Rachel: I don't see how you arrive at the conclusion that PHI can be freely and openly transported between the payer and payee banks through the ACH network based on a snippet from SEC. 1179. I don't think any bank along the way should have any opportunity to poke its nose into PHI.
Actually, it seems some bankers would make an even stronger statement: that banks should stay away from EOBs altogether unless BA agreements are in place. See NACHA's "Impacts of HIPAA on the Banking Industry," by Kevin Case, Ernst & Young and Steven Stone, PNC Bank, at http://www.hipaabanking.org/ under "Education." One salient slide asks and answers this question: "Should a Financial Institution receive PHI in the 820 and 835 transmissions?" "No, the 820 and 835 transactions are split into two parts, an EFT part and the electronic remittance advice for 835 and the premium data for the 820 - Banks should only be receiving the EFT portion (unless a business associate contract is in place). In other words, a CCD is not covered under HIPAA while a CTX transaction probably is."

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: "WEDI SNIP 2 (E-mail)" <[EMAIL PROTECTED]>
Sent: Wednesday, 01 May, 2002 01:57 PM
Subject: The Role of Banks in EFT and ERA

Just another contribution to this discussion. While re-reviewing P.L. 104-191 I ran across the following:

P.L. 104-191, August 21, 1996
Subtitle F Administrative Simplification
''PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS
''SEC. 1179.
To the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:
''(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer.
''(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)-
''(A) for transferring receivables;
''(B) for auditing;
''(C) in connection with-
''(i) a customer dispute; or
''(ii) an inquiry from, or to, a customer;
''(D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;
''(E) for reporting to consumer reporting agencies; or
''(F) for complying with-
''(i) a civil or criminal subpoena; or
''(ii) a Federal or State law regulating the entity.''.

Therefore, until such time as the security rule is adopted in final form, which may or may not contain a requirement for encrypting table 2 data in either the 820 or 835, I believe there is no requirement to encrypt table 2 of either the 820 or 835 when it's included along with table 1 and the entire transaction travels through the banking network.

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in EDI & Electronic Commerce
39432 North Avenue
Beach Park, IL 60099
Phone: 847-872-8070
Fax: 847-872-6860
http://www.rfa-edi.com
