NRPM: Standards for Privacy of Individually Identifiable Health Information. b. Proposed requirements.


We propose that covered entities be permitted to disclose protected health information to financial institutions for the specific purposes listed in the section. The permissible purposes are those identified in the statute, and the regulatory text would copy the statutory list of allowable uses.

Under section 1179 of the Act, activities of financial institutions are exempt from HIPAA’s Administrative Simplification requirements to the extent that those activities constitute “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments” for health care or health plan premiums. This section of the statute states that financial institutions can use or disclose protected health information for these purposes. We read this part of the statute as indicating that Congress intended that this regulation not impede the efficient processing of these transactions, and accordingly are allowing covered entities to disclose protected health information to financial institutions for the purposes listed in section 1179 of the statute.

Proposed § 164.510(i) would not allow covered entities to include any diagnostic or treatment information in the data transmitted to financial institutions. Such information is never necessary to process a payment transaction. We believe that, in most cases, the permitted disclosure would include only: (1) the name and address of the account holder; (2) the name and address of the payer or provider; (3) the amount of the charge for health services; (4) the date on which health services were rendered; (5) the expiration date for the payment mechanism, if applicable (i.e., credit card expiration date); and (6) the individual’s signature. At this time, we are not proposing to include in the regulation an exclusive list of information that could be lawfully disclosed for this purpose. We are, however, soliciting comment on whether more elements would be necessary for these banking and payment transactions and on whether including a specific list of the protected health information that could be disclosed is an appropriate approach.

We understand that financial institutions may also provide covered entities that accept payment via credit card with software that, in addition to fields for information required to process the transaction, includes blank fields in which health plans or health care providers may enter any type of information regarding their patients, such as diagnostic and treatment information, or other information that the covered entity wished to track and analyze. Other financial institutions could provide services to covered entities that constitute “health care operations” as defined in proposed § 164.504.

We do not know whether and to what extent health plans and health care providers are using such software to record and track diagnostic and treatment and similar information. However, we recognize that the capability exists and that if a plan or provider engages in this practice, information not necessary for processing the payment transaction could be forwarded to financial institutions along with other information used to process payments. Disclosing such information to a financial institution (absent a business partner relationship) would violate the provisions of this rule.

We also understand that banks, in addition to offering traditional banking services, may be interested in offering additional services to covered entities such as claims management and billing support. Nothing in this regulation would prohibit banks from becoming the business partners of covered entities in accordance with and subject to the conditions of §164.506(e). If a bank offers an integrated package of traditional banking services and health claims and billing services, it could do so through a business partner arrangement that meets the requirements of proposed § 164.506(e). Any services offered by the bank that are not on the list of exempt services in 1179 would be subject to the terms of this rule.

We recognize that financial institutions’ role in providing information management systems to customers is evolving and that in the future, banks and credit card companies could develop and market to health plans and health care providers software designed specifically to record and track diagnostic and treatment information along with payment information. In light of the rapid evolution of information management technology available to plans and providers, we seek comment on the types of services that financial institutions are performing or may soon perform for covered entities, and how these services could be best addressed by this proposed rule.

Finally, we note that we would impose no verification requirements for most routine banking and payment activities. However, if a bank or financial institution seeks information outside payment processing transactions (e.g., during a special audit), we would require the covered entity to take reasonable steps to verify the identity of the person requesting the disclosure.