Written by Administrator   
Monday, 18 August 2008 15:28

There are major risks involved in the loss of data. Whether you know it or not, you may be liable for data-loss-related issues, and different industries have different laws regarding the protection of customer data. Spend the time it takes to know your responsibilities, and see how our services can help you comply.

Medical and Dental Record Data (HIPAA)
Credit Card and Payment Data (PCI DSS)
Financial and Accounting Data (Gramm-Leach-Bliley Act)


Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996; its Security Rule became enforceable for most covered entities in April 2005 (April 2006 for small health plans). Under the rule's contingency plan standard (45 CFR 164.308(a)(7)), covered entities must establish a data backup plan, a disaster recovery plan, and an emergency mode operation plan, along with technical safeguards (45 CFR 164.312, where encryption is an addressable specification) to protect electronic patient data.

Who must comply? All entities that handle sensitive patient medical or billing information, including business associates of covered entities.

Section 164.306 (45 CFR 164.306) states the general security requirements of the Security Rule. A covered entity must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information (EPHI) the covered entity creates, receives, maintains, or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Ensure compliance with this subpart by its workforce.
The following types of data should be encrypted during the backup process:
  • Data files used in transcribing or recording patient information, including Microsoft Word and Excel documents;
  • Emails between patients and physicians, and emails between referring and attending physicians and their offices;
  • Patient administrative and billing information exchanged with health plans and payers;
  • Data exchanged with hospitals, utilization management organizations, and patients, including referrals and authorizations;
  • Patient health information gathered from or displayed on a website or portal;
  • Digitally stored or transmitted clinical and lab data.
iDataSure.com Solution: For HIPAA compliance, all data backed up through our service is encrypted with AES (the FIPS-197 standard) or Blowfish to protect the confidentiality of all protected information during transmission and offsite storage; because encryption alone does not guarantee integrity, backup sets should also be verified on restore. Restoration of data is protected by a password issued only to authorized personnel, protecting backup data from unauthorized employee access. Note that the Security Rule also requires unique user identification (45 CFR 164.312(a)(2)(i)), so restore credentials should be issued per person rather than shared. Emergency data recovery can be performed 24 hours a day, 7 days a week, in support of the availability requirement.


Credit Card and Payment Data (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies as a standard to protect consumer credit card information from unauthorized access.

Who must comply? All businesses that store, process, or transmit cardholder data, in particular the primary account number (PAN).

Requirement 3.4 pertains specifically to the protection of stored credit card data:
Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

  • Strong one-way hash functions (hashed indexes)
  • Truncation
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key management processes and procedures
The MINIMUM account information that must be rendered unreadable is the PAN.
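The four Requirement 3.4 approaches above, as an added example (not code from iDataSure.com or from the PCI SSC): truncation, a keyed hash, and an index token backed by a separately stored vault, alongside the plain unkeyed hash that is sometimes mistaken for "unreadable". The PAN and the HMAC key are constructed test values; the brute-force routine shows why an unkeyed hash of a PAN fails when the issuer BIN and last four digits (both routinely printed on receipts) are known, leaving only the six middle digits to guess.

```python
"""Rendering a PAN unreadable at rest (PCI DSS Req. 3.4) and one way not to.

Added example, not code from iDataSure.com; the PAN and key below are
constructed test values, not real account data."""
import hashlib
import hmac
import secrets

# Constructed test PAN (passes Luhn, not a real account) and a constructed key.
# A production hash key would come from the key-management process that
# Requirements 3.5 and 3.6 demand, never from a literal in source code.
TEST_PAN = "4111111111111111"
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; used here only to prune brute-force candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Shown for comparison; see recover_from_unkeyed_hash."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key, guesses cannot be tested."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(digest: str, bin6: str, last4: str):
    """Brute-force an unkeyed hash when the BIN and last four digits are known.
    Only the six middle digits are unknown: 10**6 candidates, roughly one in
    ten of which passes Luhn, so the search finishes in seconds."""
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if luhn_ok(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index token: the application keeps only a random token; the token-to-PAN
    mapping (the 'pad') lives in a separately secured store."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)  # unrelated to the PAN, so it reveals nothing
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


if __name__ == "__main__":
    print("truncated :", truncate(TEST_PAN))
    print("HMAC      :", keyed_hash(TEST_PAN, TEST_KEY))
    vault = TokenVault()
    tok = vault.tokenize(TEST_PAN)
    print("token     :", tok, "->", vault.detokenize(tok))
    print("recovered :", recover_from_unkeyed_hash(unkeyed_hash(TEST_PAN), "411111", "1111"))
```

The unkeyed hash is recovered in well under a second on ordinary hardware, which is why a hashed index only counts as "unreadable" when it is keyed (or when the hash and any truncated copy of the same PAN are never stored together). The vault in this example is an in-memory dictionary; in practice it is the component that carries the full PCI DSS scope, and the token returned to the application carries none.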
Section 9.5 pertains specifically to data backup storage.
Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or commercial storage facility.

iDataSure.com Solution: For PCI DSS strong cryptography compliance, our backup service encrypts all credit card information stored in QuickBooks or other accounting or database applications with AES (the FIPS-197 standard) or Blowfish, so that the credit card data is unreadable during transmission and offsite storage. Your information is stored in a secure off-site facility for compliance with Requirement 9.5. Note that encrypting backups does not by itself satisfy Requirement 3: the encryption keys must be managed under Requirements 3.5 and 3.6, and sensitive authentication data (full track data, card verification codes, and PINs) may not be stored after authorization at all, even encrypted.


Gramm-Leach-Bliley Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB, includes provisions to protect consumers' personal financial information.

Who must comply? Banks, securities firms, and insurance companies, as well as companies providing many other types of non-traditional financial products and services to consumers. Among these are businesses that lend, broker, or service any type of consumer loan; transfer or safeguard money; prepare individual tax returns; provide financial advice or credit counseling; provide residential real estate settlement services; collect consumer debts; provide health insurance; or engage in an array of other financial activities.

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:
  • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
  • Store records in a room or cabinet that is locked when unattended.
  • When customer information is stored on a server or other computer, ensure that the computer is accessible only with a "strong" password and is kept in a physically-secure area.
  • Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
  • Maintain secure backup records and keep archived data secure by storing it in a physically-secure area.
  • Maintain a careful inventory of your company's computers and any other equipment on which customer information may be stored.
iDataSure.com Solution: For compliance with Gramm-Leach-Bliley, all data backed up through our service is encrypted with AES (the FIPS-197 standard) or Blowfish to protect the confidentiality of all protected information during transmission and offsite storage; because encryption alone does not guarantee integrity, backup sets should also be verified on restore. Our offsite storage facility is built to Zone 4 earthquake standards and uses multiple fire suppression systems to protect against physical hazards. The facility also maintains strict SAS 70 audited physical access restrictions against unauthorized access to stored data. Restoration of data is protected by a password issued only to authorized personnel, protecting backup data from unauthorized employee access.


Last Updated on Thursday, 12 February 2009 09:12