• HIPAA: The New Applications of Health Care Regulations on the Financial Industry
  • February 18, 2011 | Author: David W. Donnell
  • Law Firm: Adams and Reese LLP - Ridgeland Office
In 2010 financial institutions were put squarely in the sights of privacy regulations historically found only in the health care industry. The enforcement of these regulations is now increasing. With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the implementing regulations in 2010, “business associates” of health care providers were required to establish and maintain the same level of privacy and security policies as their health care provider clients. Banks and financial institutions that provide medical lockboxes, medical banking services or other services which require access to and/or dissemination of protected health information (“PHI”) are included in the “business associates” identified in the HITECH Act. The compliance requirements for “business associates” are now equal to those of health care providers, and the HITECH Act equipped the Office of Civil Rights, the policing arm of HIPAA, to assess strong penalties - under certain circumstances as much as $1.5 million per year - for violations.

Banks and financial institutions that are involved with their health care clients as “business associates” must now proceed with developing and implementing compliant privacy and security policies to guide them and safeguard their handling of PHI. They must appoint privacy and security officers who will police the flow of PHI, provide appropriate notifications of privacy practices, and use or disclose PHI only in ways authorized by the individuals (patients) or as allowed under HIPAA. Annual training is also now required. Failing to adhere to these standards is not an option. The audits and active enforcement efforts being conducted by the Office of Civil Rights are beginning to include banks and other “business associates.” Lax efforts to comply with privacy and security policies may be considered “willful neglect,” and mandatory penalties can be imposed.

You should take appropriate steps now to determine what, if any, PHI you may be handling with respect to your health care clients and implement HIPAA compliant privacy and security policies to protect your institutions from the broad reach of HIPAA’s new enforcement efforts.