Bill, I would tend to agree with you that a bank receiving an 835 from a payor (if it includes the PHI in table 2) is a BA acting on behalf of the payor, and would require a BA agreement with the payor. I'm not familiar with the CTX record, but "dropping the 835 and the fund transfer order into a CTX record" appears to be viewed as a "transport" event rather than a "translation" event, thus preventing the bank from meeting the HIPAA definition of "clearinghouse".
Rachel's response, however, seems to state that the bank would not even be a BA in this case: "Lastly, if the payer sends a HIPAA compliant 835 to its bank, the bank executes the payment instructions for funds transfer, and dumps the entire interchange into the CTX for transfer through the ACH network to the payee's bank, which credits the provider with the payment and then forwards the 835 intact to the provider.... **neither** bank is acting in the role of a clearinghouse NOR a business associate, and thus neither bank is subject to HIPAA's regulations."

Clearly, the bank in this example is accepting PHI for some reason. If the bank was not going to do something on some CE's behalf with that PHI, then I don't know why it would be willing to accept it (or why it would be legal for the CE to even send it). Accepting it and passing it along to the provider, however, would seem to make it a BA and subject to the applicable parts of HIPAA.... unless the movement of the PHI is again being regarded somehow as strictly "transport", in much the same way as an ISP would be "receiving" and "forwarding" PHI for its customers. But at the ISP level the data would be encrypted, and presumably the bank is receiving, repackaging (into the CTX), and forwarding PHI "in the clear". It sure looks like a "BA" relationship to me.

Regards,
Chris

At 10:31 AM 4/29/02 -0700, you wrote:
>This may not be the right place to ask this question (and it might not even
>be reasonable or valid), but since the thread is running here, I might as
>well throw it out: If an 835 that contains patient information (even the patient
>name) is sent to an organization not required to be HIPAA compliant, isn't
>it a violation of the patient's privacy rules? The bank may not use the
>information, but since it's in the transaction, it is visible to a
>(theoretically) unauthorized party.
>
>Best regards,
>Bill Chessman
>Peregrine Systems, Inc.

Christopher J. Feahr, OD
http://visiondatastandard.org
[EMAIL PROTECTED]
Cell/Pager: 707-529-2268
