Testimony on Medical Information and Banking
for
National Committee on Vital and Health Statistics
by
Anna Slomovic, Ph.D.

February 18, 2004

Thank you, Chairman Rothstein and members of the Subcommittee on Privacy and Confidentiality, for the opportunity to testify before you as you consider issues related to banking and health information. My name is Anna Slomovic. I am a Senior Fellow at the Electronic Privacy Information Center in Washington, DC. EPIC is a public interest research center, established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC has a longstanding interest in privacy protections for health information handled by the financial industry and has testified on this subject in Congress.

In September 2003, a coalition of privacy groups, including EPIC, sent a letter to Secretary Thompson to express concern about discussions being held between the banking industry and the Department about a proposal that would permit banks to handle and transmit protected health information (PHI) without appropriate protections. These discussions involve the status of banks under HIPAA and permissibility of sending PHI via the automated clearinghouse (ACH) network without encrypting PHI so that it can be accessible only to final intended recipients. It is our view that banks which handle PHI contained in the Premium Payment and Electronic Remittance Advice (ERA) should be covered health care clearinghouses as defined in the Privacy Rule, and that PHI should be additionally encrypted so it cannot be accessed by those with access to the ACH network. These issues are gaining importance as banking regulators prepare to write new regulations under the Fair and Accurate Credit Transactions (FACT) Act of 2003. I will briefly address our concerns, as described in our letter and the response provided by the American Banking Association (ABA) and the NACHA, the Electronic Payment Association.

Banks and HIPAA

Applicability of the HIPAA Privacy Rule to banks arises from the fact that the Department of Health and Human Services (HHS) has adopted a transaction standard in which banks, normally not regulated by HHS, engage in activities which could make them, by definition, healthcare clearinghouses within the scope of HHS regulation. Although some banking activities were explicitly exempt from HIPAA under Section 1179 of the HIPAA statute, there is a disagreement about the extent to which this exemption applies.

The HIPAA Banking Taskforce, a joint initiative of the ABA and NACHA, has asked HHS to agree that all “activities of a financial institution” are exempt under Section 1179. Under this interpretation banks would not be designated healthcare clearinghouses even though they convert ACH transactions data from standard to non-standard format for their clients. ABA and NACHA have further stated that banks should not be considered clearinghouses because they perform such conversions only because their clients do not have their own conversion capabilities.

Privacy groups and the Medical Banking Project have taken the opposite position on the basis of our reading of Congressional intent behind Section 1179. As stated in the conference report on the Security and Electronic Signature Standards, the Congress intended to apply the exemption in Section 1179 only to consumer-oriented payment transactions, such as credit or debit card transactions. The ABA and NACHA have rejected this interpretation because they believe the statute language is clear on its face and requires no reference to legislative history. They have also rejected the notion that clearinghouses exist precisely because some providers and health plans do not have their own capabilities to convert non-standard transactions to standard.

The ABA and NACHA have stated that as long as Business Associate Agreements are in place between financial institutions and their covered entity clients, banks will meet their obligations under HIPAA. We do not believe Business Associate agreements provide the same protection for health information as covered entity status. While covered health care clearinghouses must comply with the Privacy Rule as spelled out in §164.500(b), business associates must comply with the Rule only to the extent required by Business Associate Agreements. As a result, permitting banks to be business associates would create a situation in which potentially different terms govern the same transaction on the originating end (where a bank might be a health plan’s business associate) and on the receiving end (where a bank might be a provider’s business associate). Depending on the terms of the two contracts, permitted uses and disclosures might be quite different, and terms of the contracts would depend on the relative power of the parties in the negotiation. Additionally, if banks are business associates, individuals who believe their privacy has been violated would have no recourse because they are not party to business associate contracts between covered entities and financial institutions. Furthermore banks would not be subject to oversight by the Office for Civil Rights and would be exempt from civil and criminal penalties under the Privacy Rule, complicating enforcement actions based on complaints about violations of privacy.

Transmitting protected health information (PHI) via the ACH network

The HIPAA Banking Task Force has requested HHS permission to move PHI through the ACH network without additional encryption to make PHI accessible only to the final recipient although clear statements in the Preamble to the December 2000 Privacy Rule require additional encryption of PHI. If permission is granted, large amounts of PHI would potentially be available to those with access to the ACH network and could be subject to abuse. Our greatest concern is that ACH transactions would be subject to data-mining for marketing and credit evaluation, and we focused on this concern in our letter to HHS. There are two additional problems. First, there is the problem of network security breaches. Second, there is the problem with ACH transactions being captured and stored in the intermediary nodes of the ACH network.

ABA and NACHA have stated that the ACH network is encrypted and secure. However, there is increasing evidence that the amount of fraudulent activity on the ACH network is rising as criminals become more familiar with networks in general and the ACH network in particular. The problem is compounded because banks are generally reluctant to report security breaches of their networks so as not to undermine faith in the soundness of the financial system. If banks transmit PHI through the ACH network without additional encryption and if they are designated as business associates, they would have an obligation under the Privacy and Security Rules to inform their covered entity clients about inappropriate uses and disclosures of PHI, including network security breaches. This would be a significant change in their current operations.

Our final concern has to do with the fact that as transactions go through the ACH network, they are captured and stored unencrypted in intermediary nodes. This is necessary in order to trace network problems and verify transaction integrity for financial transactions. Unfortunately, it means that PHI that is part of those transactions will be stored as well. This PHI not be protected by the Privacy Rule either through direct application to covered entities or through contract Business Associate contracts. Additional encryption is the only solution that would protect PHI in this instance.

The ABA and NACHA have stated that they oppose the use of personal health information for any purpose other than that for which it was obtained and that they oppose data-mining of health information for marketing or other purposes. It seems to us that the position would be strengthened if ABA and NACHA agreed with the need to provide additional encryption to PHI flowing through the ACH network, given the number of potential problems that could come from within and outside the banking system.

Summary and recommendation

Different groups disagree about the interpretation of Section 1179 of the HIPAA statute and the Preamble to the December 2000 Privacy Rule. These disagreements take on greater importance as the banking regulators and the National Credit Union Association prepare to issue rules for use and disclosure of medical information under the Fair and Accurate Credit Transactions Act of 2003. In light of this, we recommend that the Committee take the following actions.

  1. We ask the committee to recommend that the Office for Civil Rights and officials with responsibility for HIPAA transactions and code sets work with the banking regulators to resolve questions about the applicability of HIPAA to banks and on the permissibility of sending PHI through the ACH network without additional encryption.
  2. We ask the committee to recommend that the Office for Civil Rights work with the banking regulators and the National Credit Union Association to ensure that the rules promulgated under the FACT Act are consistent with the HIPAA Privacy Rule and provide an appropriate level of protection to PHI after the PHI enters the banking system.

Thank you.