There are two separate issues: (1) Payments and electronic funds transfer. The exclusion Sujay refers to probably applies to the funds transfer and check clearing functions. Technically, even though minimal PHI is revealed in a payment (either by check or EFT) - such as possibly the name of the patient-subscriber and that of the provider - because of the exclusion, banks don't come under HIPAA privacy rules.
(2) But if banks inexplicably insist on getting into the Clearinghouse and VAN business by relaying PHI-laden EOBs, then it stands to reason they become an entirely different animal (either a covered entity, or a BA with the need to execute BA agreements with every other bank, provider or payer they come into contact with). Isn't it just simpler all around for payers and providers to reengineer their applications to (1) just send the EOB to the payee directly or through a CE like a clearinghouse, and (2) separately order the bank to transfer funds? Don't you remember the little sign that retailers often use to discourage checks? "We have an agreement with the bank: They don't sell ice cream, and we don't cash checks." William J. Kammerer Novannet, LLC. +1 (614) 487-0320 ----- Original Message ----- From: "Sujay Pidara" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, 22 April, 2002 03:51 PM Subject: RE: questions on the appropriate way to reply when there areerror in a transaction request I think banks as financial institutions are excluded as far as transaction set compliance is concerned (unless they start doing other back office functions). Exclusion is stated in the federal register (rule- page 50313) " Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when ''authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution." Sujay Pidara Radicle Incorporated >>> [EMAIL PROTECTED] 04/22/02 02:10PM >>> I am not sure if I sent this to this group previously, if so I apologize, but it is a good article about banking and HIPAA with a reference URL. Regards, David Frenkel Business Development GEFEG USA Global Leader in Ecommerce Tools www.gefeg.com 425-260-5030 Survey: Banks Unprepared for HIPAA A new survey indicates banks are not ready to comply with provisions of the Health Insurance Portability and Accountability Act.... http://www.technologyinpractice.com/html/news/NewsStory.cfm?DID=8213 -----Original Message----- From: William J. Kammerer [mailto:[EMAIL PROTECTED]] Sent: Monday, April 22, 2002 11:59 AM To: [EMAIL PROTECTED] Subject: Re: questions on the appropriate way to reply when there are error in a transaction request I think X12N was getting involved only insofar as the "BPR10" issue - where the HIPAA IGs mandate use of the FEIN to identify the Originator. I don't think banks have any plans to become Clearinghouses or Business Associates, unless they have deliberately intended to enter that business (e.g., back office operations to reformat flat files to 835s or whatnot). I don't think there is anything magical about banks or the ACH network: prudence would dictate that payers exercise caution before sending an EOB through the banking network which has not been encrypted. It doesn't even make that much sense anyway: these are two separate operations - just send the EOB to the payee directly or through a CE like a clearinghouse, and separately order the bank to transfer funds. William J. Kammerer Novannet, LLC. +1 (614) 487-0320 ----- Original Message ----- From: "Jan Root" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, 22 April, 2002 01:36 PM Subject: Re: questions on the appropriate way to reply when there are error in a transaction request I could be way wrong or stating the obvious, but I thought banks were ruled to (possibly) be covered entities when they qualified to be classified as clearinghouses under HIPAA...? See quote from FAQ: "The definition of Business Associate at 45 CFR 160.103 applies generally to a person or organization that performs, on behalf of a covered entity, a function or activity involving the use or disclosure of protected health information or any other function, activity, or service covered by the Administrative Simplification regulations. If the network in the question accesses or uses protected health information on behalf of a covered entity, whether for translation or payment or quality assurance or other purposes, it is onsidered a business associate. " Translating payment data (associated with a particular person - there may be additional privacy issues possibly involved here as well if banks get classified as clearinghouses) in and out of the ACH format meets the definition of a clearinghouse, no? And the 835 is designed with the option of sending it to a bank. I thought this was why Finance got involved in the discussion with the 835 WG. They realized that HIPAA might be applied to them. Let me know if I'm off base here.... Jan Root ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request. ====================================================== The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
