that will need to be addressed before it can be utilized in accordance with the security requirements of HIPAA and HITECH.
The most significant issue is that ACH data is encrypted while in
motion but is almost always stored in a non-encrypted format.
In such an environment, unsecured PHI in an ACH addenda
record might be accessible by someone other than the intended
recipient. While access to ACH data has generally been limited
to personnel within a financial institution with a “need to know,”
this standard is insufficient for healthcare information. Access
to PHI must be limited to the intended recipient or a business
associate thereof, and each time a record is accessed for purposes
of disclosure, it must be logged so that an accounting of such
disclosure can be made—something that virtually no ACH
system does today.
There are alternatives that can be considered by the National
Automated Clearing House Association (NACHA) and its members to make the ACH system compliant with existing security
regulations. Such changes include encrypting addenda records
containing PHI; establishing a new standard entry class (SEC)
code for healthcare transactions so that special access controls
can be implemented for those payments exclusively; creating a
network of business associate agreements binding all NACHA
participants and their service partners to applicable privacy and
security requirements; or some combination of these changes.
Ultimately, whether the ACH network will work and the costs of
compliance will be driven by decisions that will be made in the
next two years by HHS and its designated not-for-profit rules-making organization.
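The access-control and accounting-of-disclosures changes described above, as an added Python illustration that is not code from the article, NACHA or any bank: it gates the payment-related-information field of a NACHA addenda record on a healthcare SEC code and on the requester being the intended recipient or one of its business associates, and logs every disclosure (and every refusal). The code "HCP", the party names and the batch contents are constructed placeholders; the encryption-at-rest change is not shown.

```python
# Added example (not from the article): an "accounting of disclosures" gate for
# PHI carried in the payment-related-information field of a NACHA addenda
# record. Field offsets follow the standard 94-character NACHA record layout;
# the healthcare SEC code "HCP" is a HYPOTHETICAL placeholder, because the
# article only proposes that such a code be created.
from datetime import datetime, timezone

HEALTHCARE_SEC = "HCP"  # hypothetical placeholder for a future healthcare SEC code


def build_batch(sec_code, phi_text):
    """Return a constructed batch: header (type 5), entry (6), addenda (7)."""
    header = ("5200" + f"{'ACME HEALTH PLAN':<16}" + " " * 20 + f"{'1234567890':<10}"
              + sec_code + f"{'CLAIM PMT':<10}" + " " * 6 + "250101" + "   " + "1"
              + "09100001" + "0000001")
    entry = ("622" + "09100001" + "9" + f"{'12345678':<17}" + "0000012500"
             + f"{'PAT0001':<15}" + f"{'PROVIDER CLINIC':<22}" + "  " + "1"
             + "091000010000001")          # sample values; check digit not validated
    addenda = "705" + f"{phi_text[:80]:<80}" + "0001" + "0000001"
    assert all(len(r) == 94 for r in (header, entry, addenda))
    return [header, entry, addenda]


def disclose_addenda(batch, requester, authorized, log):
    """Release addenda PHI only to an authorized party and log every access.

    `authorized` holds the intended recipient and its business associates;
    `log` accumulates the accounting of disclosures. Refused requests are
    logged as well so unauthorized attempts remain visible.
    """
    header, records = batch[0], batch[1:]
    if header[0] != "5" or header[50:53] != HEALTHCARE_SEC:
        raise ValueError("batch is not flagged with the healthcare SEC code")
    stamp = datetime.now(timezone.utc).isoformat()
    if requester not in authorized:
        log.append({"when": stamp, "who": requester, "trace": None, "released": False})
        raise PermissionError(f"{requester} is not an authorized recipient")
    released, trace = [], None
    for rec in records:
        if rec[0] == "6":
            trace = rec[79:94]                   # entry trace number (positions 80-94)
        elif rec[0] == "7" and rec[1:3] == "05":
            released.append(rec[3:83].rstrip())  # payment related information (4-83)
            log.append({"when": stamp, "who": requester, "trace": trace, "released": True})
    return released
```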
For financial institutions, the stakes are high. Compliance
could be costly, but noncompliance could compromise existing
relationships with covered entities. And where Medicare goes, the
commercial healthcare insurers are likely to follow. This change
could easily be as significant to the payments industry as Social
Security’s decision to move to direct deposit in 1975—a move
that gave the ACH network the scale and credibility it needed to
become a national payments network.
At the intersection of the healthcare and financial services industries, a space sometimes referred to as “medical banking,”
an increasingly complex web of regulatory interaction is being
created. Privacy, security, and breach notification provisions
overlap, creating additional challenges for compliance professionals. Business associate agreements, a mainstay of medical
banking since HIPAA’s passage in 1996, have taken on added
importance. Banks and bankers are directly subject to criminal
and civil penalties where liability previously was contractual. In
this environment, it is critically important for banks to consider
how they interact with healthcare payers and providers, identify
where and how PHI is handled and stored, create robust processes
for protecting healthcare information, and, should these efforts
fall short, establish contingency plans to deal swiftly with a data
breach in accordance with the regulations.
The consequences for noncompliance—criminal penalties,
civil penalties, and reputational risk—are substantial.
1 The HIPAA privacy rule defines “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to that individual, or the past, present, or future payment for the provision of healthcare to that individual; and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
2 The Health Information Technology for Economic and Clinical Health Act (HITECH) is found at Title XIII of ARRA.
3 “Covered entity” is defined at 45 CFR 160.103.
4 “Healthcare clearinghouse” is defined at 45 CFR 160.103.
5 “Business associate” is defined at 45 CFR 160.103.
6 American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, § 13400; at § 13402.
7 Id. at § 13402.
8 Id. at § 13402.
9 Id. at § 13402.
10 74 FR 74740 (August 24, 2009).
11 California and Arkansas are notable exceptions; each has security breach notification requirements with respect to “medical information” and California also includes “insurance information.”
12 For example, New York’s security breach notification law states, “The disclosure shall be made in the most expedient time possible and without unreasonable delay.”
13 45 CFR 164.314(a)(2)(i)(C).
14 45 CFR 164.304.
15 Section 13404(c) of HITECH applies both civil and criminal penalties under Sections 1176 and 1177 of the Social Security Act to business
16 Sec. 1179 of the SSA [42 U.S.C. 1320d–8].
About the Authors
Linda A. Malek is a partner and chair of the Healthcare and Privacy Practice Groups at Moses & Singer LLP. Reach her at (212) 554-7814 or via e-mail at lmalek@
Cristeena Naser is senior counsel for Center for Securities, Trust & Investment at the American Bankers Association. Reach her at 1-800 BANKERS or via e-mail at
Samuel J. Servello is an associate in the Healthcare Practice Group at Moses & Singer LLP. Reach him at (212) 554-7872 or via e-mail at email@example.com.
J. Steven Stone is senior vice president of Treasury Management Operations at PNC Bank Treasury Management. Reach him at (412) 531-7553 or via e-mail at