1.10 Privacy Standards and Regulations


There has been a lot of activity on the national legislative front over the last couple of years, specifically regarding protection of information that is unique to the individual. This type of information is regarded as a basic element of our right to privacy, and companies are being required to take (sometimes costly and arduous) steps to protect it. Failure to do so can have serious repercussions. Insurance companies, health care providers, financial institutions, service providers, retailers, telemarketing organizations, communications providers, and so on all have a part to play in protecting an individual's right to privacy. The next few sections highlight some of the more relevant changes made in the last few years.

1.10.1 NAIC Model Act

Beginning in the early 1980s, the National Association of Insurance Companies [19] (NAIC) recognized the importance of protecting the privacy of their customers. With the adoption of the Insurance Information and Privacy Protection Model Act, the NAIC established a standard for disclosure of insurance consumers' personal information, including financial and health information. Currently, 13 states have laws based on this 1982 Model Act. The NAIC believes that the state laws based on this Model Act are generally more protective of consumer privacy than the privacy provisions of the Gramm-Leach-Bliley Act (GLBA), which is discussed in the next section.

In 1998, the NAIC turned its focus specifically to the privacy of personal health information. The Health Information Privacy Model Act was developed primarily to guide Congress and the U.S. Department of Health and Human Services (DHHS), both of which were considering health information privacy protections under the Health Insurance Portability and Accountability Act (HIPAA, discussed later in this chapter).

In February 2000, the NAIC established the Privacy Issues Working Group in order to give guidance to state insurance regulators in response to the enactment of GLBA, which required state insurance regulators to promulgate regulations enforcing the consumer privacy protection laws. On September 26, 2000, the Privacy of Consumer Financial and Health Information Model regulation was adopted by the NAIC.

In 2001, the NAIC reconvened the Privacy Issues Working Group. This group was tasked to increase dialogue among regulators and interested parties who were concerned about privacy standards and regulations because they deeply affected the conduct of operations for these insurance carriers. One of the principal missions of the Privacy Issues Working Group was to serve as a forum for regulators, industry, and individual consumers. This forum allowed participants to discuss questions and issues that arose as the states interpreted and began enforcement of their privacy protections. In order to stay abreast of the states' efforts and to be consistent in their approaches to privacy protection, the Privacy Issues Working Group established a goal to agree on uniform responses to such questions because many of these issues would be repeated in multiple states. The Privacy Issues Working Group's analysis of particular issues and responses to questions has served as guidance to all NAIC members.

In March 2002, the Privacy Issues Working Group adopted a document entitled "Informal Procedures for Consideration of Privacy Questions." These procedures were developed as part of an effort to be responsive to interested party concerns about the drafting and adoption of question-and-answer documents among NAIC members. The informal procedures reflect the evolving efforts of the Privacy Issues Working Group to ensure that members and other interested parties are well informed of the process for consideration of privacy issues.

In early 2002, content found within financial institutions' privacy notices and the degree to which consumers are opting out from disclosure received a great deal of attention. In an effort to make these privacy notices worthwhile for consumers and industry, and to realize the intent of Congress and the regulators who put these protections in place, the NAIC formed a subgroup, the Privacy Notice Subgroup, whose task was to draft a "plain language" model for privacy notices. The Privacy Notice Subgroup has begun working closely with interested parties to draft samples that make privacy notices more understandable for consumers while ensuring a high degree of uniformity and compliance with the requirements of the NAIC model privacy regulation for industry.

In the latter part of 2002, the NAIC reestablished the Privacy Notice Subgroup. This group completed a draft report outlining specific suggestions to improve privacy notices. The changes include use of simpler sentences, clearer terminology, and easy-to-read formatting. At an annual meeting held in fall 2002, the Privacy Notice Subgroup distributed a draft report to the Privacy Issues Working Group and urged recipients to examine the report and submit comments to NAIC staff for inclusion in the final report. The NAIC has been in the vanguard of establishing privacy protections and will continue to be so for some time.

1.10.2 Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) [20] was enacted as Public Law 106-102 on November 12, 1999. This law was intended to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers. The GLBA is enforced by several different agencies, depending on the type of financial business involved. Most depository institutions such as banks and savings and loans are regulated by either the Office of the Comptroller of Currency (OCC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), or the Office of Thrift Supervision (OTS). These four agencies have enacted joint regulations that became effective July 1, 2001, under 12 CFR part 30 et al., to guide audit and compliance certification processes.

Many other nondepository institutions are regulated by the Federal Trade Commission (FTC), which specifically claims authority over financial institutions "not otherwise subject to the enforcement authority of another regulator" (16 CFR part 313.1(b)). The FTC information security requirements were published May 23, 2002, as 16 CFR part 314, and are available from the FTC. Finally, the Office for Regulatory Audits and Compliance (OFRAC) is an Atlanta-based organization set up to conduct compliance surveys and audits for regulations affecting businesses regulated by GLBA, the Department of Transportation (DOT), HIPAA, DHHS, CFR 42, 49, 67, the USA PATRIOT ACT, and the Public Health Security and Bioterrorism Preparedness Response Act of 2002 (HR 3448). OFRAC's services are designed to meet the testing requirements of both GLBA and HIPAA. This is extremely important because the penalties for not complying with the aforementioned laws are quite severe. Individuals who fail to fully comply with the regulations are subject to a $250,000 fine, and any other person (facility or organization) failing to follow the regulations is subject to a fine of $500,000. Prison terms can be up to five years for each violation. As you can see, privacy security has become a very serious issue that mandates business attention under the risk of huge penalties.

1.10.3 HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) [21] was enacted in order to accomplish the following goals:

  1. Improving portability and continuity of health insurance coverage in group and individual markets

  2. Combating waste, fraud, and abuse in health insurance and health care delivery

  3. Promoting the use of medical savings accounts

  4. Improving access to long-term care services and coverage

  5. Simplifying the administration of health insurance

In order to comprehend the total impact of HIPAA, it is important to understand the protections it created for millions of working Americans and their families. HIPAA includes provisions that may increase individuals' ability to get health coverage for themselves and their dependents if they start a new job. HIPAA can lower individuals' chances of losing existing health care coverage, regardless of whether they have that coverage through a job or through individual health insurance. HIPAA can help persons to maintain continuous health coverage for themselves and their dependents when they change jobs. HIPAA can also help individuals buy health insurance coverage on their own if they lose coverage under an employer's group health plan and have no other health coverage available. Among its specific protections, HIPAA limits the use of preexisting condition exclusions and prohibits group health plans from discriminating by denying someone coverage or charging extra for coverage based on a covered member's past or present poor health.

HIPAA guarantees certain small employers and certain individuals who lose job-related coverage the right to purchase health insurance, and it guarantees (in most cases) that employers or individuals who purchase health insurance can renew the coverage regardless of any health conditions of individuals covered under the insurance policy. In short, HIPAA may lower individuals' chance of losing existing coverage, ease their ability to switch health plans, and/or help them buy coverage on their own if they lose coverage under an employer's plan and have no other coverage available.

In setting out to achieve each of the aforementioned six goals, the final bill that was enacted can be summarized into the following five areas where action was mandated:

  1. Standards for electronic health information transactions. Within 18 months of enactment, the Secretary of Health and Human Services (HHS) was required to adopt standards from among those already approved by private standards-developing organizations (such as NAIC) for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards were required to address the security of electronic health information systems. This last sentence is of particular concern to security professionals who must enable organizations to enforce such privacy rules.

  2. Mandate on providers and health plans, and timetable. Providers and health plans were required to use the standards for the specified electronic transactions 24 months after they were adopted. Plans and providers were given the option to comply directly or to use a health care clearinghouse. Certain health plans, in particular worker's compensation, were not covered.

  3. Privacy. The Secretary of HHS was required to recommend privacy standards for health information to Congress 12 months after HIPAA was enacted. A provision stated that if Congress did not enact privacy legislation within three years of HIPAA enactment, the Secretary of HHS should promulgate privacy regulations for individually identifiable electronic health information.

  4. Preemption of state law. The HIPAA bill superseded state laws, except where the Secretary of HHS determined that a state law was necessary to prevent fraud and abuse or to ensure the appropriate regulation of insurance or health plans, and to address concerns about the use of controlled substances. If the Secretary promulgates privacy regulations, those regulations cannot preempt state laws that impose more stringent requirements. These provisions did not limit a state's ability to require health plan reporting or audits.

  5. Penalties. The bill imposed civil money penalties and prison for certain violations. Individuals who fail to fully comply with the regulations are subject to a $250,000 fine, and any other person (facility or organization) failing to follow the regulations is subject to a fine of $500,000. Prison terms can be up to five years for each violation.

As you can see, items 1, 2, and 3 have specific provisions to protect electronic data. This is the area of HIPAA where cybersecurity is most concerned. The preceding sections have concentrated on standards, laws, and enforcement issues related to security and privacy. In the actual implementation of security measures needed to comply with such regulatory guidance, a security professional relies on adoption of good practices that have been evaluated and adopted as "best practices" across industry.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153