Doug,

Going forward, there are definitely going to be issues with banks using the ACH for 835 distribution. Last Friday, the Medical Banking Project hosted a telebriefing on the Security Rule. Stanley Nachimson participated and had this to say about PHI in a banking context (full transcript available on their web site at mbproject.org):

"...you've got to worry about first of all the storage on your site, on the bank's site, to make sure that only the right people are accessing that information and able to send it. Secondly, you've got to make sure that the transmission is protected, that as the information is being sent it's possibly encrypted or there's another method that's being used to protect the information so that if it's intercepted nobody can see it. And you also want to make sure that it's clearly going to the right place in the provider's office and that only the right folks in the provider really have access to that information. So I think there are a series of controls that would have to be implemented."

Therefore, for the bank to be a "conduit" (as opposed to a covered entity or business associate), the PHI contained in an 835 has to be transmitted in such a way that the originating bank, the ACH, the Federal Reserve, and the receiving bank do not have access to the PHI. Only the provider, and actually "only the right folks in the provider" can see the PHI contained in the 835.

As has been discussed here before, "addressable" encryption doesn't mean you don't have to encrypt, it means you have to prove 6 ways to Sunday that you don't need to encrypt or to have an equally secure method/technology. It also means that the word "encrypt" may be meaningless at some point in the future, so do whatever current technology requires you to do to fulfill the intent of the Privacy regs. Today, in nearly every case, that means encrypt.

Most originating banks are not prepared at this point to accept an encrypted 835 and send it on through the ACH, and most receiving banks are not prepared to extract that encrypted data from the unencrypted CTX and pass that on to the provider for them to then finally decrypt. Those are the issues for the bank to be a "conduit".

Now, if both the originating bank (with the payer) and the receiving bank (with the payee/provider) sign business associate agreements, then they could access the PHI (receive it from the payer/deliver it to the provider). And if the bank modifies the information in any way, they would then be a health care clearinghouse, and a covered entity.

NACHA rules (IV-II-C "RDFI OUTPUT" on page OG 99 of the 2003 ACH rules) state that if a receiving bank cannot deliver the EDI data enveloped in a CTX (the 835) in its native format to the payee, they are required to deliver it in whatever manner they can. If an RDFI delivers the remittance in any format other than the passed-in 835, they are inherently a covered entity translating from standard to nonstandard. Since NACHA rules require this of receiving banks, those receivers have a business decision to make regarding their continuing ability to receive CTX transmissions containing 835 remittance data.

Brett Hacker, CIO
Remettra, Inc.
866-226-9641

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 20, 2003 3:20 PM
To: WEDI SNIP Transactions Workgroup List
Subject: Re: 837I and 837P

Billie Jo,

Direct Deposit requires that the receiver of the funds (provider) supply the sender (payer) with bank information. This is generally done once (when the provider signs up to receive ACH payments), and then applies until revoked. For this reason, bank information is not placed on the 837. Direct Deposit of my paycheck and my mom's Social Security check works the same way.

Note that you can sign up for either ACH payments, the 835, or both. If the banks at both ends are capable of handling a data record the size of the 835, then the banks can be a conduit of 835 information to the provider. Many smaller banks do not offer this service.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."

----- Original Message -----
From: Adams, Billie Jo
To: WEDI SNIP Transactions Workgroup List
Sent: Thursday, March 20, 2003 02:23 PM
Subject: 837I and 837P

How are people handling bank information that is needed for the 835? There are no fields on the 837 to pass to the 835 for banking information. All responses are appreciated.

Billie Jo Adams
Project Analyst
World Insurance Company

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-transactions as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
