Security rules that make business sense for BPO
It makes a lot of sense for Indian IT firms to follow the information collection and dissemination laws that apply in the USA and Europe.
Anup Narayanan

The Indian IT scenario depicts a landscape without boundaries. Information collected in the USA and Europe is processed in India and transferred back. Does it also mean that the laws pertaining to information collection and dissemination that apply in the USA and European nations pertain to India as well? "No, the law is not binding." But again, does it make sense for Indian IT companies to follow these laws? The answer is an emphatic "Yes". Let us analyze two such laws that make business sense for Indian firms, viz. the HIPAA Security Rule and the Gramm-Leach-Bliley Act, or GLBA for short.

HIPAA security rule
Under the Government of the USA, HIPAA (the Health Insurance Portability and Accountability Act) requires that the healthcare industry and associated entities ensure the privacy of protected health information (PHI). The Final HIPAA Security Rule specifies that health care providers and health care clearinghouses must assure their customers (for example, patients, insured individuals, providers and health plans) that the Confidentiality, Integrity and Availability of the electronic protected health information they collect, maintain, use or transmit is protected. The HIPAA regulations require health care (and related) businesses to recognize that:

I. Confidentiality refers to the assurance that electronic Protected Health Information (ePHI) is shared only among authorized persons or organizations.
II. Integrity refers to the assurance that ePHI has not been altered or destroyed in an unauthorized manner.
III. Availability refers to the assurance that the systems responsible for processing, storing and delivering ePHI are accessible when needed by the authorized individuals who need them.

Why is there so much stress on privacy of personal health information?

The principal reason for this has been cases of discrimination, specifically at the workplace. Social prejudice towards certain diseases, even ones that are non-communicable in nature, has led to individuals being terminated from their jobs on flimsy grounds. The HIPAA Security Rule ensures that such incidents are not repeated.

HIPAA security rule and relevance to Indian BPO scenario
Insurance firms in the USA have for some time now been exporting health claim forms to India for processing. A significant percentage of the BPOs operating in India work in this sector. Though Indian law does not require them to follow these security regulations, it makes good business sense to adhere to the HIPAA Security regulations. Landing business deals becomes a problem if the HIPAA Security regulations are not followed, as US firms are stringent about personal health information. A leakage would result in substantial financial damages.

The GLB Act
In 1999 the US government adopted the Gramm-Leach-Bliley (GLB) Act (GLBA). The GLBA aims to protect the personal financial information of consumers held by financial institutions. The three principal rules of the GLBA are:

  • The Financial Privacy Rule: Governs the collection and disclosure of customers' personal financial information by financial institutions.
  • The Safeguards Rule: A mandatory requirement for all financial institutions to design, implement and maintain safeguards to protect customer information.
  • The Pretexting Provisions: Protect consumers from individuals and companies that obtain their personal financial information under false pretences.

There is a separate section of the GLBA, Section 501(b), called the Standards for Protecting Customer Data. This section mandates certain criteria that financial institutions must follow in selecting service providers:

  • The institutions must exercise appropriate diligence in selecting their service providers.
  • The service provider must implement appropriate measures designed to meet the objectives of these guidelines.
  • The service providers must subject themselves to verification confirming that they have satisfied their obligations to safeguard confidential information and data.
  • The service provider must conduct regular information security audits and test security levels.
  • The level of monitoring of the financial information processing operation should be based on a risk assessment conducted at the service provider's facility.

Implementing HIPAA security rule
A question that springs up all too often is: "If I am complying with international standards such as BS7799 (ISO 17799), do I have to go for a separate HIPAA Security Rule implementation?" The answer is "No". The basic idea behind HIPAA or the GLBA is to have a comprehensive information security management system (ISMS) in place. Having a good ISMS that complies with BS7799 would meet almost all of the requirements of HIPAA, except for a few technical requirements.

To comply or not?
The decision to comply proactively with international information security standards is a good business decision. In today's IT scenario, absence of compliance amounts to a lack of awareness of the importance that businesses in the USA and Europe attach to information security. Hence, to stay in the IT business and to ensure that the customer remains confident that his information is not leaked, go ahead and adopt the information security laws relevant to your business.

The author is founder and senior consultant for Juvena Consulting, an information security consultancy based out of Kochi, Kerala, India.

© CIOL Bureau