Saturday, September 15, 2012

Do Banks Fall Under HIPAA? - Health Data Management

In recent months, banks and other financial institutions have lobbied the Department of Health and Human Services to be exempt from requirements under the Health Insurance Portability and Accountability Act.

Whether banks should be considered clearinghouses under HIPAA's transactions and code sets rule, and therefore also governed by the privacy and data security rules, was the focus of a recent public hearing sponsored by the National Committee on Vital and Health Statistics, which advises HHS on health data issues. The NCVHS privacy and confidentiality subcommittee heard testimony from industry experts and expects to make recommendations to the full committee.

The question of whether banks fall under HIPAA is important because the banking industry, through electronic remittance advice transactions, receivables financing arrangements based on claims data, and other services, handles a significant amount of protected health information.

Further, claims clearinghouses fear that enabling banks to process health care transactions yet be exempt from HIPAA rules will result in a competitive disadvantage.

'Clearinghouses have to meet the privacy rule and if banks don't, that's not a level playing field,' argues Thomas Gilligan, executive director of the Association for Electronic Health Care Transactions, a Washington-based trade group. 'A health care clearinghouse not following the privacy rule is out of business and that should just be the cost of doing business for financial institutions.'

Different interpretations

At the crux of the issue is the reluctance of banks to be considered claims clearinghouses under HIPAA, meaning they would be covered entities under the transactions, privacy and security rules. Gilligan, working with financial institutions in the mid-1990s, helped push through a section of HIPAA, Section 1179, that exempted many activities of financial institutions from HIPAA.

Banks are using Section 1179 to argue that they are exempt from HIPAA requirements when handling electronic remittance advice (itself a HIPAA transaction), because the transaction is part of the 'payments process' referenced in the section.

However, HIPAA's conference report (written during the process in which the U.S. House and Senate resolve differences between their versions of a bill and also explain congressional 'intent') states that an exemption from HIPAA exists only for consumer payment transactions, such as when an individual pays a hospital bill by check, credit card or debit card.

Enabling banks to handle health care transactions outside of HIPAA worries clearinghouses and other covered entities that make money from these transactions.

But it also concerns privacy advocates who worry that protected health information won't be adequately secured when banks handle it. If HHS rules banks are not subject to HIPAA, large amounts of protected health information could move, without full encryption, through the automated clearinghouse network that banks use to process transactions, according to Anna Slomovic, a senior fellow at the Electronic Privacy Information Center in Washington.

'Our greatest concern is that automated clearinghouse transactions would be subject to data mining for marketing and credit evaluation,' Slomovic told the subcommittee.

As transactions go through the automated clearinghouse network, 'they are captured and stored unencrypted in intermediary nodes,' she added. 'This is necessary in order to trace network problems and verify transaction integrity for financial transactions. Unfortunately, this means that protected health information that is part of those transactions will be stored as well. This protected health information would not be protected by the privacy rule either through direct application to covered entities or through business associate contracts.'

The other side

However, financial institutions are not trying to avoid HIPAA's privacy and security requirements, contended J. Steven Stone, senior vice president of PNC Bank in Pittsburgh and representing the American Bankers Association and the Electronic Payments Association.

Both associations 'are unequivocally opposed' to data mining records of health care transactions for medical information, Stone said. Further, he added, financial institutions with access to protected health information should be business associates under HIPAA, thereby subject to the privacy and security rules.

'Financial institutions exist for one reason: because the public trusts us to protect and preserve their assets and their information,' Stone told the NCVHS subcommittee. 'If we fail in that mission, if we violate that trust, we will not be in business for long.'

Copyright 2004 Thomson Media Inc. All Rights Reserved. http://www.thomsonmedia.com http://www.healthdatamanagement.com