Here is the latest monthly blog from the HIMSS Privacy and Security Committee, called PSST!. Keep reading to learn more about this month's topic, Medical Banking and HIPAA, by HIMSS P&S Committee member David S. Finn, CISA, CISM, CRISC, Health IT Officer, Symantec Corporation.
PPACA, the Patient Protection and Affordable Care Act (which today is still the law of the land), added accountability for financial institutions that provide medical lockboxes and other specialized services to healthcare providers and payers.
In my former role as a CIO, I recall often talking about the impact of HIPAA on banking and financial institutions.
I recall getting all this material from the Medical Banking Project (now part of HIMSS) and wondering what it had to do with me. I used to send it on to the revenue cycle people, who, in turn, wondered what it had to do with them. That was probably the early 2000s. Now we know.
HIMSS Medical Banking recognized early on that today's healthcare providers must continue to diligently require HIPAA Business Associate Agreements (BAAs) from their financial institution partners whenever the arrangement involves access to, use of, or disclosure of protected health information (PHI). This happens in cash management with lockbox arrangements, in EDI operations and in other areas.
Here is an example: when a bank's lockbox is used to collect and streamline payments, and the service includes processing the Explanation of Benefits (EOB) that accompanies each payment, the HIPAA Privacy and Security Rules apply. Much of the information in an EOB (patient name, dates of service, procedure codes, diagnosis-related information) is individually identifiable health information, and the bank's access to it makes the bank a HIPAA business associate.
The biggest banks may have a clue about what is coming, but I'm not sure all financial institutions, and smaller banks in particular, understand what HIPAA/HITECH is all about, or the difference between a Covered Entity and a Business Associate, let alone the difference between performing a function that involves "the use or disclosure of protected health information on behalf of" a covered entity (which makes you a business associate) and an "incidental disclosure" (which does not). And certainly not in terms of their own operations and obligations:
- Smaller banks may not be ready when their healthcare clients (health plans and healthcare providers) ask them to sign a business associate agreement; and
- Under HITECH, the penalties for non-compliance now apply directly to business associates, so the risk level for payment processing in healthcare has increased for the financial institution itself.
Most banks already have the security and privacy controls called for under the federal banking regulations, but these do not align perfectly with HIPAA/HITECH. The HIMSS Medical Banking Project therefore recommends a gap assessment. Requests for "proof" of compliance from the provider side are not uncommon and may be written into the BAA, so financial institutions need to be prepared to produce that evidence.
Here are some of the transaction standards and operating rules that will be affected, with their compliance dates:
- Operating rules for the eligibility and claim status transactions: Jan. 1, 2013;
- Operating rules for electronic funds transfers (EFT) and electronic remittance advice (ERA): Jan. 1, 2014; and
- Claims/encounters, coordination of benefits, enrollment/disenrollment, premium payments, attachments, and referral certification and authorization: Jan. 1, 2016.
Here are two good things about all this healthcare reform and the impact of the participation of financial institutions:
1) The use of electronic healthcare payments should drastically increase; and
2) Financial institutions can help health plans and providers become more efficient (as in reduce costs) by using electronic payments instead of checks.
I'm guessing most of you have seen "ACH" on a bank statement. ACH is the Automated Clearing House, and that is how the money your employer pays you winds up in your bank account (unless you still get a check; I can't remember the last time I actually saw a paycheck). NACHA is the private rule-making body that administers the ACH network. After the 2014 compliance date, healthcare EFT payments from health plans will have to use the adopted HIPAA standard, which for ACH means a CCD+ entry whose addenda record carries the X12 TRN reassociation trace number, so the payee can match the payment to its electronic remittance advice.
The good news is that ACH payments are already subject to strict data security controls, separate and apart from HIPAA. Participating financial institutions must attest to compliance with the NACHA Operating Rules, and those institutions are examined closely by their federal regulators. While the banking laws are not healthcare-specific, the protections apply broadly to whatever passes through the network.
Financial institutions must document and implement a security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the organization and the scope and nature of its activities. Sound familiar? Like HIPAA, the rules on ACH payments require that reasonable safeguards be implemented but don’t dictate specific security solutions. The selection of safeguards must be driven by a Risk Assessment (what a novel idea!).
Many financial institutions do not provide business associate-type services to HIPAA covered entities and do not routinely access PHI to perform the services they provide. They do banking, and HIPAA itself carves out the core payment activities (authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments) from its scope, so a bank that only moves the money will not likely be a business associate. The line is crossed when the bank also handles PHI, as in the lockbox/EOB example above. And lest we forget, lenders may not, under law, use medical information to make credit decisions.
All that said, the transition will not be without some effort (and cost, for any CFOs that might be reading). Patient accounting systems will have to comply with many of the banking standards. Payer EOBs are (still) not standardized. If a business associate agreement is required, bankers will need to be educated about HIPAA. Also, there is the challenge of testing. …
Having looked at business associate agreements from both sides now, I'm certain a bank's BAA won't look anything like the covered entity's, and it is the covered entity whose data is at risk here. That is because HIPAA specifies required components for a BAA (permitted uses and disclosures, safeguards, breach reporting, subcontractor flow-down, return or destruction of PHI at termination) that banks have not likely incorporated in their standard contracts before. And given that HITECH expands the liability of business associates (as in "the bank"), well, this could take a while.
Clearly, HITECH modified and amplified the HIPAA provisions that affect financial institutions. Financial institutions must know about HITECH and assess whether these provisions impact current or future services. While the regulations specific to their industry give them a good start, they will need to do assessments/gap analysis and review internal policies, practices and procedures to help ensure compliance.
It is not too soon to start!