Nationwide On-Site Hard Drive Shredding

Shred it and forget it...


Regulations

And we stay current on federal regulations, too!

Our process helps our customers remain compliant with the following regulations:

· HIPAA

· Sarbanes-Oxley Act

· Gramm-Leach-Bliley Act

· Bank Secrecy Act

· The Patriot Act

· Identity Theft and Assumption Deterrence Act

· International Safe Harbor Privacy Principles

· Title 21 CFR Part 11 – Code of Federal Regulations (FDA)

· PCI DSS

· FACTA

· Mass. 201 CMR

· NIST 800-88

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the U.S. Congress in 1996.

According to the Centers for Medicare and Medicaid Services website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

 
Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (Sarbox or SOX) is a United States federal law enacted in response to high-profile financial scandals, such as Enron and WorldCom, to protect shareholders and the general public from accounting errors and fraudulent practices.

It does not apply to privately held companies.

The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

 
Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

For more information, please visit the site that provided this definition:

http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

For details on how the Gramm-Leach-Bliley Act changed law to allow commercial banks, investment banks, securities firms, and insurance companies to consolidate, please visit:

http://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act

 
Bank Secrecy Act

The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, is legislation passed by the United States Congress in 1970 that requires U.S. financial institutions to collaborate with the U.S. government in cases of suspected money laundering and fraud.

The purpose of the BSA, aside from making money laundering more difficult to propagate, is to prevent banks from becoming unknowing intermediaries in illicit activity.

In order to help prevent money laundering, the BSA requires banks to report transactions involving more than $10,000 in cash from one customer as a result of a single transaction or two or more related transactions that occur within a 24-hour period.

For more information, please visit the site that provided this definition:

http://searchfinancialsecurity.techtarget.com/definition/Bank-Secrecy-Act-BSA

 
The Patriot Act

The USA PATRIOT Act (the Patriot Act) is an act of the U.S. Congress that was signed into law by President George W. Bush on October 26, 2001. The acronym stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.”

The Act dramatically reduced restrictions on law enforcement agencies' ability to search telephone and e-mail communications and medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts.

The act also expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the USA PATRIOT Act’s expanded law enforcement powers can be applied.

The act is currently set to expire on May 29, 2011, after a 90-day extension from February 28 granted by Congress.

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/USA_PATRIOT_Act

 
Identity Theft and Assumption Deterrence Act of 1998

The Identity Theft and Assumption Deterrence Act of 1998, which became effective October 30, 1998, makes identity theft a Federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000.

It establishes that the person whose identity was stolen is a true victim. Previously, only the credit grantors who suffered monetary losses were considered victims.

This legislation enables the Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat this crime.  It allows for the identity theft victim to seek restitution if there is a conviction.

It also establishes the Federal Trade Commission as a central agency to act as a clearinghouse for complaints (against credit reporting agencies and credit grantors), referrals, and resources for assistance for victims of identity theft.

For more information, please visit the site that provided this definition:

http://www.ckfraud.org/title_18.html

 

International Safe Harbor Privacy Principles

US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.

Intended for organizations within the EU [European Union] or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the seven principles outlined in the Directive.

The process was developed by the US Department of Commerce in consultation with the EU.

For more information, please visit:

http://en.wikipedia.org/wiki/Safe_Harbor_Principles

 
Title 21 CFR Part 11 – Code of Federal Regulations (FDA)

Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States.

Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable, and equivalent to paper records (Title 21 CFR Part 11 Section 11.1 (a)).

Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are (a) required to be maintained by the FDA predicate rules or (b) used to demonstrate compliance to a predicate rule.

The rule also applies to submissions made to the FDA in electronic format (e.g., a New Drug Application) but not to paper submissions by electronic methods (i.e., faxes).

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/Title_21_CFR_Part_11

 
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council.

The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually.

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

 
FACTA

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA) is a United States federal law, passed by the United States Congress on November 22, 2003 and signed by President George W. Bush on December 4, 2003, as an amendment to the Fair Credit Reporting Act.

The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian, and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, annualcreditreport.com, to provide free access to annual credit reports.

The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult.

Further, it requires secure disposal of consumer information.

For more information, please visit the site that provided this definition:

http://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act

 
Mass. 201 CMR 17

The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth [of Massachusetts].

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Further, it requires secure disposal of consumer information.

For more information, please visit the site that provided this definition:

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf


NIST 800-88

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include developing technical, physical, administrative, and management standards and guidelines for cost effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
