Information Technology Privacy and Security Requirements
Businesses today are subject to a variety of regulatory and
contractual requirements that make the privacy and security of
information absolutely necessary. This document provides an
overview of the key privacy and security requirements affecting
most businesses.
HIPAA - Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of
certain information held by "covered entities": health care
providers, health care clearinghouses, and health plans (including
employer self-funded health plans). It establishes
regulations for the use and disclosure of Protected Health
Information ("PHI"). PHI is any information held by a covered
entity which concerns health status, provision of health care, or
payment for health care that can be linked to an
individual.
HIPAA - Security Rule
The HIPAA Security Rule complements the HIPAA Privacy Rule.
While the Privacy Rule pertains to all Protected Health Information
including paper and electronic, the Security Rule deals
specifically with Electronic Protected Health Information ("EPHI").
It lays out three types of security safeguards required for
compliance: administrative, physical, and technical. For each of
these types the Rule identifies various security standards, and for
each standard it names both required and addressable implementation
specifications. Required specifications must be adopted and
administered as dictated by the Rule. Addressable specifications
are more flexible. Individual covered entities can evaluate their
own situation and determine the best way to implement addressable
specifications.
HIPAA - Enforcement Rule
The HIPAA Enforcement Rule sets civil money penalties for
violating HIPAA rules and establishes procedures for investigations
and hearings for HIPAA violations. Prior to the HITECH Act
(see below), the Secretary of Health and Human Services was limited
to imposing fines of $100 for each violation, capped at $25,000 per
calendar year for all identical violations of the same HIPAA
provision. The HITECH Act substantially increased these penalties
by establishing tiered ranges of increasing minimum penalty amounts,
based on the level of culpability, with a maximum penalty of $1.5
million per calendar year for all violations of an identical
provision. The HITECH Act also allows state Attorneys General to
bring civil actions against covered entities on behalf of affected
residents and to recover damages and attorneys' fees.
HITECH Act - Updates to HIPAA Privacy and Security Rules
The Health Information Technology for Economic and Clinical
Health Act ("HITECH Act"), enacted as part of the American Recovery
and Reinvestment Act of 2009, addresses the privacy and security
concerns associated with the electronic transmission of health
information. The HITECH Act extends HIPAA's Privacy and Security
Rules to the business associates of covered entities and makes
business associates directly subject to the updated civil and
criminal penalties. The HITECH Act also imposes significant new
notification requirements on covered entities, business associates,
vendors of personal health records ("PHR") and related entities if
a breach of unsecured protected health information occurs.
Gramm-Leach-Bliley Act - Safeguards Rule
As part of its implementation of the Gramm-Leach-Bliley Act, the
Federal Trade Commission issued the Safeguards Rule which requires
covered organizations to have measures in place to keep customer
information secure. The Safeguards Rule applies to all
businesses, regardless of size, that are "significantly engaged" in
providing financial products or services (such as deposit accounts,
investments, insurance products, and loans). The Rule
requires organizations to develop a written information security
plan that describes their program to protect customer
information.
Federal Trade Commission - Red Flags Rule
The Red Flags Rule was created by the Federal Trade Commission
along with federal banking regulatory agencies to help prevent
identity theft. Under the Red Flags Rule, financial institutions
and creditors must develop a written program that identifies and
detects the relevant warning signs - or "red flags" - of identity
theft. While it is easy to determine which
organizations are "financial institutions", determining which
organizations are creditors is not so easy. A "creditor" is any
entity that regularly extends, renews, or continues credit; any
entity that regularly arranges for the extension, renewal, or
continuation of credit; or any assignee of an original creditor who
is involved in the decision to extend, renew, or continue credit.
Creditors include finance companies, automobile dealers, mortgage
brokers, insurance companies, utility companies, and
telecommunications companies. Under the FTC's original reading,
creditors also included any entity, whether a for-profit business,
non-profit organization, or a governmental agency, that provides
goods and/or services to consumers and allows payment to be made
after the goods and services are delivered (e.g., hospitals, medical
clinics, retail stores, law firms, accounting firms, etc.). Note
that the Red Flag Program Clarification Act of 2010 narrowed this
definition: an entity that merely advances funds for expenses
incidental to a service it provides, and that does not obtain or use
consumer reports or furnish information to consumer reporting
agencies in connection with credit, is not a "creditor" for purposes
of the Rule.
Federal Trade Commission - Disposal Rule
Any business or individual who uses a consumer report for a
business purpose is subject to the requirements of the Federal
Trade Commission's Disposal Rule which calls for the proper
disposal of information in consumer reports and records to protect
against unauthorized access to or use of the information. The
Disposal Rule applies to consumer reports or information derived
from consumer reports. A "consumer report" includes information
obtained from a consumer reporting company that is used - or
expected to be used - in establishing a consumer's eligibility for
credit, employment, or insurance, among other purposes. Examples of
consumer reports include credit reports, credit scores, reports
businesses or individuals receive with information relating to
employment background, check writing history, insurance claims,
residential or tenant history, or medical history.
State Security Breach Notification Laws
Forty-six states, the District of Columbia, Puerto Rico and the
Virgin Islands have enacted legislation requiring notification of
security breaches involving personal information. Only four states
do not have a security breach law: Alabama, Kentucky, New Mexico,
and South Dakota.
These laws were enacted in response to an escalating number of
breaches of consumer databases containing personal information such
as social security numbers, driver's license numbers, and financial
account numbers, credit card numbers and debit card numbers along
with any PIN or other access code required for access to the
account. Some states also include medical information, insurance
policy numbers, passwords, biometric information, professional
license or permit numbers, telecommunication access codes, mother's
maiden name, employer identification number, electronic signatures,
and descriptions of an individual's personal
characteristics.
Most states define a security breach as the unauthorized
acquisition of electronic files, media, databases or computerized
data containing personal information of any resident of that state
when the personal information has not been secured by encryption or
by another method or technology that renders it unreadable or
unusable. Some states add that this encryption safe harbor does not
apply if the encryption key was acquired along with the data, so the
key must be protected as carefully as the data itself. It is
important to note that in most states you do not need a physical
presence in the state to be subject to its law; merely holding
personal information belonging to a resident of that state is
enough. This is especially important if you have employees and
customers who reside in multiple states.
Federal Rules of Civil Procedure - Discovery of Electronically
Stored Evidence
The prevalence of electronic documents has not only changed
the ways that businesses manage and maintain information, but has
also changed the way information is produced and used during
litigation. When parties seek information related to
litigation, the discovery process provides a way for the parties to
request evidence, often in the form of documents and data, which
relates to the subject of the dispute. The Federal Rules of
Civil Procedure ("Federal Rules") stipulate how the discovery
process is conducted in Federal courts and are used as a guideline
for many State courts as well.
On December 1, 2006, the Federal Rules were amended to specifically
address the discovery of electronically stored information ("ESI"),
including the preservation of evidence, the assertion of privilege,
and the production of ESI. Failure to comply with the Federal
Rules can produce a variety of unfortunate outcomes, including
adverse inference instructions to the jury and financial sanctions
reaching millions of dollars. To be prepared, businesses should
have a litigation response plan in place that ensures that
management, legal counsel, information technology staff and others
can react quickly so that relevant evidence is preserved,
identified, collected, analyzed, processed and produced.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard ("PCI-DSS") is
a worldwide information security standard defined by the Payment
Card Industry Security Standards Council. The Standard was created
to help organizations that process card payments prevent credit
card fraud through increased data security. The core of the
PCI-DSS is a set of six control objectives, each with accompanying
requirements (twelve in all), around which the specific elements
of the DSS are organized:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
HORNE Can Help You Comply
HORNE LLP has a staff of qualified consultants who can guide you
through the process of complying with each of these important
requirements. For more information, please contact Tony Brooks, Principal and Director of
Information Technology Assurance and Risk Services, at tony.brooks@horne-llp.com
or by calling 601-326-1281.