To the letter of the law

By Cara Garretson, Network World
September 01, 2003 12:09 AM ET
Health Insurance Portability and Accountability Act (HIPAA)
Passed: August 1996
Purpose: To improve the portability of health insurance while maintaining the privacy and security of patient information.
Types of companies affected: Medical providers, insurance companies, claims clearinghouses, employers that self-insure workers' health benefits.

Gist: The law's "administrative simplification" section enforces a privacy rule, a security rule, transaction and code-set standards, and identifier standards. These regulations specify what patient information must be kept private, how companies must secure that information, and the standards for electronic communication between medical providers and insurance companies. The deadline for implementing privacy controls was April 15; the security rule deadline is April 21, 2005; transaction and code-set standards are due Oct. 15; and identifier standards are due July 30, 2004.

Effects on IT departments: Unlike some other laws, HIPAA lists very specific technology standards and policies that must be implemented to comply.

Opinion: "The scrambling you've heard about is [to comply with HIPAA's] privacy, but the heavy activity in IT departments will be around transactions and code sets." - Dr. Peter Kongstvedt, vice president of Cap Gemini Ernst & Young's managed care practice.

Estimated spending to comply: Research firm Frost & Sullivan estimates that companies spent $270 million in 2002 to comply with HIPAA.

Gramm-Leach-Bliley Act
Passed: November 1999
Purpose: To protect the information financial institutions collect about customers.
Types of companies affected: Mainly financial institutions, but also any company that collects name, Social Security number and bank account number from customers or employees.

Gist: On May 23 the act's Safeguards Rule came into effect, forcing financial institutions to design, implement and maintain safeguards to protect customer information.

Effects on IT departments: All companies that collect financial information must take security measures, such as maintaining firewalls, installing and updating virus protection, and scheduling routine security audits, as well as develop and implement privacy policies.

Opinion: "Most IT departments are aware that they must protect customer information, but they aren't specifically aware that there are federal regulations enforcing this." - Michael Scheidell, CEO of Secnap Network Security.

Estimated spending to comply: If a company is already spending the recommended 5% to 8% of its IT budget on security, additional costs will be minimal. Security audits typically cost $10,000 to $20,000.

Sarbanes-Oxley Act
Passed: August 2002
Purpose: To restore investor confidence in the financial reporting of public companies and hold a company's officers personally responsible for misrepresentation.
Types of companies affected: Any public company. Experts recommend that private companies hoping to go public or to be acquired by a public company also abide by the rules.

Gist: Section 302 came into effect on Jan. 1, mandating quarterly reporting on how a company derived its quarterly financial report, including the controls and procedures used. Section 404 will kick in June 14, 2004, requiring public companies to have their reports on controls and procedures audited by a third party.