Summary of Major US and Industry Rules
There are Federal and State rules that organizations need to comply with, and each organization needs to identify the regulations that apply to it. Factors to consider are whether it is a public or private organization, its locations, its industry, and the type of information it stores, transmits and processes. Federal and State rules may have competing interests: competing regulatory agencies may have different missions and may define data privacy differently, so compliance can be difficult and costly where language conflicts and interpretations differ. [1] In some cases federal regulation supersedes any contrary state regulation. Federal requirements are additive to state regulations that do not conflict with them, and federal requirements do not supersede more stringent state requirements. [8]
For example, the following could apply to a publicly-traded organization in California in the healthcare industry.
US Federal rules for the Healthcare industry
HIPAA: The Health Insurance Portability and Accountability Act became law in 1996. HIPAA was created to protect the privacy of health information. In 2013 HHS enacted the HIPAA Omnibus Rule, which implemented a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information, finalized the Breach Notification Rule, and extended the compliance requirements to Business Associates.
The HIPAA Security Rule requires the following safeguards to be in place:
- Administrative Safeguards, which include Assigned Security Responsibility, Security Awareness and Training, Security Incident Procedures and a Contingency Plan.
- Physical Safeguards, which include Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls.
- Technical Safeguards, which include Access Control, Audit Controls, Integrity Controls, Authentication and Transmission Security.
SOX: The Sarbanes-Oxley Act of 2002 was a change to federal securities law in response to major corporate financial scandals. SOX requires the financial reports of all publicly-traded companies to include an Internal Controls Report, in order to show that the company's financial data is accurate and that adequate controls are in place to safeguard it.
Ultimately, the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports. To support this, the following controls need to be in place:
- Security controls to ensure the accuracy and integrity of the financial data.
- Proper access controls to ensure adequate permissions are provisioned.
- Proper controls to audit and log any modification of financially relevant data.
PCI-DSS: The purpose of the Payment Card Industry Data Security Standard is to protect cardholder information. The security controls and processes required to comply with PCI-DSS are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly monitor and test security systems and processes
- Maintain a policy that addresses information security for all personnel. [4]
State rules for the healthcare industry
CMIA: Confidentiality of Medical Information Act – CA Civil Code § 56.10-56.16. This law protects the privacy of medical information by limiting disclosures by providers of health care, health care service plans, and contractors. It specifically prohibits many types of marketing uses and disclosures. It requires an electronic health or medical record system to protect the integrity of electronic medical information and to automatically record and preserve any change or deletion. [7] This law emphasizes protection of health information.
Breach Notification – CA Civil Code § 1798.82. This law requires companies that collect personal information to notify each person in their database should there be a security breach involving personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account. [6] This law emphasizes protection of customer data privacy in that it requires businesses to notify individuals if their personal information has been acquired by an unauthorized person. [6]
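Several of the controls listed above (the HIPAA Technical Safeguards' Audit Controls and Integrity Controls, the SOX requirement to audit and log modification of financial data, and the CMIA requirement that an electronic medical record system automatically record and preserve any change or deletion) reduce to the same engineering problem: an audit trail that records every change and cannot be quietly altered afterwards. The following Python is an added example written for this page, not code from the page, from HHS, the PCI Council or any other source it cites; the hash-chained log design, the record field names and the sample entries are all constructed for illustration. It also shows the limit of a bare hash chain, which detects altered or removed entries but not removal of the newest ones unless the latest hash is stored out of the log writer's reach.

```python
"""Tamper-evident audit trail for record changes (constructed example).

Each entry carries a SHA-256 over the previous entry's hash plus its own
content, so altering or removing an entry breaks the chain on verification.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # constructed anchor value the first entry chains to


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the entry body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only trail of record changes. Entries are added, never rewritten."""

    def __init__(self):
        self._entries = []

    def record(self, actor, action, record_id, before, after, when=None):
        """Append one change (a deletion has after=None) and return its hash."""
        body = {
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "before": before,
            "after": after,
        }
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = dict(body, hash=entry_hash(prev, body))
        self._entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the newest entry; keep a copy where the log writer cannot reach it."""
        return self._entries[-1]["hash"] if self._entries else GENESIS_HASH

    def entries(self):
        """Deep copy, so callers cannot modify the log through the returned list."""
        return copy.deepcopy(self._entries)

    @staticmethod
    def verify(entries, expected_head=None):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry).

        Supplying a separately stored expected_head also catches removal of the
        newest entries, which the chain by itself cannot detect.
        """
        prev = GENESIS_HASH
        for i, e in enumerate(entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if entry_hash(prev, body) != e.get("hash"):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(entries)
        return True, None


def demo():
    """Constructed sample changes; returns verification results for several tamper cases."""
    log = AuditLog()
    log.record("dr_lee", "update", "pt-1001", {"allergy": "none"},
               {"allergy": "penicillin"}, when="2024-01-05T10:00:00+00:00")
    log.record("billing_svc", "update", "inv-77", {"amount": 120.0},
               {"amount": 130.0}, when="2024-01-05T10:05:00+00:00")
    log.record("dr_lee", "delete", "pt-1001", {"allergy": "penicillin"},
               None, when="2024-01-05T10:09:00+00:00")
    head = log.head()

    altered = log.entries()
    altered[1]["after"]["amount"] = 12.0   # silently change the invoice amount

    removed = log.entries()
    del removed[1]                         # drop the billing change entirely

    truncated = log.entries()[:2]          # drop the newest entry

    return {
        "intact": AuditLog.verify(log.entries(), head),
        "altered": AuditLog.verify(altered, head),
        "removed": AuditLog.verify(removed, head),
        "truncated_chain_only": AuditLog.verify(truncated),
        "truncated_with_head": AuditLog.verify(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the block prints one line per case: the intact log verifies, the altered and removed cases fail at index 1, and the truncated log passes a chain-only check but fails once the stored head hash is compared. In a deployment the head hash would be written to a separate system (a write-once store or a different team's log collector) so that an administrator with write access to the log file cannot also adjust the reference value.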
Glossary of Key Terms
Business Associate (BA): A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. [3]
Covered Entity (CE): Individual and group health plans that provide or pay the cost of medical care. A health care provider, regardless of size, who electronically transmits health information in connection with certain transactions. [3]
ePHI: Electronic Protected Health Information.
HIPAA: Health Insurance Portability and Accountability Act.
HITECH: The Health Information Technology for Economic and Clinical Health Act was signed into law in 2009 to promote health IT, including electronic health records and private and secure electronic health information exchange. The HITECH Act broadens and expands the scope of personal healthcare information (PHI). [8]
PHI: Protected Health Information, all "individually identifiable health information" held or transmitted by a covered entity or its business associate.
PCI-DSS: Payment Card Industry Data Security Standard that all entities involved in payment card processing must comply with. [4]
SOX: The Sarbanes-Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company's financial data is accurate and that adequate controls are in place to safeguard financial data. [5]
References
[1] Johnson, R. (2015). Security policies and implementation issues, second edition. Burlington, MA: Jones & Bartlett Learning.
[2] hhs.gov. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
[3] hhs.gov. (2003). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/sites/default/files/privacysummary.pdf
[4] PCI Security Standards Council. (2016). PCI quick reference guide: Understanding the payment card industry data security standard version 1.2. Retrieved from https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
[5] Sarbanes-Oxley-101.com (2018). Sarbanes Oxley 101. Retrieved from http://www.sarbanes-oxley-101.com/
[6] State of California Department of Justice. (2018). Data security breach reporting. Retrieved from https://oag.ca.gov/privacy/databreach/reporting
[7] State of California Department of Justice. (2018). Privacy laws. Retrieved from https://oag.ca.gov/privacy/privacy-laws
[8] Bosworth, S., Kabay, M. & Whyne, E. (2014). Computer security handbook. Hoboken, New Jersey: Wiley.