Date post: 24-Dec-2015
Banks and the Privacy of Medical Information
8th National HIPAA Summit
March 8, 2004
Joy Pritts, JD
Health Policy Institute
Georgetown University
202-687-0880
Public Concerns
95% of adult Americans do not want banks to have access to their medical record information without their permission.*
* Gallup Organization nation-wide poll, August 2000, available at: http://forhealthfreedom.org/Gallupsurvey/index.html
Information Networks: HIPAA & GLBA
[Diagram labels: Protected Health Info. (PHI); Health Care Provider; Health Plan; Banks; Affiliate]
Public Concerns
Increased access to identifiable health information by banks
+ Increase in bank-insurer affiliations
+ More sophisticated computer technology
+ Potential financial incentive
Concerns about banks obtaining and using health information for consumer credit decisions & sharing health information with affiliates
Goal: Protect Privacy of Health Info. as It Flows through the System
[Diagram labels: Claim for payment; Protected Health Info. (PHI); Health Care Provider; Health Plan; Banks; Covered]
Primary Laws
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Gramm-Leach-Bliley Act (Financial Services Modernization Act) 1999
Fair and Accurate Credit Transactions Act of 2003 (FACT Act)
– Amendments to Fair Credit Reporting Act
HIPAA & Banks
Are banks covered by HIPAA?
What activities of banks, if any, make them “health care clearinghouses” covered by HIPAA?
Processing Consumer Payment Info. Does Not Make a Bank a HIPAA Clearinghouse
[Diagram labels: Patient; Health Care Provider; Bank; Credit Card Co.; Checks or Credit Card Payments; Info.; 3d Party or Affiliates; Covered; NOT Covered]
Processing 3d Party EFT Does Not Make a Bank a HIPAA Clearinghouse
[Diagram labels: EFT; Claim for payment; Bank; Health Care Provider; Health Plan; Covered; NOT Covered]
Does Processing ERAs Make a Bank a HIPAA Clearinghouse?
[Diagram labels: Claim for payment; ERA – Identifiable Health Info.; ERA; Health Care Provider; Bank; Health Plan; Info.; 3d Party or Affiliate; Covered; NOT Covered – Sec. 1179 Exemption?]
Sec. 1179 PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS
SEC. 1179. To the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:
(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check or electronic funds transfer.
* * *
42 USCS § 1320d-8
Issue
If banks are exempt from HIPAA under 1179, to what extent is medical information held by banks protected by other laws?
GLBA
Designed to encourage affiliations between banks and other “financial institutions”
Applies only to consumer & customer financial information, not commercial transactions
Privacy provisions establish limits on sharing financial information (which may contain medical info.)
GLBA Limits Sharing Consumer Payment Info.
[Diagram labels: Checks or Credit Card Payments; Patient; Health Care Provider; Bank; Notice & Opt Out; 3d Party; Affiliates; Information; Covered; Notice; Checks; Credit]
GLBA Does Not Prohibit Banks from Using Consumer Payment Info.
[Diagram labels: Checks or Credit Card Payments; Patient; Health Care Provider; Bank; Credit Card Co.; Covered; NOT Covered]
GLBA Does Not Prohibit Banks from Using or Sharing Info. from Commercial Transactions
[Diagram labels: Claim for payment; ERA – Identifiable Health Info.; ERA; Health Care Provider; Bank; Health Plan; Affiliates; 3d Party; Covered; Not Covered by GLBA]
Intent of FACT Act
Fill some of the gaps in privacy protections in:
HIPAA
GLBA
Within context of consumer credit protections
FACT Act
Prohibits obtaining & using medical information for consumer credit decision purposes except where banking agencies determine it is “necessary and appropriate” to protect legitimate operational, transactional, risk, consumer and other needs
Consistent with intent to restrict use of medical info. for inappropriate purposes
Regulations Drafted by Banking Agencies that Allow Using Info. for Credit May be Narrow. . .
[Diagram labels: Claim for payment; ERA – Identifiable Health Info.; Health Care Provider; Health Plan; EFT; Patient; Checks; Credit; Banks; Covered]
… or Broad
[Diagram labels: Claim for payment; ERA – Identifiable Health Info.; Health Care Provider; Health Plan; EFT; Patient; Checks; Credit; Banks; Covered]
FACT Act Does Not Prohibit Using Payment Info. for Insurance, Marketing or Other Purposes
[Diagram labels: Claim for payment; ERA; EFT; Health Care Provider; Bank; Health Plan; Patient; Checks; Credit; Covered; NOT Covered]
Limits on Sharing Medical Info. Are Not Clear
Under best circumstances, permits banks to share medical info. with affiliates for any purpose:
Permitted without authorization under Privacy Rule or
Referred to under Section 1179
Conclusion
If banks are fully exempt under Sec. 1179, the medical information that they receive is not fully protected by other laws.
The End