HHS Committee To Consider Whether HIPAA Medical Privacy Rule Applies to Banks

Representatives of patient advocacy groups and banks on Wednesday will testify before an HHS advisory panel about whether the privacy provision of the Health Insurance Portability and Accountability Act should directly cover banks, USA Today reports (Appleby, USA Today, 2/18). The HIPAA Federal Privacy Rule, enacted on April 14, 2003, allows health care providers to share patient records for the purposes of treatment and other "health care operations." Providers do not have to obtain written consent before they disclose medical records, but rather must inform patients of their new rights and make a "good faith effort" to obtain written acknowledgment from patients that they have received the information. Providers must obtain consent from patients before they can disclose medical records in "nonroutine" cases (California Healthline, 12/11/03). Under the law, HHS regulates "directly covered" groups -- such as insurers, hospitals, physicians and data clearinghouses -- but has no authority to oversee "business associates" of those groups, according to USA Today. Banks, which receive medical treatment information to process insurers', hospitals' and doctors' claims, are considered business associates. Patient advocates, including Janlori Goldman of the Health Privacy Project, want banks to be directly covered under the law. Goldman said, "People go to the doctor and file claims for one purpose. They don't want banks looking at their information to decide whether they should get a loan or a mortgage." Bank representatives say that banks sign business associate contracts with health providers that are covered by the law and that changing the law "would be an unnecessary layer of bureaucracy," USA Today reports. Cris Naser, senior counsel for the American Bankers Association, said that banks cannot use personal health information to make decisions on credit unless the credit is for a medical purpose. He added that banks are also already covered by a range of security and privacy rules and will be further regulated when rules related to a new credit reporting law, which are expected to define what health information banks can have, take effect (USA Today, 2/18).