I only know what I've read - and it does kind of conform to the way I imagine things should work. For example, see HHS Response to Comments http://www.bricker.com/attserv/practice/hcare/hipaa/164.501p.asp -
Definitions - Payment - § 164.501

Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule. Under the proposed Security Rule, the ACH system and similar systems would have been considered "open networks" because transmissions flow unpredictably through and become available to member institutions who are not party to any business associate agreements (in a way similar to the internet). The proposed Security Rule would require any protected health information transferred through the ACH or similar system to be encrypted.

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320

----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 22 April, 2002 05:01 PM
Subject: RE: questions on the appropriate way to reply when there are error in a transaction request

Jan,

It's a mistake to believe that the banks translate the X12 interchange into an ACH format. That's simply not true. When an X12 interchange is sent to a bank with payment instructions and table 2 data (RA stuff) the entire interchange is dumped into a CTX format. It's just a wrapper around the X12 stuff and no translation takes place.

When the banks perform this activity with no other value-add services being done either on behalf of the payee or payer, they are simply a conduit and they are neither a business associate nor a covered entity under HIPAA. On the other hand, if the bank provides additional services, such as reformatting the received table 2 data in an 835 into another format and then forwards that on to its customer, the provider, it is acting as a clearinghouse, thus becoming both a covered entity and a business associate.
I also believe the same would be true if the bank received the 835 table 2 data and put it on paper to send to its customer.

Encrypting the entire interchange is not an option if sending the complete 835 through the banking system. The 835 table 1 data must be in the clear since this is where all of the payment instructions are found. In this case, then encrypting table 2 would be the only option for ensuring the confidentiality of the PHI. But, this approach, of course, has all sorts of issues and challenges.

And deciding to separate the data from the dollars has its own set of issues as well, not the least of which is the receiving system's ability to receive the 835, recognize that it's RA only, that payment will be made electronically and thus to suspend posting of the RA until notified by the bank that the funds have been received, matching the 835 to the funds received notice from the bank, etc.

Rachel
