Compliancy & Penalties

What are the laws related to compliancy and how do they directly affect your organization?

HIPAA

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

So in a nutshell, if your organization gathers PHI (Protected Health Information) as a provider of health services, or for grants, loans, or as a third-party vendor, you are now subject to HIPAA regulations.

The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.” The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

So, either you have a server that is bombproof, hack proof, and all-weather proof in case of floods, fire, or storms, which is unrealistic, or you save electronic copies off-site. Some companies we work with create tapes and CD’s and rotate these backups daily into our secure vault. This is a physical act of storing electronic copies. MRM provides safe, viable off-site storage for many organizations in a secure vault. The other option is to send your encrypted vital information to a reputable on-line storage facility. Buyer beware of just how secure a company might be that is advertising on the internet to store your confidential information for $9.99 per 2 gigabytes!

FACTA

The Fair and Accurate Credit Transaction Act, or FACTA is another new law enacted in the last couple of years. FACTA applies to virtually every person and business in the US. It requires the destruction of all consumer information before it is discarded! According to the FACTA Disposal Rule, any person who maintains or otherwise possesses consumer information for a business purpose must properly destroy that discarded information. It goes on to state that every person/business must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Reasonable measures are defined by FACTA as “burning, pulverizing, or shredding of papers containing consumer information.

You may enter into a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. Fines vary anywhere from $1000 up to 1,000,000 for statuatory damages. Courts are also authorized to award punitive damages in either an individual suit or a class action suit, plus reasonable attorneys’ fees. So you think the courts are jammed now! There is more; the federal government can bring an action in federal district court for up to $2,500 in penalties for each independent violation of the rule!

What are reasonable measures? According to FACTA, they are defined as burning, pulverizing, or shredding of papers containing consumer information or entering into a “contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.

The Gramm–Leach–Bliley Act

The Gramm–Leach–Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate. For example, Citicorp (a commercial bank holding company) merged with Travelers Group (an insurance company) in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica, and Travelers. We won’t focus on this law here, but you may want to explore this law further to see if it impacts your organization.

The HITECH ACT

The HITECH ACT is more for health providers and is very, very broad in scope and touches on some of the storage and disposal measures of electronic records as well as fines for non compliance too.

Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement. It’s always going to be easier, and usually going to be less expensive, to partner with Montana Records Management if you want to remain in compliance with all these laws.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands. Being PCI DSS compliant doesn’t actually make you more secure, but if you can’t make that bar, and plenty of people would say it’s a pretty low bar, then you are, in the words of the immortal Jessie Ventura, “in a world of hurt”.

All it takes is for any organization that takes credit cards to fill out a form from your provider or merchant and then it might require updating your credit card machine.

HITECH Breach Notification Interim Final Rule

HHS issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached.

These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This could be another very costly rule affecting a business with a poor records management policy.

The Red Flag Rule

The Red Flag Rule- is enforced by the Federal Trade Commission and requires organizations extending payment terms to customers and that have personal information on file to have a written program on file and an expectation the organization is executing that program as well.

Are you a BA- AKA Business Associate or a covered entity? Do you posess PHI – Protected Health Information in the course of your work or organization? Does your organization’s network and computers possess encryption abilities? These are questions each one of us needs to ask ourselves as we move forward in today’s business world. While it is quickly changing and complex, we are here to help your organizaion to realize the scope of what you are up against with these new laws and rules and help with a few areas of compliancy today.