Compliance Solutions

Each entry below lists the act, what it regulates, and the companies affected.

HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
What it regulates: This act is a two-part bill. Title I protects health coverage for people who are changing jobs or have been laid off. Title II is meant to simplify the healthcare process by shifting to electronic data, and it also protects the privacy of individual patients. Its scope was further expanded by the HITECH / Omnibus Rule.
Companies affected: Any organization that handles healthcare data. That includes, but is not limited to, doctor's offices, hospitals, insurance companies, business associates, and employers.

PCI-DSS (Payment Card Industry Data Security Standard)
What it regulates: A set of 12 regulations designed to reduce fraud and protect customer credit card information.
Companies affected: Companies handling credit card information.

GDPR (General Data Protection Act)
What it regulates: The data protection and privacy of citizens of the European Union.
Companies affected: Any company doing business in the European Union or handling the data of a citizen of the European Union.

AICPA SOC 2 (American Institute of Certified Public Accountants)
What it regulates: The security, availability, processing integrity, confidentiality, and privacy of systems that process user data.
Companies affected: Service organizations that process user data.

SOX (Sarbanes-Oxley Act)
What it regulates: This act requires companies to maintain financial records for up to seven years. It was enacted to prevent another Enron-style scandal.
Companies affected: U.S. public company boards, management, and public accounting firms.

COBIT (Control Objectives for Information and Related Technologies)
What it regulates: This framework was developed to help organizations manage information and technology governance by linking business and IT goals.
Companies affected: Organizations that are responsible for business processes related to technology and for quality control of information. This includes, but is not limited to, areas such as audit and assurance, compliance, IT operations, governance, and security and risk management.

GLBA (Gramm-Leach-Bliley Act)
What it regulates: This act allowed insurance companies, commercial banks, and investment banks to operate within the same company. On the security side, it mandates that companies secure the private information of clients and customers.
Companies affected: "Financial institutions", which the act defines as "...companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."

FISMA (Federal Information Security Modernization Act of 2014)
What it regulates: This act recognizes information security as a matter of national security and therefore mandates that all federal agencies develop a method of protecting their information systems.
Companies affected: All federal agencies fall within the scope of this act.

FedRAMP (Federal Risk and Authorization Management Program)
What it regulates: Cloud services across the federal government.
Companies affected: Executive departments and agencies.

FERPA (The Family Educational Rights and Privacy Act of 1974)
What it regulates: Section 3.1 of the act is concerned with protecting student educational records.
Companies affected: Any post-secondary institution, including, but not limited to, academies, colleges, seminaries, technical schools, and vocational schools.

ITAR (International Traffic in Arms Regulations)
What it regulates: Controls the sale of defense articles and defense services (those providing critical military or intelligence capability).
Companies affected: Anyone who produces or sells defense items and defense services.

COPPA (Children's Online Privacy Protection Rule)
What it regulates: The online collection of personal information about children under 13 years of age.
Companies affected: Any person or entity under U.S. jurisdiction.

NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
What it regulates: Improving the security of North America's power system.
Companies affected: All bulk power system owners and operators.