Information Privacy Laws

  • Identify, specify, or describe computer and network ethical, legal, and privacy issues.

    • Recognize laws that regulate privacy issues.

In today's computerized world, a great deal of information is collected about individuals by government agencies and private organizations.

The United States federal government and other countries have enacted laws designed to protect the privacy of citizens in specified circumstances. Some states have their own privacy laws, as well.

Some of the U.S. federal laws that address privacy issues include

  • The Privacy Act of 1974

  • The Right to Financial Privacy Act of 1978

  • The Cable TV Privacy Act of 1984

  • The Bank Secrecy Act

  • The Fair Credit Reporting Act

  • The Electronic Communications Privacy Act

Privacy legislation often makes exceptions for law enforcement agencies and, in fact, a number of laws are designed to aid police agencies in conducting surveillance, such as the Communications Assistance for Law Enforcement Act (CALEA) passed by the U.S. Congress in 1994. This act establishes legal requirements for telecom providers and equipment manufacturers on surveillance capabilities that must be built into telephone systems.

Other countries and jurisdictions have enacted privacy legislation, in some cases more stringent than that of the United States. Examples include the laws in European countries based on the European Union's Data Protection Directives.

Industry-Specific Privacy Issues

Laws have also been enacted that address privacy issues in particular fields. In the United States, these include the Health Insurance Portability and Accountability Act (HIPAA) governing the healthcare industry and the Gramm-Leach-Bliley (GLB) Act governing financial institutions.

HIPAA

HIPAA covers medical practices that conduct electronic transactions, such as filing of health insurance claims and processing payments. Each practice is required to appoint a “privacy official” who is responsible for developing policies governing the privacy protection of patient information.

EXAM TIP

Electronic Transmission of Health Information

Under HIPAA, when protected health information is transmitted electronically, security standards must be in place to protect the integrity of the transmission and authenticate the sender.


Notice of the privacy policies must be provided to patients, and must include the following information.

  • A description of the types of uses and disclosures that you are permitted to make for treatment, payment, and healthcare operations

  • A description of other uses and disclosures that you are permitted to make without the patient's consent or authorization (for example, law enforcement, public health)

  • An explanation that you will not use or disclose information for other purposes without the patient's specific authorization

  • An explanation of the patients' right to inspect and copy their medical records and to receive an accounting of disclosures

  • An explanation of your duty to maintain confidentiality

  • A description of how patients can register a complaint about privacy practices and whom to contact for further information

HIPAA also requires that healthcare professionals document any time they disclose patient information to outside entities.

NOTE

HIPAA Regulations

The HIPAA regulations set out by federal law do not override state laws that may impose more stringent privacy protections, so it is important for security specialists working in the healthcare industry to also know the state laws governing privacy of patient information (for example, some states have strict regulations regarding release of results of HIV testing).


The effective date for HIPAA compliance is April 14, 2003, so medical practices are scrambling to learn more about it and start changing their procedures to come into compliance. It is essential that computer security personnel who work in the healthcare industry become familiar with the requirements of HIPAA.

Civil and criminal penalties can be imposed by the Department of Health and Human Services (HHS) for violations of the HIPAA regulations, ranging from a $100-per-violation civil penalty up to $250,000 and 10 years' imprisonment for obtaining or disclosing protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

GLB

The GLB Act covers all financial institutions in the United States that provide financial products or services to consumers (that is, to individuals rather than exclusively to businesses). Financial products and services include

  • Lending money

  • Investing on behalf of others

  • Insuring against loss

  • Providing financial advice

  • Cashing checks

  • Wire transfers

  • Collecting debts

  • Preparing taxes

  • Credit counseling

The GLB Act governs disclosure of clients' nonpublic personal information. Basically, it stipulates that institutions may not disclose this information to any nonaffiliated third party unless they first provide a privacy notice and a reasonable opportunity for the consumer to “opt out” of the disclosure.

The GLB privacy rule does not supersede other laws (for example, the privacy restrictions in section 7216 of the Internal Revenue Code). Where there are other federal or state laws that impose more stringent restrictions than the GLB, those laws still apply.

Subtitle B of the Act prohibits fraudulent access to financial information (a number of exceptions exist; these restrictions do not apply to law enforcement agencies, insurance investigators, or agencies collecting child support judgments). A violation falling under this subtitle is a criminal offense, punishable by up to 5 years' imprisonment (10 years in aggravated cases, defined as committing the violation in conjunction with violating another federal law, or as part of a pattern of illegal activity that involves more than $100,000 in a 12-month period).

Security specialists who work in the financial services industry should become acquainted with the provisions of the GLB Act.

REVIEW BREAK

  • There are many different types of computer and computer-related crimes. Some of these involve acts that have long been considered crimes (such as fraud, harassment, child pornography, or theft); others are specific to the computer age (such as denial-of-service attacks). Some actions fall into “gray areas” of law, with some jurisdictions defining them as criminal, whereas the same acts are legal in other jurisdictions.

  • Privacy is an important issue to many people in the information age, in which so much personal data is collected and stored on computers attached to networks. States and countries have enacted laws to protect the privacy of individuals and require that industries dealing with sensitive personal data take steps to secure it from unauthorized access. Industry-specific laws that govern privacy include HIPAA (health care industry) and the GLB Act (financial services industry).

