All-in-one Risk Management Platform

HIPAA vs. GLBA

These two regulations are quite similar, but they are also separate and focus on different aspects of privacy. Let’s break down the basics of both.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.
sana logobig sky health logowellness fx logoacuity logohealthcare.com logo

HIPAA vs. GLBA

If you work in the healthcare sector, you’ve probably heard about HIPAA. HIPAA is required for anyone in or working with the healthcare industry. If you work in the financial sector, you’ve probably heard of the GLBA. The GLBA has everything to do with financial organizations.

But can these two regulations overlap in any respective industry? How are they similar, and how are they different? When it comes down to it, what these laws have in common is their purpose to protect and guard the general public’s personal data within their respective industries. The terminology, applicability, and many other things do differ between the two.

In this guide, we’ll break down everything you need to know about the Gramm Leach Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

The Health Insurance Portability and Accountability Act - HIPAA

What is HIPAA?

Healthcare organizations nowadays are required to take extensive measures to safeguard the protected health information of their patients and consumers. Thanks to HIPAA, there is security over this information. Standards protecting the privacy of a person's health-related information were set by the Health Insurance Portability and Accountability Act of 1996 (commonly known as HIPAA). These requirements concern the data required for healthcare coverage. The purpose of HIPAA was to enhance the continuity and portability of health insurance coverage in both group markets and individual markets.

Key HIPAA Terms

  • Workstation and Security Controls - Once inside your building, you must secure all of your devices, including workstations and desktop and laptop computers as well as tablets and laptops. These workstations should only be accessible physically by authorized employees.
  • Controls for Devices and Media - Data should be safeguarded on any devices or media, including hard drives, external hard drives, memory cards, and flash drives. Unauthorized access ought to be avoided.
  • Access Controls - Only individuals who have been given permission should be able to access the files themselves. Without proper authorization, no one should be able to read, write, alter, or transmit data.
  • Controls for Auditing Data Activity - You must be able to audit data activity. This entails creating a thorough log of each file access, including who accessed the files, when, and any associated activities.
  • Integrity Controls - Integrity controls must be in place to guarantee that electronically protected health information is not lost or corrupted.
  • Person or Entity Authentication - It's crucial to confirm that the users trying to access protected data are, in fact, who they say they are. This can include employing strategies like multi-step verification.
  • Security Transmission - Security during transmission is required for all HIPAA-covered data when it is sent to third parties.
  • Facility Access Controls - The first line of defense for safeguarding your data entails regulating who has access to your physical facility. Only individuals with permission to view and work with sensitive data should have physical access.

Who Does HIPAA Apply to?

A "Covered Entity” is one type of organization that is subjected to HIPAA requirements. Among the covered entities are the following:

  • Health Plans, including health insurance providers, HMOs, workplace insurance programs, and some public health insurance programs like Medicare and Medicaid.
  • Health Care Providers. Most healthcare providers use electronic means to perform certain business, such as invoicing your health insurance. This includes the majority of medical professionals as well as most hospitals, nursing homes, pharmacies, etc.
  • Health Care Clearinghouses, which are organizations that transform nontraditional health information received from another organization into a standard, or the opposite.

Additionally, some HIPAA rules must be followed by business associates of covered businesses. Your health information will frequently need to be accessible to contractors, subcontractors, and other external parties who are not employed by a covered business in order to provide services for the covered company.

star iconstar iconstar iconstar iconstar icon
“Saved our business.”
star iconstar iconstar iconstar iconstar icon
"Easy to use!"
star iconstar iconstar iconstar iconstar icon
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

The Gramm Leach Bliley Act - GLBA

What is GLBA?

The Gramm-Leach-Bliley Act, or GLBA, focuses on the data protection measures that financial organizations are required to have in place. Companies that provide customers with financial goods or services are subject to these compliance requirements. This might refer to lenders, advisers on finances or investments, or insurers. Practices for exchanging information must have the necessary protections in place to secure sensitive data.

Key GLBA Terms

  • Financial Privacy Regulation - Companies that are financial institutions or that receive nonpublic personal information about customers from financial institutions are required to abide by the GLBA's privacy rule. Both transactional data and the majority of personal information are covered by this rule. It also includes any private information you could find out while conducting business.
  • The Safeguards Rule makes sure that people who fall within the GLBA's purview have certain tools at their disposal to safeguard confidential information. GLBA followers are required to have the administrative, technological, or physical protections you employ to access, gather, disseminate, process, safeguard, keep, utilize, transfer, dispose of, or otherwise manage customer information, according to the rule's language.
  • Pretexting Requirements - Covered entities and business associates under the GLBA are required to take precautions to secure nonpublic personal information as well as to identify and stop as many instances of illegal access as they can. Numerous malicious frauds are attempting to gain personal information by phone, email, or even in person. Pretexting laws are designed to lessen this data loss and safeguard more customers.

Who Does GLBA Apply to?

All firms, regardless of size, that play a substantial role in offering customers financial goods or services are subject to the Gramm-Leach-Bliley Act. This covers a wide range of businesses that aren't typically regarded as financial institutions, including check cashing operations, payday lenders, mortgage brokers, nonbank lenders, appraisers of personal property or real estate, merchants who issue branded credit cards, certified tax preparers, and courier services. The rule also applies to businesses that obtain information about clients of other financial institutions, such as credit reporting agencies and ATM operators. Companies covered by the regulation are required to take efforts to guarantee that their affiliates and service providers preserve client information in their care in addition to adopting their own safeguards.

Conclusion

The main distinction between these two sets of compliance guidelines is that each one is concentrated on safeguarding a different kind of data. Healthcare information about a patient is protected by HIPAA, while consumer data about financial institutions are protected under GLBA. But they all strive to protect sensitive data, which is a common objective. They can both take part in preserving PHI.

Like what you see?  Learn more below

These two regulations are quite similar, but they are also separate and focus on different aspects of privacy. Let’s break down the basics of both.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
CCPA vs CPRA vs GDPR
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
HIPAA vs. GLBA
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
GDPR vs. HIPAA
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)