The banking industry is thinking about it. Look at this http://mbproject.org/

"Drexler, Deborah" wrote:

> I see what you mean. But if that's the result the law requires, our not
> thinking about it won't have any effect. So maybe we *should* think about
> it, just to convince ourselves we are wrong?
>
> -----Original Message-----
> From: St. Clair, James [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 01, 2002 10:39 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Applying HIPAA to Banks? CE versus BA versus "conduit"
>
> I would hesitate to pursue the line of thinking in this thread. As many of
> you are probably aware, the banks already have their own "HIPAA" - the
> Gramm-Leach-Bliley Act (GLB). Getting into Banks being HIPAA compliant
> because of CE relationships may in turn force Banks to consider CE partners
> in healthcare to becoming GLB compliant - NOT a road I think any of us wish
> to tread.
>
> Jim St.Clair
> Critical Infrastructure Protection
> Vredenburg
> (703) 412-4611
>
> -----Original Message-----
> From: Leslie C. Bender [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 01, 2002 10:22 AM
> To: 'Drexler, Deborah'; [EMAIL PROTECTED]
> Subject: RE: Applying HIPAA to Banks? CE versus BA versus "conduit"
>
> I don't clearly see banks as clearinghouses (do the functions they
> perform actually rise to the definitional requirements under HIPAA for a
> healthcare clearinghouse?) -- but I can see a number of instances in
> which banks could be "business associates." Banks can be "business
> associates" particularly if they furnish lock box services,
> handle/receive ACH or other electronic transfers from payers on behalf
> of providers and there is any PHI on checks, correspondence or other
> remittance documentation that accompanies the payments. Several years
> ago there was a decided trend toward providers using lock box
> arrangements as a cost containment concept and as part of perhaps a
> larger commercial lending arrangement that gave added security to the
> lenders.
> Another financing vehicle that would result in the use or
> disclosure of PHI would be the securitization of patient accounts
> receivable when potentially a provider would "sell" its patient accounts
> receivable to a third party financier to raise capital and the third
> party would be responsible for collecting the receivables from patients
> or payers itself.
>
> In the smaller provider market, banks that handle all business banking
> relationships with smaller provider groups and offer cash flow financing
> (an asset or accounts receivable based line of credit) may also require
> periodic receivables agings that potentially contain patient names.
>
> Leslie C. Bender, Esq.
>
> -----Original Message-----
> From: Drexler, Deborah [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 4:26 PM
> To: [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> At the HIPAA summit in DC I just attended, there was talk of how the
> banking industry is just starting to realize that they have to be HIPAA
> compliant. Apparently banks are often clearinghouses and subject to the
> HIPAA rules. I didn't really understand much more than that.
>
> Deborah Drexler
> Privacy and Security Officer
> Division of Medical Assistance
> Boston, MA 02111
> 617-210-5372
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Meyers, Ed [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 3:44 PM
> To: '[EMAIL PROTECTED]'; Bill Chessman; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> Well almost......
>
> The Transaction regulation clearly requires some contractual
> relationship between the CE and the bank.
>
> However, page 50318, Federal Register dated August 17, 2002 states, "The
> administrative simplification provisions of HIPAA do not require
> non-covered entities to use the standards, but non-covered entities are
> encouraged to do so in order to achieve the benefits available from such
> use."
>
> The bank does not have to accept or process HIPAA compliant
> transactions. The bank cannot be out of HIPAA compliance at any time
> because they are not subject to HIPAA. The bank is subject to GLB
> privacy provisions for the data it has under its control.
>
> You as the CE will be OK if your contract spells out the needed HIPAA
> language.
>
> Edward Meyers
> Security Officer
> Missouri Department of Mental Health [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 2:25 PM
> To: Bill Chessman; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> Would you not have to have a "Chain of Trust" relationship, and a Trust
> Partner Agreement with the Bank in question for all importation
> exchange? I think so. Without it, you are liable. So the simple
> answer is, the bank would have to be HIPAA compliant for all areas and
> systems that receive and use that identified information. Sounds like a
> new business opportunity for a smart bank! HIPAA Compliant Banking
> Services!!! Any Bank VP's listening out there? Anyone own bank stock
> who wants to write a letter to your bank CEO?
>
> Regards,
>
> Dr. Tim McGuinness, Ph.D.
> Sr. Compliance Specialist & Solutions Architect
> Certified HIPAA Chief Privacy Officer
> DynTek Inc.
> www.dyntek.com
>
> -----Original Message-----
> From: Bill Chessman [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 1:31 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> This may not be the right place to ask this question (and it might not
> even be reasonable or valid), but since the thread is running here, I
> might as well throw it out: If an 835 that contains patient information
> (even the patient name) is sent to an organization not required to be
> HIPAA compliant, isn't it a violation of the patient's privacy rules?
> The bank may not use the information, but since it's in the transaction,
> it is visible to a (theoretically) unauthorized party.
>
> Best regards,
> Bill Chessman
> Peregrine Systems, Inc.
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
