Privacy Principles for Accountants

CPA Journal, The, May 2008 by Hildebrand, Mary J, Savare, Matthew

Accountants possess the technical skills and training to provide information assurance, compliance testing, independent verifications, and attestations of management reporting. Historically, accountants have provided these services as they relate to financial reporting. With the current emphasis on information privacy, many accountants now offer the following privacy services as well:

* Strategic privacy and business planning

* Privacy gap and risk analysis

* Benchmarking

* Privacy-policy design and implementation

* Performance measurement

* Independent verification of privacy controls (privacy audits)

* Attestation of management's privacy reports.

As noted above, privacy legislation is a patchwork of federal and state statutes and regulations. As such, accountants are well advised to consult with an experienced privacy attorney before offering privacy services to the public. At minimum, however, accountants should have at least a rudimentary independent understanding of the following privacy statutes:

Health Insurance Portability and Accountability Act (HIPAA). HIPAA [PL 104-191, 110 Stat. 1936 (1996)] and the regulations promulgated under it are the first set of comprehensive rules on health privacy. However, these regulations do not apply to all people or entities that have access to an individual's health information. Instead, they apply only to "a health plan," "a health care clearinghouse," and "a health care provider who transmits any health information in electronic form" (45 CFR section 160.102). These "covered entities" are defined in 45 CFR section 160.103 as follows: a "health plan" is "an individual or group that provides, or pays the cost of, medical care." This definition encompasses health insurers, HMOs, and group health plans. A "health care clearinghouse" is a public or private entity that processes health information into a standard format, or into specialized formats for the needs of specific entities. This definition includes billing services, repricing companies, community health management information systems, and community health information systems. Finally, a "health care provider" is a "provider of medical or health services ... and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." Examples of health care providers include physicians, hospitals, and pharmacists.

HIPAA's privacy rule creates standards for electronic transactions, data security, patient identification numbers, and the privacy of health information.

Gramm-Leach-Bliley Act (GLBA). As discussed in detail above, GLBA applies to "financial institutions." The statute governs privacy issues for personal financial information.

Children's Online Privacy Protection Act (COPPA). COPPA (15 USC sections 6501-06) regulates the collection and use of children's information by websites. It applies to "an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child."
