HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT – HIPAA
HIPAA was enacted in 1996 and provides data privacy and security provisions to safeguard medical information. HIPAA falls under the jurisdiction of the U.S. Department of Health and Human Services and is broken down into five rules:
- Privacy Rule
- Transaction & Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule
Here are the basics of each rule. The first, the Privacy Rule, protects protected health information (PHI) from unauthorized access and describes the conditions under which that information may be legally used or disclosed. The second, the Transaction & Code Sets Rule, standardizes how certain electronic health care transactions are formatted and transferred from one computer to another. The third, the Security Rule, pertains to electronic PHI (ePHI) and details the administrative, physical, and technical safeguards that must be implemented.
These include written policies and procedures, employee training, and access controls. The fourth, the Unique Identifiers Rule, covers the National Provider Identifier (NPI), a unique identification number for covered health care providers. The last, the Enforcement Rule, covers compliance and investigations, the procedures for hearings, and the penalties for violations. This brings us to an important amendment added in 2009 called the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH widened the scope of the privacy and security protections under HIPAA and increased the legal liability for noncompliance through stronger enforcement and stricter fines. It also required business associates to comply with HIPAA directly and obligated them to have a business associate agreement with any subcontractors that handle PHI on their behalf.
GRAMM LEACH BLILEY ACT – GLBA
GLBA was enacted in 1999 and applies to financial institutions. Several federal agencies are responsible for the enforcement of this act. Just like HIPAA, GLBA has a rule set up to protect your personal information. It is called the Safeguards Rule, and it requires financial institutions to identify the areas where customer information may be at risk and to put safeguards in place to mitigate those risks.
What Does This Mean For You? It means that John Smith from Nowhere, TX can't simply walk into a hospital, doctor's office, bank, or any other financial institution and gain access to your personal information, at least not without the proper credentials and authorization. It also means that these organizations are obligated to protect that information and are held accountable if the worst should happen.