s, you could just hang up a shingle and call yourself a business. As long as you didn't shoot anyone, you were pretty much left alone. Not so any more. A glut of federal and state regulations has come into being, many just over the past few years, and many apply to small businesses. These regulations are meant to accomplish any one of several social goods, such as protecting an individual's privacy and preventing identity theft, preventing corporate financial scandals, or lastly, or so it would seem, just to annoy small businesspeople by increasing their paperwork burden. Fortunately, if you understand these regulations, complying doesn't have to be too difficult or expensive.

If you have a publicly-held company, you'll have to comply with the Sarbanes-Oxley Act, which sets technological standards and reporting requirements for how companies handle their financial reporting. Passed in response to the recent wave of corporate scandals, fiscal mismanagement and outright theft, Sarbanes-Oxley puts in place a set of requirements for establishing internal controls that ensure the integrity of a company's financial data. Although the requirements are generally the same for companies of all sizes, smaller companies have been granted some flexibility in terms of longer timeframes to become compliant. This Act calls for, among other things, security-related solutions to be put into place to regulate access to financial data, provide an audit trail, and generate detailed reports for the government. The good news is, if you already follow best practices in security, you're already more than halfway there.

If you are in the healthcare industry, whether you are a healthcare provider, pharmacy, or a data processing agency serving the healthcare industry, you'll have to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA calls for any company that handles private patient data to guarantee that it is secure and protected against unauthorized access. If your company handles healthcare information of any sort, for any reason, you will have to take technological steps to ensure that it is secure through measures such as encryption, strong two-factor authentication, and adequate firewalling.

And if you're in California, or if any of your customers are in California, you'll have to comply with SB 1386 (the California Information Practice Act). This law requires that your company provide notice to customers whenever any technological hack or other attack has occurred and caused personal information to be exposed and vulnerable to theft. Meant to safeguard against identity theft, this state law also applies to any subcontractors of companies that maintain information about California residents. This particular law is ground-breaking, since although it is on paper just a California law, it has, in reality, become a federal law. California is the largest state, population-wise, in the U.S., and any mid-size company and many smaller ones have at least a few customers in California, regardless of where the company is actually located. If, for example, your company is in Maine, but your mail order division sold some products to someone in California, you must comply. Compliance simply means that if your network is attacked, you must notify your customers. Although this can be done individually, most companies actually make notification on their Web sites, or through issuing a public press release.