9-4 Information Technology Professionals Policy - Appendix A - Information Security Laws and Standards

Information Systems Department

Appendix A - Information Security Laws and Standards


I. Federal Laws

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    Congress enacted HIPAA, in part, to protect the privacy and security of protected health information (PHI) maintained by covered entities. Covered entities include most healthcare providers (i.e., those who use HIPAA-mandated electronic codes for billing purposes), health insurance companies, and employers who sponsor self-insured health plans. The U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. The two principal sets of regulations issued by HHS to implement HIPAA are the Standards for Privacy of Individually Identifiable Health Information (the “HIPAA Privacy Rule”) and the Security Standards for Individually Identifiable Health Information (the “HIPAA Security Rule”). The HIPAA Privacy Rule requires covered entities to implement policies and procedures to ensure that (a) workforce members use and disclose PHI only for permissible purposes and (b) patients and insureds can exercise their HIPAA-mandated rights, such as the rights to access and to amend PHI. The HIPAA Security Rule requires covered entities to implement policies and procedures to ensure the confidentiality, integrity, and availability of PHI in electronic form; to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI; and to protect against reasonably anticipated uses or disclosures of electronic PHI in violation of the HIPAA Privacy Rule.

    Health Information Technology for Economic and Clinical Health (HITECH) Act
    The HITECH Act, effective February 17, 2010, supplements the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule. The Act requires covered entities to notify patients and insureds whose PHI is compromised by a security breach. It extends many of the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule to vendors — such as insurance brokers, billing services, and third-party administrators — who create or receive PHI when providing services to covered entities. The HITECH Act increases the penalties that HHS can impose on a covered entity for violating HIPAA or its implementing regulations.

II. State of California Laws

  1. Data Breach Notification Law (CA Civil Code 1798.29)
    California’s Data Breach Notification Law requires any agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  2. Social Security Numbers Protection (CA Civil Code 1798.85-1798.89)
    Limits the use of Social Security numbers by restricting public posting and display to others, e.g., in printed or mailed materials unless required by law, on identification cards, and over the Internet without proper security measures.
  3. California Public Records Act (Government Code 6250-6276.48)
    The California Public Records Act (PRA), established in 1968, describes what information is available to the public. The PRA also defines required communications to the requestor and the records that are confidential under law and therefore exempt from disclosure.

III. Standards

  1. Payment Card Industry Data Security Standard (PCI DSS)
    PCI DSS is an information security standard for organizations that store, process and transmit cardholder data.
  2. Federal Bureau of Investigation Criminal Justice Information Services Standard (FBI CJIS)
    CJIS is an information security standard for organizations that store, process and transmit Criminal Justice Information.
  3. International Organization for Standardization (ISO) 27002
    ISO 27002 is an information security standard that provides best practice recommendations on information security management.
