WHAT IS HIPAA?

HIPPAHIPAA stands for the Health Insurance Portability and Accountability Act of 1996.  A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed.  This federal standard will generally preempt all state privacy laws except for those that establish stronger protections.

The HIPAA privacy laws are effective April 14, 2003.

Generally, HIPAA “covered entities” will have to comply with HIPAA rules for any health or medical information of identifiable individuals, including their medical records, medical billing records, any clinical or research databases, and tissue bank samples.  Covered entities are health care providers, health plans (including employer’s sponsored plans), and healthcare clearing houses (e.g., billing agent).  SU, SHC, and LPCH will be HIPAA covered entities as both health care providers and through their HR sponsored health benefit plans.  Since not all of SU’s functions meet the definition of a covered entity, it will be able to treat itself as a “hybrid” and exclude certain units from HIPAA coverage.  The covered units will, generally, not be able to communicate or transfer protected health information to the non-covered units without violating HIPAA.  SU’s covered units will join with SHC and LPCH to be a single covered entity under HIPAA.

WHAT DOES HIPAA REQUIRE OF COVER ED ENTITIES WHO MAINTAIN SUCH PROTECTED HEALTH INFORMATION?

Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.

Research is not considered to be treatment, payment, or health care operations.

In addition to limiting the use and disclosure of protected health information, HIPAA also gives the patients the right to access this information and to know who the covered entity has disclosed this information to (including investigators’ research files).  It also restricts most disclosures to the minimum to accomplish the intended purpose and establishes criminal and civil penalties and fines for improper use and disclosure by HIPAA covered entities.

HIPAA requires covered entities to do the following:

  1. Institute a required level of security for health information, including limiting  disclosures of information to the minimum required for the activity;
  2. Designate a privacy officer and contact person;
  3. Establish privacy and disclosure policies to comply with HIPAA;
  4. Train employees on privacy policies;
  5. Establish sanctions for employees who violate privacy policies;
  6. Establish administrative systems in relation to the health information that can respond to complaints, respond to requests for corrections of health information by a patient, accept requests not to disclose for certain purposes, track disclosures of health information;
  7. Issue a privacy notice to patients concerning the use and disclosure of their protected health information;
  8. Establish a process through an IRB (or privacy board) for a HIPAA review of research  protocols; and
  9. As a health care provider, include consent for disclosures for treatment, payment, and health care operations in treatment consent form (optional).

Source: http://www.stanford.edu

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 is mandatory. ALL organizations, large and small, MUST comply.

Introduction

Sarbanes - Oxley (SOX)The Sarbanes-Oxley Act came into force in July 2002 and introduced major changes to the regulation of corporate governance and financial practice. It is named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, and it set a number of non-negotiable deadlines for compliance.

The Sarbanes-Oxley Act is arranged into eleven 'titles'. As far as compliance is concerned, the most important sections within these eleven titles are usually considered to be 302, 401, 404, 409, 802 and 906.

An over-arching public company accounting board was also established by the act, which was introduced amidst a host of publicity.

Sarbanes-Oxley Compliance 

Compliance with the legislation need not be a daunting task. Like every other regulatory requirement, it should be addressed methodically, via proper analysis and study.

Also like other regulatory requirements, some sections of the act are more pertinent to compliance than others. To assist those seeking to meet the demands of this act, the following pages cover the key Sarbanes-Oxley sections:
Summary of Section 302

Periodic statutory financial reports are to include certifications that:

  • The signing officers have reviewed the report
  • The report does not contain any material untrue statements or material omission or be considered misleading
  • The financial statements and related information fairly present the financial condition and the results in all material respects
  • The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
  •  A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
  • Any significant changes in internal controls or related factors that could have a negative impact on the internal controls

Organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States

Summary of Section 401

Financial statements are published by issuers are required to be accurate and presented in a manner that does not contain incorrect statements or admit to state material information. These financial statements shall also include all material off-balance sheet liabilities, obligations or transactions. The Commission was required to study and report on the extent of off-balance transactions resulting transparent reporting. The Commission is also required to determine whether generally accepted accounting principals or other regulations result in open and meaningful reporting by issuers.

Summary of Section 404

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures. The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

Summary of Section 409

Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand supported by trend and qualitative information of graphic presentations as appropriate.

Summary of Section 802

This section imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. This section also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years

Miscellaneous
Having studied the above pages, even if you are considering using an external consultant or legal expert, it is well worth taking some basic steps to enhance your position immediately. This not only demonstrates due diligence, but may well reduce the consultancy costs themselves.

One area that perhaps falls into the category is security. In many respects security underpins the requirements of the Sarbanes-Oxley Act. It is therefore important to quickly establish a credible and detailed security policy, which can often be done readily via off the shelf packages.

Finally, perhaps the most important statement on the entire web site: don't put off until tomorrow what can be done today! With other legislation and regulation we have seen far too often organizations leave compliance until the last few days, and subsequently suffer adverse consequences.

Source: http://www.soxlaw.com

FIPS PUB 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.
1. Name of Standard.
FIPS PUB 201: Personal Identity Verification (PIV) of Federal Employees and Contractors.
2. Category of Standard.
Information Security.
3. Explanation.
Homeland Security Presidential Directive 12 (HSPD 12), dated August 27, 2004, entitled “Policy for a Common Identification Standard for Federal Employees and Contractors,” directed the promulgation of a Federal standard for secure and reliable forms of identification for Federal employees and contractors. It further specified secure and reliable identification that—
  • Is issued based on sound criteria for verifying an individual employee’s identity
  • Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
  • Can be rapidly authenticated electronically
  • Is issued only by providers whose reliability has been established by an official accreditation process.
The directive stipulated that the standard include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. As promptly as possible, but in no case later than eight months after the date of promulgation, executive departments and agencies are required to implement the standard for identification issued to Federal employees and contractors in gaining physical access to controlled facilities and logical access to controlled information systems.
4. Approving Authority.
Secretary of Commerce.
5. Maintenance Agency.
Department of Commerce, NIST, Information Technology Laboratory (ITL).
6. Applicability.
This standard is applicable to identification issued by Federal departments and agencies to Federal employees and contractors (including contractor employees) for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems except for “national security systems” as defined by 44 U.S.C. 3542(b)(2). Except as provided in HSPD 12, nothing in this standard alters the ability of government entities to use the standard for additional applications.

Special-Risk Security Provision—The U.S. Government has personnel, facilities, and other assets deployed and operating worldwide under a vast range of threats (e.g., terrorist, technical, intelligence), particularly heightened overseas. For those agencies with particularly sensitive OCONUS threats, the issuance, holding, and/or use of PIV credentials with full technical capabilities as described herein may result in unacceptably high risk. In such cases of extant risk (e.g., to facilities, individuals, operations, the national interest, or the national security), by the presence and/or use of full-capability PIV credentials, the head of a Department or independent agency may issue a select number of maximum security credentials that do not contain (or otherwise do not fully support) the wireless and/or biometric capabilities otherwise required/referenced herein.

To the greatest extent practicable, heads of Departments and independent agencies should minimize the issuance of such special-risk security credentials so as to support inter-agency interoperability and the President’s policy. Use of other risk-mitigating technical (e.g., high-assurance on-off switches for the wireless capability) and procedural mechanisms in such situations is preferable, and as such is also explicitly permitted and encouraged. As protective security technology advances, this need for this provision will be re-assessed as the standard undergoes the normal review and update process.
7. Specifications.
Federal Information Processing Standards (FIPS) 201 Personal Identity Verification (PIV) of Federal Employees and Contractors.
8. Implementations.
The PIV standard consists of two parts—PIV-I and PIV-II. PIV-I satisfies the control objectives and meets the security requirements of HSPD 12, while PIV-II meets the technical interoperability requirements of HSPD 12. PIV-II specifies implementation and use of identity credentials on integrated circuit cards for use in a Federal personal identity verification system.

PIV Cards must be personalized with identity information for the individual to whom the card is issued, in order to perform identity verification both by humans and automated systems. Humans can use the physical card for visual comparisons, whereas automated systems can use the electronically stored data on the card to conduct automated identity verification.

Federal departments and agencies may self-accredit, or use other accredited issuers, to issue identity credentials for Federal employees and contractors until a government-wide PIV-II accreditation process is established. The standard also covers security and interoperability requirements for PIV Cards. Funding permitting, NIST plans to develop a PIV Validation Program that will test implementations for conformance with this standard. Additional information on this program will be published at http://csrc.nist.gov/npivp/ as it becomes available.

The respective numbers of agency-issued 1) general credentials and 2) Special-risk credentials (issued under the Special-Risk Security Provision) shall be subject to annual reporting to the Office of Management and Budget (OMB) under the annual reporting process in a manner prescribed by OMB.

9. Effective Date.
This standard is effective immediately. Federal departments and agencies shall meet the requirements of PIV-I no later than October 27, 2005, in accordance with the timetable specified in HSPD 12. The OMB has advised NIST that it plans to issue guidance regarding the transition from PIV-I to PIV-II. It is anticipated that some Federal departments and agencies may begin with PIV-II, which would eliminate the need for such a transition.
10. Qualifications.
The security provided by the PIV system is dependent on many factors outside the scope of this standard. Upon adopting this standard, organizations must be aware that the overall security of the personal identification system relies on—
  • Assurance provided by the issuer of an identity credential that the individual in possession of the credential has been correctly identified
  • Protection provided to an identity credential stored within the PIV Card and transmitted between the card and the PIV issuance and usage infrastructure
  • Protection provided to the identity verification system infrastructure and components throughout the entire life cycle.
Although it is the intent of this standard to specify mechanisms and support systems that provide high assurance personal identity verification, conformance to this standard does not assure that a particular implementation is secure. It is the implementer’s responsibility to ensure that components, interfaces, communications, storage media, managerial processes, and services used within the identity verification system are designed and built in a secure manner.

Similarly, the use of a product that conforms to this standard does not guarantee the security of the overall system in which the product is used. The responsible authority in each department and agency shall ensure that an overall system provides the acceptable level of security.

Because a standard of this nature must be flexible enough to adapt to advancements and innovations in science and technology, the NIST will review this standard within five years to assess its adequacy. NIST plans to seek agency input in one year to see whether a full review of the standard is needed.
11. Waivers.
As per the Federal Information Security Management Act of 2002, waivers to Federal Information Processing Standards are not allowed.
12. Where to Obtain Copies.
This publication is available through the Internet by accessing http://csrc.nist.gov/publications/.

Tags: