'Medical banking' expands HIPAA compliance to financial institutions

The Health Information and Management Systems Society (HIMSS) has issued a set of recommendations to help financial institutions comply with federal privacy laws for protected patient health data.

Financial institutions that manage revenue for healthcare companies have been required to meet more stringent security and privacy guidelines since the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH). The increased accountability makes it "critical to evaluate compliance responsibilities," HIMSS says in a white paper released earlier this month.

Because of HITECH, companies engaged in "medical banking" (a term trademarked by HIMSS), that is, healthcare-specific banking or financial services, must comply with the privacy requirements in the Health Insurance Portability and Accountability Act (HIPAA). The paper cites an example of converting paper Explanation of Benefits statements into electronic remittance advice files delivered to a lockbox with a check payment.

The recommended guidelines for achieving compliance are:

1. Determine eligible current or planned services and the financial institution's status as a covered entity or business associate under HIPAA and HITECH.

2. Set up the infrastructure to achieve compliance, including selecting a corporate-level program sponsor, a privacy officer and a security officer.

3. Conduct a risk analysis.

4. Conduct a risk audit and identify controls or control gaps.

5. Review and update technology systems as needed.

6. Develop a communications plan.

7. Update workforce training.

8. Consider data privacy and security accreditation or certification by an independent third party.

"As customers of financial institutions, healthcare providers and payers need assurances that financial institutions can safeguard protected health information with appropriate technology systems, infrastructure, and procedures for risk management and incident management," the paper concludes.

Technology increasingly links healthcare organizations and financial institutions, elevating security risks. Earlier this month, the U.S. Department of Health & Human Services released new rules meant to ease electronic fund transfer (EFT) and remittance advice transactions.

Spending to secure private healthcare data is expected to reach $40 billion this year and $70 billion in three years, Princeton, N.J.-based consulting firm The Boyd Company reported earlier this year.

To learn more:
- read the white paper
