How to comply with HIPAA and Sarbanes Oxley?



  • Can we use the same work to comply with HIPAA and Sarbanes Oxley?



  • What does HIPAA have to do with financial reporting?



  • I am curious about this as well. If a company was to offer an offsite SQL hosting service for financial or medical institutions, what would the company and the SQL hosting company need to do to become compliant with these two?



  • I agree with kymike, HIPAA is not about financial reporting.
    The Healthcare Insurance Portability and Accountability Act (HIPAA) was passed in 2002. Information must be protected to ensure privacy and confidentiality when electronically stored, maintained, or transmitted.
    Healthcare organizations are:

    1. Providers, such as hospitals.
    2. Payers, such as insurers and government entities.
    3. Manufacturers, including pharmaceutical, biotech, and medical device manufacturers.

    HIPAA requires all healthcare organizations to make a thorough IT risk assessment, including a privacy assessment.
    As of April 21, 2005, all healthcare organizations (with the exception of small health plans, which have until April 2006 to comply) must be in compliance with HIPAA’s Security Rule.
    Many healthcare organizations that are not formally subject to the requirements of SOX are using it as a framework.
    Why?

    1. It is the issue of trust. Investors like SOX and good financial statements. Organizations are called on to be more accountable for their practices and information management.
    2. SOX is a competitive advantage.
    3. Organizations believe that in the long term, the technologies and methods they’re implementing now will be good for business.

    We can combine the Sarbanes Oxley risk assessment with the HIPAA risk assessment. We cannot achieve privacy without security.


  • Hi There,
    Just a clarification on HIPAA. It actually does not apply to ALL healthcare agencies, only those that perform one or more of the electronic transactions specified in the law. The main two transactions (although there are more) are claims transmission and eligibility. If a provider sends all the claims on paper and does eligibility checking over the phone, then that provider does NOT have to comply with HIPAA (any of the HIPAA sections, including Privacy).
    It also does not apply to medical manufacturers (unless they also have a medical practice). Under HIPAA, a healthcare organization is a provider, payer or clearinghouse. A medical manufacturer could be a Business Associate of one or more of the covered organizations, but is not a covered entity itself.
    Thanks,
    TJB



  • Good comments by all … I’ve worked in the insurance industry as an IT professional since 1977. I’ve researched both and am generally familiar with both.
    lekatis and TJB are right on point 🙂 … There’s some possible overlap between HIPAA and SOX 404, specifically in the area of IT-type controls for security and privacy. The following provides some general ideas:
    SOX 404 – You want the best practices in security to ensure sensitive financial records cannot be accessed or altered outside prescribed controls
    HIPAA – You want to protect the patient’s medical records with best practices, so they cannot be accessed or altered outside prescribed controls
    Potential overlap – Certainly medical billing records can be part of the financial data, so I recommend working with Audit (internal or external) so that you have one standard that satisfies both needs (e.g., encryption, network security controls, need-to-know access rights, etc). It’s mostly things you need to be doing anyway and these regulatory requirements are simply to place the emphasis and fiduciary responsibilities on insurers to properly safeguard critical data.