Recent news accounts have described how a federal government agency, the United States Department of Health and Human Services (HHS), has been levying multimillion-dollar fines against health care providers, health insurance companies, and the vendors that serve those insurers and providers. The latest is a $5.5 million fine against Advocate Health for HIPAA violations. A HIPAA violation occurs when a business fails to safeguard the Personal Identifying Information (PII), Personal Health Information (PHI), and Personal Financial Information (PFI) stored by health care insurance companies and providers, as well as by the suppliers they do business with.
But with all the news about HIPAA violations, many businesses do not understand that they have their own responsibilities for safeguarding the PII and PFI they store from their customers' transactions. If you accept credit cards and store the PII and/or PFI of your customers, you too can be fined by a federal agency.
The Federal Government & Your Business
There are a number of laws, and federal agencies that enforce them, that your business must comply with or face a fine for noncompliance. The following are some of the applicable laws and enforcement agencies.
The Federal Trade Commission
The Federal Trade Commission (FTC) is an agency of the federal government that is concerned with deceptive and unfair trade practices. The FTC has used Section 5 of the Federal Trade Commission Act to pursue companies that fail to honor their own data security and privacy statements. The FTC has successfully brought enforcement actions against companies operating both offline and online. The agency also enforces the Children's Online Privacy Protection Act (COPPA) and the Self-Regulatory Principles for Behavioral Advertising.
Additionally, the FTC is the primary enforcer of the Financial Services Modernization Act (the Gramm-Leach-Bliley Act, or GLB). This act deals with the collection, use, and disclosure of financial information. The FTC applies it broadly to regulate the privacy practices of banks, insurance companies, mortgage lenders, and other financial services providers. The FTC also ensures that these financial service companies comply with the many privacy rules put forward by national banking agencies, and with the Safeguards Rule. The Safeguards Rule is an FTC rule that, much as HIPAA does for health care entities, requires financial institutions to maintain their own data security protocols and to make sure that their service providers and affiliates do the same.
In 2015–2016 the FTC fined LifeLock, an online identity security provider, $100 million for failing to follow through on a 2010 memorandum of understanding between LifeLock and the FTC and for failing to adequately safeguard customers' PII. It is the largest fine levied against a single company in the history of the FTC.
Consumer Financial Protection Board
The Consumer Financial Protection Board (CFPB) is a newcomer to privacy enforcement actions, as it was created in 2010 as part of the Consumer Financial Protection Act of 2010. Under a Memorandum of Understanding between the FTC and the CFPB, the two agencies share privacy enforcement actions against regulated financial companies. A recent action by the CFPB against the online payment platform Dwolla resulted in a $100,000 fine for deceptive practices concerning its data security practices and the protection of its online system for processing payments.
If your business processes credit card transactions or stores any PII, your company most likely has to comply with these and other agencies’ rules and regulations concerning privacy.
Need Help? A Managed Service Provider May Be Right for You
If you want to run your business without the distraction of ensuring compliance with the applicable privacy and financial information laws, you may want to engage a Managed Services Provider (MSP). These companies can handle any or all aspects of your data systems, from security alone to outsourcing all of your Information Technology work.