HIPAA, CAN-SPAM, and FOIA Privacy Requirements
HIPAA, CAN-SPAM, and FOIA each establish distinct privacy requirements that Certified Information Privacy Managers must understand when responding to requests and incidents. **HIPAA (Health Insurance Portability and Accountability Act):** HIPAA governs the protection of individually identifiable health information, known as Protected Health Information (PHI). Covered entities—including healthcare providers, health plans, and healthcare clearinghouses—must implement administrative, physical, and technical safeguards to protect PHI. The Privacy Rule grants individuals rights to access, amend, and receive an accounting of disclosures of their health records. Organizations must respond to individual access requests within 30 days. The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured PHI. Incident response teams must assess breaches using a four-factor risk assessment to determine notification obligations. **CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act):** CAN-SPAM regulates commercial electronic messages and establishes privacy-related requirements for email marketing. Organizations must provide recipients with a clear opt-out mechanism and honor unsubscribe requests within 10 business days. Messages must include accurate header information, truthful subject lines, and a valid physical postal address. When individuals submit opt-out requests, privacy managers must ensure timely processing and maintain suppression lists.
Non-compliance can result in significant penalties enforced by the Federal Trade Commission (FTC). **FOIA (Freedom of Information Act):** FOIA provides the public with the right to request access to records held by federal government agencies. However, FOIA includes important privacy exemptions—particularly Exemption 6, which protects personal privacy in personnel, medical, and similar files, and Exemption 7(C), which shields personal information in law enforcement records. Privacy managers in government agencies must balance transparency obligations with individual privacy protections when processing FOIA requests, redacting personally identifiable information where disclosure would constitute an unwarranted invasion of personal privacy. Agencies must respond to requests within 20 business days.
HIPAA, CAN-SPAM, and FOIA Privacy Requirements: A Comprehensive Guide for CIPM Exam Preparation
Introduction
When organizations receive requests or face incidents involving personal data, they must navigate a complex web of regulatory requirements. Three critical U.S. laws that privacy professionals must understand are the Health Insurance Portability and Accountability Act (HIPAA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), and the Freedom of Information Act (FOIA). Each of these laws imposes specific obligations on organizations when it comes to responding to requests and incidents involving personal information. Understanding these requirements is essential for the Certified Information Privacy Manager (CIPM) exam and for real-world privacy management.
Why This Topic Is Important
Privacy professionals are frequently called upon to manage how organizations respond to data-related requests and incidents. Failure to comply with HIPAA, CAN-SPAM, or FOIA can result in:
• Significant financial penalties – HIPAA violations can cost millions of dollars; CAN-SPAM violations carry penalties of up to $51,744 per email.
• Legal liability – Organizations may face lawsuits, enforcement actions, and reputational damage.
• Loss of public trust – Mishandling personal data erodes confidence in an organization's ability to protect sensitive information.
• Regulatory scrutiny – Non-compliance invites increased oversight from agencies such as the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and other regulatory bodies.
For the CIPM exam, this topic falls under the domain of Responding to Requests and Incidents, which tests your ability to understand how various legal frameworks shape organizational responses to data access requests, opt-out requests, breach notifications, and public records disclosures.
HIPAA: Health Insurance Portability and Accountability Act
What It Is
HIPAA is a U.S. federal law enacted in 1996 that establishes national standards for the protection of Protected Health Information (PHI). It applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates (third parties that handle PHI on behalf of covered entities).
HIPAA consists of several key rules:
• Privacy Rule – Establishes standards for the use and disclosure of PHI and gives individuals rights over their health information.
• Security Rule – Sets standards for safeguarding electronic PHI (ePHI) through administrative, physical, and technical safeguards.
• Breach Notification Rule – Requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI.
• Enforcement Rule – Contains provisions relating to compliance, investigations, and penalties for violations.
How It Works in Responding to Requests and Incidents
Individual Rights Under HIPAA:
HIPAA grants individuals several important rights regarding their PHI:
• Right of Access – Individuals have the right to access and obtain a copy of their PHI held by covered entities. Organizations must respond within 30 days of receiving a request (with a possible 30-day extension).
• Right to Amend – Individuals can request corrections to their PHI if they believe it is inaccurate or incomplete.
• Right to an Accounting of Disclosures – Individuals can request a list of certain disclosures of their PHI made by the covered entity.
• Right to Request Restrictions – Individuals can ask that the covered entity restrict certain uses or disclosures of their PHI.
• Right to Request Confidential Communications – Individuals can request that communications about their PHI be sent through alternative means or to alternative locations.
• Right to Receive Notice of a Breach – Individuals must be notified if their unsecured PHI has been breached.
Breach Notification Requirements:
Under the Breach Notification Rule:
• Individual Notice – Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach. Notification must be in writing by first-class mail or email (if the individual has agreed).
• HHS Notification – If a breach affects 500 or more individuals, the covered entity must notify HHS contemporaneously with individual notification. For breaches affecting fewer than 500 individuals, the entity may report annually.
• Media Notification – If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area.
• Business Associate Obligations – Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery.
Key Concepts for CIPM:
• A breach under HIPAA is defined as an impermissible use or disclosure of PHI that compromises the security or privacy of the information.
• There is a presumption that an impermissible use or disclosure is a breach unless the covered entity can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment: (1) nature and extent of PHI involved, (2) unauthorized person who used or received the PHI, (3) whether PHI was actually acquired or viewed, and (4) extent of risk mitigation.
• There are three exceptions to the definition of a breach: unintentional acquisition by a workforce member acting in good faith, inadvertent disclosure between authorized persons, and good faith belief that the unauthorized recipient could not retain the information.
CAN-SPAM Act: Controlling the Assault of Non-Solicited Pornography and Marketing Act
What It Is
The CAN-SPAM Act, enacted in 2003, is a U.S. federal law that sets rules for commercial email messages and gives recipients the right to stop receiving them. It is enforced primarily by the Federal Trade Commission (FTC) and applies to all commercial messages, defined as any email whose primary purpose is the commercial advertisement or promotion of a commercial product or service.
Importantly, CAN-SPAM does not require senders to obtain consent before sending commercial emails (unlike laws like the EU's ePrivacy Directive). Instead, it operates on an opt-out model.
How It Works in Responding to Requests
Key Requirements for Commercial Email Senders:
• No false or misleading header information – The "From," "To," "Reply-To," and routing information must be accurate and identify the person or business that initiated the message.
• No deceptive subject lines – The subject line must accurately reflect the content of the message.
• Identification as an advertisement – The message must be clearly identified as an advertisement (there is flexibility in how this is done).
• Physical postal address – The message must include a valid physical postal address of the sender.
• Clear opt-out mechanism – Every commercial email must include a clear and conspicuous explanation of how the recipient can opt out of receiving future messages.
• Honor opt-out requests promptly – Opt-out requests must be honored within 10 business days. Once an individual opts out, the sender cannot sell or transfer the email address to another entity (except to a company hired to help comply with CAN-SPAM).
• Monitor third parties – Even if a company hires another entity to handle email marketing, the originating company remains legally responsible for compliance.
Responding to Opt-Out Requests:
The opt-out mechanism is the central "request response" element of CAN-SPAM:
• The opt-out mechanism must be operational for at least 30 days after the email is sent.
• Organizations must process opt-out requests within 10 business days.
• Organizations cannot charge a fee, require personal information beyond an email address, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out.
• The opt-out applies only to the specific sender; there is no universal opt-out under CAN-SPAM.
Key Concepts for CIPM:
• CAN-SPAM preempts state anti-spam laws but does not preempt state laws that are not specific to email (e.g., general fraud or deception statutes).
• Transactional or relationship messages (e.g., order confirmations, warranty information, account updates) are largely exempt from most CAN-SPAM requirements but must not contain false or misleading routing information.
• Violations can result in penalties of up to $51,744 per email in violation.
• Criminal penalties apply to those who use false identities, hijacked computers, or harvested email addresses.
FOIA: Freedom of Information Act
What It Is
The Freedom of Information Act (FOIA), enacted in 1966, provides the public with the right to request access to records held by federal government agencies. It is based on the principle of government transparency and accountability. FOIA applies to records held by agencies in the executive branch of the U.S. federal government. It does not apply to Congress, the courts, or state/local governments (though many states have their own open records laws).
From a privacy perspective, FOIA is significant because government records often contain personal information. The tension between transparency and privacy is managed through FOIA's nine exemptions, several of which directly relate to privacy.
How It Works in Responding to Requests
The FOIA Request Process:
• Any person (including non-U.S. citizens) can submit a FOIA request to a federal agency.
• Agencies must respond within 20 business days (though extensions are possible in unusual circumstances).
• Agencies must make reasonable efforts to search for responsive records.
• If records are found, the agency must release them unless one or more of the nine exemptions applies.
• Requesters can appeal a denial and ultimately seek judicial review in federal court.
FOIA Exemptions Relevant to Privacy:
• Exemption 6 – Protects information about individuals in personnel, medical, and similar files when disclosure would constitute a clearly unwarranted invasion of personal privacy. This requires a balancing test between the public interest in disclosure and the individual's privacy interest.
• Exemption 7(C) – Protects personal information in law enforcement records when disclosure could reasonably be expected to constitute an unwarranted invasion of personal privacy. Note that this is a lower threshold than Exemption 6 – disclosure need only be something that "could reasonably be expected" to invade privacy, rather than something that "would" constitute a clearly unwarranted invasion.
• Exemption 3 – Protects information specifically exempted from disclosure by another statute (e.g., tax return information under the Internal Revenue Code, census data).
• Exemption 4 – Protects trade secrets and confidential commercial or financial information, which may sometimes overlap with privacy interests of businesses.
The Privacy Act of 1974 and FOIA Interaction:
The Privacy Act of 1974 works in conjunction with FOIA. It governs how federal agencies collect, maintain, use, and disseminate personal information about individuals. Key interactions include:
• The Privacy Act restricts agencies from disclosing records about individuals without their consent, subject to certain exceptions – one of which is a required disclosure under FOIA.
• When a FOIA request seeks records about the requester themselves, the agency applies both FOIA and the Privacy Act, releasing information under whichever law provides greater access.
• When a FOIA request seeks records about a third party, FOIA exemptions 6 and 7(C) are applied to protect that third party's privacy.
Key Concepts for CIPM:
• FOIA creates a presumption of openness – agencies should disclose records unless an exemption applies, and they should apply exemptions narrowly.
• The foreseeable harm standard (strengthened by the FOIA Improvement Act of 2016) requires agencies to withhold information only if disclosure would cause foreseeable harm to an interest protected by an exemption or is prohibited by law.
• Agencies must proactively disclose certain categories of records online without waiting for a request (e.g., frequently requested records, policy statements, final opinions).
• Privacy professionals in government agencies play a crucial role in reviewing FOIA requests and determining when privacy exemptions should be applied.
Comparing HIPAA, CAN-SPAM, and FOIA Privacy Requirements
Understanding the differences and similarities among these three laws is critical for the CIPM exam:
Scope and Applicability:
• HIPAA – Applies to covered entities and business associates handling PHI in the healthcare sector.
• CAN-SPAM – Applies to any person or entity sending commercial email messages.
• FOIA – Applies to federal government agencies holding records.
Type of Request/Response:
• HIPAA – Individual access requests for PHI; breach notifications to individuals, HHS, and media.
• CAN-SPAM – Opt-out requests from recipients of commercial emails.
• FOIA – Public access requests for government records, balanced against privacy exemptions.
Response Timeframes:
• HIPAA – 30 days for access requests (with 30-day extension); 60 days for breach notifications.
• CAN-SPAM – 10 business days for opt-out requests.
• FOIA – 20 business days for records requests.
Privacy Protection Mechanism:
• HIPAA – Restricts use and disclosure of PHI; minimum necessary standard.
• CAN-SPAM – Opt-out mechanism for commercial emails; restrictions on email address sharing.
• FOIA – Exemptions 6 and 7(C) protect personal privacy in government records.
Exam Tips: Answering Questions on HIPAA, CAN-SPAM, and FOIA Privacy Requirements
1. Know the Key Timeframes
Exam questions frequently test your knowledge of deadlines. Create a mental reference table:
• HIPAA access request: 30 days (+ 30-day extension)
• HIPAA breach notification: 60 days (without unreasonable delay)
• CAN-SPAM opt-out: 10 business days
• FOIA response: 20 business days
2. Understand the Opt-Out vs. Opt-In Distinction
CAN-SPAM operates on an opt-out model, meaning commercial emails can be sent without prior consent. This distinguishes it from many other privacy frameworks (such as the EU's ePrivacy rules). If an exam question contrasts U.S. and international approaches to email marketing, this is a critical distinction.
3. Master the HIPAA Breach Risk Assessment
Questions may present a scenario and ask whether a breach has occurred. Remember the four-factor risk assessment and the three exceptions to the breach definition. If the scenario involves an unintentional disclosure between authorized individuals within the same organization, it likely falls under an exception.
4. Distinguish Between FOIA Exemption 6 and Exemption 7(C)
Both protect privacy, but they have different standards:
• Exemption 6: "clearly unwarranted invasion" – higher bar for withholding
• Exemption 7(C): "could reasonably be expected" – lower bar for withholding (more protective of privacy in law enforcement contexts)
If a question involves law enforcement records, Exemption 7(C) is likely the correct answer.
5. Remember Who Enforces What
• HIPAA: HHS Office for Civil Rights (OCR)
• CAN-SPAM: Federal Trade Commission (FTC) (plus state attorneys general and ISPs)
• FOIA: Individual agencies (with oversight from the Office of Government Information Services – OGIS)
6. Focus on the Privacy Professional's Role
The CIPM exam emphasizes the management perspective. Think about how a privacy professional would:
• Design and implement policies and procedures for responding to HIPAA access requests
• Establish and test a breach notification process under HIPAA
• Ensure marketing teams comply with CAN-SPAM opt-out requirements
• Train staff on CAN-SPAM's identification and disclosure requirements
• Advise government agencies on applying FOIA privacy exemptions
• Balance transparency with privacy protection in FOIA responses
7. Watch for Trick Answer Choices
Common traps include:
• Confusing HIPAA's 30-day access request deadline with its 60-day breach notification deadline
• Assuming CAN-SPAM requires opt-in consent (it does not)
• Applying FOIA to non-federal entities (FOIA only applies to federal executive branch agencies)
• Confusing HIPAA's Privacy Rule with the Privacy Act of 1974 (the Privacy Act applies to federal agencies, not healthcare entities)
• Stating that HIPAA requires consent for all disclosures (HIPAA permits many disclosures without individual authorization, such as for treatment, payment, and healthcare operations)
8. Use Process of Elimination
When unsure about an answer:
• Eliminate options that reference the wrong law or wrong entity
• Eliminate options with incorrect timeframes
• Look for the answer that best reflects a risk-based, balanced approach to privacy protection
• Consider which answer a reasonable privacy manager would select in practice
9. Understand Cross-Law Interactions
Some exam questions may test how these laws interact with each other or with other frameworks:
• FOIA and the Privacy Act of 1974 work together when individuals request their own records from federal agencies
• HIPAA may interact with state breach notification laws (HIPAA preempts less stringent state laws but does not preempt more stringent ones)
• CAN-SPAM preempts state anti-spam laws but not state laws addressing fraud or deception generally
10. Practice Scenario-Based Thinking
The CIPM exam often presents practical scenarios. Practice by asking yourself:
• A patient requests their medical records – what law applies, what is the deadline, and what are the potential grounds for denial?
• A company receives 50 opt-out requests after a marketing campaign – what must they do and by when?
• A journalist files a FOIA request for records containing personal information about private citizens – how should the agency respond?
• A laptop containing unencrypted PHI is stolen from a hospital – what notifications are required, to whom, and by when?
Conclusion
HIPAA, CAN-SPAM, and FOIA each represent distinct aspects of privacy law in the United States, but they share a common thread: they all impose specific obligations on organizations when responding to requests and incidents involving personal information. For the CIPM exam, mastering the key requirements, timeframes, and enforcement mechanisms of each law is essential. Focus on understanding when each law applies, what specific actions are required, how quickly organizations must respond, and what the consequences of non-compliance are. By combining a solid understanding of the legal framework with practical scenario-based reasoning, you will be well-prepared to answer exam questions on these critical privacy requirements.