Well, most of you have heard me, for several years now, talking about the impact of HIPAA on banking and Financial Institutions. I remember as a hospital CIO getting all this stuff from the Medical Banking Project and wondering what it had to do with me - - I used to send it on the revenue cycle people, who in turn, I'm sure, wondered what it had to do with them . . . That was probably the early 2000’s. Now we know.
Today’s healthcare providers must continue to diligently require business associate contracts from their financial institution partners when there is access, use or disclosure of personal health information (PHI). This happens in cash management with lockbox arrangements, with EDI operations and in other areas. Here’s an example: when a bank’s lockbox is used to gather, collect and streamline payments and it includes processing the Explanation of Benefits (EOBs), this will result in the application HIPAA. That is because much of the information in the EOB is individually identifiable health information.
The biggest banks may have a clue about what is coming but I’m not sure all the financial institutions or smaller banks understand what HIPAA/HITECH is all about or the difference between Covered Entity and Business Associate let alone the difference between “the use or disclosure of protected health information on behalf of, or provides services” and “incidental disclosure”. And certainly not in terms of their operations and obligations:
- Smaller banks may not be ready when their healthcare clients – health plans and healthcare providers – ask them to sign a HIPAA business associate agreement; and
- Under HITECH, the penalties for non-compliance have been expanded into the business associate category, so the risk level for payment processing in healthcare has increased - - for the financial institution
Most banks already have the security and privacy precautions called for under the federal regulations related to banking but these don’t align perfectly with HIPAA/HITECH. In any case, a gap assessment should be done and calls for “proof” are not uncommon from the provider side and may be written into the BAA. Financial institutions need to be prepared to provide proof.
Here are some of the things that will be impacted: rules for the eligibility and claim status transactions have a compliance date of Jan. 1, 2013. Other rules will cover electronic funds transfers and electronic remittance advice (2014); and claims/encounters, coordination of benefits, enrollment/disenrollment, premium payments, attachments, and referral certification and authorization (2016).
So, here are a couple good things about all this healthcare reform and financial institutions: 1) The use of Electronic Health Care Payments should drastically increase; and 2) financial institutions can help health plans and providers become more efficient (as in reduce costs) by using electronic payments instead of checks.
I’m guessing most of you have seen “ACH” on a bank statement. ACH is the Automated Clearing House and that is how all that money your employer provides you winds up in your bank account (unless you still get a check - - I can’t remember the last time I actually saw a paycheck). NACHA is the private, rule making body that administers the ACH network and after 2014 most of those healthcare payments will have to be in HIPAA standard form.
I won’t try to explain how Electronic Funds Transfer works today (and I'd be afraid to ask a bank) except to say there are currently two standards CCD+ (which carries no PHI) and CTX and that the CTX carries the EFT (payment instructions) and the ERA payment information together over the ACH network and either format can be specified in the 835 payment instructions. The good news is that transmission of ACH payments is secure - - these payments are already subject to strict data security controls - - separate and apart from HIPAA and financial institutions have to attest to compliance with these rules. The ACH network is closely audited and Federal regulatory agencies and while the laws are not healthcare specific the protections are applied broadly.
Like HIPPA, the rules require that reasonable safeguards be implemented but doesn’t dictate specific security solutions. Financial institutions must document and implement a security program that includes administrative, technical and physical safeguards (sound familiar?) appropriate to the size and complexity of the organization and the scope and nature of its activities. And again, just like HIPAA, the safeguards must be driven by a Risk Assessment (what a novel idea!).
Most financial institutions don’t provide Business Associate type services to Covered Entities and don’t routinely access PHI to perform the services they do provide. They do banking stuff so they won’t likely be a BA. And lest we forget, lenders may not use, under law, medical information to make credit decisions.
All that said the transition will not be without some effort (and cost, for any CFOs that might be reading). Patient Accounting systems will have to comply with many of the banking standards. Payer EOBs are (still) not standardized. If a BA is required, there will be a lot of “banker education” around HIPAA and then there is the testing. Having looked at BAAs from both sides now, I’m certain the Bank’s BA won’t look anything like the Covered Entity’s - - whose data is at risk here. And given that HITECH expands the risks for Business Associates (as in “the bank”), well, this could take a while.
PPACA, which as of today is still the law of the land, added accountability for financial institutions that provide medical lockboxes and other special services to healthcare providers and payers. HITECH modified and amplified the HIPAA provisions that affect financial institutions. Financial institutions will need to be knowledgeable about HITECH and assess whether these provisions impact current or future services. While the regulations specific to their industry give them a good start, they will need to do assessments/gap analysis and review internal policies, practices and procedures to help ensure compliance. It is not too soon to start.