Security Requirements for the Collection Industry

Published: Friday, January 12, 2007

Collectors follow specific federal guidelines that establish consumers' rights and collectors' responsibilities, including laws such as the Fair Debt Collection Practices Act (FDCPA), the Fair Credit Reporting Act (FCRA) and individual state consumer protection laws. Many of these laws contain data security and confidentiality provisions.

In addition, specialized laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require additional security standards be in place to protect against the unauthorized access of consumers' confidential information.

By creating liability for both collection agencies and their clients, GLBA and HIPAA demand that privacy and security be top priorities in the credit and collection industry. In fact, before a collection agency can enter an agreement to provide services to a healthcare provider or financial institution, the agency must demonstrate its capability to safeguard consumer information at the employee and physical security level, as well as the information technology level.

The following summary of GLBA and HIPAA privacy and security rules explains collectors' responsibilities and the measures a collection agency must take to ensure compliance with these laws:

Gramm-Leach-Bliley Act

In order to comply with GLBA, a collection agency must:

  • Designate an employee to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Implement policies and procedures to control security risks to customer information, and monitor their effectiveness.
  • Oversee service providers by selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information, and requiring service providers by contract to implement and maintain such safeguards.

Further procedures recommended by the FTC for collection agencies to remain in compliance with the GLBA Safeguards rule:

  • Lock rooms and file cabinets where paper records are kept.
  • Use password-activated screensavers.
  • Use strong passwords (at least eight characters long).
  • Change passwords periodically, and do not post passwords near employees' computers.
  • Encrypt sensitive customer information when it is transmitted electronically over networks or stored online.
  • Refer calls or other requests for customer information to designated individuals who have had safeguards training.
  • Recognize any fraudulent attempt to obtain customer information and report it to appropriate law enforcement agencies.
  • Train employees on the agency's safeguard policies.
  • Limit access to customer information to employees who have a business reason for seeing it.

HIPAA

In order to comply with HIPAA, a collection agency must:

  • Designate an employee to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Apply appropriate sanctions against employees who fail to comply with the security policies and procedures of the agency.
  • Regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Ensure that access to protected health information is only available to employees who need it.
  • Provide appropriate supervision of employees who work with protected health information or in locations where it might be accessed.
  • Control employee access to facilities in which paper records of protected health information are stored, and to software programs by which electronic records of this information can be accessed.
  • Ensure that when a staff member's employment with the agency ends, his or her access to electronic protected health information is terminated.
  • Isolate the protected health information from other divisions of the company, if the agency is part of a larger organization.
  • Document and review employee use of electronic protected health information. Assign a unique login identifier and password for each employee, in order to trace the use of computer workstations or software programs to access the information.
  • Train all employees and management on the security policies of the agency.
  • Establish a contingency plan for responding to emergencies such as fire, vandalism and natural disasters that may damage systems containing electronic protected health information.
  • Implement a data backup plan to create and maintain retrievable exact copies of electronic protected health information.
  • Carefully monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  • Ensure the proper disposal of electronic protected health information and/or the hardware or electronic media on which it is stored.
  • Use password-activated screensavers that terminate a computer login session after a predetermined time of inactivity.
  • Encrypt consumer information during transmission over an electronic communications network.
  • Report any security incidents to the client.
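Several of the HIPAA items above (regular review of audit logs, access limited to employees who need it, termination of access when employment ends, and a unique login identifier per employee) only work together if someone actually reads the access records against the staff roster. The script below is an added example, not part of the ACA summary and not any agency's real tooling: it parses a few constructed audit-log lines against a constructed employee roster and reports the entries a reviewer would want to see. The log format, the roster fields (role, phi_access, terminated) and every user ID are assumptions made for the illustration.

```python
"""
Added example (not from the ACA page): a minimal audit-log review for the
HIPAA-style controls summarized above. All roster entries and log lines are
constructed for illustration; the fields and format are assumptions.
"""
from datetime import datetime

# Constructed roster keyed by the unique login identifier each employee is
# assigned. "phi_access" records whether the role has a business need for
# protected health information; "terminated" is the separation date, if any.
ROSTER = {
    "jdoe":   {"role": "collector", "phi_access": True,  "terminated": None},
    "asmith": {"role": "collector", "phi_access": True,  "terminated": "2007-01-05"},
    "bjones": {"role": "marketing", "phi_access": False, "terminated": None},
}

# Constructed audit log: ISO timestamp, login id, action, record reference.
AUDIT_LOG = """\
2007-01-03T09:12:00 jdoe   VIEW_PHI account=10021
2007-01-03T09:15:00 shared VIEW_PHI account=10022
2007-01-08T14:02:00 asmith VIEW_PHI account=10023
2007-01-09T10:40:00 bjones VIEW_PHI account=10024
2007-01-09T11:00:00 jdoe   VIEW_NOTES account=10021
"""


def parse_line(line):
    """Split one log line into its four fields (assumed format)."""
    ts, user, action, record = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record}


def review(log_text, roster):
    """Return a list of (reason, entry) findings for the reviewer.

    Reasons:
      unknown_or_shared_login  - login id not on the roster, so the use
                                 cannot be traced to one employee
      no_business_need         - PHI viewed by a role without PHI access
      access_after_termination - activity on or after the separation date
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        employee = roster.get(entry["user"])
        if employee is None:
            findings.append(("unknown_or_shared_login", entry))
            continue
        if entry["action"] == "VIEW_PHI" and not employee["phi_access"]:
            findings.append(("no_business_need", entry))
        ended = employee["terminated"]
        if ended and entry["ts"] >= datetime.fromisoformat(ended):
            findings.append(("access_after_termination", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in review(AUDIT_LOG, ROSTER):
        print(f"{reason:26} {entry['ts'].isoformat()} {entry['user']} "
              f"{entry['action']} {entry['record']}")
```

Run against the constructed data, the review flags the shared login, the access by the terminated collector, and the PHI view by a role with no business need, while the two ordinary entries by `jdoe` pass. In practice the roster would come from the HR system and the log from the collection platform, and the findings would feed the documented review the HIPAA items call for.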

Source: www.acainternational.org