Regulatory Compliance: HIPAA, SOX, and GLBA

Updated: May 19, 2010

Health Insurance Portability and Accountability Act (HIPAA)

It's been nearly 15 years since passage of the Health Insurance Portability and Accountability Act (HIPAA), which established standards related to health insurance coverage and the privacy of health-related information. As HIPAA's regulations have been steadily implemented since 1996 by the Department of Health and Human Services (HHS), employers have faced significant civil and criminal penalties for failure to comply (including prison time for willful and flagrant violators, such as a UCLA researcher who snooped into celebrity records).

For most employers, the relevant portions of HIPAA concern the Privacy and Security Rules for so-called "covered entities"--insurers, health care providers, and the like. Although most companies deal with covered entities on an intermediary or once-removed basis, this does not exempt them from HIPAA's requirements. This important distinction was underscored with the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extends HIPAA's Privacy and Security Rules to "business associates" of covered entities. (The HITECH Act also increased penalties for non-compliance.)

Privacy Rule

The Privacy Rule limits the use and disclosure of a person's Protected Health Information (PHI), which includes the following:

*All medical records
*Claim status
*Payment history
*Health plan eligibility and enrollment status

The most important step in complying with the Privacy Rule is to identify, restrict, and enforce which personnel need access to employees' PHI to perform their jobs. Most often, this will be human resources staff or other administrators that coordinate with health insurance companies. However, don't forget about staff members that deal with pre-employment physicals or on-the-job injuries.

Security Rule

HIPAA's Security Rule complements the Privacy Rule by dealing solely with the administrative, physical, and technical safeguards for Electronic Protected Health Information (EPHI). Not surprisingly, human resources and IT departments must work hand-in-hand to ensure compliance with the Security Rule.

There are circumstances in which HIPAA regulations permit the relevant, limited, and appropriate release of health-related information, including:

*Emergencies and public health crises
*OSHA-related proceedings
*Worker's compensation claims
*Legal and national security matters

One final point: Despite claims and advertisements you might encounter, the HHS does not endorse or certify any products as "HIPAA compliant," and the Privacy and Security Rules do no require attendance at specific seminars or any special certifications.

For more information on everything HIPAA, visit the Health Information Privacy pages on the HHS website.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in the wake of several major accounting scandals, the Sarbanes-Oxley Act (SOX) seeks to improve the reliability of financial reporting by public companies and their accounting firms. Although private companies are not subject to the regulations, SOX has raised the bar for financial reporting in general. Private companies planning to go public or hoping to be acquired by a public company cannot ignore SOX requirements.

Not surprisingly, finance departments deal with the heavy lifting of SOX compliance. However, because the regulation deals with security, record keeping, and other requirements, IT departments must be close partners in the process. The SEC offers a guide on SOX compliance for small businesses, and there are many companies that offer SOX compliance solutions and training. The cost of SOX compliance is non-trivial, especially for smaller companies, so it's crucial to make your compliance efforts as efficient as possible.

Here's a summary of three key SOX provisions:

Section 302

This section puts officers "on the hook" so to speak for the truthfulness and accuracy of financial statements, as well as the robustness of internal procedures that deal with financial accounting.

Section 401

In response to the accounting scandals, legislators crafted Section 401 to require that financial reports include so-called "off-balance sheet items" such as liabilities, obligations, and other transactions.

Section 404

Section 404 requires companies and their external auditors to report on the adequacy of the internal controls that deal with financial reporting. It's a broad, complex topic that has given rise to a cottage industry of Section 404 consultants, compliance specialists, and premium checklists that seek to ease the pain of measuring up.

As the most rigorous and time-consuming portion of SOX compliance, Section 404 is not surprisingly also the most costly. According to Securities and Exchange Commission (SEC) data, companies with less than $100 million in revenue have been forced to spend up to 2.5% of their revenue on Section 404 compliance. However, in response to complaints that compliance was too onerous as originally passed, in recent years the SEC has made changes and offered updated guidance regarding Section 404.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a broad set of regulations that affect the financial services industry, which includes banking, insurance, and investment institutions.

In terms of compliance, GLBA created two key regulations, the Financial Privacy Rule and the Safeguards Rule, that govern the collection, storage, protection, and disclosure of customers' financial information. These rules also apply to entities outside the financial services industry that process or receive this information, such as real estate companies, tax preparers, and so on. Not surprisingly, IT departments often shoulder much of the burden of GLBA compliance, particularly with the Safeguards Rule.

Financial Privacy Rule

Under the Financial Privacy Rule, a company must provide its customers a privacy notice that includes the following:

*Information about the non-public personal customer information a company collects
*How and with whom the company shares that information
*How the company protects that information

Defining the term "non-public personal customer information" is important. First, the rule makes a distinction between customers and consumers. "Customers," such as credit card holders, have significant, long-term relationships with financial institutions. "Consumers," such as users of a check-cashing service or third-party ATM, have short-term, one-time, or sporadic dealings. Next, "non-public personal information" is usually any and all information a company obtains from a customer. However if this information is lawfully public, such as mortgage information in certain areas, it is not subject to the rule.

Under the rule, companies must also allow a customer to opt out of information-sharing agreements, and offer a reasonable way to do so. The opt-out provision has several exceptions however. For more details on these exceptions, as well as all the details of the Financial Privacy Rule, visit the FTC's Financial Privacy Rule summary page. There are also many companies that offer GLBA compliance solutions, consulting, and training.

Safeguards Rule

The Safeguards Rule regulates the security and confidentiality of customer information in three areas: employee management and training, information systems, and system failure.

The specific steps and requirements to secure your systems are beyond the scope of this article, but the FTC includes dozens of helpful pointers on its Safeguards Rule summary page.

For a big-picture perspective, the FTC also offers a useful five-point framework to maintain a protected infrastructure:

*Take stock: Know what information you have in files and computer systems
*Scale down: Keep only what you need for your business
*Secure it: Protect the information with encryption, strong passwords, and good physical security
*Toss it: Securely discard what you don't need (see the FTC's Disposal Rule)
*Plan ahead: Create a plan to respond to security incidents

Beyond regulation, every company should already be putting these guidelines in practice. Instilling confidence in your customers is just good business.

Featured Research
  • Contact Center Implementation Best Practices

    Are you looking to add a contact center for your business but not quite sure of how to go about implementing one? You aren't alone, in fact, getting a modern contact center up and running efficiently and effectively is much more difficult than it was even five to ten years ago. more

  • Business Meeting Showdown

    It is no secret that communication and collaboration are at the heart of success and longevity for any business. However, as businesses become more global and more employees work remotely, video conferencing is being increasingly used as an alternative to face-to-face interactions. There are pros to both business travel and video conferencing such as personal connection and ease of use. However, there are cons as well ranging from travel delays to being technologically reliant. more

  • Mobile Communication Showdown

    It's no secret that businesses are becoming agiler and employees are spending more time away from their desks. The question isn't should we get rid of our landlines, but how quickly can we replace them?However, staying connected with your colleagues, clients, and customers is absolutely essential for cultivating long-term, lucrative relationships that will help your company achieve success. more

  • Signs you are Ready for Mobile BI

    With workforces moving more and more mobile on a daily basis, it is essential to ensure that your company is able to arm your employees with the analytics that they need to succeed. 89% of business leaders believe that Big Data will revolutionize business operations in the same way that the internet did. These numbers show the trend towards investing in a BI system. more

  • 15 Ways to Optimize Your Contact Center

    We live in a time where customer experience is seen as an important competitive differentiator. Given this, wouldn't you like to make sure that your contact center is fully optimized to meet your business needs? Deciding to upgrade and optimize your contact center is a big step, and one that shouldn't be done without due diligence and plenty of research. more