Forces of Change

Compliance

While the major regulatory compliance regimes like Sarbanes-Oxley, HIPAA, GLBA, PCI, and NERC/FERC were put in place years ago, the compliance landscape continues to change. Three examples are FTC’s Red Flag Rules, Massachusetts 201 CMR 17, and ARRA/HITECH.

Red Flags Rules

The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Mass 201 CMR 17

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

ARRA/HITECH

President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D). Our focus in this posting is the change related to business associates under HIPAA Administrative Simplification that is specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. In this section, administrative, physical, and technical safeguards, and policy, procedure, and documentation requirements of the HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.

The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” The additional requirements include civil and criminal penalties, notification provisions for a breach, and application of “guidance on the most effective and appropriate technical safeguards” as determined by the Secretary of Health and Human Services (HHS), amongst other requirements. These changes become effective one year after enactment of ARRA on February 17, 2010.