
HIPAA, GLBA, and Other Compliance Requirements

This chapter looks at three items of legislation with wide impact, particularly for U.S.-based internal auditors. The first of these is the Health Insurance Portability and Accountability Act (HIPAA). An internal auditor might argue, "I do internal audits for a manufacturing company. Why should I worry about health insurance-related legislation?" HIPAA's focus is on healthcare providers, but it addresses a wide range of personal privacy records that impact all U.S. enterprises, and it has caused changes in such areas as information technology (IT) security and human resource (HR) functions. Every enterprise that carries employee health insurance data in its HR records needs to be aware of HIPAA rules, and internal auditors can often be a major aid to management in highlighting potential HIPAA controls and violations.

Popular descriptive titles for U.S. federal legislation are often based on the names of the original legislative sponsors. For example, Senator Paul Sarbanes and Representative Michael Oxley brought us the Sarbanes-Oxley Act. Another legislative item of about the same period is the Gramm-Leach-Bliley Act of 1999 (GLBA), named after Senator Phillip Gramm and others. This legislation requires financial institutions to further protect and audit their data and to take special care when sharing these data with others. While directed at financial institutions, GLBA impacts many enterprises, and this chapter discusses its main components affecting internal auditors.

HIPAA has had a large and growing impact on the entire healthcare industry and all affiliated delivery providers. Even more significantly, HIPAA rules cover a wide range of business processes based on electronic commerce. The original HIPAA legislation has four primary objectives:

1. Ensure health portability by eliminating preexisting-condition healthcare restrictions. This was the original motivation that led to the passage of HIPAA. People who were diagnosed with some condition often were unable to acquire new health insurance coverage when changing employers, because preexisting conditions were shared with potential new employers, who did not want to cover or insure those conditions.
2. Reduce healthcare fraud and abuse. The congressional hearings leading to the legislation cited examples of alleged fraud and abuse.
3. Enforce standards for health information. This enforcement is covered by the HIPAA privacy and security rules outlined in this chapter.
4. Guarantee security and privacy of health information. An overall objective of HIPAA is that healthcare information is a personal issue that should not be openly shared with others.

a. HIPAA Patient Record Privacy Rules

HIPAA privacy rules cover five general areas, which are briefly outlined next. These comments do not provide exhaustive coverage of, and are not intended to be a reference source for, HIPAA rules; they are intended to give the nonmedical professional an overview of these HIPAA rules:

1. Medical records uses and disclosures. An enterprise that is subject to HIPAA rules must take steps to limit the use and disclosure of personal medical information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request for nontreatment-related matters.
2. Authorization requirements. This is the section of HIPAA that many users of healthcare services first encounter.
3. Privacy practice communications. Healthcare providers must have published privacy practices that they should supply to healthcare users.
4. Medical record access and amendment rights. Individuals have the right to inspect and copy all or a portion of their personal health information.
5. HIPAA privacy administration. Going beyond the records access and disclosure rules, HIPAA has an extensive set of privacy administrative requirements that apply to what are called covered entities: medical offices, laboratories, hospitals, and all others involved with personal healthcare. These privacy administration rules include:
   - The provider must designate a Privacy Official who is responsible for the development and implementation of these HIPAA policies and procedures.
   - The provider must train members of its workforce on these HIPAA privacy-related policies and procedures and must maintain documentation to demonstrate that the training has been provided.
   - A healthcare provider must have in place administrative, technical, and physical safeguards to protect the privacy of personal health information.
   - The healthcare provider must apply appropriate sanctions against employees who fail to comply with these privacy policies and procedures.
   - The provider must develop and implement policies and procedures that are designed to comply with the elements of the HIPAA regulations, and this documentation must be maintained in written or electronic form for six years.

b. Cryptography, PKI, and HIPAA Security Requirements

The HIPAA Security Standards rules were not finalized and put into effect until April 2003, and compliance with these rules did not take effect until 2006. Among other areas, these rules cover what HIPAA calls covered entities, such as:
   - Doctors and other healthcare providers who process healthcare claims electronically
   - Health plans, including enterprises that self-insure
   - Healthcare clearinghouses: billing services and others that provide data formatting services for electronic claims submission

c. HIPAA Security Administrative Procedures

HIPAA requires administrative procedures to be in place to guard data integrity, confidentiality, and availability. These procedures must be carefully documented per HIPAA rules, and Exhibit 26.2 lists some of these required administrative procedures. The exhibit also lists the implementation rules in a very general manner; published HIPAA rules tend to be very detailed. Many of these requirements, such as a requirement for a documented and tested contingency plan or formal policies for information access controls, are similar to the control procedures internal auditors have been recommending over the years.

   - Risk analysis.
   - Risk management.
   - Sanctions policy.
   - Information systems security activity reporting.
   - Incident response.
   - Backup procedures.
   - Disaster recovery.
   - Emergency mode of operations.
   - Related business contracts.
   - Disposal of patient information.
   - Media reuse.
   - Unique user identification.
   - Emergency access procedures.
   - Documentation.

d. Technical Security Services and Mechanisms

   - Access control. Strong control mechanisms based on the context of the data or the role/position of authorized users must be established. In addition, control processes must always be in place to allow emergency access from data center operations if required.
   - Audit controls. Here and throughout all of the HIPAA rules are requirements for strong audit controls, including such things as documentation revision processes and traditional audit trails.
   - Data authentication. Strong systems controls over data integrity are required. These are the same types of application controls discussed in Chapter 19.
   - Entity authentication. Controls must be in place such that when one workstation attempts to access another, it is authenticated. This process may include passwords, telephone callbacks, or even biometric controls. This requirement goes beyond many enterprise practices in place today, where information is often freely shared through an e-mail note with attachments.

   - Communications and network controls. A wide range of controls are suggested here, including alarms, encryption, event reporting, message authentication, and others. The HIPAA-impacted enterprise must implement a very secure network.

e. Going Forward: HIPAA and E-Commerce

Beyond just pertaining to healthcare enterprises, these complex and important rules apply whenever health-related records are maintained by an HR function. An internal auditor can find more HIPAA information on the Web from two important sources:

1. U.S. Department of Health and Human Services. Copies of HIPAA rules and other supporting reference materials are available from http://hhs.gov/ocr/hipaa.
2. HIPAA Advisories. A site maintained by Phoenix Health Systems as a public service is a good source for HIPAA information; see www.hipaadvisory.com.

Gramm-Leach-Bliley Act Internal Audit Rules (GLBA)

Officially known as the Financial Modernization Act of 1999, the GLBA is a privacy-related set of U.S. requirements with the objective of protecting consumers' personal financial information that is held by financial institutions. This legislation has three principal parts:

1. The Financial Privacy Rule
2. The Safeguards Rule
3. What are called its pretexting provisions

(a) GLBA Financial Privacy Rules

GLBA-mandated privacy notices must contain these information elements:
   - The types of nonpublic personal information an enterprise collects regarding its customer
   - The types of nonpublic personal information the enterprise will disclose to others about the customer
   - The parties to whom the enterprise discloses this information, other than under an exception to the prohibition on nondisclosure
   - The customer's or client's right to opt out of the disclosure, along with simple rules for opting out
   - Enterprise policies with respect to sharing information about a person who is no longer a customer or client
   - Enterprise practices for protecting the confidentiality and security of the customer's or client's nonpublic personal information

(b) GLBA Safeguards Rule

Internal auditors should be aware of how a U.S.-based enterprise can demonstrate compliance with the GLBA Safeguards Rule through five steps:

1. Environmental risk analysis. The enterprise should formally identify the internal and external risks to the security, confidentiality, and integrity of all customer personal information. Risk analysis approaches were discussed in Chapter 6. This process should cover the risks of loss or disclosure for all sources of personal information, whether on automated systems or manual records.
2. Designing and implementing safeguards. These safeguards are essentially the internal control procedures discussed in Chapter 3 as part of the Committee of Sponsoring Organizations (COSO) internal controls framework and elsewhere throughout this book.
3. Monitoring and auditing. Continuous audit assurance monitoring processes, such as those discussed in Chapter 29, should be in place. Internal audit can play an important monitoring and auditing role here by regularly scheduling reviews of the adequacy of the security plan, coupled with appropriate compliance tests.
4. Constant improvements program. The enterprise should have a program in place to constantly improve its security plan. That program should be well documented to describe the plan's progress in improving any weaknesses found.
5. Overseeing security providers and partners. Many partners and other enterprises may have access to this same personal information or to systems network connections where personal privacy can be violated. Adequate policies, controls, and audit procedures need to be in place here as well.

(c) GLBA Pretexting Provisions

Under GLBA's pretexting provisions, it is illegal for anyone to:
   - Use false, fictitious, or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
   - Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
   - Ask another person to get someone else's customer information using false, fictitious, or fraudulent statements or documents, or using forged, counterfeit, lost, or stolen documents.

Pretexting leads to a new security and privacy risk or exposure: identity theft. This occurs when someone hijacks your personal identifying information to open new charge accounts, order merchandise, or borrow money. Consumers targeted by identity thieves usually do not know they have been victimized until the hijackers fail to pay the bills or repay the loans, and collection agencies begin dunning the targeted consumers for payment of accounts they did not even know they had. According to the FTC, the most common forms of identity theft are:
   - Credit card fraud. A credit card account is opened in a consumer's name, or an existing credit card account is taken over.

   - Communications services fraud. The identity thief opens telephone, cellular, or other utility service in the consumer's name.
   - Bank fraud. The identity thief opens a checking or savings account in the consumer's name and/or writes fraudulent checks.
   - Fraudulent loans. The identity thief gets a loan, such as a car loan, in the consumer's name.
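The technical safeguards listed under section d above (access control based on the role of the user and the context of the data, emergency access, audit trails, data authentication, and entity authentication) can be seen working together in the following Python sketch. It is added here as an illustration and is not code from this book, from HHS, or from any HIPAA reference; every user, role, patient record and key in it is constructed, the minimum-necessary field sets are hypothetical policy choices, and entity authentication is modeled only as a lookup of the requesting identity in a small user directory.

```python
"""Added example: a toy record store exercising HIPAA-style technical safeguards
(role-based minimum-necessary access, break-glass emergency access, an append-only
audit trail, and HMAC data authentication). All identities, roles, records and keys
are constructed for the demonstration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed integrity key; a real deployment would keep it in a key vault or HSM.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical minimum-necessary policy: fields each role may read in routine use.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "insurance_id"},
    "nurse":     {"name", "dob", "medications"},
    "billing":   {"name", "insurance_id", "charges"},
    "hr":        {"name", "coverage_status"},
}
# Only clinical roles may invoke break-glass access; each such read is flagged for review.
EMERGENCY_ROLES = {"physician", "nurse"}


def seal(record: dict) -> str:
    """Data authentication tag: HMAC-SHA256 over the record's canonical JSON form."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()


@dataclass
class RecordStore:
    users: dict = field(default_factory=dict)      # user_id -> role (the entity directory)
    records: dict = field(default_factory=dict)    # patient_id -> [record, integrity_tag]
    audit_log: list = field(default_factory=list)  # append-only audit trail

    def _audit(self, user, action, patient_id, outcome, detail=""):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "patient": patient_id,
            "outcome": outcome, "detail": detail,
        })

    def put(self, user, patient_id, record):
        """Store a copy of the record together with its integrity tag."""
        stored = dict(record)
        self.records[patient_id] = [stored, seal(stored)]
        self._audit(user, "write", patient_id, "ok")

    def get(self, user, patient_id, emergency_reason=None):
        """Minimum-necessary view for the user's role, or the full record under break-glass."""
        role = self.users.get(user)
        if role is None:  # entity authentication: requester not in the directory
            self._audit(user, "read", patient_id, "denied", "unknown entity")
            raise PermissionError("entity not authenticated")
        if patient_id not in self.records:
            self._audit(user, "read", patient_id, "denied", "no such record")
            raise KeyError(patient_id)
        record, tag = self.records[patient_id]
        # Data authentication: never serve a record whose tag no longer matches its content.
        if not hmac.compare_digest(seal(record), tag):
            self._audit(user, "read", patient_id, "denied", "integrity failure")
            raise ValueError("record integrity check failed")
        if emergency_reason:
            if role not in EMERGENCY_ROLES:
                self._audit(user, "emergency_read", patient_id, "denied", "role not eligible")
                raise PermissionError("emergency access not permitted for role")
            self._audit(user, "emergency_read", patient_id, "ok", emergency_reason)
            return dict(record)
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS.get(role, set())}
        self._audit(user, "read", patient_id, "ok", "fields=" + ",".join(sorted(view)))
        return view

    def flagged_emergency_reads(self):
        """Audit-review helper: successful break-glass reads a privacy official should examine."""
        return [e for e in self.audit_log
                if e["action"] == "emergency_read" and e["outcome"] == "ok"]


def build_demo_store() -> RecordStore:
    """Constructed users and one constructed patient record for the demonstration."""
    store = RecordStore(users={"dr_smith": "physician", "nurse_lee": "nurse",
                               "pat_billing": "billing", "hr_jones": "hr"})
    store.put("dr_smith", "P001", {
        "name": "Constructed Patient", "dob": "1970-01-01", "diagnosis": "hypertension",
        "medications": ["lisinopril"], "insurance_id": "INS-0001",
        "charges": 120.0, "coverage_status": "active",
    })
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("billing view:", s.get("pat_billing", "P001"))
    print("break-glass:", s.get("nurse_lee", "P001", emergency_reason="unresponsive patient"))
    s.records["P001"][0]["diagnosis"] = "altered"  # simulate tampering in storage
    try:
        s.get("dr_smith", "P001")
    except ValueError as err:
        print("integrity:", err)
    for entry in s.audit_log:
        print(entry["action"], entry["user"], entry["outcome"], entry["detail"])
```

Every decision, including the denials, lands in the audit trail, which is what an internal auditor would sample when testing the access-control and audit-control requirements; the flagged_emergency_reads helper is the kind of report a Privacy Official would review periodically, since break-glass access is permitted but must remain visible.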
