Page:United States Statutes at Large Volume 117.djvu/2020

 PUBLIC LAW 108–159—DEC. 4, 2003

117 STAT. 2001

authority (with respect to any person engaged in providing insurance or annuities).

“(4) LIMITATION ON REDISCLOSURE OF MEDICAL INFORMATION.—Any person that receives medical information pursuant to paragraph (1) or (3) shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

“(5) REGULATIONS AND EFFECTIVE DATE FOR PARAGRAPH (2).—

“(A) REGULATIONS REQUIRED.—Each Federal banking agency and the National Credit Union Administration shall, subject to paragraph (6) and after notice and opportunity for comment, prescribe regulations that permit transactions under paragraph (2) that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (and which shall include permitting actions necessary for administrative verification purposes), consistent with the intent of paragraph (2) to restrict the use of medical information for inappropriate purposes.

“(B) FINAL REGULATIONS REQUIRED.—The Federal banking agencies and the National Credit Union Administration shall issue the regulations required under subparagraph (A) in final form before the end of the 6-month period beginning on the date of enactment of the Fair and Accurate Credit Transactions Act of 2003.

“(6) COORDINATION WITH OTHER LAWS.—No provision of this subsection shall be construed as altering, affecting, or superseding the applicability of any other provision of Federal law relating to medical confidentiality.”.

(b) RESTRICTION ON SHARING OF MEDICAL INFORMATION.—Section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)) is amended—

(1) in paragraph (2), by striking “The term” and inserting “Except as provided in paragraph (3), the term”; and

(2) by adding at the end the following new paragraph:

“(3) RESTRICTION ON SHARING OF MEDICAL INFORMATION.—Except for information or any communication of information disclosed as provided in section 604(g)(3), the exclusions in paragraph (2) shall not apply with respect to information disclosed to any person related by common ownership or affiliated by corporate control, if the information is—

“(A) medical information;

“(B) an individualized list or description based on the payment transactions of the consumer for medical products or services; or

“(C) an aggregate list of identified consumers based on payment transactions for medical products or services.”.

(c) DEFINITION.—Section 603(i) of the Fair Credit Reporting Act (15 U.S.C. 1681a(i)) is amended to read as follows:

“(i) MEDICAL INFORMATION.—The term ‘medical information’—

“(1) means information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to—

“(A) the past, present, or future physical, mental, or behavioral health or condition of an individual;


Deadline.
