Global Compliances
- HIPAA → (Health Insurance Portability and Accountability Act) Protects health/medical data.
- FCRA → (Fair Credit Reporting Act) Protects credit and consumer reporting data.
- State Privacy Laws → Protect personal data at the consumer level (similar in spirit to GDPR in Europe).
1. HIPAA (Health Insurance Portability and Accountability Act, 1996)
- Purpose: Protects the privacy and security of individuals’ medical information (PHI – Protected Health Information).
- Who it applies to:
  - Covered Entities – healthcare providers, health plans, and healthcare clearinghouses.
  - Business Associates – vendors/partners handling PHI on behalf of covered entities.
- Key Rules:
  - Privacy Rule: Sets standards on how PHI can be used and disclosed.
  - Security Rule: Requires safeguards (technical, physical, administrative) for electronic PHI (ePHI).
  - Breach Notification Rule: Requires notification to affected individuals, HHS, and sometimes the media if a breach occurs.
- Penalties: Civil fines up to $1.5 million per violation category per year; criminal penalties for willful misuse.
2. FCRA (Fair Credit Reporting Act, 1970)
- Purpose: Protects consumer information collected by consumer reporting agencies (CRAs) and ensures fairness, accuracy, and privacy of consumer reports.
- What it covers: Credit reports, tenant screening, employment background checks, and insurance underwriting reports.
- Key Rights for Consumers:
  - Access to their own credit reports.
  - Ability to dispute inaccurate information.
  - Consent required before employers run background checks.
  - Limitations on how long negative info can stay on a report (generally 7 years, 10 for bankruptcies).
- Enforcement: Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and state attorneys general.
- Penalties: Businesses can face fines and lawsuits for violations (both civil and criminal).
3. State-Level Privacy Laws
In the U.S., states are increasingly passing their own privacy laws that go beyond federal protections:
- California Consumer Privacy Act (CCPA, 2020) / CPRA (2023 update):
  - Gives Californians rights to access, delete, and opt out of the sale/sharing of their personal data.
  - Requires businesses to disclose how they collect, use, and share data.
- Virginia Consumer Data Protection Act (VCDPA, 2023):
  - Similar to CCPA but with specific provisions on data minimization and consumer consent.
- Colorado Privacy Act (CPA, 2023):
  - Provides rights to access, correct, delete, and opt out of data sales and profiling.
- Utah Consumer Privacy Act (UCPA, 2023):
  - Focused on data access and opt-out rights; lighter obligations compared to California.
- Connecticut Data Privacy Act (CTDPA, 2023):
  - Grants rights similar to Colorado and Virginia, including opt-out of targeted advertising.
👉 Other states (e.g., Texas, Oregon, Montana, and Delaware) have also passed consumer privacy laws set to take effect in 2024–2026.
The following table shows how HIPAA is sector-specific (healthcare), FCRA is industry-specific (credit/consumer reporting), and state privacy laws are broad (covering all personal data).
| Aspect | HIPAA | FCRA | State-Level Privacy Laws |
| --- | --- | --- | --- |
| Primary Focus | Health & medical information (PHI/ePHI) | Consumer credit & reporting information | General personal data (PII) & consumer privacy |
| Who Must Comply | Healthcare providers, health plans, clearinghouses, and business associates | Consumer Reporting Agencies (CRAs); employers, landlords, and insurers using reports | Businesses meeting revenue/data thresholds (varies by state, e.g., CCPA applies to companies with $25M+ revenue or handling 100k+ records) |
| Key Protections | Privacy, security, and breach notification for health data | Accuracy, fairness, and privacy of credit/consumer reports | Transparency; data rights (access, delete, correct, opt-out); limits on sale/sharing of data |
| Consumer/Individual Rights | Access to own health records; request corrections; restrict disclosures; receive breach notifications | Access to credit reports; dispute inaccuracies; consent required for employment checks; limits on negative info reporting | Access to personal data; correct/delete data; opt out of sale/sharing; data portability (varies by state) |
| Examples of Covered Data | Medical history, diagnoses, treatment records, lab results, billing info | Credit history, payment history, tenant screening reports, employment background checks | Personal identifiers (name, email, phone, SSN, IP, geolocation, biometric, browsing data) |
| Enforcement Authority | U.S. Department of Health and Human Services (HHS) – Office for Civil Rights (OCR) | Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), state AGs | State Attorneys General; sometimes state privacy agencies (e.g., California Privacy Protection Agency) |
| Penalties | Civil: up to $1.5M/year per violation type; Criminal: fines & imprisonment | Civil damages, fines, and criminal penalties for willful violations | Varies by state: CCPA/CPRA $2,500 per violation, $7,500 per intentional violation; other states impose similar statutory fines |
| Notable Laws/Updates | HIPAA Privacy Rule, Security Rule, Breach Notification Rule | Fair Credit Reporting Act (1970), amended by FACTA | CCPA/CPRA (CA), VCDPA (VA), CPA (CO), UCPA (UT), CTDPA (CT), plus emerging laws in TX, OR, MT, DE (2024–2026) |