Protected Health Information and Your Finances

SEC. 411. PROTECTION OF MEDICAL INFORMATION IN THE FINANCIAL
SYSTEM.
(a) IN GENERAL.—Section 604(g) of the Fair Credit Reporting
Act (15 U.S.C. 1681b(g)) is amended to read as follows:
15 USC 1681
note.
Deadline.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00049 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 2000 PUBLIC LAW 108–159—DEC. 4, 2003
‘‘(g) PROTECTION OF MEDICAL INFORMATION.—
‘‘(1) LIMITATION ON CONSUMER REPORTING AGENCIES.—A
consumer reporting agency shall not furnish for employment
purposes, or in connection with a credit or insurance transaction,
a consumer report that contains medical information
about a consumer, unless—
‘‘(A) if furnished in connection with an insurance transaction,
the consumer affirmatively consents to the furnishing
of the report;
‘‘(B) if furnished for employment purposes or in connection
with a credit transaction—
‘‘(i) the information to be furnished is relevant
to process or effect the employment or credit transaction;
and
‘‘(ii) the consumer provides specific written consent
for the furnishing of the report that describes in clear
and conspicuous language the use for which the
information will be furnished; or
‘‘(C) the information to be furnished pertains solely
to transactions, accounts, or balances relating to debts
arising from the receipt of medical services, products, or
devises, where such information, other than account status
or amounts, is restricted or reported using codes that do
not identify, or do not provide information sufficient to
infer, the specific provider or the nature of such services,
products, or devices, as provided in section 605(a)(6).
‘‘(2) LIMITATION ON CREDITORS.—Except as permitted
pursuant to paragraph (3)(C) or regulations prescribed under
paragraph (5)(A), a creditor shall not obtain or use medical
information pertaining to a consumer in connection with any
determination of the consumer’s eligibility, or continued eligibility,
for credit.
‘‘(3) ACTIONS AUTHORIZED BY FEDERAL LAW, INSURANCE
ACTIVITIES AND REGULATORY DETERMINATIONS.—Section
603(d)(3) shall not be construed so as to treat information
or any communication of information as a consumer report
if the information or communication is disclosed—
‘‘(A) in connection with the business of insurance or
annuities, including the activities described in section 18B
of the model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association
of Insurance Commissioners (as in effect on January 1,
2003);
‘‘(B) for any purpose permitted without authorization
under the Standards for Individually Identifiable Health
Information promulgated by the Department of Health and
Human Services pursuant to the Health Insurance Portability
and Accountability Act of 1996, or referred to under
section 1179 of such Act, or described in section 502(e)
of Public Law 106–102; or
‘‘(C) as otherwise determined to be necessary and
appropriate, by regulation or order and subject to paragraph
(6), by the Commission, any Federal banking agency
or the National Credit Union Administration (with respect
to any financial institution subject to the jurisdiction of
such agency or Administration under paragraph (1), (2),
or (3) of section 621(b), or the applicable State insurance
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00050 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 2001
authority (with respect to any person engaged in providing
insurance or annuities).
‘‘(4) LIMITATION ON REDISCLOSURE OF MEDICAL INFORMATION.—
Any person that receives medical information pursuant
to paragraph (1) or (3) shall not disclose such information
to any other person, except as necessary to carry out the purpose
for which the information was initially disclosed, or as
otherwise permitted by statute, regulation, or order.
‘‘(5) REGULATIONS AND EFFECTIVE DATE FOR PARAGRAPH
(2).—
‘‘(A) REGULATIONS REQUIRED.—Each Federal banking
agency and the National Credit Union Administration
shall, subject to paragraph (6) and after notice and opportunity
for comment, prescribe regulations that permit
transactions under paragraph (2) that are determined to
be necessary and appropriate to protect legitimate operational,
transactional, risk, consumer, and other needs (and
which shall include permitting actions necessary for
administrative verification purposes), consistent with the
intent of paragraph (2) to restrict the use of medical
information for inappropriate purposes.
‘‘(B) FINAL REGULATIONS REQUIRED.—The Federal
banking agencies and the National Credit Union Administration
shall issue the regulations required under subparagraph
(A) in final form before the end of the 6-month
period beginning on the date of enactment of the Fair
and Accurate Credit Transactions Act of 2003.
‘‘(6) COORDINATION WITH OTHER LAWS.—No provision of
this subsection shall be construed as altering, affecting, or
superseding the applicability of any other provision of Federal
law relating to medical confidentiality.’’.
(b) RESTRICTION ON SHARING OF MEDICAL INFORMATION.—Section
603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d))
is amended—
(1) in paragraph (2), by striking ‘‘The term’’ and inserting
‘‘Except as provided in paragraph (3), the term’’; and
(2) by adding at the end the following new paragraph:
‘‘(3) RESTRICTION ON SHARING OF MEDICAL INFORMATION.—
Except for information or any communication of information
disclosed as provided in section 604(g)(3), the exclusions in
paragraph (2) shall not apply with respect to information disclosed
to any person related by common ownership or affiliated
by corporate control, if the information is—
‘‘(A) medical information;
‘‘(B) an individualized list or description based on the
payment transactions of the consumer for medical products
or services; or
‘‘(C) an aggregate list of identified consumers based
on payment transactions for medical products or services.’’.
(c) DEFINITION.—Section 603(i) of the Fair Credit Reporting
Act (15 U.S.C. 1681a(i)) is amended to read as follows:
‘‘(i) MEDICAL INFORMATION.—The term ‘medical information’—
‘‘(1) means information or data, whether oral or recorded,
in any form or medium, created by or derived from a health
care provider or the consumer, that relates to—
‘‘(A) the past, present, or future physical, mental, or
behavioral health or condition of an individual;
Deadline.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00051 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
117 STAT. 2002 PUBLIC LAW 108–159—DEC. 4, 2003
‘‘(B) the provision of health care to an individual; or
‘‘(C) the payment for the provision of health care to
an individual.
‘‘(2) does not include the age or gender of a consumer,
demographic information about the consumer, including a consumer’s
residence address or e-mail address, or any other
information about a consumer that does not relate to the physical,
mental, or behavioral health or condition of a consumer,
including the existence or value of any insurance policy.’’.
(d) EFFECTIVE DATES.—This section shall take effect at the
end of the 180-day period beginning on the date of enactment
of this Act, except that paragraph (2) of section 604(g) of the
Fair Credit Reporting Act (as amended by subsection (a) of this
section) shall take effect on the later of—
(1) the end of the 90-day period beginning on the date
on which the regulations required under paragraph (5)(B) of
such section 604(g) are issued in final form; or
(2) the date specified in the regulations referred to in
paragraph (1).
SEC. 412. CONFIDENTIALITY OF MEDICAL CONTACT INFORMATION IN
CONSUMER REPORTS.
(a) DUTIES OF MEDICAL INFORMATION FURNISHERS.—Section
623(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s–2(a)),
as amended by this Act, is amended by adding at the end the
following:
‘‘(9) DUTY TO PROVIDE NOTICE OF STATUS AS MEDICAL
INFORMATION FURNISHER.—A person whose primary business
is providing medical services, products, or devices, or the person’s
agent or assignee, who furnishes information to a consumer
reporting agency on a consumer shall be considered
a medical information furnisher for purposes of this title, and
shall notify the agency of such status.’’.
(b) RESTRICTION OF DISSEMINATION OF MEDICAL CONTACT
INFORMATION.—Section 605(a) of the Fair Credit Reporting Act
(15 U.S.C. 1681c(a)) is amended by adding at the end the following:
‘‘(6) The name, address, and telephone number of any medical
information furnisher that has notified the agency of its
status, unless—
‘‘(A) such name, address, and telephone number are
restricted or reported using codes that do not identify,
or provide information sufficient to infer, the specific provider
or the nature of such services, products, or devices
to a person other than the consumer; or
‘‘(B) the report is being provided to an insurance company
for a purpose relating to engaging in the business
of insurance other than property and casualty insurance.’’.
(c) NO EXCEPTIONS ALLOWED FOR DOLLAR AMOUNTS.—Section
605(b) of the Fair Credit Reporting Act (15 U.S.C. 1681c(b)) is
amended by striking ‘‘The provisions of subsection (a)’’ and inserting
‘‘The provisions of paragraphs (1) through (5) of subsection (a)’’.
(d) COORDINATION WITH OTHER LAWS.—No provision of any
amendment made by this section shall be construed as altering,
affecting, or superseding the applicability of any other provision
of Federal law relating to medical confidentiality.
15 USC 1681b
note.
15 USC 1681a
note.
VerDate 11-MAY-2000 04:48 Dec 12, 2003 Jkt 029139 PO 00159 Frm 00052 Fmt 6580 Sfmt 6581 E:PUBLAWPUBL159.108 BILLW PsN: PUBL159
PUBLIC LAW 108–159—DEC. 4, 2003 117 STAT. 2003
(e) FTC REGULATION OF CODING OF TRADE NAMES.—Section
621 of the Fair Credit Reporting Act (15 U.S.C. 1681s), as amended
by this Act, is amended by adding at the end the following:
‘‘(g) FTC REGULATION OF CODING OF TRADE NAMES.—If the
Commission determines that a person described in paragraph (9)
of section 623(a) has not met the requirements of such paragraph,
the Commission shall take action to ensure the person’s compliance
with such paragraph, which may include issuing model guidance
or prescribing reasonable policies and procedures, as necessary
to ensure that such person complies with such paragraph.’’.
(f) TECHNICAL AND CONFORMING AMENDMENTS.—Section 604(g)
of the Fair Credit Reporting Act (15 U.S.C. 1681b(g)), as amended
by section 411 of this Act, is amended—
(1) in paragraph (1), by inserting ‘‘(other than medical
contact information treated in the manner required under section
605(a)(6))’’ after ‘‘a consumer report that contains medical
information’’; and
(2) in paragraph (2), by inserting ‘‘(other than medical
information treated in the manner required under section
605(a)(6))’’ after ‘‘a creditor shall not obtain or use medical
information’’.
(g) EFFECTIVE DATE.—The amendments made by this section
shall take effect at the end of the 15-month period beginning on
the date of enactment of this Act.