Wow! Thank you for the web site, Patricia. My apologies if the message seemed to be to ignore the law. Rather, I think this website indicates how Healthcare can look to another industry response to develop HIPAA compliance standards. Will HHS "certify" banks or US Treasury? Rather, can the two industries work to develop standards that satisfy both?
Jim St.Clair
Critical Infrastructure Protection
Vredenburg
(703) 412-4611

-----Original Message-----
From: Patricia Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: Applying HIPAA to Banks? CE versus BA versus "conduit"

The banking industry is thinking about it. Look at this
http://mbproject.org/

"Drexler, Deborah" wrote:

> I see what you mean. But if that's the result the law requires, our not
> thinking about it won't have any effect. So maybe we *should* think about
> it, just to convince ourselves we are wrong?
>
> -----Original Message-----
> From: St. Clair, James [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 01, 2002 10:39 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Applying HIPAA to Banks? CE versus BA versus "conduit"
>
> I would hesitate to pursue the line of thinking in this thread. As many of
> you are probably aware, the banks already have their own "HIPAA" - the
> Gramm-Leach-Bliley Act (GLB). Getting into Banks being HIPAA compliant
> because of CE relationships may in turn force Banks to consider CE partners
> in healthcare to become GLB compliant - NOT a road I think any of us wish
> to tread.
>
> Jim St.Clair
> Critical Infrastructure Protection
> Vredenburg
> (703) 412-4611
>
> -----Original Message-----
> From: Leslie C. Bender [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 01, 2002 10:22 AM
> To: 'Drexler, Deborah'; [EMAIL PROTECTED]
> Subject: RE: Applying HIPAA to Banks? CE versus BA versus "conduit"
>
> I don't clearly see banks as clearinghouses (do the functions they
> perform actually rise to the definitional requirements under HIPAA for a
> healthcare clearinghouse?) -- but I can see a number of instances in
> which banks could be "business associates."
> Banks can be "business
> associates" particularly if they furnish lock box services,
> handle/receive ACH or other electronic transfers from payers on behalf
> of providers and there is any PHI on checks, correspondence or other
> remittance documentation that accompanies the payments. Several years
> ago there was a decided trend toward providers using lock box
> arrangements as a cost containment concept and as part of perhaps a
> larger commercial lending arrangement that gave added security to the
> lenders. Another financing vehicle that would result in the use or
> disclosure of PHI would be the securitization of patient accounts
> receivable when potentially a provider would "sell" its patient accounts
> receivable to a third party financier to raise capital and the third
> party would be responsible for collecting the receivables from patients
> or payers itself.
>
> In the smaller provider market, banks that handle all business banking
> relationships with smaller provider groups and offer cash flow financing
> (an asset or accounts receivable based line of credit) may also require
> periodic receivables agings that potentially contain patient names.
>
> Leslie C. Bender, Esq.
>
> -----Original Message-----
> From: Drexler, Deborah [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 4:26 PM
> To: [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> At the HIPAA summit in DC I just attended, there was talk of how the
> banking industry is just starting to realize that they have to be HIPAA
> compliant. Apparently banks are often clearinghouses and subject to the
> HIPAA rules. I didn't really understand much more than that.
>
> Deborah Drexler
> Privacy and Security Officer
> Division of Medical Assistance
> Boston, MA 02111
> 617-210-5372
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Meyers, Ed [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 3:44 PM
> To: '[EMAIL PROTECTED]'; Bill Chessman; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> Well almost......
>
> The Transaction regulation clearly requires some contractual
> relationship between the CE and the bank.
>
> However, page 50318, Federal Register dated August 17, 2002 states, "The
> administrative simplification provisions of HIPAA do not require
> non-covered entities to use the standards, but non-covered entities are
> encouraged to do so in order to achieve the benefits available from such
> use."
>
> The bank does not have to accept or process HIPAA compliant
> transactions. The bank cannot be out of HIPAA compliance at any time
> because they are not subject to HIPAA. The bank is subject to GLB
> privacy provisions for the data it has under its control.
>
> You as the CE will be OK if your contract spells out the needed HIPAA
> language.
>
> Edward Meyers
> Security Officer
> Missouri Department of Mental Health
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 2:25 PM
> To: Bill Chessman; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> Would you not have to have a "Chain of Trust" relationship, and a Trust
> Partner Agreement with the Bank in question for all importation
> exchange? I think so. Without it, you are liable. So the simple
> answer is, the bank would have to be HIPAA compliant for all areas and
> systems that receive and use that identified information.
> Sounds like a
> new business opportunity for a smart bank! HIPAA Compliant Banking
> Services!!! Any Bank VP's listening out there? Anyone own bank stock
> who wants to write a letter to your bank CEO?
>
> Regards,
>
> Dr. Tim McGuinness, Ph.D.
> Sr. Compliance Specialist & Solutions Architect
> Certified HIPAA Chief Privacy Officer
> DynTek Inc.
> www.dyntek.com
>
> -----Original Message-----
> From: Bill Chessman [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 1:31 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: questions on the appropriate way to reply when there are
> errors in a transaction request
>
> This may not be the right place to ask this question (and it might not
> even be reasonable or valid), but since the thread is running here, I
> might as well throw it out: If an 835 that contains patient information
> (even the patient name) is sent to an organization not required to be
> HIPAA compliant, isn't it a violation of the patient's privacy rules?
> The bank may not use the information, but since it's in the transaction,
> it is visible to a (theoretically) unauthorized party.
>
> Best regards,
> Bill Chessman
> Peregrine Systems, Inc.
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
