GLBA & HIPAA: How They Overlap
November 11, 2019
What is GLBA?
This week, we are devoting our blog post to a topic we receive many questions about: What is GLBA and how does it relate to HIPAA? What responsibilities do financial institutions have in protecting NPI?
GLBA (Gramm-Leach-Bliley Act of 1999), sometimes called the Financial Modernization Act, is a federal law that regulates financial institutions’ use and disclosure of their customers’ NPI (nonpublic personal information). GLBA defines NPI as “any information received by a financial institution that is not public.”1 Usually, this refers to “personally identifiable financial information.”2 This includes, but is not limited to: social security numbers, credit history, income data, credit card numbers, bank account numbers, addresses, phone numbers, and names.1
There are three main parts of this law you need to understand: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Prohibition. We will break down each in the sections below. But first, who needs to comply with GLBA?
Who is GLBA for?
GLBA applies to “financial institutions.” This is defined broadly in the law, but it is meant to describe businesses involved in banking, insurance, stocks and bonds, financial advertising, and investing.3 The GLBA law also refers to “nonbanking activities,” which include insurance and underwriting.2
Specific states have additional regulations for financial institutions subject to GLBA, including California, North Dakota, New York, and Vermont. Like HIPAA, you must adhere to your state laws if they are more stringent than federal regulations.3
The Financial Privacy Rule
The Financial Privacy Rule requires institutions to create a Privacy Notice for their clients. This document details what kind of information the institution collects about customers, who that information is shared with, how it is used, and how it is protected. The Privacy Notice must inform customers that they have the right to opt-out of having their information disclosed by the financial institution.
This is part of the Fair Credit Reporting Act. Additionally, if a company makes any changes to the ways they share client information, they must update the Privacy Notice. The update must be posted so clients have an opportunity to opt-out again if they do not approve of the change. Institutions provide a Privacy Notice when they establish a relationship with clients and once annually after that.4
The Safeguards Rule
Under the Safeguards Rule, financial institutions must have a written security plan that describes the measures they take to protect customer NPI. This is called an Information Security Plan and it must be detailed and tailored to the company.1 The security plan includes information like specific protocols for handling NPI and the measures the company takes to stay GLBA compliant. This document is similar to Security Policies and Procedures required by HIPAA.3
The Safeguards Rule also requires financial institutions to outline plans for training employees, so they may protect NPI in their day-to-day tasks. At least one or more employee(s) must oversee the Information Security program at the company, ensuring that security is not only outlined in the documents but tested and practiced regularly in the workplace.1
The Pretexting Prohibition
Pretexting occurs when an unauthorized party accesses NPI. Under GLBA, financial institutions must implement safeguards to prevent this type of unauthorized disclosure. Examples of pretexting include phishing, email or phone scams, someone posing as an account holder to access their NPI. Preventative measures taken by the company should be documented.5
GLBA Enforcement and Penalties
The FTC (Federal Trade Commission), federal banking agencies, state attorneys general and other federal regulatory institutions enforce GLBA.3 Like HIPAA, GLBA violations carry consequences for both individuals and entities. Financial institutions can pay up to $100,000 per violation. Individuals may pay fines of up to $10,000 per violation and serve up to five years in prison.1
HIPAA and GLBA
As you can see, there are many similarities between HIPAA and GLBA. Both revolve around protecting sensitive information, PHI and NPI, respectively.
Similarities between HIPAA and GLBA:
- Emphasis on employee training
- Privacy Notice (GLBA) and Notice of Privacy Practices (HIPAA)
- Information Security Plan (GLBA) and Security Policies and Procedures (HIPAA)
- Emphasis on testing systems for weakness
- Focus on constantly monitoring compliance and viewing compliance as a continuous process rather than a one time action
- Requirement of using secure service providers (GLBA), or Business Associates (HIPAA) to handle sensitive information responsibly on behalf of compliant entities
- Similar fines and penalties
What GLBA means for HIPAA compliance
The similarities between HIPAA and GLBA may leave agents and brokers wondering which law to follow. The truth is, you have to comply with every regulation that applies to your business. This may sound overwhelming or even impossible. However, you must remember the overlap between the two regulations. HIPAA serves as an excellent framework for GLBA compliance.
If a company becomes HIPAA complaint, all they have to do is add a bit of extra documentation to meet GLBA compliance, which Total HIPAA has added to our document plans specifically for insurance agents. For example, there is so much overlap between the Security Policies and Procedures required by HIPAA and GLBA’s Information Security Plan that one document can meet both needs. Agents and brokers will simply have to add a few additional items, like the Privacy Notice.
Understanding documentation is not easy. The law is complex and extremely thorough. We offer a chapter on GLBA in our Agency Privacy and Security Training to make things simple. Remember, if you feel overwhelmed by implementing policies at your company, it is best to reach out to an expert for help. Ignoring these laws will not exempt you from paying a price if you are caught.
January 6, 2020
HIPAA breaches involving fewer than 500 individuals, which occurred during 2019, must be reported to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020. Reporting… Read More ›Read More