Global Compliances

  • HIPAA → (Health Insurance Portability and Accountability) Protects health/medical data.
  • FCRA → (Fair Credit Reporting Act) Protects credit and consumer reporting data.
  • State Privacy Laws → Protect personal data at the consumer level (like GDPR in Europe).
1. HIPAA (Health Insurance Portability and Accountability Act, 1996)

  • Purpose: Protects the privacy and security of individuals’ medical information (PHI – Protected Health Information).
  • Who it applies to:
    • Covered Entities – healthcare providers, health plans, and healthcare clearinghouses.
    • Business Associates – vendors/partners handling PHI on behalf of covered entities.
  • Key Rules:
    • Privacy Rule: Sets standards on how PHI can be used and disclosed.
    • Security Rule: Requires safeguards (technical, physical, administrative) for electronic PHI (ePHI).
    • Breach Notification Rule: Requires notification to affected individuals, HHS, and sometimes the media if a breach occurs.
  • Penalties: Civil fines up to $1.5 million per violation category per year; criminal penalties for willful misuse.
2. FCRA (Fair Credit Reporting Act, 1970)

  • Purpose: Protects consumer information collected by consumer reporting agencies (CRAs) and ensures fairness, accuracy, and privacy of consumer reports.
  • What it covers: Credit reports, tenant screening, employment background checks, and insurance underwriting reports.
  • Key Rights for Consumers:
    • Access to their own credit reports.
    • Ability to dispute inaccurate information.
    • Consent required before employers run background checks.
    • Limitations on how long negative info can stay on a report (generally 7 years, 10 for bankruptcies).
  • Enforcement: Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and state attorneys general.
  • Penalties: Businesses can face fines and lawsuits for violations (both civil and criminal).
3. State-Level Privacy Laws

In the U.S., states are increasingly passing their own privacy laws that go beyond federal protections:

  • California Consumer Privacy Act (CCPA, 2020) / CPRA (2023 update):
    • Gives Californians rights to access, delete, opt-out of sale/sharing of their personal data.
    • Requires businesses to disclose how they collect, use, and share data.
  • Virginia Consumer Data Protection Act (VCDPA, 2023):
    • Similar to CCPA but with specific provisions on data minimization and consumer consent.
  • Colorado Privacy Act (CPA, 2023):
    • Provides rights to access, correct, delete, and opt-out of data sales and profiling.
  • Utah Consumer Privacy Act (UCPA, 2023):
    • Focused on data access and opt-out rights; lighter obligations compared to California.
  • Connecticut Data Privacy Act (CTDPA, 2023):
    • Grants rights similar to Colorado and Virginia, including opt-out of targeted advertising.

👉 Other states (e.g., Texas, Oregon, Montana, and Delaware) have also passed consumer privacy laws set to take effect in 2024–2026.

The following table shows how HIPAA is sector-specific (healthcare), FCRA is industry-specific (credit/consumer reporting), and state privacy laws are broad (covering all personal data).

| Aspect | HIPAA | FCRA | State-Level Privacy Laws |
|---|---|---|---|
| Primary Focus | Health & medical information (PHI/ePHI) | Consumer credit & reporting information | General personal data (PII) & consumer privacy |
| Who Must Comply | Healthcare providers, health plans, clearinghouses, and business associates | Consumer Reporting Agencies (CRAs), employers, landlords, insurers using reports | Businesses meeting revenue/data thresholds (varies by state, e.g., CCPA applies to companies with $25M+ revenue or handling 100k+ records) |
| Key Protections | Privacy, security, and breach notification for health data | Accuracy, fairness, and privacy of credit/consumer reports | Transparency, data rights (access, delete, correct, opt-out), limits on sale/sharing of data |
| Consumer/Individual Rights | Access to own health records; request corrections; restrict disclosures; receive breach notifications | Access to credit reports; dispute inaccuracies; require consent for employment checks; limit negative info reporting | Access to personal data; correct/delete data; opt-out of sale/sharing; data portability (varies by state) |
| Examples of Covered Data | Medical history, diagnoses, treatment records, lab results, billing info | Credit history, payment history, tenant screening reports, employment background checks | Personal identifiers (name, email, phone, SSN, IP, geolocation, biometric, browsing data) |
| Enforcement Authority | U.S. Department of Health and Human Services (HHS) – Office for Civil Rights (OCR) | Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), State AGs | State Attorneys General, sometimes state privacy agencies (e.g., California Privacy Protection Agency) |
| Penalties | Civil: up to $1.5M/year per violation type; Criminal: fines & imprisonment | Civil damages, fines, criminal penalties for willful violations | Varies by state: CCPA/CPRA: $2,500 per violation, $7,500 per intentional violation; other states: similar statutory fines |
| Notable Laws/Updates | HIPAA Privacy Rule, Security Rule, Breach Notification Rule | Fair Credit Reporting Act (1970), amended by FACTA | CCPA/CPRA (CA), VCDPA (VA), CPA (CO), UCPA (UT), CTDPA (CT), plus emerging laws in TX, OR, MT, DE (2024–2026) |