LAWS & REGULATIONS
1. Notify Americans Before Outsourcing Personal Information Act
(Introduced in House)
HR 4241 IH 110th CONGRESS 1st Session H. R. 4241 To prohibit the transfer of personal information to any person or business outside the United States, without notice. IN THE HOUSE OF REPRESENTATIVES - November 15, 2007
A BILL
To prohibit the transfer of personal information to any person or business
outside the United States, without notice.
SECTION 1. SHORT TITLE
This Act may be cited as the `Notify Americans
Before Outsourcing Personal Information Act'.
SEC. 2. PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION FROM UNAUTHORIZED
TRANSFER
(a) In General- A business shall not transfer personally identifiable
information regarding a citizen of the United States to any foreign affiliate
or subcontractor located in another country without providing that citizen
written notice that such information may be transferred to such foreign
affiliate or subcontractor.
(b) Plain Language Requirement- Written notice must be sent by regular mail, not e-mail, and separate from any other financial disclosure or information. It must be written in easily understandable, plain language.
(c) Notice Period- Written notice must be provided to a citizen of the United States at least ninety (90) days before such information may be transferred to any foreign affiliate or subcontractor.
SEC. 3. PRIVATE CAUSE OF ACTION
To enforce compliance with this Act, to obtain damages, including compensatory
and punitive; to obtain injunctive relief; and to obtain any other compensation,
a private cause of action in State court is authorized.
SEC. 4. EFFECTIVE DATE
This Act shall take effect on the 90th day beginning after the date of
the enactment of this Act.
SEC. 5. DEFINITIONS
As used in this Act, the following definitions apply: http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.4241:
(2 of 3)12/7/2007 8:16:27 PM Search Results - THOMAS (Library of Congress)
2. Federal Law - HIPAA
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal
floor" of privacy protection for health information in the United
States, while allowing more protective ("stringent") state
laws to continue in force. Under the Privacy Rule, protected health information
(PHI) is defined very broadly. PHI includes individually identifiable
health information related to the past, present or future physical or
mental health or condition, the provision of health care to an individual,
or the past, present, or future payment for the provision of health care
to an individual. Even the fact that an individual received medical care
is protected information under the regulation. The Privacy Rule establishes
a federal mandate for individual rights in health information, imposes
restrictions on uses and disclosures of individually identifiable health
information, and provides for civil and criminal penalties for violations.
The complementary Security Rule includes standards for protection of
"Covered entities" must also have formal contracts with their
business associates, which use PHI to perform functions on their behalf.
Examples of business associates include law firms, accounting firms,
accreditation organizations, credentialing services, billing services
and third-party administrators. Business associate agreements must stipulate
that the business associate will safeguard PHI and will assist the "covered
entity" in complying with its obligations with regard to individual
rights and oversight by the Secretary of Health and Human Services.
ImageDoc falls under “third-party administrators”
Security standards
Requirements for safeguarding protected health information
(PHI) are found in two separate but complementary Rules under HIPAA.
The Privacy Rule requires "covered entities" to have in place "appropriate
administrative, physical and technical measures" to safeguard PHI.
This obligation must be passed on to business associates in business
associate agreements and to researchers in limited data use agreements.
The Security Rule, published in final form on February 20, 2003, contains
considerably more detail about the meaning of appropriate safeguards.
3. FACTA
The Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”
The standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.
The Rule applies to people and both large and small organizations that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers, car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.
The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.
The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to: burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed; destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include: reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company’s information security policies or procedures.
Financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires institutions to take steps to protect sensitive customer information, should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires. Information is available at www.ftc.gov/privacy/privacyinitiatives/safeguards.html