Regulatory Compliance: HIPAA, SOX, and GLBA

Updated: May 19, 2010

Health Insurance Portability and Accountability Act (HIPAA)

It's been nearly 15 years since passage of the Health Insurance Portability and Accountability Act (HIPAA), which established standards related to health insurance coverage and the privacy of health-related information. As HIPAA's regulations have been steadily implemented since 1996 by the Department of Health and Human Services (HHS), employers have faced significant civil and criminal penalties for failure to comply (including prison time for willful and flagrant violators, such as a UCLA researcher who snooped into celebrity records).

For most employers, the relevant portions of HIPAA concern the Privacy and Security Rules for so-called "covered entities"--insurers, health care providers, and the like. Although most companies deal with covered entities on an intermediary or once-removed basis, this does not exempt them from HIPAA's requirements. This important distinction was underscored with the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extends HIPAA's Privacy and Security Rules to "business associates" of covered entities. (The HITECH Act also increased penalties for non-compliance.)

Privacy Rule

The Privacy Rule limits the use and disclosure of a person's Protected Health Information (PHI), which includes the following:

*All medical records
*Claim status
*Payment history
*Health plan eligibility and enrollment status

The most important step in complying with the Privacy Rule is to identify, restrict, and enforce which personnel need access to employees' PHI to perform their jobs. Most often, this will be human resources staff or other administrators that coordinate with health insurance companies. However, don't forget about staff members that deal with pre-employment physicals or on-the-job injuries.

Security Rule

HIPAA's Security Rule complements the Privacy Rule by dealing solely with the administrative, physical, and technical safeguards for Electronic Protected Health Information (EPHI). Not surprisingly, human resources and IT departments must work hand-in-hand to ensure compliance with the Security Rule.

There are circumstances in which HIPAA regulations permit the relevant, limited, and appropriate release of health-related information, including:

*Emergencies and public health crises
*OSHA-related proceedings
*Worker's compensation claims
*Legal and national security matters

One final point: Despite claims and advertisements you might encounter, the HHS does not endorse or certify any products as "HIPAA compliant," and the Privacy and Security Rules do no require attendance at specific seminars or any special certifications.

For more information on everything HIPAA, visit the Health Information Privacy pages on the HHS website.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in the wake of several major accounting scandals, the Sarbanes-Oxley Act (SOX) seeks to improve the reliability of financial reporting by public companies and their accounting firms. Although private companies are not subject to the regulations, SOX has raised the bar for financial reporting in general. Private companies planning to go public or hoping to be acquired by a public company cannot ignore SOX requirements.

Not surprisingly, finance departments deal with the heavy lifting of SOX compliance. However, because the regulation deals with security, record keeping, and other requirements, IT departments must be close partners in the process. The SEC offers a guide on SOX compliance for small businesses, and there are many companies that offer SOX compliance solutions and training. The cost of SOX compliance is non-trivial, especially for smaller companies, so it's crucial to make your compliance efforts as efficient as possible.

Here's a summary of three key SOX provisions:

Section 302

This section puts officers "on the hook" so to speak for the truthfulness and accuracy of financial statements, as well as the robustness of internal procedures that deal with financial accounting.

Section 401

In response to the accounting scandals, legislators crafted Section 401 to require that financial reports include so-called "off-balance sheet items" such as liabilities, obligations, and other transactions.

Section 404

Section 404 requires companies and their external auditors to report on the adequacy of the internal controls that deal with financial reporting. It's a broad, complex topic that has given rise to a cottage industry of Section 404 consultants, compliance specialists, and premium checklists that seek to ease the pain of measuring up.

As the most rigorous and time-consuming portion of SOX compliance, Section 404 is not surprisingly also the most costly. According to Securities and Exchange Commission (SEC) data, companies with less than $100 million in revenue have been forced to spend up to 2.5% of their revenue on Section 404 compliance. However, in response to complaints that compliance was too onerous as originally passed, in recent years the SEC has made changes and offered updated guidance regarding Section 404.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a broad set of regulations that affect the financial services industry, which includes banking, insurance, and investment institutions.

In terms of compliance, GLBA created two key regulations, the Financial Privacy Rule and the Safeguards Rule, that govern the collection, storage, protection, and disclosure of customers' financial information. These rules also apply to entities outside the financial services industry that process or receive this information, such as real estate companies, tax preparers, and so on. Not surprisingly, IT departments often shoulder much of the burden of GLBA compliance, particularly with the Safeguards Rule.

Financial Privacy Rule

Under the Financial Privacy Rule, a company must provide its customers a privacy notice that includes the following:

*Information about the non-public personal customer information a company collects
*How and with whom the company shares that information
*How the company protects that information

Defining the term "non-public personal customer information" is important. First, the rule makes a distinction between customers and consumers. "Customers," such as credit card holders, have significant, long-term relationships with financial institutions. "Consumers," such as users of a check-cashing service or third-party ATM, have short-term, one-time, or sporadic dealings. Next, "non-public personal information" is usually any and all information a company obtains from a customer. However if this information is lawfully public, such as mortgage information in certain areas, it is not subject to the rule.

Under the rule, companies must also allow a customer to opt out of information-sharing agreements, and offer a reasonable way to do so. The opt-out provision has several exceptions however. For more details on these exceptions, as well as all the details of the Financial Privacy Rule, visit the FTC's Financial Privacy Rule summary page. There are also many companies that offer GLBA compliance solutions, consulting, and training.

Safeguards Rule

The Safeguards Rule regulates the security and confidentiality of customer information in three areas: employee management and training, information systems, and system failure.

The specific steps and requirements to secure your systems are beyond the scope of this article, but the FTC includes dozens of helpful pointers on its Safeguards Rule summary page.

For a big-picture perspective, the FTC also offers a useful five-point framework to maintain a protected infrastructure:

*Take stock: Know what information you have in files and computer systems
*Scale down: Keep only what you need for your business
*Secure it: Protect the information with encryption, strong passwords, and good physical security
*Toss it: Securely discard what you don't need (see the FTC's Disposal Rule)
*Plan ahead: Create a plan to respond to security incidents

Beyond regulation, every company should already be putting these guidelines in practice. Instilling confidence in your customers is just good business.

Featured Research
  • Why Q4 is the Perfect Time to Invest in Video Conferencing

    If you’re currently relying on an outdated video conferencing solution - or if you don’t have one at all - you’re in luck. While any time is a good time to invest in video conferencing, Q4 may be the best. One big reason is that Q4 is when you can get the best deals, but there are also other important factors like increased access to seasonal employees. more

  • 8 Ways to Get More From Your VoIP System

    Many businesses adopt VoIP to take advantage of the cost savings without spending enough time reviewing the features and benefits made available by different solutions. If this is true for your business, there’s a good chance you could be getting more from your VoIP system in the form of even lower costs or improved employee productivity. You may even find that your current software offers features that you aren’t taking advantage of! more

  • Best ERP Features and Benefits for Your Business

    Are you considering investing in ERP software for the first time? Or maybe you already have an ERP solution but you’re worried it’s becoming dated. If either of the above apply to you, read our latest guide on the top ERP features and benefits based on the size of your business. You may be surprised at how versatile and cost-effective it is becoming - regardless of if you own a small business or run a large enterprise. more

  • 9 Spooky Signs You Need a Contact Center Upgrade

    When was the last time you evaluated the performance of your current contact center and the software you are using? The results may be frightening! If it’s been awhile since you invested in contact center software, there is a good chance that your needs have changed or that there are better options available now. Fortunately, it’s relatively easy to determine if you need an upgrade or not. more

  • 7 Ways the Wrong Phone System Can Haunt Your Business

    The wrong phone system could be haunting your business - and we’re talking about problems more serious than ghosts and ghouls. From increased costs to issues with scaling, we’ve identified seven important ways that a less than ideal phone system could be holding you back. You’ll be surprised at how much of a difference this can make to your bottom line too. more