BOL Conferences
#1307641 - 12/16/09 08:02 PM Lock Box Customer and HIPAA
NB569 Offline
Member
Joined: Dec 2006
Posts: 90
I am not really sure if I am posting this in the proper forum but hopefully so. We are bringing on a medical customer to our lock box service and we are going to be performing data entry for them which means we will be receiving personal health information. We have established that we are considered a “business associate” under HIPAA and HI TECH. I am just wondering if anyone else out there has had to do anything for HIPAA and if so, what steps did you take? Do we need to have a separate HIPAA policy and procedures or can we incorporate into our Privacy and Information Security? We are going to be providing training to the staff members who will handle the information and we are also taking steps to ensure the information is only viewed by those specific employees. Any guidance anyone can share is greatly appreciated!!!

#1313417 - 12/24/09 05:43 PM Re: Lock Box Customer and HIPAA NB569
Busy body Offline
100 Club
Joined: Nov 2004
Posts: 160
Texas
I've just become vaguely aware of the potential implications of HIPAA and HI TECH for banks, so I hope you don't mind if I ask how lock box service provides you with personal health information?

Thank you!

#1313429 - 12/24/09 05:57 PM Re: Lock Box Customer and HIPAA Busy body
Gotwood Offline
Platinum Poster
Joined: May 2001
Posts: 715
Section 1179 of HIPAA, Processing Payment Transactions by Financial Institutions, states that to the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following . . . (SEE ATTACHMENT, codification in 42 USC 1320d-8 for some specific examples of activities exempted). The part referenced in the sentence above is Part C of HIPAA, Administrative Simplification, and the regulations/standards regarding protection of privacy of personal health information are adopted under Part C. Therefore, the bank is exempt from HIPAA, Part C, Administrative Simplification, to the extent the bank is engaged in activities of a financial institution.

Also, a guidance paper from the Office of Civil Rights, dated 12/03/02, gives an example of the exemption for financial institutions relating to the business associate contract on page 41-42, see the last bullet on page 42 (if you print the guidance paper, it may be numbered within each section, in which case you need to go to the "Business Associates" section and see page 4-5, last bullet on page 5).

As to how this information is personal health information:
Customers will sometimes include health billing information in with their payments. Also, the fact that a check is written to Dr. Snips Vasectomy Clinic is personal health information.

#1321450 - 01/08/10 09:53 PM Re: Lock Box Customer and HIPAA Gotwood
NB569 Offline
Member
Joined: Dec 2006
Posts: 90
We are actually performing data entry for this customer. They are an HSA and FSA provider and all the claim forms and receipts will be sent to the lockbox for entry to electronic form by our deposit ops group. From what I understand, this makes us a business associate since we are doing more than financial services.

#1329749 - 01/25/10 01:35 AM Re: Lock Box Customer and HIPAA NB569
Compliance-Audit Offline
New Poster
Joined: Dec 2009
Posts: 3
New England
NB569: Yes, banks are subject to the new HITECH Act. The "exemption" that Gotwood referenced applied to the simple act of a bank processing customer checks that were for healthcare payments -- for example: me sending a check to xyz hospital for an x-ray. Banks were exempted from business associate status for those basic functions. However, banks will be facing HITECH risk mostly from their cash management functions such as lockbox, ACH, and any web-based products that their healthcare customers use to process transactions (depending on how the bank handles those electronic transactions). The risk assessment and analysis are too complicated to fully describe in a posting. The HSA situation you discuss above would be subject to HITECH in my humble opinion. Totally separately, banks that are self-insured for their employee medical insurance Plan will find the Plan subject to HITECH as well.

NACHA ran a training session a few months ago about HITECH and the ABA has one coming up. Feel free to contact me for more info.

#1334790 - 02/01/10 04:37 PM Re: Lock Box Customer and HIPAA Compliance-Audit
Still Smiling Offline
Platinum Poster
Joined: Nov 2007
Posts: 767
Can anyone point me to the definition of "protected health information"? Also when are the HI TECH rules mandatory? This one has caught me by surprise.
_________________________
Comments are strictly my own and not that of my employer.

#1338013 - 02/04/10 10:23 PM Re: Lock Box Customer and HIPAA Still Smiling
GenerousLife Offline
Diamond Poster
Joined: Feb 2002
Posts: 1,466
USA
Electronic Protected Health Information means individually identifiable health information:
1) Except as provided in paragraph (2) of this definition, that is:
i) Transmitted by electronic media;
ii) Maintained in electronic media; or
iii) Transmitted or maintained in any other form or medium.
2) PHI excludes individually identifiable health information in:
i) Education records covered by the Family Educational Rights and Privacy Act;
ii) Records described at 20 USC 1232g(a)(4)(B)(iv); and
iii) Employment records held by a covered entity in its role as employer.

There is supposed to be some guidance from DHS in February 2010.

The NACHA training was good. They may have an archive of it available.

The ABA Briefing was 2-3-2010, but you can buy the CD.
Last edited by GenerousLife; 02/04/10 10:35 PM.
_________________________
"No problem can withstand the assault of sustained thinking." ~ Voltaire
"Sustained thinking gives me a headache." ~Me


Moderator:  Andy_Z