Chris, I can't imagine why a bank would want to translate the 835 into another format for its own use. A bank wouldn't have "its own use for this information. The bank only needs the information contained in table 1 of the 835 in order to carry out the payment order and funds transfer. Everything else only "rides along" with the payment order instructions. The bank would execute the payment order instructions from table 1 and then dump the entire interchange into the CTX format, a standard format used by the ACH to transfer X12 interchanges through the ACH network.
On the other hand, if the bank translated the entire 835 into another format on behalf of its client (most likely the provider) then the bank is acting in the role of a clearinghouse, thereby making itself a covered entity under the law and subject to all of HIPAA's regulations and requirements. The reverse would also be true...if the bank received a non-standard format (payment instructions and remittance advice data) from its customer (most likely a payer) and then translated that into the 835, it too is acting as a clearinghouse, thereby subjecting itself to all of HIPAA's regulations. Lastly, if the payer sends a HIPAA compliant 835 to its bank, the bank executes the payment instructions for funds transfer, and dumps the entire interchange into the CTX for transfer through the ACH network to the payee's bank, which credits the provider with the payment and then forwards the 835 intact to the provider....**neither** bank is acting in the role of a clearinghouse NOR a business associate, and thus neither bank is subject to HIPAA's regulations. The bank that receives the payment instructions from the payer is called an Originating Depository Financial Institution (ODFI) and the bank the credits the funds to the payee's account is called a Receiving Depository Financial Institution (RDFI). Quite frankly, I don't see why everyone is in such a tizzy about this and the role of banks. It seems quite clear cut to me. Once a bank acts as a clearinghouse for its customer, it's a covered entity and a business associate. Thus its customer must require the bank to execute a business associate agreement. End of story. Neither HIPAA nor the privacy reg requires the bank's customer to monitor its activities nor the activities of any downstream financial institution....just as a covered entity is not required to monitor any other business associate's activities. The only issues here as I see them are: 1. If a huge volume of RA data is being transferred in table 2 of the 835, the originator of the 835 transaction must ensure that the CTX can accommodate the data volume. There are 9990 80-character addenda records into which the full **interchange** (ISA though to IEA) must be dumped. This will need to be evaluated. 2. Not all banks in the country (some 15,000 +/-) can handle the CTX...this needs to be determined between the payer and payee and their respective banks when entering into an EFT and data/dollars together approach. 3. The other big issue for banks are those that are providing lock box operations to their health care customers. In this case, they most certainly are a business associate of the customer and must enter into a business associate agreement with them. Rachel Rachel Foerster Principal Rachel Foerster & Associates, Ltd. Professionals in EDI & Electronic Commerce 39432 North Avenue Beach Park, IL 60099 Phone: 847-872-8070 Fax: 847-872-6860 http://www.rfa-edi.com -----Original Message----- From: Christopher J. Feahr, OD [mailto:[EMAIL PROTECTED]] Sent: Saturday, April 27, 2002 8:01 PM To: [EMAIL PROTECTED]; 'Sujay Pidara'; [EMAIL PROTECTED] Subject: RE: questions on the appropriate way to reply when there are errors in a transaction request Rachel, So if the bank translates to/from a HIPAA standard on its OWN behalf (i.e. for the benefit of the bank's internal system, rather than "on behalf of" the CE sending/receiving the message), then that would NOT make it a CH... right? Could the bank (also for its OWN convenience/benefit) translate the 835 into a proprietary format before sending it to the provider... without making itself a CH? This "on behalf of" attribute seems a little vague because something could be done to benefit either or both parties, but not actually be "required" by the payor or provider. -Chris At 04:11 PM 4/24/02 -0500, Rachel Foerster wrote: >Now, if either bank was taking either non-standard or standard data and >reformatting it into either standard or non-standard data on behalf of their >customer, then that bank is acting in the role of a clearinghouse and >thereby becomes not only a covered entity under HIPAA, but also a business >associate of their customer, the covered entity, under HIPAA's privacy >regulation. Christopher J. Feahr, OD http://visiondatastandard.org [EMAIL PROTECTED] Cell/Pager: 707-529-2268
