Handle Medical Information With Care

Exercise caution when requesting information on medical debts.

February 1, 2012

Section 604(G) of the Fair Credit Reporting Act (FCRA) limits the circumstances under which consumer reporting agencies can furnish reports that contain medical information about consumers. “Medical information” is created by or derived from:

  •  A health provider or consumer that relates to the past, present, or future physical, mental, or behavioral condition of an individual;
  •  Providing health care to an individual; or
  •  The payment or provision of health care to an individual.

Credit unions should care about these restrictions because “medical information” includes consumer report data related to medical debts. The definition of medical information doesn’t include the age or gender of the consumer, demographic data, or anything unrelated to the physical, mental, or behavioral health or condition of the consumer, including the existence or value of any insurance policy.

FCRA prohibits creditors from obtaining or using a consumer’s medical information to determine eligibility for credit. But FCRA regulations contain exceptions to the general statutory prohibition on obtaining and using medical information, including exceptions for the use of medical information that’s also financial-related and typically considered in credit underwriting.

Financial information exception

Under the “financial information exception,” credit unions may obtain and use medical information to determine credit eligibility if:

  • It’s information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of the proceeds;
  • The credit union uses it in a manner and to an extent no less favorable than it would use comparable information that’s not medically related in a credit transaction (medical expenses or income can be treated more favorably); and
  • The credit union doesn’t take the consumer’s physical, mental, or behavioral, condition or history, type of treatment, or prognosis into account as part of any credit eligibility determination.

The following example is consistent with the financial information exception:

A member’s credit application includes two $20,000 debts, one to a hospital and the other to a retailer. Both debts are more than 90 days past due. Any two debts of this size that are more than 90 days past due disqualify an applicant under the credit union’s established underwriting criteria. The credit union denies the application on the basis that the member has a poor repayment history on outstanding debts. In this case, the credit union has used medical information in a manner and to an extent no less favorable than it would use comparable nonmedical information. On the other hand, the institution would have violated the regulation if it applied more onerous lending criteria just because the member had substantial medical debt or serious health condition.

A creditor also may obtain such information in connection with determining credit eligibility if it’s unsolicited. For example:

  • The credit union discovers the member owes a debt to a hospital in response to a general question regarding the member’s debts or expenses;
  • The member, during a conversation with a loan officer, volunteers that he has a particular medical condition; or
  • A medical debt appears on a credit report even though the credit union didn’t specifically request medical information from the consumer reporting agency.

None of these examples would violate the general prohibition on obtaining medical information from a consumer. The credit union can use this unsolicited information in credit eligibility determinations so long as the usage meets either the financial information exception, or one of the additional exceptions
outlined below.

Next: Additional exceptions 

Additional exceptions

The regulation also contains specific exceptions for obtaining or using medical information. These exceptions apply when:

  • Determining whether the use of a power of attorney or legal representative is necessary and appropriate.
  • Complying with applicable local, state, or federal laws.
  • Using the information included in a credit bureau consumer report, as permitted under FCRA, for the same purpose in which the consumer provided written consent.
  • Preventing and detecting fraud.
  • Verifying the medical purpose of a loan and use of the proceeds to finance medical products or services.
  • Complying with written requests by the consumer or the consumer’s legal representative that the creditor use specific medical information in determining credit eligibility to accommodate the consumer’s particular circumstances. The request must describe the specific medical information and the specific purpose for which it will be used. This exception isn’t intended to be used on a routine basis and doesn’t allow for forms with preprinted descriptions of medical information and purposes for which it may be used.
  • Complying with orders by appropriate government agencies, such as NCUA.

Sharing medical information with affiliates

FCRA also restricts sharing medical-related information with affiliates (e.g., credit union service organizations) if it meets FCRA’s definition of “consumer report” (generally refers to credit or personal information to establish eligibility for credit, employment, etc.). The implementing regulations, however, create the following exceptions that allow credit unions to share medical information with affiliates under the standard FCRA exceptions, such as sharing transactional or experiential information among affiliates or sharing other information after providing consumers with the opportunity to “opt-out”:

  • In connection with the business of insurance or annuities.
  • For any purpose permitted without authorization under the Standards for Individually Identifiable Health Information issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA). This generally applies to information necessary to insure access to effective health care.
  • Pursuant to HIPAA provisions pertaining to authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments.
  • As permitted under Section 502(e) of the Gramm-Leach-Bliley Act (GLBA), which allows sharing of information with consent of the consumer, for fraud prevention purposes, or to process a transaction authorized by the consumer.
  • As otherwise permitted by regulations or orders.

Finally, note that other laws—such as the Americans with Disabilities Act, the Fair Housing Act (FHA), GLBA, HIPAA, and other parts of FCRA—may limit or regulate the use, collection, and sharing of consumer information. This includes medical information.

These and other laws like the Equal Credit Opportunity Act also may prohibit the credit union from using certain information that is excluded from the restrictions on obtaining or using medical information, such as age or gender, to determine eligibility for credit or for other purposes. The exceptions created by this particular regulation don’t override or modify, or in any way limit, the credit union’s responsibility to comply with all applicable federal and state fair lending laws.

For details on FCRA requirements, visit CUNA’s e-Guide at

VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at