Well almost......

The Transaction regulation clearly requires some contractual relationship
between the CE and the bank.

However, page 50318, Federal Register dated August 17, 2002 states, "The
administrative simplification provisions of HIPAA do not require non-covered
entities to use the standards, but non-covered entities are encouraged to do
so in order to achieve the benefits available from such use."

The bank does not have to accept or process HIPAA compliant transactions.
The bank cannot be out of HIPAA compliance at any time because it is not
subject to HIPAA.  The bank is subject to GLB privacy provisions for the
data it has under its control.

You as the CE will be OK if your contract spells out the needed HIPAA
language.

Edward Meyers
Security Officer
Missouri Department of Mental Health
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 2:25 PM
To: Bill Chessman; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: questions on the appropriate way to reply when there are errors in a transaction request


Would you not have to have a "Chain of Trust" relationship, and a Trust
Partner Agreement with the Bank in question for all information exchange?  I
think so.  Without it, you are liable.  So the simple answer is, the bank
would have to be HIPAA compliant for all areas and systems that receive and
use that identified information.  Sounds like a new business opportunity for
a smart bank!  HIPAA Compliant Banking Services!!!  Any Bank VPs listening
out there?  Anyone own bank stock who wants to write a letter to your bank
CEO?

Regards,

Dr. Tim McGuinness, Ph.D.
Sr. Compliance Specialist & Solutions Architect
Certified HIPAA Chief Privacy Officer
DynTek Inc.
www.dyntek.com

-----Original Message-----
From: Bill Chessman [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 1:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: questions on the appropriate way to reply when there are errors in a transaction request


This may not be the right place to ask this question (and it might not even
be reasonable or valid), but since the thread is running here, I might as
well throw it out:  If an 835 containing patient information (even the patient
name) is sent to an organization not required to be HIPAA compliant, isn't
it a violation of the patient's privacy rules?  The bank may not use the
information, but since it's in the transaction, it is visible to a
(theoretically) unauthorized party.

Best regards,
Bill Chessman
Peregrine Systems, Inc.


**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.