The Health Insurance Portability and Accessibility Act of 1996 (HIPAA) defines Protected Health Information (PHI) as any individually identifiable information about a patient, including treatments, conditions and payments. Any entity that takes custody of this information has to meet a standard of care in terms of security and privacy, and becomes answerable to the U.S. Department of Health and Human Services.
For many banks, the prospect of satisfying another regulator has been enough to raise the red flag on getting involved with healthcare providers. But for Charlotte, N.C.-based Bank of America ($1.11 trillion in assets), the drive to serve all facets of the healthcare industry has been a race for the checkered flag.
"We are uniquely positioned in that we have the No. 1 market penetration in the healthcare industry for large corporate treasury management, we're the largest small-business banker and we're also the No. 1 consumer franchise," says Catherine Warren, vice president, healthcare industry strategy, global treasury services. "We overlay the entire industry."
BofA: Clearinghouse Bank
To support the payment needs of large insurance companies (the payers), Bank of America offers PayMode, a lockbox and clearinghouse service that accepts benefit payments files in proprietary formats and converts them to the HIPAA-standard explanation of benefits (EOB) required by healthcare providers. "Because we can take in the dollars and the [claim] information from the payer and provide that information together, there's no need to re-associate that information," says Warren.
PayMode, a legacy Fleet initiative, demonstrates the potential for post-merger synergy. "We're very excited about bringing [PayMode] into the broader organization, really leveraging that across the new bank and getting that out into the Bank of America footprint," relates Warren.
Because PayMode is a clearinghouse service, Bank of America is a "covered entity" under the HIPAA rules. HIPAA creates a distinction between "HIPAA-covered entities" that process Protected Health Information and "business associates," which do business with covered entities such as clearinghouses. Thus, an organization such as Bank of America can have a clearinghouse unit that is a covered entity, other units that are business associates, and unrelated businesses that are not subject to HIPAA rules at all.
One of the challenges in becoming either a HIPAA-covered entity or a business associate is in meeting HIPAA's security and privacy rules. From BofA's perspective, both are areas in which the organization already excels. "It's what banks do really well and what we do really well," says Warren. "You have to, whether you're a clearinghouse or a business associate," she asserts.
ABN Amro: Lockbox With a Partner
The line between HIPAA-covered entity and business associate, however, has been difficult to discern. "HIPAA is still a little bit ambiguous toward banks," confirms Nav Ranajee, vice president, business strategies group, ABN AMRO Services Company (Chicago). "There hasn't been any clearly stated language."
What's clear is that an entity that acts as a clearinghouse falls within the definition of a covered entity. "If you're converting data from a non-standard into a standard, you're a clearinghouse," says Ranajee. "If you're a clearinghouse, you're a covered entity."
Other situations are less clearly defined. ABN AMRO offers a healthcare receivables management service, but instead of operating the clearinghouse itself, it has outsourced that function to a third party. "The paper explanation of benefits comes into our lockbox, we image it at our lockbox and we send it off to our vendor's system, where they convert that image EOB into an electronic HIPAA-standard payment," explains Ranajee.
At that point, the vendor then performs reconciliation between the EOB remittances and the payments. "We're able to match it up before we send it to the providers," says Ranajee. "It's a great advantage to providers because it enables them to analyze their accounts receivables," he asserts.
The question of whether ABN AMRO is a covered entity under HIPAA has yet to be answered definitively, but to be on the safe side, some banks' lawyers are assuming that the answer is "yes." While complying with covered-entity requirements might cause banks some short-term pain, the longer-term business prospects for banks that choose to serve the healthcare market are quite healthy indeed.