Oct 22, 2013

Not an MD? You May Still Be Subject To HIPAA
Last Year’s Audit Won’t Help With This Year’s Rule Changes
The Most Important Recent Change: HITECH
The Alphabet Soup Of Regulation Risk
How Can You Be Sure You’re Complying With Everything You Must Comply With?
How Capsicum Can Help
Who Is Directly and Indirectly Affected?

Between 2009 and 2011, something really shocking happened: there was an almost 50% rise in blind spot car accidents.

No similar statistics exist for regulatory blind spots. But if there were, the rise would probably be far more dramatic.

Regulatory blind spots are bigger than ever, and they’re widening in unexpected ways. It’s easier than ever for a company to run into regulatory trouble, even when everyone involved sincerely believes they are following the rules of the road.

Why? It’s all about data. Today, data is the lifeblood of all industries and flows with few restrictions through corporate activities. “Data Governance” – the regulations, rules, and technologies that govern your data – has become a critical core competence for all companies. Where your data goes, who can view it, and how it is protected have become critically important issues. Companies cannot afford to leave this entirely in the hands of IT. It’s a C-level responsibility, and legal must stay involved.

There is a serious cost for making mistakes here – as Ameriprise Financial Services and its affiliated clearing firm, American Enterprise Investment Services, learned earlier this year. The Financial Industry Regulatory Authority (FINRA) fined them $750,000 for failing to have reasonable supervisory systems in place to monitor wire transfer requests and the transmittal of customer funds to third-party accounts.

In business, we’re accustomed to focusing on the regulations that impact our industries; all successful companies do a good job of complying with those.

But, if you remember only one thing from this email, remember this:

Today, it’s not about the industry you are in.

It’s about the industries your clients are in.

Not an MD? You May Still Be Subject To HIPAA

Since HIPAA is about health care, it's fairly obvious that Health Plans, Health Care Providers, and Health Care Clearinghouses must comply with the rules. But are you aware that it can equally apply to companies that HIPAA defines as Business Associates? If you are a data storage company, an accounting firm, a law firm, a temporary employment agency, or even a mobile app developer that does business with a health care provider, you may be just as accountable for HIPAA compliance as your client is. What’s more, you become accountable with the stroke of a pen. As you sign the contract with your new health care client, you can be sure that somewhere buried in a sub-paragraph -- on page 3 or page 32 or page 320 -- you are warranting that you are responsible for complying with all HIPAA regulations.

This has more significance than many executives realize. To put it in clear dollars-and-cents terms, if you win a half-million dollar contract but suffer a security breach, you are at risk of losing far more than you gained. Since 2011, nine out of ten settlements publicly announced by HHS (US Department of Health and Human Services) have involved a security breach. Six have resulted in settlements exceeding $1 million, and the average settlement has exceeded $800,000. (SOURCE: Mondaq.com)

Last Year’s Audit Won’t Help With This Year’s Rule Changes

Even if you’ve been rigorous about compliance issues, don’t forget that these rules change. For example, the latest round of changes to HIPAA patient data privacy rules has a major impact on cloud services. Prior to the rule change, if a cloud service managing patient data suffered a breach, the government would penalize the healthcare organization that outsourced the data management, but not the cloud service provider. Under the new rules, the service provider is also subject to penalties.

The new rules also mean that no matter what your business is, as a Business Associate your subcontractors who receive PHI are now considered Business Associates as well – you are responsible for oversight to ensure that those subcontractors are HIPAA compliant.

The Most Important Recent Change: HITECH

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) offers healthcare providers financial incentives for embracing and using electronic health records (EHR). The incentives are a short-term carrot: after 2015 the government will switch to a stick, with penalties for not getting on-board.

In brief, HITECH means that if you work with any company subject to HIPAA you’ll be dealing with much more data. More important, HITECH significantly expands HIPAA Privacy and Security Rules, with hefty penalties for violations. Remember that these changes apply to Business Associates, too.

Your company can be sued by the State Attorney General, face a class-action lawsuit, or be fined by the HHS for data breaches or other missteps. Companies must take these risks seriously, because there are mandatory penalties of $250,000 to $1,500,000 for what is termed “willful neglect”.

You may not have thought you’re in the healthcare business or the patient privacy data protection business, but if you have customers in the healthcare business you are subject to the same rules. A small investment to audit your company’s HIPAA and HITECH readiness – including a rigorous examination of policies, procedures, and training – could save you a great deal of disruption and financial loss in the future.

The Alphabet Soup Of Regulation Risk

HIPAA and HITECH are just two of many examples of regulation risk that may lurk where your company does not expect it. Details for FISMA, PCI, Safe Harbor, GLB, and SOX follow.

FISMA

If your company works with any U.S. Government agency, you are responsible for complying with FISMA (The Federal Information Security Management Act), which requires federal agencies to develop, document, and implement security programs designed to protect their data and information systems, whether managed in-house or by a third party. In fact, if you have a contract of any kind – even if you’re a college receiving federally funded loans or a solar energy company that receives grants – you also must comply. The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.

PCI

Whether you’re running a roadside sandwich stand on Route 66, selling online from a tiny antiques store in New Orleans, or are a large manufacturer whose call center sometimes takes credit card information over the phone, your company is subject to PCI -- The Payment Card Industry Data Security Standard.

Compliance can be complex, and according to PCI Standards Council General Manager Bob Russo, your liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs.

Safe Harbor

Nearly all businesses store customer data, and are responsible for preventing accidental information disclosure or loss. Large companies that do business in Europe need to comply with the EU Directive 95/46/EC on the protection of personal data.

US companies can opt into the Safe Harbor program as long as they adhere to the 7 principles outlined in the Directive.

  • Notice - Individuals must be informed that their data is being collected and about how it will be used.
  • Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of enforcing these rules.

After opting in, an organization must re-certify every 12 months. It can either perform a self-assessment to verify that it complies with these principles, or hire a third-party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.

GLB

The Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, enabled commercial banks, investment banks, securities firms, and insurance companies to consolidate.

As part of the act, companies must comply with The Financial Privacy Rule, which governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies, appraisers, and mortgage brokers – that receive customer information from other financial institutions.

Sarbanes Oxley (aka “SOX”)

The Sarbanes–Oxley Act impacts all public company boards, management, and public accounting firms. Top management must individually certify the accuracy of financial data, with stiff penalties for fraud.

Section 404 deals with information security, and requires companies to put in place controls to protect data from all threats (internal and external, including online).

If you do business with a publicly-traded company, you may or may not be subject to SOX as well. In some cases, SSAE16/ISAE3402 may apply to you although the remainder of the SOX act does not. An SSAE16/ISAE3402 audit may be requested to ensure that an independent firm has examined your company’s data control and information security processes and procedures.

How Can You Be Sure You’re Complying With Everything You Must Comply With?

    1. Understand what each regulation is, and who it directly and indirectly affects.
    2. Look at your customer list carefully: you may be subject to new regulations based on new customer wins.
    3. Examine all new contracts carefully to understand what new compliance the company will have agreed to, and ensure that the team working on these projects is aware of what must be done.
    4. Raise management’s awareness of the issue, at the highest levels.
    5. Make regulatory awareness part of employee training and onboarding.
    6. Conduct spot audits.

  • At the start of each new project, ask which regulations must be considered.
  • At the start of each new project, also ask what subcontractors will be involved, and whether they are aware of their compliance duties.


How Capsicum Can Help

Strong compliance is the result of strong processes. Capsicum’s processes for data security and compliance governance are the result of many years of experience and a deep understanding of all of the rules – old and new.

Capsicum can help you conduct yearly, quarterly and spot audits for compliance with HIPAA, HITECH, SOX, FISMA, GLB, PCI and Safe Harbor.

We can also help you establish better data policies and best practices that will help your company be fully ready to take on heavily regulated customers. Many of these will not consider you without knowing that you are certified. You may find the cost of certification is small when compared against the new business you can win.

If you haven’t conducted an audit recently, contact Capsicum today.

Who Is Directly And Indirectly Affected?

SOX
Directly affects: US public company boards, management and public accounting firms
Indirectly affects: Many data management companies

HIPAA
Directly affects: Healthcare providers, benefits management
Indirectly affects: Contractors and companies that view, handle or store healthcare data

HITECH
Directly affects: Healthcare providers, benefits management
Indirectly affects: Contractors and companies that view, handle or store healthcare data

FISMA
Directly affects: Federal agencies
Indirectly affects: Contractors and companies that view, handle or store sensitive data

PCI
Directly affects: Retailers, credit card companies, anyone handling credit card information
Indirectly affects: Contractors and companies that view, handle or store sensitive data

Safe Harbor
Directly affects: U.S. companies doing business in Europe
Indirectly affects: Contractors and companies that serve these international companies

GLB
Directly affects: Financial institutions
Indirectly affects: Contractors and companies that serve these international companies

Capsicum Group, LLC is a consulting company dedicated to helping organizations achieve success with complex legal, regulatory and technology projects. We provide comprehensive support in the areas of: computer forensics and investigations, paper and ediscovery, media recovery and restoration, security and regulatory compliance services and technology crime.


Contact Capsicum today!