish explaining the permissible purposes section of the Fair Credit Reporting Act - 15 U.S.C. 1681b.

"(f) Certain use or obtaining of information prohibited. A person shall not use or obtain a consumer report for any purpose unless

(1) the consumer report is obtained for a purpose for which the consumer report is authorized to be furnished under this subsection; and

(2) the purpose is certified in accordance with section 607 [section 1681e] by a prospective user of the report through a general or specific certification."

[This is the section that makes it a violation to obtain or use a credit report for a purpose that is not permitted by the rest of 15 U.S.C. 1681b. The "or use" is very important so that a user cannot use the report for any purpose even if it was obtained using a permissible purpose.]

"(g) Protection of Medical Information

(1) Limitation on consumer reporting agencies. A consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information (other than medical contact information treated in the manner required under section 605(a)(6)) about a consumer, unless --

(A) if furnished in connection with an insurance transaction, the consumer affirmatively consents to the furnishing of the report;

(B) if furnished for employment purposes or in connection with a credit transaction --

(i) the information to be furnished is relevant to process or effect the employment or credit transaction; and

(ii) the consumer provides specific written consent for the furnishing of the report that describes in clear and conspicuous language the use for which the information will be furnished; or

(C) the information to be furnished pertains solely to transactions, accounts, or balances relating to debts arising from the receipt of medical services, products, or devises, where such information, other than account status or amounts, is restricted or reported using codes that do not identify, or do not provide information sufficient to infer, the specific provider or the nature of such services, products, or devices, as provided in section 605(a)(6)."

[A consumer reporting agency can only provide a credit report with medical information on it for an insurance transaction IF the consumer consents to it. A consumer reporting agency can only provide a credit report containing medical information regarding an employment or credit transaction IF the medical information to be provided is relevant to the transaction and the consumer consents in writing or if the medical information is restricted in such a way that the specific provider or nature of the medical treatment is not identified and can not be inferred. One way the CRAs do this is reporting the information using a code number instead of the name of the medical provider (i.e. #12345 instead of "Cancer Institute") which, in this example, keeps the recipient of the report from knowing the consumer has been treated for cancer.]

"(2) Limitation on creditors. Except as permitted pursuant to paragraph (3)(C) or regulations prescribed under paragraph (5)(A), a creditor shall not obtain or use medical information (other than medical contact information treated in the manner required under section 605(a)(6)) pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit."

[This means that the recipient of the credit report can not use the medical information provided as a factor in the consumer's eligibility for credit (i.e. that the consumer may have cancer should not prevent him or her from getting a credit card, but non-payment of a medical bill can affect the consumer's eligibility to get a credit card).]

"(3) Actions authorized by federal law, insurance activities and regulatory determinations. Section 603(d)(3) shall not be construed so as to treat information or any communication of information as a consumer report if the information or communication is disclosed --

(A) in connection with the business of insurance or annuities, including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners (as in effect on January 1, 2003);

(B) for any purpose permitted without authorization under the Standards for Individually Identifiable Health Information promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 or referred to under section 1179 of such Act, or described in section 502(e) of Public Law 106-102; or

(C) as otherwise determined to be necessary and appropriate, by regulation or order and subject to paragraph (6), by the Commission, any Federal banking agency or the National Credit Union Administration (with respect to any financial institution subject to the jurisdiction of such agency or Administration under paragraph (1), (2), or (3) of section 621(b), or the applicable State insurance authority (with respect to any person engaged in providing insurance or annuities).

[In other words, publication of medical infrormation for underwriting of health or life insurance, or HIPAA compliant publications of medical information are not considered consumer reports.]

"(4) Limitation on redisclosure of medical information. Any person that receives medical information pursuant to paragrpah (1) or (3) shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order."

[So even if the recipient has a permissible purpose for receiving the medical information, he or she can not disclose it to others unless it is necessary for carrying out the purpose that the information was originally (and permissibly) obtained to do or as permitted by law.]

"(5) Regulations and Effective Date for Paragraph (2)

(A) Regulations required. Each Federal banking agency and the National Credit Union Administration shall, subject to paragraph (6) and after notice and opportunity for comment, prescribe regulations that permit transactions under paragraph (2) that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (and which shall include permitting actions necessary for administrative verification purposes), consistent with the intent of paragraph (2) to restrict the use of medical information for inappropriate purposes."

[This section requires each Federal banking agency and the National Credit Union Administration to propose regulations that allow creditors, in certain circumstances, to use the medical information on credit reports for credit eligibility decisions.]

"(B) Final regulations required. The Federal banking agencies and the National Credit Union Administration shall issue the regulations required under subparagraph (A) in final form before the end of the 6-month period beginning on the date of enactment of the Fair and Accurate Credit Transactions Act of 2003."

[Subsection (B) just puts a deadline on the regulations required by subsection (A).]

"(6) Coordination with other laws. No provision of this subsection shall be construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality."

[This section just makes it clear that 15 U.S.C. 1681b(f) does not alter, affect or supersede any other federal law regaridng medical confidentiality. In other words, it does not make something disclosable if it is otherwise non-disclosable or confidential.]

That's it for the explanation of 15 U.S.C. 1681b. I will start explaining 15 U.S.C. 1681c in the next installment.