Policy Discussion at Workgroup for Electronic Data Interchange (WEDI)

By any measure, when you think back on healthcare legislation that has had a profound impact on American society, HIPAA rises to the top. A far reaching rule like that requires serious leadership and I’m proud to share the room with a few of those leaders. HIPAA is now a household word that means privacy and its recognition by the typical consumer is rivaled only by the Social Security Act that gave us Medicare. Truly, by any account, the story of HIPAA is remarkable.

In 1996, in the shadow of this major bill, I began to devote all of my energy to a side drama that has now gone mainstream – the creation of a new and vibrant industry called medical banking. Anything good takes effort and driving this often misunderstood area has been anything but easy. A key story line in my work is the issue we’re discussing today – HIPAA’s impact on banks. It’s occupied some portion of my time most every day since 1996. Today, medical banking is raising a new generation of health care leaders from, of all places, banks. BNY Mellon, PNC, Wachovia-Wells Fargo, US Bank, Fifth Third and others are all taking their place at the table. New characters are writing chapters in the fascinating tale of HIPAA. Yet some people haven’t caught up, or even bothered to read the latest twists and turns in the plot, sort of like trying to read a book by starting in the middle.

Let’s start at the beginning to unwind the tale of HIPAA’s impact on banks. The year is 1996 – I wrote a little newsletter and sent it out to over 1,000 bank holding companies. It proposed that HIPAA could drive a new generation of banking services for healthcare, but it only survived two printings because the issue wasn’t prominent. Fast forward to 1998, when I wrote a white paper called HIPAA’s Impact on Lockbox Operations that pioneered new legal tests for assessing HIPAA’s impact on banks and financial institutions. If you haven’t read it, I urge you to. It initiated a national discussion and debate about the questions being addressed today, questions that were answered between 2001 and 2004 by multiple federal agencies, a battery of attorneys and industry experts. Published by the International Association of Privacy Officers, the article caught the eye of LexisNexis, who then published a 3-part sequel I wrote, considered a seminal piece on the topic, in Health Care Law Monthly and then contracted me to write Chapter 8, entitled Health Care Payment Systems, for their Treatise on Health Care Law.

Turning to the next chapter, the Healthcare Financial Management Association honored me by appointing me as their lead advisor in medical banking. Much like a publisher that heralds a new book, Richard Clarke, CEO of HFMA, issued a wake-up call urging, no, even insisting, that all healthcare groups read a white paper I wrote with Gail Sausser, an attorney who chaired the HFMA HIPAA@Work taskforce, that detailed HIPAA’s impact on bank-provider relations. Turning the pages further in this story, in 2003 and 2004 the National Committee on Vital and Health Statistics asked me to testify not once, but twice on this issue. I testified before AHIC more recently on the topic. If you haven’t read it, the testimony chronicles key factors in the development of medical banking policy.

Now if you’re anything like me, when I read a great story or come across a great book the first thing I ask is: how did the author come up with that idea? At its core, the story of medical banking is shaped by this work on HIPAA’s impact on banks, interviews with 125 bankers in 1995 and Dr. Benn Konsynski’s work on inter-organizational systems, which shows how two adjacent industries, upon reaching escalated levels of EDI adoption, inevitably form cross-industry bridges that remove systemic inefficiency. Taking the paper chase out of healthcare, I reasoned, is evolving into a banking issue. That was sort of like an intellectual awakening – an epiphany – and that really is how medical banking came to be. We pioneer new thinking around banking and healthcare, and in this process HIPAA is a fundamental driver because of its broad impact on the banking sector. Banks either must react or cease to offer some services in healthcare. From 2001-2005, in what many times seemed a field of blank stares and yawns, I created and promoted a vision of banks fully engaged to improve healthcare using systems that are secure, highly efficient and well-capitalized. A Deloitte survey of CIOs showed that banks routinely spend five times more than healthcare on technology. Why is that important? It’s important because more healthcare groups are learning to harness bank technology for data processing.

Today, we’re witnessing Konsynski’s IOS theory in action as banks embrace healthcare, just like it proved out in other industries like SABRE in the airlines world and ASAP in the medical supply trade. Today you and I go to a website to buy our tickets, book our hotel rooms and cars – a direct result of close linkage between banks and the administrative process behind the airlines industry. The same industry dynamic, applied in banking and healthcare, will find consumers using online banking – a trusted portal for 55 million American homes – to do things like manage our investments in tax favored health savings accounts, research our care, receive reminders to fill our prescriptions and even request our healthcare records. This “health-wealth” portal of the future makes so much sense that one may well ask, why aren’t we doing this already? Medical banking is the tale of how this will come to pass.

If you believe in that kind of future then you need to draw lines back to where we were in 1996 when HIPAA was passed. At that time I suggested that HIPAA’s impact on banks was broad because of that vision. In 2001, MBProject convened all the stakeholders to discuss HIPAA’s impact and has since taken our message to over 30,000 banking and healthcare organizations: organizing 12 roundtables over 2 years and a series of institutes (we’re now on our 7th Institute, March 11-13 in Nashville, and you’re welcome to come), leading a 15-month effort to create a Gold Seal accreditation standard for medical banking, defining the concept of a “bank-based health data clearinghouse”, carving it out of the body of law, and proposing and helping EHNAC to implement a bank clearinghouse accreditation program. This leads me to an interesting question: if this area really needs to be demystified, should we trust accreditation programs? MBProject certainly doesn’t believe this area needs to be demystified.

By 2003 we began a national tour targeting 10 stakeholders over 14 months with key experts like Tom Hanks, Stanley Nachimson and Alan Goldberg, and organized national policy forums well followed in the media by CNBC, Health Data Management, Modern Healthcare and many others. We invited all the stakeholders and they came – FDIC, NACHA, ABA, OCR, Federal Reserve and many others. Today the US Treasury, DoD, CDC, major universities and some 60 firms are members of MBProject, and they’ve concluded that MBProject has already demystified HIPAA, as evidenced by moving forward with their plans and strategies in medical banking. A growing number of banks are partnering with, forming or acquiring their own clearinghouses, and each is very serious about complying with HIPAA. So when I saw the title today – Demystifying HIPAA – I thought, didn’t we do that already? And then the second line caught my attention: “paving the way for banks”? It’s common knowledge that the market has already paved the road; NCVHS, HHS and OCR have already weighed in on this issue. The road is paved, asphalted and marked. Banks, partnered with health IT firms and payors, aren’t waiting for next steps but running full throttle down a new medical banking highway, and not just in America but in Canada, Australia, Germany and other areas of the world. So maybe we should consider reframing this discussion, but my next thought was: reframe it to what? It seems like this story has already been told.
 
For argument’s sake let’s retell the story by going back to the middle of the book. The application of HIPAA to banks rests on 3 acid tests:

1. Does Section 1179 exempt banks from HIPAA? If it doesn’t, we move on to the next test.
2. Does Section 1179 refer to payment data ONLY (dollars) or to all payment-related functions (eligibility, authorization, remittance and even the claim)?
3. When is a bank a clearinghouse under HIPAA?

We found that framing the question in terms of trying to classify banks as BA vs. CH is redundant, and I’ll explain that. We went through each test carefully, numerous times, with numerous use cases and numerous stakeholders, and here’s our summary:

Test number 1: How many people here believe that banks are 100% exempted from HIPAA? In a letter to HHS in 2004 NCVHS clearly states, and I quote, “For example, a small number of banks are clearinghouses as a result of services provided in addition to processing payments in their financial institution capacity, and are thus covered entities under HIPAA.” For those not following this area, the letter appears to raise unresolved questions, but in reality it was carefully worded to resolve far more than meets the eye. In fact, it carefully side-stepped a tense political drama to deliver a final verdict for acid tests number one, two and three, as we’ll see. If you haven’t read it I encourage you to go back and do so, because NCVHS doesn’t even engage the debate but simply presumes HIPAA applies. End of story.

When you think about it, if HIPAA applied asymmetrically a bank-owned clearinghouse would be exempt and a non-bank-owned clearinghouse would be covered, creating an uneven regulatory landscape that is inefficient and removes a blanket of data protection. In 2003 I argued in a letter to HHS and OCC for the symmetrical application of HIPAA across all market structures – not singling out banks or any other segment. I had delivered that message to AFEHCT previously in 2002, and three days later the organization issued a letter to Secretary Thompson arguing against favorable treatment for banks. That was the right approach in our view, and the market agreed with this conclusion. At our 2004 Institute three major banks publicly embraced this interpretation after much internal legal wrangling and analysis.

Section 1179, as Tom discussed, exempts consumer-initiated financial transactions like merchant and check processing. To their credit, the banking industry, realizing this area was exposed, created FACTA’s Red Flag Rules (and PCI in the credit card arena), and now the healthcare industry is finding its world impacted by banking regulations. I suppose what’s good for the goose is good for the gander. We suggested, as did EPIC in 2004, that OMB implement a cross-industry group to review medical banking policy. Healthcare and banking do not live in isolation. As convergence broadens, what one does will tend to impact the other. Thus the answer to the first test is “no”; banks aren’t 100% exempt from HIPAA.

The second test – does Section 1179 refer to payment data ONLY or to all payment-related functions – is clarified in the guidance to the Privacy Rule drafted by Bill Braithwaite. What he wrote in 2001 is absolutely clear; I don’t think it needs to be demystified. Some argue that payment activities involve all of the claims transactions, but the only way to reconcile the legislative intent of HIPAA and the guidance in the Privacy Rule is to specifically exempt consumer-initiated financial transactions, not business-to-business transactions. This is clearly stated in the legislative record in no uncertain terms. The Privacy Rule guidance says moving diagnostic data through banking systems is only acceptable with a business associate contract in place. Thus the answer to the second test is to treat the term “payment activities” as the movement of funds and not the movement of HIPAA transactions, which carry more data than this. In other words, if you exempt all HIPAA transactions you might as well exempt banks altogether, and that’s an incorrect interpretation of the law. Whatever your view, NCVHS once again in 2004 makes it clear that covered entities should execute a business associate contract with their bank partners. Their advice is both sound and clear, and if you look at the marketplace, it’s already complying or taking steps to do so.

The final test is “when is a bank a clearinghouse under HIPAA?” Talking about when a bank is a business associate vs. a clearinghouse may be an interesting technical exercise, but everyone involved in HIPAA knows the rule was drafted with the understanding that any HIPAA-CH is in fact already a business associate. That’s why the administrative regulations are different for clearinghouses; they don’t need to do things like send privacy notices because obviously a clearinghouse has no direct relationship with the patient. So the real question is when is a bank a CH under HIPAA, because we already know that if a covered entity allows its business partner, bank or non-bank, to have access to protected health information they must execute a business associate contract. Thus a clearinghouse is presumed to always be a business associate; again, nothing to demystify here! We should also note that within the economic stimulus package the differentiation in terms of penalties between a CH and a BA is blurring. Business associates will likely be penalized the same as clearinghouses! I think this is both unfortunate and difficult to apply. It undermines rather than leverages the underlying construct of HIPAA that in my opinion was a stroke of genius, pushing the privacy and security doctrines out into the marketplace in a very broad and sweeping way using the “covered entity-business associate” principle. But I respect the work of many privacy groups, and even the IOM has come out with a report suggesting we either scrap HIPAA or do an overhaul. We simply urge balance between privacy and functionality and between privacy and safety.
 
So we turn to the issue of when a bank is a clearinghouse, and here again the law and NCVHS are abundantly clear. If a bank converts data to or from a HIPAA transaction, it’s a clearinghouse. That means it has federal obligations and not just contractual obligations, and that could lead to fines for non-compliance, but as we suggest, even that may change under the Economic Stimulus plan. I want to add here that to suggest a BA or CH would be treated differently if there was evidence of unauthorized use of PHI is probably misleading. The Privacy Rule applies its penalties to individuals, not companies. You don’t throw companies into jail, you throw people into jail. Today HIPAA penalties are the law of the land, whether BA, CH or a person walking down the street with unauthorized access to health data. Here again the story has already been told.

The third test then really revolves around function. Banks may be impacted in three areas: accounts payable processing, accounts receivable processing (at the lockbox or RDFI level) and point-of-service transaction processing, to the extent that HIPAA-regulated data conversion occurs. There may be other areas, but one need only make this determination and you have your answer. Case settled.

In the interest of full disclosure, there are some outstanding policy issues having nothing to do with EDI. In 2003 I outlined new privacy rights in lending arrangements, published by the Banking Law Journal, that may become problematic until addressed. We alerted CMS and the marketplace in a press release on those issues and published opinions on the topic in our Medical Banking Road Map for America.

A few key facts related to this topic are important. First, less than 1% of remittance data flows through the ACH. This isn’t a gaping risk area and it’s not growing; I’m not suggesting it isn’t important, but it’s good to understand the magnitude of the topics we’re discussing, especially when talking about policy. Next, the average community bank that is processing payments from the ACH to the provider’s bank account may be a business associate, but the vast majority aren’t clearinghouses. Third, today no other industry outside of defense is as heavily invested in the Identity Theft Arms Race as banks. They simply cannot let the bad guys get your money, for if that happens just one time, over 58% of all consumers will change banks according to a survey by Ponemon Institute. That unforgiving and small margin of error is a clear incentive for protecting both your confidentiality and your money. Truth be told, the physical, technical and administrative safeguards banks are highly invested in are the most stringent prescribed in the Security Rule. Banks have layers of redundant safeguards to protect your confidentiality. We are convinced this engine of assurance can be harnessed to support national policy goals in healthcare through new medical banking innovations. Finally, even given today’s credit crisis, financial institutions have invested over half a billion dollars into health IT since 2001, and we see that trend growing. That’s new-found money in health IT, and it’s very important because most providers can’t afford to upgrade technology, so banks partnered with health IT firms and payors can help to meet this critical need. For these and other reasons, banks should be a welcome stakeholder in improving healthcare for everyone.

In closing, every great story needs a great ending. I think the plot of medical banking, where there is an alliance between two industries that desperately need each other to be successful, is an inspiring story! HIPAA’s impact on banks is not a tale of mystery; in fact, there’s no mystery here whatsoever. I think the conclusion is crystal clear: that HIPAA has disclosed exciting and innovative ways for banks and healthcare to work together and that, working side-by-side through evolving cross-industry technologies, these groups have already paved a common destiny to improve healthcare. And that’s what the story of medical banking is all about. Thank you!

John Casillas
Chair, Medical Banking Institute
Executive Director, Medical Banking Project
401 Pond View Court | Franklin, TN | 37064
Phone: 615.794.2009 Ext. 114 | Fax: 615-468-7606
http://www.mbproject.org