The following is from the preamble to the final privacy rule regarding financial institutions beginning on page 82570:

Response: We interpret section 1179 of the Act to mean that entities engaged in the activities of a financial institution, and those acting on behalf of a financial institution, are not subject to this regulation when they are engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The statutory reference to 12 U.S.C. 3401 indicates that Congress chose to adopt the definition of financial institutions found in the Right to Financial Privacy Act, which defines financial institutions as any office of a bank, savings bank, card issuer, industrial loan company, trust company, savings association, building and loan, homestead association, cooperative bank, credit union, or consumer finance institution located in the United States or one of its Territories. Thus, when we use the term "financial institution" in this regulation, we turn to the definition with which Congress provided us. We interpret this provision to mean that when a financial institution, or its agent on behalf of the financial institution, conducts the activities described in section 1179, the privacy regulation will not govern the activity. If, however, these activities are performed by a covered entity or by another entity, including a financial institution, on behalf of a covered entity, the activities are subject to this rule. For example, if a bank operates the accounts payable system or other "back office" functions for a covered health care provider, that activity is not described in section 1179. In such instances, because the bank would meet the rule's definition of "business associate," the provider must enter into a business associate contract with the bank before disclosing protected health information pursuant to this relationship.

However, if the same provider maintains an account through which he/she cashes checks from patients, no business associate contract would be necessary because the bank's activities are not undertaken for or on behalf of the covered entity, and fall within the scope of section 1179. In part to give effect to section 1179, in this rule we do not consider a financial institution to be acting on behalf of a covered entity when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. We do not agree with the comment that section 1179 of the Act means that the privacy regulation's requirements cannot apply to the activities listed in that section; rather, it means that the entities expressly mentioned, financial institutions (as defined in the Right to Financial Privacy Act), and their agents that engage in the listed activities for the financial institution are not within the scope of the regulation. Nor do we interpret section 1179 to support an exemption for disclosures to financial institutions from the minimum necessary provisions of this regulation.

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL 60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: questions on the appropriate way to reply when there are error in a transaction request

I only know what I've read - and it does kind of conform to the way I imagine things should work.

For example, see HHS Response to Comments http://www.bricker.com/attserv/practice/hcare/hipaa/164.501p.asp - Definitions - Payment - § 164.501:

Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule.

Under the proposed Security Rule, the ACH system and similar systems would have been considered "open networks" because transmissions flow unpredictably through and become available to member institutions who are not party to any business associate agreements (in a way similar to the internet). The proposed Security Rule would require any protected health information transferred through the ACH or similar system to be encrypted.

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320

----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 22 April, 2002 05:01 PM
Subject: RE: questions on the appropriate way to reply when there are error in a transaction request

Jan,

It's a mistake to believe that the banks translate the X12 interchange into an ACH format. That's simply not true. When an X12 interchange is sent to a bank with payment instructions and table 2 data (RA stuff) the entire interchange is dumped into a CTX format. It's just a wrapper around the X12 stuff and no translation takes place. When the banks perform this activity with no other value-add services being done either on behalf of the payee or payer, they are simply a conduit and they are neither a business associate nor a covered entity under HIPAA.

On the other hand, if the bank provides additional services, such as reformatting the received table 2 data in an 835 into another format and then forwards that on to its customer, the provider, it is acting as a clearinghouse, thus becoming both a covered entity and a business associate. I also believe the same would be true if the bank received the 835 table 2 data and put it on paper to send to its customer.

Encrypting the entire interchange is not an option if sending the complete 835 through the banking system. The 835 table 1 data must be in the clear since this is where all of the payment instructions are found. In this case, then, encrypting table 2 would be the only option for ensuring the confidentiality of the PHI. But this approach, of course, has all sorts of issues and challenges. And deciding to separate the data from the dollars has its own set of issues as well, not the least of which is the receiving system's ability to receive the 835, recognize that it's RA only, that payment will be made electronically and thus to suspend posting of the RA until notified by the bank that the funds have been received, matching the 835 to the funds received notice from the bank, etc.

Rachel

**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
======================================================
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
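The "separate the data from the dollars" workflow in Rachel's last paragraph (an RA-only 835 whose posting is suspended until the bank's funds-received notice is matched to it), as an added example that is not from the thread or from any of the participants. The 835 segments, trace number, amounts and the shape of the bank notice are all constructed; Table 1 is taken as everything before the first LX segment and the match is keyed on the TRN trace number, originating company identifier and BPR amount.

```python
from decimal import Decimal

# Constructed 835 (not from the thread): '~' ends a segment, '*' separates elements.
# Table 1 carries the payment instructions (BPR, TRN); Table 2 starts at LX and
# carries the claim-level remittance detail, which is where the PHI lives.
SAMPLE_835 = (
    "ST*835*0001~"
    "BPR*I*1250.00*C*ACH*CCP*01*999999992*DA*123456*1512345678~"
    "TRN*1*12345*1512345678~"
    "LX*1~"
    "CLP*PATIENT001*1*500.00*400.00*100.00*12*CLAIMREF1~"
    "LX*2~"
    "CLP*PATIENT002*1*900.00*850.00*50.00*12*CLAIMREF2~"
    "SE*8*0001~"
)

def parse_segments(x12):  # -> list of segments, each a list of elements
    return [seg.split("*") for seg in x12.split("~") if seg]

def split_tables(segments):
    """Table 1 = everything before the first LX (may travel in the clear);
    Table 2 = LX onward without the SE trailer (PHI, must be protected)."""
    first_lx = next(i for i, s in enumerate(segments) if s[0] == "LX")
    return segments[:first_lx], [s for s in segments[first_lx:] if s[0] != "SE"]

def payment_key(table1):
    """BPR01 handling code, BPR02 amount, TRN02 trace number, TRN03 originator."""
    bpr = next(s for s in table1 if s[0] == "BPR")
    trn = next(s for s in table1 if s[0] == "TRN")
    return {"handling": bpr[1], "amount": Decimal(bpr[2]),
            "trace": trn[2], "originator": trn[3]}

class Reassociator:  # holds RA-only 835s until the bank reports the funds
    def __init__(self):
        self.held = {}  # (trace, originator) -> (expected amount, Table 2)

    def receive_835(self, x12):
        table1, table2 = split_tables(parse_segments(x12))
        key = payment_key(table1)
        if key["handling"] == "C":  # BPR01 'C': payment accompanies the RA
            return "post"
        self.held[(key["trace"], key["originator"])] = (key["amount"], table2)
        return "held"  # 'I' remittance-only / 'U' split: suspend posting

    def funds_received(self, trace, originator, amount):
        """Bank notice: release claims only on an exact trace/originator/amount match."""
        entry = self.held.get((trace, originator))
        if entry is None or entry[0] != Decimal(amount):
            return None  # unknown trace or amount mismatch: keep holding
        del self.held[(trace, originator)]
        return [s for s in entry[1] if s[0] == "CLP"]
```

A mismatched amount leaves the RA on hold rather than posting a partial payment, and the same trace number cannot release the claims twice.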
