Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to prevent abuses and unauthorized access of protected health information (PHI). It is enforced by the U.S. Office of Civil Rights within the U.S. Department of Health and Human Services (HHS). Covered Entities, or those required to comply, are defined as one who collects health related information. With this said, even every employer is technically considered a Covered Entity as they obtain their employee’s health information. These Covered Entities must have a written policies and procedures manual to protect PHI.
Health Information Technology for Economic and Clinical Health Act (HITECH)
The American Recovery and Reinvestment Act amended HIPAA in February 2009, and one year later, the Health Information Technology for Economic and Clinical Health Act (HITECH) went into effect in February 2010. In addition to requiring covered entities to move into the electronic age and implement electronic health records (EHR), HITECH ultimately strengthened data protection requirements under HIPAA. HITECH requires HIPAA mandates to be applied to not just Covered Entities, but to Business Associates as well.
HITECH also requires a Health Data Breach Notification requiring healthcare providers to notify authorities and patients when any breach of confidentiality has occurred. When five hundred or more records are exposed, the media must also be informed. With this said, the State Attorney Generals are now responsible for enforcing HIPAA’s data security provisions. HITECH also implements a mandatory fine structure for any HIPAA violations. The least severe form of “willful neglect” imposes a mandatory find of $10,000.00 per occurrence.
For more information on HIPAA and HITECH, please visit http://www.hhs.gov/ocr/privacy/index.html
Gramm-Leach-Bliley ACT (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is officially known as the Financial Service Modernization Act of 1999. GLBA requires financial institutions to describe their information sharing practices to customers and provide customers with such notices on a minimum of an annual basis. As a result, consumers have the right to limit some of the information that is shared. Furthermore, the Safeguards Rule requires financial institutions to protect customer’s sensitive information. With this said, GLBA requires organizations to have written document management policies and procedures. GLBA also criminalizes fraudulent access to customer information, also known as pretexting.
For more information, please visit http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
Fair and Accurate Transaction Act (FACTA)
The Fair and Accurate Credit Transaction Act (FACTA) amended the Fair Credit Reporting Act (FCRA) on December 4, 2003. The provisions, or “Rules”, within FACTA were created to lower the risk of identity theft and consumer fraud as a result of improper disposal of consumer information. FACTA’s Final Disposal Rule went into effect June 1, 2005, becoming the first national information destruction requirement.
FACTA applies to practically every person and business in the country. It requires the proper disposal of consumer information that one maintains or possesses that is derived from consumer reports for a business purpose. It requires that covered entities take reasonable measures to protect against the unauthorized access to this information. Furthermore, it requires that this information be properly disposed of by a reasonable measure. The Final Disposal Rule offers specific examples, such as burning, pulverizing or shredding this information, and states that this information must be “practicably unreadable and unrecognizable”.
The bill is available at http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf
FACTA Red Flags Rule
The Red Flags Rule went into effect December 31, 2010. The Red Flags Rule states that financial institutions and creditors that maintain “covered accounts” must have a written Identity Theft Prevention Program which detects the warning signs, or “red flags”, and indicate identity theft. The Red Flags Rule applies to any organization extending payment terms to customers and has personal information on file.
The Identity Theft Prevention Program must detail policies and procedures for protecting, preventing and mitigating identity theft. This written program must identify where this information is susceptible to the risk of unauthorized access and/or identity theft. It must also include preventative measures that address identity theft vulnerabilities and intervene where there is a threat of identity theft. The owners of the company or board of directors must sign the written program annually, and it requires audits of data-related vendors with access to customers’ personal information.
For more information, please visit http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml