June 17, 2004 Letter to the Secretary – Recommendations on the Effect of the Privacy Rule in Banking – National Committee on Vital and Health Statistics

June 17, 2004

The Honorable Tommy G. Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201

Dear Secretary Thompson:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification provisions of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).

The NCVHS Subcommittee on Privacy and Confidentiality held hearings in Washington, DC on February 18-19, 2004. The hearings, the second of several to be held on HIPAA implementation, were intended to gather information about the effect of the Privacy Rule in three areas: banking, law enforcement, and schools. Additional hearings will address other aspects of HIPAA implementation. This letter conveys the Committee’s findings and recommendations for action by the Department regarding banking. Separate letters contain findings and recommendations regarding law enforcement, and schools.

Representatives from a broad range of backgrounds testified about the effect of the Privacy Rule on banking, including representatives with extensive technical knowledge of health care information and bank processing, health care clearinghouses, electronic privacy issues, and confidentiality provisions contained in federal laws applicable to financial institutions.

HIPAA provides that its standards shall not apply to financial institutions engaged in banking functions, including functions that might involve use or disclosure of information about patients (see Social Security Act, Section 1179, 42 U.S.C. 1320d-8). Although the vast majority of health care information processing activities performed by financial institutions fall under this exception, there are circumstances under which financial institutions perform services not covered by the exception. For example, a small number of banks are clearinghouses as a result of services provided in addition to processing payments in their financial institution capacity, and are thus covered entities under HIPAA.

A critical issue is whether other privacy laws adequately protect health information held by financial institutions exempt from HIPAA under Section 1179. A witness from Georgetown University’s Health Policy Institute testified that other laws do not adequately protect personal health information held by financial institutions. Neither the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act), nor the recent amendments to the Fair Credit Reporting Act made by the Fair and Accurate Credit Transactions Act (FACT Act) provide protection. The Gramm-Leach-Bliley Act was intended to facilitate the integration of banks and other financial institutions, which involves sharing consumer information. Generally, the FACT Act prohibits a bank and other creditors from obtaining and using health information for consumer-credit decision purposes. Regulations for the FACT Act are under development.

A witness from the American Bankers Association (ABA) testified that financial institutions are very diligent about protecting consumers’ personal financial and medical information. The ABA and the National Automated Clearinghouse Association (NACHA) developed educational materials to help financial institutions prepare for the implementation of the HIPAA Privacy Rule. The ABA has recommended to financial institutions that they participate in and execute business associate agreements when they are engaged in health care processing. The Medical Banking Project (Project) testified that a number of financial institutions have inquired about HIPAA business associate agreements and thus it is the sense of the Project that financial institutions are executing and signing the agreements when asked to do so.

A witness from the Electronic Privacy Information Center (EPIC) expressed several concerns about financial institutions and the privacy of personal health information. EPIC does not support the Section 1179 exception for financial institutions that handle protected health information (PHI) contained in premium payment and remittance advice transactions. EPIC believes such entities should have covered entity status as health care clearinghouses under the Privacy Rule. EPIC does not believe that business associate agreements provide the same level of protection for health information as covered entity status. Also, the EPIC witness discussed the problems associated with transmitting PHI through the banking system’s automated clearing house (ACH) network. EPIC suggested that when PHI moves through the ACH, it be encrypted so that it is accessible only by the final recipient. Encryption also would help provide protection in the event of network security breaches as well as prevent potential data mining for marketing purposes.

NCVHS notes that the banking industry is evolving and diversifying its services for the processing of personal health information. For example, financial institutions have begun to acquire health care clearinghouses, and they provide value-added services that potentially involve personal health information. Financial institutions face new privacy challenges and responsibilities in today’s environment and with that in mind, the NCVHS recommends the following:

HHS should clarify the nature of the Section 1179 exception for financial institutions when engaged in processing health care transactions. Specifically, clarification is needed from HHS about whether the exception applies to consumer-initiated transactions (e.g., credit card or check payments), covered entity-initiated payment transactions, or both.

Until HHS clarifies the Section 1179 exception, HHS should recommend to health care providers and payers that they use business associate agreements with financial institutions.

Regardless of the technical status of financial institutions under the law and the regulation, HHS should consider whether encryption should be required for PHI moving through the ACH, to ensure that it is available only to final recipients.

We appreciate the opportunity to offer these comments and recommendations.

Sincerely,

/s/

John R. Lumpkin, M.D., M.P.H.
Chairman, National Committee on Vital and Health Statistics

Cc: HHS Data Council Co-Chairs