What Does Your IT Team Need to Know About HIPAA Compliance?
Nov 30th, 2015 by aperio

(Part 4 in our series on IT Compliance Concerns.)

In Part 3 of our series, we discussed how the HIPAA Act was created to make it easier for people to keep health insurance, to maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. In this post, we will focus on some of the concerns your IT team faces with regard to HIPAA compliance.

What are some of the Information Technology concerns for HIPAA compliance?
The main issue faced by IT with regard to HIPAA is keeping Protected Health Information (PHI) secure. The HIPAA Security Rule covers what is expected of companies with regard to maintaining the security of PHI in electronic form, but does not state the way that entities must go about providing this protection. Instead, it states the factors that should be considered for security measures. These factors include an entity’s size and capabilities, its information technology infrastructure, costs of security measures, and the chance and magnitude of anticipated risks to the security of PHI.

The Security Rule does specifically require that security measures include: measures to maintain the confidentiality, integrity, and availability of all electronic PHI an entity creates, handles, or transmits; measures to identify and protect against threats to the security or integrity of PHI that can be reasonably anticipated; measures to protect against uses or disclosures of electronic PHI that are prohibited by HIPAA; and efforts to ensure that employees comply with HIPAA requirements.

Some of the areas affected by these security needs include:
●    Data encryption.
●    Email encryption.
●    Multi-factor authentication (a system of security that requires multiple methods of authentication from different categories of credentials in order to identify a user for login purposes or for other transactions).
●    Compliance training.
●    Social engineering awareness. (You can read about social engineering in our blog post, “Technology Alone Is Not Enough for Security”.)

Another point to consider is that any company that allows the use of mobile devices for business (particularly hospices, which do much of their work in patients’ homes) will need to be aware of, and have solutions for, mobile devices’ known security issues. As an example, consider the $50,000 penalty paid by the non-profit Hospice of North Idaho. In this case, an unencrypted company laptop was stolen, which contained electronic PHI for 441 patients. The investigation found that the company had not conducted adequate risk analysis.

Additional Concerns for HIPAA Regulations for the Use of PHI
Additionally under HIPAA, certain uses of PHI may be curtailed or prohibited. For instance, HIPAA prohibits the use or disclosure of PHI for marketing to individuals without obtaining an authorization, with only some exceptions. HIPAA also prohibits the receipt of direct or indirect remuneration in exchange for PHI. It also has rules for when PHI can and cannot be used for further research.

Coming soon: Part 5 in our series on IT Compliance Concerns, “Your Company and PCI DSS Compliance.”

Additional HIPAA resources:
●    National Hospice and Palliative Care Organization’s Compliance Tip Sheet.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
●    Part 3: Making Sure Your Business is HIPAA Compliant

What Does HIPAA Mean?
Nov 25th, 2015 by aperio

(Part 3 in our series on IT Compliance Concerns.)

What is the Health Insurance Portability and Accountability (HIPAA) Act?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what the Health Insurance Portability and Accountability Act is, and what it means to your company.

Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)

What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.

Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearinghouses.
●    Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
●    Health plans can include HMOs and employee-sponsored health plans.
●    Health care clearinghouses include entities that transmit claims or billing information.

Companies that provide services for covered entities and handle Protected Health Information (also known as Personal Health Information or PHI) can be considered business associates under HIPAA. While it is not always easy to determine if a company is considered a business associate, typical examples can include accounting firms, law firms, consultants, software vendors, ISPs, and cloud storage companies. If such a company works with covered entities, their contracts with those covered entities may require them to be compliant with HIPAA.

What are the penalties for failing to comply with HIPAA?
Penalties for covered entities include monetary fines of $1,000 per violation up to an annual maximum of $25,000. These fines are not the only concern; for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. And while business associates cannot be prosecuted under HIPAA, they may still face certain penalties. A violation of a business agreement with a covered entity might lead to termination of contracts, and could lead to the risk of civil lawsuits filed by harmed individuals.

How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which concerns the use and disclosure of PHI. Types of information covered by this rule include name, address, date of birth, Social Security number, and any other information that can be used to identify a patient. It also includes information about: a patient’s past, present, or future health condition; the provision of health care to the patient; and the past, present, or future payment for the provision of health care to a patient.

All of these requirements naturally mean challenges for your IT department. We will discuss these in the next part of our series on IT compliance concerns.

Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?”

To learn more about HIPAA and related issues:

●    How companies are (and are not) allowed to use PHI (Protected Health Information).
●    Additional details concerning business associates and subcontractors.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team

What Does Your IT Team Need to Know About SOX Compliance?
Nov 23rd, 2015 by aperio

(Part 2 in our series on IT Compliance Concerns.)

In Part 1 of our series, we discussed how the Sarbanes-Oxley (Sarbox or SOX) Act was created in response to financial and accounting fraud including the Enron, Worldcom, and Tyco scandals; who SOX compliance affects; and the possible benefits to non-public companies working toward becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises for Information Technology managers and their departments.

What are the primary Information Technology concerns for SOX compliance?

Sarbanes-Oxley compliance focuses on the retention of audit trails, generally in the form of log files and electronic records that contain, relate to, or comment on financial data. (These records often relate to the generation of financial statements that will be submitted to shareholders and the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or falsified, and must be retained and auditable for five years. Sarbanes-Oxley regulations define which records to store and how long to store them.

This means that almost every aspect of IT operations will be affected. Messaging, storage, virtualization, networking, and more can all be involved as long as they relate to any financial data or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and more lead to new compliance concerns. If communication pertains to finance and accounting, IT professionals must track and archive it in order to be prepared for compliance audits.

This is a sharp contrast to the past, when an IT department’s major focus was usually on being able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-Oxley Act, IT’s focus must also include data retention and accessibility in the event of an investigation.
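The requirement above is that audit trails must not be altered, destroyed, or falsified, and must stay auditable for the five-year period. The following is an added example, not code from the original post or from aperio, of one way an IT team can make that property checkable: each log entry is chained to the SHA-256 hash of the entry before it, so an edited, deleted, or back-filled record breaks the chain at a detectable position, and a helper reports which records have passed the five-year retention window. The journal entries, user names, account numbers, and dates are constructed sample data, and the five-year period is approximated by calendar year arithmetic.

```python
"""Tamper-evident audit trail with a retention check.

Added example for this post; it is not code from the original article or
from aperio. Each entry commits to the hash of the previous entry, so any
altered, deleted or inserted record is detected by verify_chain(). The
journal entries, user names and dates below are constructed sample data.
"""
import copy
import hashlib
import json
from datetime import date

GENESIS = "0" * 64          # hash "before" the first entry
RETENTION_YEARS = 5         # retention period named in the post

# Constructed sample records: postings to general-ledger accounts.
SAMPLE_RECORDS = [
    {"id": "JE-1001", "date": "2010-03-31", "user": "controller",
     "action": "post", "account": "4000", "amount": "125000.00"},
    {"id": "JE-1002", "date": "2011-06-30", "user": "ap-clerk",
     "action": "post", "account": "2000", "amount": "8450.25"},
    {"id": "JE-1003", "date": "2015-09-30", "user": "controller",
     "action": "reverse", "account": "2000", "amount": "-8450.25"},
]


def _entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(chain: list, record: dict) -> list:
    """Append-only write: the new entry commits to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_hash,
                  "hash": _entry_hash(prev_hash, record)})
    return chain


def verify_chain(chain: list) -> tuple:
    """Recompute every link; returns (ok, index of first bad entry or -1)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return (False, i)
        prev_hash = entry["hash"]
    return (True, -1)


def retention_end(recorded_on: date) -> date:
    """Date on which a record completes its retention period."""
    try:
        return recorded_on.replace(year=recorded_on.year + RETENTION_YEARS)
    except ValueError:  # 29 February in a non-leap year
        return recorded_on.replace(year=recorded_on.year + RETENTION_YEARS, month=3, day=1)


def eligible_for_disposal(chain: list, today_iso: str) -> list:
    """IDs of records whose retention period has ended; every other record must be kept."""
    today = date.fromisoformat(today_iso)
    return [e["record"]["id"] for e in chain
            if retention_end(date.fromisoformat(e["record"]["date"])) <= today]


def build_sample_chain() -> list:
    """Write the constructed sample records into a fresh chain."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    return chain


def with_field_changed(chain: list, index: int, field: str, value) -> list:
    """Copy of the chain with one stored record silently edited (simulated alteration)."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


def with_entry_removed(chain: list, index: int) -> list:
    """Copy of the chain with one entry deleted (simulated destruction)."""
    truncated = copy.deepcopy(chain)
    del truncated[index]
    return truncated


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    print("amount edited:", verify_chain(with_field_changed(chain, 1, "amount", "1.00")))
    print("middle entry deleted:", verify_chain(with_entry_removed(chain, 1)))
    print("past retention on 2015-11-23:", eligible_for_disposal(chain, "2015-11-23"))
```

One caveat the check itself shows: removing the newest entry leaves a chain that still verifies, because nothing after it commits to its hash. Deployments that rely on this scheme therefore record the latest hash somewhere the log writer cannot change (a write-once store or a separately controlled system) and compare against it during the audit.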

What kinds of information does IT need to store with regard to SOX compliance, and how?

In general, IT needs to store the spreadsheets, documents, and emails used to arrive at final financial conclusions. Electronic media, which can include CD-ROMs and cartridge tapes, are the preferred storage methods. Just some of the additional data IT needs to store according to SOX data retention regulations includes:

● Three years: Employment applications, general correspondence, credit card receipts, and employment records.

● Five years: Customer invoices, vendor invoices, purchase orders, sales records, state unemployment tax records, accident records and workers’ unemployment records, and salary records.

● Seven years: Accounts payable ledger, accounts receivable ledger, time cards, product inventory, payroll and payroll tax records, tax returns, sales tax information and returns, business expense records, bank statements, earning records. Public companies and registered public accounting firms must also maintain audit work papers for seven years, and employee promotion, demotion, or discharge records must be retained for seven years after employment is terminated.

● Permanent retention: Bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals, union agreements, Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements, and insurance policies.

Do non-public companies also need to be concerned with SOX compliance?

While the Sarbanes-Oxley Act applies primarily to publicly listed companies, Section 802 of the act states that private companies can be faced with fines, and their executives with up to twenty years of imprisonment, for the knowing destruction, alteration, or falsification of records with the intent to impede or influence a federal investigation.

Further, if you do business with a public company, you may have found that some of these companies require their vendors to become SOX compliant.

Finally, there are advantages for private companies in becoming SOX compliant. Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program. And working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA Compliance.”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Making Sure Your Business is SOX Compliant
Nov 18th, 2015 by aperio

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes-Oxley (SOX) Act?

The Sarbanes-Oxley Act of 2002 is a federal law that set both new and expanded requirements for public company boards, management, and public accounting firms in the U.S. It is more commonly known as Sarbox, or SOX. This act also contains some provisions for private companies, such as those concerning the willful destruction of evidence to impede a Federal investigation.

The Sarbanes-Oxley Act was a reaction to corporate and accounting scandals including Enron, Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to establish effective oversight mechanisms for financial reporting; conflicts of interest among securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an organization rather than on the IT department. This means that although the IT department may prepare SOX audit statements, it will be the C-level executives of a company that face fines and possible imprisonment if penalties are assessed. SOX audit statements must be certified by the CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes-Oxley Act describes penalties for infractions:

“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

For example, in one of the first fines levied under the Sarbanes-Oxley Act, CEO Calixto Chaves of Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the accuracy of the company’s annual financial statement while knowing that these statements did not include the required independent audit report.

Are there advantages to becoming SOX compliant for non-public companies?

According to TechTarget’s e-handbook, The SOX Effect, “Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not particularly concerned with ensuring the security of data or systems. Rather, it focuses on best practices for keeping track of who has access to financial data, where that data came from, and whether that data gets changed. For instance, organizations that follow SOX best practices will perform more regular reviews of user accounts and privileges related to finance systems and data. While this certainly can require additional IT resources, it can pay off in fewer costly security incidents. Working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About SOX Compliance?”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Hiring Small Business IT Support for Any Type of Industry
Nov 13th, 2015 by aperio

Almost every company uses some type of computer system. It may be something that helps them keep track of orders or financial information, or something that allows them to do business online. Whatever they are doing, they are going to need small business IT support to keep everything operating smoothly.

Many different types of software run on each computer system. The number of computers, and much more, must be considered when using these programs. Technology is going to be very useful for a lot of companies.

As a company grows, it may add new computers to its network. It may also keep adding new products and services, and its customer base will continue to grow.

There are many things to consider when hiring an IT support company, though. The company needs to be trustworthy, and it has to be available when it is needed.

This matters because if the computer system goes down, the business needs someone who can get it up and running very quickly. Not every problem of this kind is quick to recover from, though; there may be several things to upload and check before everything goes back online.

Every company handles these situations differently. Whatever else they consider, they want someone who is available at all times if a problem does occur. Many companies also wait until there is less traffic to their website before working on their equipment.

That approach is beneficial when they have to take orders. Every IT professional handles these things differently, though. Sometimes the proper fix can wait until the next upgrade; other times the fix has to be done immediately to get the system up and running.

Keeping computer systems running smoothly is very important, which is why companies hire an IT technician who is available at any time of the day or night. The company they hire will have to be up to date on all of the systems and software in use.

Everybody has many options for everything relating to computers. Businesses also have to make sure they have enough storage space; cloud software allows them to store files remotely so that they have much more free disk space.

Since technology is always changing, businesses have to make sure their software will be compatible with mobile devices and the other types of devices used in the business world. This allows customers to access online stores from many different types of devices.

The operating systems in use also need to be carefully considered. Companies have many options for every customer and employee, and sometimes employees need to access the software to get their records as well.

A small business IT support staff offers many different things to its clients. Some are available around the clock, while others have set hours for this type of work. Many factors play into whether they are available at certain times of the day.
