The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was enacted in 1999 to modernize the financial industry. Among other things, it repealed many of the restrictions that the Glass-Steagall Act of 1933 had placed on financial institutions, which prevented mergers between brokerage firms, banks, and insurance companies. Because GLBA gives these large financial institutions an unprecedented ability to access and share your personal information, it also includes provisions for protecting that information.
The GLBA requires financial institutions to:
- Safely and securely store personal information
- Be open in advising clients on their information sharing policies
- Allow consumers the option to opt-out of having some of their information shared between institutions
What Kind of Information Does GLBA Protect?
Personal information collected on individuals from various financial institutions can include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers.
Who Needs to Comply?
The definition of “financial institution” includes many businesses that would not normally describe themselves that way. In fact, the Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies such as credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard the customer information in their care.
For more information on whether the Safeguards Rule applies to your company, consult section 313.3(k) of the GLB Privacy Rule and the Financial Activities Regulations.
How to Comply with the Gramm-Leach-Bliley Act
The Safeguards Rule within the GLBA requires institutions to have a written plan for information security that describes how they will protect customer information. The plan must be appropriate to the company’s size, type of activity, and what type of information they store and manage. As part of each plan, companies must:
Limit access to customer information to employees who have a legitimate need to see it.
Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
- Keeping records and files behind locked doors, in specially designated storage rooms
- Keeping employee passwords confidential and private
- Making sure that all information transmitted electronically is encrypted
- Referring calls related to personal information to designated individuals who have been trained for safeguarding private information
- Preventing terminated employees from accessing customer information by immediately disabling their user accounts and passwords and taking other appropriate measures
Know where sensitive information is stored, make sure it is secure, and make sure only authorized individuals have access. For electronic communications, make sure that information is transmitted over an encrypted TLS connection (the successor to the now-deprecated SSL protocol).
Do not use email to send or receive sensitive information; it is not secure and is susceptible to interception. Also make sure to dispose of customer information in a way that keeps it out of unauthorized hands and is in keeping with the FTC’s guidelines.
If you use conventional paper records, consider hiring a records retention manager to supervise the purging of records containing customer information. Records cannot simply be thrown away; they must be burned or shredded to prevent unauthorized access.
How to Make Compliance Easy
The above list covers only a small portion of what you must keep on top of in order to stay compliant with financial industry regulations. There is, however, a much simpler way: with eFileCabinet’s paperless document management systems, all of these best practices can be automated. Features of eFileCabinet include:
- A Secure Database: Encryption of the documents your organization stores is a necessity. Without a built-in data encryption mechanism, your office will need to employ additional technology services to encrypt your server. Some document management software (DMS) requires external encryption tooling to maintain security. A good DMS has built-in encryption using keys of at least 128 bits, with 256-bit keys now common. These DMS products should not allow any ‘back door’ review of documents and should require each user to sign into the software with an individual login and password.
- Backup of the database protects documents from loss in the event of system or server failure. HIPAA, for example, requires that retrievable backup copies of electronic records be maintained, and keeping them at a separate physical location is standard practice. Strong DMS providers include a backup solution as part of the overall document management package.
- Client Portal: much safer than email, a client portal allows secure sharing of documents with clients and third parties such as insurance companies through a cloud solution. Each client logs into the portal with an individual username and password.
- Automated Retention is a must for compliance. Depending on the specific industry vertical and the nature of the documents being stored, various policies must be observed. HIPAA requires that active employee records be maintained for the duration of the employee’s employment and for 7 years after the employee’s termination. The Automated Retention feature makes this feasible by preventing documents from being accidentally deleted during employment and automatically tracking the 7 years after an employee folder is marked as terminated. Medical providers are required to maintain records in accordance with state and company procedures. HIPAA does not mandate specific timelines for health records, but it does require that retention policy be applied uniformly across the organization.
- Role Based Security: Employee records should be accessible only by HR personnel. Likewise, accounting and payroll records should not be accessible to general employees. The ability to lock down documents to users based on job function and individual need-to-know is critical to ensuring that private information remains private, even from a rogue employee.
- Audit Trails track every action taken in the filing cabinet and should be available only to top-level administrators. This allows oversight and control of the documents and random verification that employees are using the cabinet according to internal policy. Audit trails should be undeletable and unalterable.
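The following is an added example, not eFileCabinet's code or any part of its product, of how the access controls described above (limiting customer information to employees with a need to know, immediately disabling terminated employees' accounts, role-based document security) can be combined with a tamper-evident audit trail. The role names, document categories and the `DocumentStore`/`AuditLog` classes are assumptions for illustration. Each audit entry commits to the previous entry through an HMAC, so deleting or editing any entry breaks the chain from that point on and is detected on verification; the HMAC key is held by the audit administrator, not by ordinary users.

```python
import hashlib
import hmac
import json

# Assumed role model (illustrative only): each role maps to the document
# categories it may read. Admins manage the system but hold no data rights.
ROLE_PERMISSIONS = {
    "hr": {"employee_records"},
    "payroll": {"employee_records", "accounting"},
    "loan_officer": {"customer_financial"},
    "admin": set(),
}

GENESIS = "0" * 64  # hash value that the first entry chains to


class AuditLog:
    """Append-only, hash-chained audit trail.

    Each entry stores the MAC of the previous entry and a MAC over
    (previous MAC || event). Editing, deleting or reordering any entry
    makes verify() fail from that entry onward.
    """

    def __init__(self, key: bytes):
        self._key = key          # held by the audit administrator only
        self.entries = []
        self._last_mac = GENESIS

    def _mac(self, prev: str, event: dict) -> str:
        payload = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        entry = {"prev": self._last_mac, "event": event,
                 "mac": self._mac(self._last_mac, event)}
        self.entries.append(entry)
        self._last_mac = entry["mac"]
        return entry

    def verify(self) -> bool:
        """Return True only if every entry chains correctly to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(prev, e["event"]), e["mac"]):
                return False
            prev = e["mac"]
        return True


class DocumentStore:
    """Role-based, need-to-know access to categorised documents."""

    def __init__(self, audit: AuditLog):
        self.audit = audit
        self.users = {}  # username -> {"role": str, "active": bool}

    def add_user(self, username: str, role: str) -> None:
        self.users[username] = {"role": role, "active": True}

    def deactivate(self, username: str) -> None:
        # Terminated employees are disabled, not deleted, so the audit trail
        # still resolves their username afterwards.
        self.users[username]["active"] = False
        self.audit.append({"actor": "system", "action": "deactivate",
                           "user": username})

    def can_read(self, username: str, category: str) -> bool:
        user = self.users.get(username)
        if user is None or not user["active"]:
            return False
        return category in ROLE_PERMISSIONS.get(user["role"], set())

    def read(self, username: str, doc_id: str, category: str) -> str:
        allowed = self.can_read(username, category)
        # Every attempt is logged, including denials, before any data is returned.
        self.audit.append({"actor": username, "action": "read", "doc": doc_id,
                           "category": category, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{username} may not read {category}")
        return f"<contents of {doc_id}>"  # stand-in for the stored document
```

Access decisions are logged whether or not they succeed, which is what lets an administrator spot an employee probing records outside their job function. The audit administrator verifies the chain periodically; a failed `verify()` means an entry was altered or removed after the fact.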