Speaker Topics: HIPAA & Sarbanes-Oxley
Created by: Dr. Jack Becker

Topic Summary: Compliance Standards
• Health Insurance Portability & Accountability Act (HIPAA) of 1996
• Sarbanes-Oxley [SOX] Act 2002
Copyright © John Wiley & Sons, Inc. Slide 9 - 2

Health Insurance Portability & Accountability Act (HIPAA) of 1996
• Objectives of Legislation
  1. Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
  2. Reduce healthcare fraud and abuse
  3. Enforce standards for health information
  4. Guarantee security and privacy of health information

Other HIPAA Compliance Rules
Not finalized until 2001:
• Standards for Privacy of Individually Identifiable Health Information
• National Provider Identifier
• Employer Identifier
• Security & Electronic Signatures

Implications for IT Directors
• Systems impacted
• Integration with other departments – HR, Accounting, Payroll
• Costs
• Effective date of implementations

Sarbanes-Oxley [SOX] Act 2002
• Enacted in response to a number of major US corporate and accounting scandals – Enron, WorldCom
• SEC sought to impose greater rigor in the process that companies follow to produce financial reports
• SOX applies to all US and non-US companies listed in US S
• SOX establishes criminal liability for corporate wrongdoing

SOX Outcomes
• Public Company Accounting Oversight Board (PCAOB) created [2003]
  – Oversees activities of internal auditors in public companies
  – Issues auditing standards
• IT Control Objectives for Sarbanes-Oxley [COSO]
  – Identifies nine (9) specific controls for IT departments
• COBIT: Control Objective for Information and related Technology

SOX Implications for IT Departments
• Increase their knowledge of internal controls, especially as applicable to IT controls
• Understand what compliance with SOX means to their organizations
• Develop a compliance plan for IT controls
• Integrate the IT plan into the overall SOX compliance plan

IT Governance Institute's IT COSOs
• Nine (9) control objectives:
  1. Plan & Scope
  2. Perform Risk Assessment
  3. Identify Significant Accounts/Controls
  4. Document Control Design
  5. Evaluate Control Design
  6. Evaluate Operational Effectiveness
  7. Determine Material Weakness
  8. Document Results
  9. Build Sustainability

COSO Overview of Process (diagram slide; the process figure is not recoverable from the extracted text)

COSO Framework … then Standards: COBIT
• COBIT: Control Objective for Information and related Technology
  – Identifies 34 IT control processes that can be mapped into the more general COSO framework
  – Allows users to create a “roadmap” for SOX compliance

IT Control Objectives (samples)
• Plan & Organize
  – Is a strategic plan for IT in place?
  – Does the IT staff understand and accept their responsibilities regarding controls?
• Acquire & Implement
  – Is there a process in place to manage changes to systems functionality?
• Deliver & Support
  – Does IT management have a physical & logical security plan to prevent unauthorized access?
• Monitor & Evaluate
  – Does IT management monitor its delivery of services?

Questions
• How does SOX impact IT?
• Which systems?
• Costs?
• Examples of non-compliance?
• What is the current state of implementation?

Sources
• ISRC Sarbanes-Oxley Seminar, 2/16/2005
  – Dr. Paul Kendall, Accenture
  – Rick Link, Horn Murdock Cole
• HIPPA/HIPAA
  – HEP-C Alert; http://www.hep-calert.org/links/hippa.html
  – HIPAA Solutions, Enterprise Group, Inc.; http://www.hipaaplus.com/abouthippa.htm