Financial institutions that provide services to healthcare organizations and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) became subject last year to the law's privacy and security provisions. The Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA's data privacy and security requirements to the business associates of covered entities. Today, when a bank of any size provides covered services to a healthcare organization, it assumes a host of new responsibilities.
Most banks doing business in healthcare have taken steps to ensure their compliance with the new law, including creating appropriate breach notification programs and adapting systems for compliance with audits by the Department of Health and Human Services. Many have also created HIPAA-specific risk assessment methodologies to help determine when risk thresholds have been reached that call for breach notification.
Still, bank relationships with healthcare providers are complex and varied, from the major financial institutions that provide health insurance to tens of thousands of employees around the globe to the small credit union providing remittance processing services at a family practice in Des Moines. While some banks are savvy about the new requirements, others are struggling to adjust to their new responsibilities. Still others are exposed and don’t know it.
Exposure creates serious risk. Among other things, HITECH calls for civil penalties of up to $50,000 per violation. The yearly maximum of $1.5 million applies per provision violated, so penalties can stack when violations of multiple provisions are found, and the legislation empowers state attorneys general to seek damages from entities for HIPAA violations.
Given the complexity of the requirements and the possible outcomes of noncompliance, banks that provide services to healthcare need to focus on HITECH's hurdles. For those not fully adjusted to the changes, full compliance is essential. It is also important for banks to be savvy regarding HIPAA-related changes in their agreements with healthcare organizations, including the business associate agreements those organizations will now require, and to fully understand their new responsibilities with each individual client.
But for banks that are knowledgeable about healthcare privacy there’s another way to look at HITECH that reveals a rich field of opportunity. Imagine your financial institution has been servicing hundreds of doctors’ offices for the last ten years. It’s safe to say that many of those offices are struggling. The transition from paper to electronic health records alone creates a tremendous burden. The everyday tasks of dealing with the health insurance system can create another area of enormous administrative difficulty. In this context, many provider offices simply don’t have the time or resources to examine the details – details that could get them into serious trouble.
What can local, regional and even global financial institutions offer these organizations? First, they can offer technological solutions to ease electronic health records and HIPAA burdens. This might be a transaction processing system that saves time and money, or it might go beyond strict financial services products to data maintenance software that helps streamline data storage. Imagine a doctor’s office keeping patient records on a desktop computer in the back office. Could your financial institution offer the client storage and backup via secure servers? Or perhaps your organization has developed a proprietary tool for detecting data breaches. Could that tool be adapted to the healthcare environment and sold to clients seeking reliable means of detecting system compromises?
Banks also hold knowledge. With a long history of responding to the Gramm-Leach-Bliley Act and other federal and state-level security and privacy laws, banks are in a good position to consult with healthcare organizations about the implementation and optimization of data management systems.
Banks have earned their credibility in data privacy and security. Those that clearly communicate this to their clients and talk with customers about what they can do to stay ahead of the compliance curve, avoid fines, and ensure their systems are adequately protected from breaches will be best poised to take advantage of HIPAA and HITECH’s hidden opportunities.
Ms. Slade is senior vice president and chief operating officer with The Santa Fe Group and coordinator of the Protected Health Information Project, a joint effort of the American National Standards Institute, the Shared Assessments Program and the Internet Security Alliance. She can be reached at robin@santa-fe-group.com.