CIPP/US Study Guide
Chapter 9: Financial Privacy

Medical Information and Prescreened Lists Under FCRA

FCRA limits use of medical information from CRAs, generally requiring consent or coding for insurance, employment or credit uses. Prescreened lists let creditors and insurers make firm offers, but users must set criteria in advance, keep them on file for three years, include the required statements, and honor opt-outs.

Medical information from CRAs is restricted (except coded payment data that does not identify the provider). For insurance use, the consumer must consent or the data must be coded; for employment or credit use, the consumer must give specific written consent and the information must be relevant. A recipient may not re-disclose medical information except as necessary or as permitted by law.

  • Before a prescreened offer, the user must establish the criteria to be used and grant credit/insurance on those criteria.
  • Maintain the criteria on file for three years from the date each offer is made.
  • Include a clear statement that file information was used, that the consumer met the criteria, that credit/insurance may not be extended if criteria are not met, and how to opt out.
  • Since 2005, prescreened solicitations must carry simple opt-out notices; the FTC requires a layered notice with opt-out rights on the first page.