Understanding the privacy laws that impact public and private organizations is important. Several well-known federal regulations set strict privacy standards for medical, financial, and personal information. Here’s an overview of the laws that may affect your business:
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA affects any healthcare organization that handles, stores, or transmits protected health information (PHI). The law’s Privacy Rule and Security Rule require covered entities to implement physical, administrative, and technical safeguards for PHI. HIPAA compliance is monitored and enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Penalties for HIPAA violations can be severe and may include the following:
- Civil fines of up to $25,000 a year
- Criminal penalties reaching $250,000 and up to 10 years in prison
The Fair and Accurate Credit Transactions Act (FACTA)
FACTA was enacted to prevent consumer fraud and protect personally identifiable information (PII). FACTA’s Disposal Rule calls for the proper disposal of information to protect against “unauthorized access to or use of the information.” If your business collects sensitive client data, such as credit applications, that data should be disposed of according to retention and final disposition guidelines. Penalties for FACTA violations may include the following:
- Federal fines of up to $2,500 for each violation
- State fines of up to $1,000 for each violation
Family Educational Rights and Privacy Act (FERPA)
FERPA prevents educational institutions from distributing student records to anyone other than parents or certain educational institutions and organizations without written permission. If student information is breached, the organization held responsible can be subject to a withholding of federal funds and payments. As a result, educational institutions must dispose of student records securely at the end of their retention lifecycle.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to develop and maintain a written information security plan for protecting consumer information. The act consists of three sections:
- The Financial Privacy Rule
- The Safeguards Rule
- Pretexting Provisions
The Financial Privacy Rule governs how consumer information is collected and disclosed, the Safeguards Rule requires financial institutions to have an enforceable security program, and the Pretexting Provisions forbid anyone from gaining access to private information under false pretenses or for reasons not fully disclosed.
Sarbanes-Oxley Act (SOX)
SOX was enacted in 2002 to enhance corporate responsibility, set standards for financial disclosures, and combat corporate and accounting fraud. SOX requires public companies to evaluate and disclose the effectiveness of their internal controls. This requirement highlights the need for companies to have detailed information systems in place, including secure disposal of obsolete business records.