When Does HIPAA Apply to Banks?Uncertainty Remains After Electronic Funds Transfer Rule Issued
The federal government has issued streamlined standards for electronic funds transfers that a health plan uses to pay a claim, as well for related electronic remittance advice. But despite the issuance of a new rule enacting the standards, it remains unclear under what circumstances the HIPAA privacy and security rules might apply to banks handling transactions, one compliance expert says.
All health plans covered under the Health Insurance Portability and Accountability Act must comply with the new standards by Jan. 1, 2014, according to the interim final rule from the Department of Health and Human Services.
The rule adopts streamlined standards for the format and data content of a transmission a health plan sends to its bank when it wants to pay a claim to a provider through electronic funds transfer as well as updated standards to issue an electronic remittance advice notice. These notices, which explain the payment details, often are transmitted separately from EFTs. So the new rule requires the use of a trace number to ease the matching of the payment with the remittance advice, eliminating costly manual reconciliation, according to HHS.
HHS contends that the new standards could save more than $4.5 billion over the next 10 years by eliminating various manual processes.
Sorting Out Privacy Issues
Dan Rode, vice president of policy and government relations at the American Health Information Management Association, says "lawyers are going to have to figure out" under what circumstances the HIPAA rules - rather than various banking privacy rules - apply to banks involved in these transactions. For example, if a bank qualified as a business associate under HIPAA, it would have to comply with HIPAA privacy and security guidelines.
Under the original HIPAA rules, banks that handle EFT for health plans are not considered business associates. But a pending final version of proposed modifications to HIPAA, expected in the coming months, could change that in cases where banks have direct access to protected health information and serve as more than just a conduit for payments, Rode says. "Banking as it was defined back in 1996 is different than banking as it's described in 2012," he notes.
The HHS Office for Civil Rights plans to issue a long-overdue omnibus package of regulations in the weeks ahead that will include a final version of the HIPAA modifications as well as the HIPAA breach notification rule.