Awareness article

Gramm-Leach-Bliley Act vs HIPAA: When Both Apply to Your Practice

Clinics that offer in-house payment plans or financing may be subject to the Gramm-Leach-Bliley Act Safeguards Rule in addition to HIPAA. This article explains which clinics are covered, what GLBA requires, and how to build a compliance program that satisfies both laws.

Short answer

The Gramm-Leach-Bliley Act Safeguards Rule applies to 'financial institutions' — which can include medical clinics that extend credit through in-house payment plans. Clinics subject to both GLBA and HIPAA face overlapping but not identical requirements. This article explains the GLBA financial institution definition, what the Safeguards Rule requires, and how to approach dual compliance.

Most small medical clinics know they are subject to HIPAA. Fewer know that certain billing practices can also bring the clinic under the Gramm-Leach-Bliley Act Safeguards Rule — a separate federal law with its own security program requirements, enforced by a different regulator.

The Gramm-Leach-Bliley Act (GLBA) and the HIPAA Security Rule have significant overlap. Both require written security programs, risk assessments, and third-party oversight. But they are not the same law, they cover different information, and compliance with one does not automatically satisfy the other. Clinics that may be subject to both need to understand the distinction.

What the Gramm-Leach-Bliley Act is

Congress enacted GLBA in 1999 primarily to regulate the financial services industry after the repeal of the Glass-Steagall Act. Title V of GLBA addresses financial privacy. The FTC implemented GLBA’s security requirements for non-bank financial institutions through the Safeguards Rule, codified at 16 CFR Part 314. The FTC updated the Safeguards Rule significantly in 2021, with the amended rule taking effect in phases through 2023.

The Safeguards Rule applies to financial institutions — not just banks and investment firms. The FTC’s implementing regulation defines “financial institution” to include any company that is significantly engaged in financial activities. That definition has been interpreted to include companies that extend credit.

When a clinic becomes a financial institution under GLBA

The FTC’s definition of “financial institution” reaches entities that are “significantly engaged in financial activities as described in section 4(k) of the Bank Holding Company Act.” Extending credit to consumers is listed as a financial activity under that framework.

A medical clinic that allows patients to pay balances over time through an in-house payment plan is extending credit. The patient owes a debt to the clinic, and the clinic is allowing payment over time rather than requiring immediate payment in full. The FTC has taken the position that this brings such clinics within the definition of “financial institution” under GLBA.

The threshold is the clinic’s own conduct. Clinics that bill for services and require payment in full are less likely to qualify. Clinics that maintain payment plan accounts — tracking outstanding balances, scheduling payment installments, charging interest or fees — are more likely to meet the definition.

Clinics that refer all financing to a third-party financing company (CareCredit, Synchrony Health, and similar products) and do not maintain their own payment plan accounts have a stronger argument that GLBA does not apply to their information systems — though the analysis depends on the specifics of the arrangement.

If you are uncertain whether your clinic is a financial institution under GLBA, consult counsel. The FTC’s guidance documents on the Safeguards Rule include examples of covered entities.

What the GLBA Safeguards Rule requires

16 CFR Part 314 requires covered financial institutions to develop, implement, and maintain a comprehensive written information security program. The program must contain specific administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of activities of the institution and the sensitivity of the customer information at issue.

The revised Safeguards Rule (effective 2023 for most requirements) specifies the following required program elements:

Designated qualified individual

The financial institution must designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. This is parallel to HIPAA’s security official requirement under 45 CFR §164.308(a)(2). In a small clinic, the same person can hold both roles.

Written risk assessment

The institution must conduct a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The risk assessment must evaluate the likelihood and potential damage of threats. This requirement is substantially similar to the risk analysis required under HIPAA’s Security Rule at 45 CFR §164.308(a)(1).

The risk assessment must be in writing and must be reviewed at least annually and whenever a material change occurs.

Safeguards implementation

Based on the risk assessment, the institution must implement safeguards to control the identified risks. The Safeguards Rule specifies several categories of required safeguards:

  • Access controls: Limit access to customer information to authorized users only
  • Data inventory and classification: Know what customer information you hold, where it is stored, and how it flows through your systems
  • Encryption: Encrypt customer information in transit and at rest
  • Secure development: Follow secure software development practices (for institutions that develop their own applications)
  • Authentication: Require multi-factor authentication for any individual accessing customer information
  • Disposal: Securely dispose of customer information that is no longer needed
  • Change management: Maintain procedures for implementing changes to information systems
  • Monitoring and testing: Regularly monitor and test safeguards, including penetration testing and vulnerability scanning at specified intervals

The amended Safeguards Rule, in effect since 2023, added several specific technical requirements — particularly around multi-factor authentication and encryption — that are more prescriptive than HIPAA’s Security Rule.

Third-party service provider oversight

The institution must oversee service providers by selecting those with appropriate safeguards, requiring service providers to maintain appropriate safeguards (through contract), and periodically reviewing their safeguards. This is substantially similar to the business associate management requirement under HIPAA — though GLBA does not use BAA terminology and has somewhat different contractual requirements.

Incident response plan

The institution must establish a written incident response plan addressing how to respond to security events. The plan must cover response goals, internal processes, clear roles and responsibilities, communications with customers, regulators, and law enforcement, and a process for documentation and recovery.

The FTC Safeguards Rule also requires reporting of security events involving the data of 500 or more customers to the FTC within 30 days of discovery — a shorter timeline than HIPAA’s 60-day breach notification requirement.

Annual report to the board

Financial institutions with boards of directors must have the qualified individual report in writing to the board at least annually on the status of the information security program, material matters related to the program, and the institution’s compliance with the Safeguards Rule.

How GLBA and HIPAA overlap and differ

Both laws require a written information security program, a risk assessment, access controls, encryption, vendor oversight, and incident response planning. A clinic that builds a robust HIPAA security program will have addressed most of what GLBA also requires.

But the laws are not identical. Key differences:

Information covered. HIPAA’s Security Rule covers electronic protected health information (ePHI), that is, health information held in electronic form. GLBA’s Safeguards Rule covers “customer information,” meaning the personal financial information of customers. For a clinic, the GLBA scope covers payment account data, payment plan information, and other financial information, while HIPAA covers clinical and health information. Some information (a patient’s name linked to their payment plan balance) may be covered by both.

Multi-factor authentication. The revised Safeguards Rule requires multi-factor authentication for accessing customer information systems. HIPAA requires access controls and authentication but does not mandate multi-factor authentication specifically for all systems.

Encryption specificity. The Safeguards Rule requires encryption of customer information both in transit and at rest. HIPAA lists encryption as an addressable specification — covered entities must implement it or document why it is not reasonable and appropriate. For practical purposes, HHS has signaled that encryption for ePHI in transit and at rest is expected, but the addressable classification creates some regulatory flexibility that GLBA does not.

FTC breach notification. The FTC’s 30-day notification requirement for incidents affecting 500 or more customers is shorter than HIPAA’s 60-day window. A clinic subject to both must follow the shorter timeline.

Regulator. HIPAA enforcement is by HHS OCR (and CMS for the Security Rule). GLBA Safeguards Rule enforcement is by the FTC. They are separate agencies with separate enforcement processes.

Building a dual-compliant program

For clinics subject to both GLBA and HIPAA, the most efficient approach is a unified information security program that explicitly addresses the requirements of both laws.

The program should:

  • Use a single risk assessment that covers both ePHI risks (HIPAA) and customer financial information risks (GLBA)
  • Designate one qualified individual responsible for both programs (or clearly define the relationship between the two roles)
  • Apply the stricter requirement wherever the two laws differ — implement multi-factor authentication because GLBA requires it; encrypt data in transit and at rest because both laws effectively require it; follow the 30-day notification window because the FTC requires it
  • Maintain documentation that maps policies and safeguards to both regulatory frameworks

The administrative overhead is not doubled by dual compliance. The substantive work — risk assessment, access controls, encryption, vendor management, incident response — is largely the same under both regimes. The additional burden is mapping that work to both frameworks and ensuring the documentation is complete for both.

The threshold question

The most consequential step for any small clinic is determining whether GLBA applies at all. If the clinic does not extend credit through in-house payment plans and does not maintain financial accounts for patients, the Safeguards Rule likely does not apply, and the clinic can focus entirely on HIPAA compliance.

If the clinic does offer payment plans — even informal monthly payment arrangements documented in a patient’s account — a GLBA review is warranted before concluding the rule does not apply.

The consequences of incorrect assumptions run in both directions. A clinic that unnecessarily treats itself as a GLBA-covered financial institution wastes compliance resources. A clinic that incorrectly concludes GLBA does not apply when it should faces FTC enforcement risk — a separate enforcement channel with its own penalties.

Get the threshold question right, then build a program that covers everything that applies.

FAQ

Questions related to this topic

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is a federal law that regulates how financial institutions handle the private financial information of individuals. The FTC's Safeguards Rule (16 CFR Part 314) implements GLBA's data security requirements for non-bank financial institutions.

Is a medical clinic a financial institution under GLBA?

It depends on the clinic's billing practices. A clinic that offers in-house payment plans (allowing patients to pay a balance over time) is likely extending credit and may be a financial institution under GLBA. A clinic that sends bills but requires payment in full without a payment plan structure is less likely to qualify.

What is 'nonpublic personal information' under GLBA?

Under GLBA, nonpublic personal information (NPI) includes financial information about individuals — account numbers, payment histories, and personal information used in financial transactions. For clinics, this includes patient payment account information, outstanding balances under payment plans, and any financial information collected in connection with credit extension.

Does the GLBA Safeguards Rule apply if we use a third-party financing company?

If the third-party company handles all financing and you do not collect, maintain, or process patient financial information in connection with financing, the GLBA Safeguards Rule may not apply to your clinic's information systems. The analysis depends on the nature of your involvement in the financing arrangement.
