Here’s a list of current legislation affecting your company’s records:
FACTA intended primarily to help consumers fight identity theft. Accuracy; privacy; limits on information sharing; and new consumer rights to disclosure are included in FACTA. Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means.
For more information visit Fair Credit Reporting Act or Information on the FACTA Disposal Rule.
The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate.
The Gramm-Leach-Bliley Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule applies to information of any consumers past or present of the financial institution’s products or services.) This plan must include:
For more information visit The Gramm-Leach Bliley Act.
The HITECH Act covers regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. This Act was passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). For more information visit Understanding HIPAA for Covered Entities.
HIPAA is designed to protect patient health information. The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information for whatever period such information is maintained by a covered entity, including through disposal.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. Changes in HIPAA made in 2009 require more extensive policies and procedures than was previously the case.
Information is available concerning HIPAA Compliance at Understanding HIPAA for Covered Entities.
This legislation is an amendment to the Civil Rights Act of 1964 passed as a result of the U.S. Supreme Court’s decision in Ledbetter vs. Goodyear Tire & Rubber Co. This Act restarts the 180-day statute of limitations for complaints to Equal Employment Opportunity Commission (EEOC) alleging pay discrimination each time a new “discriminatory” paycheck is issued. Retroactively effective to May 28, 2007, the Act holds that discriminatory pay decisions reoccur each time wages, benefits, or other compensation are paid. Therefore the 180-day time period (300 days if charges are also covered by state or local anti-discrimination laws) for employees to file EEOC charges against their employers is restarted each time employees are paid.
For the complete Act visit The Lilly Ledbetter Fair Pay Act.
PCI is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
To find out more about PCI compliance visit the PCI Security Standards Council
The FTC Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. “The Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts.” To be in compliance, affected businesses and organizations must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.
You can find complete details here: Are you complying with the Red Flags Rule? or watch the FTC video.
The primary effect of this legislation is to eliminate the “I didn’t know” defense for management. Because Sarbanes Oxley mandates management’s periodic duty to accurately report the state of the entity, accurate records must be kept to document management’s understanding of that state.
Compliance is required for audits and reviews completed on or after October 31, 2003.
Accounting firms must retain for seven years certain records relevant to their audits and reviews of issuers’ financial statements. Records to be retained include an accounting firm’s workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.
For more information, go to Final Rule: Sarbanes-Oxley Act of 2002.
This Act has been adopted by all but three states (New York, Illinois, Washington). The states that have not adopted the UETA have their own laws relating to the legal status of electronic records.
You can see a copy of the complete Act here.
Contact us for a detailed business records retention scheduled customized for your records.
