HIPAA, FISMA, FERPA, PCI, GDPR - not just acronyms, these denote standards that govern software systems. Which federal and international regulations apply to your company’s IT? And how can you be sure you’re compliant? Here’s a quick summary of the most widely applicable standards, and how they might apply to you.
HIPAA (Health Insurance Portability and Accountability Act): Given the glut of new technologies in healthcare management, from electronic health records to self-service portals for health insurance subscribers, protecting digital health information is an increasingly critical issue. If your business involves any kind of healthcare data, whether as an actor in the healthcare industry or as a provider of administrative services to a healthcare company, you must comply with HIPAA. Double-check whether HIPAA applies to you by using this tool.
HIPAA regulations are flexible and scalable, meaning they can be adapted to any organization's size, structure, and risk profile, but this also means less is written out in black and white. How do you get a handle on all this? Read through the Security Rule to better understand its data protection and documentation requirements.
FISMA (Federal Information Security Management Act): FISMA treats information security as a matter of national security. It applies directly to federal agencies, as well as to the contractors with whom they do business. Recommendations for computer and network security are outlined in the NIST 800 series publications, particularly 800-37 and 800-53. If your company hopes to do business with a federal agency, make sure you implement the NIST recommendations in order to be FISMA compliant.
FERPA (Family Educational Rights and Privacy Act): This law dates back to the 1970s, before the digital revolution. It governs the retention and protection of student educational records, which today are managed electronically. If your business deals with student data from any post-secondary institution (university, vocational school, etc.), then section 3.1 of FERPA applies to you.
PCI-DSS (Payment Card Industry Data Security Standard): Merchants, vendors, and financial institutions all handle payment cards, and therefore are all subject to the PCI-DSS. Aimed at reducing fraud and protecting cardholders, the PCI-DSS is broken down into 12 requirements. If your business has anything to do with credit card transactions, then it also has something to do with PCI-DSS.
GDPR (General Data Protection Regulation): Does your business have European clients or European employees? Or have you been considering doing any kind of business in the EU? The GDPR regulates data protection and privacy for all persons located within the EU/European Economic Area, even if the company handling this data is not based in the EU. It's a thick regulation, but failing to properly protect and process the data of persons in the EU leads to heavy fines.