HIPAA and the GLB: Information Security and the Law
Mark Goodell
Holliday
5-17-04
Abstract
This paper looks at the Gramm-Leach-Bliley Financial Modernization Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA), passed by the United States Congress in 1999 and 1996, respectively. The paper first focuses on the parts of both Acts which deal directly with information assurance. Both laws are analyzed for how effective each will be, what steps are required to be compliant, how secure compliant companies are, and what happens if companies are noncompliant. The next section covers problems with each of the two laws: limitations in implementation, the cost of complying and other social costs. The last section looks at these two laws as part of a broader trend, analyzing and predicting where company and government policy are heading as the new millennium starts.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Act was passed in 1996, but the key technological parts, the privacy and security rules, are expected to be implemented in 2003 and 2005. This Act is important in that its scope covers the whole of the health-care industry, from pharmaceuticals down to individual doctors. Additionally, many companies not really in the health-care field fall under HIPAA because “the self-insured ERISA plans sponsored by many employers are also ‘covered entities’ under the law” (Insider). The health-care industry has also done more than any other industry to comply with the regulations and is equally open about its compliance efforts (Scalet 1-2). This makes analysis of the Act even more important in determining its strengths and weaknesses, and whether similar regulations need to be applied in other areas.
The privacy rule's aim is fairly simple: information regarding medical condition or diagnosis must be kept separate from information used in hiring, firing and promotions (Insider). As one aspect, this requires the development of both internal and external security to protect this information. The route many companies are looking at is outsourcing as many of the health functions as possible; the less medical information a company holds, the easier it is to keep that information isolated and secure. The privacy rule has a broader scope than the security rule, which is limited to electronic forms of storage and information transfer.
The security rule is a logical extension of the privacy rule: if information is going to be private, access to the information must be restricted and guarded. The security rule runs a rather jam-packed forty-six pages. The rule is summarized in one simple chart in which three categories (administrative, physical and technical) are laid out; see appendix 1. About three dozen action items are enumerated in the chart, ranging from items as specific as workstation security out to risk analysis and management. The rule is flexible: some items are required, but the majority are classified as addressable, meaning suggested but not required for all entities. This flexibility recognizes that not all companies hold the same level of sensitive information, and that some may not have the resources to implement all possible security measures. In addition, the security rule is kept somewhat general to leave room for future development, and part of the standard is periodic reassessment to ensure the measures remain appropriate to the businesses involved. While the language of the Congressional Act set extreme standards, using phrases such as “covered entities must assure that electronic health information pertaining to an individual remains secure,” the rule explicitly recognizes that trade-offs will occur.
The Federal Register notes of the development process, “We also consulted extensively with experts in the field of security throughout the health care industry. The standards are generally accepted security principles and practices that are already in widespread use,” (8344). Industry leaders agree, with the president of a health-care consultancy, a CISO (Computer Information Security Officer), and an assistant vice-president echoing these sentiments. This gives many companies a potential boost, in that their security analysis may result in relatively few required changes, some as simple as locking and blanking workstations left unattended for three minutes, which is a fairly straightforward process on a network. The real problem comes in balancing HIPAA regulations with the health-care ideal, which was focused solely on ease of use. As one example, the computers used by doctors in the emergency medical room had to be restricted to only EMR data, both to comply with HIPAA and to give the doctors the immediate access they may need. “Compliance is a game of compromise,” (Scalet 5). The IT overhaul may end up costing the entire industry an estimated $22 billion or more (Fonseca).
The generality of the rule, while great for crafting answers suited to each company, raises questions about enforcement, which has legal departments putting some pressure on computer security officers to make sure they are safe from potential suits. The somewhat real fear is that “the combination of the privacy rules and the long-delayed and open-to-interpretation security standards could become a honey pot for law firms that specialize in class-action suits,” (Brewin 2). These lawyers feel the suits could be as successful as the asbestos and breast implant class-action suits combined. The question then becomes not simply what steps we are taking but whether we can prove what we are doing. This can lead to some extreme measures: one hospital does not send birth announcements to local newspapers, citing HIPAA concerns, and a Wisconsin hospital ruled that a young teen leukemia survivor would not be allowed to make her annual toy delivery to patients, over concerns of violating patient privacy. Most will strike a fairly reasonable balance, as they are unlikely to come under a microscope from the Department of Health and Human Services (HHS). With enforcement being complaint-driven for both the privacy and security rules, reasonable care should prevent many problems. In 2003, the “HHS received 3,745 complaints of which by April, 2004 forty percent had been resolved, and a small number…had been passed to the Department of Justice,” (Scalet 6).
The jury will be out as HIPAA swings into full effect in 2005, but it looks to be a generally well-crafted policy. As information security becomes a more important public issue, the regulations may become more widespread if businesses do not act quickly enough. “The Federal Trade Commission reports that last year’s identity theft losses to businesses, financial institutions and consumers totaled a mind-boggling 53 billion,” (ITsecurity.com). Mounting numbers will increase public pressure and could very well result in HIPAA-like regulations either being adopted by various industries or imposed by government fiat. As one California executive realized from her company’s work to comply with the HIPAA rules, Sarbanes-Oxley (which deals with public companies, focusing on preventing Enron-like accounting and auditing errors), and SB 104 (a California law), it is all about common sense and good practice. She is confident that any company following best practice would comply with any regulation dealing with privacy or security.
Gramm-Leach-Bliley Act
In terms of the scope of this paper, the Gramm-Leach-Bliley Act of 1999 falls under three broad categories: protection of private personal information, obligations on the disclosure of personal information, and disclosure of the institution’s privacy policy. The Act protects only personal information, and applies only to financial institutions: banks, insurance companies, loan institutions, or companies which offer financial or investment advice. Companies which engage in significant financial activities, such as debt collectors, tax preparers, and loan brokers, are included in this bill and are regulated by the Federal Trade Commission.
The intent of the law is to protect individuals’ privacy in regard to financial information, which is the target of people seeking to commit identity theft. Companies in the financial sector have to let customers or consumers know what information they hold on people who use their services, who has access to it in terms of other companies, and how it is protected. There is no specification of what these safeguards should or must be. In some cases the customer may opt out of having his or her information shared, although there are several exceptions where customers cannot opt out. The goal is to tighten customer protection and give customers the ability to limit who has access to their personal information.
If this sounds more than a little confusing, many professionals are also not sure how the regulations are supposed to work out. “A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. ‘Can you explain the regulations?’ he asked. He was joking, I think, but his comment sums things up.” (Scalet Privacy Lessons).
As one example of a factor backfiring, companies are required to give customers an annual notice giving them their chance to opt out. “In reality, though, customers with multiple accounts are getting inundated with notices full of impenetrable legalese, which sabotages the key intent of the regulations: to enlighten customers,” (Scalet Privacy Lessons). Despite an official June 1st deadline, the auditors were already starting their work, and focusing on an unexpected area: wide-area network security, since many companies currently do not encrypt their wide-area network traffic. This has brought a slew of complaints about the interpretation being used by the auditors. The companies were focusing on the privacy aspects, which deal with deliberate inter-company communication, not on the aspects of information theft, which, although it is a provision, was hardly the centerpiece or main thrust of the Act as first set out.
The other major issue is the fact that many financial corporations are global; corporations doing business in both the United States and the European Union are common. It is fairly unlikely that the GLB will be strict enough to meet the privacy directive of the EU; Europeans are generally stricter about privacy laws, notes Stewart Baker, a partner at a law firm. Other governments are working on their own policies, which will most likely fit with the current policies like a round peg in a square hole. “This has left global institutions confused about how to, say, send information about a European employee to U.S. headquarters,” (Scalet). This international aspect has not been sufficiently addressed and will need to be resolved in some way to keep these companies from being caught in a catch-22.
Privacy regulation is more likely to be addressed with stronger consideration for the individual as the Democrats gain control of one or both Houses of Congress. The issues surrounding privacy, and thus security, will only grow with time: identity theft cost nearly $53 billion in 2002, and there is currently a better than one in 700 chance of being caught, making it both relatively safe and highly lucrative. The GLB as it stands is not protective enough, and, adding to the complexity, it can be superseded by stricter individual state laws. This can potentially force companies to comply with up to fifty different laws, which could have slightly different or, worse, conflicting requirements.
Sarah Scalet simplifies the issues with the GLB down to two simple options, if one grants the proposition that stricter security measures need to take place: “At this point, we have two options. We can see GLBA as a learning experience for how privacy regulations should be drafted and enforced, or we can use it as fodder for the debate that privacy regulation is a bad idea. CIOs are in a unique position to get involved in the creation of those regulations or to get their houses in order so that they can argue, effectively, that regulations are unnecessary.”
Compare and Contrast
HIPAA and GLB both introduce the concept of regulation to different industries, and in vastly different ways. The final rule devised by Health and Human Services for HIPAA was clearly written with intelligent input from people in the health computing field, resulting in clear, understandable and reasonable actions required for compliance (see chart at back). The GLB does not do an adequate job of integrating these two related topics, of specifying methods which would be acceptable, or of setting clear standards to evaluate compliance. The GLB also suffers from a failure to take the global nature of the financial world into account, which limits the ability of the United States to act unilaterally.
GLB is very minimalist in the way of protections and security required, and it is rather likely that any state law passed would be stricter and thus supersede the federal law. Due to the lack of a baseline standard, some states could create fairly stringent requirements for some areas of the business while other states have a different focus, and a company working in both states would have to comply with both. If too many compliance dates are set for around the same time, it could be an enormous financial setback, or actually impossible, for a company to meet them all.
In contrast, HIPAA requires a reasonable level of security, and the writing of the Security Rule provides a fairly good goal. While individual states could make the security requirements more stringent, making some of the addressable items mandatory or adding something new or more specific (such as specifying that public-private key encryption be used), it is very difficult to imagine a reasonable scenario in which the laws would conflict.
Analysis: What Does the Future Hold?
Privacy and security are growing concerns as virus and worm attacks become more numerous year by year, as identity theft costs more and more, and as public leaders become more and more computer literate. As computer security becomes more of an industry in its own right, solutions may be forthcoming. Sun Microsystems Inc., Divine Inc. and Digex Inc. have previously announced outsourced HIPAA solutions (Fonseca). Slightly modified versions could very well be offered to other industries if an incident highlights the importance of business information.
The problem is that putting money into security takes away from money put elsewhere, and good security does not pay for itself in obvious ways. If security comes more into the public eye, it could become a bigger priority for consumers, enabling more secure companies to charge more and thus justify the resources security takes up. A major incident will galvanize the government into passing standards of wider scope, or possibly more stringent ones than the current, rather reasonable, HIPAA standards. In many cases, industry is slowly moving towards rational and reasonable security measures as its situation warrants. With the Middle East taking political attention, and the economy coming close behind, the likelihood of any swift action taking place, barring some incident of immediate and large scope, is very slim. Looking at the general track record of business, I do feel some regulation will have to take place. The auto industry fought making seatbelts mandatory, drug companies always push to rush FDA approval, and food companies do want to have organic labels for their products. Companies will generally oppose policies which require a diversion of resources they had expected to use to generate further revenue. With around $22 billion in initial IT costs for a 1 trillion dollar industry (Brewin Health), imagine the cost if all applicable industries had to comply with HIPAA-like standards. Clearly this is a huge cost in time and money, but it is also very necessary. What makes it so necessary is that HIPAA does not require anything esoteric, just good security, which should be standard practice for any business.
Works Cited
“Boulder Computer Services Firm Encourages Companies to Prevent Computer Hackers and Consumer Identity Theft.” Posted 10-17-2003.
Brewin, Bob. “Health Care Group: Lack of IT Leads to Deaths.” Computerworld, 4-22-2002.
Brewin, Bob. “New HIPAA Security Rules Could Open Door to Litigation.” Computerworld, 2-20-2003.
Federal Register. “Health Insurance Reform: Security Standards; Final Rule.” 45 CFR Parts 160, 162, and 164, 2-20-2003.
Fonseca, Brian. “Sun, Digex and Divine Push Outsourced HIPAA Solutions.” Computerworld, 1-30-2002.
Glass, Michelle R. and Hoeg, Gregory J. “The Likely Impact of the Gramm-Leach-Bliley Financial Modernization Act of 1999.” Posted 6-22-2000 at
Scalet, Sarah D. “Managing HIPAA’s Pain.” CSO, April 2004.
Watson Wyatt Insider. “Bigger Than a Breadbox: The Impact of HIPAA on American Employers.” April 2003.