A debate exists as to what extent, if any, HIPAA applies to financial institutions. Three main areas of banking are deemed to warrant the inclusion and understanding of HIPAA as it is currently defined.
- 1. The Privacy Rule applies to financial institutions that provide health care benefits to their employees, regardless of whether the Bank offers a self-insured plan with active oversight by management or a fully insured health plan where management has limited involvement in health care costs. Financial institutions are particularly susceptible to HIPAA violation claims brought forth by bank employees who are knowledgeable about privacy rights and will use their knowledge as the basis for bringing claims and litigation against employers.
- 2. Another issue is deciding whether actions taken by the Bank make it a business associate. A “business associate” performs a function or activity for a HIPAA covered entity that involves the use or disclosure of protected health information on the entity’s patients or members. If the financial institution becomes a business associate, the HIPAA Privacy Rule requires the health care customer to enter into a contractual relationship with the associate (banking institution). The agreement imposes a number of privacy restrictions on the bank with regard to handling sensitive patient information it may receive from health care companies that are also bank customers.

  The financial institution should evaluate the wide range of services it provides to determine whether or not these services constitute performing a “business associate” function. If the bank receives no patient information from the customer, or simply processes checks received from the customer’s patients, which may include their name, address, and telephone number, this would seem to be encompassed under Section 1179 and merely an incidental part of the services that are extended to all customers, regardless of what type of business venture they are involved in.

  The issue of HIPAA arises when banks take extra steps in performing services for a health care institution. This could include matching claims to receipts and collection efforts performed on delinquent claims.
- 3. The last component analyzes whether or not financial institutions will feel pressure from their customer base to conform to HIPAA restrictions even if the bank is not legally obligated to comply with the rules and regulations. Banks must evaluate their customers and become educated on the HIPAA requirements so that employees will be able to answer any questions that may arise and/or act upon new business opportunities that clients in the health care industry may have to offer. A good way to ease the minds of health care companies that do business with your institution is to provide information concerning one’s policies and procedures on the privacy and security of customer information.

More information regarding HIPAA can be found on the website manned by the US Department of Health and Human Services.

Contact Nichols, Cauley & Associates by email, phone, or online form with your questions.

Site visitors should keep in mind that the content is generally designed to be of general applicability. Particular state laws, regulations and special contractual provisions can greatly impact rights, responsibilities and legal obligations. Only a competent attorney, accountant or other professional looking at all the pertinent facts and circumstances of a particular situation can provide definitive guidance for you. Please refer to our important legal disclaimer, which can be accessed from the bottom of any BankAudit.net webpage.