Final Omnibus HIPAA Rule: What it Means for Financial Institutions

Appeared in the Summer 2013 edition of The Bankers' Statement

In January, the U.S. Department of Health and Human Services (HHS) issued the long-awaited Final Omnibus HIPAA Rules.  The Rules, effective on March 26, 2013, require compliance by September 23, 2013.  While health care providers, health care plans and health care clearinghouses – covered entities as defined by HIPAA –  have all been closely following the evolution of HIPAA after HITECH, certain financial institutions, though seemingly far-removed from the health care industry, may not be immune from HIPAA liability.

Although many financial institutions have historically relied upon HIPAA’s Section 1179 exception to avoid any HIPAA compliance obligations, this exception may no longer provide a safe harbor given the evolving nature of the services that many financial institutions are providing to their health care clients today.  Section 1179 of the HIPAA statute provides that:

To the extent that an entity is engaged in the activities of a financial institution, or is engaged in authorizing, processing, clearing, settling, billing, transferring or collecting payments for a financial institution, then the HIPAA statute and the accompanying rules do not apply.

That being said, banks and financial institutions, whose services for their health care clients go beyond traditional financial institution activities, should be re-considering their potential HIPAA obligations carefully. 

First, banks that provide clearinghouse services for their health care clients may be a covered entity themselves.  Health care clearinghouses are one of the three types of covered entities under HIPAA.  A health care clearinghouse converts health information from a non-standard format into a standard data format (i.e., a physician sends a paper claim to a health care clearinghouse where it is converted into a standard electronic format for submission to a health insurer for claims payment).  Thus, banks that process protected health information (PHI) from a non-standard format into a standard electronic format for purposes of billing and claims payment should take care in their analysis of their HIPAA obligations.  It is likely, given the nature of these services, that the bank is acting as a health care clearinghouse under HIPAA.

Second,  banks and other financial institutions that use or disclose PHI to perform services for or on behalf of their health care clients or health care plans, may very well be business associates under HIPAA.  For instance, banks that provide lockbox services for their health care clients are arguably business associates for these clients if the service performed requires the bank’s use and disclosure of the health care client’s PHI to perform it.  Thus, banks that use PHI in performing services for their health care clients that go beyond the simple processing of checks should also be carefully re-evaluating their potential HIPAA obligations as a business associate of these health care clients.

The HIPAA stakes have never been higher. 

For financial institutions that are covered entities, the entire HIPAA enforcement landscape has changed since the enactment of HITECH in 2009.  Before the enactment of HITECH in 2009, HIPAA enforcement actions were almost non-existent and the financial penalties for violations were relatively small.  Since HITECH, the Office of Civil Rights (OCR) has been tasked with and well-funded to actively pursue HIPAA enforcement over the past three years.  Multi-million dollar fines and settlements, random HIPAA audits, and state attorney general involvement all mark the heightened enforcement environment that has arisen since 2009.  In addition, HITECH’s breach notification obligations have made breaches of PHI a very costly event for all covered entities.

For financial institutions that are business associates, HIPAA is now more than a simple contractual obligation.  Prior to the 2009 enactment of HITECH, business associates were subject to HIPAA only through contracts with covered entities. These contracts, called business associate agreements, set forth requirements for the business associate’s use and disclosure of protected health information.  HIPAA now directly applies to business associates as well as to covered entities.  After 2009, HITECH, which has now been incorporated into the Final Omnibus HIPAA Rule, expanded HIPAA’s privacy and security regulations and made some significant changes related to business associates of covered entities.  Now, business associates are statutorily obligated to comply with certain HIPAA provisions, including:

• Business associates must conduct a security rule risk assessment.
• Business associates must develop HIPAA policies and procedures that govern their use and disclosure of PHI.
• Business associates must establish administrative, physical and technical safeguards to prevent, detect and correct security breaches.
• Business associates are also now required by law to adhere to the terms of their business associate agreements.

Business associates are also now subject to HIPAA’s expanded civil and criminal penalties for violations of HIPAA.  These penalties are not insignificant.  Civil monetary penalties after HITECH now range anywhere from $50,000 to $1.5 million per violation per calendar year.  In addition, HHS more readily refers some HIPAA violations to the Department of Justice for criminal investigation.  Other enforcement activity also abounds.  HHS is now actively pursuing random audits, and state attorneys general now have the power to enforce HIPAA as well.

As a result, banks and financial institutions must re-evaluate the various services they provide to their health care clients that require the use or disclosure of PHI and re-consider whether these services make them a covered entity or business associate under HIPAA.  Further, if it is determined that HIPAA does govern their use and dissemination of PHI in the performance of these services, efforts to achieve HIPAA compliance should be a very high priority.  With the September 23, 2013 HIPAA compliance deadline looming, time is running short.