Federal, State and Other Professional Regulations 

    CPAs engaged to perform privacy advisory services and attestation engagements must follow the pertinent laws, rules, and standards. This resource section provides an overview of developments in information privacy in the United States. It reviews the Safe Harbor Agreement with the European Union, the Privacy Act of 1974, the Electronic Freedom of Information Act of 1996, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. It also includes various State regulations and the Internal Revenue Code.

    Fair and Accurate Credit Transactions Act of 2003

    The Fair and Accurate Credit Transactions Act of 2003, which amends the Fair Credit Reporting Act, provides consumers with protections regarding credit reports and other centralized databases of consumer information. The changes give consumers better ways to improve the accuracy of their credit reports, help prevent identity theft, entitle consumers to a free credit report every year, and restrict the marketing of financial products that results from the sharing of sensitive information.

    Visit the Fair and Accurate Credit Transactions Act of 2003 page for additional information.

    Health Insurance Portability and Accountability Act (HIPAA)

    The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996. Covered organizations had to comply with the HIPAA Privacy Rule by April 14, 2003 (April 14, 2004 for small health plans). The law requires covered entities to meet privacy standards with respect to individually identifiable health information. The Privacy Rule (45 CFR 164.530(c)) states that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." These safeguards must address both intentional and unintentional disclosures of protected health information. HIPAA applies to three kinds of covered entity: a health plan, defined as an individual or group health plan that provides, or pays the cost of, medical care; a health care provider, defined as a provider of medical or health services and any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business; and a health care clearinghouse, a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

    CPA Firms: Are you providing accounting services to health care providers?
    The HITECH Act makes business associates, which can include a CPA firm that receives protected health information while serving a covered entity, directly responsible for using or disclosing that information only as permitted by their business associate agreement with the covered entity.

    Internal Revenue Code

    IRC Section 7216 prohibits anyone involved in the preparation of tax returns from knowingly or recklessly disclosing or using tax return information for any purpose other than the preparation of such returns. Anyone who violates this provision may be subject to a fine or imprisonment. The regulations under Section 7216 provide an exception for tax return preparers who disclose taxpayer information to a third party for the purpose of having that third party process the return. Nevertheless, members should make third-party providers to which they have supplied protected client information aware of this requirement. Note that there is no requirement in Section 7216 or its regulations for a member to inform the client that a third-party provider is being used. In addition, IRC Section 7525 gives a client a privilege similar to the attorney-client privilege for certain tax-related communications with, among others, CPAs. Care must be taken to ensure that a third-party provider does nothing that adversely affects a client's rights under this provision.

    Visit the Internal Revenue Code page for additional information.

    Children's Online Privacy Protection Act (COPPA)

    The Children's Online Privacy Protection Act (COPPA) became effective April 21, 2000. Web sites that are directed to children under 13 (that is, 12 and under), or that knowingly collect personal information from this group, must post a notice of their information collection practices that includes: the types of personal information they collect from children, for example name, e-mail address, and hobbies; how the site will use the information, for example to market or to notify contest winners; whether the personal information is forwarded to advertisers or other third parties; and a contact at the site. Learn more about COPPA by visiting the sites below.

    FTC—How To Comply With COPPA
    The Federal Trade Commission staff prepared this guide to help you comply with the new requirements for protecting children's privacy online and understand the FTC's enforcement authority.

    Children's Privacy and Safety on the Internet: A Resource Guide for Parents
    The guide provides resources for parents to maximize the benefits of cyberspace for children and minimize the dangers.

    EPIC's COPPA Web site
    This website by the Electronic Privacy Information Center (EPIC) is devoted to kids' privacy issues and the Children's Online Privacy Protection Act (COPPA) of 1998.

    Safe Harbor Agreement

    The European Commission's Directive on Data Protection took effect in October 1998 and prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union (EU) share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires the creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. Because of these differing approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.

    To bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. The safe harbor, approved by the EU in 2000, is an important way for U.S. companies to avoid interruptions in their business dealings with the EU and to avoid prosecution by European authorities under European privacy laws. Self-certifying to the safe harbor assures EU organizations that your company provides "adequate" privacy protection as defined by the Directive.

    U.S. Department of Commerce Safe Harbor
    This Web site provides the information an organization should need to evaluate, and then join, the safe harbor.

    Safe Harbor Documents
    The documents listed and published on this Web site constitute the "safe harbor" privacy framework that the Department of Commerce has negotiated with the European Commission.

    Copyright © 2006-2014 American Institute of CPAs.