Privacy, security, and compliance

Experian Health's commitment to you

Experian Health is highly sensitive to the many privacy issues surrounding consumer information. Among other things, Experian Health does the following:

  • All data is transmitted via encrypted web servers
  • All users are required to have a business need (permissible purpose) to access the services
  • All clients are screened to ensure appropriate use practices and are granted access only to the appropriate level of information

Experian Health has established procedures to comply with the following regulations:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)

Experian Health is committed to providing secure and reliable services to clients and is diligent about compliance with the HIPAA Privacy and Security regulations. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a broad federal law enacted by Congress, in part to help protect patient privacy. The part of the law that deals with privacy is intended to do the following:

  • Set limits on the use and disclosure of health information
  • Establish safeguards that hospitals, physicians, health plans and clearinghouses (“covered entities”) and their business associates must have in place to protect the privacy of health information
  • Hold violators accountable, with civil and criminal penalties for violating a patient’s privacy rights

As a trusted business associate with a variety of covered entities, Experian Health has implemented many safeguards, including a corporate HIPAA Security Program to effectively communicate and administer the HIPAA Privacy and Security regulations internally to associates and with business processes throughout the organization.

The HIPAA Privacy and Security Program is designed to:

  • Adapt and implement HIPAA Privacy and Security regulations to all areas of the organization
  • Protect the confidentiality, integrity and availability of electronic PHI
  • Use administrative, physical and technical safeguards to address reasonably anticipated threats and hazards to PHI
  • Educate and train all employees on the program and guidelines around Protected Health Information (PHI)

With the Final Omnibus Rule that was finalized in September of 2014, Experian Health implemented the requirements of this ruling in the form of risk assessments, updated breach notification policies and processes, Business Associate responsibilities and requirements, and regular HIPAA training. If you have any questions related to these changes or how Experian Health can assist you in this regard, please contact Marcia Topiwala, Associate General Counsel and Privacy Officer, at

To learn more about this regulation, please visit:

Concerns about an increasing misuse of existing consumer information prompted Congress to enact the Gramm-Leach-Bliley Act (GLBA) in 2001. The GLBA governs the disclosure of consumer information by financial institutions by:

  • Deterring unsolicited marketing activities;
  • Protecting consumer information from identity theft;
  • Requiring institutions to notify consumers of their information-sharing practices; and
  • Prohibiting the sharing of consumer information without a consumer’s knowledge or consent.

Under the GLBA, Experian Health is considered a financial institution. As such, Experian Health has a responsibility to maintain the privacy and security of the consumer information in its care. For more information on GLBA, please visit:

The Fair Credit Reporting Act (FCRA) regulates businesses that provide and use consumer reports. Anyone who uses information in a consumer report is a “user” of consumer reports. Experian Health has products that use this data, and it should be understood that this regulation applies to these tools.

For more information on this regulation, please visit:

Notice To Users of Consumer Reports: Obligations of users under the FCRA
What is ICD-10?

The Department of Health and Human Services (HHS) announced in 2008 a proposed regulation that would replace the ICD-9 diagnosis code sets with the greatly expanded ICD-10-CM (diagnosis) and ICD-10-PCS (hospital procedure) code sets.

What to Expect

Experian Health implemented the acceptance of ICD-10 within applications that contain diagnosis coding in mid-2011. Although ICD-10 conversion coding is based upon the client's hospital information system (HIS) or practice management system (PMS), plans related to assisting clients with the ICD-10 transition will be ongoing. Clients should make Experian Health aware of any changes to HIS or PMS systems related to ICD-10 data elements, as we will want to coordinate with your vendor's changes to ensure that connections or transfers of data are not interrupted.

Client communication related to this effort is available, and we want to ensure that you have everything you need to be successful when these changes arise. Please contact support or the Privacy and Compliance Officer (as listed below) if you have any questions about these changes.

To learn more about this regulation, please visit CMS at

Download our ICD-10 FAQ for answers to common questions