Navigating the Privacy Hodgepodge

By Jeff Spivey

According to the dictionary, a hodgepodge is a confused mass of things. According to a scan of current privacy laws, so is the U.S. regulatory landscape.

No single, comprehensive privacy law blankets the country. Instead, there is a crazy quilt of industry-specific and state laws that every organization doing business in the United States needs to track and comply with.

This is not because our society hasn’t had enough time to act. Samuel Warren and Louis Brandeis published their article, “The Right to Privacy,” in 1891, arguing that a new right, termed privacy, demanded acceptance in the American jurisprudence system.

Fast-forward nearly 100 years to the mid-1960s, when Congress began looking at the privacy implications of records maintained by federal agencies in reaction to the proposed establishment of a National Data Center. After years of studies and amid mounting privacy concerns after Watergate, the U.S. Privacy Act of 1974 was passed. It governs the collection, use and dissemination of a record about an individual that is maintained by federal agencies.

Since then, the Internet and increasingly sophisticated data gathering, storage and processing technologies have made it progressively easier for organizations to process and hold personally identifiable information (PII).

Concurrently, consumers have become more concerned about their privacy. This poses a challenge for businesses: how to strike a balance between the need to access PII and the expectation of privacy that Warren and Brandeis described as the “right to be left alone”? Adding to this challenge is a complex and shifting set of laws.

The Federal Privacy Landscape

One of the contributing factors to the regulatory hodgepodge is the mix of federal and state-level laws. The major federal legislation addresses two influential industries (financial services and health care), and a vulnerable demographic: children and young adults. The major federal laws and their key changes are:

·  Gramm-Leach-Bliley Act (GLBA)/Financial Modernization Act of 1999:The act requires financial institutions that offer consumers financial products or services (such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. Four years ago, a privacy notice form made it easier for consumers to understand how financial institutions collect and share information about consumers; GLBA has since been stable.

·  Fair Credit Reporting Act (FCRA): The act, passed in 1970, promotes the accuracy, fairness and privacy of information in the files of consumer reporting agencies, which compile and maintain information about consumer credit ratings to sell the listings to businesses, potential lenders and individuals. The FCRA was amended in 2005 by the Fair and Accurate Credit Transactions Act (FACTA). (Both FCRA and FACTA refer to the same law.) The Identity Theft Red Flags Rule is part of FACTA.

Under changes effective January 2013, employers that utilize background checks must use a “Summary of Consumer Rights” form to notify job applicants and employees of their rights under the FCRA. Employers also must make clear that the newly  created Consumer Financial Protection Bureau—not the Federal Trade Commission—is the agency that applicants and employees should contact with questions about FCRA rights.

·  Health Insurance Portability and Accountability Act (HIPAA) of 1996: The act applies to health plan providers, health care clearinghouses and certain health care providers. It covers protected health information, which is information related to physical or mental health, the provision of health care and payment for health care. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act’s enforcement provisions strengthened the HIPAA protections and rights.

In January 2013, the final rule was approved. The changes enhance a patient’s privacy rights and protections, and strengthen the ability of the Health and Human Services office to enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.