Sarbanes-Oxley (SOX) Act of 2002 & HIPAA

What Every IT Person Should Know About SOX and HIPAA

Both the Sarbanes-Oxley (SOX) Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996/2003 require that your IT department put controls in place to comply with these regulations. These regulations sparked renewed interest in best practices like COBIT and ITIL, which have been addressing control issues for years.


SOX requires CEOs and CFOs to certify and provide quarterly and annual reports to the Securities and Exchange Commission. Management must accept responsibility for the effectiveness of its internal controls, evaluate the effectiveness using suitable control criteria and support this evaluation with sufficient evidence. In addition, auditors are required to verity and attest to these controls.

Since the accuracy and timeliness of financial reporting depends on a well-planned and well-controlled IT environment, IT organizations must not only provide various forms of control documentation (in the form of manuals, flowcharts, memoranda, etc.), but also documentation about the effectiveness of those controls. This white paper provides insight into passing your SOX audits.


The final Security Rule on HIPAA Security Standards was enacted in 2003. It complements the Privacy Rule and lays out three types of security safeguards required for compliance:

  • Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act
  • Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
  • Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing protected health information (PHI) transmitted electronically over open networks from being intercepted by anyone other than the intended recipient

Request a copy of this free white paper to distribute to members of your IT department.


See to access white paper.