CSO Regulatory Compliance Calendar

Staring down the barrel of multiple regulatory deadlines? This calendar view will help you keep the dates straight.

April 2004
HIPAA Privacy Standards, small health plans (4/14)
Who’s affected: Healthcare organizations
Brief: Passed in 1996, HIPAA (the Health Insurance Portability and Accountability Act) increases customer data privacy requirements for healthcare companies, including relevant insurance companies and pharmacies.
Full text: www.hhs.gov/ocr/hipaa
Administered or enforced by: The HHS Office for Civil Rights (OCR) will enforce the HIPAA privacy standards. The Centers for Medicare & Medicaid Services (CMS) will be responsible for enforcing the transaction and code set standards that are part of the administrative simplification provisions of HIPAA.

Past due HIPAA deadlines
April 2003: Electronic Health Care Transactions and Code Sets requirements in effect.

Upcoming HIPAA deadlines
July 2004: Employer Identifier Standard, all covered entities except small health plans
April 2005: Security Standards, all covered entities except small health plans
August 2005: Employer Identifier Standard, small health plans
April 2006: Security Standards, small health plans
May 2007: National Provider Identifier, all covered entities except small health plans
May 2008: National Provider Identifier, small health plans

May 2004
Sarbanes-Oxley
Who’s affected: Publicly traded companies
Brief: In response to high-profile financial scandals, this law is intended to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.
Full text: news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
Administered or enforced by: U.S. Securities and Exchange Commission (www.sec.gov)

Sarbanes-Oxley deadlines
November 2004: Additional disclosures for accelerated filers, generally U.S. companies with an equity market capitalization greater than $75 million that file at least one annual report with the SEC.
July 2005: Additional disclosures for non-accelerated filers, beginning with fiscal years ending on or after July 15, 2005.

June 2004
Sarbanes-Oxley, additional disclosures

July 2004
HIPAA, Employer Identifier Standard, all covered entities except small health plans

April 2005
HIPAA, Security Standards, all covered entities except small health plans

August 2005
HIPAA, Employer Identifier Standard, small health plans

Past Due
FISMA (Federal Information Security Act)
Requires federal agencies to apply risk management techniques to make their computer information systems more secure. The agency director must report to Congress no later than March 1 of each year on agency compliance.

California Privacy Law SB 1386
This law requires companies with California customers to notify those people of computer security breaches that may result in the theft of personal information about them. If third-party vendors hold customer data, they are also responsible for compliance.