Regulatory Compliance: HIPAA, SOX, and GLBA

Updated: May 19, 2010

Health Insurance Portability and Accountability Act (HIPAA)

It's been nearly 15 years since passage of the Health Insurance Portability and Accountability Act (HIPAA), which established standards related to health insurance coverage and the privacy of health-related information. As HIPAA's regulations have been steadily implemented since 1996 by the Department of Health and Human Services (HHS), employers have faced significant civil and criminal penalties for failure to comply (including prison time for willful and flagrant violators, such as a UCLA researcher who snooped into celebrity records).

For most employers, the relevant portions of HIPAA concern the Privacy and Security Rules for so-called "covered entities"--insurers, health care providers, and the like. Although most companies deal with covered entities on an intermediary or once-removed basis, this does not exempt them from HIPAA's requirements. This important distinction was underscored with the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extends HIPAA's Privacy and Security Rules to "business associates" of covered entities. (The HITECH Act also increased penalties for non-compliance.)

Privacy Rule

The Privacy Rule limits the use and disclosure of a person's Protected Health Information (PHI), which includes the following:

* All medical records
* Claim status
* Payment history
* Health plan eligibility and enrollment status

The most important step in complying with the Privacy Rule is to identify, restrict, and enforce which personnel need access to employees' PHI to perform their jobs. Most often, this will be human resources staff or other administrators that coordinate with health insurance companies. However, don't forget about staff members that deal with pre-employment physicals or on-the-job injuries.

Security Rule

HIPAA's Security Rule complements the Privacy Rule by dealing solely with the administrative, physical, and technical safeguards for Electronic Protected Health Information (EPHI). Not surprisingly, human resources and IT departments must work hand-in-hand to ensure compliance with the Security Rule.

There are circumstances in which HIPAA regulations permit the relevant, limited, and appropriate release of health-related information, including:

* Emergencies and public health crises
* OSHA-related proceedings
* Workers' compensation claims
* Legal and national security matters

One final point: Despite claims and advertisements you might encounter, HHS does not endorse or certify any products as "HIPAA compliant," and the Privacy and Security Rules do not require attendance at specific seminars or any special certifications.

For more information on everything HIPAA, visit the Health Information Privacy pages on the HHS website.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in the wake of several major accounting scandals, the Sarbanes-Oxley Act (SOX) seeks to improve the reliability of financial reporting by public companies and their accounting firms. Although private companies are not subject to the regulations, SOX has raised the bar for financial reporting in general. Private companies planning to go public or hoping to be acquired by a public company cannot ignore SOX requirements.

Not surprisingly, finance departments deal with the heavy lifting of SOX compliance. However, because the regulation deals with security, record keeping, and other requirements, IT departments must be close partners in the process. The SEC offers a guide on SOX compliance for small businesses, and there are many companies that offer SOX compliance solutions and training. The cost of SOX compliance is non-trivial, especially for smaller companies, so it's crucial to make your compliance efforts as efficient as possible.

Here's a summary of three key SOX provisions:

Section 302

This section puts officers "on the hook" so to speak for the truthfulness and accuracy of financial statements, as well as the robustness of internal procedures that deal with financial accounting.

Section 401

In response to the accounting scandals, legislators crafted Section 401 to require that financial reports include so-called "off-balance sheet items" such as liabilities, obligations, and other transactions.

Section 404

Section 404 requires companies and their external auditors to report on the adequacy of the internal controls that deal with financial reporting. It's a broad, complex topic that has given rise to a cottage industry of Section 404 consultants, compliance specialists, and premium checklists that seek to ease the pain of measuring up.

As the most rigorous and time-consuming portion of SOX compliance, Section 404 is not surprisingly also the most costly. According to Securities and Exchange Commission (SEC) data, companies with less than $100 million in revenue have been forced to spend up to 2.5% of their revenue on Section 404 compliance. However, in response to complaints that compliance was too onerous as originally passed, in recent years the SEC has made changes and offered updated guidance regarding Section 404.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a broad set of regulations that affect the financial services industry, which includes banking, insurance, and investment institutions.

In terms of compliance, GLBA created two key regulations, the Financial Privacy Rule and the Safeguards Rule, that govern the collection, storage, protection, and disclosure of customers' financial information. These rules also apply to entities outside the financial services industry that process or receive this information, such as real estate companies, tax preparers, and so on. Not surprisingly, IT departments often shoulder much of the burden of GLBA compliance, particularly with the Safeguards Rule.

Financial Privacy Rule

Under the Financial Privacy Rule, a company must provide its customers a privacy notice that includes the following:

* Information about the non-public personal customer information a company collects
* How and with whom the company shares that information
* How the company protects that information

Defining the term "non-public personal customer information" is important. First, the rule makes a distinction between customers and consumers. "Customers," such as credit card holders, have significant, long-term relationships with financial institutions. "Consumers," such as users of a check-cashing service or third-party ATM, have short-term, one-time, or sporadic dealings. Next, "non-public personal information" is usually any and all information a company obtains from a customer. However, if this information is lawfully public, such as mortgage information in certain areas, it is not subject to the rule.

Under the rule, companies must also allow a customer to opt out of information-sharing agreements, and offer a reasonable way to do so. The opt-out provision has several exceptions, however. For more details on these exceptions, as well as all the details of the Financial Privacy Rule, visit the FTC's Financial Privacy Rule summary page. There are also many companies that offer GLBA compliance solutions, consulting, and training.

Safeguards Rule

The Safeguards Rule regulates the security and confidentiality of customer information in three areas: employee management and training, information systems, and system failure.

The specific steps and requirements to secure your systems are beyond the scope of this article, but the FTC includes dozens of helpful pointers on its Safeguards Rule summary page.

For a big-picture perspective, the FTC also offers a useful five-point framework to maintain a protected infrastructure:

* Take stock: Know what information you have in files and computer systems
* Scale down: Keep only what you need for your business
* Secure it: Protect the information with encryption, strong passwords, and good physical security
* Toss it: Securely discard what you don't need (see the FTC's Disposal Rule)
* Plan ahead: Create a plan to respond to security incidents

Beyond regulation, every company should already be putting these guidelines in practice. Instilling confidence in your customers is just good business.
