(Part 4 in our series on IT Compliance Concerns.)

In Part 3 of our series, we discussed how the HIPAA Act was created in an effort to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. In this post, we will focus some of the concerns faced by your IT team with regard to HIPAA compliance.

What are some of the Information Technology concerns for HIPAA compliance?
The main issue faced by IT with regard to HIPAA is keeping Protected Health Information (PHI) secure. The HIPAA Security Rule covers what is expected of companies with regard to maintaining the security of PHI in electronic form, but does not state the way that entities must go about providing this protection. Instead, it states the factors that should be considered for security measures. These factors include an entity’s size and capabilities, its information technology infrastructure, costs of security measures, and the chance and magnitude of anticipated risks to the security of PHI.

The Security Rule does specifically require that security measures include: measures to maintain the confidentiality, integrity, and availability of all electronic PHI an entity creates, handles, or transmits; measures to identify and protect against threats to the security or integrity of PHI that can be reasonably anticipated; measures to protect against uses or disclosures of electronic PHI that are prohibited by HIPAA; and efforts to ensure that employees comply with HIPAA requirements.

Some of the areas affected by these security needs include:
●    Data encryption.
●    Email encryption.
●    Multi-factor authentication (a system of security that requires multiple methods of authentication from different categories of credentials in order to identify a user for login purposes or for other transactions).
●    Compliance training.
●    Social engineering awareness. (You can read about social engineering in our blog post, “Technology Alone Is Not Enough for Security”.)

Another point to consider is that any company that allows the uses of mobile devices for business (particularly hospices, which do much of their work in patients’ homes), will need to be aware of and have solutions for mobile devices’ known security issues. As an example, consider the $50,000 penalty paid by the non-profit Hospice of North Idaho. In this case, an unencrypted company laptop was stolen, which contained electronic PHI for 441 patients. The investigation found that the company had not conducted adequate risk analysis.
Additional Concerns for HIPAA Regulations for the Use of PHI
Additionally under HIPAA, certain uses of PHI may be curtailed or prohibited. For instance, HIPAA prohibits the use or disclosure of PHI for marketing to individuals without obtaining an authorization, with only some exceptions. HIPAA also prohibits the receipt of direct or indirect remuneration in exchange for PHI. It also has rules for when PHI can and cannot be used for further research.

Coming soon: Part 5 in our series on IT Compliance Concerns, “Your Company and PCI DSS Compliance.”

Additional HIPAA resources:
●    National Hospice and Palliative Care Organization’s Compliance Tip Sheet.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
●    Part 3: Making Sure Your Business is HIPAA Compliant

(Part 3 in our series on IT Compliance Concerns.)

What company types are affected by HIPAA compliance?

What is the Health Insurance Portability and Accountability (HIPAA) Act?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what  the Health Insurance Portability and Accountability Act is, and what it means to your company.

Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)

What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.

Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearing houses.
●    Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
●    Health plans can include HMOs and employee-sponsored health plans.
●    Health care clearinghouses include entities that transmit claims or billing information.

Companies that provide services for covered entities and handle Protected Health Information (also known as Personal Health Information or PHI) can be considered business associates under HIPAA. While it is not always easy to determine if a company is considered a business associate, typical examples can include accounting firms, law firms, consultants, software vendors, ISPs, and cloud storage companies. If such a company works with covered entities, their contracts with those covered entities may require them to be compliant with HIPAA.

What are the penalties for failing to comply with HIPAA?
Penalties for covered entities include monetary fines of $1,000 per violation up to an annual maximum of $25,000. These fines are not the only concern; for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. And while business associates cannot be prosecuted under HIPAA, they may still face certain penalties. A violation of a business agreement with a covered entity might lead to termination of contracts, and could lead to the risk of civil lawsuits filed by harmed individuals.

How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which concerns the use and disclosure of PHI. Types of information covered by this rule include name, address, date of birth, Social Security number, any other information that can be used to identify a patient. It also includes information about: a patient’s past, present, or future health condition; the provision of health care to the patient; the past, present, or future payment for the provision of health care to a patient.

All of these requirements naturally mean challenges for your IT department. We will discuss these in the next part of our series on IT compliance concerns.)

Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?”

To learn more about HIPAA and related issues:

●    How companies are (and are not) allowed to use PHI (Protected Health Information).
●    Additional details concerning business associates and subcontractors.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team

(Part 2 in our series on IT Compliance Concerns.)

In Part 1 of our series, we discussed how the Sarbanes­Oxley (Sarbox or SOX) Act was created

in response to financial and accounting fraud including the Enron, Worldcom, and Tyco scandals;

who SOX compliance affects; and the possible benefits to non­public companies working toward

becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises

for Information Technology managers and their departments.

What are the primary Information Technology concerns for SOX compliance?

Sarbanes­Oxley compliance focuses on the retention of audit trails, generally in the form of logs

files and electronic records that contain, relate to, or comment on financial data. (These records

often relate to the generation of financial statements that will be submitted to shareholders and

the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or

falsified, and must be retained and auditable for five years. Sarbanes­Oxley regulations define

which records to store and how long to store them.

This means that almost every aspect of IT operations will be affected. Messaging, storage,

virtualization, networking, and more can all be involved as long as they relate to any financial data

or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and

more, lead to new compliance concerns. If communication pertains to finance and accounting, IT

professionals must track and archive it in order to be prepared for compliance audits.

This is a sharp contrast to the past, where an IT department’s major focus was usually on being

able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-
Oxley Act, IT’s focus must also include data retention and accessibility in the event of an

investigation.

What kinds of information does IT need to store with regard to SOX compliance, and how?

In general, spreadsheets, documents, and emails used to arrive at final financial conclusions.

Electronic media, which can include CD­ROMs and cartridge tapes, are the preferred storage

methods. Just some of the additional data IT needs to store according to SOX data retention

regulations includes:

● Three years ­ Employment applications, general correspondence, credit card receipts, and

employment records.

● Five years ­ Customer invoices, vendor invoices, purchase orders, sales records, state

unemployment tax records, accident records and workers’ unemployment records, and

salary records.

● Seven years ­ Accounts payable ledger, accounts receivable ledger, time cards, product

inventory, payroll and payroll tax records, tax returns, sales tax information and returns,

business expense records, bank statements, earning records. Public companies and

registered public accounting firms must also maintain audit work papers for seven years,

and employee promotion, demotion, or discharge records must be retained for seven

years after employment is terminated.

● Permanent retention ­ Bank statements, contracts and leases, employee payroll records,

legal correspondence, training manuals, union agreements, Articles of Incorporation,

executive/board policies and resolutions, bylaws, chapter charter, state sales returns,

financial statements, depreciation schedules, check registers, payroll registers,

employment and termination agreements, and insurance policies.

Do non­public companies also need to be concerned with SOX compliance?

While the Sarbanes­Oxley Act applies primarily to publicly listed companies, Section 802 of the

act states that private companies can be faced with fines, and their executives with up to twenty

years of imprisonment for the knowing destruction, alteration, or falsification of records with the

intent to impede or influence a federal investigation.

Further, if you do business with a public company, you may have found that some of these

companies require their vendors to become SOX compliant.

Finally, there are advantages to private companies to become SOX compliant. Adopting SOX-
compliance controls and procedures can improve your organization’s overall IT security program.

And working toward SOX compliance can also help an organization make headway in other areas

such as PCI DSS compliance (which we will discuss later in our series on IT compliance

concerns).

Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA

Compliance.”

To read more about SOX:

● For up­to­date information on the Sarbanes­Oxley Act, you can check the Securities and

Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the

Sarbanes­Oxley Act in TechTarget’s e­handbook, The SOX Effect.

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes­Oxley (SOX) Act?

The Sarbanes­Oxley Act of 2002 is a federal law that set both new and expanded requirements

for public company boards, management, and public accounting firms in the U.S. It is more

commonly known as Sarbox, or SOX. This act also contains some provisions for private

companies, such as those concerning the willful destruction of evidence to impede a Federal

investigation.

The Sarbanes­Oxley Act was a reaction to corporate and accounting scandals including Enron,

Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act

attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to

establish effective oversight mechanisms for financial reporting; conflicts of interest among

securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an

organization rather than on the IT department. This means that although the IT department may

prepare SOX audit statements, it will be c­level executives of a company that face fines and

possible imprisonment if penalties are assessed. SOX audit statements must be certified by the

CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes­Oxley Act describes penalties for infractions:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false

entry in any record, document, or tangible object with the intent to impede, obstruct, or influence

the investigation or proper administration of any matter within the jurisdiction of any department or

agency of the United States or any case filed under title 11, or in relation to or contemplation of

any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or

both.

For example, in one of the first fines levied under the Sarbanes­Oxley Act, CEO Calixto Chaves of

Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the

accuracy of the company’s annual financial statement, while knowing that these statements did

not include the required independent audit report.

Are there advantages to becoming SOX compliant for non­public companies?

According to TechTarget’s e­handbook, The Sox Effect, “Adopting SOX­compliance controls and

procedures can improve your organization’s overall IT security program, even if your company is

not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not

particularly concerned with ensuring the security of data or systems. Rather, it focuses on best

practices for keeping track of who has access to financial data, where that data came from, and

keeping track of whether that data gets changed. For instance, organizations that follow SOX best

practices will perform more regular reviews of user accounts and privileges related to finance

systems and data. While this certainly can require additional IT resources, it can pay off in fewer

costly security incidents. Working toward SOX compliance can also help an organization make

headway in other areas such as PCI DSS compliance (which we will discuss later in our series on

IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to

Know About SOX Compliance?”

To read more about SOX:

● For up­to­date information on the Sarbanes­Oxley Act, you can check the Securities and

Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the

Sarbanes­Oxley Act in TechTarget’s e­handbook, The SOX Effect.