717.32—Sharing medical information with affiliates.
(b) In general.
The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if a Federal credit union communicates to an affiliate:
(2)
An individualized list or description based on the payment transactions of the consumer for medical products or services; or
(3)
An aggregate list of identified consumers based on payment transactions for medical products or services.
(c) Exceptions.
A Federal credit union may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (b) to an affiliate:
(1)
In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);
(2)
For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(5)
In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with § 717.30; or