There are more than 20 optional regulatory factors that an organization can consider as part of a HITRUST assessment. These are individual options, based on specific industry requirements, and can be quite tricky to parse.
This article is Part Three of a Four-part Series on the HITRUST Framework
Part One: 7 HITRUST Regulatory Factors to Consider for Healthcare
Part Two: 7 HITRUST Regulatory Factors to Consider for Federal Compliance
Part Three: 5 HITRUST Regulatory Factors to Consider for International and State-level Privacy Compliance
Part Four: 4 Miscellaneous HITRUST Regulatory Factors to Consider
In this blog series we are taking a look at these regulatory factors. We have already explored two major groups of HITRUST regulatory factors: healthcare and federal compliance initiatives. But, as we mentioned previously, HITRUST has evolved over the past few years to become more industry agnostic. As such, we turn our attention now, not to an industry-specific initiative, but rather one of the most impactful global trends of the past few years – privacy.
GDPR and CCPA are two of the most frequently added regulatory factors – there is value and demand in demonstrating compliance with these regulations. As privacy becomes more relevant, more people will become aware of the regulations below and enforcement will become more common.
For the sake of this discussion, we’ve broken the privacy-related regulatory factors into two categories: international regulations and state-specific laws. Read on for a better understanding of the regulatory landscape for privacy compliance, and which regulations matter most.
First Introduced in HITRUST 9.1 – February 2018
The European Union General Data Protection Regulation is the 800-pound gorilla in the room. Introduced in 2016 and implemented in 2018 (and drawing from two decades of prior privacy legislation), GDPR is a set of data privacy and protection regulations that has completely changed the way organizations collect and retain information about their “data subjects.” Its requirements include informed consent, the right to be forgotten, and the installation of a chief privacy officer to oversee these programs (among others). GDPR has far-reaching applications, as even United States-based organizations must follow its regulations if it collects data on individuals based in the EU. The fines for GDPR violations can be steep – €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
The A-LIGN Bottom Line: Even though GDPR is a European regulation, American companies still need to be aware of it because of the nature of its global enforcement. Particularly, American companies with a multi-national presence will almost certainly be asked about their GDPR compliance efforts when working with European customers and partners. Currently, there is no official mechanism to become certified as GDPR compliant, so adding GDPR to a HITRUST assessment is a great approach for addressing questions and concerns about GDPR compliance.
Singapore Personal Data Protection Act
First Introduced in HITRUST 9.2 – January 2019
The Singapore Personal Data Protection Act is a lot like GDPR, except instead of applying to all of Europe (or even all of Asia) it only applies to Singapore. The Singapore Personal Data Protection Act precedes GDPR by a few years, having been introduced in 2012. Like GDPR, The Singapore Personal Data Protection Act is focused on the collection, use and disclosure of personal information, as well as its protection. As of November 2020, the maximum fine for a violation is $1 million – which has been levied against organizations several times – and there is currently a proposal in parliament to increase this to 10% of an organization’s annual turnover in Singapore.
The A-LIGN Bottom Line: Even though the Singapore Personal Data Protection Act is an international regulation, it is not nearly as influential as GDPR since it only applies to Singapore. Never-the-less, multi-national corporations with a presence in Singapore should be aware of the regulation. There is no formal certification process for this regulation, so adding it to a HITRUST assessment is a good way for an organization to demonstrate compliance if it needs to do so.
First Introduced in HITRUST 9.3 – October 2019
The California Consumer Privacy Act is both the most recent and the most impactful of the state-level privacy regulations. CCPA was introduced in 2018 and enforcement began in 2020, although there have not been any fines announced as of November 2020. Additionally, during its 2020 election, California voted to create an agency to enforce CCPA. Similar to GDPR, CCPA protects the privacy rights of individuals by giving them the right to opt-out of being tracked online and requires organizations to protect the data it does collect. Technically, CCPA only applies to residents of California, but like GDPR, many organizations have determined it is safer to apply enforcement to all of its users, rather than risk a violation.
The A-LIGN Bottom Line: CCPA has impacted the United States the same way GDPR has impacted the world and many organizations are looking for attestation that CCPA is being followed. CCPA defines both data processors and sub-processors, which means that if an organization is sharing its customer data with another company it is going to want proof they are in compliance with CCPA. There is no formal certification for CCPA, so adding it to a HITRUST assessment is a great way to demonstrate compliance.
(State of Mass.) 201 CMR 17.00
First Introduced in HITRUST 2.1 – March 2010
The State of Massachusetts 201 CMR 17.00 is a data protection act enacted in 2010 with a focus on personal privacy. This law, and its enforcement, are primarily concerned with identity theft and data breaches. Achieving compliance requires organizations to produce a written plan of policies and procedures that include security controls – a similarity it shares with the process of a HITRUST assessment. The State of Massachusetts data protection act is the oldest in the United States.
The A-LIGN Bottom Line: Although the State of Massachusetts data protection act has been around for more than a decade it is typically only enforced in the case of large public data breaches. In light of GDPR and CCPA, most organizations do not feel the need to demonstrate compliance with these less stringent regulations, but it should still be considered a best practice for any company that is doing business with-in Massachusetts.
State of Nevada Security of Personal Information Requirements
First Introduced in HITRUST 2.2 – March 2010
Similar to the Massachusetts data protection act, the State of Nevada has a set of personal privacy requirements focused on personally identifiable information, such as driver’s license and credit card numbers, and is primarily concerned with data breaches.
The A-LIGN Bottom Line: The State of Nevada Security of Personal Information Requirements may be redundant for organizations that are already focused on other larger compliance programs – for example, an organization that is PCI compliant will have achieved compliance with this Nevada law. However, for any business based in Nevada it should be considered a best practice to demonstrate compliance with these requirements.
UP NEXT: Financial Services and Miscellaneous Regulatory Factors – Part 4 of 4