Business Compliance Tips

Certificate of Good Standing

Confirm your business is in “Good Standing”. Periodically checking and ensuring your business is in good standing is important. This is a document issued by the state that says you are cleared to run your business. Essentially, it’s a document that shares the compliance status of a business.

It’s smart to have this certificate on hand; it will save you time, since lenders and other states may require it if you want to do business with them. You may also incur various fees if you do not have it.

A Certificate of Good Standing, also called a “Certificate of Existence” or “Certificate of Authorization,” “Certificate of Fact” (name may vary by state) is a state-issued document that shows that your corporation or limited liability company (LLC) has met its statutory requirements and is authorized to do business in that state. Think of it as a kind of ‘snapshot’ of your business’s compliance status.

Among other things, a Certificate of Good Standing confirms that your business:

  • Is up-to-date on its state fee payments
  • Has filed an annual report
  • Has paid its franchise taxes

There’s a good chance you’ll need to secure a Certificate of Good Standing from time to time during the life of your business. Many companies request a Certificate of Good Standing occasionally for their own records. A Certificate of Good Standing may also be required by:

  • State governments, if you’re applying for foreign qualification there
  • Lenders, when you’re trying to obtain financing
  • Banks, for certain transactions
  • Potential business partners or investors

You may need to present your Certificate of Good Standing in order to renew specific licenses or permits, and a Certificate of Good Standing is also important evidence when it comes time to sell your business. In addition, if you are looking to register to do business in additional states, those states may ask for a copy of your Certificate of Good Standing.

Be Aware of the Constantly Changing Laws

Business Compliance Tip #2
 
Be Aware of the Constantly Changing Laws
 
It’s vital to have all procedures and processes in place, but that doesn’t mean you’re in the clear. If you’re operating a small business, you’ll need to stay in compliance with federal and state laws to remain up and running. This can seem like a Herculean task, especially if you’re new to leadership or the world of small business.
Knowing and understanding the sheer number of laws can overwhelm even the most seasoned of entrepreneurs—and when those laws are constantly changing, it’s even more challenging. So how can you stay on top of ever-changing regulations and keep your company in compliance?
  1. Gain access to a reliable, trusted Legal Firm and meet with them regularly
  2. Conduct an annual review with your CPA
  3. Stay Informed as the business owner; there are tons of reasons we may give for falling behind, but if you want to see success, you will not make excuses. It is our responsibility to keep up with every new update and make sure to apply it to what we’re doing.
  4. Refer to your city and state websites periodically for new announcements;
  5. Sign up for updates – Sign up for updates on the law-creating entity or enforcement websites to ensure your information comes directly from the source.
  6. Automate where possible – Small businesses may not have the know-how or the resources to stay up to date with changing laws. Look to automation and experts.
  7. Adopt a regulatory Change Management Process – This is required to implement and enforce compliance within the organization. The program ensures that all instructions are complied with and that breaches of the rules can be identified quickly. The objective of this process is to implement and maintain a transparent, unmistakable and clearly understandable culture of compliance.
  8. Keep an Open Mind– These days, there is no one way of doing things, and everything should remain fluid. Adjust and pivot accordingly while staying true to the essence of your business and your core.

Source: Forbes Business Council

Maintaining Records

Business Compliance Tip #3
 
Maintaining Records
One overlooked method of compliance is record keeping. There’s nothing too interesting about having a good filing system.
Throughout my career, I have stressed the point to my staff, “If it is not written down it did not happen”.
Business records prove business transactions and activities. Growing a successful business requires organization on all levels, including your business records.
Use these tips to keep your blood pressure down when record keeping.
  1. Implement a document management system– All business transactions should be documented, whether on paper or electronically. As your business grows, so does the pile of paper and files your business needs to store.
  2. Check for record retention mandates– Record-keeping isn’t just about putting a smile on your tax preparer’s face. It’s also to comply with document retention mandates.
IRS and Department of Labor (DOL) record retention mandates vary between two and six years, depending on the document. Regardless, maintain all business records for at least seven years.
Some business records, like a nonprofit’s tax-exempt certificates or a business tax id, never become irrelevant, so always keep them close at hand.
IRS record retention rules apply to records that helped you calculate or justify business income, tax deductions, or tax credits. The Department of Labor (DOL) requires that you keep any documents that help you do payroll.
The IRS can audit your business’s financial records up to seven years in the past and even further back when you don’t file a tax return or are suspected of fraud. Most CPAs tell you to keep all business documents for at least seven years after they’re no longer relevant.
The most common business records include:
  • Employee names, addresses, and contact information
  • Employee timesheets
  • Employee pay stubs
  • All tax forms submitted to the IRS
  • Bank statements
  • Insurance documents
  • Contracts, including loans and mortgages
  • Purchase receipts
  • Customer invoices
  • Tax returns
  • Financial statements
  • Depreciation schedules
  • Business registration documents
  • Board of Directors meeting minutes
  • Legal files
  • Emails
States can further specify document retention rules, so check your state treasury department’s website for more detailed information.
  3. Back up and secure your records– We live in a time where data breaches and natural disasters are rampant. Take time to back up and secure your records to avoid catastrophe.
Records stored on paper or on a hard drive should be backed up to at least one other location. Digitize all documents to preserve information that could be lost, stolen, or destroyed.
Storing records on cloud-based software lowers the risk of losing them, but it raises the risk of theft. Your business records include sensitive information, like employee Social Security numbers (SSNs).
When storing business records online, secure your account with a unique and strong password, and enable two-factor authentication.
Frequently Asked Questions
  4. Should I save [insert document name here]?– If you ever doubt whether a business record is worth keeping, save it. Ask a tax professional or attorney when you’re unsure if a record is important.
The IRS usually audits less than 1% of individual and corporate returns submitted, so don’t live in fear of an IRS audit. But if your business is chosen, they’ll require proof for all income, deductions, and credits you report on your taxes.
Without the proper documentation, you may face an increased tax liability and a negligence penalty equal to 20% of your underpayment.
  5. Lost, stolen or destroyed records?– When records are lost or stolen, your first reaction should be to inform anyone whose sensitive information may be at risk. For example, if payroll records have gone missing, inform your employees that their SSN might have been exposed.
If your records are unrecoverable, you should do your best to reconstruct all records that justify business tax deductions. Contact your vendors and financial institutions, who should have copies of your business documents.
If the IRS audits your company, you’re still responsible for proving business expenses claimed on your taxes.
  6. Why get rid of anything?– It may seem logical to keep records for as long as you have the storage, but you may delete records that haven’t been relevant to your business for more than seven years.
By downsizing your pile of records, you’re making it easier to search for and review documents you actually need. Consult a legal professional before erasing swaths of business documents.

Create a Safe Online Experience with an SSL Certificate

Business Compliance Tip #4
 
Create a Safe Online Experience with a Secure Sockets Layer (SSL) Certificate
 
Starting a small business is a dream that many have, yet very few get to experience. It’s no secret that it’s a difficult journey, with a low long-term success rate. One of the most challenging aspects of running a small business is operating in a compliant manner.
If you run a small business, you should have a website. And if you have a website there is absolutely no reason that you shouldn’t be using an SSL certificate. A lot of small business owners think they don’t need a secure website if they aren’t selling goods or services online and accepting payments. This is a common misconception because all of the data—even customer names and email addresses—need to be protected.
When you install an SSL certificate on your server, it ensures that any data transferred between users and your website, or between two systems, is encrypted so that it cannot be read by anyone intercepting it in transit. This data includes potentially sensitive information such as names, addresses, credit card numbers, or other financial details. It’s low-cost insurance to make sure all data remains safe and secure.
When a website is secured by an SSL certificate, the acronym HTTPS (which stands for HyperText Transfer Protocol Secure) appears in the URL. Without an SSL certificate, only the letters HTTP – i.e., without the S for Secure – will appear. A padlock icon will also display in the URL address bar. This signals trust and provides reassurance to those visiting the website.
An SSL certificate helps to secure information such as:
  • Login credentials
  • Credit card transactions or bank account information
  • Personally identifiable information — such as full name, address, date of birth, or telephone number
  • Legal documents and contracts
  • Medical records
  • Proprietary information
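The checks below are an added example, not part of the original tip. "SSL certificate" is the common name for the certificate a web server presents in the TLS handshake (TLS is the successor to SSL), and the two things a site owner should verify regularly are that the certificate is actually issued for the site's hostname and that it has not expired, because a browser shows the padlock only when both hold. The script verifies those two properties on a dictionary shaped like the one Python's `ssl.SSLSocket.getpeercert()` returns; the `SAMPLE_CERT` values, the hostname `shop.example.test` and the `min_days` threshold are constructed for the example. `fetch_cert` performs a real connection with Python's default verifying context and is only used when the script is run from the command line.

```python
import socket
import ssl
import sys
import time
from urllib.parse import urlparse

# Constructed sample in the same shape as ssl.SSLSocket.getpeercert() returns.
# It is not a real certificate; the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2100 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}


def uses_https(url):
    """True when the URL scheme is https (the 'S' the tip refers to)."""
    return urlparse(url).scheme.lower() == "https"


def gmt_to_epoch(text):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' form used in getpeercert() to epoch seconds."""
    return ssl.cert_time_to_seconds(text)


def hostname_matches(cert, hostname):
    """Check the hostname against the certificate's DNS subjectAltName entries.

    A wildcard such as *.example.test matches exactly one label, which is how
    browsers treat it; it does not match a.b.example.test.
    """
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative means the certificate has expired."""
    now = time.time() if now is None else now
    return (gmt_to_epoch(cert["notAfter"]) - now) / 86400.0


def audit_cert(cert, hostname, now=None, min_days=14):
    """Return a list of findings; an empty list means the certificate passes both checks."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("hostname mismatch: certificate is not issued for %s" % hostname)
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate expired %.0f days ago" % -days)
    elif days < min_days:
        findings.append("certificate expires in %.0f days; renew it" % days)
    return findings


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the live certificate. The default context verifies the chain against
    the system CA store and the hostname, so an invalid site raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_site.py https://your-site.example
    url = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example.test"
    if not uses_https(url):
        print("site is served over plain HTTP; install a certificate and redirect to HTTPS")
        sys.exit(1)
    host = urlparse(url).hostname
    cert = fetch_cert(host)
    print(audit_cert(cert, host) or ["certificate OK for %s" % host])
```

The expiry threshold (`min_days`) is the point of the check: a certificate that is valid today but lapses next week will still drop the padlock for every visitor on that day, so the audit should run on a schedule rather than once at installation.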

Ensure you have the Proper Documentation

 

Business Compliance Tip #5
 
Ensure you have proper documentation
 
Business Tip #3 discussed maintaining records. This tip will discuss what some of those records should be. Documentation in a small business, or any business, is the most important thing. A lot of small businesses fail because they do not keep good documentation and records.
When it comes to pitching, litigation, or funding the proper documentation will be pivotal in proving your business operates as a business.

 

  1. Charter Document
    1. LLC – Certificate of Formation aka Articles of Organization
    2. Corporation- Articles of Incorporation

Issued by your respective state when you file and your business is approved as an LLC or corporation.

 

  2. Internal Operating agreement (LLC) or your company’s bylaws (corp)

Operating Agreement

  1. All members of an LLC enter into a contract when they create an operating agreement.
  2. It governs the company’s internal affairs.
  3. Members usually have a great deal of flexibility in how they manage the LLC.
  4. It can be simple or complex, depending on what the members want. It acts as a framework for the business and can set forth initial member contributions and other core operations.

A typical operating agreement may contain the following information:

  • Each member’s ownership percentage
  • Members’ obligations and rights
  • Voting power
  • Distribution of profits
  • Allocation of losses
  • Management details
  • Management responsibilities
  • Members’ financial obligations

Most states don’t require an LLC to file an operating agreement with a state agency, but it still has to conform to state laws.

An operating agreement is mandatory as per laws in only 5 states: California, Delaware, Maine, Missouri, and New York. 

It’s recommended that owners — or members — create an operating agreement because it helps prevent management misunderstandings and adds to the company’s limited liability protection.

Even a single-member LLC should have an operating agreement. This ensures the company is treated as an LLC and not a sole proprietorship in the eyes of the law. It acts as a declaration of the structure you have chosen for the company and is sometimes used in court to prove that the LLC is separate from the individual owner, so the owner has documentation showing that he or she is indeed separate from the entity itself.

It is needed when applying for certifications and some government programs.

 

Bylaws

  1. Bylaws are similar to an operating agreement in that they determine how the corporation’s board of directors will govern the business.
  2. Depending on how many shareholders the corporation anticipates having and the complexity of the business, bylaws may be simple and straightforward or very complex.
    1. Fundamental rules outline operating procedures for everyone from employees and executives to the shareholders.

Typical bylaws include the following information:

  • Name and contact information of the corporation
  • The procedures for director meetings
  • The procedures for shareholder meetings
  • The number of officers and directors in the corporation
  • The types of shares the corporation issues
  • The procedures for keeping corporate records
  • The procedures for making changes to the bylaws

Although bylaws and operating agreements are internal, you should make them as detailed as possible. This helps prevent conflicts in the future since all rules and regulations are clearly outlined.

 

  3. Minutes of Meetings
    1. One thing you must have in your business is meetings: you have to hold an initial meeting after your business is formed and should hold annual meetings thereafter.
    2. There should be minutes captured for each of those meetings and kept on record
    3. It captures inputs like date, time, name of attendees, absentees, the agenda of the meeting, further issues, list of tasks to be performed, next meeting schedule, decisions, and suggestions.
    4. If you are in a partnership or have several business partners, every meeting should be captured in meeting minutes.
    5. Even if the meeting is recorded, someone in your business needs to be responsible for transcribing the meeting into minutes.
    6. Meeting minutes are needed when filing for certifications and contracting programs.

 

  4. Business Plan
    1. It will clarify what your business is, the roadmap you have mapped out to get you to where you want to be. It includes your ideas and strategies in a framework that is easily presented.
    2. It is needed if you choose to seek funding for your business. Investors will require you to have a business plan
    3. Every business needs a business plan. Some will say unless you are seeking funding you have no need for a business plan. The business plan is going to be first and foremost for you. You need to lay out your plan for your business. Failure to plan is a plan to fail. It is not enough to have the plan in your head, you need to put pen to paper and document your plan.
    4. I am a God girl and I believe you have to write the vision and make it plain. So that it is easily understood. And that is exactly what you want when seeking investors. You want them to read your business plan and see your vision.
    5. This is an ever-evolving document, it is not something you write one time and store away. You write it, you should review it often, at least annually but depending on how your business is growing or your plans are shifting you may need to review monthly. There is no limit to how many times your business plan can change or be updated. It’s your call.

 

 

  5. Capability Statement

Your Capability statement is basically your resume for your business and should include:

  1. Company Name & Logo
  2. Mission/Quality Statement
  3. Company Overview
  4. Skills
  5. Experience/Past Performance
  6. Key Accomplishments
  7. NAICS/Commodity Codes
  8. Company Profile
  9. Certifications

 

  6. Non-Disclosure Agreement (NDA)
    1. Your business’ first line of defense is the protection of sensitive information.
    2. It helps safeguard sensitive information such as financial records, clients, customer details and countless other information that the company deems to be sensitive.
    3. When you work with contractors, freelancers and even employees sometimes you may have to disclose confidential information. It is critical that this information is protected because if it is leaked it could cost your business a fortune.
    4. This is why companies ask employees, contractors, and/or freelancers that may receive confidential information to sign an NDA.
    5. An NDA is legally binding when signed and if the information is leaked your company can bring litigation against the violator.

 

  7. Employee Agreement
    1. Each of your employees has certain obligations and expectations they must fulfil as do you as the employer.
    2. An Employee Agreement is going to lay the ground rules of the employer/employee relationship.
    3. It is not legally required to have an employee agreement, but it is recommended to safeguard the company in the event of a dispute in the expectations of the working relationship.

 

  8. Partnership Agreement
    1. If you have one or more business partners and are considered a partnership, you will want to have a partnership agreement.
    2. This will outline the obligations, legal and operational, debt liability and profit sharing among the partners.
    3. It basically keeps the partners aligned with the agreed terms.

 

  9. Policies and Procedures (High Level)
    1. A policy provides guidelines and overall direction for an organization.
    2. A procedure describes how policies should be implemented.
    3. These are what you will provide if an external audit is performed.
  • Basic Sections
    • Document Header: Header information, also called meta information, includes the policy title, policy number, revision dates, publication dates, approver’s signature, and department.
    • Purpose: This explains what the policy is about and the reason for having the policy, such as how it promotes compliance with standards or regulations.
    • Policy Statements: Describe the overall framework for the policy and its intent.
    • Definitions: Define terms in your policy, especially words and phrases with multiple meanings. Definitions make policies clearer and can be important if the organization ever faces litigation.
    • Table of Contents: Whether your document is published online, made into a PDF, or printed, a table of contents aids users in quickly finding information. Hyperlinked tables of contents are a helpful feature of electronic documents.
    • Policy and Procedures: Details of the policy and procedures may be included in one document.
    • Scope: This describes the individuals, departments, or groups to whom the policy applies. To increase clarity, describe any employees or others to whom it does not apply.
    • Responsibilities: To ensure compliance, specify which roles are responsible for creating documents and reviewing documentation and activities.
  10. SOPs
    1. SOPs are vital to the growth and development of small businesses.
    2. They create benchmarks for the quality of output for every employee. If management has set high standards for the business, having SOPs in place helps ensure that every team member knows exactly what is expected of them and how to reach those expectations.
    3. They are step-by-step instructions specific to your business that explain how routine operations are performed in your business.
    4. They take the guesswork out of everyday tasks.
    5. While it may look like a lot of work upfront, to create an SOP, you’ll simply document the tasks you already do on a regular basis. Having this documentation will make it way easier to train new employees, automate tasks, and free up your and your team’s time to focus on money-making activities.
    6. Example: What if you were sitting on the runway waiting for your plane to take off, and you happened to look out of the window only to see the crew haphazardly working on random parts of the plane, looking confused about what they are doing? Would you be ok to fly on that plane? Or would you want to get off the plane?
    7. The same can be said about how your customers feel when dealing with your business. They need to know you and your staff have processes in place to keep things flowing smoothly.
    8. These are not anything your clients will ever see but for internal use only.
    9. I worked in Corporate America for years before becoming a full-time entrepreneur and I would drill in my employees that every task they completed needed an SOP.
      1. Ultimately, your SOPs will make you and your employees more productive and inspired to work
      2. They create a more secure workplace
      3. They are used as a source to evaluate your employee’s performance
      4. They Improve communication within your company
      5. And they provide quality control
      6. SOPs should be evaluated at least annually but as often as needed.

If you need access to templates for each of the documents mentioned, templates are available at link below

Business Templates | Aspire 2 Inspire Academy

You must comply with employment regulations.

Business Compliance Tip #6

You must comply with employment regulations.

If you run a small business, you may not have a payroll or human resource expert on staff like a larger organization might, but you still need to comply with employment regulations all the same. Some of the areas important to small business compliance include:

Payroll

To run payroll in full compliance, you may need to:

  • Abide by the minimum wage and overtime pay requirements of the Fair Labor Standards Act (FLSA).
  • Provide equal pay for equal work regardless of gender in accordance with the Equal Pay Act (EPA).
  • Follow state and federal guidelines when using direct deposit and pay cards

Taxes

Whether you file quarterly estimated taxes or an annual tax return for your small business, be aware of filing deadlines and deposit frequencies. Requirements may vary across the local, state and federal levels. 

Benefits

Depending on the size of your organization, you may need to offer these benefits to your employees to maintain small business compliance:

Hiring

Recruitment might be simpler in smaller organizations, but that doesn’t mean the regulations are any less strict. Your hiring practices must comply with Equal Employment Opportunity Commission (EEOC) and Office of Federal Contract Compliance Programs (OFCCP) guidelines. Additionally, all new employees are required to complete a Form I-9 to verify employment eligibility. Some states have also made E-Verify mandatory.

Record keeping

Under the Fair Labor Standards Act (FLSA), you may have to keep certain employee payroll records for a minimum of three years. The information must remain confidential and in a secure location at all times. Depending on where you do business, you might have to abide by state record keeping requirements, as well.

New COVID-related regulations and tax credits

The COVID-19 pandemic has changed the nature of how we work. For updates on COVID-related legislation that impacts payroll, tax filing and employee leaves of absence for small businesses, please visit our ADP Employer Preparedness Toolkit: Coronavirus Disease (COVID-19).

Source: ADP

HIPAA Compliance

Business Compliance Tip #7
HIPAA Compliance
Information privacy requirements in the Health Insurance Portability and Accountability Act (HIPAA) affect most every company regardless of its size.
There are no small business exemptions, so small businesses with no direct connection to the health care industry but that offer employee benefits such as health insurance, a Flexible Spending Account plan, or an employee wellness program generally must comply with HIPAA security and privacy requirements.
There are three types of entities or categories that need to be HIPAA compliant: covered entities (CEs), business associates (BAs), and subcontractors.
CEs must be within one of three categories specified by the HHS:
  • healthcare plans (e.g., insurance carriers, corporate health plans, HMOs)
  • providers (e.g., hospitals, doctors, nurses, pharmacies, dentists)
  • data clearinghouses
Any business, employee, vendor (subcontractor), or covered entity that stores patients’ medical records or protected healthcare information, or sends this type of information, is classified as a Business Associate and must abide by the HIPAA Security Rule. Individuals such as billing companies, lawyers, IT professionals and medical transportation services work with companies that store protected healthcare information, which requires them to meet HIPAA compliance.
It is important for covered entities, business associates, and subcontractors to be HIPAA compliant to protect patients and handle sensitive information with care. Accidentally or purposely exposing such information to outside sources is dangerous. Identity theft or selling medical records and information of a public figure are possible results of protected healthcare information falling into the wrong hands. This is what the Health Insurance Portability and Accountability Act seeks to prevent.

How to Become HIPAA Compliant

Becoming HIPAA compliant requires CEs, BAs, and subcontractors to ensure the following:

  1. Follow administrative, technical, and physical safeguards to protect patient health information.
  2. Share and collect only as much data as is necessary. All collected personal data should serve a specific purpose.
  3. Sign Business Associate Agreements (BAAs) with service providers (also known as Business Associates). This ensures that service providers use, protect, and disclose patient health information correctly.
  4. Create and implement policies to limit access to patient health information, as well as build a training and awareness program to safeguard patient health information.

CEs, BAs, and subcontractors can choose between two ways to become HIPAA compliant:

  • Option 1: Employers can choose to create their own HIPAA requirements. Be sure to check that technical and physical safeguards are built into the infrastructure. It is best to seek assistance from a HIPAA consultant to ensure the implementation of the proper HIPAA requirements.
  • Option 2: There is also the opportunity to outsource your HIPAA compliance. There are automated software programs that will prepare and build a strong foundation for security and compliance.

Earning a certification to become HIPAA compliant can happen in 6 months or in 3+ years. The time frame depends on how big your organization is and how many individuals will need to earn their certification. However, once you are HIPAA compliant, understanding the consequences for violating HIPAA is essential.

There are four rules included in the Health Insurance Portability and Accountability Act (i.e., privacy, security, breach, and enforcement rules). The Enforcement Rule lists how entities and individuals should respond to HIPAA violations and report to the Office for Civil Rights.

There are four categories of the Health Insurance Portability and Accountability Act violations. These include violations that occur:

  1. without the individual’s knowledge.
  2. due to a reasonable cause, and not as a result of willful neglect.
  3. as a result of willful neglect, but quickly reconciled.
  4. due to willful neglect, and are never resolved or reconciled.

The severity and classification of a HIPAA violation will inform the amount a violator must pay. There are also tiers for any organization that violates HIPAA to such an extreme that a punishment can include a dire ramification such as jail time.

HIPAA is a federal law that plays an important role in the integrity of the medical industry. As of 1996, all entities and individuals that handle, maintain or send any client medical records must be HIPAA compliant. No exceptions.

Source: The Ultimate HIPAA Compliance Guide for Small Business

Compliance Risk

Business Compliance Tip #8

Compliance Risk

What is compliance risk?

Compliance risk is an organization’s potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risk is also known as integrity risk.

Organizations of all types and sizes are exposed to compliance risk, whether they are public or private entities, for-profit or nonprofit, state or federal. An organization’s failure to comply with applicable laws and regulations can affect its revenue, which can lead to loss of reputation, business opportunities and valuation.

Types of compliance risk

An organization may be implicated in the following types of compliance risks:

  • Corrupt and illegal practices. Legal compliance ensures that the organization, its agents and employees are abiding by the laws and regulations of the industry. Common compliance risks involve illegal practices and include fraud, theft, bribery, money laundering and embezzlement.
  • Privacy breaches. A common compliance risk is the violation of privacy laws. Hacking, viruses and malware are some of the cyber risks that affect organizations. Additionally, if a company handles sensitive information, it is required to take the appropriate measures to protect that data and prevent privacy breaches.
  • Environmental concerns. These compliance risks deal with pollution and environmental damage an organization’s operations can cause. Examples include the destruction of natural habitats, use of harmful chemicals, hazardous waste disposal and pollution of groundwater. Many companies are integrating sustainability into their business strategies and are providing their employees with training and resources to help them achieve environmental compliance.
  • Process risks. A process risk is a failure to follow an established procedure for completing a task or a deviation from the standard process. For example, a company must have a documented procedure for accessing its network remotely. If an employee abuses the proper procedure for remote access, it is considered a process risk.
  • Workplace health and safety. Companies are legally required to follow specific health and safety protocols. In the U.S., many of these laws are enforced by federal agencies, such as the Occupational Safety and Health Administration (OSHA) and U.S. Food and Drug Administration (FDA). In Europe, the equivalent regulatory bodies are known as the European Agency for Safety and Health at Work (EU-OSHA) and European Medicines Agency (EMA).

What is compliance risk management?

Compliance risk management is the process of identifying, assessing and mitigating potential losses that may arise from an organization’s noncompliance with laws, regulations, standards, and both internal and external policies and procedures. Management practices are intended to help organizations maintain compliance with various regulations and laws. Organizations may have compliance risk management policies and procedures, which are the framework and mechanisms they implement to control compliance risk. Compliance risk management is a continuous process that involves tracking changes in the regulatory environment to ensure an organization’s compliance is up to date. Compliance policies, procedures and training materials must be revisited on a regular basis in light of new policies, directives and regulations.

Organizations need to be aware of their compliance risk on a number of levels, not just from the perspective of the chief compliance officer (CCO). While the CCO and other compliance staff are responsible for reviewing all aspects of the organization’s compliance risk — including its legal, regulatory, financial and technical risks — the compliance risk extends to all levels of the organization, including information technology (IT). This is why the organization’s IT department must be involved in compliance risk management.

Compliance risk management forms a portion of the collective governance, risk and compliance (GRC) discipline. GRC is a set of management practices and technologies to ensure that an organization is operating in a manner consistent with its values, mission and risk tolerance. GRC policies are mainly seen in the financial industry, but other industries, such as healthcare, are also required by law to adopt risk management and compliance practices.

GRC is designed to help organizations identify and evaluate risks to their business and reputation. The three fields are similar to incident management, operational risk assessment and internal risk.

Fraud in Small Business

Business Compliance Tip #9

Fraud in Small Business

Compliance encompasses several aspects of business, including Fraud.

It can be hard to figure out how con artists may target your small business because so many different types of fraud exist. Here, we’ve detailed the most common types of fraud right now, the potential warning signs, and how best to mitigate them. Because there are so many ways fraud can take place, I will break this tip into two tips.

7 Common Types of Small Business Fraud

Payroll Fraud

Payroll fraud occurs when employees manipulate the payroll system to receive payment for work not done. In fact, 27% of all businesses experience payroll fraud and small businesses are affected twice as often as big corporations. Some potential warning signs include:

  • Flaws in payroll records
  • Employees not taking PTO
  • Employees using duplicate paychecks
  • Employees living way beyond their means

Payroll fraud can be prevented by proper monitoring of payroll reports, payroll auditing, or seeking the services of professional and reputable payroll providers.
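The monitoring and auditing recommended above can be partly automated. The following is an added example, not code from the page or its source, that scans a constructed payroll register for two of the warning signs listed above: the same employee paid twice in one pay period, and employees who never take PTO. The row format, the sample rows, and the PTO threshold are assumptions.

```python
"""Payroll audit checks for the warning signs listed above (added example).

Not code from the page's source; the register format, the sample rows and the
PTO threshold are assumptions. Rows are (employee_id, pay_period, net_amount).
"""
from collections import Counter
from typing import Dict, List, Tuple

PayrollRow = Tuple[str, str, float]

# Constructed sample payroll register for two pay periods (not real data).
PAYCHECKS: List[PayrollRow] = [
    ("E001", "2024-03", 3200.00),
    ("E002", "2024-03", 2750.00),
    ("E002", "2024-03", 2750.00),  # same employee paid twice in one period
    ("E003", "2024-03", 4100.00),
    ("E001", "2024-04", 3200.00),
    ("E002", "2024-04", 2750.00),
    ("E003", "2024-04", 4100.00),
    ("E003", "2024-04", 4100.00),  # another duplicate
]

# Constructed PTO days taken so far this year, per employee.
PTO_TAKEN: Dict[str, int] = {"E001": 6, "E002": 0, "E003": 9}


def find_duplicate_paychecks(paychecks: List[PayrollRow]) -> List[Tuple[str, str]]:
    """(employee, period) pairs with more than one paycheck in the same period."""
    counts = Counter((emp, period) for emp, period, _ in paychecks)
    return sorted(key for key, n in counts.items() if n > 1)


def duplicate_overpayment(paychecks: List[PayrollRow]) -> float:
    """Money paid out beyond one paycheck per employee per period."""
    first_seen: Dict[Tuple[str, str], float] = {}
    extra = 0.0
    for emp, period, amount in paychecks:
        key = (emp, period)
        if key in first_seen:
            extra += amount
        else:
            first_seen[key] = amount
    return round(extra, 2)


def find_no_pto_employees(paychecks: List[PayrollRow], pto_taken: Dict[str, int],
                          min_days: int = 1) -> List[str]:
    """Employees on the payroll who have taken fewer than min_days of PTO."""
    on_payroll = {emp for emp, _, _ in paychecks}
    return sorted(emp for emp in on_payroll if pto_taken.get(emp, 0) < min_days)


def audit_payroll(paychecks: List[PayrollRow], pto_taken: Dict[str, int]) -> Dict[str, object]:
    """Combine the checks into one findings report for a periodic payroll review."""
    return {
        "duplicate_paychecks": find_duplicate_paychecks(paychecks),
        "duplicate_overpayment": duplicate_overpayment(paychecks),
        "no_pto_taken": find_no_pto_employees(paychecks, pto_taken),
    }


if __name__ == "__main__":
    for finding, value in audit_payroll(PAYCHECKS, PTO_TAKEN).items():
        print(f"{finding}: {value}")
```

Run against a real register export, the findings are a starting point for the payroll review, not proof of fraud: a duplicate may be a legitimate correction and an employee with no PTO may simply be new. The report gives the owner a short list to check instead of the whole register.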

Cash Theft

Cash theft is one of the key aspects of asset misappropriation, which may also take the form of check tampering, accounts-receivable skimming, fake billing, and payroll schemes. There are several ways cash disappears in a small business. First, it could be through fraudulent disbursement of cash — cash released by an employee that the owner did not authorize. Sometimes, employees also take the cash that has not been reported into the accounting system and use it for other purposes not related to work. This can harm the business in the long run.

Online Banking Fraud

Cybercrimes are becoming more sophisticated, and even a small security lapse around your online banking details can lead to online banking fraud. Employees who are not trustworthy can use the company’s bank details in their possession for malicious purposes. Scammers can also use techniques such as phishing (deceptive email), malware (malicious software), and vishing (voice phishing over the phone) to get at your online banking account details. A red flag is when money goes missing from the account without a trace.

Staying up to date with cybersecurity measures is one way to protect your business from online banking fraud. Also, give sensitive online banking details only to trusted employees, and be sure to report to the financial institution that holds your account as soon as you notice unaccounted-for deductions. Additionally, you can contact the FTC or the FBI for guidance.

Invoice Email

This type of fraud involves employees sending illegal emails to clients informing them of changes in payment details. It is usually not easy to detect this type of fraud as business owners can only be alerted when clients complain of such emails or when they don’t get paid for a service rendered.

Giving your company’s official email access to only trusted employees can go a long way to prevent this scam. You can also do regular account check-ins and create awareness among clients about the official bank account details for payments.

Phishing Emails

Phishing emails are designed to get valuable information about your business bank account details or other sensitive information that can be used to siphon funds from your business bank account.

Always try to verify the genuineness of any email that requests card details or other sensitive information. Additionally, avoid clicking on suspicious links from an unknown email as it may take you to a website that’ll request your credit card numbers or passwords for payment purposes or other reasons. It is also important that you have up-to-date antivirus software and firewalls installed on your office computer to avoid phishing scams.

Insurance Fraud

Employees can sometimes file bogus claims related to fake or mild workplace injuries. They may demand large health care compensation. Installing security cameras in your business location can help. It is also very good to have sufficient health insurance coverage to protect yourself from such fraudulent scenarios. In addition to health insurance fraud, unemployment insurance fraud is another common insurance fraud. However, both the employer and employees are sometimes guilty of this type of fraud.

Bank Account Takeover

Someone gaining access to your online bank details is very dangerous to your business finances; if it is not noticed in time, your funds can easily be drained. Bank account takeover fraud can be carried out by both internal and external perpetrators. Be wary of employees who continuously ask for your sensitive business bank details or login details. More organized fraudsters can even use malware to try to capture your login information. Never log in to your bank account over an unsecured network, and never log in to your bank’s website without first verifying that it is the genuine one.

 

3 Ways to Protect Your Small Business From Fraudsters

As a small business owner, you are responsible for doing your utmost best to protect your investment against scammers. Some measures you can take include:

  • Educate yourself. Understanding how fraudulent activities impact your business will help you stay updated with the latest tricks con artists may employ to target your business.
  • Educate your staff on how best to protect sensitive company data like trade secrets, intellectual property, and account information, including account number, client information, and other sensitive information. Employees should also be made aware of the potential warning signs or red flags.
  • Integrate a fraud management system into your business to monitor real-time transactions across company users.

Source: Skynova, 14 Common Types of Small Business Fraud

Fraud in Small Business

Business Compliance Tip #10

Fraud in Small Business (cont.)

Compliance encompasses several aspects of business, including Fraud.

It can be hard to figure out how con artists may target your small business because so many different types of fraud exist. Here, we’ve detailed the most common types of fraud right now, the potential warning signs, and how best to mitigate them.

8 Common Types of Small Business Fraud

Directory Fraud

Another ploy to scam you out of your business details and money is directory fraud. You may get a call saying that your company’s information needs to be updated on a popular online directory to reach more potential customers. Small businesses may easily fall for such schemes because they want to attract more customers.

Once payment is made, you will discover that the business directory is not real, or that you were never contacted by the directory’s real owners. Verify the business directory platform first before engaging in any business with it.

Intellectual Property (IP) or Trade Secret Fraud

Your company’s IP is perhaps the most valuable intangible asset of your business and is highly vulnerable to theft or leaks. Although IP is protected under patent, copyright, or trade secret law, it can still be used against you when it ends up in the hands of competitors. Intellectual property fraud can take the form of criminal cyber actors breaching your systems and stealing IP to sell to your competitors. You can also fall victim to the invention promotion scam.

Identity Theft

With emerging technologies, identity theft is becoming more common among small businesses, and it can cause serious reputational damage and loss of valuable resources when it is not discovered early enough. Identity theft happens when your personal information, such as your Social Security number, credit card information, bank account number, and other account details, is used for malicious purposes or to steal your funds. Data mining is a common way to perpetrate this kind of fraud.

A potential warning sign is when you begin to notice unfamiliar account details on your payroll or credit report, or when you see debits that you cannot trace or account for. It can get worse when the IRS notifies you of changes to your tax information. To mitigate this, review your financial records regularly. Once you notice a red flag, change your login details, PINs, and passwords. In severe cases, ask your financial institution to freeze or close your account to prevent further withdrawals. Furthermore, contact IdentityTheft.gov for further direction.

Stolen Tax Return Fraud

Stolen tax return fraud occurs when someone steals your Social Security number and uses it to file a return and collect your tax refund. You usually only discover this when you file your own return and the IRS rejects it because a return has already been filed under your number. To prevent tax fraud, experts recommend filing your taxes early. Additionally, avoid giving out your Social Security number carelessly.

Debit and Credit Card Fraud

This fraud happens when scammers get hold of your credit or debit card details, such as card numbers, security codes, expiration dates, and PINs, and use them to carry out transactions you did not authorize. You start noticing charges for transactions you don’t recognize, or charges made in a location you have not visited.

Your credit and debit card details should be confidential; report to your bank when you notice unauthorized transactions. A change of your bank card details may be necessary to stop further deductions.

Financial Statement Fraud

Office Supplies Fraud

False Invoice Fraud

3 Ways to Protect Your Small Business From Fraudsters

As a small business owner, you are responsible for doing your utmost best to protect your investment against scammers. Some measures you can take include:

  • Educate yourself. Understanding how fraudulent activities impact your business will help you stay updated with the latest tricks con artists may employ to target your business.
  • Educate your staff on how best to protect sensitive company data like trade secrets, intellectual property, and account information, including account number, client information, and other sensitive information. Employees should also be made aware of the potential warning signs or red flags.
  • Integrate a fraud management system into your business to monitor real-time transactions across company users.

Source: Skynova, 14 Common Types of Small Business Fraud

Business Compliance requirement by Entity Type

Business Compliance Tip #11

Business structure affects the filings, reports, and other formalities a company must carry out to legally conduct business. Every state has its own rules, and counties and local municipalities may have regulations, as well. To give you a general idea of what different business structures have to do to stay compliant, I’m going to list compliance formalities by entity type:

Sole Proprietorship and Partnerships

Sole proprietorships and partnerships are considered the same entity as their owners (both legally and from a tax perspective). So, there are no corporate compliance formalities to maintain them. However, that doesn’t mean that entrepreneurs operating as sole proprietorships or partnerships don’t have rules to follow to run their businesses legally! Some of the things that individuals running their businesses as sole props and partnerships must do include:

  • File for and renew their fictitious name (DBA) if they are marketing their business under a name other than one that includes their first and last name.
  • File their personal income tax returns (business income is reported on IRS Form 1040 Schedule C) and pay applicable income tax AND self-employment tax.
  • Apply for and renew any required business licenses and permits.
  • Collect and remit sales tax (if required for the products and services they are selling).
  • Obtain an EIN (Employer Identification Number), if hiring employees.
  • Abide by all employment and labor laws (if the business has employees).

Limited Liability Companies (LLC)

A Limited Liability Company is considered a separate legal entity from its owner(s) (called members). The LLC structure gives members some protection against the legal and financial debts of the business. However, from a tax perspective, an LLC and its owner(s) are treated as the same entity. In other words, taxes flow through to owners’ personal income tax forms.

Some of the compliance requirements LLCs must usually fulfill include:

  • File Articles of Organization to establish the entity with the state.
  • Appoint and maintain a registered agent.
  • Obtain an EIN (Employer Identification Number).
  • File an initial report and annual reports.
  • Create an operating agreement to put forth the company’s major decision-making and operating procedures (generally, it’s not required by the state, but it helps ensure other compliance requirements are addressed properly).
  • Issue member shares and record interest transfers.
  • Hold LLC member meetings (also, prepare minutes and have all members sign to approve them).
  • File their income tax returns and pay applicable income tax (business income is reported on IRS Form 1040 Schedule C) AND self-employment tax.
  • Apply for and renew any required business licenses and permits.
  • Collect and remit sales tax (if required for the products and services they are selling).
  • Abide by all employment and labor laws (if the business has employees).
  • Maintain a bank account solely for business activities. Do not commingle business and personal financial activities and funds.
  • File Articles of Amendment to report any significant business changes.

Corporations

A Corporation (C Corporation or C Corp) is a separate legal and separate tax-paying entity from its owners (called shareholders). With more stakeholders and a higher degree of liability protection for owners and directors, Corporations have stricter compliance requirements than other business entities.

Below are examples of what C Corps may need to do to satisfy their compliance obligations:

  • File Articles of Incorporation to establish the entity with the state.
  • Appoint and maintain a registered agent.
  • Obtain an EIN (Employer Identification Number).
  • File an initial report and annual reports.
  • Adopt corporate bylaws to put forth the company’s major decision-making and operating procedures.
  • Apply for and renew any required business licenses and permits.
  • Appoint and maintain a board of directors.
  • Hold board of directors meetings (also prepare minutes afterward, and have all directors sign to approve them).
  • Hold annual shareholder meetings (also prepare minutes and have all directors sign to approve them).
  • Pay taxes and file corporate tax returns.
  • Collect and remit sales tax (if required for the products and services sold).
  • Issue stock to shareholders and record stock transfers.
  • Abide by all employment and labor laws (if the business has employees).
  • Maintain a bank account solely for business activities. Do not commingle business and personal financial activities and funds.
  • File Articles of Amendment to report any significant business changes.

S Corporations

An S Corporation is not a type of business entity but rather a special tax election that eligible LLCs and Corporations may choose. Generally, S Corporation requirements follow what the underlying entity (LLC or Corporation) must fulfill.

 

Tune in tomorrow to find out the consequences of noncompliance.

 

Consequences of Noncompliance

Business Compliance Tip #12

Consequences of Noncompliance

Yesterday’s tip discussed some of the typical compliance requirements; now let’s get into what can happen when businesses do not follow the rules. The severity of penalties varies, and often depends on the seriousness of the violation. For any business, noncompliance can cause big problems!

Here are some of the possible consequences of noncompliance:

  • Piercing of the Corporate Veil – The “corporate veil” (also called a “corporate shield”) is the legal distinction between an LLC or corporation and its owner(s). It is the legal separation established by keeping a company’s activities, assets and liabilities independent from those of the business owner(s). If an LLC or Corporation fails to fulfill its compliance requirements, a court might decide that the corporate veil has been pierced and that the individuals who own or oversee the business are personally accountable for the debts or legal wrongdoing of the company.
  • Audits – Noncompliance draws closer inspection of a business’s processes and financials. No one likes to hear the word “audit.” That’s no wonder because audits demand a lot of time and money as business owners and employees get pulled away from doing revenue-generating work.
  • Financial penalties – Noncompliance can hit a business’s checking account hard. There may be fines, back taxes, interest, and other financial penalties levied if a company fails to fulfill its compliance requirements.
  • Suspension or termination of the business – If the frequency or severity of noncompliance warrants it, a company may fall out of good standing with the state and be forced to either suspend operations or close its doors entirely. Stating the obvious, this can be fatal for a business.
  • Imprisonment – The LLC and Corporation business entity types provide some liability protection to owners and directors. However, noncompliance may lead to civil or criminal prosecution of owners, officers, and directors if their personal actions were unlawful or negligent.
  • Damaged brand reputation – As word gets out publicly about a company’s noncompliance, it could permanently hurt the business’s reputation. That could destroy customer and vendor confidence as well as make lenders wary of providing financing to the business in the future. The hit to a brand’s reputation can destroy trust in the company and limit future opportunities.

How to Stay Compliant

For some businesses, the compliance requirements may be numerous and complex. Entrepreneurs must understand their obligations so that they don’t suffer the consequences we covered above—especially the increased legal risks associated with piercing the corporate veil. To accomplish that, I recommend seeking mentorship as well as professional legal and accounting expertise.

Source: Corpnet

 

Workplace Policies

Business Compliance Tip #13
 
Workplace Policies
 
WHAT ARE WORKPLACE POLICIES?
A workplace policy is a document of rules or guidelines that communicates your business’s standards and expectations regarding how your employees should behave and conduct themselves.
Your workplace policies can also set out how your business will respond to, or deal with, employees who fail to abide by the rules your policies set.
All in all, workplace policies for small businesses are there to help create a more structured working environment. They state what an employee can and cannot do in your workplace, and outline the consequences for noncompliance.
In short, they inform your employees of their responsibilities and duties to your business and to one another.
 
THE BENEFITS OF WORKPLACE POLICIES FOR SMALL BUSINESSES
Implementing the right workplace policies for your small business can bring a great many benefits.
Do you want protection? A safe work environment? Informed employees? Well, your workplace policies can definitely help you achieve these things.
Policies help to manage legal risk and allow you to outline the benefits and opportunities your company provides to its workers – this helps to improve workforce morale, worker retention and job satisfaction.
Benefits of workplace policies include that they:
  • provide workers with knowledge about what is expected of them, e.g., behavior and performance standards;
  • provide rules and guidelines for decision-making in routine situations;
  • provide a consistent and clear response across the company in dealing with situations;
  • demonstrate your good faith that workers will be treated fairly and equally;
  • provide an accepted method of dealing with complaints and misunderstandings to help avoid claims of bias and favoritism;
  • provide a clear framework for the delegation of decision-making;
  • provide a means of communicating information to new workers; and
  • ensure that you are better equipped to defend claims of a breach of employer obligations, e.g., health and safety legislation.

Compliance Policy Must Haves Especially with Employees

Business Compliance Tip #14

Compliance Policy Must Haves Especially with Employees

Having and maintaining certain rules and regulations is one crucial aspect of running a company.

1. Defined Designation Descriptions For All Employees

One of the biggest mistakes companies make is being vague about the designations (roles and titles) they assign to their employees.

They may do this so that employees don’t feel their potential is limited, but in the long run it often backfires.

Consider a scenario where you hire a new program developer but, for one reason or another, don’t define their role or their responsibilities. In the first days this may still be fine. However, if the role is still not defined after a few days, your employees may start feeling insecure.

And we all know what happens when employees start feeling insecure. So, don’t let that happen.

Understand the importance of defining roles and designations of all employees that work for you.

2. Working Hours and Days

Even though flexible work hours are popular and effective among today’s employers, it’s essential to realize that they may require extra effort from your management teams.

And that’s also fine. The point is that all your employees must know the working hours (if you have defined them) and the days on which they need to be in the office.

For example, some companies give their employees two days off a week, while others give only one. Similarly, policies on additional monthly leave vary from one company to another.

And the same goes for working hours as well.

So, keep them defined.

3. Remote Work Policies

Well, there has never been a more important time to talk about this. The recent coronavirus outbreak has led a large number of organizations to encourage their employees to work from home.

Clearly, you too need to consider defining specific work-from-home policies, so that when your employees work remotely, they know what is expected of them.

For example, if you want them to stay online on the work portal or to stay on the camera for completing their work hours (not the best thing to do, but if your organization requires it).

So, count this in while defining compliance policies for your company.

4. Rules Regarding Company Hierarchy

Organizational hierarchy is one thing that a large number of companies have in common. And if your company is also one of them, it’s important for you to define your organization’s hierarchical rules and regulations to all your employees, whether new or old.

This will make them aware of who their senior managers are and who their peers are, so they know whom to report to and whom to take guidance from.

5. Workplace Discipline

Another set of rules that all organizations must set up relates to workplace discipline.

Basically, you know how you want your employees to behave when they are in the office. And this doesn’t refer only to bad behaviour. Although that must be covered and prevented under this set of rules, the primary aim is to ensure workplace discipline in everything from meeting deadlines to working well as a team.

So, make sure you define certain rules for that. These compliance policies will help maintain the required discipline.

6. Rules Regarding Employee Training

Guiding your employees about their work responsibilities and several company policies is crucial. But does it come that easy?

Many times your employees may not like the idea of attending a training program.  And this can be for a number of reasons.

Some of them may find it boring. Some of them may be afraid that they’ll have to invest extra time. Some of them may have other priorities. The point is, the process still remains crucial for you.

So, how to implement it?

Well, setting certain rules and regulations about employee training can help.

Also, if your employees are finding your training programs boring, you can choose a smarter set of eLearning tools to gamify the program.

7. Privacy Policies

As an employer and as a service or product provider, you hold accountability towards the privacy of your employees and customers.

And so, your company must have certain policies and rules regarding how you take care of and maintain that.

So, make sure you include this one too.

8. Employee Appraisals

It’s a fact that money is one of the primary reasons why your employees work for you. And then there’s another fact that all of them expect appraisal based on their performance.

So, how do you plan on tackling this?

Well, it’d be smart to have a specific plan for promoting your employees and giving them raises. This will help you ensure that every person who works for you is on the same page and knows the exact definition of adequate performance in your organization.

Setting rules about employee appraisals will also make your appraisal process hassle-free, keeping disputes at bay.

 

9. Protecting Information and Intellectual Properties

Here comes another one of the most important assets that must be protected — your company’s intellectual properties.

Like many other companies, your organization may also have a think-tank that may brainstorm to come up with effective ideas relating to different areas of business.

These ideas are useful for your organization and must not go out of the board-room. However, if they get leaked because of an employee, your organization may have to deal with certain losses.

And the same goes for information as well.

There can be a huge load of information that’s meant to be strictly confidential to your organization. If this gets leaked even in bits and pieces, it can cause harm to your business.

This is the reason why you must have certain policies and rules regarding how your employees keep your company’s information and intellectual property safe.

10. Workplace Safety and No Retaliation

Workplace safety is one of the top concerns for nearly all employees of this generation.

This means that a company with poor anti-retaliation policies or poor workplace safety policies is sure to damage its reputation. As a result, you may also have a tough time hiring talented employees.

So, prioritize this one.

It’s important to ensure that all your employees have the right to speak up against anything that might be bothering them in the workplace.

Setting up specific rules regarding workplace safety becomes super-important for this reason.

Final words

For running a company successfully, it’s crucial for you to define several rules and regulations and to make your employees aware of the same. 

Source: My Management Guide

Tax Tips for Small Business

Business Compliance Tip #15
 
Tax Tips for Small Business
 
Don’t overlook the importance of managing business taxes each year. You could end up running afoul of federal, state and local governments. That can prove not only inconvenient.
This collection of best practices can help you keep better track of small business tax liabilities and stay on top of your small business tax bill:
  1. Keep good records – 1 out of 4 small businesses lose track of whether or not a customer has paid over the course of the year. Along with accounts receivable and collections, you also need to monitor business cash flow, track your receipts, and keep records of payroll and other payments.
  2. Separate business and personal accounts – The IRS is always on the hunt for small businesses not paying taxes. If you get audited, one of the first things they will do is review your business and personal accounts to look for any commingling. They are looking for personal expenses reported as business expenses.
  3. Claim all your income reported to the IRS – You may want to figure out how to pay no small business taxes, yet small business tax avoidance is not a good idea. Know that the IRS gets a copy of all the 1099-MISC forms you receive. That means they can and will check that the income you claim matches what has been reported. You should also report income that is not recorded on 1099-MISC forms. It is not advisable to treat any of your income as if it could be a small business tax shelter.
  4. Follow small business tax strategies to reduce income tax – There are many ways to reduce taxable income for small businesses. Start by researching tax credits such as the general business credit, investment credit, credit for employer-provided childcare and facilities, the Indian employment credit and more. Also look into Section 179 eligibility, mileage, home office, salaries and wages, furniture and equipment, travel, insurance, professional fees, etc.
  5. Make charitable contributions – Not only is this a great thing to do from a business sustainability perspective, but it can also cut your tax liability. You can donate cash, merchandise, or other assets and be entitled to a deduction on your taxes. Request a receipt from the 501(c)(3) charitable organization so that, as well as giving back to your community, you can claim the tax benefit.
  6. Hire professional help – It can also help to hire professionals to manage your payroll or help with your small business tax bill. Bookkeepers and accountants can share small business tax tips that you wouldn’t know about otherwise. It is not all about how to lower your small business taxes. Your accountant should work with you throughout the year to track income and spending, to make sure you don’t have a cash flow problem, and to monitor your gross and net profits.

3 Tips for staying HIPAA Compliant with Electronic Documents

Business Compliance Tip #16
 
3 Tips for staying HIPAA Compliant with Electronic Documents
 
Here are three vital tips to help your team stay HIPAA compliant when handling electronic protected health information (ePHI) documents.
In highly regulated industries like healthcare and insurance, the consequences of mishandling documents can be dire. Protecting identifiable health information both online and offline is essential for HIPAA compliance; poor document management may otherwise put your company at risk of an audit.
If you noticed workflow vulnerabilities during your latest HIPAA risk assessment, now is the time to upgrade your processes.
 
  1. Review Electronic Storage Security Regularly

    Your team is responsible for lots of ePHI, which means maintaining regular security practices is a must. Even if you have well-defined processes, you still need to review electronic storage security to guarantee compliance. 

    First, take a look at how your team stores documents with sensitive data. Ask yourself these questions to get started:

    • Is access limited to employees who need it for their work? 
    • Is your data encrypted? 
    • Does your storage solution require two-factor authentication?

    Next, review the security measures you have in place: 

    • Are antivirus programs current? 
    • Are passwords changed regularly? 
    • Are you recording a document changelog?

    Schedule a monthly or quarterly security review on the calendar to confirm that your data is secure. If you notice vulnerabilities during your review, remediate them right away to lower your risk.

  2. Record the Audit Trail

    When you’re working with sensitive data, it’s important to know who has access to that information.

    Maintaining an audit trail helps your team know who can access which documents, and how their team members altered those documents. An audit trail contains a full log of every change made to a document, the user who made the change, and when they made it. 

    Keeping up a manual audit trail is challenging, and there are tons of opportunities for information to fall through the cracks. One of the biggest risks happens during the review and approval process, which might happen over email or on the phone. When this information isn’t properly tracked, the audit trail loses its validity. 

    The US Department of Health and Human Services (HHS) recommends monitoring and logging changes automatically to maintain an audit trail. System-level audit trails play an important role in data security and limiting access to the right people. Meanwhile, application audit trails help you complete your entire workflow within one tool by recording changes every step of the way.

  3. Confirm Ongoing Compliance with Checklists

    Many organizations assume that their employees always follow the designated process. So, if your HIPAA risk assessment reveals avoidable human errors, you may feel at a loss to solve these problems and improve accuracy. 

    A checklist can be a valuable quality control tool that encourages team members to double-check their work, reducing the likelihood of small mistakes that can trigger an audit. While checklists may seem simple, they help employees perform their tasks consistently and stay focused on the job at hand.

    While it may seem like following a checklist will slow down your process, it can actually help your team work faster and with better accuracy. Checklists are especially valuable to maintain version control or support the review and approval process. However, keeping track of many checklists for different document types can be daunting. 
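As an added illustration of the audit trail described in tip 2 above (example code written for this page, not from the article or HHS): each entry stores the document, the user, the action and when it happened, and entries are hash-chained so that an entry that was later dropped or altered is detected when the trail is verified rather than silently weakening it. The record layout and the sample review cycle are constructed.

```python
import hashlib
import json

# Added example, not from the article: an append-only audit trail of the kind
# tip 2 describes (document, user, action, timestamp per change). Each entry is
# chained to the previous one with SHA-256, so a removed or edited entry breaks
# the chain and verify_trail() reports it. Layout and sample data are constructed.

GENESIS = "0" * 64  # chain anchor for the first entry
FIELDS = ("doc", "user", "action", "at")

def _entry_hash(prev_hash, body):
    """Hash of the previous link plus this entry's canonical JSON body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def record_change(trail, doc_id, user, action, when):
    """Append one change to the trail; `when` is an ISO-8601 UTC timestamp."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"doc": doc_id, "user": user, "action": action, "at": when}
    trail.append({**body, "hash": _entry_hash(prev, body)})
    return trail[-1]

def verify_trail(trail):
    """Recompute every link; return (True, None) or (False, first_bad_index)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: entry[k] for k in FIELDS}
        if _entry_hash(prev, body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def history(trail, doc_id):
    """Who changed a document, what they did and when, in order."""
    return [(e["user"], e["action"], e["at"]) for e in trail if e["doc"] == doc_id]

def sample_trail():
    """Constructed review-and-approval cycle for one ePHI document."""
    trail = []
    record_change(trail, "claim-0042.pdf", "alice", "created", "2024-03-01T09:00:00Z")
    record_change(trail, "claim-0042.pdf", "bob", "edited", "2024-03-01T10:15:00Z")
    record_change(trail, "claim-0042.pdf", "carol", "approved", "2024-03-01T11:30:00Z")
    return trail

if __name__ == "__main__":
    trail = sample_trail()
    print(verify_trail(trail))                 # (True, None)
    print(verify_trail([trail[0], trail[2]]))  # (False, 1): bob's edit was removed
```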

Professional Email is Essential

Business Compliance Tip #17
As a business owner, you should have a professional email address which is [email protected]
Did you know that Gmail can be a HIPAA-compliant way to send email to clients and share information?
Google’s email, calendar, and productivity tools (recently renamed from G Suite to “Google Workspace”) are absolutely fantastic.  They’re easy to use and very affordable.
Google Workspace is also highly secure, but there are very specific things that you need to do to make Gmail HIPAA compliant.  Here are some big ones…
  1. Become a Google Customer –

    Unfortunately, only the paid version of Gmail can be used for handling PHI, and only if it’s set up the right way.  Why?  Here are a few reasons:

    • Google will only sign a HIPAA BAA with paid customers
    • Google’s computers scan emails for advertising
    • Google’s employees can (though usually don’t) see your emails
    • A patient might notice you’re using insecure email and complain
  2. Sign a HIPAA Business Associate Agreement – Once you’re a customer, Google has a very simple process for executing a HIPAA BAA. You can do it right online, with no forms to fill out.
  3. Get Patient Consent – Patient consent is highly recommended. If you’re in a healthcare practice, get written consent from your patients before you communicate with them via email or text messages. It’ll save you a world of pain down the line if you get a complaint.
  4. Use your email signature –

    Add an automatic email signature that reminds people that email is insecure, and to delete email not meant for them.

  5. Carefully plan how you will use PHI in email – Make sure any PHI you send is sent securely.
  6. Warn patients about insecure email – Inform your patients of the danger of sending PHI over insecure channels.
  7. Secure connection between HIPAA-compliant Gmail and your computer –

    If you access Gmail in your browser (using Chrome, Internet Explorer, Safari, Firefox, etc.), then you already have this covered.  A secure connection is always on by default.

    If you’re curious, here’s how you can tell.  Look for the green lock and the “https.”

  8. Train your staff-

    If you have any employees (even one), you need to have a clear policy and train them on your expectations of using email and SMS.

    Specifically, train them thoroughly on how to identify PHI, and your expectations of how they should handle PHI in email and SMS.

    You should also train them on how to identify and handle:

    • Emails with viruses
    • Emails with tricky links
    • Emails with unusual attachments
    • Emails from people they don’t recognize

    More info to come regarding email.

Professional Email is Essential Cont'

Business Compliance Tip #18
Google Workspace is highly secure, but there are very specific things that you need to do to make Gmail HIPAA compliant. Here are some more big ones…
9. Phishing and Hackers

Ultimately, HIPAA is about keeping medical data from being stolen.

These days, you need to be worried about getting hacked.  Hackers are going after small businesses, and medical records are highly valuable on the black market.

Hackers are using phishing messages (fake emails) to try to trick you.  How?

  • They might try to trick you into giving them your email and passwords.
  • They might make you install a program that will lock you out of your computer and hold it for ransom (called ransomware).
  • They might put a program on your computer that lets them see everything you do, including turning on your webcam without you knowing.
  • They might put a program on your computer that completely drains your bank account.
10. Train your staff about phishing
No matter how good your email scanner is, highly targeted attacks can still get through.  That’s why it’s super important to train your staff about phishing.
11. Make sure every computer and device is secure
To be HIPAA compliant, it’s not enough to just worry about email.  Every computer, mobile phone, and tablet you use must also be secure.
12. Make sure your HIPAA Compliant Gmail password is completely secure
According to the Identity Theft Resource Center, almost 900 million records have been involved in security breaches. That’s almost three times the population of the US.
Hackers know that most people reuse the same password over and over.  When they get a password, the first thing they do is to go to other sites and try the username and password to see if they can get in.

If someone gets ahold of your email, they own you.

They can send emails to patients on your behalf.

They can reset the password on your EMR system.

They can email your bank.

Make sure your email password is completely unique.

13. Always use two-factor authentication for your email

You know those codes that get sent to your phone when you try to log on to some sites?

That’s called “two factor authentication,” and it’s incredibly important to keep your data safe and your Gmail HIPAA compliant.

HIPAA-compliant Gmail makes it very easy to turn on and use, and it’s available to everyone.

It’s critical to turn this on (go do it now!).  Even if a hacker steals your password, they won’t be able to get to your email or your PHI unless they steal your phone too.

14. Limit file sharing permissions

You can use Google Drive (the document system that comes with Google Workspace) to store and edit files that contain PHI.  However, you are still very much responsible for making sure that nobody accesses PHI that isn’t needed for their job.

The other thing you need to manage is to make sure that your users don’t accidentally share PHI with the public.

16. Monitor user activity
It’s incredibly important to monitor the usage of your Gmail system to watch for any indicators of hacking or breaches.
Thankfully, Google offers some incredibly robust capabilities for this. The most helpful reports that they offer are:
  • External Link Shared Files – any files that are publicly accessible
  • External Apps – any externally linked apps, which can pose a risk
  • Verification in 2 Step Enrollment – making sure users are on 2FA
  • Full email audit log – a full audit log of all emails sent

If you’re a paid Gmail user, log in at least once a month and check these reports for weird or unusual behavior.

17. And Finally, RTFM

“RTFM” is a highly technical term that means “Read the Freaking Manual.”

Thankfully, Google has put together a site to help paying customers fully and completely use Gmail and Google Workspace in a HIPAA-compliant fashion.

It’s called “HIPAA Compliance & Data Protection with Google Workspace.”

Mistakes Add up

Business Compliance Tip #19
 
It’s the little things…
 
Last night I held a Clubhouse room about being proactive v. reactive in our businesses. Sometimes it is the little things we don’t deem important that can cost us.
Prime example:
Practice owners end up paying fines for small mistakes all the time.
Like $111,400 in HIPAA fines for small mistakes.
I don’t think that’s fair, but that’s what a small Colorado hospital ended up paying after HHS slapped them with a fine.
Their mistakes? Simple stuff everyone makes.
First, they NEVER signed a HIPAA business associate agreement (BAA) with Google.
Second, they never set up Google Calendar the right way.
Third, they fired an employee and forgot to close access to the company’s Workspace.
Don’t make the same mistakes. Ensure you are putting systems in place to protect your business.