Medical Information Protected by Amendments to the Fair Credit Reporting Act

Ronald L. Scott

President Bush recently signed into law the Fair and Accurate Credit Transactions Act (FACTA) of 2003 (PL 108-159, 12/04/03).  FACTA amends the  Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., intended to promote accuracy in consumer reports and to ensure the privacy of the information contained in such reports.  See The Federal Trade Commission (FTC) is required by the law to issue regulations this year to implement many of the new provisions of the FCRA.

In addition to provisions allowing consumers free credit reports annually and provisions to help prevent identity theft, FACTA limits the use and sharing of medical information in the financial system.

“Medical information” is defined in § 411 of FACTA as:

(1) … information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to-
(A) the past, present, or future physical, mental, or behavioral health or condition of an individual;
(B) the provision of health care to an individual; or
(C) the payment for the provision of health care to an individual.

However, “medical information” does not include a consumer’s age or sex, or demographic information such as a consumer’s residence or e-mail address, or any other information “that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy.”  See id.

With limited exceptions, consumer reporting agencies are prohibited from furnishing reports containing medical information.  A consumer must affirmatively consent to the furnishing of a report containing medical information where the report is furnished in connection with an insurance transaction.  Where a report is furnished for employment purposes or in connection with a credit transaction, any medical information furnished must be relevant to the employment or credit transaction and the consumer must provide specific written consent for disclosure of the medical information.  Further, the consent must clearly and conspicuously describe the use for which the medical information will be furnished.  Note that the definition of “medical information” includes the payment for the provision of health care to an individual.  However, an exception allows reporting of transactions, accounts, or balances relating to debts arising from the provision of medical services if the name of the health care provider is reported using codes that do not identify the provider or the nature of the medical services provided.  In addition to regulating consumer reporting agencies, FACTA also limits creditor’s ability to obtain or use medical information in connection with determining a consumer’s eligibility for credit.  See FACTA § 411.

FACTA will also require health care providers or their agents who furnish medical information to a consumer reporting agency to advise the FTC that they are “medical information furnishers.”  Such health care providers will be required to use codes when reporting health care debt to consumer reporting agencies.  Such codes must not identify the specific provider or the nature of the medical services provided to the consumer.  See FACTA § 412.

One criticism of FACTA is that the law preempts states from passing stricter laws to even better protect consumers. Also,  a single comprehensive federal medical privacy law would have been preferable to the current patchwork of legislation including FACTA and HIPAA (Health Insurance Portability and Accountability Act).  Nonetheless, FACTA represents another important step in further protecting confidential medical information.