May 27, 2010

Webinar: HITECH Act - How Financial Institutions Should Manage the Risk


We hope you were able to join us on June 2, 2010 at 2:00 EDT for our HITECH Act webinar!

Click to download the presentation: INSIGHTS_HITECH_June 2010.pdf (4.33 MB). We are sorry to report that the live recording was inaudible, so we are unable to post it at this time.
Please scroll down to see Sharon's answers to all received questions!

Compliance expert Sharon Blanchette, CPA, CIA, MBA, spoke about why you should add the HITECH Act to the list of regulations included in your risk management program. The HITECH Act of 2009 affects financial institutions that function as "Business Associates" of their healthcare customers. Specifically, Sharon covered:

* How the HITECH Act expands the reach of the HIPAA Privacy and Security Rules of 2003 and 2005.

* What a "Business Associate" is, and how the HITECH Act can affect financial institutions that are Business Associates of HIPAA Covered Entities.

* What the true reputational and financial risks are for financial institutions that are Business Associates of HIPAA Covered Entities.

* What you need to do to respond to the requirements of the HITECH Act and manage the risks.

About Sharon A. Blanchette, CPA, CIA, MBA
Assistant Director, New England
ICS Compliance

Sharon Blanchette brings more than 20 years of regulatory compliance, accounting, and auditing experience to ICS Compliance, along with a background of more than 10 years in technology compliance. She serves as one of the Firm’s Subject Matter Experts in HIPAA and HITECH laws and regulations, as well as in disaster recovery and business continuity.

Sharon’s specific experience includes information privacy / security, vendor management, DR / BCP, compliance management systems, social media, enterprise risk management, BSA, NDIP, and Sarbanes-Oxley section 404 testing. As a former VP, Internal Audit & Control of a $1.4 billion FDICIA bank, Sharon was responsible for all aspects of auditing and annual audit risk assessments.

ANSWERS TO HITECH WEBINAR QUESTIONS RECEIVED:

Who has the obligation to ensure that a Business Associate agreement is in place: the covered entity or the Business Associate?

Answer - Under the old HIPAA, it was the covered entity's responsibility to provide a BA agreement to the BA. Under HITECH, since the BA is obligated no matter what, either one can take the lead on the BA agreement. However, the covered entity is still obligated.

If you, as a business associate, become aware of activity at one of your covered entity customers (such as accounts that keep getting hacked, or poor security), what must you do?

Answer - Business Associates that become aware of a pattern of activity that constitutes a violation of HIPAA must take steps to cure the violation. If a violation cannot be cured: 1. Terminate the agreement and 2. Report the problem to HHS.

We're a bank that does service some of our healthcare customers in our lockbox area, and we do work with paper EOBs and convert the information to a data file... BUT we essentially outsource this lockbox function to a third party. Are we still a BA of the healthcare customer?

Answer - Yes: you are still the BA of your healthcare customer. The company that you outsource to is simply your third party. The company you outsource to isn't a BA as well. Now, let me flip that around a little. If your healthcare customer contracted directly with the lockbox service provider, then the lockbox service provider would be the BA of the healthcare entity.

We have a few healthcare customers that we lend to for commercial loans. Do we have any exposure to HIPAA or HITECH?

Answer - Potentially, yes. Again, there is nothing specific about this in the regulation. But if you write commercial loans to healthcare companies and take their Accounts Receivable as collateral, you want to make sure you take their summary Accounts Receivable Aging and not their detailed Accounts Receivable Aging that has patients' names on it. You simply want to expose yourself to the least amount of PHI possible.

I'm in the benefits department of a large bank and we have our own self-insured medical plan, so we're a Covered Entity. We administer the plan ourselves. What should we be doing?

Answer - The most important thing a Covered Entity should be doing right now is updating your list of Business Associates and sending them updated BA Agreements. You will also want to retrain employees. I've done HITECH training for some companies that were trained on HIPAA years ago, but have forgotten the nuances of what the terms mean. Also, make sure your incident-response program is updated for Breach Notification procedures.

I had heard that a bill has been proposed that would essentially make all healthcare EFTs (electronic fund transfers) bona fide HIPAA transactions. Do you know the status of this?

Answer - I'd heard about the same thing, but as of today, there is no update on that. Considering the way the regulations are leaning right now, I would anticipate this happening in the future. This is why I indicated that ACH departments should be educated about this and be on stand-by for when it happens.

If we're writing checks from a trust account to a medical practice, does that make the trust department a Business Associate of any type?

Answer - No. You can only be a business associate of a healthcare covered entity, not of an individual.

Our bank utilizes lockbox services with a healthcare customer. We have contracted with a third-party company to scan in the documents and transmit the EOB and check copy to the bank customer. Are we covered under the HITECH or HIPAA rules for Business Associates?

Answer - Yes, the bank would be a Business Associate of the Covered Entity (healthcare customer). You are still responsible for monitoring the third party, and this would more likely be done as part of the vendor management program.

Please advise if lockbox processing for the payment of premiums would qualify as PHI or ePHI. The information included would be payment coupons with policy numbers and member information.

Answer - We have to look at each piece of this: 1) The assumption is that the bank's customer is a Health Plan; 2) Under the HIPAA definitions, Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual, and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual; 3) So the information would more than likely be PHI (or ePHI if electronic).

With regard to Accounting of Disclosures, is it necessary to keep an accounting of ePHI that is provided to examiners etc. in a paper format?

Answer - Before I attempt to answer this question, I have to caution the readers that this part of HITECH is still largely undefined. I have no body of law to reference when answering. At this point, however, it appears that there will be a decision tree required to analyze whether ePHI has to be logged on the Accounting of Disclosures. Right now it appears that the only information covered is ePHI that originates from an electronic medical record. So the Covered Entity and the Business Associate would have to know that detail about ePHI. It's also unknown what to do if that ePHI becomes regular paper-based PHI (as the question asks). Again, there isn't enough written on this area to provide a full answer.

Is there any checklist for the IT (Information Technology) systems to ensure HITECH compliance? What is involved from the IT systems perspective to achieve HITECH/HIPAA compliance?

Answer - The IT/Compliance staff at the bank should download the HIPAA IT Security Rule matrix to use in their risk assessments. However, the HIPAA Security Rule has long been criticized as being "soft".

Go to:      http://aspe.hhs.gov/admnsimp/FINAL/FR03-8334.pdf

The Security Rule Matrix begins on page 8380.

Are there any tools on the market for automation of checks for HIPAA/HITECH compliance?

Answer - To the best of my knowledge, because this area is so new to banks, there are no tools for automating HITECH compliance for banks. Compliance is evidenced more by performing a risk assessment, as well as implementing your policies, processes, and procedures.

Please clarify the issue of disclosure to the covered entity by the Business Associate and when the covered entity notifies the patient.

Answer - Please see the HITECH Breach Notification Rule.

Go to:    http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

Go to the end of page 42767 with section Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information, start with section § 164.400 Applicability

And continue through section § 164.410 Notification by a Business Associate on page 42769.

This covers the same material as was in the webinar, but with more detail.

Please discuss the risks and advantages of using a third-party processor.

Answer - Since the question is brief, I will answer it assuming the bank was asking about whether some of their risk could be changed by using a third-party processor. If the bank outsources any part of a process that has caused it to become a Business Associate of a Covered Entity, then the bank is still a BA of that Covered Entity. The bank simply has a third party to monitor, and this would more than likely be done as part of the vendor management program. I'm not sure there are any benefits of using a third-party processor.

So it seems that if the bank does not see or touch an EOB, but only accepts deposits which may include payments to the doctor, co-pays, checks from the insurance company, etc., no BA agreement is needed, correct?

Answer - At this point this has not been directly addressed. It's believed that the section 1179 exemption was intended to cover consumer-originated transactions only, but clarification was never provided by HHS. If the Covered Entity healthcare customer provided a Business Associate agreement to the bank, each party's legal counsel would have to argue their interpretations of section 1179.

If the HR department only acts as a middleman with benefits offered through a state banking plan, is there any HIPAA or HITECH exposure?

Answer - Yes. While the health plan is "offered" through a state banking plan, my guess is that the formal name of the Health Plan is something like "XYZ Bank Employee Health Insurance Plan" or something like that. If not, please ignore the rest of this answer! The Health Plan itself is the actual Covered Entity. It really is an entity in and of itself. (This area of HIPAA is oftentimes confusing to HR benefits departments because the person who administers the Health Plan in the HR department as the "middleman" is also an employee of the bank!) The Health Plan itself needs to take all of the steps that a Covered Entity would have to take for the entire Privacy Rule and the entire Security Rule. It will have a risk assessment, it will send out BA Agreements, it will have a full set of policies and procedures for HIPAA. The scope of the webinar was designed for banks acting as BAs. We will consider performing another webinar for HR departments and their respective Health Plans. However, a good place for you to obtain HIPAA guidance would be from the state entity that sponsors the health plan. If you have trouble finding information, please call us.
