Laws on Secure Information Destruction
Below are some of the laws relating to document destruction. The common theme of these laws is to protect sensitive consumer, employee, vendor and proprietary information while it is in the office, when it is discarded, and when it is shared with other firms, whose handling policies you are expected to know.
A key aspect of compliance is a written policy dictating how this will be done. Click on our Information Destruction Policy Consulting page for more information on how Shred Aware can assist with writing such policies. Regardless of the size of your organization, Shred Aware staff would be happy to answer any questions you might have about how to maintain the security of your documents.
HIPAA - Health Insurance Portability and Accountability Act of 1996:
HIPAA requires any organization or individual who retains or collects health-related information to have a documented policy defining the reasonable measures taken to safeguard Protected Health Information (PHI). Technically, every employer with completed health insurance applications or injury reports on file, regardless of the size of the business, must have a policy defining what it will do to prevent unauthorized access. Destroying PHI before it is discarded is an important part of HIPAA compliance. Types of information that need protection and destruction include X-rays, insurance information, medical history, billing information, notes, sign-in logs, other images and insurance claim forms.
GLBA - Gramm-Leach-Bliley Act of 1999:
GLBA requires banking and financial institutions to design, implement, and maintain methods of protecting consumer information. This law does not apply only to banks and insurance companies; it also covers services such as lending, brokering, transferring or safeguarding money, preparing tax returns, and even providing financial advice or credit counseling. Again, regardless of the size of the institution, specific plans must be in place to safeguard this information.
FACTA - Fair and Accurate Credit Transactions Act of 2003:
FACTA is geared towards reducing fraud and identity theft from discarded confidential material. It applies to almost every person and business in the United States. It requires “any person who maintains or otherwise possesses consumer information for a business purpose” to properly destroy consumer information before it is discarded.
Many businesses understand that certain types of documents are confidential and must be shredded rather than just placed in the recycling. Still, many don’t realize how many different types of documents are confidential and that there are laws in place to ensure that confidentiality is maintained.
Why is it important to use a NAID certified company?
NAID sets the standards for the information destruction industry. NAID AAA Certification is a comprehensive audit program that helps organizations meet laws and regulations requiring protection of confidential customer information:
- The FACTA Final Disposal Rule requires the destruction of all consumer information before it is discarded. Covered entities must monitor compliance of any organization contracted to destroy consumer records.
- The FACTA Red Flags Rule requires audits of data-related vendors with access to personal information of customers.
- Under HIPAA, covered entities may be subject to civil penalties for misconduct by their business associates that leads to a security breach. Working with a NAID certified vendor reduces this risk.
- Business associates of covered entities must comply with technical, administrative and physical safeguard requirements under the HIPAA Security Rule.