HIPAA Law

Thursday, March 27, 2008

"How To Get Fit And Slash Your Health Insurance Costs"
Okay, before we start, let me explain the purpose of this article. I want you to get so healthy, you'll never need to make a health insurance claim. You'll save money by increased fitness. You'll save money with a long no-claims insurance history. And you'll look and feel much better.

There are three sides to your maximum health and fitness: diet and exercise. But that's only two! So let me split exercise into aerobic exercise and anaerobic exercise.

Get all three right. Get the right balance. And you'll get as fit and healthy as your body and genetics will allow.

Whole forests of paper have been filled with advice on each of these fitness factors. Just go into your local bookstore, and see shelves of diet advice. Shelves of exercise advice.

Funny how much of it contradicts itself, especially on diet: right next to each other on the shelf you'll find a book advocating low carbs and low fat, another saying high fat is fine if you keep the carbs low, and yet another focusing on high protein and saying carbs don't matter...

* Diet

Let me give you this simple diet advice. Stick to low fat, low carbs and high protein. Many medical and weight loss studies over the last 10-20 years support this approach. Many other diet myths come from way back in time, and look just plain wrong when analyzed with modern methods.

* Aerobic Exercise

Couch potatoes don't realize how easily they can start feeling fit and healthy. Just walk somewhere 3-4 times per week, for around 20 minutes each time.

Ideally, do some more demanding aerobic exercise. I do a lot of cycling, because it's great low-impact exercise. And I get to see beautiful scenery while I ride.

Running provides even more intensive aerobic exercise, but be careful of your joints. Maybe you prefer hiking, to see the local countryside? Or take up a sport like rowing or tennis. You also get to meet new friends by taking up exercise as a sport.

* Anaerobic Exercise

Many people work on their diet. Many people take aerobic exercise. But many people ignore anaerobic exercise, or weight training.

What makes weight training so important?

As you get older, muscle mass decreases. Muscle burns fat. So as you lose muscle, it gets harder to keep the fat off. Equally important, weight training can reshape your body.

No matter how much aerobic exercise you do, you'll still be a pear shape (a smaller pear shape) if you started out a pear shape.

Using weights you can flatten your stomach, tone your thighs, bulk up your chest and shoulders, and reshape your body any way you want.

Weight training is incredibly beneficial to your general skeleton strength and conditioning. Older women can reduce the effects of osteoporosis, and older men can maintain their strength and agility.

This short article can do nothing more than provide an introduction to the three keys to your health. Follow these and you shouldn't need to make a health insurance claim.

Slash your health insurance costs with a long no-claims bonus. Slash your health insurance costs with any insurer who rates your fitness.

Discover important health insurance facts and advice. Find out more about low carb foods, and how to lose weight quickly and easily. Go to ==> http://www.healthinsurance--quotes.com/ and ==> http://www.low-low-carb-foods.com/

Neil Stelling BSc, MBA

http://www.healthinsurance--quotes.com/

neil@healthinsurance--quotes.com

Thursday, March 13, 2008

Changes to International Health Insurance

Those who travel overseas for business or vacation may want to know that two of the world's largest international health insurance plans, Atlas Travel and the International Citizen Medical Plan insured by Lloyd's of London, have changed coverage and rates effective January 1, 2002. The coverage levels are increased for the new policies and the premium cost is proportionately higher.

These plans are specifically designed to deal with the language issues, currency translation and business practices unique to the medical care of international travelers. I believe that the improvements in benefits will be welcomed by customers. The relatively low cost of these plans means that a modest price increase is not a significant barrier for most customers.

The updated rates and forms are now available online at www.MedSave.com under the International Health Insurance link or the "Forms" link, and printed versions of the new enrollment brochure are expected to be available in early January.

Tony Novak, MBA, MT, is a tax and benefits adviser based in Narberth, PA. His businesses Freedom Benefits Association and MedSave.com provide enrollment services to individuals and businesses nationwide

Wednesday, March 12, 2008

How to Save Up to 70% on Health Insurance Premiums

Are you tired of paying too much for health insurance premiums? Only 5 or 6 years ago health insurance seemed very affordable, with fantastic coverage to match. Well, if you're an individual or family who pays for health insurance today, chances are you're literally getting punched in the pocketbook, and it hurts.

Health insurance has changed dramatically over the last five years, and this article will arm you with the knowledge you need to get the most out of your next health insurance plan. First, an individual or family needs to identify what they need out of a health plan. Notice I say need, because unless you make more money than you know what to do with, there is no way in the world most people can afford the "perfect" plan with all the bells and whistles.

Do you need a doctor's office co-pay?

Most people don't realize that cutting this benefit out of your health insurance plan will save you up to 30% with some companies. Doctors continually raise their fees for visits, and most of the time a consumer will go to the doctor much more readily with a $10 co-pay than when paying the $50 the doctor may charge. Insurance companies pay millions for these fees and, trust me, after the first 12 months of your plan being in effect you're the one who will pay, through a huge increase in your premium. I've seen insurance plans go up 79% after the first twelve months. Totally ridiculous. Consumers cannot afford this.

Another huge problem, which I'll go into in more depth in another article, is prescription drug cards. I really can't see where the consumer wins here either. Don't get me wrong: if you're on an employer-sponsored group health insurance plan you're probably getting a good deal, but I can assure you that your company is paying through the nose for the coverage you've come to love. I talk to people weekly who literally work for their health insurance coverage. If you can do without a prescription drug plan, I would. Not having this benefit can generally save you 20 to 40% off your premium.

Consumers usually pay 500 to 700 dollars a year for this benefit alone, while the average family who can qualify for individual or family medical plans doesn't spend near this amount. And, once again, when you finally use your card the insurance company will generally offset the cost at your renewal date by raising your health insurance premium. Cut out these things, go with a deductible of $1,000 or higher, and you will definitely save yourself money in both the short and long term. Most of us can pay for the occasional doctor visit and prescription rather than giving our money up front to the insurance company. Just a little food for thought.

Ryan Orrell has been a specialist in the field of
health insurance since 1996 counseling hundreds of individuals
and families on policies which may be right for them.
Ryan is president of http://www.quotemonster.com,
an online shopping service designed to help individuals
and families find affordable health insurance plans.
This article is also posted on the Web at
http://www.quotemonster.com/health-insurance-article-1.html

Tuesday, March 11, 2008

Tales from the Corporate Frontline: The Worth of Health Insurance

This article relates to the Compensation and Benefits Competency, commonly evaluated in employee satisfaction surveys. The questions included in this competency will help your organization determine whether your employees feel they are fairly paid for the work they perform when compared to a similar job at a different company. This competency also queries their feelings regarding the adequacy and quality of their benefits package. A fair and attractive compensation package is critical for hiring and retaining quality employees. A high satisfaction level in this competency requires that your compensation structure and benefits package be fair, balanced, and understood by your present employees.

This article, The Worth of Health Insurance, is part of AlphaMeasure's compilation, Tales from the Corporate Frontlines. It focuses specifically on the value of employer provided health insurance to employees in today's workplace and economic climate.

Anonymous Submission:

Large salary increases are rare these days, especially for mid level, mid career employees. Having worked at the same small, family owned business for about ten years now, my fellow employees and I were accustomed to getting about the same raise every year. It never varied very much, and we considered it fair, especially since the business was quite solid and successful with a steady profit stream for the past several years.

That's why we were all so shocked this year when our expected increase amount was cut in half. After the shock faded, the office was abuzz with speculation "the company is going under, that sales rep, Mr. Brown, lost that lucrative account, I knew this would happen, the owners are just getting greedy, they're thinking of selling to a large multinational" - were some of the stories considered.

Finally, our general manager caught wind of the discussions and settled us down for a meeting. He told us that the reason the increases had been cut was that the health insurance program premiums had risen very sharply. The owners decided that rather than require the employees to pay more for the insurance, it would be better to pay the extra premium and give smaller salary increases. He told us that many companies are handling rising premiums in much the same way.

Many employees, myself included, were skeptical. Sure, we told each other. That's a good story. And we picked up where we'd left off with our previous speculations.

That night, I received a phone call. It was my sister, and she was crying. She's a stay-at-home mom, her husband has been downsized, and the family is at the point where it has to pay for health insurance. As my sister tearfully recited the rates she'd been quoted, I was beyond shock. It amounted to a small fortune. After she hung up, I went online to my health insurance provider website. I checked the rate I would pay without my employer contribution. The price difference was far higher than my raise reduction, and the coverage wasn't as good.

Humbled, I went to work the next day and told my coworkers what I'd discovered. We'd all underestimated the worth of a solid benefit plan with good health insurance in today's workplace and economy. Suddenly our salary increase seemed a lot larger.

AlphaMeasure Employee Surveys, Inc. -
This article may be reprinted, provided it is published in its entirety, includes the author bio information, and all links remain active.

Measure. Report. Improve your organization with AlphaMeasure employee surveys.
Josh Greenberg is President of AlphaMeasure, Inc.
AlphaMeasure provides organizations of all sizes a powerful web based method for measuring employee satisfaction, determining employee engagement, and increasing employee retention.

Monday, March 3, 2008

Health Insurance for the Self-Employed

Having health insurance and being able to afford it is a great concern for many who leave a corporate job to run their own business.

The national crisis in health coverage is hitting small business owners especially hard. About 24 million small-business employees and their families are uninsured, according to a study by the Kaiser Family Foundation.

After you leave your employer you may elect to continue to receive coverage in the employer's group plan at your expense for up to 18 months. The Consolidated Omnibus Budget Reconciliation Act (COBRA) is a federal law that requires employers to allow departing workers to buy health insurance through the employer's group plan.

However, the cost of the monthly premiums for COBRA can come as quite a surprise if you're accustomed to your employer picking up most of your health insurance tab.

Luckily, starting in 2003, consultants, freelance workers and other self-employed individuals are allowed to deduct all of their health insurance premiums. This is an increase from the 70% that was deductible in 2002. You can take the self-employed health insurance deduction even if you do not itemize your tax return.

But, even with health insurance the medical expenses that come out of your pocket can overwhelm you. If you have to dip into your retirement savings for certain medical expenses, the best way to do so is to transfer your IRA or previous 401(k) account to a Self-Employed 401(K) plan that you set up. You can then take a loan from that plan. Loans from a Self-Employed 401(k) plan are tax-free and penalty free as long as they are paid back.

By Daniel Lamaute of www.InvestSafe.com Daniel is a retirement plans specialist and owner of Lamaute Capital, (InvestSafe.com) an investment brokerage firm that works with individuals and small businesses.

Monday, February 11, 2008

How To Save Money On Health Insurance Premiums Using HSA's

Opening a health savings account (HSA) can save you hundreds on your health insurance premium and help pay for out of pocket expenses and deductibles. Anyone younger than age 65 who buys a qualified health insurance policy with a deductible of at least $1,000 for individuals, $2,000 for families, can open an HSA. An HSA lets you set aside pretax money up to the amount of the deductible (with an annual maximum of $2,600 for singles; $5,150 for families). You can use the money tax-free for medical expenses, and anything left over grows tax-deferred. You can use the money for anything after age 65 without penalty, but you will owe income taxes on any money that isn't used for medical expenses.

In many cases, the cost savings from buying a high-deductible policy make up for the higher out-of-pocket medical expenses you'll have to pay -- not to mention the tax benefits.

The HSA Insider Web site (http://www.hsainsider.com) has a comprehensive list of insurers offering HSA-eligible policies and financial institutions providing the investment accounts. You can also search for a quality high deductible health insurance plan to complement your HSA at Best Insurance Deals (http://www.Best-Insurance-Deals.net).

Charles White has authored several informational articles related to saving money on insurance. He is the owner of Best Insurance Deals, a website offering several sources of free insurance quotes saving you hundreds on Auto, Life, Health, Long Term Care and RV insurance. You can visit the website at http://www.best-insurance-deals.net and save money today.

Saturday, January 19, 2008

HIPAA and privacy guide 101

HIPAA has led to sweeping changes in health care administration and information systems as health care organizations struggle to achieve cost-effective compliance by 2003. The US Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The act covers a wide array of issues surrounding the health insurance industry, but in particular its Administrative Simplification provisions address the security and privacy of health information.

HIPAA is designed to standardize the way all health care organizations electronically exchange sensitive patient data and to protect patients from unauthorized disclosure of their medical records, whether paper or electronic. HIPAA set out standards to improve the nation's health care system by enabling electronic data exchange between health care providers. The idea, of course, was to allow different providers to access the records of a particular patient: when a patient visits a new hospital, the covering doctor can access that patient's past record and so provide better care. As one could envisage, however, this raised a great number of apprehensions about the privacy and confidentiality of people's medical records. So the legislature created a fundamental set of rules and regulations with which health care providers must comply, and those rules gave birth to the industry called HIPAA compliance.

To ensure HIPAA compliance there are certain key provisions that must be followed. Individuals should be able to access their records and request correction of errors, and they should be informed about how their personal information will be used. 'Protected health information' (PHI) cannot be used for marketing purposes without the clear consent of the patients in question. People should be able to ask the covered entities that maintain PHI about them to keep their communications with the patient confidential, and they should be able to file formal privacy-related complaints with the Department of Health and Human Services (HHS) Office for Civil Rights.

Covered entities must document their privacy procedures, although they have discretion over what to include in them. They are required to designate a privacy officer and to train their employees. Covered entities can use an individual's information without the individual's consent if the purpose is to provide treatment, obtain payment for services, or perform the non-treatment operational tasks of the provider's business.

Parties that may receive a person's medical records under the HIPAA rules, whether for treatment, payment and operations or under an authorization or legal process, include insurance companies, hospitals, individual physicians, courts and, in limited circumstances, employers. It is considered a downside of the HIPAA Privacy Rule that sponsors of a research study, the makers of the drugs under study and the researchers involved can also obtain PHI, although only under the patient's authorization or a waiver approved by an IRB or privacy board.

Ultimately, the objective of HIPAA is both to increase the efficiency and effectiveness of health information systems through improvements in electronic health care transactions and to maintain the security and privacy of individually identifiable health information.

Mansi Gupta recommends that you visit HIPAA and privacy for more information.

Tuesday, January 8, 2008

Alert: New HIPAA Rules Could Affect Your Organization

Failure to adhere to the new rule could cost your company up to $250,000 per violation!


On April 21, 2005 the compliance deadline for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule arrived for most covered entities (small health plans had until April 21, 2006). The requirements of this rule, which are essentially information security best practices, focus on the three cornerstones of a solid information security program: the confidentiality, integrity and availability of electronic protected health information.

The Security Rule's requirements encompass the transmission, storage and discoverability of Protected Health Information (PHI). Given the widespread use and mission-critical nature of email, the enforcement of HIPAA encryption policies and the growing demand for secure email solutions, email security has never been more important to the healthcare industry than it is right now.

Although many assume it applies only to health care providers, HIPAA also reaches employers: the group health plans they sponsor are covered entities, and any organization that handles PHI on a covered entity's behalf must do so under a business associate agreement. HIPAA was signed into law in 1996 by President Bill Clinton, with the intent of protecting employees' health insurance coverage when they changed or lost their jobs. As Internet use became widespread in the mid-to-late 1990s, HIPAA's Administrative Simplification requirements overlapped with the digital revolution and offered direction to organizations needing to exchange health care information.

HIPAA in the Workplace
Collaboration between employers and health care professionals has grown increasingly digital, and email plays an ever-increasing role in this communication. Email's growing importance, however, can lead to severe consequences if proper security and privacy measures are not implemented.

In addition to the usual concerns about the privacy and security of email correspondence, even organizations that are not in the healthcare industry must now consider the regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates the privacy and security of Protected Health Information (PHI), has sparked concern about how email containing PHI should be treated in the corporate setting. HIPAA, as it relates to email security, enforces otherwise well-known best practices that include:


  • Ensuring that email messages containing PHI are kept secure when transmitted over an unprotected link
  • Ensuring that email systems and users are properly authenticated so that PHI does not get into the wrong hands
  • Protecting email servers and message stores where PHI may exist
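As an added illustration of the first bullet (this is example code written for this page, not CipherTrust or IronMail code), the Python below is a minimal outbound-mail policy gate: for each message it decides whether PHI would cross an unprotected link. It assumes a hypothetical upstream classifier that tags PHI-bearing mail with an "X-Data-Class: PHI" header, uses a constructed MRN pattern as a fallback for untagged bodies, and treats the domains in TLS_REQUIRED_DOMAINS as partners to which the MTA is configured to deliver only over TLS; the sample messages are constructed. Authenticating users and protecting message stores (the other two bullets) are outside what this snippet shows.

```python
"""Outbound-mail policy gate for messages that may carry PHI.

Added example for this page; not CipherTrust/IronMail code. Hypothetical
assumptions: an upstream classifier tags PHI-bearing mail with an
"X-Data-Class: PHI" header; MRN_PATTERN is a constructed fallback for untagged
medical record numbers; TLS_REQUIRED_DOMAINS are partner domains to which the
MTA is configured to deliver only over TLS.
"""
import re
import textwrap
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

MRN_PATTERN = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)  # constructed
TLS_REQUIRED_DOMAINS = {"clinic.example", "payer.example"}           # assumption
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}  # S/MIME, PGP/MIME

ALLOW, ALLOW_TLS, QUARANTINE = "allow", "allow-tls", "quarantine"


def text_parts(msg: Message):
    """Yield the decoded text of every text/* part, descending into multiparts."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def message_contains_phi(msg: Message) -> bool:
    """True if the classifier tagged the message or a text part matches MRN_PATTERN."""
    if (msg.get("X-Data-Class") or "").strip().upper() == "PHI":
        return True
    return any(MRN_PATTERN.search(text) for text in text_parts(msg))


def is_end_to_end_encrypted(msg: Message) -> bool:
    """S/MIME or PGP/MIME envelopes protect the content regardless of the link."""
    return msg.get_content_type() in ENCRYPTED_TYPES


def recipient_domains(msg: Message) -> set:
    """Domains of every To/Cc/Bcc address, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(headers) if "@" in addr}


def evaluate(msg: Message) -> str:
    """Decide how the gateway treats one outbound message."""
    if not message_contains_phi(msg):
        return ALLOW                      # nothing regulated inside
    if is_end_to_end_encrypted(msg):
        return ALLOW                      # already protected end to end
    domains = recipient_domains(msg)
    if domains and domains <= TLS_REQUIRED_DOMAINS:
        return ALLOW_TLS                  # every recipient sits behind an enforced-TLS path
    return QUARANTINE                     # cleartext PHI toward an unprotected link


def evaluate_raw(raw: str) -> str:
    """Parse an RFC 5322 message from text and evaluate it."""
    return evaluate(message_from_string(raw))


# Constructed sample messages (not real traffic).
MSG_PHI_TO_PARTNER = textwrap.dedent("""\
    From: nurse@hospital.example
    To: Dr Lee <lee@clinic.example>
    Subject: Referral
    X-Data-Class: PHI
    Content-Type: text/plain; charset=us-ascii

    Patient J. Doe, MRN: 00123456, referred for follow-up.
    """)
MSG_UNTAGGED_MRN_OUTSIDE = textwrap.dedent("""\
    From: nurse@hospital.example
    To: friend@mail.example
    Subject: fyi
    Content-Type: text/plain; charset=us-ascii

    Can you look at MRN 9876543 for me?
    """)
MSG_NO_PHI = textwrap.dedent("""\
    From: nurse@hospital.example
    To: friend@mail.example
    Subject: lunch
    Content-Type: text/plain; charset=us-ascii

    Lunch at noon?
    """)
MSG_ENCRYPTED = textwrap.dedent("""\
    From: nurse@hospital.example
    To: friend@mail.example
    Subject: Referral
    X-Data-Class: PHI
    Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
    Content-Transfer-Encoding: base64

    MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
    """)

if __name__ == "__main__":
    for name, raw in [("phi-to-partner", MSG_PHI_TO_PARTNER),
                      ("untagged-mrn-outside", MSG_UNTAGGED_MRN_OUTSIDE),
                      ("no-phi", MSG_NO_PHI),
                      ("smime-encrypted", MSG_ENCRYPTED)]:
        print(f"{name:22s} -> {evaluate_raw(raw)}")
```

The order of checks matters: content that is already encrypted end to end is allowed regardless of destination, while untagged PHI (the MRN-only message) to a domain the MTA does not force onto TLS is quarantined rather than sent in the clear. In a real gateway the TLS-enforced domain list would come from the MTA's transport policy, not a hard-coded set.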


Organizations regulated by HIPAA must comply and put these practices in place. The need to comply with regulations also puts particular pressure on the healthcare industry to enhance its use of technology and catch up with other industries of similar size and scope.

Privacy and Email Security
The privacy protection provisions in HIPAA pose a major compliance challenge for the healthcare industry. They are intended to protect patients from disclosure of any of their individually identifiable health information. Under the statute as originally enacted, an organization that fails to protect this information faces civil penalties of $100 per violation, up to $25,000 per year for violations of the same provision. Knowingly disclosing it is a criminal offense, with fines of up to $50,000 and one year in prison, rising to $250,000 and ten years for disclosures made with intent to sell the information or for commercial advantage, personal gain or malicious harm.

The clock is ticking: it's time to get started
Bringing an enterprise into compliance with the rules set by HIPAA can seem like a very daunting task to even the most experienced executives. Nonetheless, the growing dependence on email as a mission-critical application requires that your organization implement comprehensive security and privacy policies and soon. A solid combination of security policies and the technologies to enforce those policies can ensure improved security as well as HIPAA readiness and ongoing adherence.

Despite the immediacy of the new HIPAA security rule, your organization can still achieve compliance. Learn more about how IronMail helps organizations comply with HIPAA by downloading CipherTrust's free whitepaper, "IronMail Compliance Control: Contributing to Corporate Regulatory Compliance".

CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, IronMail Compliance Control: Contributing to Corporate Regulatory Compliance or by visiting www.ciphertrust.com.

Wednesday, December 12, 2007

Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps of prosecutable computer crimes that exist in federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

  1. Assess and Control Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers' information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

  • Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.
