Yes, a bank can act as a business associate when it performs functions that go beyond routine payment processing for a covered entity, like a healthcare provider.
According to HHS, “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
These tasks can vary widely, from billing, data processing, and IT services to legal, accounting, and consulting functions. The primary function of a business associate is to assist the covered entity in carrying out its healthcare operations while ensuring that protected health information (PHI) is handled in a way that complies with HIPAA. Business associates are not directly involved in patient care, but their role in the background is necessary for the security of PHI.
Government guidance provides that, “...a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.”
Typically, banks handle transactions without falling under HIPAA’s rules, since payment processing alone doesn’t involve accessing PHI in a way that makes them a business associate. When a bank steps into roles that require managing or accessing PHI, such as handling accounts receivable for a healthcare provider, it becomes more than just a financial institution: it takes on the responsibilities of a business associate under HIPAA. This shift in role means the bank must now comply with strict regulations designed to protect PHI.
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that directly handles PHI.
HIPAA primarily requires business associates to enter into business associate agreements, which outline how PHI will be accessed and handled.
A subcontractor is a person or entity that a business associate hires to perform services that involve handling PHI on behalf of the business associate.