APA Comments
Comments of EPIC to the CFPB On the Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information
Docket No. CFPB-2024-0023
I. Introduction
The Electronic Privacy Information Center (EPIC) submits these comments in response to the Consumer Financial Protection Bureau (CFPB or the Bureau)’s Notice of Proposed Rulemaking entitled Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information (Regulation V), published on June 18, 2024.[1]
EPIC is a public interest research center in Washington, D.C., established in 1994 to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation.[2] EPIC has long advocated for privacy rights and robust safeguards to protect consumers. EPIC has previously called on the CFPB to strengthen its Fair Credit Reporting Act (FCRA) regulations, including provisions that would ensure personal data can only be collected, used, or disclosed as necessary to fulfill purposes consistent with the reasonable expectations of consumers.[3] EPIC has also fought for greater transparency and oversight with respect to how companies collect, use, and disseminate personal data[4] and stricter enforcement to safeguard the rights of consumers.[5]
EPIC supports the CFPB’s efforts to regulate the collection and dissemination of personal information through rulemaking. EPIC has previously engaged with the Bureau’s work on consumer privacy through our January 2023 comments on the CFPB’s Rulemaking on Personal Financial Data Rights,[6] our February 2023 coalition letter regarding credit header data,[7] our July 2023 comments in response to the Bureau’s Request for Information regarding data brokers,[8] and our September 2024 comments in respond to the Bureau’s Small Business Advisory Review Panel for Consumer Reporting Rulemaking Outline of Proposals and Alternatives Under Consideration.[9] We commend the Bureau for proposing rules which will protect the privacy of consumers’ sensitive medical information and promote fairness and accuracy in credit reporting.
With this comment, we support the CFPB’s proposals and emphasize the Bureau’s legal authority to promulgate the proposed rules.
II. EPIC Supports the CFPB’s Proposed Rule Amending Regulation V
II. EPIC Supports the CFPB’s Proposed Rule Amending Regulation V
At its core, the Fair Credit Reporting Act (FCRA) promotes fairness and accuracy in credit reporting. The inclusion of medical debt on credit reports undermines those goals, as the Bureau’s NPRM demonstrates. People who accrue medical debt often do so because they experience serious and unexpected illnesses or injuries. After a life-altering medical event, individuals and their families contend with the medical billing system, which is riddled with complexity and errors. Many consumers receive medical bills that contain errors; the CFPB’s NPRM cites a survey finding that 51% of respondents who noticed an error on a medical bill did not dispute the error or were unable to resolve their dispute.[10] Often consumers do not notice erroneous medical bills until they discover than such a bill negatively impacted their credit when they are turned down for a loan.[11] In other cases consumers may pay medical bills they know they do not owe to avoid taking a hit to their credit—indeed, medical debt collectors may even leverage the risk of credit damage to pressure consumers into paying medical bills.[12] As the Bureau’s NPRM demonstrates, the inclusion of medical debt on credit reports undermines fairness and accuracy in credit reporting, resulting in financial harm to consumers facing serious medical challenges and their families.
The inclusion of medical debt also poses a risk to consumer privacy. The inclusion of medical debt on a credit report may indicate that an individual is disabled or has had a serious injury or illness. Such inferences may result in health discrimination against consumers. For example, medical debt reporting could facilitate unlawful employment discrimination on the basis of disability or medical condition.[13] Health information is particularly sensitive and requires heightened privacy protections. The Health Information Portability and Accountability Act (HIPAA)[14] recognizes individuals’ right to the privacy of their health information. The Fair and Accurate Credit Transactions Act of 2003 (FACTA),[15] which is at the core of this rulemaking, recognizes that medical information is particularly sensitive, which is why Congress chose to include a broad prohibition on the use of medical information in credit reporting.
Given the serious financial and privacy risks that can be caused by the inclusion of medical debt on credit reports, the burden to avoid or correct erroneous medical debts should not be placed on individual consumers. Navigating medical debt collection systems is difficult, especially given the added stress of recovering from the medical issues which resulted in debt. Further, consumers may not even have the legal ability to meaningfully challenge the inclusion of erroneous medical debt entries on their credit reports. In TransUnion LLC v. Ramirez, the U.S. Supreme Courtlimited consumers’ Article III standing to sue companies for maintaining inaccurate information in their credit files, holding that the plaintiffs in the case had not suffered a concrete injury absent disclosure of the inaccurate information to a third party.[16] Because consumers have limited legal recourse to hold companies accountable for failing to maintain current and accurate credit files, it is all the more important that CFPB step in to protect consumers by prohibiting the inclusion of medical debt on credit reports.
III. The CFPB Has Authority to Promulgate This Rule
III. The CFPB Has Authority to Promulgate This Rule
The Bureau’s proposed rules are supported by legislative history of FACTA’s enactment in 2003. Congress intended for FACTA to contain broad privacy protections for medical information, including medical financial information on credit reports. In congressional debates on FACTA, multiple members of Congress stated that the law should include strong privacy protections for medical information, including financial information on credit reports. For example:
– Rep. Dennis Moore (D-KS-03): “The FACT Act will: . . . Provide consumers with broad new medical privacy rights.”[17]
– Rep. Paul Kanjorski (D-PA-11): “These provisions, among other things, will improve the accuracy of and correction process for credit reports and establish strong privacy protections for consumers’ sensitive medical information.”[18]
– Rep. Sue Kelly (R-NY-19): “We have also made other important improvements to the FCRA in order to protect the sanctity of privacy of the American people throughout the credit-granting process. I believe that medical information of consumers should be kept private and does not need to be shared or distributed to others by creditors listed on credit reports. Individuals should know their personal medical information belongs to them and is not released for other purposes, whether it is for the credit-granting process or employee background checks.”[19]
– Rep. Joe Crowley (D-NY-14): “Most importantly, this bill ensures the strict prohibition of medical and health information from being used in the credit-granting or denial process. No longer can the information used in hospitals and in doctors’ offices be used to decide one’s creditworthiness.”[20]
– Rep. Rahm Emanuel (D-IL-05): “Medical information should have no place in employment decisions or credit determinations, and corporate affiliates should not be able to share it. This information deserves the strongest protection under the law, but beyond that it is important that we give consumers back some control over who can and cannot use this information. . . . Your medical information, medical information in your family from here forward is blacked out. It protects you in the most sensitive area. It blacks out the use of medical information in the credit-granting process. . . . It blacks out the use of medical information to create individualized or aggregate lists based on consumers’ payment transactions for medical products; creates a new and higher standard for reporting by credit reporting agencies to others who have requested information; and establishes strict limits on the reuse of medical information.”[21]
– Rep. Steny Hoyer (D-MD-05): “Finally, the Act greatly expands the protections in the Fair Credit Reporting Act that govern the sharing and use of sensitive medical records and information, as well as information pertaining to medical-related payments and debts. These provisions will prohibit consumer reporting agencies from including medical information in a consumer’s credit report unless the medical information is directly relevant to the consumer’s attempts to obtain employment or credit and the consumer has explicitly consented to the release of the information.”[22]
– Rep. Michael Oxley (R-OH-04): “Equally important, we provide critical new protections for consumers’ medical information. After this bill is enacted, lenders will not be able to use medical information without an individual’s consent, nor will they be able to share or have access to unencrypted private medical information without consent. These are important benefits that will protect consumers in every State.”[23]
As the legislative history above shows, Congress intended for FACTA to protect the privacy of consumers’ medical debt information in credit reporting. FACTA amended Section 604(g)(5)(A) to read:
Unfortunately, the agency-crafted carveout to FACTA that has permitted entities to include medical debt on credit reports is overbroad and does not meet the “necessary and appropriate” threshold set forth in FACTA.[25] As the above legislative history shows, Congress clearly intended to protect the privacy of medical information, including financial information like medical debt, when it enacted FACTA. But in construing the “necessary and appropriate” exception set out by Congress, agencies (including the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance; Office of Thrift Supervision, Treasury; and National Credit Union Administration) established an overly permissive carveout that broadly empowered entities to include information about medical bills and debt on credit reports.[26] This result is directly contrary to Congress’s stated goal of protecting the privacy of medical financial information.
The rule put forward by the CFPB would correct this error and fulfill Congress’s privacy-enhancing purpose in enacting FACTA. We urge the Bureau to exercise its authority to safeguard medical financial authority and adopt the rule as proposed.
IV. Conclusion
IV. Conclusion
We commend the CFPB’s work to strengthen the privacy of medical information in credit reporting. In this comment and our previous engagements with the Bureau, we have advocated for strong consumer privacy protections. This rule presents an opportunity for the CFPB to update FCRA regulations to better protect consumers’ medical privacy. We appreciate this opportunity to comment, and we are eager to engage with the Bureau further as the rulemaking process continues. If you have any questions, please contact EPIC Director of Litigation John Davisson ([email protected]).
Respectfully submitted,
/s/ John Davisson
John Davisson
Director of Litigation
/s/ Caroline Kraczon
Caroline Kraczon
Law Fellow
[1] Proposed Rule: Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information (Regulation V), Consumer Financial Protection Bureau (June 18, 2024) [hereinafter “Medical Information Prohibition NPRM”].
[2] About Us, EPIC, https://epic.org/about/ (2024).
[3] EPIC, Comments on CFPB Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16,951 (Jul. 14, 2023); cf. Consumer Reps. & EPIC, How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Rulemaking (2022), https://epic.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF.pdf.
[4] See, e.g., Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors: Hearing Before the H. Comm. on House Admin., 117th Cong. 53 (2022), https://epic.org/documents/hearing-on-big-data-privacy-risks-and-needed-reforms-in-the-public-and-private-sectors/ (statement of Caitriona Fitzgerald, Deputy Director, EPIC); EPIC, Comments on CFPB Inquiry into Big Tech Payment Platforms, 86 Fed. Reg. 61,182 (Dec. 21, 2021), https://epic.org/documents/epic-comments-on-cfpb-inquiry-into-big-tech-payment-platforms/.
[5] See, e.g., EPIC, Comments on CFPB Request for Information on the Equal Credit Opportunity Act and Regulation B, 85 Fed. Reg. 46600 (Oct. 2, 2020), https://epic.org/wp-content/uploads/apa/comments/EPIC-CFPB-Oct2020-AI-ML.pdf.
[6] EPIC, Comments on CFPB Consumer Financial Data Rights Rulemaking (Jan. 25, 2023).
[7] Coalition Letter to CFPB Requesting Broad Consumer Financial Market Correction, Beginning with an Advisory Opinion Regarding Credit Header Data (Feb. 8, 2023), https://epic.org/wp-content/uploads/2023/02/2023-02-08-Coalition-Letter-to-CFPB.pdf.
[8] EPIC, Comments on CFPB Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16,951 (Jul. 14, 2023).
[9] EPIC, Comments on CFPB Small Business Advisory Review Panel for Consumer Reporting Rulemaking Outline of Proposals and Alternatives Under Consideration, (Oct. 30, 2023).
[10] Medical Information Prohibition NPRM at 10 (citing Karen Pollitz & Kaye Pestaina, Kaiser Fam. Found., Could Consumer Assistance Be Helpful to People Facing Medical Debt? (July 14, 2022), https://www.kff.org/policy-watch/could-consumer-assistance-be-helpful-topeople-facing-medical-debt/ (analyzing results of 2022 Kaiser Family Foundation Health Care Debt Survey)).
[11] Id. at 4 (citing Consumer Fin. Prot. Bureau, Consumer credit reports: A study of medical and non-medical collections, 15- 16, 38-49 (Dec. 2014), https://files.consumerfinance.gov/f/201412_cfpb_reports_consumer-credit-medical-and-nonmedical-collections.pdf).
[12] Id. at 106.
[13] See Medical Condition Discrimination Laws in Employment, Justia, https://www.justia.com/employment/employment-discrimination/medical-condition-discrimination/ (last visited Aug. 9, 2024); Ebone Wilson, How Medical Debt Can Impact Your Job Search and Employment, Delancey Street (Apr. 11, 2024), https://www.delanceystreet.com/how-medical-debt-can-impact-your-job-search-and-employment/.
[14] Pub. L. 104-191, 110 Stat. 1936 (1996).
[15] Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. 108-159, 117 Stat. 1952, 1999 (2003).
[16] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).
[17] 149 Cong. Rec. E2493-03 (2003).
[18] 149 Cong. Rec. H8122-02 (2003).
[19] Id.
[20] Id.
[21] Id.
[22] Id.
[23] 149 Cong. Rec. H8118-06 (2003).
[24] 15 U.S.C. § 1681b(g)(5) (emphasis added).
[25] FACT Act section 411(a), 117 Stat. 2001 (15 U.S.C. 1681b(g)(5)(A)).
[26] 70 Fed. Reg. 70,664 (Nov. 22, 2005).
News
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate