Top privacy issues for 2010: 1. Regulatory landscape - Ernst & Young - Global

Top privacy issues for 2010

Privacy risk 1: Regulatory landscape

In the United States, although there is no overarching privacy law, a complex arrangement of federal laws and even more complex state laws govern the use of personal information in different industries and contexts.

The changes brought about by the HITECH Act¹ (part of the ARRA², which was signed into law in February 2009) are still keeping many companies busy in 2010. This law amended HIPAA³ and has established requirements that reach far beyond the health care industry by stating the data protection responsibilities of business partners and vendors that handle protected health information (PHI) on behalf of health care organizations.

Other provisions in the HITECH Act underscore existing HIPAA requirements and specify enhancements related to their implementation. The HITECH Act also adds requirements around breach notification for protected health information, which is a new consideration and goes further than most of the existing breach notification rules that had focused on financial information and identity theft.


The implementation process that organizations will go through to address these new requirements will continue beyond 2010 as the US Department of Health and Human Services (HHS) and the Federal Trade Commission continue to provide guidance and final requirements for the different provisions.

Outside the US, national data protection laws are well established in Europe, Canada and some Pacific Rim countries. Although data protection authorities have identified the need to develop consistent privacy standards (for example, in the recent Madrid resolution⁴), the laws still vary greatly on many issues. Privacy regulations in different countries continue to evolve.

Breach notification requirements are at different stages of consideration and development across the globe. In addition, regulators other than privacy commissioners (financial industry regulators, for example) are increasingly involved in enforcing the rules on the handling of personal information.

Security and protection of personal information is generally a requirement, no matter where it is held and to whom it is transferred.



Ask yourself

In keeping up with the changing regulatory landscape, have you:

  • Recently reviewed the regulatory changes in jurisdictions in which you operate and have you assessed your compliance with them?
  • Updated your policies to reflect the changes in the regulations that affect your organization?

¹ Health Information Technology for Economic and Clinical Health (HITECH) Act
² American Recovery and Reinvestment Act (ARRA)
³ Health Insurance Portability and Accountability Act (HIPAA)
⁴ See the Madrid conference website.
