The Security Rule isn't final...yet, so it's impossible to "violate" it. Furthermore, the banking network is not an open network, so encryption isn't required.

Also, the proposed security rule contains the concept of "chain of trust" which we have been told by HHS representatives will be brought into sync with the privacy rule concepts and language, along with other proposed security provisions. Data and dollars together and data and dollars separate has always been an issue for investigation, evaluation and resolution between the two trading partners ever since the 820 became an approved X12 standard transaction used for electronic funds transfer. Simply because some organizations have already made the "business decision" to separate the data from the dollars doesn't mean that that's the way it should be done for all organizations for all time.

Rachel

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL 60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 8:49 AM
To: [EMAIL PROTECTED]
Subject: Re: HIPAA and the Banking System

Rachel:

I never kid, as you well know: I'm the most serious, pucker-faced person around.

Payers should be careful where they send 835 EOBs containing PHI. Wouldn't it be a violation of the Security Rule if a bank - which is not a covered entity and which most likely has no BA agreement with the payer - receives an unencrypted EOB as part of a payment order from that payer? And who's going to get into big trouble? Not the bank, I suspect, who is not in the healthcare business and was the innocent recipient of the 835 dripping with PHI. The payer is responsible for knowing where its PHI is, and is culpable for having passed PHI to a non-CE or entity with whom it has no BA agreement. I'm no HIPAA security whiz, but then nobody would have to be on this issue if banks didn't try to be all things to all people in the first place.

Even one who is not "an old structured programming mainframe legacy programmer who was disciplined on modular approaches and independence of functions" might intuit that payments be separated from remittances, lest their mingling cause all sorts of havoc. Payments are orders to your bank to pay someone else, and remittances are sent to the provider to explain why a payment has been (or will be) made. I suppose payments and remittances might have something existentially to do with each other, but wouldn't it be simpler to reconcile payments and remittances in the A/R system at the provider's end? Even if it isn't simpler (than for the provider or his software vendor to have both the dollars and the remittances arrive together), it fortunately isn't my problem.

Anyway, banks don't even do the job of Clearinghouse or VAN very well: the ACH system can't return X12 acknowledgements to the payer via the payer's bank, which was the original reason X12F Finance doesn't want 997s to report on IG compliance violations.

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320

----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 22 April, 2002 05:17 PM
Subject: HIPAA and the Banking System

William,

It's not a question of whether the banks will insist on providing clearinghouse-type services to their customers.....many are today and have been for years! The banks just aren't aware of what's heading their way as a result of HIPAA.

Certainly you're kidding when you say it's simpler for the providers to reengineer their systems....what planet are you on! There are literally hundreds of patient accounting/practice management systems vendors serving the industry. This would not be a trivial effort!

Rachel

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: questions on the appropriate way to reply when there are error in a transaction request

There are two separate issues:

(1) Payments and electronic funds transfer. The exclusion Sujay refers to probably applies to the funds transfer and check clearing functions. Technically, even though minimal PHI is revealed in a payment (either by check or EFT) - such as possibly the name of the patient-subscriber and that of the provider - because of the exclusion, banks don't come under HIPAA privacy rules.

(2) But if banks inexplicably insist on getting into the Clearinghouse and VAN business by relaying PHI-laden EOBs, then it stands to reason they become an entirely different animal (either a covered entity, or a BA with the need to execute BA agreements with every other bank, provider or payer they come into contact with).

Isn't it just simpler all around for payers and providers to reengineer their applications to (1) just send the EOB to the payee directly or through a CE like a clearinghouse, and (2) separately order the bank to transfer funds?

Don't you remember the little sign that retailers often use to discourage checks? "We have an agreement with the bank: They don't sell ice cream, and we don't cash checks."

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320

**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
======================================================
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP.
If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
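The "separate the data from the dollars" design Kammerer argues for, as an added illustration that is not part of the thread or any participant's code: it splits an X12 interchange into its ST/SE transaction sets, sends the 820 payment order to the bank channel and the PHI-bearing 835 remittance to a covered-entity channel, and flags any 835 that a file addressed to the bank would otherwise carry. The interchange, receiver ID "BANK", and the routing table are constructed for the example; the ISA envelope is simplified rather than fixed-width.

```python
SEG_TERM, ELEM_SEP = "~", "*"

# Constructed, simplified interchange addressed to the bank (GS03 = BANK):
# one 820 payment order plus one 835 remittance advice with a patient name.
SAMPLE = (
    "ISA*00*          *00*          *ZZ*PAYER*ZZ*BANK*020422*1529*U*00401*000000001*0*P*:~"
    "GS*RA*PAYER*BANK*20020422*1529*1*X*004010~"
    "ST*820*0001~BPR*C*1250.00*C*ACH*CTX~SE*3*0001~"
    "ST*835*0002~BPR*I*1250.00*C*ACH*CTX~NM1*QC*1*DOE*JANE~SE*4*0002~"
    "GE*2*1~IEA*1*000000001~"
)

# Hypothetical routing policy: the bank sees only payment orders; remittance
# advice goes to a covered entity (clearinghouse or the payee itself).
ROUTES = {"820": "bank", "835": "clearinghouse"}
BANK_RECEIVER_ID = "BANK"


def segments(interchange):
    """Split an interchange into element lists, one per non-empty segment."""
    return [s.split(ELEM_SEP) for s in interchange.split(SEG_TERM) if s.strip()]


def transaction_sets(interchange):
    """Yield (set_id, control_number, segments) for each ST..SE block,
    checking that SE's segment count and control number match the ST."""
    current = None
    for elems in segments(interchange):
        if elems[0] == "ST":
            current = (elems[1], elems[2], [elems])
        elif elems[0] == "SE" and current is not None:
            set_id, ctrl, segs = current
            segs.append(elems)
            if elems[2] != ctrl or int(elems[1]) != len(segs):
                raise ValueError(f"SE does not match ST {ctrl}")
            yield set_id, ctrl, segs
            current = None
        elif current is not None:
            current[2].append(elems)


def route(interchange):
    """Map each channel to the control numbers it should carry; unknown
    transaction set types are held for review rather than forwarded."""
    channels = {"bank": [], "clearinghouse": [], "review": []}
    for set_id, ctrl, _ in transaction_sets(interchange):
        channels[ROUTES.get(set_id, "review")].append(ctrl)
    return channels


def remittance_bound_for_bank(interchange):
    """Control numbers of 835 sets in a file whose GS receiver is the bank."""
    receivers = {e[3] for e in segments(interchange) if e[0] == "GS"}
    if BANK_RECEIVER_ID not in receivers:
        return []
    return [c for sid, c, _ in transaction_sets(interchange) if sid == "835"]
```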
