Health Insurance Portability and Accountability Act (HIPAA) of 1996
HIPAA is a U.S. federal law that establishes privacy standards protecting patients' medical records and other health information held by health plans, doctors, hospitals and other health care providers. These standards give patients access to their medical records and more control over how their personal health information is used and disclosed (HHS, 2013).
Required Security Controls
- Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI) to allow access only to those persons or software programs that have been granted access rights.
- Assign a unique name and/or number for identifying and tracking user identity.
- Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Implement a mechanism to encrypt and decrypt ePHI.
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Implement policies and procedures to protect ePHI from improper alteration or destruction.
- Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
- Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
- Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
- Implement a mechanism to encrypt ePHI whenever deemed appropriate.
Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
Federal law enacted in 2009 to increase the meaningful adoption of Electronic Health Record (EHR) systems. The law is composed of four parts: promotion of health information technology, testing of health information technology, grants and loans funding, and privacy (Morgan, 2012).
Required Security Controls
- Requires entities covered by HIPAA to report breaches of unsecured protected health information affecting 500 or more individuals to the U.S. Department of Health and Human Services (HHS), to prominent news media, and to the individuals affected.
- Covered entities, business associates, vendors of personal health records and related entities must comply with the notification requirements whenever a breach of unsecured PHI occurs.
- Extends the individual's right to an accounting of disclosures to disclosures of electronic protected health information made through an electronic health record, including disclosures for treatment, payment and health care operations.
Red Flags Rule passed in January 2008
The rule took effect in 2008 and its scope was clarified by Congress in 2010; it requires businesses and organizations (including insurers) that hold covered accounts to develop a written program to detect identity theft warning signs ("red flags") in their ongoing operations. The rule was issued by the Federal Trade Commission (FTC), together with the federal banking regulators, to help prevent identity theft.
Required Security Controls
- Must maintain a written Identity Theft Prevention Program that identifies the red flags relevant to the business, detects them in day-to-day operations, responds appropriately when they are detected, and is updated periodically to reflect new risks.
California State rules and statutes for entities providing health insurance
California Notice of Security Breach Act 2003
A breach notification law that requires businesses and state agencies that own or maintain personal information on California residents to notify those residents when their unencrypted personal data has been, or is reasonably believed to have been, acquired by an unauthorized person (Becerra, 2017).
Required Security Controls
- Any company that maintains personal information of California residents and suffers a security breach must disclose the details of the event to the affected residents.
- Any person or business required to issue a security breach notification to more than 500 California residents must electronically submit a single sample copy of that security breach notification to the Attorney General.
California Insurance Code Sections 791 - 791.27, the Insurance Information and Privacy Protection Act (IIPPA) (CDI, n.d.)
Provides protections for an individual's personal information, which is generally supplied to an agent, broker or insurance company in order to apply for insurance or submit a claim.
Required Security Controls
- Licensees must generally provide consumers with a notice describing the licensee's privacy practices at the time of policy application and annually thereafter.
- Notices must describe the categories of personal information collected about individuals.
- If the licensee wishes to disclose financial information to third parties, it must provide a clear and conspicuous opt-out notice and a cost-free method for the consumer to reply.
- Nonpublic personal medical record information may not be disclosed without the individual's prior written authorization, except as the statute specifically permits.
- Licensees must maintain standards for safeguarding nonpublic personal information.