BOL Conferences
#59267 - 02/05/03 03:57 PM HIPAA Privacy Compliance
Anonymous
Unregistered

We are a community bank of 150 employees and are interested in knowing how other banking organizations are responding to the HIPAA Privacy regulations. Has your organization developed a written plan? We believe we already comply with most requirements due to employment law and procedures developed for Y2K, but have not developed a plan specifically addressing HIPAA. We would appreciate hearing how other banks are responding.

#59268 - 02/05/03 06:24 PM Re: HIPAA Privacy Compliance
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
Here's a great place to start. HIPAA Banking
Check the recent edition of ABA Bank Compliance. There's an excellent article on HIPAA for banks.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#59269 - 02/05/03 07:23 PM Re: HIPAA Privacy Compliance
Anonymous
Unregistered

Thanks for the input. I've been checking the ABA site. What I'm hoping to find is a model to point us in the right direction.

#59270 - 02/05/03 09:27 PM Re: HIPAA Privacy Compliance
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
In a nutshell, a model would look like this, with these steps [this is for the HIPAA privacy regs, not the HIPAA security regs, which are not final]:
1. Do a gap analysis. In other words, compare present practices for handling PHI with the requirements of the regs. Note the deficiencies. Prepare an action plan.
2. Write your policy and procedures for all aspects of the privacy regs. Articles can help you determine necessary procedures.
3. Implement and train on your procedures.
4. Have business associate agreements in place where necessary.
5. Have all this done by the April 13, 2003 deadline.
There's help out there. We hired a regional accounting/consulting firm to do our gap analysis and to provide standard procedure forms. We're doing all the rest, and our counsel prepared the BAAs.

I hope this is a little more help to you. If you are immersed in HIPAA any more than on the employment side (like medical lockbox services), I'd suggest going the consultant route to get you started.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#59271 - 02/06/03 03:31 PM Re: HIPAA Privacy Compliance
Anonymous
Unregistered

Thanks again for the input. I'm trying to monitor daily for new information on this issue.

#59272 - 02/06/03 03:59 PM Re: HIPAA Privacy Compliance
CSpellman Offline
100 Club
Joined: Nov 2000
Posts: 176
FYI--Ken is speaking on this topic at the 2003 NRCC in Washington D.C. in June. I look forward to his session.
_________________________
...but I saved a lot on my auto insurance

#59273 - 02/06/03 07:30 PM Re: HIPAA Privacy Compliance
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
Ken: Are you open to receiving questions prior to the conference...perhaps to help prepare the scope of your presentation? If yes, how can we contact you?

#59274 - 02/06/03 08:09 PM Re: HIPAA Privacy Compliance
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
Two easy ways to contact me: click on my name to the left of this message and then click on my email address at the top of my profile. Or you may send me a private message through BOL. There's a button at the bottom of my profile.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#59275 - 02/11/03 09:34 PM Re: HIPAA Privacy Compliance
Anonymous
Unregistered

What is the April '03 date, I thought it was Oct. '03??

#59276 - 02/11/03 10:50 PM Re: HIPAA Privacy Compliance
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
The privacy rules' effective date is April 14, 2003. Final security rules are expected out this month.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#59277 - 02/24/03 11:44 PM Re: HIPAA Privacy Compliance
Nanwa Offline
Power Poster
Nanwa
Joined: Oct 2001
Posts: 5,564
Clintonville, WI, USA
Are most banks going to fall under the definition of a healthcare clearinghouse just by virtue of processing some ACH transactions? I have tried reading the information at the above website, but I must be in brain lock, because I just don't understand. If we process some ACH activity but do not receive/review/share medical data, what are we required to do?
_________________________
Member of the National Sarcasm Society - like we need your support!

#59278 - 03/12/03 05:50 AM Re: HIPAA Privacy Compliance
Bob McComas Offline
Platinum Poster
Bob McComas
Joined: Sep 2002
Posts: 570
Dallas, Texas
If the bank is editing or reformatting data against the specifications of the HIPAA Implementation Guidelines, then it qualifies as a Healthcare Clearinghouse. Normally banks are not Healthcare Clearinghouses even though they may originate or receive HIPAA standard transactions through the ACH process.

#59279 - 03/17/03 02:53 PM Re: HIPAA Privacy Compliance
Anonymous
Unregistered

I guess I've had my head buried in the sand!!! Is there an easy way to determine if our bank is a "clearing house"? We do not take lock box payments. We take deposits from a doctor and local clinic????? I am attending HIPAA privacy training, but I was not aware of the need to write a policy and gap analysis and action plans, etc.... Thanks for your input.

#59280 - 03/17/03 08:37 PM Re: HIPAA Privacy Compliance
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
You probably should check with your ACH folks to determine how data is handled (if ACH is even used). As Mr. Holmes said, "If the bank is editing or reformatting data against the specifications of the HIPAA Implementation Guidelines, then it qualifies as a Healthcare Clearinghouse. Normally banks are not Healthcare Clearinghouses even though they may originate or receive HIPAA standard transactions through the ACH process."
A doctor's or hospital's deposit account, used for normal transactions/processing, does not make you subject to HIPAA.

#59281 - 03/17/03 10:15 PM Re: HIPAA Privacy Compliance
Bob McComas Offline
Platinum Poster
Bob McComas
Joined: Sep 2002
Posts: 570
Dallas, Texas
Correct, Stu (except I'm not Mr. Holmes). Your IT folks need to make sure they understand how to map X12s and Loop 2440 under the 837 rules, if it indeed applies to them.

#59282 - 03/18/03 05:20 PM Re: HIPAA Privacy Compliance
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
We are not a healthcare clearinghouse. We have procedures in place if any of our customers want us to sign a privacy agreement. However, in speaking with another bank in a similar situation, I was told they are writing a HIPAA policy and naming a HIPAA Privacy Officer. Is this required for a bank like us? We are using the ABA/NACHA privacy agreement for any of our customers who want us to sign off on that.

I thought we had HIPAA under control and now I'm not sure.
_________________________
--A bad day at sea is better than a good day at work.

#59283 - 03/18/03 08:04 PM Re: HIPAA Privacy Compliance
Bob McComas Offline
Platinum Poster
Bob McComas
Joined: Sep 2002
Posts: 570
Dallas, Texas
The requirement for policies and procedures (14 in total) and naming a Privacy Officer only relates to covered entities. Covered entities are Providers (those who furnish, bill or are paid for health care services in the normal course of their business), Clearinghouses, and Health Plans and Group Health Plans, which are the insurance companies either as a fully insured provider or self-insured underwriter (not to be confused with employer-administered). Employers who provide health care plans are "employer-sponsored" and are not covered entities. Therefore, employers are exempt from this requirement as long as they are not a clearinghouse. Employer-sponsored health plans with fewer than 50 employees are exempt from HIPAA Privacy Regulations.

#59284 - 03/18/03 08:34 PM Re: HIPAA Privacy Compliance
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
Thanks Bob. I have passed this information along to our HR people as well.
_________________________
--A bad day at sea is better than a good day at work.

Moderator:  Andy_Z, Gayla Sherry