Sarbanes-Oxley Act (SOX)

On July 30, 2002, President Bush signed the Sarbanes-Oxley Act into law. The most dramatic change to federal securities laws since the 1930s, SOX radically redesigned federal regulation of public company corporate governance and reporting obligations. It also significantly tightened accountability standards for directors and officers, auditors, securities analysts and legal counsel.

SOX applies to publicly held companies and their audit firms. It dramatically affects the accounting profession, reaching not only the accounting firms but also CPAs working as auditors of, or for, a publicly traded company. Provisions of SOX set out criminal and civil penalties for noncompliance, require certification of internal controls and auditing, and increase financial disclosure.

Section 404 requires that every annual financial report include an Internal Control Report (ICR) stating that management is responsible for an "adequate" internal control structure, together with management's assessment of the effectiveness of that structure. Any shortcomings in these controls must also be disclosed in the ICR and reported to the SEC.

Section 802, as implemented by SEC Regulation S-X, Rule 2-06, mandates the retention of records relevant to financial audits and reviews, and requires that this documentation be centrally controlled and tested so that management has visibility into any document retention weaknesses. All audit materials must be retained for a minimum of seven years.

Gramm-Leach-Bliley Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" (GLB), includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two rules apply to "financial institutions," which include not only banks, securities firms and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, and an array of other activities.

Health Insurance Portability and Accountability Act (HIPAA)

Enacted into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) gave rise to regulations governing the handling of medically sensitive information. The Privacy Rule became effective on April 14, 2003, while the Security Rule compliance deadline was April 21, 2005.

HIPAA affects any organization that creates, receives, maintains or transmits healthcare information, including hospitals, health maintenance organizations and healthcare insurers. HIPAA requires that Protected Health Information (PHI) be kept secure for at least six years, or two years after a patient's death. This includes patient medical records, billing records, authorization forms from physicians and all communications between physicians.
Under the act, Business Records Management is considered a "Business Associate." Be assured that we have taken every precaution and followed every guideline to ensure strict adherence to these mandates at all levels of our organization.

HIPAA noncompliance can have devastating consequences. Organizations are exposed to severe fines and penalties, as well as litigation and negative publicity. Noncompliance can result in the following:

• Civil fines of up to $25,000 per year for violations of the same requirement
• Criminal penalties of up to $250,000 and up to ten years in prison

HIPAA compliance involves not only direct medical providers (doctors, hospitals, dentists, etc.) but also any firm paid through billing of medical insurance, Medicare or state medical programs. This can include medical billing firms, ambulance and medical taxi services, and medical supply companies serving patients.

SEC Regulation S-P

The Securities and Exchange Commission (SEC) adopted Regulation S-P on June 22, 2000 to protect the privacy of consumer financial information. Under this regulation, financial institutions must provide their customers with notice of their privacy policies and practices. These organizations are prohibited from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution has given the consumer notice and an opportunity to opt out of the disclosure, and the consumer has not opted out.

SEC Regulation S-P is intended to protect consumers against unauthorized access to information contained in their consumer reports, and to guard against identity theft and fraud. Institutions subject to the rule (brokers, dealers, investment companies and SEC-registered investment advisers) must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.