HIPAA (Health Insurance Portability and Accountability Act of 1996)
What does it mean?
- Addresses the security and privacy of health data
- Requires health care organizations to “maintain reasonable and appropriate administrative, technical, and physical safeguards” to prevent intentional or unintentional unauthorized use or disclosure of protected health information
- Applies to health information (such as medical records) held or disclosed in any form
Who is affected?
Covered entities and their business associates, that is, organizations that create, receive, maintain or transmit patient information, such as:
- Clinics and hospitals
- Pharmacies
- Pharmaceutical companies
- Healthcare clearinghouses
- Doctors and nurses
- Insurance companies
- Business associates of covered entities
What is the impact? (penalties and fines)
- Complaints lead to compliance review and report
- Noncriminal (civil) violations, including disclosures made in error: fines of $100 – $50,000 per violation, with an annual cap of $25,000 (pre-HITECH) to $1.5 million (post-HITECH) for violations of an identical provision
- Potential criminal penalties for knowing violations:
- Wrongful disclosure: up to $50,000 fine, up to 1 year in prison, or both
- Offense committed under false pretenses: up to $100,000 fine, up to 5 years in prison, or both
- Offense committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm: up to $250,000 fine, up to 10 years in prison, or both
How to reach compliance?
- Implement policies and procedures governing access to information, to ensure protected health information is properly secured and not disclosed
- Maintain Business Associate Agreements with outside suppliers who have access to protected health information
- Keep documentation in accordance with your internal document retention policy
HITECH Act (Health Information Technology for Economic and Clinical Health Act)
(Part of the American Recovery and Reinvestment Act of 2009)
What does it mean?
- The Health Information Technology for Economic and Clinical Health Act (HITECH Act) extends certain HIPAA requirements, such as the administrative, physical and technical safeguard requirements for health information, to Business Associates
- Requires a Business Associate that knows of a pattern of activity or practice by a Covered Entity that constitutes a material breach of their agreement to take reasonable steps to cure the breach and, if those steps fail, to terminate the arrangement where feasible
Who is affected?
- Covered Entities: health care providers that transmit health information electronically, health plans, and health care clearinghouses
- Business Associates of Covered Entities, including their subcontractors and certain third-party service providers that handle protected health information
- Vendors of Personal Health Records (PHRs) and related entities, which fall under the FTC’s Health Breach Notification Rule
What is the impact? (penalties and fines)
- Tiered-penalty structure based on the organization’s level of knowledge of the violation:
- If entity did not know of violation, penalties of $100-$50,000 per violation
- If violation is due to reasonable cause and not willful neglect, penalties of $1,000 – $50,000 per violation
- If violation is due to willful neglect and failure is corrected within 30 days, penalties of $10,000 – $50,000 per violation
- If violation is due to willful neglect and failure is not corrected within 30 days, penalties of at least $50,000 per violation
- Additional enforcement authority for State Attorneys General
How to reach compliance?
- Develop written privacy and security policies and procedures related to handling protected health information
- In the event of a breach of unsecured protected health information, notify affected individuals and the Secretary of Health and Human Services without unreasonable delay and in no case later than 60 calendar days after discovery of the breach (breaches affecting fewer than 500 individuals may be reported to HHS annually; breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets); vendors of personal health records that are not covered entities notify the Federal Trade Commission instead of HHS
FACTA Disposal Rule (Fair and Accurate Credit Transactions Act of 2003)
What does it mean?
- Helps consumers prevent or reduce the harm from identity theft
- Requires that any individual or business who maintains, compiles, or possesses consumer information from consumer reports (Credit reports, credit scores, reports businesses, etc.) for a business purpose “must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal”
Who is affected?
- Any individuals and organizations that use consumer reports, including: consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, car dealers, attorneys, private investigators, and debt collectors
What is the impact? (penalties and fines)
- Federal civil penalties of up to $2,500 per violation
- State civil penalties of up to $1,000 per violation
How to reach compliance?
Take reasonable measures to implement and monitor compliance with policies and procedures that ensure consumer information cannot practicably be read or reconstructed, for example by:
- Burning, pulverizing, or shredding paper records
- Destroying or erasing electronic media so that the information cannot practicably be read or reconstructed
- Conducting due diligence on, and hiring, a document destruction contractor to dispose of material specifically identified as consumer report information
Red Flags Rule (issued under the Fair and Accurate Credit Transactions Act of 2003)
What does it mean?
- Helps consumers prevent or reduce the harm from identity theft
- Under the Rule, financial institutions and certain other creditors must adopt written identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft
Who is affected?
The Red Flags Rule applies to “financial institutions” and “creditors” that maintain one or more “covered accounts.”
- A “financial institution” is a bank, savings and loan, credit union, or other entity that holds an account belonging to a consumer that allows the owner to make payments or transfers.
- A “creditor” is any entity that regularly extends, renews or continues credit, arranges for someone else to extend, renew or continue credit, or an assignee of a creditor who is involved in the decision to extend, renew or continue credit.
- A “covered account” is an account that is either (i) an account used primarily for personal, family or household purposes and that involves multiple payments or transactions or (ii) an account for which there is a foreseeable risk of identity theft (such as small business accounts).
What is the impact? (penalties and fines)
- Civil penalties of up to $3,500 per violation
- Injunctive relief is also available
How to reach compliance?
Develop and maintain a written identity theft prevention program that is appropriate for your business based on its size and potential risks of identity theft.
The four basic steps to designing a program to comply with the Rule are:
- Identify relevant red flags;
- Detect red flags;
- Prevent and mitigate identity theft; and
- Update your program periodically
FCRA (Fair Credit Reporting Act)
What does it mean?
- Promotes the accuracy, fairness and privacy of personal information assembled by Consumer Reporting Agencies (CRAs)
- Requires CRAs to provide notice forms similar to those prescribed by the Federal Trade Commission
- Governs other files of information collected and maintained on consumers that may not be on file with credit bureaus
Who is affected?
CRAs that gather and sell credit information such as:
- Credit bureaus
- Tenant or employment screening services, and check verification services whose data is limited to a consumer’s check-writing history
- Organizations or people who furnish consumer reports to third parties for profit
What is the impact? (penalties and fines)
- Anyone who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses: $3,500 fine, up to two years in prison, or both
- The same penalties apply to any officer or employee of a consumer reporting agency who knowingly and willfully provides information about a consumer from the agency’s files to a person not authorized to receive it
How to reach compliance?
- Provide a summary of rights under the law to consumers and a notice of responsibilities under the law to parties who obtain consumer reports or regularly furnish CRAs with consumer information
- A furnisher that receives notice from a CRA that a consumer disputes information it provided must investigate the dispute, review all relevant information the CRA provides, and report the results back to the CRA
GLBA (Gramm-Leach-Bliley Act)
What does it mean?
Protects consumers’ personal financial information and requires companies to give consumers privacy notices that explain the financial institutions’ information sharing practices.
- Financial Privacy Rule – governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.
- Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information. Applies not only to financial institutions that collect information from their own customers, but also to financial institutions (such as credit reporting agencies) that receive customer information from other financial institutions.
- Pretexting Provisions – protect consumers from individuals and companies that obtain their personal financial information under false pretenses (for example, by impersonating the customer or a bank employee to talk a financial institution into releasing account details)
Who is affected?
GLBA applies to “financial institutions” which includes companies such as loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors that offer financial products or services (i.e., loans, financial or investment advice, or insurance) to individuals.
What is the impact? (penalties and fines)
- Financial institution subject to civil penalty of not more than $100,000 for each violation
- Officers and directors subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
- Criminal penalties of up to 5 years in prison
How to reach compliance?
- Have a security plan to protect the confidentiality and integrity of personal consumer information
- Disclose all privacy policies/procedures
- Give customers notice and a reasonable opportunity to opt out before sharing their nonpublic personal information with nonaffiliated third parties, except where a statutory exception applies
- Give customers privacy notices and establish limitations of using information
Identity Theft Penalty Enhancement Act (18 U.S.C. § 1028A)
What does it mean?
- Establishes as a federal crime and imposes penalties for aggravated identity theft, defined as knowingly transferring, possessing, or using a means of identification of another person without lawful authority
Who is affected?
- All U.S. residents, as it is designed to safeguard information, protect privacy, and reduce the risk of identity theft
What is the impact? (penalties and fines)
- A felony violation enumerated in subsection (c) of 18 U.S.C. § 1028A: 2 years in prison in addition to the punishment for the underlying felony, served consecutively rather than concurrently
- A felony violation enumerated in 18 U.S.C. § 2332b(g)(5)(B) (federal crimes of terrorism): 5 years in prison in addition to the punishment for the underlying felony
How to reach compliance?
- Since the purpose of the Identity Theft Penalty Enhancement Act is to deter identity theft by imposing harsher punishments, no specific compliance regulations exist to support the Act; however, companies should review their information protection policies and procedures to ensure safe information handling and storage
Sarbanes-Oxley Act of 2002 (SOX)
What does it mean?
- Enhances corporate responsibility and financial reporting, and imposes new duties and significant penalties for noncompliance on public companies and their executives, directors, auditors, attorneys and securities analysts
Who is affected?
- All companies that are required to file periodic reports with the SEC, as well as the accounting, legal and records/information management professionals within public companies traded on U.S. stock exchanges who work on financial and corporate reporting
What is the impact? (penalties and fines)
- Any individual who knowingly destroys, alters, or falsifies records with the intent to impede, obstruct, or influence a federal investigation will be fined, imprisoned not more than 20 years, or both
- Any accountant who knowingly and willfully fails to retain audit or review workpapers for the required retention period, or who violates a rule or regulation issued by the Securities and Exchange Commission under that retention requirement, will be fined, imprisoned not more than 10 years, or both
How to reach compliance?
- Keep a records and information management policy that details specific policies and procedures, including a document destruction policy that spells out how to suspend destruction (a legal hold) as soon as an investigation is anticipated
- Regularly review this policy with your attorneys, and update it accordingly

