Laboratory Manual to Legal issues in Information Security: Lab 3

  1. Which U.S government agency acts as the legal enforcement entity for businesses and organizations involved in commerce?

The Federal Trade Commission (FTC) acts as the legal enforcement entity for businesses and organizations involved in commerce. [1]

  • Which U.S government agency acts as the legal enforcement entity regarding HIPAA compliance and HIPAA violations?

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) acts as the legal enforcement entity regarding HIPAA compliance and HIPAA violations. [2]

  • List similarities between GLBA and HIPAA.

Both the GLBA and HIPAA came about to “tackle gaps in information assurance and privacy”. [4] They both have Privacy and Security Rules to do this. Further, they both demand that the organization –

  •  Secure, protect and maintain confidentiality of person’s private information
  •  “Implement policies and procedures to control security risks to customer information and monitor their effectiveness.” [3]
  • “Train all employees and management on the security policies of the agency.” [3]
  • Follow specific I.T. controls, which involve planning, implementation, audits, assessment, and risk management, to ensure privacy
  • Give the consumers a user-friendly privacy notice explaining the Privacy Rule.
  • List five examples of privacy data elements for GLBA as defined in the Financial Privacy Rule.

GLBA defines nonpublic personal information (NPI) as “personally identifiable financial information provided by a consumer to a financial institution during any transaction or service, or that is otherwise obtained by the financial institution.”  This information includes: [5]

• Customer name, address, social security number, account number

• Information a customer provides on an application

• Information obtained on a legal document that pertains to a summons, bankruptcy, divorce, etc.

• Information from a “cookie” obtained in using a website

• Information on a credit report obtained by a financial institution

  • List examples of privacy data elements for HIPAA as defined in the Privacy Rule.

The HIPAA protects all “individually identifiable health information” [6].
             This includes- [7]

  • Names
  • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images and
  • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
  • List three differences between HIPAA and GLBA.
  • The HIPAA deals with “health consumers’ private information”. [8]
    GLBA deals with “financial consumer’s non-public personal information”. [8]
  • Complying with the Privacy Rule of HIPAA requires identifying, restricting, and enforcing which personnel need access to employees’ PHI to perform their jobs. [9]
    The Financial Privacy Rule of the GLBA “governs how institutions can collect and disclose of customers’ personal financial information” [10]. It requires the company to “provide its customers a privacy notice” about information collected, information sharing policy, and give the customer a “reasonable” option to opt out of information-sharing agreements. [9]
  • HIPAA is enforced by The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR)
    GLBA is enforced by the Federal Trade Commission (FTC).
  • GLBA has a Pretexting Rule to protect against “the practice of obtaining personal information through false pretenses.”
    The HIPAA doesn’t have this.
  • How does GLBA’s and HIPAA’s privacy rule translate into information systems security controls and countermeasures?

In order to develop, implement, and maintain the information security program, the organization should:

(a) Designate an employee or employees to coordinate the information security program.

(b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of the operations, including:

(1) Employee training and management;

(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and

(3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

(c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

(d) Oversee service providers, by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

(2) Requiring the service providers by contract to implement and maintain such safeguards.

(e) Evaluate and adjust the information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to the operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on the information security program. • Document IT inventory and network device configurations, including device name, IP address, access method, vendor and model, and physical location. [11]

  • What three areas does the GLBA Safeguards Rule encompass?

(1) Insure the security and confidentiality of customer information;

(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. [10]

  • What is ePHI?

According to, the HIPAA Security Rule “protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.” The Security Rule calls this information “electronic protected health information” (e-PHI). [12]

  1. What three areas does the HIPAA Security Rule encompass for PHI?

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. [13]

  1. Are organizations under GLBA and HIPAA required to mail and inform their customers in writing about their privacy right?


The HIPAA Privacy Rule “requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers.” [14]

Similarly, the Gramm-Leach-Bliley Act “requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices.” [15]

  1. When you go to your doctor’s office, one of the forms the office asks you to fill in and sign is a HIPAA Release Form authorizing your doctor to share your medical records and privacy data with third parties, including health insurance companies. Is this an example of the HIPAA Privacy Rule or the HIPAA Security Rule?

It is an example of HIPAA Privacy Rule. The HIPAA website states that the Privacy Rule requires a person must have the choice “to decide if he want to give your permission before your health information can be used or shared for certain purposes, such as for marketing” [16]

  1. Why is a Business Associate Agreement/Contract required between a HIPAA-covered entity and a downstream medical or service provider to that covered entity?

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. [17]
The Agreement/Contract is thus needed to ensure the continued privacy of the PHI.

  1. Like HIPAA, GLBA has both privacy and security rules. What are the official names of these rules in GLBA law?

The GLBA privacy rule is known as: The Financial Privacy Rule

Its security rule is known as: Safeguards Rule





4. Grama, J. L. Laboratory Manual to Legal issues in Information Security Version 2.0