A Publication of Pepper Hamilton LLP
Financial Services Alert
New Health Care Privacy Law Affects Banks' Products
Monday, February 23, 2009
Medical banking is defined as the integration of banking technology, infrastructure and credit with health care administrative operations. In increasing numbers, banks are providing medical banking services such as health care payment services and health savings accounts. Since the passage of the Health Insurance Portability and Accountability Act (HIPAA), there has been some confusion regarding the status of banks when they receive protected health information (PHI) while providing these services.
HIPAA applies only to "covered entities," that is, health care providers, health plans and health care clearinghouses. Some banks qualify as a health care clearinghouse because they translate nonstandard transactions into the HIPAA standards, and vice versa. However, most banks do not provide HIPAA clearinghouse services, but rather operate as business associates because they receive PHI when providing financial services on behalf of a covered entity. To perform as a business associate, the bank and the covered entity enter into a Business Associate Agreement (BAA). The BAA establishes permitted uses and disclosures of the PHI that the bank receives from the covered entity. The BAA also requires the bank to implement security safeguards and privacy measures to protect the PHI. However, for a number of reasons, BAAs contain terms that do not ensure that proper safeguards and privacy protections are actually implemented. The basic business associate terms mandated by the HIPAA rules do not require contract review or renewal and impose no direct obligation on the business associate to comply with HIPAA.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009, is designed to strengthen business associate privacy and security protections. These new provisions:
- require business associates to implement the same information security safeguards provided in the HIPAA security rule that a covered entity must implement
- obligate the business associate to provide notice to a covered entity if a system containing PHI is breached
- compel the business associate to terminate the agreement if a covered entity materially breaches the contract, or to report the breach to the U.S. Department of Health and Human Services if termination is not possible
- impose stronger controls on the sale of PHI
- apply the HIPAA criminal and civil penalties directly to business associates
- enhance civil penalties from a minimum of $100 for each violation up to an amount not to exceed $25,000 per year to a maximum of $50,000 for each violation, not to exceed $1.5 million per year, and
- provide funds for enforcement and authorize enforcement by state attorneys general.
Pepper Points - The changes to HIPAA brought by the HITECH Act are aimed at enhancing privacy and security and thereby improving the chain of trust in a nationwide health information technology (HIT) infrastructure, including electronic health records and health information exchanges. As trust increases, more covered entities and patients will use HIT, leading to the creation and delivery of new medical banking services. Although most of the privacy and security changes will not be effective until 12 months after enactment, banks interested in strengthening their medical banking services can begin now by:
- updating their inventory of business associate agreements
- preparing contract language that complies with the new provisions
- implementing an information security program that complies with the HIPAA security rule, including an incident response program that includes notice of breach procedures, and
- obtaining accreditation from the Electronic Health Network Accreditation Commission (EHNAC) or another credible accrediting organization that requires compliance with the enhanced HIPAA privacy and security provisions.
M. Peter Adler
This is one of a series of articles published by members of Pepper Hamilton LLP discussing issues arising out of the American Recovery and Reinvestment Act of 2009. For our other publications, please refer to our firm's Web site at www.pepperlaw.com.
The material in this publication is based on laws, court decisions, administrative rulings and congressional materials, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.