Which Federal Privacy Laws Affect Your Business?

In 1974 the Privacy Act codified a Code of Fair Information Practice governing the collection, maintenance, use, and dissemination of personally identifiable information that federal agencies keep in their systems of records.  The Act requires federal agencies to protect the privacy of individuals with regard to the information held about them and makes those agencies liable for records disclosed without proper authorization.  Since then numerous laws have been enacted, so that information your business captures today is very likely covered by a federal law protecting patient, employee, or consumer privacy.  Some items may not initially seem private but actually contain information that, if not secured or properly destroyed, could expose an organization to trade secret theft.  Under the Economic Espionage Act of 1996 (EEA), information qualifies as a trade secret only if its owner has taken “reasonable measures” to keep it secret, so the government will only protect companies that guard their own information.  Those items could include:

  • Brainstorming notes
  • Misaligned forms and copies
  • Phone logs
  • Sales call reports
  • Shipping data
  • Market analysis

Financial Services

Gramm-Leach-Bliley Act (1999), also known as the Financial Services Modernization Act – This Act requires financial institutions – companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.  Its Privacy Rule requires many companies to give consumers privacy notices that explain the institution’s information-sharing practices, and its Safeguards Rule requires financial institutions to secure customer records and information.  Note that the law defines “financial institution” broadly, so it covers many businesses that would not describe themselves that way, such as mortgage brokers, tax preparers, and debt collectors.

A sample of documents affected:

  • Account data
  • Banking information
  • Cancelled checks
  • Copies of checks
  • Customers’ addresses and names
  • Loan information
  • Social Security numbers

Consumer Services

The Fair and Accurate Credit Transactions Act (FACTA) – a United States federal law passed by Congress on November 22, 2003, as an amendment to the Fair Credit Reporting Act.  The Act contains provisions to help reduce identity theft, such as the ability for individuals to place fraud alerts on their credit files if identity theft is suspected, or active-duty alerts when deploying overseas in the military, making fraudulent applications for credit more difficult.  It also requires the secure disposal of consumer report information; the FTC’s Disposal Rule implements this requirement and applies to any business that possesses consumer report information for a business purpose, not only to financial institutions.

A sample of documents affected:

  • Account data
  • Customers’ names and addresses
  • Drafts of contracts, letters or proposals
  • Obsolete contracts
  • Obsolete records
  • Sales information
  • Social Security Numbers

Health Care

Health Insurance Portability & Accountability Act (HIPAA) – The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain electronic transactions).  By regulation, the Department of Health and Human Services extended the HIPAA Privacy Rule to independent contractors of covered entities who fit within the definition of “business associates”.  PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.  This is interpreted rather broadly and includes any part of an individual’s medical record or payment history.

HIPAA was enacted in 1996 and the mandatory compliance date for the Privacy Rule was April 14, 2003.  Hospitals, doctors, pharmacies, health plans, medical billing companies and any other business entity that qualifies as a covered entity or business associate must comply, and the rules apply to all protected health information they hold.  The Standards for Privacy of Individually Identifiable Health Information require that covered entities put in place administrative, technical and physical safeguards to protect the privacy of protected health information.  One example given of a safeguard for the proper disposal of paper documents containing protected health information is that the documents be shredded prior to disposal.

A sample of documents affected:

  • Medical information
  • Patient billing information
  • Patient names
  • Phone logs
  • Social Security numbers
  • Insurance information