What Does HIPAA Mean?
Nov 25th, 2015 by aperio

(Part 3 in our series on IT Compliance Concerns.)

What is the Health Insurance Portability and Accountability (HIPAA) Act?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what the Health Insurance Portability and Accountability Act is, and what it means to your company.

Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)

What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.

Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearinghouses.
●    Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
●    Health plans can include HMOs and employee-sponsored health plans.
●    Health care clearinghouses include entities that transmit claims or billing information.

Companies that provide services for covered entities and handle Protected Health Information (also known as Personal Health Information or PHI) can be considered business associates under HIPAA. While it is not always easy to determine whether a company is a business associate, typical examples include accounting firms, law firms, consultants, software vendors, ISPs, and cloud storage companies. If such a company works with covered entities, its contracts with those covered entities may require it to be compliant with HIPAA.

What are the penalties for failing to comply with HIPAA?
Penalties for covered entities include monetary fines of $1,000 per violation up to an annual maximum of $25,000. These fines are not the only concern; for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. And while business associates cannot be prosecuted under HIPAA, they may still face certain penalties. A violation of a business agreement with a covered entity might lead to termination of contracts, and could lead to the risk of civil lawsuits filed by harmed individuals.

How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which concerns the use and disclosure of PHI. Types of information covered by this rule include name, address, date of birth, Social Security number, and any other information that can be used to identify a patient. It also includes information about a patient’s past, present, or future health condition; the provision of health care to the patient; and the past, present, or future payment for the provision of health care to a patient.

All of these requirements naturally mean challenges for your IT department. We will discuss these in the next part of our series on IT compliance concerns.

Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?”

To learn more about HIPAA and related issues:

●    How companies are (and are not) allowed to use PHI (Protected Health Information).
●    Additional details concerning business associates and subcontractors.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team

What Does Your IT Team Need to Know About SOX Compliance?
Nov 23rd, 2015 by aperio

(Part 2 in our series on IT Compliance Concerns.)

In Part 1 of our series, we discussed how the Sarbanes-Oxley (Sarbox or SOX) Act was created in response to financial and accounting fraud including the Enron, Worldcom, and Tyco scandals; who SOX compliance affects; and the possible benefits to non-public companies working toward becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises for Information Technology managers and their departments.

What are the primary Information Technology concerns for SOX compliance?

Sarbanes-Oxley compliance focuses on the retention of audit trails, generally in the form of log files and electronic records that contain, relate to, or comment on financial data. (These records often relate to the generation of financial statements that will be submitted to shareholders and the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or falsified, and must be retained and auditable for five years. Sarbanes-Oxley regulations define which records to store and how long to store them.

This means that almost every aspect of IT operations will be affected. Messaging, storage, virtualization, networking, and more can all be involved as long as they relate to any financial data or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and more, lead to new compliance concerns. If communication pertains to finance and accounting, IT professionals must track and archive it in order to be prepared for compliance audits.

This is a sharp contrast to the past, where an IT department’s major focus was usually on being able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-Oxley Act, IT’s focus must also include data retention and accessibility in the event of an investigation.

What kinds of information does IT need to store with regard to SOX compliance, and how?

In general, spreadsheets, documents, and emails used to arrive at final financial conclusions. Electronic media, which can include CD-ROMs and cartridge tapes, are the preferred storage methods. Just some of the additional data IT needs to store according to SOX data retention regulations includes:

● Three years - Employment applications, general correspondence, credit card receipts, and employment records.
● Five years - Customer invoices, vendor invoices, purchase orders, sales records, state unemployment tax records, accident records and workers’ unemployment records, and salary records.
● Seven years - Accounts payable ledger, accounts receivable ledger, time cards, product inventory, payroll and payroll tax records, tax returns, sales tax information and returns, business expense records, bank statements, earning records. Public companies and registered public accounting firms must also maintain audit work papers for seven years, and employee promotion, demotion, or discharge records must be retained for seven years after employment is terminated.
● Permanent retention - Bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals, union agreements, Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements, and insurance policies.

Do non-public companies also need to be concerned with SOX compliance?

While the Sarbanes-Oxley Act applies primarily to publicly listed companies, Section 802 of the act states that private companies can be faced with fines, and their executives with up to twenty years of imprisonment, for the knowing destruction, alteration, or falsification of records with the intent to impede or influence a federal investigation.

Further, if you do business with a public company, you may have found that some of these companies require their vendors to become SOX compliant.

Finally, there are advantages to private companies to become SOX compliant. Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program. And working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA Compliance.”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.
● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Making Sure Your Business is SOX Compliant
Nov 18th, 2015 by aperio

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes-Oxley (SOX) Act?

The Sarbanes-Oxley Act of 2002 is a federal law that set both new and expanded requirements for public company boards, management, and public accounting firms in the U.S. It is more commonly known as Sarbox, or SOX. This act also contains some provisions for private companies, such as those concerning the willful destruction of evidence to impede a Federal investigation.

The Sarbanes-Oxley Act was a reaction to corporate and accounting scandals including Enron, Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to establish effective oversight mechanisms for financial reporting; conflicts of interest among securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an organization rather than on the IT department. This means that although the IT department may prepare SOX audit statements, it will be C-level executives of a company that face fines and possible imprisonment if penalties are assessed. SOX audit statements must be certified by the CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes-Oxley Act describes penalties for infractions:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

For example, in one of the first fines levied under the Sarbanes-Oxley Act, CEO Calixto Chaves of Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the accuracy of the company’s annual financial statement, while knowing that these statements did not include the required independent audit report.

Are there advantages to becoming SOX compliant for non-public companies?

According to TechTarget’s e-handbook, The SOX Effect, “Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not particularly concerned with ensuring the security of data or systems. Rather, it focuses on best practices for keeping track of who has access to financial data, where that data came from, and keeping track of whether that data gets changed. For instance, organizations that follow SOX best practices will perform more regular reviews of user accounts and privileges related to finance systems and data. While this certainly can require additional IT resources, it can pay off in fewer costly security incidents. Working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About SOX Compliance?”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.
● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Hiring Small Business IT Support for Any Type of Industry
Nov 13th, 2015 by aperio

Almost every company uses some type of computer system, whether to keep track of orders and financial information or to do business online. Whatever it is doing, it will need small business IT support to keep everything operating smoothly.

Many different types of software run on each computer system, and the number of computers in use is an important consideration when choosing these programs. Technology is useful for a great many companies.

As a company grows, it may add new computers to its network. It may also continue to add new products and services, and its customer base will keep growing.

There are several things to consider when hiring an IT support company, though. It needs to be a trusted company, and it has to be available when needed.

This is very important because if the computer system goes down, the company needs someone who can get it up and running again quickly. Not all such problems are quick to resolve, though; several things may have to be uploaded and checked before everything is put back online.

Every company handles these situations differently. Whatever else it considers, it will want someone available at all times in case a problem does occur. Many companies also wait until there is less traffic to their website before working on their equipment.

This is beneficial when they have to take orders. Every IT professional handles these things differently, though: sometimes the proper fix can wait until the next upgrade, and other times it has to be done immediately to get the system up and running.

Keeping computer systems running smoothly is very important. This is why companies hire an IT technician who is available at all times of the day or night. The company they hire must be up to date on all of the systems and software in use.

There are many options for everything relating to computers. Companies also have to make sure they have enough storage space; cloud software lets them store their files remotely so that they have much more free disk space.

Since technology is always changing, companies have to make sure their programs are compatible with mobile devices and the other types of devices used in the business world, so that customers can access their online stores from many different devices.

The operating systems in use also need to be carefully considered. Companies have many options for every customer and employee, and sometimes employees need to access the software in order to retrieve their records.

Small business IT support staff offer many different things to their clients. Some are available around the clock, while others have set hours for this type of work; many factors determine whether they are available at certain times of the day.

How a Managed IT Services provider in Sacramento can help you
Nov 4th, 2015 by aperio

Many different things are important when considering the computer systems of any type of business. A lot of information will be stored on them, including business plans and confidential information about employees. IT managed services continually track what is going on with each system to ensure that everything is working smoothly.

The team will also install programs and update the system when necessary. Many companies use the cloud for storage because it frees up space on the computer systems they are currently using.

One concern with this is that they need to make sure their systems are secure. Such systems can be hacked without anyone knowing about it, and this is not something to be taken lightly.

This is why companies hire IT managed services to help them. The provider makes sure the computer systems are functioning properly and are not allowing hackers to get at the information, which requires monitoring and continual updating of the software.

Another advantage of IT managed services is that someone is available for support at all times of the day. Many different things can be a problem for a user: systems can freeze or simply not function properly.

When this happens, it is important to call someone who understands how the system operates. Sometimes the cause is the temperature of the hard drive; if there is not sufficient cooling in place for the size of the computer system, the company risks a lot.

Companies need to have the proper equipment in place as well as the programs that work best for their type of business. Not every company benefits from the same types of programs, and this should be taken into consideration before any recommendations are made.

There are also many reasons why certain types of companies use the same types of programs: they want everything to be compatible with their customers’ systems. This is especially true of mobile devices.

Many people access the web using their mobile phones and tablets, and not all of these can open certain types of content. This is why it is important to make sure the system is mobile friendly as well.

There is a lot that customers need to know about, and it will be posted online. Social media websites and the like also allow unhappy customers to tell others about their experiences, which is why it is very important to make sure that everyone is able to do what they need to do.

Many different programs are used on every type of computer system, and security software should be among them. This needs to be done even on a computer that is only used for general company business.

Hackers and viruses can harm these computers. A company that takes advantage of IT managed services can make sure its computers are set up properly and that any problems that occur are taken care of very quickly. This benefits the employees as well as the entire company.
