HIPPAA (HIPA) and Sarbanes-Oxley Laws Effect on Record Keeping

HIPPA, Health Insurance Portability and Accountability Act was passed by congress in 1996. "HIPPA is the first federal law to address health privacy in a comprehensive way" (HIPAA and Records Management) It directly affects all doctors, clinics, hospitals, dentists and other healthcare organizations. Employers with over 50 people provided health insurance; IT solutions providers who store patient records (data service providers) and other technical companies down the line (who provide the software) are also directly affected. Industries working with healthcare industries may be required to enter into a 'Business Associates Contract. HIPAA's privacy rules impact all organizations in some way and provide individual patrons new control over their patient records and how that data is used. For the most part HIPAA compliance was mandatory April 14, 2003. A lot of businesses are just beginning to realize that the HIPAA law is something they must comply with.

"According to privacy regulation, documents relating to uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record bust be maintained for 6 years (See 64 Fed. Reg. 59994)" (Calloway) Medical records as well as billing records on Medicare and maternal and child health must be retained for 6 years; health records must be retained for 2 years after a patients death. Al hospitals must retain medical records in their original/legally produced form for 5 years. Many healthcare providers maintain records for a longer period, due to statute of limitations (the time for suing) and for minors, until the age of 21.

HIPPA also affects electronic data and record keeping of all individual health info, on disk or electronic tape. The legislation "ensures the integrity and confidentiality of data by eliminating access to it by outside intrusion or by internal, unauthorized personnel." (Crowe) Access to the data must also be track able

Also, health records will be required to utilize "Unique Health Identifiers" to allow anonymity for patient records. "The standards require each person who maintains or transmits health information to maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and the confidentiality of the information. You must also protect against any reasonable anticipated threats or hazards to the security of integrity of the health information, and unauthorized uses or disclosures of the information." (Crowe) There are also rules about "Electronic Signature Standards."

If HIPAA laws aren't followed there are fines and possible imprisonment as penalties for both the individual and organization involved. Fines are from $100 to $250,000 and jail terms to 10 years.

In 2002, the Sarbanes-Oxley Statute was enacted to improve accountability as a result of the scandals with Enron and WorldCom. This law provides that there must be "adequate internal control procedures for financial reporting." It also "extends protection for whistleblowers: no company may 'discharge, suspend, threaten, harass, or in any other manner discriminate against a person because of any lawful provision of information about suspecting fraud." (Economist.com)

A lot of businesses are unhappy due to the bigger than expected initial cost of compliance, and think this law maybe more a way to address symptoms than the cause of the problem. A study by Ivy Xlying Zhang of the William E. Simon Graduate School of Business Administration at the University of Rochester says the net private cost could amount to $1.4 trillion. "Michael Oxley, co-sponsor of the law, himself said earlier this year: "How can you measure the value of knowing that company books are sounder than they were before?" The chairman of the House of Representatives' financial-services acknowledged that the act, names after him and Senator Paul Sarbanes, has real costs on firms. It is, he said, "an investment for the future" (Economist.com)

This Act primarily affects publicly held companies, but parts of the act also affect privately held companies as well as outside accountants. Certain types of transactions are limited or prohibited and revised financial reporting is required. "It is now a felony with penalties of up to 10 years to willfully fail to maintain 'all audit or review work papers for at least 5 years.... It is also a felony with penalties of up to 20 years to destroy documents in a federal or bankruptcy investigation" (AICPA) CPA's need to be certain they are informed of these laws to be sure they are compliant.

Over all both of these newer legislations are to help protect us, financially and personally. They require, what may sometimes seem like a redundant amount of paperwork and obvious disclosure, but the over all affect, the security allotted is worth the effort and compliance.Sources:

AICPA How the Sarbanes-Oxley Act of 2002 Impacts the Accounting Profession AICPA Career Opportunities

www.aicpa.org/info/Sarbanes-Oxley2002.asp

Calloway, Sue Dill RN MSN JD. HIPAAdvisory, Record Retention Periods.

www.hipaadvisory.com/regs/recordretention.htm

Crowe, Dennis, How Will Electronic Data Be Affected By HIPAA? ASPG, Inc

Naples, FL November 13, 2000

www.megacryption.cc/hipaa.htm

Economist.com A price worth paying? May 19, 2005 The Economist print edition

www.economist.com/business/displayStory.cfm?story id=3984019

Gulbransen, David, HIPAA: What it is and Why You Should Care. Peachpit articles

August 6, 2004

www.peachpit.com/articles/article.asp?p=212184&seqNum=2&r1=1

Pauclulo, John W. Why Private Companies Should Be Mindful of Sarbanes-Oxley White and Williams LLP

www.whitewms.com/CM/Publications/Publications326.asp

Somerville, Leigh, Didn't think your firm would be affected by HIPAA? Better check again The Business Journal of the Greater Triad Area December 16, 2002

www.bizjournals.com/triad/stories/2002/12/16/focus1.html