Document Nation works hard to ensure compliance with the following federal, state and industry specific regulations:
The Sarbanes-Oxley Act of 2002
Sarbanes-Oxley defines which records are to be stored and for how long. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.”
To comply with Section 404, companies have to assess whether their current processes and financial information management systems are established, documented, and structured to contain the necessary controls to prevent against risk. They have to assess whether they have adequate security controls to ward off theft and/or the corruption of data. Finally, they need to determine whether their employees’ roles, responsibilities, access rights, and permissions could allow for material fraud or the misrepresentation of financial data.
Health Insurance Portability and Accountability Act (HIPAA)
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers.
The Privacy Rule allows covered entities to disclose protected health information to “business associates” if the covered entity obtains satisfactory assurances, that the business associate will use the information only for the purposes for which it was engaged by the covered entity, that it will safeguard the information from misuse, and that it will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
- How the Rule Works
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that they will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. Feel free to ask to see our agreement!
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
To achieve regulatory compliance, financial service organizations need to apply technology to secure access of data, to ensure the physical protection of data and to create an audit trail showing who has had access to the data.
The Safeguards Rule requires companies to develop a written security plan describing their program to protect customer information. The plan must be appropriate to the company’s size and complexity, explain the nature and scope of the business’ activities, and describe the sensitivity of the customer information it handles.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects the privacy of student education records. The law applies to all schools that receive funding under an applicable program of the U.S. Department of Education. FERPA is designed to ensure that students and parents of students are able to obtain access to the student’s educational records and that they have the right to challenge the content or release of such records to third parties.
Under FERPA, personally identifiable information may be disclosed to other school officials with legitimate educational interests without prior approval or those following recordkeeping requirements. Recognizing that institutional services are often outsourced, the updated rule states that, third parties will be considered “other school officials” if the contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions, is performing said service or function for which the agency or institution would otherwise use its employees.
Red Flags Rule:
The Red Flags Rule requires that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Red Flags Rule was intended to ensure that banks, credit card companies, physician practices and certain retailers protect their consumer’s financial information.
According to federal banking agencies, National Credit Union Administration (NCUA) and Federal Trade Commission (FTC), in order to comply, you must have a written program in place that has been implemented by your organization. Once you have created a compliance program, you need to educate your employees. All training should be documented for compliance records. In addition, you must also have a method in place for the detection of Red Flags.
Whenever a service provider is performing an activity in connection with business covered under the Red Flags Rule, it is the business’ responsibility to make sure that the provider has an Identity Theft Prevention Plan, and is following the Identity Theft Prevention Plan in place. The same requirement to detect, prevent and mitigate identity theft as it pertains to covered entities is extended to any service provider who is engaged to perform an activity in connection with the covered entity. Feel free to ask to see our Identity Theft Prevention Plan.
IRS Rev. Proc. 97-22
IRS Rev. Proc. 97-22 provides guidance to taxpayers that maintain books and records using an electronic storage system. The electronic storage system must ensure an exact duplication of the hardcopy books and records. The electronic storage system must also be able to index, store, preserve, retrieve, and reproduce the electronically stored books and records as needed.
Government Paperwork Elimination Paper Act
Simply requires federal agencies to accept electronic information and transactions. The Act also requires that federal agencies maintain electronic records.