Friday, February 18, 2011

Legal Requirements of a Registered Office for Your Company

It is a legal requirement for every company which is registered in the UK to provide an official address for the public register. This address is where government organisations such as Companies House, HMRC and UK tax authorities will contact your business with important reminders and serve legal notices. The registered office of a company is displayed on Companies House registers which can be accessed online.

A company's registered office must be able to receive letters and documents related to the company. A Post Office Box therefore cannot be used as the official address, as Companies House does not permit it. This legal address must be situated in England or Wales, unless the company is registered in Scotland, in which case the company must provide an address in Scotland as the recorded location.

The registered office address must be displayed on all official stationery and correspondence with clients, such as invoices and letters. The company name must also be displayed outside of the registered office address as a legal requirement. Since the introduction of the Companies Act 2006 it is also a legal requirement to display your registered office address on your websites.

Any changes which are made to the registered address must be recorded at Companies House. This can be done by filing an AD01 form either online using the registrar's online webfiling service or by completing the form and sending it to Companies House by post. This will ensure important documents and notices relating to your company are not sent to the wrong address as this could lead to your company being struck off and dissolved.

A company's trading address does not have to be the same as its registered office address. Using a service provider can therefore be very beneficial for owners of small businesses, particularly those who trade from their home address, as it prevents their private details being displayed on Companies House registers. The data on the public register can be accessed online. Using an address service provider may also be useful to business owners who own a UK limited company and live outside of the UK, as their company must legally provide a registered office within the UK.

Using a service provider can also prevent junk mail being forwarded to people's home address, as the provider can filter out obvious junk mail and forward relevant mail such as accounts notices, annual return reminders and HMRC letters. This will ensure your company files the necessary forms to maintain accurate and up-to-date company records, which will prevent penalties being incurred.

How the HITECH Act Impacts a Business Associate

HIPAA compliance requirements have been greatly changed with the American Recovery and Reinvestment Act (ARRA) and its Title XIII called the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this new law, business associates are now accountable for the privacy and security requirements that previously were required only by covered entities. In addition, a business associate is now subject to civil and criminal penalties. This also includes a provision that lets patients receive financial compensation for a violation of their privacy.

This new federal law has added strength to the enforcement portion of the law. The significant changes include:

  • Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now accountable legally.
  • There is a requirement for HHS to formally investigate any complaints and to impose civil penalties for violations of the rules if the violation is due to "willful" neglect.
  • The law requires that any civil monetary penalties or monetary settlements as a result of a violation of the rules be sent to the Office of Civil Rights (OCR) for enforcement of the privacy and security rules.
  • Civil monetary penalties now have a tiered system ranging from $100 to $50,000 depending on the offense.
  • The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
  • The State Attorneys General now have the authority to bring suit in district courts for any violation on behalf of the residents of their state.

What Steps Should a Business Associate Take to Be Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate, but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand that if your contract is directly with the covered entity, you are a business associate and all of the new laws do apply to you.

Some things you need to consider include:

  • Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee, and you can use a consultant if that works best for you. However, it is critical that you have this person identified.
  • Encryption of all electronic files. The HITECH Act has made the use of encryption the one thing that provides a "safe harbour" for not having a breach. Data that is not encrypted is considered unsecured according to the law. While you may already be using encryption for data transfers, this law also requires that information be encrypted while "at rest." This may require that you add encryption to all electronic files that are stored anywhere on your system. If you are in medical transcription, remember that this will also include the voice files stored on any dictation system. The Secretary of HHS will review these standards annually for any changes.
  • Breach notifications. While HIPAA has always required that a business associate notify their client of any breaches of information, the law now makes you responsible for being sure the notification is done. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breach notifications must be kept for six years.
  • Be sure you are compliant with both the privacy and security rules. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis done. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails for who accesses protected health information.
  • Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
  • Another significant change is that business associates are now responsible for trying to stop any violations by the covered entity (their client). This includes things even up to canceling your contract with a client who refuses to fix a violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
  • Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation to show that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.