In my discussions with the FTC, it would seem at odds with your statements. First off, the trigger is "Financial Activities" not "Financial Institution". For example, the following are some of the triggering financial activities:

ACTIVITIES THAT ARE FINANCIAL IN NATURE - For purposes of this subsection, the following activities shall be considered to be financial in nature:
(A) Lending, exchanging, transferring, investing for others, or safeguarding money or securities.
(B) Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State.

It is true that MOST small providers would not be covered under GLBA, but it is essential to look at the real business processes and corporate structure of a HIPAA CE before making a blanket statement. As someone who has focused on non-traditional covered entities, I have found that the definitions of the terms are critical, as well as the intent of those terms in their application to the underlying business processes. For example, a significant number of providers provide (in one means or another) financing for services, just like an auto dealer (which is very much a GLBA covered entity). The most notable are cosmetic surgery clinics. Hospitals are also engaged in financing arrangements. This would bring them under GLBA (per the FTC). Also many employers may also be under the GLBA for their employee investment activities, though this is not my area of expertise.

I do not believe it is as black and white as you suggest. Additionally, the Insurers I have worked with disagree that they are not obligated to employ the FTC security rule; even though they are covered under state law, they still believe they are covered under GLBA. State Law may be more stringent on Privacy in select cases, but like HIPAA, generally not on the Security requirements. Also, like HIPAA, there is no exemption for government (state or local either).

So my point was that each entity has to make their own determination, and then accept the associated risk that goes with that determination.

Regards,
Tim McGuinness, Ph.D.
Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Alt Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Direct Phone: 1-727-787-9801
Certified Consulting Specialist and Forensic Regulatory Examiner in Regulatory Privacy, Security, and Application Compliance [HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance Certification Organization
===========================================================================
IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The foregoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law; your use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation.
-----Original Message-----
From: Nahra, Kirk [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 8:29 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: RE: FTC Security Rule

It's somewhat more complicated in terms of who must comply with the GLB provisions. "Insurers" need to comply generally, but they would need to comply with state laws developed by the insurance departments, rather than the FTC rule (meaning in part that the FTC deadline is not relevant to most insurers). Many states have not yet passed a state GLB security rule. There is a model from the National Association of Insurance Commissioners that is being used by many states. Employer plans for the most part are not covered by GLB. Neither are most health care providers, unless they somehow also qualify as a "financial institution." So, while it is important to be aware of the FTC and/or GLB security rules, this is not necessarily important for many HIPAA covered entities (and probably less important than the security provisions of the Privacy Rule that went into effect on April 14, 2003).

Kirk J. Nahra
Wiley Rein & Fielding, LLP.
1776 K Street, N.W.
Washington, D.C. 20006
202.719.7335
202.974.1402 (fax)
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Visit www.wrf.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 4:34 AM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: FTC Security Rule

This is all well and good, but I think you all have a surprise in store. Many (exact quality unknown) Healthcare providers and plans also fall under the Gramm-Leach-Bliley Act. Interestingly enough, the FTC's Safeguards Rule deadline was last May. As such ALL HIPAA entities that also fall under GLBA must also comply with the FTC Safeguard Rule, which is very similar, though has some interesting twists.
What is interesting about the FTC vision of security is that no Risk is acceptable when a customer's data is subject to compromise. Of course the practicality of such an approach is problematic, but it does speak to their approach on enforcement: serious and to the point. I would strongly suggest that ALL HIPAA CEs examine the FTC Safeguard Rule available from the FTC's website www.ftc.gov (under Privacy initiatives). At least now you all have justification for your Security Budget!!

Regards,
Tim McGuinness, Ph.D.

-----Original Message-----
From: Bill Pankey [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 6:56 PM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: Avoiding Risk was Re: PGP encryption

Chris, Doug

What is very interesting about the security rule is that it does not seem to include *any* duty to 'avoid' a risk when the 'appropriate' control cannot be 'reasonably' implemented. Given that relatively few CEs publish a (public) encryption key, it is easy to argue that wholesale email encryption is 'not reasonable' .... in that the cost of email encryption would then exceed its security mitigation benefit. (The lack of marginal risk mitigation benefit derives from the objectively low likelihood and potentially low impact associated with the interception / redirection of any particular message.) Clearly though, email encryption is appropriate as there are few, if any, alternate confidentiality controls.

On the other hand, there is nothing that obligates the CE to allow email transmission of PHI; indeed many CEs will claim to have had long-standing policy precluding such use of email. The fact that these policies were often incompetent or not enforced is irrelevant; the HCOs having such policies (necessarily) claim that such policies do / did not negatively impact patient care or healthcare operations .... so the unmitigated risk of email interception / redirection (apparently) can be avoided with such policies. Similarly, some marquee CEs, motivated by a concern over a lack of what they considered good security, have similarly adopted categorical 'no wireless' policies.
At some point (perhaps instigated by the plaintiff's bar) there simply has to be consideration of the "avoid" risk option. It does seem incumbent on the CE who decides that 'appropriate' security is too expensive (and thus unreasonable) to consider why it is that the CE is not avoiding the risk entirely, by (perhaps) disallowing certain practices, connections, technology, protocols, etc. Although not explicitly required by the Rule, where addressable features were not implemented, it seems prudent to document why the risk that would have been mitigated by those features could not somehow be avoided.

bill pankey

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org