Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act ("FCRA") from the requirements of the privacy regulation. These commenters noted that the protections in the privacy regulation duplicate those in the FCRA.
Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA's focus is not the same as our Congressional mandate to protect individually identifiable health information.
To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of §§ 164.501 and 164.502 below.
We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of "consumer reporting agencies." As such, these entities are subject to the FCRA. As described in the preamble to § 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA.
Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation's requirement applied to information disclosed to consumer reporting agencies.
Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under § 164.512(a). See also discussion under the definition of "payment" below.