To combat the ever-increasing threat of data security breaches, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was created to require CPA firms to protect the information they collect from clients by implementing written information security plans. Such a plan details how the CPA firm is equipped to protect its clients’ personal information.
Recently, the IRS initiated the Protect Your Clients; Protect Yourself campaign to educate and inform tax professionals about their responsibilities for compliance. While the IRS has issued publications that include details and security recommendations as well as requirements, navigating, validating and documenting this information can be difficult.
As a cornerstone of HIPAA, the HIPAA Security Rule requires physicians to protect patients’ electronically stored protected health information (ePHI) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information. HIPAA defines administrative safeguards as “administrative actions, policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information.”
Behind every security compliance measure is a documentation requirement. Practically every facet of HIPAA compliance requires that policies and procedures be created and implemented. These documents must be retained for at least six years (and state requirements may mandate longer retention periods). Regulations require periodic review of policies and response to changes in the ePHI environment.
Without a detailed written information security plan, your business runs the risk of being non-compliant and subject to fines, loss of business and loss of reputation in the event of a breach. Suggested mitigation techniques and policies include: