An Update on Common Information Privacy Regulations
When your business handles confidential information, it’s imperative to understand your legal responsibility for maintaining confidentiality and privacy. As regulations continue to evolve, so do your compliance obligations. Here’s an update on common information privacy regulations and where they stand today.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is going on its twentieth year as a law regulating the security and dissemination of protected health information (PHI). But certain provisions of the law continue to evolve. On March 26th, 2013, the Final Omnibus Rule took effect, requiring covered entities to provide notification following a breach of unsecured protected health information.
The Fair and Accurate Credit Transactions Act (FACTA)
While HIPAA governs the protection of health information, FACTA gives individuals the ability to place alerts on their credit histories if identity theft is suspected. It requires lenders, credit card companies and other financial service organizations to properly dispose of information to protect against “unauthorized access to or use of the information.”
Gramm-Leach-Bliley Act (GLB)
The most important thing to know about GLB is that it contains a Safeguards Rule that requires financial institutions to develop a written information security plan outlining processes for protecting clients’ personal information. The plan must include:
- Designation of at least one employee to manage safeguards
- Risk analysis plans for each department handling personal information
- Development, testing and monitoring of an information security program
- Changes to safeguards as needed
As a result, your business should have a written plan for how its records are stored, controlled, accessed and disposed of.
California State Laws
In addition to keeping up with federal privacy regulations, you must also understand the state laws that affect your business. Historically, California has been the nation’s leader on privacy protection issues, with several laws designed to strengthen the privacy of consumer information.
California Senate Bill 24 details what a business must report to the state in the wake of a data breach. California 1798.81 specifically addresses document destruction. It states that businesses should “take all reasonable steps to dispose, or arrange for the disposal, of customer records” that contain “personal information when those records aren’t needed any longer by, among other means, shredding.”
All of this makes it imperative for any business collecting data from California consumers to have a secure and reliable information destruction strategy. Many other states have their own privacy regulations.
No matter where you are, it’s important to consult your attorney for guidance on the specific laws your business needs to follow.
Understanding federal, state and local privacy laws is essential for keeping your business secure and compliant. As your privacy protection resource, we’ll continue to publish information about the privacy regulation landscape.
Pacific Records Management provides information management and privacy protection solutions for businesses throughout Fresno, Stockton, Sacramento, Modesto, and Napa and Solano Counties. For more information, please contact us by phone or complete the form on this page.