Medical Information: Does Your Financial Institution Have a Policy and Procedures?

Apr 30, 2017

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) included rules governing medical information protections.  In November 2005, the federal agencies finalized these rules, and they became effective in April 2006.  The rules are codified now in the Consumer Financial Protection Bureau’s Fair Credit Reporting Act (Regulation V), 12 CFR Part 1022, sections 1022.30 to 1022.32.  Despite the fact that these rules have been around for more than 10 years, when we visit financial institutions and ask for their policy and procedures regarding the proper use of medical information, we are usually informed there is nothing documented for us to review.

Does your financial institution have a documented policy and procedures for complying with these sections?  Have appropriate employees been trained on when and how they can use medical information and with whom it may be shared?  Does someone periodically review loan files to ensure medical information is only used as allowed?  If you have answered “no” to any of these questions, it is time for management to take action.


Below are some questions you may be asking yourself:


What should the financial institution’s policy and procedures address?


They should include:


  1. Your financial institution’s commitment statement for complying with the rules.
  2. The general prohibition on obtaining and using medical information.
  3. Definitions of specific terms to help ensure understanding.
  4. An explanation of when medical information that does not violate the general prohibition may be obtained and how it may be used.
  5. Exceptions for obtaining and using medical information.
  6. When medical information may be shared, including specific procedures for affiliates.
  7. Training of applicable employees.
  8. Monitoring expectations.


In addition, providing specific examples would be helpful.


What is a good way to draft a policy and/or write procedures from scratch?


To begin the process, look at your financial institution’s other policies and procedures and how they are formatted.  You will want to draft a document or documents that are similar in style.  For example, is the commitment statement at the beginning?  Are headings used?  Are individuals listed by name for an area they are responsible for, or are titles used where appropriate?  Are procedures part of the policy or in a separate document?


Once you have the format figured out, it is time to move on to the content.  Luckily, sections 1022.30-1022.32 lend themselves nicely to being easily adapted into a policy and procedures.  For example, 1022.30(b)(1) reads as follows:

  “(1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit, except as provided in this section.”


This can be reworded to read:


We will not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit, except as allowed.


You now have number 2 on the list above completed.  Numbers 3–7 can be accomplished in the same manner.  In addition, the rules for use of medical information have lots of great examples.  These examples can be cut and pasted into the policy and procedures or an appendix to the policy and procedures.  They can also be used for training employees who must comply with the rules.


If there aren’t procedures and a policy in place, it is now time to get to work writing so when management is asked to provide them to an examiner, auditor, or (yikes, take a deep breath) someone’s attorney, you will be prepared.


And don’t forget to document your financial institution’s monitoring and the training that was provided to staff (who, what, when, how, testing results, etc.).  Hmm, this could be the topic for another article.  Stay tuned!!