
Brinks Ch 26


Page 1: Brinks Ch 26

HIPAA, GLBA, and Other Compliance Requirements

This chapter looks at three items of legislation with wide impact, particularly for U.S.-based internal auditors. The first of these is the Health Insurance Portability and Accountability Act (HIPAA). An internal auditor might argue, “I do internal audits for a manufacturing company. Why should I worry about health insurance–related legislation?” HIPAA’s focus is on healthcare providers, but it addresses a wide range of personal privacy records that impact all U.S. enterprises, and it has caused changes in such areas as information technology (IT) security and human resource (HR) functions. Every enterprise that carries employee health insurance data in its HR records needs to be aware of HIPAA rules, and internal auditors can often be a major aid to management in highlighting potential HIPAA controls and violations.

Popular descriptive titles for U.S. federal legislation are often based on the names of the original legislative sponsors. For example, Senator Paul Sarbanes and Representative Michael Oxley have brought us the Sarbanes-Oxley Act. Another legislative item of about the same period is the Gramm-Leach-Bliley Act of 1999 (GLBA), named after Senator Phillip Gramm and others. This legislation requires financial institutions to further protect and audit their data and to take special care when sharing these data with others. While directed at financial institutions, GLBA impacts many enterprises, and this chapter discusses its main components affecting internal auditors.

HIPAA has had a large and growing impact on the entire healthcare industry and all affiliated delivery providers. Even more significantly, HIPAA rules cover a wide range of business processes based on electronic commerce.

The original HIPAA legislation has four primary objectives:

1. Ensure health portability by eliminating preexisting condition health care restrictions. This was the original motivation that led to the passage of HIPAA. People who were diagnosed with some condition often were unable to acquire new health insurance coverage when changing employers because preexisting conditions were shared with potential new employers, who did not want to cover or insure those conditions.

2. Reduce healthcare fraud and abuse. The congressional hearings leading to the legislation cited examples of alleged fraud and abuse.

3. Enforce standards for health information. This enforcement is covered by the HIPAA privacy and security rules to be outlined in this chapter.

4. Guarantee security and privacy of health information. An overall objective of HIPAA is that healthcare information is a personal issue that should not be openly shared with others.

a. HIPAA Patient Record Privacy Rules

HIPAA privacy rules cover five general areas, which are briefly outlined next. These comments do not provide exhaustive coverage of HIPAA rules and are not intended to be a reference source for them; they are intended to give the nonmedical professional an overview of these new HIPAA rules:


1. Medical records uses and disclosures. An enterprise that is subject to HIPAA rules must take steps to limit the use and disclosure of personal medical information to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request” for non–treatment-related matters.

2. Authorization requirements. This is the section of HIPAA that many users of healthcare services first encounter.

3. Privacy practice communications. Healthcare providers must have published privacy practices that they should supply to healthcare users.

4. Medical record access and amendment rights. Individuals have the right to inspect and copy all or a portion of their personal health information.

5. HIPAA privacy administration. Going beyond the records access and disclosure rules, HIPAA has an extensive set of privacy administrative requirements that apply to what are called “covered entities”—medical offices, laboratories, hospitals, and all others involved with personal healthcare. These privacy administration rules include:

The provider must designate a “Privacy Official” who is responsible for the development and implementation of these HIPAA policies and procedures.

The provider must train members of its workforce on these HIPAA privacy-related policies and procedures and must maintain documentation to demonstrate that the training has been provided.

A healthcare provider must have in place administrative, technical, and physical safeguards to protect the privacy of personal health information.

The healthcare provider must apply “appropriate sanctions” against employees who fail to comply with these privacy policies and procedures.

The provider must develop and implement policies and procedures that are designed to comply with the elements of the HIPAA regulations, and this documentation must be maintained in written or electronic form for six years.

b. Cryptography, PKI, and HIPAA Security Requirements

The HIPAA Security Standards rules were not finalized and put into effect until April 2003, and compliance with them was not required until 2006. Among other areas, these rules apply to what HIPAA calls “covered entities,” such as:

Doctors and other healthcare providers who process healthcare claims electronically

Health plans, including enterprises that “self-insure”

Healthcare clearinghouses—billing services and others that provide data formatting services for electronic claims submission

c. HIPAA Security Administrative Procedures


HIPAA requires administrative procedures to be in place to guard data integrity, confidentiality, and availability. These procedures must be carefully documented per HIPAA rules, and Exhibit 26.2 lists some of these “required” administrative procedures. The exhibit also lists the implementation rules in a very general manner; published HIPAA rules tend to be very detailed. Many of these requirements, such as a requirement for a documented and tested contingency plan or formal policies for information access controls, are similar to the control procedures internal auditors have been recommending over the years.

Risk analysis.

Risk management.

Sanctions policy.

Information systems security activity reporting.

Incident response.

Backup procedures.

Disaster recovery.

Emergency mode of operations.

Related business contracts.

Disposal of patient information.

Media reuse.

Unique user identification.

Emergency access procedures.

Documentation.

d. Technical Security Services and Mechanisms

Access control. Strong control mechanisms based on the context of the data or the role/position of authorized users must be established. In addition, control processes must always be in place to allow emergency access from data center operations if required.

Audit controls. Here and throughout all of the HIPAA rules are requirements for strong audit controls, including such things as documentation revision processes and traditional audit trails.

Data authentication. Strong systems controls over data integrity are required. These are the same types of application controls discussed in Chapter 19.

Entity authentication. Controls must be in place such that when one workstation attempts to access another, it should be authenticated. This process may include passwords, telephone callbacks, or even biometric controls. This requirement goes beyond many enterprise practices in place today where information is often freely shared through an e-mail note with attachments.


Communications and network controls. A wide range of controls are suggested here, including alarms, encryption, event reporting, message authentication, and others. The HIPAA-impacted enterprise must implement a very secure network.
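As an added illustration of how the access control, audit control, and entity/user identification requirements listed above fit together in practice, the following Python sketch models a role- and context-based access decision with an emergency (“break-glass”) path and a tamper-evident audit trail. This is example code written for this page, not code from the book or from any HIPAA publication; the role names, record fields, user IDs, and policy table are constructed assumptions, not a regulatory specification.

```python
"""Constructed example of the HIPAA technical safeguards named in this section:
role- and context-based access control, unique user identification, emergency
("break-glass") access, and a hash-chained audit trail. The roles, field names
and policy table are assumptions made for this illustration."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Fields each role may read in the ordinary course of work ("minimum necessary").
# Role and field names are constructed for this example.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "diagnosis", "medications", "lab_results"},
    "nurse":     {"demographics", "medications"},
    "billing":   {"demographics", "billing_codes"},
    "hr":        {"demographics", "insurance_plan"},
}
CLINICAL_FIELDS = {"diagnosis", "medications", "lab_results"}  # require a treatment relationship
EMERGENCY_ROLES = {"physician", "nurse"}                        # may invoke break-glass access


@dataclass
class AuditEvent:
    seq: int
    user_id: str        # unique user identification: one person, one account, never shared
    role: str
    patient_id: str
    field_name: str
    decision: str       # "allow", "allow-emergency" or "deny"
    reason: str
    prev_hash: str      # digest of the previous event, forming a chain
    digest: str = ""    # digest of this event, computed over all fields above

    def compute_digest(self) -> str:
        payload = "|".join(str(v) for v in (self.seq, self.user_id, self.role, self.patient_id,
                                            self.field_name, self.decision, self.reason,
                                            self.prev_hash))
        return hashlib.sha256(payload.encode()).hexdigest()


class AccessControl:
    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def _record(self, user_id, role, patient_id, field_name, decision, reason) -> AuditEvent:
        prev = self.audit_log[-1].digest if self.audit_log else "0" * 64
        ev = AuditEvent(len(self.audit_log), user_id, role, patient_id, field_name,
                        decision, reason, prev)
        ev.digest = ev.compute_digest()
        self.audit_log.append(ev)
        return ev

    def check(self, user_id: str, role: str, patient_id: str, field_name: str,
              treating: bool = False, emergency_justification: Optional[str] = None) -> bool:
        """Decide one access request; every outcome, allowed or denied, is logged."""
        if role not in ROLE_PERMISSIONS:
            self._record(user_id, role, patient_id, field_name, "deny", "unknown role")
            return False
        permitted = field_name in ROLE_PERMISSIONS[role]
        context_ok = field_name not in CLINICAL_FIELDS or treating
        if permitted and context_ok:
            self._record(user_id, role, patient_id, field_name, "allow", "role and context permit")
            return True
        # Break-glass: clinical staff may bypass the treatment-relationship check only
        # with a stated justification; the event is tagged distinctly for later review.
        if role in EMERGENCY_ROLES and permitted and emergency_justification:
            self._record(user_id, role, patient_id, field_name, "allow-emergency",
                         emergency_justification)
            return True
        self._record(user_id, role, patient_id, field_name, "deny", "not permitted for role/context")
        return False

    def emergency_accesses(self) -> List[AuditEvent]:
        """Events the privacy official should review after the fact."""
        return [e for e in self.audit_log if e.decision == "allow-emergency"]

    def verify_audit_trail(self) -> bool:
        """Recompute the hash chain; any edited, reordered or deleted entry breaks it."""
        prev = "0" * 64
        for i, ev in enumerate(self.audit_log):
            if ev.seq != i or ev.prev_hash != prev or ev.compute_digest() != ev.digest:
                return False
            prev = ev.digest
        return True


def demo() -> dict:
    """Run a handful of constructed requests and report the decisions."""
    ac = AccessControl()
    results = {
        "billing_reads_codes": ac.check("u1001", "billing", "p42", "billing_codes"),
        "billing_reads_diagnosis": ac.check("u1001", "billing", "p42", "diagnosis"),
        "physician_treating": ac.check("u2002", "physician", "p42", "diagnosis", treating=True),
        "physician_not_treating": ac.check("u2003", "physician", "p42", "diagnosis"),
        "physician_break_glass": ac.check("u2003", "physician", "p42", "diagnosis",
                                          emergency_justification="ER admission, patient unconscious"),
        "unknown_role": ac.check("u9999", "contractor", "p42", "demographics"),
    }
    results["emergency_events"] = len(ac.emergency_accesses())
    results["trail_intact"] = ac.verify_audit_trail()
    ac.audit_log[1].decision = "allow"   # simulate someone editing a logged denial
    results["trail_after_tamper"] = ac.verify_audit_trail()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter to an auditor reviewing such a mechanism: denials are logged as carefully as approvals, because a pattern of denied requests is itself evidence, and emergency access is allowed but tagged so that a privacy official can reconcile every break-glass event against a justification afterward. The hash chain makes after-the-fact edits to the trail detectable, which is the integrity property the “audit controls” and “data authentication” requirements call for.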

e. Going Forward: HIPAA and E-Commerce

Beyond just pertaining to healthcare enterprises, these complex and important rules apply whenever health-related records are maintained by an HR function. An internal auditor can find more HIPAA information on the Web from two important sources:

1. U.S. Department of Health and Human Services. Copies of HIPAA rules and other supporting reference materials are available from http://hhs.gov/ocr/hipaa.

2. HIPAA Advisories. A site maintained by Phoenix Health Systems as a public service is a good source for HIPAA information; see www.hipaadvisory.com.

Gramm-Leach-Bliley Act Internal Audit Rules (GLBA)

Officially known as the Financial Modernization Act of 1999, the GLBA is a privacy-related set of U.S. requirements with an objective to protect consumers’ personal financial information that is held by financial institutions. This legislation has three principal parts:

1. The Financial Privacy Rule

2. The Safeguards Rule

3. What is called its “pretexting provisions”

(a) GLBA Financial Privacy Rules

GLBA-mandated privacy notices must contain these information elements:

The types of nonpublic personal information an enterprise collects regarding its customer

The types of nonpublic personal information the enterprise will disclose to others about the customer

The parties to whom the enterprise discloses this information, other than under an exception to the prohibition on nondisclosure

The customer or client’s right to “opt out” of the disclosure along with simple rules for opting out

Enterprise policies with respect to sharing information about a person who is no longer a customer or client

Enterprise practices for protecting the confidentiality and security of the customer’s or client’s nonpublic personal information

(b) GLBA Safeguards Rule


Internal auditors should be aware of how a U.S.-based enterprise can demonstrate compliance with the GLBA safeguard rule through five steps:

1. Environmental risk analysis. The enterprise should formally identify the internal and external risks to the security, confidentiality, and integrity of all customer personal information. Risk analysis approaches were discussed in Chapter 6. This process should cover the risks of loss or disclosure for all sources of personal information, whether on automated systems or manual records.

2. Designing and implementing safeguards. These safeguards are essentially the internal control procedures discussed in Chapter 3 as part of the Committee of Sponsoring Organizations (COSO) internal controls framework and elsewhere throughout this book.

3. Monitoring and auditing. Continuous audit assurance monitoring processes, such as discussed in Chapter 29, should be in place. Internal audit can play an important monitoring and auditing role here by regularly scheduling reviews of the adequacy of the security plan, coupled with appropriate compliance tests.

4. Constant improvements program. The enterprise should have a program in place to constantly improve its security plan. That program should be well documented to describe the plan’s progress in improving any weaknesses found.

5. Overseeing security providers and partners. Many partners and other enterprises may have access to this same personal information or to systems network connections where personal privacy can be violated. Adequate policies, controls, and audit procedures need to be in place here as well.

(c) GLBA Pretexting Provisions

Under GLBA’s Pretexting Provisions, it is illegal for anyone to:

Use false, fictitious, or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.

Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.

Ask another person to get someone else’s customer information using false, fictitious, or fraudulent statements or using false, fictitious, or fraudulent documents or forged, counterfeit, lost, or stolen documents.

Pretexting leads to a new security and privacy risk or exposure: identity theft.

This occurs when someone hijacks your personal identifying information to open new charge accounts, order merchandise, or borrow money. Consumers targeted by identity thieves usually do not know they have been victimized until the hijackers fail to pay the bills or repay the loans, and collection agencies begin dunning targeted consumers for payment of accounts they did not even know they had. According to the FTC, the most common forms of identity theft are:

Credit card fraud. A credit card account is opened in a consumer’s name or an existing credit card account is “taken over.”


Communications services fraud. The identity thief opens telephone, cellular, or other utility service in the consumer’s name.

Bank fraud. The identity thief opens a checking or savings account in the consumer’s name and/or writes fraudulent checks.

Fraudulent loans. The identity thief gets a loan, such as a car loan, in the consumer’s name.