[ Wednesday, February 18, 2004 ]
Should banks be covered entities?
That's the latest question Washington regulators are being asked. The extremists at the Georgetown Health Privacy Project think so, and want HIPAA privacy restrictions extended to them. The banks say no, since (i) they're already subject to Gramm-Leach-Bliley privacy restrictions and (ii) they're already indirectly covered as business associates. The HPP folks are concerned that banks receive health information when they act as paying agents, and they might use that information to make underwriting decisions when the individual who is the subject of the information comes to the bank seeking a mortgage.
As anyone who knows anything about HIPAA knows, HIPAA imposes a significant financial, administrative, and operational burden on those who are subject to it. Adding a new class of parties to the definition of "covered entity" would add a whole new group of people subject to expensive and burdensome regulations. And to what end? Is there a compelling history of banks improperly using the information that might pass through their hands to deny sick people loans? I don't think so; I've never heard of it.
Right now, banks are prohibited from using health information in processing a loan application unless the purpose of the loan relates to the health information. Banks are also prohibited (under GLB) from using information they get from one line of business (say, their banking line) in another line of business (say, their insurance line) unless they've given the individual the opportunity to opt out of the crossover use. If the banks are receiving PHI from physicians, hospitals, or insurance companies (all covered entities), they need to have business associate agreements in place, by which they are contractually obligated to protect the information.
Could banks get the information and improperly use it? I guess it's possible, but I really doubt how a bank could get sufficient information, in a sufficiently usable format, to allow it to do anything nefarious. Imagine you are a banker, and one of your customers has written checks to hospital A or doctor B. That information might indicate that the customer has some evil illness and might die before he pays off the loan. Wouldn't you, as the banker, really have to dig through his check stubs to find this out, and wouldn't this violate a regulation to which the banker is already subject? What if the prospective borrower isn't a bank customer, but the doctor is; wouldn't it be prohibitively difficult for the bank to check out the records of all of its physician and hospital customers to look for information on the prospective borrower? Most of the bankers I know wouldn't make a loan to someone unless they had sufficient collateral or other security anyway, and do their underwriting assuming the borrower might die or go broke. These types of concerns about evil bankers just seem like a lot of conspiracy theory to me.
At any rate, I don't think the HPP folks are going to get anywhere with HHS. There are other non-covered entities who are much greater risks to the improper use of PHI, such as pharmacy benefit managers and drug manufacturers. Why didn't HHS put these folks under the regulatory umbrella of HIPAA? Because the HIPAA statute specifies who is a "covered entity," and HHS can't change that. If the HPP folks want to complain, they need to go upstream and petition Congress. Lotsa luck.
There are plenty of people, myself included, who feel that excessive governmental regulation is strangling the American economy. Here, the HPP gadflies are trying to attack a problem that I don't think exists. You've been denied a mortgage at the bank where your doctor banks, because the bank looked at the doctor's records and determined that you might be sick? Go to another lender! Based on all the "refinance your mortgage now" spam that I get, it sure seems like you'd be able to find another lender without too much effort.
How about we save our regulatory bullets for real problems? Is that too much to ask?
Jeff [10:48 AM]