When Does HIPAA Apply to Banks?

Uncertainty Remains After Electronic Funds Transfer Rule Issued

The federal government has issued streamlined standards for the electronic funds transfers that a health plan uses to pay a claim, as well as for the related electronic remittance advice. But despite the issuance of a new rule enacting the standards, it remains unclear under what circumstances the HIPAA privacy and security rules might apply to banks handling these transactions, one compliance expert says.

All health plans covered under the Health Insurance Portability and Accountability Act must comply with the new standards by Jan. 1, 2014, according to the interim final rule from the Department of Health and Human Services.

The rule adopts streamlined standards for the format and data content of a transmission a health plan sends to its bank when it wants to pay a claim to a provider through electronic funds transfer as well as updated standards to issue an electronic remittance advice notice. These notices, which explain the payment details, often are transmitted separately from EFTs. So the new rule requires the use of a trace number to ease the matching of the payment with the remittance advice, eliminating costly manual reconciliation, according to HHS.

HHS contends that the new standards could save more than $4.5 billion over the next 10 years by eliminating various manual processes.

Sorting Out Privacy Issues

Dan Rode, vice president of policy and government relations at the American Health Information Management Association, says "lawyers are going to have to figure out" under what circumstances the HIPAA rules - rather than various banking privacy rules - apply to banks involved in these transactions. For example, if a bank qualified as a business associate under HIPAA, it would have to comply with HIPAA privacy and security guidelines.

Under the original HIPAA rules, banks that handle EFT for health plans are not considered business associates. But a pending final version of proposed modifications to HIPAA, expected in the coming months, could change that in cases where banks have direct access to protected health information and serve as more than just a conduit for payments, Rode says. "Banking as it was defined back in 1996 is different than banking as it's described in 2012," he notes.

The HHS Office for Civil Rights plans to issue a long-overdue omnibus package of regulations in the weeks ahead that will include a final version of the HIPAA modifications as well as the HIPAA breach notification rule.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.