Differences between HIPAA and SOX

By · March 11, 2013 · Filed in General IT Related, Medical Related

Coming from an IT background in the medical field and dealing with HIPAA compliance issues, I was recently asked about my experience with Sarbanes-Oxley (SOX) regulations and how the two relate. I had never really put the two side by side, so I quickly did an analytical comparison. I started to think about the broad scope and spectrum of the two areas and wanted to share my thoughts with you on this.

In a nutshell, SOX defines which business records an organization or company must store, and it also dictates how long those records must be stored. HIPAA, however, breaks down who can view these stored documents and/or records and when the data must be destroyed.

In regards to SOX, an interesting comparison I found explains that “The SEC doesn’t care if you leak the information, you just can’t modify it.” In database administration it is therefore very important that data doesn’t get inserted, updated or deleted without somebody knowing about it, and that there is a paper trail or an audit trail (for example, an event log manager) to prove everything. On the other side of that coin, HIPAA is mostly concerned with the leaking of that data and the privacy that goes along with it. Both regulations require an IT department to lock down its database servers (and all areas of IT, for that matter) so that it is a secure environment with no points of rogue entry.
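As an added illustration of the SOX side of that coin (example code written for this page, not taken from the original post or any product), the constructed SQLite schema below uses triggers to write every insert, update and delete on a `records` table into an `audit_log`, and a second pair of triggers makes the log itself append-only so that the trail cannot be quietly rewritten; table and column names are assumptions for the demo.

```python
import sqlite3

# Constructed schema (not from the original post): a financial records table, an
# append-only audit_log, and triggers that record every INSERT/UPDATE/DELETE.
SCHEMA = """
CREATE TABLE records (id INTEGER PRIMARY KEY, account TEXT NOT NULL, amount REAL NOT NULL);
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT, action TEXT NOT NULL,
    record_id INTEGER NOT NULL, old_amount REAL, new_amount REAL,
    changed_at TEXT NOT NULL DEFAULT (datetime('now')));
CREATE TRIGGER audit_insert AFTER INSERT ON records BEGIN
    INSERT INTO audit_log(action, record_id, new_amount) VALUES ('INSERT', NEW.id, NEW.amount);
END;
CREATE TRIGGER audit_update AFTER UPDATE ON records BEGIN
    INSERT INTO audit_log(action, record_id, old_amount, new_amount)
    VALUES ('UPDATE', NEW.id, OLD.amount, NEW.amount);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON records BEGIN
    INSERT INTO audit_log(action, record_id, old_amount) VALUES ('DELETE', OLD.id, OLD.amount);
END;
-- The trail is only evidence if it cannot be rewritten: refuse UPDATE/DELETE on audit_log.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audited_db():
    """Create an in-memory database with the audited schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit_trail(conn, record_id):
    """(action, old_amount, new_amount) for every change to one record, oldest first."""
    sql = "SELECT action, old_amount, new_amount FROM audit_log WHERE record_id = ? ORDER BY seq"
    return conn.execute(sql, (record_id,)).fetchall()

def history_is_protected(conn):
    """True if the database refuses an attempt to erase the audit history."""
    try:
        conn.execute("DELETE FROM audit_log WHERE seq > 0")
        return False
    except sqlite3.DatabaseError:
        return True

def demo():
    """Apply a typical insert/update/delete sequence to one record; return the connection."""
    conn = open_audited_db()
    conn.execute("INSERT INTO records (id, account, amount) VALUES (1, 'ACCT-1001', 250.0)")
    conn.execute("UPDATE records SET amount = 275.0 WHERE id = 1")
    conn.execute("DELETE FROM records WHERE id = 1")
    return conn
```

A production deployment would also record the database user or application identity making each change and ship the log off the host, since a DBA with schema rights can still drop the triggers.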

In the past I have used a couple of software tools that will actually dig deep into Oracle or SQL databases (in addition to your servers / Active Directory), audit the settings, policies and procedures that would put you at risk of a bad situation, and report deficiencies so that one can act on them. I also find it important, if you work in one of these highly regulated environments, that it is in your best interest to perform these internal audits every couple of months to make sure you stay on top of your “A” game. Sharing these results and recommendations with your shareholders and getting their input greatly puts their minds at ease and assures them that you are doing your job.

An additional and yet very important area that one needs to concentrate on is “change management” and the systems, policies and procedures that need to be in place to make this a reliable and secure part of your business operation. Secondly, if you live in a disaster-prone area, you need to focus on disaster recovery planning, as you need to make sure your required stored documents are safe and secure no matter what event interrupts your workflow. All of this would be encompassed by your risk management plan and would be an area that needs constant monitoring. Make sure all the stakeholders are aware of the risks involved with not having a proper system in place, and don’t be afraid to report on any deficiencies that you might find.

This is a very large topic and obviously I have only given you a 30,000-foot view. For those of you who are making a transition between industries where these two regulations apply, hopefully this will give you a quick idea of the items you need to start paying attention to and the areas of concentration to prepare for your next audit.
