
HIPAA

Professional backup services can help medical services practitioners reach HIPAA compliance for secure off-site storage of electronic records. ReadySetBackup.com can help you prepare for compliance, today.

HIPAA background
In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). The legislative goals of HIPAA were to mandate that the industry implement procedures to reduce the administrative costs of healthcare, develop standard transactions for consistency across the industry, promote the security and confidentiality of patient records, and give the healthcare industry an incentive to use electronic communications so that patient records are available wherever a patient is being treated, a process that takes days with manual records and is particularly valuable in emergencies. All health care providers, insurance providers, health care clearinghouses, and health plans that electronically maintain or transmit health information pertaining to an individual must comply with HIPAA regulations. As originally written, the Act carried onerous penalties, both financial and criminal, for disclosing any element of medical information to a party without a need for it, even inadvertently, such as a clerk faxing a record to the wrong fax number. These penalties have since been reduced through interpretation by the Secretary of HHS, whom the Act chartered to develop the compliance guidelines. Everyone in the healthcare industry is now preparing to comply with the Act.

ReadySetBackup.com Online Backup is the ideal subscription service provider product to enable a service provider to deliver the mandated services. You can learn more about the HIPAA requirements by obtaining a simplified version of the Act's compliance requirements at http://www.cms.hhs.gov.

HIPAA contingency planning
By working with ReadySetBackup.com, a medical practice or any participant in the medical information chain has the opportunity to come into compliance with HIPAA. Services that can support specific areas of contingency planning and compliance include:

  • Off-site data backup plan
  • Disaster recovery plan
  • Application and data criticality assessment
  • Emergency operations plan
  • Documented procedures in place for each of the above

HIPAA requires those in the healthcare industry to have an off-site, encrypted remote electronic data backup and a contingency plan in order to meet the Administrative Procedures mandated in the Act. Every practitioner, whether a doctor, clinic, hospital, testing lab, surgery center, or any other organization that provides services to individuals and stores patient medical records, must back up each day to a secure off-site location, encrypted for privacy. By working with a professional data backup service provider, a healthcare industry participant will be in compliance with HIPAA.

ReadySetBackup.com can assure the medical practitioner of the following: the stored data is encrypted for privacy; compliance with the Act is made easier by ensuring that the practitioner has a secure data backup solution; and backups for data storage and recovery run automatically.

SEC/NASD

In 1934, Congress passed the Securities and Exchange Act to regulate the securities industry. Among other things, the Act requires the creation and maintenance of records of securities transactions for the purpose of review and audit in order to better protect investors and the U.S. economy.

SEC Rule 17a-4 is a rule created by the SEC under the Exchange Act that stipulates specific record-keeping requirements for certain exchange members, brokers, and dealers in the securities industry. The Rule was updated in 1997 to expressly allow for the storage, retention, and reproduction of records by means of “electronic storage media,” subject to certain conditions. For example, 17a-4 requires that:

  • members, brokers and dealers “preserve for a period of not less than three years, the first two years in an easily accessible place…. originals of all communications received and copies of all communications sent” related to their business as broker-dealers, including electronic communications such as email and instant messaging.
  • electronic media used to store these records preserve them “exclusively in a non-rewriteable, non-erasable format” such as WORM (Write Once Read Many) technology.
  • the electronic storage media “...verify automatically the quality and accuracy of the storage media recording process.”
  • members, brokers and dealers have specific electronic records available for SEC review “...at all times…for immediate, easily readable projection or production.”
  • the member, broker or dealer “...store separately from the original, a duplicate copy of the record stored on any medium acceptable… for the time required.”

Rule 17a-4 affects individuals and organizations that trade securities or act as brokers for those who do. This includes any financial institution whose business units trade securities regulated by the Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD).

Business Impact

Compliance with Rule 17a-4 requires that members, brokers and dealers carefully evaluate their information management processes and architecture to ensure that the relevant e-records and communications are maintained in a trustworthy state for the duration required by the Rule, and that they are retrievable for review on demand for the time required. In light of this, organizations subject to the Rule’s requirements that do business electronically may need to implement new technologies to comply.

For example, 17a-4 requires responsive e-records and communications to be readily accessible and available for review to allow for a prompt response to SEC inquiries. Organizations need to assess their IT systems to determine whether or not they allow for a timely response to such requests. Are emails to and from clients available for review on demand, or are they stored on backup tapes that can take a great deal of time to search and restore? Simply retaining responsive messages on backup tapes may violate 17a-4’s requirement to retain such messages for “the first two years in an easily accessible place,” and at the very least, will likely hinder the organization’s ability to comply in a timely manner.

Similarly, impacted organizations must consider whether their systems meet the Rule’s mandates to store records in a non-rewriteable, non-erasable format; automatically verify the trustworthiness of the recording process; create and store duplicate copies of records; and accurately index their information, among other things.

Real World Impact

The SEC has imposed fines on broker-dealers under investigation that failed to cooperate in complying with 17a-4 and other rules. For example, one financial institution was fined $10 million by the SEC for multiple failings involving the production of emails: the organization failed to produce the messages in a timely manner, taking two years to produce the emails of seven individuals, and failed to promptly contact the Commission when emails that were thought to be lost were recovered.

In another recent example, a financial institution was fined $2.1 million when it failed to comply with 17a-4’s requirement to retain all email communications sent and received by its employees that related to its business as a broker-dealer. The SEC stated that the organization “lacked adequate systems or procedures for the preservation of electronic mail communications.” The emails in question were stored on backup tapes – some of which went missing, were damaged, contained errors or couldn’t be restored for other reasons. Furthermore, the organization failed to inform the SEC of its failure to preserve these emails.

To read the entire rule, visit http://www.law.uc.edu/CCL/34ActRls/rule17a-4.html.

SOx

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom (later MCI and now part of Verizon Business). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after its sponsors, Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rulings on the requirements for complying with the new law.

The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.

ReadySetBackup.com's Online Backup is the ideal subscription service provider product to enable a service provider to deliver the services mandated under these Federal rules and guidelines. Click the following link to learn more about SOX requirements: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf