HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf
HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Key requirements/provisions: There are five parts to HIPAA's Administrative Simplification Statute and Rules:
1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by The Centers for Medicare & Medicaid Services.
2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.
3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.
4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by The Centers for Medicare & Medicaid Services.
5. Enforcement Rule: Provides standards for enforcing all of the Administrative Simplification Rules, including compliance investigations, hearings and civil money penalties. This rule is administered by the Office for Civil Rights.
Source: U.S. Department of Health and Human Services, HIPAASurvivalGuide.com
The Health Information Technology for Economic and Clinical Health Act (HITECH)
What it covers: Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.
Who is affected: Health care providers, health plans, health care clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Link to the law: http://www.hipaasurvivalguide.com/hitech-act-text.php (easy to read format)
More formal version: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
* Expansion of HIPAA security standards to "business associates," including people and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions.
* Increased civil penalties for "willful neglect."
* Data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to many state data breach laws related to personally identifiable financial information data.
* Stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
* New limitations on the sale of protected health information, marketing and fundraising communications.
Source: U.S. Department of Health and Human Services, HIPAASurvivalGuide.com
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
What it covers: PSQIA was enacted in 2005; its implementing regulation, the Patient Safety Rule, took effect on January 19, 2009. PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety work product (PSWP), which includes information collected and created during the reporting and analysis of patient safety events.
These confidentiality provisions are intended to improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. The Office for Civil Rights administers and enforces the confidentiality protections provided to PSWP. The Agency for Healthcare Research and Quality administers the provisions dealing with patient safety organizations (PSOs).
Who is affected: Healthcare providers, patients and individuals/entities that report medical errors or other patient safety events.
Link to the law: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf
* Subpart A: Defines essential terms, such as patient safety work product (information collected and created during the reporting and analysis of patient safety events), patient safety evaluation system and patient safety organizations (PSO).
* Subpart B: Provides the requirements for listing PSOs. These entities offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers.
* Subpart C: Describes the privilege and confidentiality protections that attach to patient safety work product and the exceptions to the protections.
* Subpart D: Establishes a framework to enable HHS to monitor and ensure compliance with the confidentiality provisions, a process for imposing a civil money penalty for breach of the confidentiality provisions, and hearing procedures.
Source: U.S. Department of Health and Human Services, Agency for Healthcare Research and Quality
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
What it covers: The CFATS regulation went into effect in 2007 and was developed under Section 550 of the Department of Homeland Security Appropriations Act of 2007. It imposes federal security regulations on high-risk chemical facilities, requiring covered facilities to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans that include measures satisfying the identified risk-based performance standards. The regulations are authorized through October 2011, at which point they will either be made permanent or be extended with tougher requirements. One requirement under consideration is an Inherently Safer Technologies provision that could require some facilities using, storing or manufacturing certain chemicals to change their processes or the chemicals they use.
Who is affected: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.
Link to the law: http://energycommerce.house.gov/Press_111/20091001/hr2868_billtext.pdf
Key requirements/provisions: CFATS uses performance standards rather than prescriptive standards. These standards are "risk-based," meaning that security measures vary depending on each facility's determined level of risk.
To that end, DHS created a tiered system and assigns each covered chemical facility to one of four risk tiers, ranging from high (Tier 1) to low (Tier 4). Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.
Once assigned a tier, facilities must comply with 19 categories of risk-based performance standards (6 CFR 27.230):
1. Restrict Area Perimeter
2. Secure Site Assets
3. Screen and Control Access
4. Deter, Detect, Delay
5. Shipping, Receipt and Storage
6. Theft and Diversion
7. Sabotage
8. Cyber
9. Response
10. Monitoring
11. Training
12. Personnel Surety
13. Elevated Threats
14. Specific Threats, Vulnerabilities, Risks
15. Reporting of Significant Security Incidents
16. Significant Security Incidents and Suspicious Activities
17. Officials and Organization
18. Records
19. Address any additional performance standards the Assistant Secretary may specify
Source: Department of Homeland Security
Section three: Key state regulations (with broad impact in the US)
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
What it covers: This Massachusetts regulation, which went into effect March 1, 2010, works to protect the state's residents against fraud and identity theft. It requires any business that stores or uses personal information about a Massachusetts resident to develop a written, regularly audited information security program to protect that information. It takes a risk-based approach rather than a prescriptive one: businesses must establish a security program that takes into account the business's size, scope and resources, the nature and quantity of data collected or stored, and the need for security, rather than adopting every component of a fixed program.
Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.
Link to the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Key requirements/provisions: Key requirements of the regulation include the following:
* A documented information security program, detailing technical, physical and administrative measures taken to safeguard personal information.
* Encryption of personal information -- a resident's name in combination with a Social Security number, driver's license or state ID number, or financial account or credit card number -- when stored on portable devices, such as laptops, PDAs and flash drives, or transmitted wirelessly or over public networks.
* Selection of third-party service providers that can properly safeguard personal information.
* Designated employees charged with overseeing and managing security procedures in the workplace, as well as continuously monitoring and addressing security hazards.
* Limits on the collection of data to the minimum required for the intended purpose.
* Computer system security requirements, including secure user authentication protocols, access control measures, system monitoring, firewall protection, updated security patches and security agent software and employee education and training.
Source: Commonwealth of Massachusetts Office of Consumer Affairs
Nevada Personal Information Data Privacy Encryption Law NRS 603A
What it covers: Effective January 1, 2010, Nevada became the first state to enact a data security law that mandates encryption of customers' personal information both when stored on devices that leave the business's control and when transmitted outside it.
Who is affected: Businesses that collect and retain personal information of Nevada residents.
Link to the law: http://www.leg.state.nv.us/nrs/nrs-603a.html
Key requirements/provisions: The law contains the following requirements:
* Data collectors that accept payment cards must comply with the current version of PCI DSS (see above).
* Businesses must encrypt any personal information that is electronically transmitted outside the business's secure system.
* Businesses must encrypt any personal information stored on a device (computer, phone, magnetic tape, flash drive, etc.) that is moved beyond the logical or physical controls of the data collector or its data storage contractor.
* Businesses are not liable for damages of a security breach if they are in compliance with the law and the breach was not caused by gross negligence or intentional misconduct.
Source: State of Nevada, Paul Mudgett
Section four: Selected international security and privacy laws
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)--Canada
What it covers: This Canadian privacy law governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. It came into force on January 1, 2001 for federally regulated organizations and on January 1, 2004 for all other organizations engaged in commercial activity.
In May 2010, Bill C-29 introduced numerous amendments to PIPEDA, involving exceptions for the use and disclosure of personal information without consent and further requirements for business transactions.
Who is affected: All private-sector companies doing business in Canada.
Link to the law: http://www2.parl.gc.ca/HousePublications/Publication.aspx?pub=bill&doc=c-6&parl=36&ses=2&language=E
Bill C-29 amendments: http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4547739&
Key requirements/provisions: PIPEDA establishes 10 fair information principles (Schedule 1 of the Act) to govern the collection, use and disclosure of personal information:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Sources: BearingPoint, Office of the Privacy Commissioner of Canada
Law on the Protection of Personal Data Held by Private Parties--Mexico