Shred Compliance

One reason many industries must shred documentation is federal and state legislation. Every company, regardless of size, possesses information relating to internal employees and external clients that must be kept confidential.

The following laws require certain industries to properly destroy and dispose of documentation:

Federal Legislation

HIPAA: The Health Insurance Portability and Accountability Act was enacted by Congress in 1996. It requires that healthcare facilities protect individuals' health information. It is also known as the Standards for Privacy of Individually Identifiable Health Information.

HIPAA: The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

In general, examples of proper disposal methods may include, but are not limited to:

For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.

FACTA: The Fair and Accurate Credit Transactions Act is one part of the federal Fair Credit Reporting Act and is intended to help consumers fight the growing crime of identity theft. The practice known as "dumpster diving" provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now, under new FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal. The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and businesses of any size that use consumer reports. The FTC lists the following as among those that must comply with the rule:

  • Lenders
  • Insurers
  • Employers
  • Landlords
  • Government agencies
  • Mortgage brokers
  • Automobile dealers
  • Attorneys and private investigators
  • Debt collectors
  • Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  • Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the rule.

Red Flags Rules: The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Gramm-Leach-Bliley: Also known as the Financial Services Modernization Act of 1999, this law includes provisions to protect consumers’ personal financial information held by financial institutions.

Sarbanes-Oxley: This law was enacted in 2002 in response to major corporate and accounting scandals, including those affecting Enron and Tyco International. It is also known as the “Public Company Accounting Reform and Investor Protection Act.”