Staying Compliant as a Business

As a business, you are responsible for the protection of any personal or financial information that you collect from your customers or clients – up to, and even after, the disposal of any documents including this information.

Javelin Strategy & Research reports that in 2011 identity fraud increased by 13 percent. More than 11 million adults became a victim of identity fraud in the United States. While a large portion of these cases were the result of high-profile data breaches in computer systems, a significant number of cases are still the result of information contained in paper documents falling into the wrong hands. To combat this growing crime, the Federal government has passed a number of laws.

Records are vulnerable as long as they exist in a form that can be deciphered. Further, sensitive information retained for an unnecessarily long period of time, or disposed of through dumpsters or recycle bins, represents a liability (a recent Supreme Court ruling has classified anything in a dumpster as public property). Below are some guidelines

For All Businesses

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires that all businesses, regardless of size or industry, protect and dispose of sensitive and personal data they collect about their customers. If you are not compliant with FACTA, you are breaking the law.

  • Is your business able to prove that documents are shredded in a FACTA compliant manner? In order to be compliant, your company needs to have documentation of what was shredded and when it was shredded. You can easily achieve this by hiring a professional document shredding service that will provide you with a “Certificate of Destruction” each and every time they shred documents for your company. These certificates should be kept on record.

  • Do you have regularly scheduled shredding occurring on a consistent basis? If not, you could be liable for storing excess personal records. Your company needs to have a consistent and regular schedule set up for shredding sensitive documents, and that schedule should be strongly adhered to.

  • Does your business offer regular training in regards to storage and shredding of documents for all personnel? Everyone in your company should know what to shred and the procedures to make sure it happens within FACTA’s guidelines.

Following the above guidelines will help your business stay FACTA compliant, which is a legal necessity. Take the steps you need to take today to protect your business and your customers. Records related to tax filings should be retained for seven years and transactional information should be retained between three to five years. Documentation related to a legal agreement should be kept indefinitely.

For the Medical Industry

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form. This includes all health care providers, regardless of practice size. Other affected organizations include pharmacies, medical plans, HMOs, company health plans and billing services.

Covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. The disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant extra care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination or harm to an individual’s reputation. Proper disposal methods include shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed. Shredding is the most economical, timely and environmentally conscious method of those described.

  • May a covered entity dispose of protected health information in dumpsters accessible by the public? No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed prior to it being placed in a dumpster. In general, a covered entity may not dispose of PHI in paper records, hospital identification bracelets, electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons. Depositing PHI in a trash receptacle generally accessible by the public or other unauthorized persons is not an appropriate privacy or security safeguard according to HIPAA.

  • May a covered entity hire an outside business to dispose of protected health information? Yes, a covered entity may hire an outside business to appropriately dispose of protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires that service provider to appropriately safeguard the PHI through disposal. A covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and recycle the material or deposit it in a landfill.

  • Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time? No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. According to the Ohio Revised Code, medical records should be retained for at least six years. Services related to Federal Medicaid claims must be kept seven years.

For the Financial Industry

The Gramm-Leach-Bliley Act covers many aspects of operating a financial institution, including the protection of consumer information. The act defines “financial institutions” as not just banks, but also non-bank mortgage lenders, real estate appraisers, loan brokers, financial or investment advisers, debt collectors, tax return preparers, banks, and real estate settlement service providers. While the act does specifically list the requirements for shredding, it does establish the following:

Each organization has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

  • To insure the security and confidentiality of customer records and information

  • To protect against any anticipated threats or hazards to the security or integrity of such records

  • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

It is implied that any material that contains “personal identifiers” should be discarded with the utmost care to preserve its confidentiality. Using a secure shredding service is one of the best ways to do that.

Conclusion and Summary

While destroying sensitive documents is not explicitly mandated law, there are many practical reasons to do so. What damage can be done to your business or organization if a document falls into the wrong hands? What happens if a competitor finds your recent price quote? If an employee finds company payroll information? What if a stranger finds a credit card statement? Worse yet is the legal liability involved with not having a document retention and destruction policy that is closely followed. If you destroy an old document after you might have reason to believe it may be requested in legal proceedings, the consequences may be severe; this would not be the case if the document no longer exists because you were following your retention and destruction policy.

Here are the major points to remember:

  • Identity theft and other fraudulent use of information is a growing crime

  • Laws are becoming much stricter in how organizations handle documents

  • You are responsible for anything that may happen with the information you generate or posses

  • A document retention and destruction policy is highly recommended for your business

  • MOST all documents may be destroyed after seven years; many much sooner

  • A third party document shredding service is the safest and most cost effective way to ensure safety
  • paper shredder