Today’s healthcare providers must continue to diligently require business associate contracts from the banking/financial institution partners when there is access, use or disclosure of personal health information (PHI). This can happen in the cash management/lockbox setting, EDI department and other areas.
For example, when bank lockboxes are used to gather, collect and streamline payments management, processing the Explanation of Benefits (EOB) triggers this important federal mandate, because much of the information in the EOB is individually identifiable health information.
While this is old news to the nation’s largest banks, take note:
- Many smaller banks may not be ready when their healthcare clients – health plans and healthcare providers – ask them to sign a HIPAA business associate contract; and
- Under HITECH, the penalties for non-compliance have been expanded into the business associate category, so the risk level for payments processing in healthcare has increased (from a banker’s perspective).
While many, if not most, banks already have the safety precautions called for in the federal regulations, a gap assessment is likely required; calls for proof are not uncommon in the business associate legal language.
To further identify the evolving best practices in this area, I will be representing HIMSS as a panel member on June 27, from 1:30-3 p.m. ET, to discuss: Dispelling the Myth that Healthcare Regulatory Compliance is Inherently Addressed within Existing Controls.
The panel includes:
- Lee Barrett, Executive Director, Electronic Healthcare Network Accreditation Commission (EHNAC)
- John Casillas, Senior Vice President, HIMSS Medical Banking Project
- Jan Estep, President, NACHA – The Electronic Payments Association
- Alberto Casas, Vice President, CitiBank
- Sharon Klein, Esq., Pepper Hamilton LLP
This is a free webinar with information on:
- why the healthcare legislation of HIPAA, ARRA/HITECH and safeguarding protected health information is so critical;
- what the ramifications may be of not meeting compliance; and
- what you can do to protect your organization and mitigate risk of PHI disclosure.
You can register here.