The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/657874
14 PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | SPRING 2016

BEST PRACTICES

Securing Apps for Regulatory Compliance
by Nathan Clark

Determining whether an app is "secure" for federal compliance, with HIPAA and HITECH for the health care industry or FDIC and GLBA for the financial services industry, requires more than a one-time effort. Compliance includes selection, implementation, management and review.

Differences in Regulations

The regulatory schemes discussed here are concerned with more than just the technical security of electronic data. Both, however, focus on the security of data: HIPAA requires that Protected Health Information (PHI) be secured, and the Payment Card Industry Data Security Standard (PCI DSS), an industry standard enforced by contract rather than a federal statute, requires that any organization storing, processing or transmitting cardholder data secure it. The health care and financial industries adopted these requirements for the same purpose: to safeguard the confidentiality, integrity and availability of an individual's private information throughout its creation, maintenance, transmission and disposal.

There are, however, some major differences between the two regulatory schemes. Unlike the financial rules, which reach banks and the merchants and service providers that handle cardholder data, HIPAA regulations can apply directly to an attorney or law firm. If a firm is engaged by a covered entity to perform services that involve the use or disclosure of the client's PHI, the firm is a "business associate." Certain HIPAA standards apply directly to business associates as a result of the HITECH Act. In addition, the HIPAA standards require the firm to enter into a business associate agreement with its covered entity client, so the firm has both a legal and a contractual obligation to comply with the HIPAA requirements applicable to business associates.

Another difference is that HIPAA is considered descriptive, whereas the financial guidelines are prescriptive. HIPAA is often described this way: "the statute and regulations (mostly the latter) tell you the what but not the how. This is by design." This approach is necessary because the regulations must apply to so many types of organizations; there cannot be a one-size-fits-all checklist.

As Kamal Govindaswamy writes on the RisknCompliance blog, "If the HIPAA Security Rule were prescriptive (like PCI DSS, for example), the rule would need to be updated frequently in order for it to remain relevant in the constantly evolving environment of security threats and vulnerabilities." In fact, there might be more differences between the two regulatory schemes than similarities. Mike Klein, president and COO of Online Tech, writes on the Data Center Knowledge website: "HIPAA and PCI DSS compliance protect different types of information, with different audit guidelines, safeguard requirements and consequences for non-compliance or breaches."

There is also an important distinction between the two regarding enforcement. HIPAA is law, with civil fines and criminal penalties for non-compliance; its civil enforcement is handled by the Office for Civil Rights of the U.S. Department of Health and Human Services. Mike Klein noted: "With PCI compliance, there are contractually agreed-upon fines, but no criminal

NATHAN CLARK
Nathan Clark is a duly licensed non-practicing attorney with a technology degree in workforce training and development. After leaving private practice, Nathan started working in the IT department at Jones Walker LLP, designing, developing and implementing training initiatives. Nathan's current administrative role of IT Security Manager focuses on regulatory compliance and information security risks. Contact him at nclark@joneswalker.com.