Overview
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and its Privacy Rule governing individually identifiable health information was finalized after public comment in 2000. The Privacy Rule exists to keep people's health information from being used or disclosed illegitimately in medical and payment contexts. HIPAA and the Privacy Rule are enforced by the U.S. Department of Health and Human Services (HHS): the HHS Office for Civil Rights (OCR) investigates complaints and imposes civil penalties, and criminal violations are referred to the Department of Justice. This summary should not be substituted for legal advice or actually reading HIPAA and its Privacy Rule.
Individually Identifiable Health Information
The rule protects demographic data and health care history, called protected health information (PHI) when it is held or transmitted by a covered entity. This includes past, present or future health conditions, the provision of health care and payment for it, together with identifying data such as Social Security numbers, addresses, dates, family history and financial information.
Does the Privacy Rule Apply to my Organization?
The Privacy Rule applies to health plans, health care providers and health care clearinghouses that transmit health information electronically (the "covered entities"). It also reaches business associates: organizations that create, receive, maintain or transmit PHI on a covered entity's behalf, such as financial, legal, consulting, billing and IT service providers. There are exceptions. To see if you are covered, visit https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.html.
Privacy Rule Responsibilities
There are two parts of information protection to worry about: intentional dissemination and incidental breaches.
Use of Information
Regarding intentional dissemination, the Privacy Rule requires the information above to be kept confidential and used or disclosed only as the rule permits: for treatment, payment and health care operations, when the individual authorizes the disclosure in writing, or when HHS is verifying compliance, among other listed exceptions. De-identified information is not subject to the rule. There are two ways to de-identify: the safe-harbor method, which removes the 18 identifiers the rule lists (names, geographic units smaller than a state, dates other than year, phone numbers, Social Security numbers, device identifiers and so on), or the expert-determination method, in which a qualified statistician documents that the risk of re-identifying anyone is very small. To learn more about this core purpose of HIPAA, read on at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
Data Security
The second part of the Privacy Rule requires organizations to put reasonable safeguards in place to prevent incidental loss or disclosure of information. These safeguards must be administrative, physical and technical; for electronic PHI the companion HIPAA Security Rule spells them out in detail. Administrative safeguards mean you must 1) develop and implement written privacy policies and procedures and 2) designate responsible privacy personnel (a privacy official and a contact person for complaints).
Technical and physical safeguards must be comprehensive and cover every operation that touches the information. Examples include locking file cabinets, encrypting data at rest and in transit, and requiring doctors and other staff to keep conversations about patients out of earshot of others. You also must plan for end-of-life data destruction. A deleted file or a quick-formatted drive can still be recovered, so computer systems, databases and storage media must be sanitized (overwritten, cryptographically erased or physically destroyed) before they are disposed of; otherwise the information they held may be recovered by whoever gets them next.
Handling a Breach
In the event that information is leaked, the Breach Notification Rule requires you to notify the affected individuals and HHS; report breaches at http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/. The reporting timeline depends on size. Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and prominent media outlets in the affected area must also be notified; breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. Depending on your IT system architecture, a single unsanitized disk or backup leaving the building can amount to a breach of thousands of patient records.
Consequences of Non-Compliance
Non-compliance is subject to civil penalties and, for criminal violations, fines and imprisonment. Civil violations are investigated and penalties levied by the Office for Civil Rights. For violations occurring after 2/18/2009, the penalty ranges from $100 to $50,000 or more per violation depending on the level of culpability, capped at $1,500,000 per year for identical violations (these amounts are adjusted for inflation). Criminal violations, such as knowingly obtaining or disclosing PHI, carry fines of up to $250,000 and up to 10 years of imprisonment at the highest tier, which covers offenses committed with intent to sell the information or use it for commercial advantage, personal gain or malicious harm.
Civil penalties apply on a sliding scale, from violations the entity did not know about up to willful neglect, but they are not imposed for an act that is punishable as a crime, e.g. information was knowingly and willfully distributed. Additionally, if the violation was not due to willful neglect and you correct it within 30 days of learning of it, OCR may not impose a civil penalty, and any penalty that is imposed can be contested before an administrative law judge.
In 2013 and 2014 there were a total of 30,381 resolved cases. Of these, 26% resulted in corrective action, while 74% were resolved with technical assistance and fixing the issue. Three of the top five issues investigated involved technical and administrative safeguards [https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html].
The bottom line: Protect yourself now to secure your organization and prevent non-compliance violations.
Sarbanes-Oxley Article
Overview
The Sarbanes-Oxley Act (SOX) was enacted in 2002 in response to the corporate accounting scandals of the time. It regulates financial reporting and its oversight in all publicly traded companies. The act is intended to increase transparency and accountability, and backs that up with criminal penalties for violations. The clauses concerned with internal controls over information and data integrity are the ones relevant to data security. This summary should not be substituted for legal advice or actually reading Sarbanes-Oxley.
To learn more about Sarbanes-Oxley and how its regulations affect your data security policy, check out our white papers.
Responsibilities
Sarbanes-Oxley is mandatory for all publicly traded companies. Compliance is non-negotiable and is directed at the company's board of directors, CEO and CFO to increase individual accountability. Specific requirements of Sarbanes-Oxley are to periodically file statutory financial reports that are accurate, to establish and report on internal controls over financial reporting, and to disclose material changes in financial condition or operations to the public on a rapid and current basis. The act also establishes significant criminal penalties for non-compliance, which increase when coupled with securities fraud or other white-collar crimes. Several toolkits are available online for Sarbanes-Oxley compliance; see http://www.sarbanes-oxley-forum.com/ for more resources.
Data Security
The relevant clauses of Sarbanes-Oxley for data security are those that mandate internal control procedures to ensure information integrity. Specifically, Section 302 makes the signing officers (typically the CEO and CFO) personally responsible, with each periodic report, for certifying that:
• They have established and maintained internal controls and evaluated their effectiveness within 90 days of the report
• They have reported all significant deficiencies and material weaknesses in those controls, and any fraud involving staff who operate them, to the auditors and the audit committee
• They have disclosed any significant changes in internal controls since the last evaluation
Section 404 requires an annual management assessment of the effectiveness of internal control over financial reporting, attested to by the external auditor, and Section 409 requires rapid disclosure of material changes in financial condition or operations.
Internal controls take a comprehensive look at information flow, processes and regulatory compliance, and a framework such as COBIT is commonly used to structure the IT part of that work (COBIT is a control framework, not a software tool). One component of control is data integrity, which suffers when there is no end-of-life asset management plan: retired servers and drives that still hold financial records sit outside every control once they leave the building. A strong internal control process also protects financial data from unauthorized modification or disclosure.
Consequences of Non-Compliance
Sarbanes-Oxley violations can also draw civil enforcement from the SEC, but the penalties the act itself spells out are criminal. Under Section 906, an officer who certifies a periodic report knowing that it does not comply with the act's requirements faces up to $1,000,000 in fines and 10 years in prison; willfully certifying such a report raises those to up to $5,000,000 and 20 years in prison.
See the actual Sarbanes-Oxley Act here: https://www.sec.gov/about/laws/soa2002.pdf.
Gramm-Leach-Bliley Act Article
The Gramm-Leach-Bliley Act (GLB or GLBA) was signed in 1999 and governs financial institutions. The FTC administers its rules for non-bank financial institutions; banks, credit unions, securities firms and insurers answer to their own federal or state regulators for the same requirements. GLB specifies how financial institutions must disclose information-sharing practices to their consumers and customers, as well as the safeguards they must put around customer data. These two functions, information privacy and information security, are specified in the Privacy of Consumer Financial Information Rule and the Safeguards Rule, respectively. GLB also carries criminal penalties, for obtaining customer information under false pretenses (pretexting). This summary should not be substituted for legal advice or actually reading GLB.
To learn more about the Gramm-Leach-Bliley Act and how its regulations affect your data security policy, check out our white paper.
For whom does it matter?
GLB governs financial institutions, including but not limited to banks, insurance companies, brokerages, real estate appraisers, investment advisers, non-bank mortgage lenders, tax preparers, courier services, check-cashing businesses and more. The Safeguards Rule also applies to companies that receive customer information from a financial institution without having a customer relationship of their own, an ATM operator for example. So the question is not only who collects the information but who ends up holding it: the duty to keep it private and secure rests with every institution that has it. The Privacy Rule section below explains how.
The Privacy Rule
Financial institutions that are "significantly engaged" in financial activities must tell customers what information they share and with whom. Whether an institution is significantly engaged depends on the extent to which it provides financial services; a company that merely operates an ATM may not be, while a bank is. Information subject to the Privacy Rule is nonpublic personal information (NPI): information gathered in the course of providing a financial product or service, ranging from personal data (name, Social Security number) to the customer's financial history. As a financial institution, it is your duty to give customers a privacy notice explaining what you may share with other institutions and, before sharing NPI with nonaffiliated third parties outside the rule's exceptions, to give them an opportunity to opt out. The notice must be provided when the customer relationship begins and annually thereafter, and a fresh notice and opt-out are required whenever the sharing policy changes.
Information Security: The Safeguards Rule
The Safeguards Rule requires you to protect customer information under a written information security program. Your organization must designate a qualified individual to coordinate the program, conduct a risk assessment that identifies the foreseeable internal and external risks to customer information, and exercise due diligence when choosing and overseeing external service providers, including requiring them by contract to maintain appropriate safeguards.
Particular processes must be put in place for employees (security awareness and password training, background checks, clear expectations for device use, and encryption of customer data at rest and in transit). Security maintenance and disposal mechanisms should be put in place, and your company should stay up to date with regulations and best practices. Lastly, the organization must keep the program effective through regular testing and monitoring, and adjust it in light of test results, material changes to operations or security incidents. For a comprehensive list of suggestions see: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.
When it comes to IT disposal, the FTC points to its Disposal Rule, issued under the Fair and Accurate Credit Transactions Act, which requires reasonable measures to protect consumer report information from unauthorized access when it is discarded. The rule's examples are burning, pulverizing or shredding paper records and destroying or erasing electronic media so that the information cannot practicably be read or reconstructed. Again, the FTC requires due diligence in picking third-party disposal vendors to make sure they are compliant, well-reviewed and credible. For more information about the Disposal Rule, see http://www.ecfr.gov/cgi-bin/text-idx?SID=c2ae98df51d4c6e1e8d73fa66b29a538&mc=true&node=se16.1.682_13&rgn=div8.
Consequences for Non-Compliance
GLB's criminal penalties attach to its pretexting provisions, which forbid obtaining customer information from a financial institution by false pretenses. The statute provides that whoever knowingly and intentionally violates or attempts to violate those provisions "shall be fined in accordance with title 18" (up to $500,000 for an organization) "or imprisoned for not more than 5 years, or both." In aggravated cases, where the violation is committed while violating another U.S. law or as part of a pattern of illegal activity involving more than $100,000 in a 12-month period, the fine doubles and the maximum prison term rises to 10 years. Violations of the Privacy and Safeguards Rules themselves are pursued by the FTC as unfair or deceptive practices under the FTC Act, typically through consent orders, with civil penalties for violating those orders.
The bottom line: Protect yourself now to secure your organization and prevent non-compliance violations.
See the actual Gramm-Leach-Bliley Act here: https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm