Regulatory Compliance

About WGA | Capabilities | Contact Us | Terms of Use

©2000-2012, WGA Consulting, LLC. All Rights Reserved

The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted 2002-07-30), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. Named after sponsors Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."[1] The legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. It does not apply to privately held companies. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Debate continues over the perceived benefits and costs of SOX. Supporters contend that the legislation was necessary and has played a useful role in restoring public confidence in the nation's capital markets by, among other things, strengthening corporate accounting controls. Opponents of the bill claim that it has reduced America's international competitive edge against foreign financial service providers, claiming that SOX has introduced an overly complex and regulatory environment into U.S. financial markets.[2] The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below. 1) Public Company Accounting Oversight Board (PCAOB) Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX. 2) Auditor Independence Title II consists of nine sections, establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation policy, conflict of interest issues and auditor reporting requirements. Section 201 of this title restricts auditing companies from doing other kinds of business apart from auditing with the same clients. 3) Corporate Responsibility Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 implies that the company board (Chief Executive Officer, Chief Financial Officer) should certify and approve the integrity of their company financial reports quarterly in order to establish accountability. 4) Enhanced Financial Disclosures Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports. 5) Analyst Conflicts of Interest Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest. 6) Commission Resources and Authority Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, adviser or dealer. 7) Studies and Reports Title VII consists of five sections and are concerned with conducting research for enforcing actions against violations by the SEC registrants (companies) and auditors. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions. 8) Corporate and Criminal Fraud Accountability Title VIII consists of seven sections and it also referred to as the “Corporate and Criminal Fraud Act of 2002”. It describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers. 9) White Collar Crime Penalty Enhancement Title IX consists of two sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense. 10) Corporate Tax Returns Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return. 11) Corporate Fraud Accountability Title XI consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.

A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000-2002. The spectacular, highly-publicized frauds at Enron (see Enron scandal), WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002.[3] In a 2004 interview, Senator Paul Sarbanes stated: “ The Senate Banking Committee undertook a series of hearings on the problems in the markets that had led to a loss of hundreds and hundreds of billions, indeed trillions of dollars in market value. The hearings set out to lay the foundation for legislation. We scheduled 10 hearings over a six-week period, during which we brought in some of the best people in the country to testify...The hearings produced remarkable consensus on the nature of the problems: inadequate oversight of accountants, lack of auditor independence, weak corporate governance procedures, stock analysts' conflict of interests, inadequate disclosure provisions, and grossly inadequate funding of the Securities and Exchange Commission.[4] ” Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial "watchdogs" for investors, were self-regulated. They also performed significant non-audit or consulting work for the companies they audited. Many of these consulting agreements were far more lucrative than the auditing engagement. This presented at least the appearance of a conflict of interest. For example, challenging the company's accounting approach might damage a client relationship, conceivably placing a significant consulting arrangement at risk, damaging the auditing firm's bottom line. Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on the behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management. Securities analysts' conflicts of interest: The roles of securities analysts, who make buy and sell recommendations on company stocks and bonds, and investment bankers, who help provide companies loans or handle mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor conflict, issuing a buy or sell recommendation on a stock while providing lucrative investment banking services creates at least the appearance of a conflict of interest. Inadequate funding of the SEC: The SEC budget has steadily increased to nearly double the pre-SOX level.[5]In the interview cited above, Sarbanes indicated that enforcement and rule-making are more effective post-SOX. Banking practices: Lending to a firm sends signals to investors regarding the firm's risk. In the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Others interpreted the willingness of banks to lend money to the company as an indication of its health and integrity, and were led to invest in Enron as a result. These investors were hurt as well. Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks, while quietly selling them. The losses sustained also helped create a general anger among investors. Executive compensation: Stock option and bonus practices, combined with volatility in stock prices for even small earnings "misses," resulted in pressures to manage earnings.[6] Stock options were not treated as compensation expense by companies, encouraging this form of compensation. With a large stock-based bonus at risk, managers were pressured to meet their targets. [edit] Timeline and passage of SoX The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President George W. Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673. Senator Sarbanes’s bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $3.8 billion during the past five quarters (15 months), primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97-0 less than three weeks later on July 15, 2002. The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes's bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.) The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." [7] [edit] Analyzing the cost-benefits of Sarbanes-Oxley A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[8] Conclusions from several of these studies and related criticism are summarized below: FEI Survey: Finance Executives International (FEI) provides an annual survey on SOX Section 404 costs. For 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million, down 23% from 2005. Cost for decentralized companies (i.e., those with multiple segments or large divisions) were more than twice those of centralized companies. Auditor costs did not decline. When asked whether the benefits of compliance with Section 404 have exceeded their costs, 22 percent, on average, agreed, with 78 percent saying instead that the costs have exceeded the benefits. 34 percent agreed that compliance with Section 404 has helped prevent or detect fraud.[9] Butler/Ribstein: Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.[10] Institute of Internal Auditors (IIA): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.[11] Skaife/Collins/Kinney/Lefond: This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).[12] Zhang: This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative "events." This number is based on the assumption that SOX was the cause of related short-duration market value changes.[13] However, the S&P 500 index, a broad measure of U.S. stock value, increased 6% the day the law passed in Congress on July 24, 2002, and 1% the day after it was signed into law by President Bush on July 30. It then declined 7% in three trading days thereafter, regaining pre-signature levels by August 8.[14] Measuring short-term fluctuations in market value is an acknowledged drawback in this study. One could have easily argued a $1.4 trillion benefit, using the 7% increase leading up to the day after signature, rather than the following 3-day decline. Iliev: This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced -- rightly or wrongly -- stock valuations of small firms.[15] Lower earnings often cause the share price to decrease. The Lord & Benoit Report: Do the Benefits Exceed the Cost? It included a population of nearly 2,500 companies, which represented ALL of the calendar year accelerated filers. Lord & Benoit, a SOX consulting firm, showed that companies with no material weaknesses in their internal controls, or companies who were able to identify and correct material weaknesses in a timely manner, experienced much greater increases in share prices than companies that did not.[16] [17], The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs. Lord & Benoit, a SOX compliance company, issued the report on May 8, 2006. It was also published by the Wall Street Journal. [edit] The effect of SOX on non-US companies Some have asserted that Sarbanes-Oxley legislation has helped displace business from New York to London, where the Financial Services Authority regulates the financial sector with a lighter touch. In the UK, the non-statutory Combined Code of Corporate Governance plays a somewhat similar role to SOX. However, a greater amount of resources are dedicated to enforcement of securities laws in the UK than in the US—see Howell E. Jackson & Mark J. Roe, “Public Enforcement of Securities Laws: Preliminary Evidence,” (Working Paper January 16, 2007). The Alternative Investment Market claims that its spectacular growth in listings almost entirely coincided with the Sarbanes Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a U.S. senator, expressed their concern.[18] The Sarbanes-Oxley Act's effect on Non-US companies cross-listed in the US is different on firms from developed and well regulated countries than on firms from less developed countries according to Kate Litvak.[19] Companies from badly regulated countries benefit from better credit ratings by complying to regulations in a highly regulated country (USA) that is higher than the cost, but companies from developed countries only incur the cost, since transparency is adequate in their home countries as well. On the other hand, the benefit of better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange. [edit] Implementation of Key Provisions [edit] SOX Section 302: Internal control certifications Under Sarbanes-Oxley, two separate certification sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision). Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id.. Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5,2003), available at http://www.sec.gov/rules/final/33-8238.htm.) External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007. [edit] SOX Section 404: Assessment of internal control The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort. Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” To do this, managers are generally adopting an internal control framework such as that described in COSO. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. In late 2006 a new audit standard was proposed by the PCAOB to help alleviate the significant costs of compliance and better focus the assessment on the most critical risk areas. On July 25, 2007, the Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 [20] (AS5), which superseded Auditing Standard No 2. (AS2), and has the following key requirements for the external auditor: Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks; Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise; Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework; Perform a fraud risk assessment; Evaluate controls designed to prevent or detect fraud, including management override of controls; Evaluate controls over the period-end financial reporting process; Scale the assessment based on the size and complexity of the company; Rely on management's work based on factors such as competency, objectivity, and risk; The auditor is allowed to rely on knowledge from prior audits; Evaluate controls over the safeguarding of assets; and Conclude on the adequacy of internal control over financial reporting. The SEC guidance [21] released June 27, 2007 is generally consistent with the PCAOB's guidance above, only intended for management. After the release of this guidance, the SEC required smaller public companies to comply with SOX Section 404, companies with year ends after December 15, 2007. Smaller public companies performing their first management assessment under Sarbanes-Oxley Section 404 may find their first year of compliance after December 15, 2007 particularly challenging. [edit] SOX 404 and smaller public companies The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent .06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.[22] This disparity is a focal point of 2007 SEC and U.S. Senate action.[23] The PCAOB intends to issue further guidance to help companies scale their assessment based on company size and complexity during 2007. The SEC issued their guidance to management in June, 2007.[3] After the SEC and PCAOB issued their guidance, the SEC required smaller public companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to document a Management Assessment of their Internal Controls over Financial Reporting (ICFR). Outside auditors of non-accelerated filers however opine or test internal controls under PCAOB (Public Company Accounting Oversight Board) Auditing Standards for years ending after December 15, 2008. Another extension was granted by the SEC for the outside auditor assessment until years ending after December 15, 2011. The reason for the timing disparity was to address the House Committee on Small Business concern that the cost of complying with Section 404 of the Sarbanes-Oxley Act of 2002 was still unknown and could therefore be disproportionately high for smaller publicly held companies.[24] [edit] SOX 404 and information technology The financial reporting processes of many companies depend to some extent on IT systems. Therefore, Information technology controls that specifically address financial risks may be within the scope of a SOX 404 assessment. Chief information officers are typically responsible for the IT organization and IT personnel may be directly involved in SOX compliance efforts. The SOX 404 guidance requires the usage of an internal control framework, such as the COSO framework. The IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" is also used by many companies as a framework supporting IT SOX 404 efforts. However, there are certain aspects of COBIT that are outside the boundaries of Sarbanes-Oxley regulation. IT application controls (i.e., transaction processing controls) that address specific material misstatement risks are a critical part of the SOX 404 assessment. However, the extent of SOX testing to perform related to IT General Controls (ITGC) has been a topic of contention.[25] By its nature, ITGC has an indirect effect on financial statements. The 2007 SEC guidance states: "...management only needs to evaluate those ITGC that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks." ITGC efforts will likely be carefully scrutinized in light of the new guidance, which encourages focus on the most critical financial risks. [edit] SOX Section 802 Criminal Penalties for Violation of SOX Section 802(a) of the SOX, 18 U.S.C. § 1519 states: “ Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. ” [edit] SOX Section 1107 Criminal Penalties for Retaliation Against Whistleblowers Section 1107 of the SOX 18 U.S.C. § 1513(e) states:[26] “ Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offence, shall be fined under this title, imprisoned not more than 10 years, or both.  Reference Wiki

Title I: Health Care Access, Portability, and Renewability Title I of HIPAA regulates the availability and breadth of group and individual health insurance plans. It amends both the Employee Retirement Income Security Act and the Public Health Service Act. Title I also limits restrictions that a group health plan can place on benefits for preexisting conditions. Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment.[1] However, individuals may reduce this exclusion period if they had health insurance prior to enrolling in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had “creditable coverage” prior to enrolling in the plan and after any “significant breaks” in coverage.[2] “Creditable coverage” is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid.[3] A “significant break” in coverage is defined as any 63 days period without any creditable coverage.[4] Some health care plans are exempted from Title I requirements, such as long-term health plans, and limited-scope plans such as dental or vision plans that are offered separately from the general health plan. However, if such benefits are part of the general health plan, then HIPAA still applies to such benefits. For example, if the new plan offers dental benefits, then it must count creditable continuous coverage under the old health plan towards any of its exclusion periods for dental benefits. However, an alternate method of calculating creditable continuous coverage is available to the health plan under Title I. That is, 5 categories of health coverage can be considered separately, including dental and vision coverage. Anything not under those 5 categories must use the general calculation (e.g., the beneficiary may be counted with 18 months of general coverage, but only 6 months of dental coverage, because the beneficiary did not have a general health plan that covered dental until 6 months prior to the application date). Unfortunately, since limited-coverage plans are exempt from HIPAA requirements, the odd case exists in which the applicant to a general group health plan cannot obtain certificates of creditable continuous coverage for independent limited-scope plans such as dental to apply towards exclusion periods of the new plan that does include those coverages. Hidden exclusion periods are not valid under Title I (e.g., "The accident, to be covered, must have occurred while the beneficiary was covered under this exact same health insurance contract." Such clauses must not be acted upon by the health plan and also must be re-written so that they comply with HIPAA. To illustrate, suppose someone enrolls in a group health plan on January 1, 2006. This person had previously been insured from January 1, 2004 until February 1, 2005 and from August 1, 2005 until December 31, 2005. To determine how much coverage can be credited against the exclusion period in the new plan, start at the enrollment date and count backwards until you reach a significant break in coverage. So, the five months of coverage between August 1, 2005 and December 31, 2005 clearly counts against the exclusion period. But the period without insurance between February 1, 2005 and August 1, 2005 is greater than 63 days. Thus, this is a significant break in coverage, and any coverage prior to it cannot be deducted from the exclusion period. So, this person could deduct five months from his or her exclusion period, reducing the exclusion period to seven months. Hence, Title I requires that any preexisting condition begin to be covered on August 1, 2006. [edit] Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system.[5][6][7] However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information. These rules apply to “covered entities” as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.[8][9] Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. [edit] The Privacy Rule The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans." It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.[10] This is interpreted rather broadly and includes any part of a patient’s medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request.[11] They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[12] A covered entity may disclose PHI to facilitate treatment, payment, or health care operations[13] or if the covered entity has obtained authorization from the individual.[14] However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.[15] The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.[16] It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.[17] For example, an individual can ask to be called at his or her work number, instead of home or cell phone number. The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.[18] They must appoint a Privacy Official and a contact person[19] responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.[20] An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).[21][22] However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints."Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved."[23] [edit] The Transactions and Code Sets Rule The HIPAA/EDI provision was scheduled to take effect from October 16, 2003 with a one-year extension for certain "small plans;" however, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of October 16, 2004, full implementation was not achieved and CMS began an open-ended "contingency period." Penalties for non-compliance were not levied; however, all parties are expected to make a "good-faith effort" to come into compliance. CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically will have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet certain criteria. Key EDI transactions used for HIPAA compliance are: EDI Health Care Claim Transaction set (837) is used to submit health care claim billing information, encounter information, or both, except for retail pharmacy claims (see EDI Retail Pharmacy Claim Transaction). It can be sent from providers of health care services to payers, either directly or via intermediary billers and claims clearinghouses. It can also be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the rendering, billing, and/or payment of health care services within a specific health care/insurance industry segment. For example, a state mental health agency may mandate all healthcare claims, Providers and health plans who trade professional (medical) health care claims electronically must use the 837 Health Care Claim: Professional standard to send in claims. As there are many different business applications for the Health Care claim, there can be slight derivations to cover off claims involving unique claims such as for Institutions, Professionals, Chiropractors, and Dentists etc. EDI Retail Pharmacy Claim Transaction (NCPDP Telecommunications Standard version 5.1) is used to submit retail pharmacy claims to payers by health care professionals who dispense medications, either directly or via intermediary billers and claims clearinghouses. It can also be used to transmit claims for retail pharmacy services and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the rendering, billing, and/or payment of retail pharmacy services within the pharmacy health care/insurance industry segment. EDI Health Care Claim Payment/Advice Transaction Set (835) can be used to make a payment, send an Explanation of Benefits (EOB) remittance advice, or make a payment and send an EOB remittance advice only from a health insurer to a health care provider either directly or via a financial institution. EDI Benefit Enrollment and Maintenance Set (834) can be used by employers, unions, government agencies, associations or insurance agencies to enroll members to a payer. The payer is a healthcare organization that pays claims, administers insurance or benefit or product. Examples of payers include an insurance company, health care professional (HMO), preferred provider organization (PPO), government agency (Medicaid, Medicare etc.) on any organization that may be contracted by one of these former groups. EDI Payroll Deducted and other group Premium Payment for Insurance Products (820) this transaction set can be used to make a premium payment for insurance products. It can be used to order a financial institution to make a payment to a payee. EDI Health Care Eligibility/Benefit Inquiry (270) is used to inquire about the health care benefits and eligibility associated with a subscriber or dependent EDI Health Care Eligibility/Benefit Response (271) is used to respond to a request inquire about the health care benefits and eligibility associated with a subscriber or dependent EDI Health Care Claim Status Request (276) this transaction set can be used by a provider, recipient of health care products or services or their authorized agent to request the status of a health care claim. EDI Health Care Claim Status Notification (277) This transaction set can be used by a health care payer or authorized agent to notify a provider, recipient or authorized agent regarding the status of a health care claim or encounter, or to request additional information from the provider regarding a health care claim or encounter. This transaction set is not intended to replace the Health Care Claim Payment/Advice Transaction Set (835) and therefore, is not used for account payment posting. The notification is at a summary or service line detail level. The notification may be solicited or unsolicited. EDI Health Care Service Review Information (278) This transaction set can be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis or treatment data for the purpose of request for review, certification, notification or reporting the outcome of a health care services review. EDI Functional Acknowledgement Transaction Set (997) this transaction set can be used to define the control structures for a set of acknowledgments to indicate the results of the syntactical analysis of the electronically encoded documents. Although it is not specifically named in the HIPAA Legislation or Final Rule, it is necessary for X12 transaction set processing. The encoded documents are the transaction sets, which are grouped in functional groups, used in defining transactions for business data interchange. This standard does not cover the semantic meaning of the information encoded in the transaction sets. [edit] The Security Rule The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for “small plans.” The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows: Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls. Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function. The procedures must address access authorization, establishment, modification, and termination. Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions. Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place. A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures. Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based. Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations. Physical Safeguards - controlling physical access to protect against inappropriate access to protected data Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.) Access to equipment containing health information should be carefully controlled and monitored. Access to hardware and software must be limited to properly authorized individuals. Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts. Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public. If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities. Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional. Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity. Covered entities must also authenticate entities it communicates with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems. Covered entities must make documentation of their HIPAA practices available to the government to determine compliance. In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing. Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.) [edit] The Unique Identifiers Rule (National Provider Identifier) HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans, must use only the NPI to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008. Effective from May 2006 (May 2007 for small health plans), all covered entities using electronic communications (e.g., physicians, hospitals, health insurance companies, and so forth) must use a single new National Provider Identifier (NPI). The NPI replaces all other identifiers used by health plans, Medicare (i.e., the UPIN), Medicaid, and other government programs. The NPI does not replace a provider's DEA number however or a provider's state license number or tax identification number. The NPI is 10 digits (may be alphanumeric), the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing cancer center or rehab facility. [edit] The Enforcement Rule On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations, however its deterrent effects seems to be negligible with few prosecutions for violations. [1] [edit] Effect on research and clinical care The enactment of the Privacy and Security Rules has caused major changes in the way physicians and medical centers operate. While respect for patient privacy was already informally considered a cornerstone of medical professionalism, the complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers. An August 2006 article in the journal Annals of Internal Medicine detailed some such concerns over the implementation and effects of HIPAA.[24] [edit] Effects on research HIPAA restrictions on researchers have affected their ability to perform retrospective, chart-based research as well as their ability to prospectively evaluate patients by contacting them for follow-up. A study from the University of Michigan demonstrated that implementation of the HIPAA Privacy rule resulted in a drop from 96% to 34% in the proportion of follow-up surveys completed by study patients being followed after a heart attack.[25] Another study, detailing the effects of HIPAA on recruitment for a study on cancer prevention, demonstrated that HIPAA-mandated changes led to a 73% decrease in patient accrual, a tripling of time spent recruiting patients, and a tripling of mean recruitment costs.[26] In addition, informed consent forms for research studies now are required to include extensive detail on how the participant's protected health information will be kept private. While such information is important, the addition of a lengthy, legalistic section on privacy may make these already complex documents even less user-friendly for patients who are asked to read and sign them. These data suggest that the HIPAA privacy rule, as currently implemented, may be having negative impacts on the cost and quality of medical research. Dr. Kim Eagle, professor of internal medicine at the University of Michigan, was quoted in the Annals article as saying, "Privacy is important, but research is also important for improving care. We hope that we will figure this out and do it right."[24] [edit] Effects on clinical care The complexity of HIPAA, combined with potentially stiff penalties for violators, can lead physicians and medical centers to withhold information from those who may have a right to it. A review of the implementation of the HIPAA Privacy Rule by the U.S. Government Accountability Office found that health care providers were "uncertain about their [legal] privacy responsibilities and often responded with an overly guarded approach to disclosing information...than necessary to ensure compliance with the Privacy rule."[24] This uncertainty continues, as evidenced by a New York Times article in July 2007. <“Keeping Patients’ Details Private, Even From Kin,” New York Times, July 3, 2007.> [edit] Costs of Implementation In the period immediately prior to the enactment of the HIPAA Privacy and Security Acts, medical centers and medical practices were charged with getting "into compliance." With an early emphasis on the potentially severe penalties associated with violation, many practices and centers turned to private, for-profit "HIPAA consultants" who were intimately familiar with the details of the legislation and offered their services to ensure that physicians and medical centers were fully "in compliance." In addition to the costs of developing and revamping systems and practices, the increase in paperwork and staff time necessary to meet the legal requirements of HIPAA may impact the finances of medical centers and practices at a time when insurance company and Medicare reimbursement is also declining. [edit] HIPAA and Federal Confidentiality Requirements for Drug and Alcohol Rehabilitation Organizations Special considerations for confidentiality are needed for health care organizations that offer federally-funded drug or alcohol rehabilitation services. Predating HIPAA by over a quarter century are the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970[27] and language amended by the Drug Abuse Office and Treatment Act of 1972.[28] . Reference WIKI

[edit] Changing uses of the SAS 70 Over the last few years, the use of the SAS 70 audit has migrated to be used in non-traditional ways. Service organizations providing services to companies in the financial services industry are being required to have a SAS 70 review conducted to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations which provide services to healthcare companies are asked by their clients to have a SAS 70 audit conducted to ensure a third party has examined the controls over the processing of healthcare information due to its sensitivity. Some companies utilize the SAS 70 audit to have third party validation of their proposal or marketing material despite the more appropriate application of the Trust Principles in a Systrust or WebTrust audit and seal. [edit] Users of SAS 70 audit reports Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization’s customers can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit. Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not authorized users of the reports, but still use the report as third party independent verification that controls are in place and are operating effectively. Every Service Auditor’s report contains an auditor’s opinion letter. The opinion letter is required to contain a paragraph that defines the authorized user of the report. Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph states: “This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.” On rare occasions, it may be necessary to change this paragraph to limit its use to a specific third party, which may or may not be a user organization. It is never appropriate to modify this statement to include as authorized users of the report the financial statement auditors of the service organization. There are other methods that should be applied for the financial statement auditors to obtain the type of information included in the SAS 70 report about their client, which may include the sharing of workpapers between the financial statement auditors and SAS 70 auditors. [edit] Audit frequency Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the type 1 audit as a primer and tend to move on to a type 2 audit for the purposes of subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a type 2 audit have made this a very common practice. Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo multiple type 2 audits during any 12 month period. There is no technical guidance that states, or even recommends, a type 2 audit frequency requirement. It is generally expected that the frequency will be no less than once per year. The SAS 70 audit guide recommends, but does not require, that type 2 examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year. SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making their own decisions regarding the type of audit they undergo, the timing of the audit, and the review period of the audit in the case of a type 2 audit. User organizations will desire a type 2 audit report that has an examination period with as many months as possible falling within their own fiscal year and an examination period end date that is within three months of their fiscal year end. Most service organizations have many user organizations and often can not satisfy all of their clients if they only perform one audit per year, regardless of the length of their review period. For example, a company could have a 12 month type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render the report useless and audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs. [edit] Type I and Type II SAS 70 audit differences Type 1 SAS 70 audits opine on controls that are in place as of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties. Type 2 SAS 70 audits opine on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time. [edit] SAS 70 and Sarbanes-Oxley Act With the introduction of the Sarbanes-Oxley Act (SOX), SAS 70 took on increased importance. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have used since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to assure a service organization's controls. Security "certifications" are excluded as acceptable substitutes for a Type II SAS 70 audit report. Audit Standard 2, available on the PCAOB's (www.pcaobus.org) website, details how a SAS 70 audit should be used in relation to SOX. [edit] Section 5970 report In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.