Security

Future Shredding and the laws.

WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a Federal law to prevent abuses of personal health information (PHI), including unauthorized access. It is administered by the U.S. Department of Health and Human Services (HHS) and it is enforced by the U.S. Office of Civil Rights.

WHO IS A "COVERED ENTITY"?
Institutions that must comply with HIPAA are called Covered Entities. Covered Entities include any and all organizations or individuals who retain or collect health-related information. This includes larger institutions such as hospitals, medical centers, and insurance companies.
There are also SMALL COVERED ENTITIES such as:


Doctors – Dentists – Chiropractors – Psychiatrists – Psychologists – Counselors – Urgent Care Centers – Billing Centers – Physical Therapists – Collection Agencies

Technically, EVERY EMPLOYER in the United States with completed health insurance applications or injury reports on file is considered a SMALL COVERED ENTITY under HIPAA.
According to HIPAA, EVERY COVERED ENTITY, regardless of size, must have documented policies defining the reasonable measures it has instituted to prevent unauthorized access.

DESTROYING ALL DISCARDED PATIENT INFORMATION IS A VERY IMPORTANT REQUIREMENT OF HIPAA.

PROTECTED HEALTH INFORMATION … DEFINED

Protected Health Information (PHI) is the classification which the HHS has given to personal patient information for which unauthorized release is now a criminal offense.

PHI includes: Diagnosis – Prescription – Billing Information – Medical History – Therapeutic Advice – Notes – Appointment Memo – Phone Messages – Sign-in Logs – Voice Recorded Transcripts – X-rays and Other Images – Insurance Information – Claim Forms – Copies of Forms

DISCARDING PROTECTED HEALTH INFORMATION
EVERY COVERED ENTITY HAS THE NEED TO COLLECT AND DISCARD PROTECTED HEALTH INFORMATION. CASUALLY DISCARDING PHI IN THE TRASH IS NO LONGER REASONABLE OR ACCEPTABLE.

It is only a matter of time before the Office of Civil Rights, auditors and the media start testing the effectiveness of HIPAA. Consumer awareness of and interest in privacy protection are at an all-time high. It is the reason laws such as HIPAA are being created and enforced.

To ensure compliance with HIPAA, many COVERED ENTITIES now destroy all discarded information.

THIS ALSO INCLUDES INFORMATION ON COMPUTERS. DELETING INFORMATION DOES NOT ERASE IT. IT MUST BE DESTROYED.

FACTA

What is FACTA?
FACTA is a federal law designed to minimize the risk of identity theft and consumer fraud by enforcing the proper destruction of consumer information. The Federal Trade Commission of the United States (FTC) developed the Disposal Rule in November 2004 to further implement the policies set forth in FACTA. The Disposal Rule applies to businesses that utilize consumer information; however, it affects every person and business in the United States.

The FACTA Disposal Rule, effective June 1, 2005, states that “any person who maintains or otherwise possesses consumer information for a business purpose” is required to dispose of discarded consumer information, whether in electronic or paper form. The Disposal Rule further clarifies the definition of compliance as “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” These “reasonable measures” include:

•Burning, pulverizing, or shredding of physical documents.
•Erasure or destruction of all electronic media.
•Entering into a contract with a third party engaged in the business of information destruction.

Virtually every company operating in the United States is required, as of June 2005, to securely destroy all documents and material that contain sensitive consumer information. Specifically, this rule applies to:

•Businesses that use consumer information in their everyday operations, such as banks, lenders, insurers, auto dealers, realtors, employers.
•Service providers that store consumer reports and information such as record management and information management companies.
•Service providers that destroy information, such as shredders, recyclers, waste management or technology disposal companies.

The most important fact for any company to know is that your company can be held liable for the loss of information to identity theft or corporate espionage if the data was taken from your company due to your negligence. Privacy laws such as FACTA, HIPAA, GLB, FERPA and Sarbanes-Oxley ensure this. The trash bin, dumpster and other disposal areas are the primary sources of data for information thieves. If the document, film, CD, DVD, disk or tape originated from your company, then you may have to pay up to millions of dollars in liability. It is your company’s responsibility to ensure that all such information is kept completely secure through the implementation of an internal compliance policy. Afterwards, it should be destroyed in a similarly secure manner.
The best way for a company to ensure safe destruction of information is to engage a professional company such as Future Shredding Inc. In fact, using a professional service will result in a 25% savings for your company compared with the use of in-house office shredders. This is because in-house office shredders require man-hours from your existing staff, taking them away from their core duties and responsibilities. It is also an added burden on them, considered drudge work, which may affect their overall morale and productivity. You also have to take into consideration the cost of equipment acquisition, maintenance, repair and replacement. Furthermore, when you do the document shredding yourself in the office, you will not have a written verification of secure destruction, which is required by law for your records and auditing.