The following is an article reprinted with permission from the Spring 2005 edition of The WWR Letter:
Impact of HIPAA on Credit Unions
By: Raymond Moats, Esquire
In response to the rising cost of health care and the unrestricted exchange of private health information between private companies, such as insurance companies and drug manufacturers, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA consists of two sections: health insurance reform and administrative simplification. Of the two sections, the administrative simplification section is more likely to have an impact on credit unions.
The health insurance reform provisions promote portability and continuity of health insurance coverage for workers and their families when they change or lose their jobs. The administrative simplification provisions regulate how health care providers, health plans and health care clearinghouses (covered entities) protect the privacy of patient information, and they provide a national electronic standard for the exchange of health care transactions. The privacy rule provides that covered entities may not use or distribute an individual’s health information without the patient’s authorization, unless the release of information is permitted by an exception in the rule. The privacy regulations also cover businesses (business associates) that perform a function or activity on behalf of a covered entity. This may include third-party administrators, billing companies, lawyers and data processing firms.
There are two situations where the privacy requirements of HIPAA could affect a credit union. First, if the credit union provides bill processing services or Automated Clearing House (ACH) services to a covered entity, then the credit union is considered a business associate of the covered entity. As a business associate, the credit union is obligated to follow the requirements of HIPAA and maintain the privacy of the patient’s health information. Second, if the credit union provides self-insured group health insurance or offers flexible spending accounts and employee assistance programs, the credit union may be considered a covered entity and again must comply with the HIPAA privacy rule.
In order for a credit union to provide services such as bill processing to a covered entity, the parties must enter into a contract in accordance with HIPAA. The covered entity may not disclose patient health information to a business associate unless the parties have signed a written contract that ensures the business associate will protect the information. The contract must specify the permitted and required uses and disclosures of information by the credit union.
Credit unions that contract with an insurance company or other third-party administrator to administer their group health plan are typically exempt from the privacy rules. Also, medical information acquired through the employment process, such as test results, does not make the employer a covered entity. However, credit unions that have a self-insured health plan or a flexible spending plan with more than 50 participants are subject to the regulations under the HIPAA privacy rule.
In order to be HIPAA compliant, a credit union that is designated as a covered entity must appoint a privacy officer. The privacy officer will be responsible for developing and implementing privacy policies. The policies and procedures shall cover the process of taking complaints, sanctioning employees for violating the policies, and the steps involved to mitigate the inappropriate use or disclosure of information. The privacy officer will also appoint a contact person who is responsible for receiving complaints. The credit union will then be required to train all employees on these policies and procedures.
HIPAA creates burdensome requirements for credit unions that are considered business associates to a covered entity or that maintain a self-insured health group plan. Failure to comply with HIPAA could subject a credit union to civil and criminal penalties. In either situation, a credit union would be wise to review its policies with an attorney who is well versed in the complexity of HIPAA.
Raymond Moats is an Associate in the Collection Services and Probate departments of the Grove City operations center. He can be reached at (614) 801-2767 or firstname.lastname@example.org.