9-2 Information Technology Use and Security Policy Manual - Appendix B: Information Security Laws and Standards

Return to IT Use and Security Policy Manual Table of Contents

Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”

Read next: Appendix C – Security Policy/Standard Waiver

What's on this Page

1. Federal Laws
   1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
   2. Health Information Technology for Economic and Clinical Health (HITECH) Act
2. State of California Laws
   1. Data Breach Notification Law (CA Civil Code 1798.29)
   2. California Public Records Act (Government Code 6250-6276.48)
   3. Social Security Numbers Protection (CA Civil Code 1798.85-1798.89)
3. Standards
   1. Payment Card Industry Data Security Standard (PCS DSS)
   2. Federal Bureau of Investigation Criminal Justice Information Services Standard (FBI CJIS)
   3. International Organization for Standardization (ISO) 27002

I. Federal Laws

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
   Congress enacted HIPAA, in part, to protect the privacy and security of protected health information (PHI) maintained by covered entities. Covered entities include most healthcare providers (i.e., those who use HIPAA- mandated electronic codes for billing purposes), health insurance companies, and employers who sponsor self- insured health plans. The U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. The two principal sets of regulations issued by HHS to implement HIPAA are the Standards for Privacy of Individually Identifiable Health Information (the “HIPAA Privacy Rule”) and the Security Standards for Individually Identifiable Health Information (the “HIPAA Security Rule”). The HIPAA Privacy Rule requires covered entities to implement policies and procedures to ensure that (a) workforce members use and disclose PHI only for permissible purposes and (b) patients and insured’s can exercise their HIPAA-mandated rights, such as the rights to access and to amend PHI. The HIPAA Security Rule requires covered entities to implement policies and procedures to ensure the confidentiality, integrity, and availability of PHI in electronic form; to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI; and to protect against reasonably anticipated uses or disclosures of electronic PHI in violation of the HIPAA Privacy Rule.
2. Health Information Technology for Economic and Clinical Health (HITECH) Act
   The HITECH Act, effective February 17, 2010 supplements the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule. The Act requires covered entities to notify patients and insured’s whose PHI is compromised by a security breach. It extends many of the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule to vendors — such as insurance brokers, billing services, and third-party administrators — who create or receive PHI when providing services to covered entities. The HITECH Act increases the penalties that HHS can impose on a covered entity for violating HIPAA or its implementing regulations.

Back to top

II. State of California Laws

1. Data Breach Notification Law (CA Civil Code 1798.29)
   California’s Data Breach Notification Law requires any agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
2. California Public Records Act (Government Code 6250-6276.48)
   The California Public Records Act (PRA) established in 1968, describes what information is available to the public.  The PRA also defines required communications to the requestor and the records that are confidential under law and therefore, exempt from disclosure.
3. Social Security Numbers Protection (CA Civil Code 1798.85-1798.89)
   Limits the use of social security numbers by restricting public posting and display to others, e.g., in printed or mailed materials unless required by law, on identification cards, and over the Internet without proper security measures.
4. Privacy Electronic Communications (SB178) CA Civil Code 1798.90
   SB178 describes that a government entity is prohibited from access to electronic communication or electronic device communication without a search warrant, wiretap order or electronic reader records except for emergency situations.

Back to top

III. Standards

1. Payment Card Industry Data Security Standard (PCS DSS)
   PCI DSS is an information security standard for organizations that store, process and transmit card holder data.
2. Federal Bureau of Investigation Criminal Justice Information Services Standard (FBI CJIS)
   CJIS is an information security standard for organizations that store, process, and transmit Criminal Justice Information.
3. International Organization for Standardization (ISO) 27002
   ISO 27002 is an information security standard that provides best practice recommendations on information security management.

Back to top