Security laws, regulations and guidelines directory

Page 3 of 4

1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by the Centers for Medicare & Medicaid Services.

2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.

3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.

4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by the Centers for Medicare & Medicaid Services.

5. Enforcement Rule: Provides standards for enforcing all the Administrative Simplification Rules.

Source: U.S. Department of Health and Human Services

The Health Information Technology for Economic and Clinical Health Act (HITECH)

What it covers: Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.

Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

Link to the law: (easy to read format)

More formal version:

Key requirements/provisions:

* Expansion of HIPAA security standards to "business associates," including people and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions.

* Increased civil penalties for "willful neglect."

* Data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to those in many state data breach laws covering personally identifiable financial information.

* Stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

* New limitations on the sale of protected health information, marketing and fundraising communications.

Source: U.S. Department of Health and Human Services

Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

What it covers: Enacted on January 19, 2009, PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety information, which includes information collected and created during the reporting and analysis of patient safety events.

These confidentiality provisions are intended to improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. The Office for Civil Rights administers and enforces the confidentiality protections provided to patient safety work product (PSWP). The Agency for Healthcare Research and Quality administers the provisions dealing with patient safety organizations (PSOs).

Who is affected: Healthcare providers, patients and individuals/entities that report medical errors or other patient safety events.

Link to the law:

Key requirements/provisions:

* Subpart A: Defines essential terms, such as patient safety work product (information collected and created during the reporting and analysis of patient safety events), patient safety evaluation system and patient safety organizations (PSOs).

* Subpart B: Provides the requirements for listing PSOs. These entities offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers.

* Subpart C: Describes the privilege and confidentiality protections that attach to patient safety work product and the exceptions to the protections.

* Subpart D: Establishes a framework to enable HHS to monitor and ensure compliance with the confidentiality provisions, a process for imposing a civil money penalty for breach of the confidentiality provisions, and hearing procedures.

Source: U.S. Department of Health and Human Services, Agency for Healthcare Research and Quality

H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

What it covers: The CFATS regulation went into effect in 2007 and was developed as part of the Homeland Security Appropriations Act. It imposes federal security regulations for high-risk chemical facilities, requiring covered chemical facilities to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans that include measures to satisfy the identified risk-based performance standards. The regulations are in place through October 2011, at which point they will either be made permanent or will be extended with tougher requirements. One requirement under consideration is the Inherently Safer Technologies provision that would require some facilities using, storing and manufacturing certain chemicals to possibly change processes and the chemicals used.

Who is affected: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.

Link to the law:

Key requirements/provisions: CFATS uses performance standards rather than prescriptive standards. These standards are "risk-based," meaning that security measures vary depending on each facility's determined level of risk.

To that end, DHS created a tiered system and assigned chemical facilities into one of four "risk" tiers, ranging from high (Tier 1) to low (Tier 4) risk. Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.

Once assigned a tier, facilities must comply with 19 categories of risk-based performance standards:

1. Restrict Area Perimeter

2. Secure Site Assets

3. Screen and Control Access

4. Deter, Detect, Delay

5. Shipping, Receipt and Storage

6. Theft and Diversion

7. Sabotage

8. Cyber

9. Response

10. Monitoring

11. Training

12. Personnel Surety

13. Elevated Threats

14. Specific Threats, Vulnerabilities, Risks

15. Reporting of Significant Security Incidents

16. Significant Security Incidents and Suspicious Activities

17. Officials and Organization

18. Records

19. Address any performance standards the Assistant Secretary may specify

Source: Department of Homeland Security

Section three: Key state regulations (with broad impact in the US)

Massachusetts 201 CMR 17 (aka Mass Data Protection Law)

What it covers: This Massachusetts law--which went into effect March 2010--works to protect the state's residents against fraud and identity theft. It requires that any business that stores or uses personally identifiable information about a Massachusetts resident develop a written, regularly audited plan to protect this information. It takes a risk-based approach--rather than a prescriptive one--to information security. That means it directs businesses to establish a security program that takes into account the business size, scope, resources, nature and quantity of data collected or stored and the need for security rather than requiring the adoption of every component of a stated program.

Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.

Link to the law:

Key requirements/provisions: Key requirements of the regulation include the following:

* A documented information security program, detailing technical, physical and administrative measures taken to safeguard personal information.

* Encryption of personally identifiable information--a name in combination with a Social Security number, bank account number or credit card number--when stored on portable devices, such as laptops, PDAs and flash drives, or transmitted wirelessly or on public networks.

* Selection of third-party service providers that can properly safeguard personal information.

* Designated employees charged with overseeing and managing security procedures in the workplace, as well as continuously monitoring and addressing security hazards.

* Limits on the collection of data to the minimum required for the intended purpose.

* Computer system security requirements, including secure user authentication protocols, access control measures, system monitoring, firewall protection, up-to-date security patches and security agent software, and employee education and training.

Source: Commonwealth of Massachusetts Office of Consumer Affairs

Nevada Personal Information Data Privacy Encryption Law NRS 603A

What it covers: In January 2010, Nevada was the first state to enact a data security law that mandates encryption for customers' stored and transported personal information.

Who is affected: Businesses that collect and retain personal information of Nevada residents.

Link to the law:

Key requirements/provisions: The law contains the following requirements:

* Data collectors that accept payment cards must comply with the current version of PCI DSS (see above).

* Businesses must encrypt any personal information that is electronically transmitted outside the business's secure system.

* Businesses must encrypt any personal information stored on a device (computer, phone, magnetic tape, flash drive, etc.) that is moved beyond the logical or physical controls of the data collector or its data storage contractor.

* Businesses are not liable for damages resulting from a security breach if they are in compliance with the law and the breach was not caused by gross negligence or intentional misconduct.

Source: State of Nevada, Paul Mudgett

Section four: Selected international security and privacy laws

Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)--Canada

What it covers: This Canadian privacy law governs how public and private organizations collect, use and disclose personal information in the course of business. It went into effect in January 2001 for federally regulated organizations and in January 2004 for all others.

In May 2010, Bill C-29 introduced numerous amendments to PIPEDA, involving exceptions for the use and disclosure of personal information without consent and further requirements for business transactions.

Who is affected: All private-sector companies doing business in Canada.

Link to the law:

Bill C-29 amendments:

Key requirements/provisions: PIPEDA establishes 10 principles to govern the collection, use and disclosure of personal information:

1. Accountability

2. Identifying Purposes

3. Consent

4. Limiting Collection

5. Limiting Use, Disclosure and Retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual Access

10. Challenging Compliance

Sources: BearingPoint, Office of the Privacy Commissioner of Canada

Law on the Protection of Personal Data Held by Private Parties--Mexico

What it covers: Published in July 2010, this Mexican law requires organizations to have a lawful basis--such as consent or legal obligation--for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify a government body of processing activities, as there is in many European countries, companies handling personal data must furnish notice to the affected persons. Individuals must also be notified in the event of a security breach.

Link to the law (Spanish language):

Who is affected: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.

Key requirements/provisions: In addition to addressing data retention, the law also incorporates eight general principles that data controllers must follow in handling personal data:

* Legality

* Consent

* Notice

* Quality

* Purpose Limitation

* Fidelity

* Proportionality

* Accountability

Source: Information Law Group
