Department of Health and Human Services


Subcommittee on Privacy, Confidentiality and Security


May 6 – 7, 2015

NCHS Auditorium
Hyattsville, MD

Meeting Summary

The National Committee on Vital and Health Statistics Subcommittee on Privacy, Confidentiality and Security convened on May 6–7, 2015 at the National Center for Health Statistics in Hyattsville, MD. The meetings were open to the public.


Committee Members

  • Linda A. Kloss, MA, Chair
  • Vickie M. Mays, PhD, MSPH (via phone)
  • Sallie Milam, JD (via phone)
  • Walter G. Suarez, MD, MPH


  • John J. Burke, MBA, MSPharm

Staff and Liaisons

  • Maya Bernstein, JD, ASPE, Lead Staff
  • Amy Chapper, JD, CMS
  • Leslie Francis, JD, PhD, Working Group member, Subcommittee Chair Emeritus
  • Gail Horlick, MSW, JD, CDC (via phone)
  • Debbie Jackson, NCHS/CDC
  • Katherine D. Jones, NCHS/CDC
  • Hetty Khan, NCHS
  • Jeannine Mtui, Affirma Solutions, Inc.
  • Rachel Seeger, OCR


  • Kathryn Marchesini, JD, ONC


  • None

Presenters (May 6, 2015)

  • Michelle DeMooy, JD
  • John Casillas
  • James S. Gandolfo
  • Stuart M. Hanson, MBA
  • Margaret Hambleton, MBA, CHC, CHPC
  • Robert Holden
  • Priscilla C. Holland, AAP, CCM
  • Sajid Imam
  • Kevin McKechnie
  • Kirk J. Nahra, JD
  • Thomas Wilder, JD
  • Sandra J. Wolfskill, FHFMA for Stuart M. Hanson, MBA



  • Mr. McKechnie will supply a written response to concerns about the interaction between a person’s use of an HSA and their lending experience; legal protections for consumers that exist outside of HIPAA; and bank practices that are utilized when a person’s HSA use changes significantly.
  • Ms. Hambleton will submit information about third-party certification tools of HIMSS and the Electronic Healthcare Network Accreditation Commission (EHNAC).
  • A request was made for Ms. Seeger to disseminate relevant language from the Omnibus Rule to Subcommittee members.
  • A draft letter to the Secretary and accompanying PowerPoint will be presented at the next full Committee meeting in the Fall of 2015.


(Note: For further information, please refer to transcripts, presenter statements and PowerPoint materials)

Introductions and Opening Remarks Linda Kloss, MA, Chair

The purpose of the meeting was to learn how banking and other financial service businesses use personal health data as their services evolve, and to consider issues that emerge due to changes in the industry, particularly relative to handling personal health information. Meeting objectives included increasing awareness of current and anticipated practices involving personal health data; understanding Section 1179 in light of these practices; and identifying areas where outreach, education, technical assistance or guidance might be useful.

Overview and Framing of Current Issues Kirk J. Nahra, JD, Wiley Rein LLP

The history of Section 1179 was presented and analyzed in relation to its meaning as determined by Congress. An assessment of its implementation during the HIPAA era was put forth and current issues were raised. The HIPAA statute and its use over time were reviewed, as were changes within financial institutions and health care relative to Section 1179. The biggest “next generation” issue points to what is expanding outside of HIPAA (e.g., commercial web sites; patient support groups; growth of personal health records; and an increased number of mobile applications directed to healthcare data). A wide variety of healthcare information (HIPAA-regulated and not) is being examined within the context of “big data”; and a growing range of big data activities is being conducted by healthcare entities.

Issues to consider covered a range of topics. To wit: what is different about financial institutions in a “non-HIPAA” healthcare environment; greater regulation of financial institutions when compared to other affected entities (noting that Section 1179 is not relevant to this matter); financial institutions as covered versus non-covered entities; financial institutions as business associates; and other considerations that concern banks with regard to non-HIPAA health data and additional regulation for financial institutions. Further questions include: Is there protected health information (PHI) when a bank is involved? Who is the financial institution acting on behalf of? Are there meaningful ways to limit the PHI and existing controls? Does PHI exist within Section 1179 exempted activities?

PANEL I Financial Institutions and Financial Services

  • Priscilla Holland National Clearinghouse Association
  • Kevin McKechnie, Executive Director HSA Council
  • James S. Gandolfo, Chair HSA Council, ABA
  • Sandra Wolfskill for Stuart Hanson Emdeon Business Services, LLC
  • Robert Holden Third Party Administrators Assn. of America
  • Sajid Imam Visa, Inc.

Ms. Holland: NACHA is a not-for-profit institution that administers and enforces rules for the ACH network (NACHA operating rules). The rules support electronic payment services and standards, bringing together over 12,000 financial institutions in the United States. However, fewer than 20 financial institutions receive and handle protected health information (PHI) for healthcare clients, noting that PHI is transmitted through channels other than the Automated Clearing House (ACH) network. These institutions address HIPAA Privacy and Security requirements. It was noted that financial institutions are well-positioned to handle and protect PHI through the ACH network in the future (specifics outlined).

Protections provided by NACHA operating rules were also outlined. Specific topics included: types of services financial sector companies provide to HIPAA covered entities; how PHI received by financial sector companies is used; regulations applying to that information (including self-regulatory codes); when business associate agreements are required; and helpful technical assistance guidance or resources available from the Office of Civil Rights (OCR). In conjunction with the healthcare industry, the financial services industry can help the healthcare industry reduce costs and improve administrative simplification as well as their process.

Mr. McKechnie: Representing the Health Savings Accounts (HSA) Council of the American Bankers Association, Mr. McKechnie noted a 40% population increase from 1970 to the present (approximately 120 million), resulting in a massive increase in administrative costs. Today’s big challenge revolves around updating HIPAA in order to ensure cybersecurity. Bank security standards are very robust in contrast to insurance companies (the Anthem Insurance breach cost about $18 billion). Today’s challenge revolves around how porous the technology is, noting that the National Institute of Standards and Technology (NIST) has built a massive database of known vulnerabilities. Banking is a national product that does treasury management rather than PHI. American banks “talk” to each other through ACH and internationally, through systems like SWIFT. Money is moved more quickly in today’s world as insurance deductibles rise. That is, claims are being paid through debit and ACH transactions in real-time and tracked by insurance companies.

Mr. Gandolfo: The HSA is an account (rather than a health insurance product) that travels at Level One (with a receipt). Other HSA payments are self-driven (e.g., checks; ACH; reimbursements to HSA accounts from bank accounts). This is a simple, non-descript process.

Ms. Wolfskill: The HIMSS Revenue Cycle Improvement Taskforce (RCITF) was formed to acknowledge the inadequacy and cumbersome nature of the current healthcare revenue cycle, which has not achieved simplification or cost savings. The Taskforce began by examining the physician office visit, the primary focus of which was to acknowledge a “healthcare hub” or information conduit. The concept is that everything runs through an interconnected hub that allows the patient to do what needs to be done (e.g., shopping for physician services; scheduling appointments; identifying what is within and without the network; etc.). The hub becomes an information highway; and in that regard, it is imperative to assess what security rules must be implemented. This is a real-time environment concept.

The RCITF has distributed a document entitled, “Rethinking Revenue Cycle Management” (April 2015) that provides further background information; a vision of the consumer financial experience of the future and its impact on providers, payers and consumers; a brief overview of the RCM process and accompanying challenges; key points; and future goals.

Mr. Holden: The Third Party Administrators Association of America (TPAAA) advocates nationwide for Third Party Administrators (TPAs). With licensed members in 43 states, TPAs provide analytical and claims processing services covered under HIPAA in addition to operating under business associate agreements and vendor contracts. Traditionally, TPAs have processed claims, often providing direct payment to providers. Covered under HIPAA and using PHI intensively, they also provide specialty management services to carriers and other entities such as self-insured employers. Financial transactions with banks do not carry any of the above information. Topics such as services that TPAs provide to HIPAA-covered entities and TPA regulation and contractual PHI protection are covered more fully in the TPAAA hand-out of May 6, 2015. TPAAA represents the viewpoint that TPAs are at the forefront of innovation in case and care management in a changing healthcare landscape. PHI must be protected at the federal and state level, allowing for protections in private contracts as needed.

Mr. Imam: Visa is a global payments technology company that connects financial institutions, merchants and governments. While Visa does not issue payment cards or contract with merchants to accept those cards, its network supports branded credit, debit and prepaid products issued by financial institutions to cardholders who can make purchases globally in a secure, convenient and reliable manner. Consumer and commercial transactions were described. Commercial payment card transactions would not include identifiable information about individual patients for whom health care claim payments are made; and there is no information about specific products or services being purchased by individual cardholders. Financial institutions (including card issuers and their agents) are exempt from HIPAA requirements (including business associate provisions) under an exemption provided in Section 1179. As such, a healthcare payment card transaction does not include protected health information other than what is necessary to effect the transaction. Commercial payments have no PHI transmitted in the transaction. Healthcare payment card transaction information is secure (specifics given).

Discussion

Third Party Administrators gather claims information from providers and patients, providing utilization review protocols as well as information about national, state or professional standards appropriate for contractual agreements for networks or between providers and carriers. Contractual requirements also ensure appropriate interface for technological and compliance purposes. Analytics determine whether a claim is appropriate; and advice is dispensed to carriers and other entities that pay for coverage or claims on how to better utilize provider resources to lower costs and/or increase quality of care. Some TPAAA members provide pharmacy benefit management services within a group health or workers’ compensation context (covered under different regulations); and some provide radiological services benefit management.

A limited number of banking institutions dealing with the healthcare industry accept, process and handle PHI. Those that do (e.g., Bank of America; Citibank; JP Morgan) adhere to HIPAA requirements when doing business associate agreements. Many have declared themselves to be healthcare clearinghouses; and some develop separate companies to perform these functions. Approximately 20 of 12,000 banks are involved in healthcare due to liabilities associated with health information and security concerns.

A suggestion was made to develop an optional federal insurance charter to match regulatory and legal frameworks. Banks are cash management companies used to managing in a uniform environment. Massive HIPAA compliance expectations are most burdensome to banks when handling PHI. Only a small group of financial institutions (approximately 4,000 banks) do HSA, custodian and trustee services, because of the money involved. Most banks have strict security requirements and as such, are unwilling to track an individual’s access to information. Banks have regulations that prohibit them from changing records whereas HIPAA allows for individual changes. Banks do not want to assume HIPAA training requirements.

A concern was raised about whether undue use of a healthcare Visa card might damage a person’s broader credit line. What is the interaction between a person’s health and lending experience within this context; what legal protections exist for consumers outside of HIPAA; and what bank practices come into play under these circumstances? Mr. McKechnie will provide a written response to these concerns. Banks care about the level of credit use rather than how it is used. It is not unusual in the industry for individuals to drain their HSAs at one time (e.g., at age 65, when it offers a tax advantage), noting that HSAs cannot be overdrawn and that the balance at year’s end must be zero (providing protection from exposure). An HSA cannot be denied to an individual based upon a credit record.

The HSA statute is modeled after the IRA. As a savings account, its funds can be accessed via checks, an HSA Visa card or MasterCard debit card. The HSA card can be used for non-health-related purchases. Financial institutions do not track specific purchases but do track where funds are spent as well as payment history. The Fair and Accurate Credit Transactions Act (FACT Act) of 2003 prohibits the use of health information to make underwriting decisions for credit. Visa examines patterns of transactions to identify unusual behavior that should be flagged.

Oversight of handling protected information under HIPAA within financial institutions comes from within healthcare organizations as well as financial institutions, which are responsible for educating their clients. The complexities of HIPAA compliance within banking institutions were further discussed. One question to address is how healthcare might utilize the expertise and competency of financial services. These issues could be considered by the NCVHS relative to roadmaps for administrative simplification and other issues.

A question was posed about other services performed by financial institutions on behalf of health care other than HSA lockbox. A wide assortment of services that banks offer to different industries was outlined (e.g., treasury and cash management services, among others). A bank’s ability to create checks, ACH transactions and wire transfers allows health plans to have a streamlined process. In general, bank treasury staff is available to consult with organizations to ensure that their needs are met. Some larger banks carrying out revenue cycle activities have added a consulting component when working with providers to encourage them to move toward best practice solutions.

Certain banks now offer a wide array of services (e.g., claims; remittance; denial prevention; responsibility estimation; insurance eligibility; payment plans; patient payment portals and billing services). A need for these services was recognized as was the cost of providing them. A discussion ensued about extra requirements imposed by HIPAA within financial institutions (e.g., requirements for access to the ACH department as well as restrictions on who has access to specific information). Another challenge is the consumer’s right to request record amendments (that may or may not be granted) while the banking industry cannot make such changes (which pose concerns within the healthcare industry). There is no audit log function of specific transactions. With both medical records and banking, it is important to preserve the accuracy of the transaction on the day it was made. Ongoing ambiguities within HIPAA were noted.

With regard to rethinking revenue cycle management, movement forward is toward a consumer-directed healthcare world, which will require new kinds of bridges. It would be useful for the Subcommittee on Privacy, Confidentiality and Security to explore such changes and associated policy disconnects. A summary of the Subcommittee’s 2004 hearing on this topic was presented. The complexity of following specific regulations within different banking departments was further discussed. What policy issues will exist, particularly in relation to privacy and security? A person’s financial and healthcare experience must be integrated as part of their interaction with the healthcare system. The data hub’s function is transmission in a real-time environment rather than storage, noting the importance of real-time data exchange models. The need for interoperability is clear and must be a part of the revenue cycle of the future (specifics given).

The HSA industry has an extremely efficient payment methodology that should not be disturbed. Increased efficiency should not come at the expense of individual privacy. From an HSA perspective, the “bright line of separation” between banks and health plans must be maintained. Tension between interoperability and such a “bright line of separation” was raised. A bank’s possible approach to the role of HSA custodian was described, although banks believe that they already have an efficient cash management system that crosses state lines. Creating desirable changes system-wide takes time. Financial institutions are invited to become involved by contacting HIMSS.

Discussion ensued about flexible spending accounts (FSAs) as differentiated from HSAs (specifics given), with a focus on the financial transaction between the payer and provider. Banks view payment processing to be payment and remittance data. Clarification is needed about what a payment is and what is covered under Section 1179. Guidance is sought about when business associate agreements are necessary to satisfy providers and payers.

PANEL II Covered Entities

  • Margaret Hambleton Dignity Health
  • Thomas Wilder America’s Health Insurance Plan
  • Sandra Wolfskill Healthcare Financial Mgmt. Assn.

Ms. Hambleton: As it considers Section 1179 more broadly, Dignity Health is offering more services needed in the healthcare industry (often revolving around the revenue cycle) when reaching out to traditional banking partners. Engagement with financial partners could expand significantly in the future. It will be important to ensure that business associates (and accompanying agreements) are compliant with all obligations including HIPAA. However, due diligence must be done to address changes in existing relationships covered under Section 1179. Many financial institutions do not yet have a full understanding of HIPAA. Dignity Health has several tools to ensure that business associates comply with HIPAA (e.g., security rule risk assessment).

Recommendations include additional training for covered entities and financial institution partners; developing a process for third party certification; standardization in due diligence as well as tools, technologies or template language for business associate agreements.

Mr. Wilder: AHIP is a trade association that represents most health insurers in the country and a number of banks providing custodial and administrative services for healthcare spending accounts (e.g., HSAs; health flexible spending accounts or arrangements; Archer MSAs and health reimbursement arrangements). The spending accounts, which reimburse qualified healthcare expenses, were described in detail. As such, consumers decide how to spend their healthcare dollars. Under the tax code for all of these accounts, the consumer is responsible for proving to the IRS that the money was spent for qualified medical expenses.

There is a clear distinction between a pure banking function spelled out in Section 1179 (acting on a basic financial transaction) and other transactions. Additional tools would be helpful to help users determine when a business associate agreement versus a data protection agreement is needed. Even non-HIPAA-covered entities must adhere to Gramm-Leach-Bliley and extensive state laws.

Ms. Wolfskill: The Healthcare Financial Management Association (HFMA) is a professional organization committed to helping its members improve healthcare delivery systems management; comply with rules and regulations governing the industry; and adhere to principles of administrative simplification. Standardization and universal adoption of a standard that clearly defines processes and transactions are essential. Providers turn to financial institutions to accept payments and to convert non-standard transactions into 835-compliant files that can be electronically posted to the provider’s patient accounting system. A significantly expanded range of products and services offered by various banking institutions was identified (noting that many such services are also provided by traditional clearinghouses, which may negate the exemption provided under Section 1179). The ever-expanding role of financial institutions in the provision of revenue cycle-related services includes access to and processing of protected health information.

HFMA encourages the Subcommittee to work with CMS to provide technical guidance to the industry in order to better define Section 1179 exemptions relative to specific types of services involving protected health information provided by financial institutions. The organization also supports the continued development and implementation of the administrative simplification components of the HIPAA Act.

Discussion

Dignity Health’s vendor insurance program tools include a security rule risk assessment and a privacy impact assessment. Primarily, normal bank processing functions include lockbox services (which allows them to receive identifiable information). More traditional functions include banking relationships in which the banks provide Dignity Health services for their own purposes or to their own customers.

Health debit cards vary considerably. Questions were posed about oversight of health debit card transactions; and whether a standard exists for how the industry operates to be HIPAA-compliant. In most cases, debit card functions are exempt under Section 1179. It is important to distinguish between an entity administering such an account using PHI or collecting on behalf of a covered entity and the financial institution providing debit card services (exempt under Section 1179) [examples given]. Privacy and confidentiality concerns for such transactions were raised. More clarity is needed about what constitutes financial services business associates and clearinghouse services.

Developing protocols and more sophisticated compliance activities occurs much more often in large organizations. Smaller entities sometimes do not even know that they have become business associates to providers/covered entities, particularly when doing business with local bankers. While healthcare providers want to improve the health of populations, financial institutions can provide health information about populations. Predictive modeling, big data and combining big sets of data are “scary” but also the wave of the future. Care must be taken with how that data move and are used while ensuring appropriate privacy and security controls. As a piece of the transaction (either as a business associate or another extensive data protection agreement), many banks (along with providers and health plans) understand that all the data must be brought together to improve health.

Discussion ensued about differences in protections offered by HIPAA versus Gramm-Leach-Bliley (GLB) or banking law. GLB is not as strong as HIPAA in the privacy arena but is stronger on security. It is important to understand the context of what the laws require; how a particular entity is using the data; and what kind of data they have. Banking is a high-volume transaction processing operation.

Big data analytics are just beginning to evolve. Future challenges include questions about how big data can best be used to achieve better healthcare across populations. While good tools exist for due diligence with business associates, ongoing monitoring poses a greater challenge. Monitoring is mostly based on risk; and that which is deemed high-risk is periodically evaluated. In response to a question about vendor assurance and due diligence, it was noted that HIMSS and the Electronic Healthcare Network Accreditation Commission (EHNAC) have a third-party certification tool.

PANEL III Policy Issues

  • John Casillas, J.D. World Bank
  • Michelle DeMooy Center for Democracy and Technology

Mr. Casillas: Founded in 2001 by Mr. Casillas, the Medical Banking Project works to involve banks in health care with the intention of reducing cost, increasing access to and quality of care. Background on medical banking was provided. The focus of discussion was on: 1) what the Office of the Comptroller of the Currency (OCC) sees as permissible banking activities; 2) symmetrical application of HIPAA across market and medical banking structures; and 3) the evolution of healthcare payment innovations in HIPAA (specifics given). Take-aways and recommendations were provided for each of the three focal points.

Key points included: Focus Area 1: Although the OCC lists traditional health data clearinghouse services as a permissible national bank activity incidental to the business of banking, only electronic funds transfers (EFTs) appear to be exempted from HIPAA. It was suggested that HHS should assert its role for overseeing medical banking market structures and implement a cross-stakeholder panel of independent experts to review evolving medical banking policy issues. Focus Area 2: Symmetrical application of HIPAA across all market structures is recommended along with the provision of education and educational materials to the banking community. Focus Area 3: Healthcare payment innovation and new forms of healthcare credit will evolve cross-industry policy issues in banking and health care. Policy executives should actively engage in educational forums at the nexus of banking, health care and technology. In addition, healthcare credit practices (and associated challenges) were discussed.

Ms. DeMooy: The Center for Democracy and Technology is a non-profit, non-partisan, technology and policy advocacy organization that houses the Consumer Privacy Project. The presentation focused on current interpretations of the broader policy implications of Section 1179 relative to publicly-shared data on social media or the web. Consumers are increasingly taking control of their health and medical information; and such information is being shared in unexpected and impactful ways (e.g., through employee wellness programs, where for example, life insurance companies might provide data to entities unknown to the consumer). Sometimes, the only privacy rules are those set by the companies as much of the data are used beyond the scope of HIPAA. The need for data management and processing has skyrocketed; and financial institutions are filling the demand. Electronic and mobile payment services (related to unregulated bank services) are also growing.

A review of privacy protections was deemed inadequate (specifics given). With regard to Section 1179, lockbox, accounts receivable and mobile payment services like Square Services should still be considered business associates if the services require the bank’s use and disclosure of PHI. Fair information practice principles provide guidance on openness, transparency, integrity, access, individual participation, security and remedies. The era of big data poses special considerations for providers and payers; and partnerships between app developers, manufacturers and providers are becoming more common. Commercial data broker services may get more use by providers and payers for fraud control, assessing ability to pay and determining eligibility. Other challenges arise relative to publicly-shared data on social media and the web.

Discussion

There is an exhaustive list of permissible activities for banks disseminated by the OCC, although it is not clear that mobile uses of data are included. It was recommended that Section 1179 exempt electronic funds transfers. It would be useful to analyze the business models and FIPs underlying the activities. In response to a question about significant concerns regarding data gathering by financial institutions, the lack of protection outside of HIPAA was identified. Another concern is a perceived or real lack of transparency. The Subcommittee has developed a stewardship framework based on fair information practices for community uses of health data that could possibly be used in this context. Banks are examining the link of on-line banking to health portals as the consumer engagement movement grows. Some banks might use their authentication engines for identity access and management into personal health record repositories.

Banks have PHI databases in lockbox. When payments come through, such information is given to providers for research purposes. Some banks provide accounts payable services that include printing EOBs. Privacy concerns always arise in medical-banking discussions. How privacy concerns are handled in Tanzania and Kenya was briefly outlined. Underserved communities in the United States almost solely use mobile phones and devices. In response to a question about patient protections when providers seek credit using accounts receivables, it was noted that the FACT Act prohibits use of information in ways that have an adverse effect on things like mortgages; and Gramm-Leach-Bliley would be in place but functioning more as a notice of practices rather than a protection (although such data could be sold or used for marketing purposes). In the case of bankruptcy, it is not clear whether data from hospitals or providers would be considered assets. The issue of credit within underserved communities is significant, especially with regard to dissemination of unprotected data.

Consumers often do not understand notices that are legalized on purpose to obscure certain data practices. While it is important to educate consumers, companies must be held accountable for maintaining clear, current and accessible information about what happens to consumer data. The future portends greater use of tools like InstaMed or Apple Pay (which is extremely protective of consumer privacy while not being part of HIPAA). Within a discussion about bank algorithms, it was noted that banks can put claims and remittance data together to produce real-time data about hospital and insurance company spending. As such, some banks sell business intelligence.

Banks are in a good position to convey what consumers spend in order to help them obtain information about types of activities that will lead to a higher quality of life (two related studies noted). Algorithms in the “learning health system” can determine what types of health products or services are offered. A question was posed about how people who are not on-line get access to the same kinds of healthcare information. It was suggested that bank data could be incorporated as part of a hospital’s mandated community health needs assessment. The Community Reinvestment Act (CRA) obligates banks to support their communities and many banks want to provide meaningful services to their communities.


Framing Issues for May 7, 2015 Working Session

The goal of the May 7, 2015 working session was to frame issues as well as areas requiring further information; review themes; identify potential recommendations; and determine next steps. Subcommittee members were asked to bring three key take-aways from the May 6, 2015 hearing to the May 7, 2015 working session. Participants were also asked to list topics requiring further clarification.

The meeting was adjourned at 5:00 p.m.

DAY TWO: Thursday, May 7, 2015



Review Themes and Identify Potential Recommendations and Additional Information Needs

Participants shared their “aha” moments and lessons learned from yesterday’s meeting. One suggestion was to develop a set of guidelines for the increased flow of PHI as consumer-driven healthcare moves toward greater interoperability and systems integration. The topic of “guidelines” was suggested for another hearing, with the understanding that guidelines are technical documents that could be developed by HHS. The fact that the 20 largest of 12,000 financial institutions conduct transactions beyond those excluded under Section 1179 is mirrored by the healthcare industry’s consolidation of large healthcare and hospital systems; both point to ongoing questions about scope. Organizations serious about performing a range of healthcare services are creating hybrids such as subsidiaries or separate companies. They adhere to a philosophy of keeping business lines distinct.

What tasks are financial institutions doing and under what business structures? It is not clear how many organizations perform any of the functions mentioned. One participant thought that hearing participants from financial institutions held a narrow viewpoint about what banking does with regard to health care relative to what is possible. Are different people needed around the table? More information is needed before recommendations can be made.

Clarification is needed in several categories, including “treasury” (or payment cycle – the 835 on the EFC and the lockbox concept); the clearinghouse function (with the understanding that banks and clearinghouses are co-entities; and that lockboxes can also help clearinghouses) [covered entity status]; administration of health plan and insurance options in relation to the banks and business associate relationships [covered entity or not]; other financial functions including investment administration as well as functions that support help lines and providers [business associate status]; data analytics – the extent to which information is used and passed along to others (e.g., to what extent a mortgage application is affected by a bank’s ability to check a person’s medical status via payment for tests, etc.).

More clarity is sought for “allowable uses” and uses in general. It was noted that bankers discount or minimize health information that could be associated with transactions they receive. Such huge volume of automated information allows for little to no focus on individual transactions. However, more banks are starting to see the value of the big data they hold as well as the possibility of aggregating or selling such data to other industries.

Banks seem to value protection by their size rather than by considering individuals. This raises concerns within the healthcare field that banks might begin to cross data use boundaries. A request was made for a chart depicting how banking statutes differ from HIPAA. Banks seem unclear about the differences. Confusion exists about “meaningful use” and “minimum necessary”. Is the bank structure of protections sufficiently similar to those within healthcare? An analysis of the financial structure, its gaps, potential conflicts and tensions, is needed. Where are opportunities for harmonization?

It was suggested that banks feel overly regulated while believing that the healthcare field does not do enough to adopt security safeguards. Conversely, financial institutions do not have audit controls on who examines their data and for what purpose although they are more protective upfront about who has access in the first place. Several groups focusing on information security were mentioned (e.g., the National Health Information Sharing and Analysis Center [NH-ISAC]; and Homeland Security’s Computer Security Emergency Response). Cyber-security is a significant area of concern.

Questions were raised about research done within banks to track individual payments, which reflects a policy of “protecting the big and not the individual”. Lack of clarity about financial institution services is a provider issue as well as a banking concern, as both parties are gatekeepers. Guidance is needed to ensure a more uniform practice among providers relative to business associate agreements. It was noted that after the HITECH Act, business associate status has become a legal question. Some Subcommittee members thought that banking personnel attending the May 6 meeting misused the term “PHI” and did not understand certain intricacies of HIPAA. Training is needed for those outside of the healthcare field who interface with HIPAA. Cultural differences between the financial and healthcare industries were discussed.

Data handling and analysis and the use of technology are growing at a rapid pace. As mentioned, data that financial institutions hold are quite valuable to other entities. Third-party administrators (TPAs), which perform a wide variety of functions, are business associates. Also mentioned was the lack of a chain of evidence procedure. A suggestion was made to describe the life cycle of a transaction in order to identify gaps. It would be useful to gather information about what other kinds of financial services companies are doing in the healthcare realm (e.g., PayPal; Apple Pay; Amazon web services).

Clear rules are needed about how to define the scope of Section 1179 (treasury function); a clearinghouse function; and what legally moves into the realm of business associate. What is and is not covered by HIPAA? The financial industry considers financial regulations to be enough – they do not want an additional FTE to manage HIPAA regulations. It was suggested that adding HIPAA rules to the financial rules and regulations would not be a stretch. There is much the healthcare field can learn about compliance best practices from the banks (e.g., security auditing [due diligence]; and interoperability).

Data was referred to as an asset but one that the healthcare field does not monetize. However, formulas to monetize the value of big data are used in other fields; and as such when broken down, individuals can be profiled. A suggestion was made to hold a hearing about what health data policies should be in place for cases of bankruptcy. Discussion ensued about the algorithms behind people’s data that, if sold, could create inequality (redlining principle).

Due diligence in the security realm is stronger than privacy in the banking industry (with the exception of the legal prohibition on use of information for underwriting). The financial industry has much to teach the healthcare field about security; and the healthcare field has much to teach banks about privacy. Wearable technology such as a Fitbit or Apple Watch (patient-generated data) is not covered by HIPAA except when given to the individual by a health insurance company. Such devices were suggested as a topic for another time. There was further discussion of the Gramm-Leach-Bliley law, which allows banks to join forces (e.g., Citibank and Traveler’s Insurance). These groupings can sell a range of products that use health information but are not covered by HIPAA. Helping the public understand what is and is not covered under HIPAA would be a very useful job for NCVHS.

Frame Letter of Recommendation and Timeline for the Secretary of HHS

Discussion

Beyond an introduction about the May 6-7, 2015 hearing, the first few PowerPoint presentation slides should clarify and address the scope of Section 1179, to include when a bank is performing treasury (i.e., payment functions: 837, EFT, etc.) versus clearinghouse functions; and what constitutes a legal business associate. The next slide should provide a basic framework that defines differences between the statutory structures that apply to health care under HIPAA and various banking statutes. A gap analysis between the privacy parts of these two bodies of law should be included, in addition to mention of conflict areas and opportunities for harmonization.

Opportunities for learning, with a focus on security and interoperability, could come next (recognizing that health care is stronger in privacy but weaker in security; and that the financial industry has strong audit and compliance functions). Separate slides were suggested for financial services and healthcare services learning opportunities. Core differences should be spelled out (e.g., HIPAA is built around patient rights and the financial industry is not). Issues surrounding the nature of personal health information should be addressed in order to clarify confusion about meaningful use versus minimum necessary, as well as modification or corrections to health records.

It would be important to detail the financial industry’s gaps in understanding HIPAA, followed by gaps in how healthcare organizations manage their relationships with the industry. The gap analysis should be followed by what the financial industry is actually doing, which in turn should be followed by opportunities for learning. Are metrics available relative to the financial industry’s adherence to HIPAA?

The next category to include has to do with administration of health insurance options; and the final major category is “other services”, including investment services. Suggestions were made to refer to the categories presented by John Casillas; and to be explicit about back office financial functions such as lockbox, credit checking and credit card operations vis-à-vis HIPAA. Clarity is needed with regard to functions such as authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments.

The order of topic presentations was discussed and revised. Noting a changing environment, other topics to address include: the bigger vision (consumer-driven healthcare issues; big data use issues); “aha” moments or take-aways; new territories (e.g., wearables); and emerging issues. It was noted that ONC and OCR are jointly developing guidance about non-covered entities and non-business associates. Big data, along with the accompanying algorithms and analytics, should be discussed relative to how they are used. Recommendations should be presented about specific written guidance to be developed by HHS although the Department has addressed the financial industry’s changing functions. That financial institutions are involved in new activities on behalf of healthcare clients should be acknowledged. Competencies in vendor assurance were discussed for inclusion.

Developing the notion of parallel data stewardship could be useful to the Committee. Issues for further exploration were reiterated to include: data as an asset; and wearables and wellness programs when they are non-HIPAA covered entities. However, these topics reach beyond financial services. The letter should cover topics that have evolved from the hearing and recommend clarifying guidance, training and the development of a workgroup that brings the financial and healthcare fields together.

A question arose about how far to go with contrasting HIPAA and relevant banking laws in the letter. The majority of work has to do with bank versus health industry under HIPAA security requirements. The Subcommittee will recommend that a security analysis be done (but not by the Subcommittee). In the upcoming full Committee meeting, Subcommittee members will lead with a presentation that is followed by a discussion of next steps in the healthcare arena; and then in the financial industry. Additional topics for the Committee to consider will then be put forth.


A PowerPoint presentation developed in the above meeting will be circulated to Subcommittee members. The Subcommittee will next meet for breakfast prior to the next full Committee meeting in the Fall of 2015.


The meeting was adjourned at 11:50 a.m.

To the best of my knowledge, the meeting summary is accurate and complete.


Chair DATE