The Gramm-Leach-Bliley Act (GLBA) of 1999 (Pub. L. 106-102, 113 Stat. 1338) has two parts relevant here.

The first allows for the consolidation/merger of financial institutions such as banks, insurance companies and investment/securities firms.

The second regulates the use, disclosure (sharing) and security of the large volumes of nonpublic personal information (which can include health records, e.g. those held by insurers) that these mergers/consolidations bring together, by mandating adherence to the following three rules.

  1. Financial Privacy Rule
    • Enforced by the Federal Trade Commission (together with the other federal financial regulators for the institutions they supervise),
    • Privacy Notices (provided to the consumer when the relationship begins and annually thereafter; they list what personal information is collected, how it is used and which parties it is shared with), and
    • Opt Out provisions: the notice must explain the consumer's right to opt out of sharing with non-affiliated third parties, and the situations in which no opt out is available (e.g. sharing with service providers or under a joint-marketing agreement).
  2. Safeguards Rule
    • Written information security program covering all personal information,
    • Program must be coordinated by at least one designated employee, and
    • Program must be regularly tested and monitored, and adjusted as new threats emerge.
  3. Pretexting Provisions
    • Obtaining personal financial information under false pretenses (pretexting, e.g. an unauthorized individual impersonating the customer by phone, text, email or in person) is prohibited; financial institutions are expected to verify identity, train staff and monitor for such attempts so that information is not disclosed to unauthorized parties.

While GLBA expands consumer protections pertinent to the security of health information held by financial institutions, it does not extend HIPAA privacy regulations to the entities that may receive that health information.  Instead, the consumer's only control over such sharing is the "opt out" provision.  This is of concern because the average consumer may not be aware of HIPAA's purpose and protections (e.g. the minimum necessary standard) or of the potential consequences when those protections do not apply.

For more information on Gramm-Leach-Bliley's impact on healthcare law, please contact Linda Mancini at 781-272-8001.