Banking and HIPAA Business Associates
Many banking institutions handle health information related to an individual in order to provide typical banking services to their healthcare customers. All organizations that handle Individually Identifiable Health Information on behalf of a Covered Entity, such as a healthcare provider or payer, to perform activities that the Covered Entity would otherwise perform themselves, is a Business Associate under HIPAA.
With the passage of the HITECH Act (Title X of the American Recovery and Reinvestment Act of 2009), all Business Associates must adhere to the same privacy and security controls that Covered Entities have adhered to since 2003. This often includes typical banking institutions who often times are not aware that they are defined as Business Associates, and thus subject to these controls.
Many services offered by banking institutions to their healthcare customers involve the use of health information related to an individual. These services might be Lockbox, whether traditional or online, remote deposit capture, or even printing services such as statements or EOBs.
If your institution utilizes PHI to perform functions for your healthcare customers, a risk analysis is a necessary first step towards HIPAA compliance. RISC can help you to understand the HIPAA Privacy and Security Rules, policy and supporting procedure requirements, and all of the practices you need to put in place to maintain compliance.
RISC understands the heavily regulated banking industry. Many existing policies, procedures, and control mechanisms can be leveraged to achieve compliance with HIPAA, based upon documentation and controls already in place, rather than creating new, specific, HIPAA-focused controls. RISC can assist with policy and procedure crosswalk projects to reduce or eliminate redundant policies. RISC can also analyze your organization's current information security controls and draw parallels to the HIPAA regulations saving your Risk, Compliance, and Information Security team's time and effort. Contact us to discover how we can help you meet HIPAA requirements and achieve privacy and security ROI.