Module 3 - Privacy and HIPAA Flashcards
Two laws related to PII
Privacy Act of 1974
HIPAA
Privacy Act of 1974 (goals)
- to limit the amount of information that is recorded,
- ensure that Federal agencies that collect personal records have the appropriate authority,
- protect the information that is recorded, and
- give citizens the opportunity to review information and a means to change incorrect entries.
HIPAA
Health Insurance Portability and Accountability Act
- gave the U.S. Department of Health and Human Services (HHS) the ability to establish privacy regulations.
- The Act was designed to protect health-related information (past, present, and future), which could be used to identify individuals.
Other Documents / Guidance Documents (4)
- Appendix J of NIST’s Special Publication 800-53
- Office of Management and Budget (OMB) Memorandum M-03-22
- Executive Office Memorandum 99-18 for posting Privacy policies on the Internet
- The EU Privacy Directive
Privacy Act of 1974 (purpose)
response to the creation of databases and the impact on individual privacy
exemptions:
- government law enforcement agencies
- excuse through “routine use” exemption
Privacy Act Definitions:
- Individual
- Maintain
- Record
- System of Records
- Statistical Records
- Routine Use
- Matching Program
- Recipient Agency
10 or more records
Privacy Act Accounting for Disclosures
- maintain accounting of: date, nature, and purpose of each disclosure.
- retain for at least five years, or the life of the record
Privacy Act Access to Records
- individual can gain access to his record
- permit individual to request amendment of a record
- permit the individual who disagrees
System of Records Notice
SORN - Federal Register
Agency Requirements
Privacy Officer
Privacy Training
Privacy Act Systems of Records
System of Records Notice (SORN)
Privacy Impact Assessment
PIA
Certification & Accreditation process
NIST 800-53 appendix J
Privacy Controls - best practices
risk management
Privacy Practices Notice