After more than a decade, consumers may still be unaware of the rules and laws businesses must follow to protect the confidentiality, integrity and availability of customer electronic data. Published, publicly available standards exist to protect customer healthcare, financial and credit card data. In some cases these standards are federal law; in others, industry participants have formed working groups responsible for defining the rules. Either way, a business can be audited and fined for non-compliance. Three of the most common compliance standards are HIPAA, GLBA and PCI DSS.
You’re probably familiar with HIPAA (the Health Insurance Portability and Accountability Act). Your doctor’s office has asked for your signature on forms related to keeping your healthcare data private. Not only must your medical provider adhere to privacy guidelines, but they must also take steps to ensure data security. According to the U.S. Department of Health and Human Services (HHS.gov), “The administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addressed the security and privacy of health data. As the industry adopts these standards, the efficiency and effectiveness of the nation’s health care system will improve through the use of electronic data interchange.”
While HIPAA does add a layer of extra work and cost to providing your healthcare coverage, without standard data-handling practices in healthcare, huge inefficiencies can develop. At the low end these lead to rework and high cost; at the extreme they put human life at risk. In addition, healthcare data that is not protected can be used unscrupulously, to your detriment. You can read more about HIPAA at http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
GLBA, the Gramm-Leach-Bliley Act, was enacted by Congress in 1999 to protect your personal financial information. In terms of compliance, the key rules under the Act are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions; it also applies to companies that receive such information, regardless of whether they are themselves financial institutions. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. It applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.
Like HIPAA, GLBA defines a set of rules that companies must follow to protect the privacy and security of your personal financial data. Learn more about GLBA at https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.html.
The PCI DSS (Payment Card Industry Data Security Standard), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) to facilitate the broad adoption of consistent data security measures on a global basis. Any company that accepts your credit card for payment, and more generally any entity that stores, processes or transmits cardholder data, must comply with PCI DSS. Its requirements are grouped under six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Merchants found non-compliant can be fined by the card brands through their acquiring bank, or lose the ability to accept card payments altogether. You can read more about PCI DSS at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Most small IT shops are not well placed to understand and apply these standards to their business, leaving many small businesses exposed to fines and litigation. Managed Services firms understand the standards and work with their customers to plan and implement them, protecting the customers’ data and reputation. If you handle healthcare data or financial data, or process credit card transactions, consider engaging a Managed Services firm to audit your current risks and develop a plan to fill the gaps before disaster strikes.
For more information on Orion Group and on complying with consumer electronic data laws, contact us today to get your questions answered quickly.