HIPAA vs. GLBA

Privacy Compliance
December 5, 2022
Understand the key differences and similarities between HIPAA and GLBA. Learn how these regulations protect healthcare and financial data, who they apply to, and compliance best practices.

If you work in the healthcare sector, you have probably heard of HIPAA. It applies to covered entities in the healthcare industry and to the vendors that handle health information on their behalf. If you work in the financial sector, you have probably heard of the GLBA, which applies to financial institutions and the companies that receive customer data from them.

But can the two overlap, and how are they similar or different? What these laws have in common is their purpose: protecting the personal data that organizations in their respective industries hold about the public. Their terminology, scope, and specific requirements differ.

In this guide, we break down what you need to know about the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

The Health Insurance Portability and Accountability Act - HIPAA

What is HIPAA?

Healthcare organizations are required to take extensive measures to safeguard the protected health information (PHI) of their patients and members. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted primarily to improve the portability and continuity of health insurance coverage in the group and individual markets. Its Administrative Simplification provisions are what matter for security: they led to the HIPAA Privacy Rule, which sets standards for the use and disclosure of individually identifiable health information, and the HIPAA Security Rule, which sets the administrative, physical, and technical safeguards required for PHI that is created, stored, or transmitted in electronic form (ePHI).

Key HIPAA Security Rule Safeguards

The items below are the physical and technical safeguard standards of the HIPAA Security Rule, which is where most of the engineering work lands:

  • Facility Access Controls - The first line of defense is regulating who can physically enter the locations where systems holding ePHI live. Only people with a need to work with that data should have physical access, and that access should be recorded.
  • Workstation Use and Workstation Security - Inside the building, every device that touches ePHI must be secured: desktops, laptops, tablets, and shared workstations. Restrict physical access to authorized staff and lock or log off idle sessions.
  • Device and Media Controls - Data on hard drives, external drives, memory cards, flash drives, and backup media must be protected throughout its life. That includes tracking where media goes, wiping or destroying it before disposal or reuse, and preventing unauthorized access.
  • Access Control - Only authorized users should be able to reach ePHI, and each user needs a unique identifier so that actions can be traced to a person. Without proper authorization, no one should be able to read, write, alter, or transmit the data. Emergency access procedures and automatic logoff are part of the same standard.
  • Audit Controls - You must be able to record and examine activity in systems that hold ePHI: who accessed which records, when, and what they did with them.
  • Integrity Controls - Integrity controls must guarantee that ePHI is not improperly altered or destroyed, with a mechanism to detect any such change.
  • Person or Entity Authentication - Confirm that the users trying to access ePHI are who they claim to be. This requirement is commonly met with multi-factor authentication.
  • Transmission Security - ePHI must be protected against unauthorized access while it is transmitted over an electronic network, which in practice means encryption in transit together with integrity checks.

Who Does HIPAA Apply to?

HIPAA applies directly to "covered entities", which fall into three groups:

  • Health Plans, including health insurance companies, HMOs, employer-sponsored group health plans, and government programs that pay for health care, such as Medicare and Medicaid.
  • Health Care Providers that transmit health information electronically in connection with standard transactions, such as billing a health plan. This includes most doctors, clinics, hospitals, nursing homes, and pharmacies.
  • Health Care Clearinghouses, which convert nonstandard health information received from another organization into a standard format, or the reverse.

In addition, HIPAA applies to the business associates of covered entities: contractors, subcontractors, and other outside parties that create, receive, maintain, or transmit PHI in order to provide services to a covered entity. Business associates are bound by a business associate agreement (BAA) and, since the HITECH Act, are directly liable for complying with the Security Rule and the applicable provisions of the Privacy Rule.

The Gramm-Leach-Bliley Act - GLBA

What is GLBA?

The Gramm-Leach-Bliley Act of 1999 (GLBA) sets out the data protection measures that financial institutions must have in place for their customers' nonpublic personal information (NPI). Companies that offer consumers financial products or services are subject to these requirements, including lenders, financial and investment advisers, and insurers. Any practice of sharing that information must come with the protections needed to secure it.

Key GLBA Rules

  • Financial Privacy Rule - Financial institutions, and companies that receive nonpublic personal information about consumers from financial institutions, must follow the GLBA's privacy rule. NPI covers transaction data and most personally identifiable financial information a company obtains in the course of providing a financial product or service. Institutions must give customers a clear privacy notice explaining what they collect and with whom they share it, and must offer an opt-out before sharing NPI with nonaffiliated third parties.
  • Safeguards Rule - Institutions within the GLBA's scope must develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to their size and to the sensitivity of the customer information they access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle. The FTC's amended Safeguards Rule (2021) made several of those safeguards explicit, including a designated qualified individual to run the program, written risk assessments, access controls, encryption of customer information in transit and at rest, and multi-factor authentication for anyone accessing customer information systems.
  • Pretexting Provisions - GLBA prohibits obtaining customer information from a financial institution under false pretenses, whether the attempt is made by phone, email, or in person. Institutions are expected to protect NPI against such attempts and to detect and stop as many of them as they can, which in practice means staff training and verification procedures for any request about account information.

Who Does GLBA Apply to?

Every company, regardless of size, that is significantly engaged in providing financial products or services to consumers is subject to the Gramm-Leach-Bliley Act. This covers a wide range of businesses that are not usually thought of as financial institutions, including check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, appraisers of personal property or real estate, retailers that issue their own branded credit cards, professional tax preparers, and courier services. The rule also applies to businesses that receive information about the customers of other financial institutions, such as credit reporting agencies and ATM operators. Covered companies must not only adopt their own safeguards but also take steps to ensure that their affiliates and service providers protect the customer information in their care, typically by vetting those providers and binding them by contract to maintain appropriate safeguards.

Conclusion

The main distinction between these two sets of compliance requirements is the kind of data each one protects. HIPAA protects a patient's health information, while GLBA protects the nonpublic personal information that financial institutions hold about their customers. Both pursue the same objective of keeping sensitive personal data out of unauthorized hands, and both expect a documented program of administrative, physical, and technical safeguards. The two can also overlap: an organization that handles both kinds of data, such as an insurer offering health coverage alongside other financial products, must meet both sets of requirements.
