HIPAA news
HIPAA advisory
HIPAAdvisory > HIPAAnews Phoenix Health Systems
news
regs
action
tech
views
wares
alert
live
notes
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

Banks Urged to Apply for Compliance Extension

The American Bankers Association and the National Automated ClearingHouse Association (NACHA) are encouraging banks to seek a one-year extension to the HIPAA transactions compliance date.

The HIPAA Transactions Rule applies to all healthcare providers, plans and “healthcare clearinghouses” as well as their third-party “business associates.” According to the Department of Health and Human Services (HHS), banks could be considered “healthcare clearinghouses” if they process certain payments (e.g., provide lockbox services) or other transactions for doctors, pharmacies, hospitals, etc. that include personally identifiable “protected health information” (PHI). Demographic data about patients such as name and address or patient IDs will be considered “protected” if it can be linked to a healthcare provider’s name, treatment, product description or other data from which medical facts about the patient may be inferred.

HHS has not yet determined whether certain bank payment processing activities make banks subject to the HIPAA rule. Through the HIPAA Banking Task Force, ABA and NACHA have argued that most banks should be exempt, and are working actively with HHS to resolve the issue. Nonetheless, the compliance deadline for the HIPAA Transactions Rule of October 16, 2002 is looming, and HHS expects banks to take action.

HHS will extend the compliance deadline for one year for banks and other parties that file an extension letter with the agency by October 15. To make this easier for banks, ABA and NACHA have created a sample letter that says the bank promises to be in compliance by October 16, 2003, if HHS determines that banks are subject to HIPAA.

According to American Banker magazine, more disturbing to banks are the law's reporting burdens. They would have to separate health-care payments from other transactions they process through the Automated Clearing House (ACH) Network and reformat them to meet the law's exacting guidelines. "This could mean billions of transactions a day and drastically increase processing time," said Gary Clark, senior product manager for Bank One Corp. in Chicago.

In a white paper presented to HHS in late May, the HIPAA Banking Task Force proposes that a bank be considered a health-care clearinghouse under just one condition: if it has a contract with a health-care provider requiring the bank to edit and reformat data to the HIPAA's specifications. But the department has yet to respond, and members of the task force said that they did not know when it would.

In addition, banks may well be “business associates” under HIPAA, which means that healthcare customers may be asking for banks to modify their contracts to become “HIPAA compliant.” ABA believes some of the HIPAA model contract provisions conflict with federal banking law and is working with industry attorneys to craft model agreement language acceptable to banks. American Banker reports Chris Naser, senior counsel for the American Bankers Association, said the banking industry has no objection to this distinction and that banks can easily meet these standards. "What we are saying" about privacy "is that Gramm-Leach-Bliley gets us 80% or 90% of the way, so some banks may have to amend their privacy policies slightly," Ms. Naser said.

To help speed the process along, the task force is preparing a privacy-compliance checklist. It is also trying to lobby HHS. "The problem with HHS," Ms. Naser said, "is that this is not its territory and they do not know about ACH program payments, so we are trying to educate them and talk to them about it."

ABA/NACHA Sample HIPAA Deadline Extension Letter.

Read the "White Paper on HIPAA Related Issues Affecting the Banking Industry" (PDF).