
Health Insurance Portability and Accountability Act
Who Must Comply
Any organization that transmits Protected Health Information (PHI) in electronic form, which includes health plans, health care clearinghouses, and health care providers, must comply with the HIPAA Law.
What You Must Do
There are two major provisions that you must comply with:
A. HIPAA privacy rule: Effective April 14, 2003
Certain provisions of the privacy rule allow for “reasonable efforts” to be made in achieving HIPAA Law compliance with regard to the privacy of PHI. “Reasonable efforts” is a fuzzy concept, and large health care organizations must be aware that they will be held to a higher standard than smaller organizations.
- Limit the acceptable uses and disclosure of PHI
- Notify individuals of their rights under the HIPAA Law
- Develop written policies and procedures relating to use and disclosure of PHI
- Train each member of the work force concerning the HIPAA Law
B. HIPAA electronic data security rule: Effective April 21, 2005
This rule covers all PHI electronically maintained and transmitted.
- Electronic PHI must be kept secure when at rest and in transit
- Analyze security risks
- Implement HIPAA procedures for each security standard
How You Must Do It
To retire IT assets, electronic media that contains PHI must have the PHI destroyed in such a manner that it “cannot be practicably read or reconstructed.” Organizations must implement a procedure that minimizes any risk of lost electronic PHI. An organization's choices are either to perform proper data destruction in-house or to use a data destruction service. If the organization chooses to perform the data destruction in-house, it must have procedures in place to provide ongoing evaluation and maintenance of the process. If the organization decides to use a data destruction service, it must have a signed “Business Associates Contract” and “due diligence” documentation supporting the vendor's data destruction service.
Sarbanes-Oxley
Public Company Accounting Reform and Investors Protection Act
One Hundred Seventh Congress of the United States of America
AT THE SECOND SESSION
Begun and held at the City of Washington on Wednesday, the twenty-third day of January, two thousand and two.
An Act
To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress.
TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
SEC. 801. SHORT TITLE.
This title may be cited as the “Corporate and Criminal Fraud Accountability Act of 2002.”
SEC. 802. CRIMINAL PENALTIES FOR ALTERING DOCUMENTS.
(a) IN GENERAL.—Chapter 73 of title 18, United States Code, is amended by adding at the end the following:
§ 1519. Destruction, Alteration, or Falsification of Records in Federal Investigations and Bankruptcy.
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
§ 1520. Destruction of Corporate Audit Records.
(a)(1) Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j–1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.
(2) The Securities and Exchange Commission shall promulgate, within 180 days, after adequate notice and an opportunity for comment, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review, which is conducted by any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j–1(a)) applies. The Commission may, from time to time, amend or supplement the rules and regulations that it is required to promulgate under this section, after adequate notice and an opportunity for comment, in order to ensure that such rules and regulations adequately comport with the purposes of this section.
(b) Whoever knowingly and willfully violates subsection (a)(1), or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 10 years, or both.
(c) Nothing in this section shall be deemed to diminish or relieve any person of any other duty or obligation imposed by Federal or State law or regulation to maintain, or refrain from destroying, any document.
(b) CLERICAL AMENDMENT.—The table of sections at the beginning of chapter 73 of title 18, United States Code, is amended by adding at the end the following new items:
§ 1519. Destruction, Alteration, or Falsification of Records in Federal Investigations and Bankruptcy.
§ 1520. Destruction of Corporate Audit Records.
TITLE XI—CORPORATE FRAUD ACCOUNTABILITY
SEC. 1101. SHORT TITLE.
This title may be cited as the “Corporate Fraud Accountability Act of 2002.”
SEC. 1102. TAMPERING WITH A RECORD OR OTHERWISE IMPEDING AN OFFICIAL PROCEEDING.
Section 1512 of title 18, United States Code, is amended—
(1) by redesignating subsections (c) through (i) as subsections (d) through (j), respectively; and
(2) by inserting after subsection (b) the following new subsection:
(c) Whoever corruptly—
(1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding; or
(2) otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so, shall be fined under this title or imprisoned not more than 20 years, or both.
Who Must Comply
All public companies and corporate officers are responsible for becoming compliant.
What You Must Do
SEC. 906. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.
(a) IN GENERAL.—Chapter 63 of title 18, United States Code, is amended by inserting after section 1349, as created by this Act, the following:
§ 1350. Failure of Corporate Officers to Certify Financial Reports.
(a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS.—Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a) or 78o(d)) shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.
(b) CONTENT.—The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
(c) CRIMINAL PENALTIES.—Whoever—
(1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or
(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.
How to Comply
While Sarbanes-Oxley requires the development and maintenance of detailed corporate financial information, cleansing computer systems of unnecessary files is an essential task. When a plaintiff comes and says "Give me your data," you've got to give them not only paper data but all electronic data. These discovery processes can amount to huge "fishing trips." If records are destroyed in the normal course of business, it is very difficult to prove that anyone is trying to obstruct justice. Properly documented disposal of electronic records is absolutely essential in today's litigious society.
TEN TIPS FOR ELECTRONIC RECORD RETENTION
Sarbanes-Oxley reinforces the reality that electronic data management should garner top priority for corporate leadership, corporate counsel and accounting/auditing professionals. The following 10 tips should be considered when developing and maintaining rules for electronic record retention:
- Make electronic-data management a business initiative, supported by corporate leadership.
- Keep records of all types of hardware/software that are in use and the locations of all electronic data.
- Create a document-review, retention and destruction policy, which includes consideration of backup and archival procedures, any online storage repositories, record custodians and a destroyed documents "log book."
- Create an employee technology-use program, including procedures for written communication protocols, data security, employee electronic-data storage and employee termination/transfer.
- Clearly document all company data-retention policies.
- Document all ways in which data can be transferred to or from the company.
- Regularly train employees on the company's data-retention policies.
- Implement a litigation response team, comprised of outside counsel, corporate counsel, the human resources department, business line managers and IT staff that can quickly alter any document-destruction policy.
- Be aware of electronic "footprints" — delete does not always mean delete, and metadata is a fertile source of information and evidence.
- Cease document-destruction policies at the first notice of a suit or reasonable anticipation of suit.
The National Law Journal
Michael C.S. Lange
1/2/03