Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Protecting Personnel Information and Privacy
Beginning June 1, 2005,
a new federal rule requires businesses and individuals to
take appropriate measures to dispose of sensitive
information derived from consumer reports. Any business or
individual who uses a consumer report for a business purpose
is subject to the requirements of the Disposal Rule, a part
of the Fair and Accurate Credit Transactions Act of 2003 (FACTA),
which calls for the proper disposal of information in
consumer reports and records to protect against
"unauthorized access to or use of the information."
The Rule applies to individuals and to organizations of any size
that use consumer reports, including: consumer reporting
companies; lenders; insurers; employers; landlords; government
agencies; mortgage brokers; car dealers; attorneys; private
investigators; debt collectors; individuals who pull consumer
reports on prospective household employees, such as nannies or
contractors; and entities that maintain information from
consumer reports as part of their role as a service provider to
other organizations covered by the Rule.
The Disposal Rule applies to consumer reports or information
derived from consumer reports. The Fair Credit Reporting Act
defines the term consumer report to include information
obtained from a consumer reporting company that is used - or
expected to be used - in establishing a consumer's
eligibility for credit, employment, or insurance, among
other purposes. Examples of consumer reports include credit
reports, credit scores, reports businesses or individuals
receive with information relating to employment background,
check writing history, insurance claims, residential or
tenant history, or medical history.
The Rule requires disposal practices that are reasonable and
appropriate to prevent unauthorized access to, or use of,
information in a consumer report. For example, reasonable
measures for disposing of consumer report information could
include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report
information so that the information cannot be read or
reconstructed;
- destroy or erase electronic files or media containing
consumer report information so that the information cannot be
read or reconstructed; or
- conduct due diligence and hire a document destruction
contractor to dispose of material specifically identified as
consumer report information consistent with the Rule.
Due diligence could include: reviewing an independent audit of
a disposal company's operations and/or its compliance with the
Rule; obtaining information about the disposal company from
several references; requiring that the disposal company be
certified by a recognized trade association; or reviewing and
evaluating the disposal company's information security policies
or procedures.
Financial institutions that are subject to both the Disposal
Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule, which
requires institutions to take steps to protect sensitive
customer information, should incorporate practices dealing
with the proper disposal of consumer information into the
information security program that the Safeguards Rule
requires. Information is available at
http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html
Protecting Your Health Information
What you need to know about the Health Insurance Portability and Accountability Act (HIPAA).
Identity theft. Credit card fraud. Computer viruses. Concern for
the privacy and security of personal information has never been
greater, and we have never taken the safety and security of your
personal health care information more seriously.
While we have always gone to
great lengths to ensure the privacy of your personal health
information, we will soon be getting additional help from
the Federal Government in the form of new regulations. These
regulations will help standardize privacy and security
requirements across the country and across all different
types of health care organizations.
New Regulations Passed
The regulations are part of the Health Insurance Portability
and Accountability Act or HIPAA, for short. HIPAA does three
primary things:
- It helps standardize and
simplify the way health care organizations exchange
electronic health care data.
- It provides consumers
with additional protections for getting and maintaining
health insurance coverage; although, it does not
guarantee coverage.
- It creates new security
rules to ensure the safety and privacy of individual
health information and medical records.
HIPAA Ensures the Privacy and Security of Individual Health Information
Currently, individual state laws govern use and disclosure
of this information, creating many inconsistencies and gaps
in the way your health information is protected. HIPAA sets
minimum security and privacy standards for health care
organizations to follow. If a state has more stringent
privacy and security laws, then those would be followed
instead.
In addition, HIPAA sets heavy penalties for violations of these
standards and for the misuse of personal health information.
Defining Individual Health Information
Every time you go to see a doctor, are admitted to a hospital,
fill a prescription or send a claim to an insurance company, a
record is made of your confidential health information. This
type of information is referred to as individually identifiable
health information and is the type of information regulated by
HIPAA. It can be in any format: electronic, paper or oral.
Health care organizations that collect and manage this type of
information, and are therefore covered by these regulations,
include physicians, physical therapists, mental health
professionals, dentists, chiropractors, optometrists,
podiatrists, and others; hospitals; health plans, including
employer-sponsored group health plans; health care
clearinghouses such as claims processors; and other health care
organizations that conduct administrative and financial
transactions.
Added Control Over Health Information
Under HIPAA, you have new rights to understand and control
how your health information is used:
- Right to education - Health care providers and health plans
are required to provide you with a clear written explanation of
how they intend to use and disclose your information.
- Right to access medical records - You have the right to see
and get copies of your medical records, to request changes, and
to receive a history of non-routine disclosures of your personal
health information.
- Right to consent - Health care providers are required to
obtain your prior consent before sharing personal health
information for purposes other than treatment, payment and
health care operations.
- Right to recourse - You have the right to file a formal
complaint if you believe that the regulations have been
violated.