Does a Financial Institution Qualify as a HIPAA Business Associate?

October 31, 2013
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Whether a physician's financial institution qualifies as a business associate under HIPAA depends on several factors.

Physicians inevitably use banks and financial institutions as a regular part of business transactions. But do these institutions qualify as business associates or subcontractors under HIPAA? The answer: It depends.

On August 21, 1996, Congress enacted Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, affectionately known as HIPAA. Title II, Part C, Section 1179 addresses the processing of payment transactions by financial institutions. HIPAA relies on the definition of a "financial institution" as that connoted in section 1101 of the Right to Financial Privacy Act of 1978. Section 1179 sets forth the exception that HIPAA shall not apply to the entity with respect to such activities that include, for example, "[t]he use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting a payment for, or related to, health plan premiums or healthcare, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer," among other items.

Given the recent compliance date of the Omnibus Rule, does this standard still apply? HHS received comments on this very issue and addressed the issue in the Federal Register.

The general rule is that the "HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities defined in §1179 of the HIPAA statute." (78 Fed. Reg. 5566, 5575 (Jan. 25, 2013)). Like most laws and regulations, there are exceptions. A bank or financial institution may qualify as a business associate or subcontractor "where the institution performs functions above and beyond the payment processing activities… such as performing accounts receivable functions on behalf of a health care provider." Consequently, as long as the bank or financial institution is solely engaging in payment activities identified under §1179 of HIPAA, a business associate agreement, either between the covered entity and the business associate or between the business associate and the subcontractor(s), is not required. If the activities extend beyond the exception, then a business associate agreement is required.

Having said that, other regulations, such as those promulgated by the Federal Trade Commission (FTC), may impose requirements related to personally identifiable information, so those standards should be considered, too. In sum, the activity determines the relationship and the requirements that need to be met. Providers, especially those engaging in bond and equity offerings, may hire banks and other entities to perform due diligence. This type of "research" into an entity may expose those entities to protected health information in a manner that falls within the scope of HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which in turn requires a business associate agreement to be executed. Therefore, it is prudent for providers to confirm that an exception applies so that they remain compliant.