Regulatory Compliance: HIPAA, SOX, and GLBA

Updated: May 19, 2010

Health Insurance Portability and Accountability Act (HIPAA)

It has been nearly 15 years since passage of the Health Insurance Portability and Accountability Act (HIPAA), which established standards for health insurance coverage and for the privacy of health-related information. As the Department of Health and Human Services (HHS) has steadily implemented HIPAA's regulations since 1996, employers have faced significant civil and criminal penalties for failure to comply, including prison time for willful and flagrant violators such as a UCLA researcher who snooped into celebrity records.

For most employers, the relevant portions of HIPAA are the Privacy and Security Rules for so-called "covered entities": health plans, health care clearinghouses, and health care providers. Most companies are not themselves covered entities and deal with them only at one remove, but that does not put them beyond HIPAA's reach. The point was underscored in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extended the Privacy and Security Rules directly to the "business associates" of covered entities, meaning the vendors and contractors that create, receive, or maintain protected health information on their behalf. (The HITECH Act also increased the penalties for non-compliance.)

Privacy Rule

The Privacy Rule limits the use and disclosure of a person's Protected Health Information (PHI), which includes the following:

*All medical records
*Claim status
*Payment history
*Health plan eligibility and enrollment status

The most important step in complying with the Privacy Rule is to identify which personnel need access to employees' PHI to perform their jobs, restrict access to those people, and enforce that restriction. Most often this means human resources staff or other administrators who coordinate with health insurers, but don't forget the staff who handle pre-employment physicals or on-the-job injuries.

Security Rule

HIPAA's Security Rule complements the Privacy Rule by dealing solely with the administrative, physical, and technical safeguards for Electronic Protected Health Information (EPHI). Because those safeguards span policy, facilities, and systems, human resources and IT departments must work hand-in-hand to comply with it.

There are circumstances in which the Privacy Rule permits the relevant, limited, and appropriate release of health-related information without the individual's authorization, including:

*Emergencies and public health crises
*OSHA-related proceedings
*Workers' compensation claims
*Legal and national security matters

One final point: despite claims and advertisements you might encounter, HHS does not endorse or certify any product as "HIPAA compliant," and the Privacy and Security Rules do not require attendance at specific seminars or any special certification.

For more information on everything HIPAA, visit the Health Information Privacy pages on the HHS website.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in the wake of several major accounting scandals, the Sarbanes-Oxley Act (SOX) seeks to improve the reliability of financial reporting by public companies and their accounting firms. Although most of its requirements apply only to public companies, SOX has raised the bar for financial reporting in general, and private companies planning to go public or hoping to be acquired by a public company cannot ignore it.

Finance departments do the heavy lifting of SOX compliance, but because the act's requirements reach into security, records retention, and the systems that produce financial data, IT departments must be close partners in the process. The SEC offers a guide on SOX compliance for small businesses, and many companies offer SOX compliance solutions and training. The cost of compliance is non-trivial, especially for smaller companies, so it's crucial to make your compliance efforts as efficient as possible.

Here's a summary of three key SOX provisions:

Section 302

This section puts officers, specifically the CEO and CFO who must sign the certifications, "on the hook," so to speak, for the truthfulness and accuracy of financial statements and for the adequacy of the internal controls over financial accounting.

Section 401

In response to the accounting scandals, legislators crafted Section 401 to require that financial reports include so-called "off-balance sheet items" such as liabilities, obligations, and other transactions.

Section 404

Section 404 requires companies and their external auditors to report on the adequacy of the internal controls that deal with financial reporting. It's a broad, complex topic that has given rise to a cottage industry of Section 404 consultants, compliance specialists, and premium checklists that seek to ease the pain of measuring up.

As the most rigorous and time-consuming portion of SOX compliance, Section 404 is also the most costly. According to Securities and Exchange Commission (SEC) data, companies with less than $100 million in revenue have spent as much as 2.5% of revenue on Section 404 compliance. In response to complaints that the requirement was too onerous as originally implemented, the SEC has in recent years revised its rules and issued updated guidance on Section 404.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a broad set of regulations that affect the financial services industry, which includes banking, insurance, and investment institutions.

In terms of compliance, GLBA created two key regulations, the Financial Privacy Rule and the Safeguards Rule, that govern the collection, storage, protection, and disclosure of customers' financial information. These rules also apply to entities outside the financial services industry that process or receive such information, such as real estate settlement companies, tax preparers, and so on. IT departments often shoulder much of the burden of GLBA compliance, particularly under the Safeguards Rule.

Financial Privacy Rule

Under the Financial Privacy Rule, a company must provide its customers a privacy notice that includes the following:

*Information about the non-public personal customer information a company collects
*How and with whom the company shares that information
*How the company protects that information

The term "non-public personal customer information" needs some unpacking. First, the rule distinguishes customers from consumers. A "consumer" is any individual who obtains a financial product or service for personal purposes, such as a user of a check-cashing service or a third-party ATM; a "customer" is a consumer with a continuing relationship with the institution, such as a credit card holder. Customers are owed a privacy notice at the start of the relationship and annually thereafter; consumers are owed one only if the company intends to share their information with non-affiliated third parties. Next, "non-public personal information" covers essentially any personally identifiable financial information a company obtains from a customer or in the course of providing a service. Information that is lawfully publicly available, such as mortgage records in jurisdictions that make them public, is not subject to the rule.

Under the rule, companies must also allow a customer to opt out of having information shared with non-affiliated third parties, and must offer a reasonable way to do so. The opt-out provision has several exceptions, however. For details on those exceptions, and on the rest of the Financial Privacy Rule, visit the FTC's Financial Privacy Rule summary page. Many companies also offer GLBA compliance solutions, consulting, and training.

Safeguards Rule

The Safeguards Rule requires a written information security program, with safeguards appropriate to the company's size and the sensitivity of the data it holds, that addresses three areas in particular: employee management and training; information systems, including how information is processed, stored, transmitted, and disposed of; and detecting, preventing, and responding to attacks, intrusions, and other system failures.

The specific steps and requirements to secure your systems are beyond the scope of this article, but the FTC includes dozens of helpful pointers on its Safeguards Rule summary page.

For a big-picture perspective, the FTC's guide Protecting Personal Information: A Guide for Business boils sound data security down to five key principles:

*Take stock: Know what personal information you have in files and on computer systems
*Scale down: Keep only what you need for your business
*Lock it: Protect the information you keep with encryption, strong passwords, access controls, and good physical security
*Pitch it: Securely dispose of what you no longer need (see also the FTC's Disposal Rule)
*Plan ahead: Create a plan to respond to security incidents

Regulation aside, every company should already be putting these guidelines into practice. Instilling confidence in your customers is just good business.