Running head: APPLICABLE LAWS TO HIC, INC.

Applicable Laws to HIC, Inc.


Jessica Romio
University of San Diego
I. Abstract
HIC, Inc. is a health insurance company that often deals with the personal health information of
its various customers. Because of this, it must comply with the health industry laws, regulations,
and standards. Not only must the company comply with those laws and regulations that pertain to
personal health data, but also the laws and regulations of the state of California in which it
resides. Laws such as HIPAA, HITECH, and the California Consumer Privacy Act of 2018 must
be followed by HIC, Inc. The following describes the various laws, regulations, and standards
with which HIC, Inc. should comply.

II. Laws
The Health Insurance Portability and Accountability Act (HIPAA) is a law that ensures that
one’s privacy is protected when handling health records. As a company that deals with health
insurance, HIC, Inc. is required to comply with HIPAA. The law defines one’s health record as
protected health information (PHI) or, in electronic form, electronic PHI (EPHI). It states how PHI must be
collected, processed, and disclosed, and it states the penalties for violating those rules. In order to
be HIPAA compliant, HIC, Inc. must have the following key control requirements in place:
administrative safeguards, physical safeguards, technical safeguards, and risk assessment. When
put in place, HIPAA required that standards be adopted to address the security of electronic
health information systems, standards be put in place for electronic transactions, and that privacy
standards be put in place for health information. The Privacy Rule was put in place by the
Department of Health & Human Services (HHS) and set the national standards for the protection
of health information. The Security Rule was also put in place by HHS and it established a set of
security standards to protect health information that is held or transferred in electronic form. It
requires that confidentiality, integrity, and availability of EPHI be protected.
The Health Information Technology for Economic and Clinical Health Act (HITECH) created
incentives in using health care information technology and in doing so, widened the scope of
privacy and security protections under HIPAA. The Final Rule of HIPAA implemented several
provisions of the HITECH Act in order to strengthen the privacy and security protections that
were established under HIPAA. HITECH increased legal liability for not complying with HIPAA
and increased enforcement. It requires that HHS conduct periodic audits of covered entities, it
imposes data breach notification requirements related to PHI, and it requires that those
businesses that implement an electronic health record system, such as HIC, Inc., honor the right
of individuals to obtain their PHI electronically.
The Health Information Trust Alliance (HITRUST) is a private group that collaborated with
security leaders to create a security framework. This framework should also be considered as it
includes controls that meet the requirements of several regulations and standards such as the
ISO/IEC 27000-series and the HIPAA standards. HITRUST focuses on creating standard
processes for the healthcare sector and allows an organization to show compliance with the different federal
and state regulations and requirements, third-party standards, and other standards and
regulations. It also offers assessments to provide assurance as well as standardized self-
assessments. Although complying with HITRUST is not a required law or regulation, it is helpful
in complying with the laws, regulations, and standards of the health industry.
Another set of practices that is not mandated, but would be helpful to HIC, Inc., is included in
the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
document by HHS. The document aims to raise awareness and provide security best practices to
move organizations towards consistency in the sector when it comes to cybersecurity. The
document explores current threats to the healthcare industry and presents best practices to
mitigate them.
In addition to health-related legislation, there are also laws that must be followed to comply with
the state of California. One major law that affects HIC, Inc., as well as other businesses, is the
California Consumer Privacy Act of 2018. This law gives consumers more control over their
personal data that is collected by businesses. Companies like HIC, Inc. must tell individuals what
data they have collected, what they are using it for, and which third parties they may be giving
access to. This law adds another layer of compliance on top of HIPAA, with which HIC, Inc. must already
comply. This means that a consumer may require the organization to delete their personal
information other than their protected health information, which HIC, Inc. would have to take
into consideration. HIC’s privacy policy should comply with the California law.

III. Conclusion
As a health insurance company, HIC, Inc. has many additional laws and regulations to comply
with in order to protect the personal health information of its customers. Not only must the
company comply with additional health-related laws, but it must also comply with the laws of the
state in which it resides, California. California is often seen as a leader in passing regulations that
protect the consumer, which means that HIC, Inc. must continue to stay in front of these laws and
regulations and ensure it is fulfilling them. Laws such as HIPAA, HITECH, and the
California Consumer Privacy Act of 2018 are all laws that apply to HIC, Inc. and should be
closely monitored for compliance.
