Keeping up with state and federal privacy laws is a challenge for any business. There are a handful of regulations that affect how your company discards sensitive information. In this blog, we discuss how several laws impact your media destruction practices.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (healthcare providers, health plans and clearinghouses) and their business associates to implement physical, administrative and technical safeguards for protected health information (PHI). Those safeguards extend to disposal: PHI must be rendered unreadable and unreconstructable before the paper or media that holds it leaves your control. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA and added the Breach Notification Rule, under which improperly discarded records containing unsecured PHI count as a reportable breach. If an organization throws out medical records intact and PHI is exposed as a result, it can be fined by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Note the caveat in the HHS guidance on securing PHI: disposal only avoids breach treatment when paper is shredded or destroyed so that it cannot be read or reconstructed, and electronic media is cleared, purged or destroyed consistent with NIST Special Publication 800-88.
If you are audited by OCR, written documentation of your disposal practices is your evidence of due diligence. Keep a written disposal policy, and use a media destruction service that issues a Certificate of Destruction each time your documents or media are destroyed. This document, which records the date of destruction and the method used, can be helpful when called upon to prove your due diligence.
The Fair and Accurate Credit Transactions Act (FACTA) requires organizations that handle consumer report information to protect that personally identifiable information (PII). The law's Disposal Rule applies not only to financial institutions but to any business that obtains or uses consumer reports, and it directly governs how documents and data are discarded. It states that "any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
FACTA non-compliance penalties include civil liability and possible state and federal penalties. If large numbers of consumers are affected, non-compliant organizations may face class action suits. The Federal Trade Commission's (FTC) examples of reasonable measures include burning, pulverizing or shredding paper records so the information cannot practicably be read or reconstructed, and "implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed." Simply deleting files or formatting a drive does not meet that standard; the media must be wiped or physically destroyed.
Enacted in 1974, the Family Educational Rights and Privacy Act (FERPA) gives parents the right to inspect their children's education records, with those rights transferring to the student at age 18 or upon enrollment in a postsecondary institution. It prohibits educational institutions from disclosing personally identifiable information from student records without written consent, except under the law's specific exceptions. Institutions found in violation risk losing federal education funding. As a result, educational institutions must dispose of student records securely when they are no longer needed. If your organization collects confidential student data, a secure media destruction service can make sure it is disposed of properly.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop and maintain a written information security program for protecting customer information. The act comprises three principal parts:
- The Financial Privacy Rule
- The Safeguards Rule
- Pretexting Provisions
The Financial Privacy Rule governs how customer information is collected and disclosed. The Safeguards Rule requires financial institutions to maintain an enforceable written security program; the FTC's amended Safeguards Rule (16 CFR Part 314) also requires procedures for the secure disposal of customer information in any format no later than two years after it was last used, unless retention is necessary for business operations or another legitimate business purpose. The Pretexting Provisions forbid obtaining customer information under false pretenses, such as by impersonating the customer. Without a documented media destruction plan, your company may face civil penalties of up to $100,000 per violation of GLBA provisions, and responsible officers and directors may be personally liable for up to $10,000 per violation.
For more information about media destruction best practices and how to make sure your organization is compliant with state and federal privacy laws, please contact us by phone or complete the form on this page.
Records Management Center provides businesses throughout Augusta, Evans, Thomson, Martinez, GA, Aiken, SC, as well as the Central Savannah River Area, with professional shredding and destruction solutions.