Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996)
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 was enacted in the wake of several major corporate and accounting scandals. Its provisions affect email retention, integrity and oversight. Sarbanes-Oxley applies to all publicly traded companies and the CPAs and attorneys associated with these companies.
Section 802 provides for a fine of up to $1,000,000 or a prison sentence of up to 20 years for any person who destroys, alters, mutilates or conceals any electronic document in an official investigation. Sarbanes-Oxley specifies minimum retention periods for all accounting records, work papers, communications, file attachments, and documents, whether transmitted via email, instant messaging or other message modes.
- Section 302 requires CFOs and CEOs to personally certify and be accountable for their firms' record retention policies and financial reports.
- Section 404 requires auditors to certify the underlying controls and processes that are used to compile the financial results of a company. Email is a critical component in being able to achieve this certification.
- Sections 103(a) and 801(a) require companies to maintain all documents, including electronic documents, that form the basis of an audit or review for seven years.
Financial Industry Regulatory Authority, Inc. (FINRA)
The Securities and Exchange Commission (SEC) originally enacted the Securities Exchange Act in 1934 as a means of protecting investors from fraudulent or misleading claims by securities dealers.
The Act required member firms to create and maintain transaction records which could be reviewed and audited. In 1997, Rule 17a-4 under the Act was amended to provide procedures for the storage of electronic records, including emails. This rule has since been interpreted to include instant messages as well.
FINRA (formerly the NASD, the National Association of Securities Dealers) applies similar rules to its member firms through NASD Rule 3010.
The provisions of SEC Rule 17a-4 and NASD Rule 3010 apply to all individuals and organizations involved in trading securities. This includes securities firms, stock brokerage firms, banks and any financial institutions that fall under SEC or NASD jurisdiction. They require securities dealers to implement specific, enforceable retention procedures, which include the following:
- Archived messages must be stored in duplicate. One copy must be stored in an online archive, and a second copy must be stored offline on permanent, tamperproof media, such as Write-Once-Read-Many (WORM) technology.
- Storage media must be verified automatically for quality and accuracy.
CAN-SPAM Act
The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.
Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be costly. But following the law isn’t complicated. Here’s a rundown of CAN-SPAM’s main requirements:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
Exclusive Consulting, Inc. All Rights Reserved.