HITECH, HIPAA and Financial Institutions: Building a Roadmap to Ensure Privacy and Security

As featured on HIMSS Business Edge

By Lee Barrett

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, electronic business processes in healthcare are evolving at lightning speed. More specifically, organizations are seeking more effective ways to link the provision of healthcare services with payments for those services. Financial institutions across the country have adopted healthcare financial transactions – the integration of banking technology, infrastructure and credit with healthcare administrative operations – to help streamline payment processes, reduce paper-based inefficiencies and improve workflow for their business customers in healthcare.

However, as banking and healthcare technologies converge, consumers have growing concerns regarding who has access to their health information and how that information will be used. While financial organizations are highly regulated and maintain some of the highest standards for data protection across all industries, new laws under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act – including the addition of breach reporting requirements and increased penalties for disclosure of protected health information – have made these standards even more stringent. These laws clearly impact banks, revenue cycle management firms and other financial service firms that deliver services to the healthcare sector, making it imperative that they understand how this legislation applies to their operations.

As a first step, financial institutions need to determine their status as a “covered entity” or “business associate” under HIPAA and HITECH. In some cases, a financial institution may qualify as a “hybrid entity,” which enables the organization to isolate the covered functions or services subject to HIPAA from non-covered functions. If a financial institution meets any of the above definitions, it must develop and implement policies and procedures that ensure compliance with the HIPAA privacy and security provisions governing the use and disclosure of protected health information (PHI). This includes, but is not limited to, setting up a compliance governance program, performing a risk analysis and audit, updating technology systems, developing a communications plan, and strengthening compliance education for personnel who process payments and manage other healthcare-related financial transactions.

At the end of the day, financial institutions involved in electronic processing for healthcare need to perform the due diligence necessary to make sure they clearly understand the HIPAA and HITECH legislation, why safeguarding PHI is so critical, the ramifications of inaction, and what can be done to protect the organization and mitigate risk of PHI disclosure. Those organizations that do so will be prepared to navigate the hurdles of safeguarding privacy and security as the collaboration between ehealth and medical banking continues to evolve.

Lee Barrett is Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC).