I’m trying to figure out if this situation I’m in could be a HIPAA violation. I work at a bank. The county ambulance service gives us all their mail every weekday. We go through it to find checks and deposit them. The issue is, they give us everything, including bills and patient info. We have to open each envelope to check for checks, even if we are careful not to read the details. It just feels wrong that we see this info. Can anyone help me confirm if this is a violation so I can talk to my boss about it?
Patient information can be shared for billing, but it should be the minimum needed for that purpose. So, this could be a HIPAA violation.
Afton said:
Patient information can be shared for billing, but it should be the minimum needed for that purpose. So, this could be a HIPAA violation.
HIPAA allows sharing for payment functions only with covered entities or healthcare providers involved in those processes. Here, the bank is neither. Banks normally aren’t bound by HIPAA guidelines, but if they’re doing more than processing payments, they might be violating HIPAA regulations.
Afton said:
Patient information can be shared for billing, but it should be the minimum needed for that purpose. So, this could be a HIPAA violation.
Wow, that’s interesting. I had no idea about the specifics. That does make sense.
@Finnley
Why is your bank taking on their mail? This is very unusual. Did they pressure you into this? A proper bank should just accept checks, not handle all their mail like this. Something seems off here.
@Lior
This could be fine if the bank offers a service for it and has a contract.
Valen said:
@Lior
This could be fine if the bank offers a service for it and has a contract.
Came here to see if they do offer that service. It seems like they do, and maybe the original poster just isn’t aware of the agreement, which might not violate HIPAA.
@Lior
Why the outrage? Handling mail like this is common practice for banks.
@Lior
This is just a standard lockbox service; plenty of banks provide this.
Your employer should have you sign papers regarding HIPAA if you’ll handle this kind of information. It would be worth discussing with them. They might already have those forms, or they could help ease your worries. Do they return the paperwork to finish processing?
Did the bank sign a Business Associate Agreement with the ambulance service? If that’s the case, you fall under HIPAA rules and should receive training. Consider asking your supervisor about it.
Even if this isn’t a HIPAA violation (which I think it is), it’s still very wrong. You need to tell them to stop this. They should be handling their own mail and only bringing you checks for deposit.
Kellen said:
Even if this isn’t a HIPAA violation (which I think it is), it’s still very wrong. You need to tell them to stop this. They should be handling their own mail and only bringing you checks for deposit.
Lockbox services are standard offerings from banks.
Kellen said:
Even if this isn’t a HIPAA violation (which I think it is), it’s still very wrong. You need to tell them to stop this. They should be handling their own mail and only bringing you checks for deposit.
The violation likely falls on the ambulance service for sharing info with someone who doesn’t need to see it.
If the bank is functioning as a lockbox, it might not be a HIPAA violation because they would be protected under a Business Associate Agreement. Every billing office I’ve worked with used this setup.
Do you know if a business associate agreement is in place? That would normally be part of such contracts.
Atlas said:
Do you know if a business associate agreement is in place? That would normally be part of such contracts.
There might have been one, but the branch recently changed staff completely, so no one is here to confirm it.
@Finnley
Your bank seems unorganized. It’s odd to handle anything other than checks from them.
Lior said:
@Finnley
Your bank seems unorganized. It’s odd to handle anything other than checks from them.
That isn’t correct.
What happens to the mail that’s not a check? Does the ambulance service have an agreement for all their correspondence to be processed together? Do you scan any of it?