Health Information Compliance Alert

Published on Tue Mar 02, 2004 PDF

Don't wager on HIPAA to protect patient privacy at the bank 

Do you send your patients' protected health information to your bank along with your claims? Can your patients expect their private medical information to remain protected? The resounding answer is "No."

There is a huge tug of war being waged on whether banks are responsible for protecting patient privacy, and privacy may be on the losing end of the stick, experts tell Eli.

Though banks often act as clearinghouses for healthcare providers, the banking industry is working to exempt itself from the HIPAA umbrella. At a hearing before the National Committee on Vital and Health Statistics, the banking industry testified that the HIPAA regulation directly conflicts with the various other regulations with which banks must comply, explains Anna Slomovic, a senior fellow at the Electronic Privacy Information Center (EPIC) in Washington, DC.

Problem: "The regulations were never coordinated," and so it is likely that the banking regulations and the healthcare regulations stand in direct contrast to each other, Slomovic claims.

Solution: "Bank regulators and HIPAA regulators have to get together and work this stuff out," she recommends.

Business Associates?

In the meantime, banking groups like the American Banking Association and the Electronic Payments Association  have stated that banks can meet their HIPAA obligations via a business associate agreement (BAA), making any further HIPAA compliance unnecessary.

"It's not clear that BAAs provide an appropriate level of [patient privacy] protection," Slomovic says.

Warning: "The banks are going to be transmitting information to other banks. Once the data moves outside the HIPAA protection regime, there is no more protection," she clarifies. That means that as soon as your patient's information goes into the banking system, it is no longer safeguarded by HIPAA's privacy and security rules.

While there are personal privacy protections set forth in banking regulations, none of them produce the same effect as HIPAA. Example: The Financial Modernization Act, also known as Graham-Leach-Bliley Act (GLB), allows banks to share a client's information. This "record sharing" is "what we don't want in the case of health information," Slomovic asserts.

Though complying with HIPAA puts a tremendous burden on banks, it would enable the Office for Civil Rights to "come down directly on them for violations, unlike a BAA in which banks are only subject to potential termination for their contract," clarifies Debbie Larios, a partner in the Nashville, TN office of Miller & Martin. The risk of penalties would force banks to implement policies and procedures to protect PHI at all stages of a transaction, she says.

What's Good For the Goose.....

Banks' involvement in the healthcare industry isn't a foreign concept. A clearinghouse is the channel through which providers and health plans operate, explains Matthew Rosenblum, COO of CPI Directions, Inc. in New York. Due to the cost of using a clearinghouse, many providers rely on banks to transfer bundled electronic claims and funds to the appropriate destination.

Why: "It's a natural business for banks to get into -- they already have the computers, technical expertise and people-power" to facilitate clearinghouse functions, Rosenblum states. And when a bank performs clearinghouse functions, those bank components must comply with HIPAA regulations.

So why is the banking industry fighting tooth and nail to avoid the clearinghouse label? It's all about cost, experts agree. "If you look at the rules for clearinghouses, an entity that is both a bank and a clearinghouse has to separate out clearinghouse functions and set [those functions] up as a HIPAA entity," Slomovic explains. That's not cheap!

As it stands, banks are in major competition with clearinghouses because they do not have to put forth the same financial efforts as the latter. Tip: This financial freedom allows banks to offer their customers a greater return than clearinghouses can. "If [banks] don't have to spend any extra money on HIPAA compliance," they can offer their customers both savings and a value-added service, Slomovic says.

Mining For Data

The healthcare industry is concerned about the many ways banks' HIPAA exemptions will affect patient privacy for several reasons. The most important reason is also the most obvious. "Privacy protection leads to better healthcare because people trust the system more," Slomovic reminds. "Making banks fall under HIPAA will provide better healthcare" through stronger patient-provider relationships, she asserts.

Warning: As patients' protected health information becomes more closely bound with financial transactions, the ability of data miners to extract and use that information increases. A senator's wife goes to a substance abuse specialist and pays with a credit card, Rosenblum postulates. "Somebody in the bank gets this information, notices it's the senator's wife and suddenly that information is leaked to the press," he explains.

Data mining isn't just a concern for your high-profile patients, experts warn. In a letter to Department of Health and Human Services' Secretary Tommy Thompson, Katherine Kopp of the Health Privacy Project outlines the various ways patients' unprotected health information can be used and exploited by financial institutions.

"GLB does not limit what banks can do with the personal information of individuals who are not their customers," she writes. Therefore, "a financial institution may store information about individuals that may or may not have any relationship with the bank and use that information for its own business interests," she states.

Examples: Banks can use patients' information to assess risk in loan applications, or could share that information with their insurance, mortgage or credit card affiliates, Kopp warns.

While you are under no obligation to warn your patients of the risk posed to their privacy by the involvement of banks, you might find that patients welcome the heads up. You have to "weigh the danger of scaring the patient away" against the likelihood that they'll appreciate the information, Larios says.

Suggestion: If your patient is receiving treatment for a sensitive issue, you may want to let them know about the risks involved because "very sensitive information could be misused," Larios warns. Though this may change patients' decisions about how they receive their healthcare, it will also instill trust and confidence in the patient-provider relationship, she says.

Benefits To You

The benefits for the healthcare industry when working with banks can be tremendous, experts say. Tip: Financial transactions outside the healthcare industry are usually conducted for mere pennies. Compare that with the exorbitant rates the healthcare industry deals with and you see the allure. "Why shouldn't it be that a healthcare transmission costs pennies on the dollar instead of $15 to $20 per claims transaction?" Rosenblum asks.

This cost efficiency is a major factor. If banks comply with HIPAA's regulations, the healthcare industry can both please their patients and improve their bottom lines, experts predict. As banks become more involved in HIPAA-compliant transactions, they will "want to maximize their investments and become more involved in clearinghouse functions," Rosenblum posits.

However, the future of banks and clearinghouses remains to be seen. Disadvantage: If banks are declared exempt from HIPAA's regulations, clearinghouses could warp into banks to avoid HIPAA's rules and regulations. "It's not a farfetched notion that banks and clearinghouses will begin to merge if it's advantageous," Slomovic says.

"That would be a logical move for [clearinghouses] under those circumstances," Larios asserts. Though, with all the regulation already directed toward banks, "it's more likely that they would cry foul that the banks would get undue advantage," she predicts.

As the issue is hashed out among industry regulators, providers can take steps to protect their patients' privacy via the BAA.

Problem: Most agreements require that business associates facilitate similar contracts downstream, but those sections are very truncated, Larios explains.

Solution: Go into detail and expand the language in your BAA so that business associates can understand, appreciate and abide by HIPAA's rules, Larios suggests.