These HIPAA-related FAQs are based on the regulations, published DHHS comments and the preambles of the regulations issued under HIPAA.

Can the group health plan conduct the electronic funds transfer portion of the standard transaction with a financial institution without restriction?
  • Yes. The electronic funds transfer (EFT) portion of the transaction contains no protected health information. The protected health information is carried in the electronic remittance advice portion, which the financial institution needs neither to conduct the funds transfer nor to forward the transaction.
When can a group health plan transmit the portion of the transactions containing protected health information (remittance advice) through a financial institution?
  • The Standards for Privacy of Individually Identifiable Health Information; Final Rule; 45 CFR Section 164.501 (page 82496), state: "a covered entity may not disclose the protected health information (remittance advice) to a financial institution for these purposes [electronic funds transfer]. A covered entity may transmit the portions of the transactions containing protected health information through a financial institution if the protected health information is encrypted so it can be read only by the intended recipient [Healthcare Providers (835) or Health Plans (820)]. In such cases, no protected health information is disclosed and the financial institution is acting solely as a conduit for individually identifiable data."
  • The practical condition is end-to-end encryption: the decryption key must be held by the intended recipient, not by the financial institution. If the institution can decrypt the remittance advice at any point, it is no longer merely a conduit and the transmission is a disclosure.
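The "conduit" condition above is easiest to see in code. The following is an added example, not code from the original page or from any NACHA or DHHS publication: the health plan encrypts the remittance advice to the intended recipient's public key (an ephemeral X25519 agreement, a SHA-256 key derivation and AES-256-GCM, all from the Go standard library), the financial institution forwards the envelope without being able to read it, and the recipient decrypts and verifies it. The sample 835-style payload, the key pair and the field names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SampleRemittance is a constructed, abbreviated 835-style payload used only
// to drive the example; it is not a complete or valid X12 interchange.
const SampleRemittance = "CLP*CLM0001*1*500.00*450.00**12*PAYER01~NM1*QC*1*DOE*JANE****MI*MBR0001~"

// Envelope is all the financial institution ever handles: an ephemeral
// public key, a nonce and AES-GCM ciphertext. It contains no readable PHI.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// NewRecipientKey generates the long-term X25519 key pair of the intended
// recipient (the provider receiving the 835, or the plan receiving the 820).
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives the session key from the X25519 shared secret and returns
// an AES-256-GCM AEAD. Plain SHA-256 over (secret || ephemeral pub ||
// recipient pub) stands in for a KDF here; production code would use HKDF.
func aeadFor(secret, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(secret)
	h.Write(ephPub)
	h.Write(rcptPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the remittance advice so only the holder of rcptPub's private
// key can read it. The ephemeral public key is bound as associated data, so a
// conduit cannot swap it without decryption failing at the recipient.
func Seal(rcptPub *ecdh.PublicKey, remittance []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	secret, err := eph.ECDH(rcptPub)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(secret, ephPub, rcptPub.Bytes())
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, remittance, ephPub)
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is run by the intended recipient. Any modification in transit makes the
// GCM tag check fail, so the recipient gets an error rather than altered PHI.
func Open(rcptPriv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := rcptPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(secret, env.EphemeralPub, rcptPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// ConduitForward models the financial institution: it forwards the envelope
// unchanged and reports whether a known patient identifier was visible to it.
func ConduitForward(env Envelope, marker []byte) (Envelope, bool) {
	return env, bytes.Contains(env.Ciphertext, marker)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(priv.PublicKey(), []byte(SampleRemittance))
	if err != nil {
		panic(err)
	}
	env, visible := ConduitForward(env, []byte("DOE*JANE"))
	fmt.Println("patient name visible to conduit:", visible)
	pt, err := Open(priv, env)
	fmt.Println("recipient decrypted intact:", err == nil && string(pt) == SampleRemittance)
}
```

The design choice that matters for the regulation is where the private key lives: only the provider or plan holds it, so the ODFI, the ACH operator and the RDFI see ciphertext and nothing else. Authenticating the ephemeral key as associated data also means a bank in the path cannot re-wrap the payload for a different recipient without the original recipient noticing.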
Who are considered "covered entities"?
  • Healthcare Providers who conduct HIPAA transactions electronically
  • Group Health Plans
  • Healthcare Clearinghouses (public or private entities that process health information received from another entity from a non-standard format into a standard format, or vice versa)
  • Financial Institutions may or may not be considered healthcare clearinghouses depending on the services they provide as defined above.
What is a Business Associate?
  • A business associate is someone who performs or assists the covered entity to perform a function of the covered entity, or who provides services to the covered entity.
  • Financial Institutions (ODFIs and RDFIs, the originating and receiving depository financial institutions) that receive only encrypted patient information (remittance advices), or that do not send or receive patient information through the ACH network at all, are not considered business associates and do not have to conform to the HIPAA Privacy Regulations.
What is HIPAA?
  • HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
  • It was passed by Congress in an effort to improve the efficiency and effectiveness of the health care system and to ensure that patient information is kept confidential.
What are the HIPAA compliance dates?
  • Compliance with HIPAA's transactions and code sets rule is required by October 16, 2002, unless an extension is filed. By filing an extension, the compliance date for transactions and code sets can be delayed until October 16, 2003.
  • Compliance with HIPAA's privacy rule is required by April 14, 2003.
What is the projected cost to become HIPAA compliant?
  • HIPAA compliance has been projected as potentially more expensive than the Y2K retooling with cost estimates for the healthcare industry of approximately $40 billion. According to a study commissioned by the Blue Cross and Blue Shield Association, about $23 billion of that amount will be spent building the infrastructure necessary to support HIPAA's requirements.
  • Healthcare entities can be expected to recover their HIPAA related compliance expenditures from the efficiencies gained through standardization.
What is "Health Information"?
  • "Health Information" is broadly defined to include any information, oral or recorded, relating to the health of an individual, the health care provided to an individual, or payment for health care provided to an individual.
  • The regulations do not apply to health information that has been "de-identified" by removing, coding, encrypting or otherwise eliminating or concealing all individually identifiable information. Information is considered de-identified if all of the following are removed: names; geographic designations smaller than a State; dates (other than the year); telephone, fax and other identifying numbers; addresses; URLs and IP addresses; biometrics; identifiable photographs; and any other unique identifiers.
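As an added illustration of the de-identification rule above (this is example code written for this page, not a DHHS tool or a certified de-identification method), the following Go program strips a record of the listed identifier classes: named fields such as name, ZIP and phone are dropped outright, date fields are reduced to the year, and free-text fields are scrubbed for URLs, IP addresses, phone numbers, ISO dates and ZIP codes, since identifiers tend to hide in notes. The field names, patterns and the sample record are constructed for the example; a real deployment would tune the field list and patterns to its own data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// directIdentifiers are field names whose values are dropped outright:
// names, geography below state level, contact numbers, addresses, network
// identifiers, biometrics, photographs and other unique identifiers.
var directIdentifiers = map[string]bool{
	"name": true, "address": true, "city": true, "county": true, "zip": true,
	"phone": true, "fax": true, "email": true, "ssn": true, "mrn": true,
	"member_id": true, "account": true, "url": true, "ip": true,
	"fingerprint": true, "photo": true, "device_serial": true,
}

// dateFields are reduced to the year rather than dropped entirely.
var dateFields = map[string]bool{"dob": true, "admit_date": true, "discharge_date": true}

// Patterns for identifiers that tend to hide inside free-text fields. Order
// matters: URLs are removed first so their digits are not split into other
// matches, and ZIP codes last because the 5-digit pattern is the loosest.
var (
	urlPat   = regexp.MustCompile(`https?://\S+`)
	ipPat    = regexp.MustCompile(`\b\d{1,3}(\.\d{1,3}){3}\b`)
	phonePat = regexp.MustCompile(`\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b`)
	datePat  = regexp.MustCompile(`\b(\d{4})-\d{2}-\d{2}\b`)
	zipPat   = regexp.MustCompile(`\b\d{5}(-\d{4})?\b`) // also hits other 5-digit numbers; errs toward removal
)

// ScrubFreeText redacts URLs, IP addresses, phone numbers and ZIP codes and
// reduces ISO dates to their year.
func ScrubFreeText(s string) string {
	s = urlPat.ReplaceAllString(s, "[URL]")
	s = ipPat.ReplaceAllString(s, "[IP]")
	s = phonePat.ReplaceAllString(s, "[PHONE]")
	s = datePat.ReplaceAllString(s, "$1")
	return zipPat.ReplaceAllString(s, "[ZIP]")
}

// DeIdentify returns a copy of rec with direct identifiers removed, date
// fields reduced to the year (or dropped if they do not parse), and every
// remaining value scrubbed.
func DeIdentify(rec map[string]string) map[string]string {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		key := strings.ToLower(k)
		switch {
		case directIdentifiers[key]:
			continue
		case dateFields[key]:
			if m := datePat.FindStringSubmatch(v); m != nil {
				out[key] = m[1]
			}
		default:
			out[key] = ScrubFreeText(v)
		}
	}
	return out
}

// SampleRecord is a constructed patient record used only to drive the example.
var SampleRecord = map[string]string{
	"name":      "Jane Doe",
	"dob":       "1958-07-21",
	"zip":       "10027",
	"state":     "NY",
	"diagnosis": "E11.9",
	"notes":     "Follow-up; call 212-555-0143, see http://portal.example/visit/9 from 192.168.1.20 on 2020-02-02",
}

func main() {
	for k, v := range DeIdentify(SampleRecord) {
		fmt.Printf("%-10s %s\n", k, v)
	}
}
```

The point the code makes is that dropping named fields is the easy half; the notes field still leaks a phone number, a URL, an IP address and a full date until the free text is scrubbed as well. Whatever survives (state, diagnosis code, year) is the kind of information the rule lets through.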
What are the penalties for covered entities that violate the privacy regulation?
  • In HIPAA, Congress provided penalties for covered entities that misuse personal health information.
  • Civil penalties. Covered entities, including any financial institution that qualifies as one, that violate these standards may be subject to civil liability. Civil monetary penalties are $100 per violation and up to $25,000 per person per year for each requirement or prohibition violated.
  • Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining or disclosing protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.