Regulatory Compliance: HIPAA, SOX, and GLBA

Updated: May 19, 2010

Health Insurance Portability and Accountability Act (HIPAA)

It's been nearly 15 years since passage of the Health Insurance Portability and Accountability Act (HIPAA), which established standards related to health insurance coverage and the privacy of health-related information. As HIPAA's regulations have been steadily implemented since 1996 by the Department of Health and Human Services (HHS), employers have faced significant civil and criminal penalties for failure to comply (including prison time for willful and flagrant violators, such as a UCLA researcher who snooped into celebrity records).

For most employers, the relevant portions of HIPAA concern the Privacy and Security Rules for so-called "covered entities"--insurers, health care providers, and the like. Although most companies deal with covered entities on an intermediary or once-removed basis, this does not exempt them from HIPAA's requirements. This important distinction was underscored with the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extends HIPAA's Privacy and Security Rules to "business associates" of covered entities. (The HITECH Act also increased penalties for non-compliance.)

Privacy Rule

The Privacy Rule limits the use and disclosure of a person's Protected Health Information (PHI), which includes the following:

*All medical records
*Claim status
*Payment history
*Health plan eligibility and enrollment status

The most important step in complying with the Privacy Rule is to identify, restrict, and enforce which personnel need access to employees' PHI to perform their jobs. Most often, this will be human resources staff or other administrators that coordinate with health insurance companies. However, don't forget about staff members that deal with pre-employment physicals or on-the-job injuries.

Security Rule

HIPAA's Security Rule complements the Privacy Rule by dealing solely with the administrative, physical, and technical safeguards for Electronic Protected Health Information (EPHI). Not surprisingly, human resources and IT departments must work hand-in-hand to ensure compliance with the Security Rule.

There are circumstances in which HIPAA regulations permit the relevant, limited, and appropriate release of health-related information, including:

*Emergencies and public health crises
*OSHA-related proceedings
*Worker's compensation claims
*Legal and national security matters

One final point: Despite claims and advertisements you might encounter, the HHS does not endorse or certify any products as "HIPAA compliant," and the Privacy and Security Rules do no require attendance at specific seminars or any special certifications.

For more information on everything HIPAA, visit the Health Information Privacy pages on the HHS website.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in the wake of several major accounting scandals, the Sarbanes-Oxley Act (SOX) seeks to improve the reliability of financial reporting by public companies and their accounting firms. Although private companies are not subject to the regulations, SOX has raised the bar for financial reporting in general. Private companies planning to go public or hoping to be acquired by a public company cannot ignore SOX requirements.

Not surprisingly, finance departments deal with the heavy lifting of SOX compliance. However, because the regulation deals with security, record keeping, and other requirements, IT departments must be close partners in the process. The SEC offers a guide on SOX compliance for small businesses, and there are many companies that offer SOX compliance solutions and training. The cost of SOX compliance is non-trivial, especially for smaller companies, so it's crucial to make your compliance efforts as efficient as possible.

Here's a summary of three key SOX provisions:

Section 302

This section puts officers "on the hook" so to speak for the truthfulness and accuracy of financial statements, as well as the robustness of internal procedures that deal with financial accounting.

Section 401

In response to the accounting scandals, legislators crafted Section 401 to require that financial reports include so-called "off-balance sheet items" such as liabilities, obligations, and other transactions.

Section 404

Section 404 requires companies and their external auditors to report on the adequacy of the internal controls that deal with financial reporting. It's a broad, complex topic that has given rise to a cottage industry of Section 404 consultants, compliance specialists, and premium checklists that seek to ease the pain of measuring up.

As the most rigorous and time-consuming portion of SOX compliance, Section 404 is not surprisingly also the most costly. According to Securities and Exchange Commission (SEC) data, companies with less than $100 million in revenue have been forced to spend up to 2.5% of their revenue on Section 404 compliance. However, in response to complaints that compliance was too onerous as originally passed, in recent years the SEC has made changes and offered updated guidance regarding Section 404.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a broad set of regulations that affect the financial services industry, which includes banking, insurance, and investment institutions.

In terms of compliance, GLBA created two key regulations, the Financial Privacy Rule and the Safeguards Rule, that govern the collection, storage, protection, and disclosure of customers' financial information. These rules also apply to entities outside the financial services industry that process or receive this information, such as real estate companies, tax preparers, and so on. Not surprisingly, IT departments often shoulder much of the burden of GLBA compliance, particularly with the Safeguards Rule.

Financial Privacy Rule

Under the Financial Privacy Rule, a company must provide its customers a privacy notice that includes the following:

*Information about the non-public personal customer information a company collects
*How and with whom the company shares that information
*How the company protects that information

Defining the term "non-public personal customer information" is important. First, the rule makes a distinction between customers and consumers. "Customers," such as credit card holders, have significant, long-term relationships with financial institutions. "Consumers," such as users of a check-cashing service or third-party ATM, have short-term, one-time, or sporadic dealings. Next, "non-public personal information" is usually any and all information a company obtains from a customer. However if this information is lawfully public, such as mortgage information in certain areas, it is not subject to the rule.

Under the rule, companies must also allow a customer to opt out of information-sharing agreements, and offer a reasonable way to do so. The opt-out provision has several exceptions however. For more details on these exceptions, as well as all the details of the Financial Privacy Rule, visit the FTC's Financial Privacy Rule summary page. There are also many companies that offer GLBA compliance solutions, consulting, and training.

Safeguards Rule

The Safeguards Rule regulates the security and confidentiality of customer information in three areas: employee management and training, information systems, and system failure.

The specific steps and requirements to secure your systems are beyond the scope of this article, but the FTC includes dozens of helpful pointers on its Safeguards Rule summary page.

For a big-picture perspective, the FTC also offers a useful five-point framework to maintain a protected infrastructure:

*Take stock: Know what information you have in files and computer systems
*Scale down: Keep only what you need for your business
*Secure it: Protect the information with encryption, strong passwords, and good physical security
*Toss it: Securely discard what you don't need (see the FTC's Disposal Rule)
*Plan ahead: Create a plan to respond to security incidents

Beyond regulation, every company should already be putting these guidelines in practice. Instilling confidence in your customers is just good business.

Featured Research
  • Contact Center Software on a Budget

    Although contact center software is necessary for a modern contact center, it can be outrageously expensive. Many companies find that their budget bloats during the implementation process. more

  • How UC Can Help Your Business Survive the Holidays

    The holiday season is filled with frenzy and excitement for businesses and consumers alike. Consumers prepare gift lists, compare brands and prices, and begin shopping with a vigor that is not present most other times of the year. For many businesses, the holiday season accounts for a large profit bump at the end of each year, and companies strive to exceed their goals and keep customers happy during this rush late in the year. more

  • [Infographic] Switching Phone Systems

    There are a lot of possible reasons you might want to switch to a new phone system. The old one might cost too much or be too troublesome to operate and maintain. It might not be flexible enough. It might not be reliable enough. Or it just might not have the kinds of features and capabilities that you need in today’s competitive business climate. more

  • Business Intelligence Software Cost Guide

    Your choice in a BI (Business Intelligence) provider can lead you to make better, data-driven decisions for your business, resulting in significant ROI. Or it can cost hundreds of thousands of dollars with mixed results. more

  • The New 2016 ERP Comparison Guide

    Selecting an ERP solution is no easy undertaking. You have to select and configure a system that fits your exact business needs. The right system can make operations more streamlined, efficient, and agile. But choosing the right vendor can be difficult. more