The Laws Affecting Your Information Destruction Practices
Every business should destroy expired documents and data, but in many industries, information disposal is the law. Non-compliance can damage your bottom line and ruin your business reputation. Here’s an overview of several federal regulations that may affect your business:
The Fair and Accurate Credit Transactions Act (FACTA)
FACTA, one of America’s oldest privacy laws, was established in 1970 to protect consumers from identity theft. Financial institutions and creditors are required to create and implement a written Identity Theft Prevention Program to help detect and prevent identity theft. FACTA’s Disposal Rule requires businesses to take “reasonable measures to protect against unauthorized access to or use of consumer information,” including during disposal.
Family Educational Rights and Privacy Act (FERPA)
Enacted in 1972, FERPA prevents educational institutions from distributing student records to anyone other than parents or approved organizations without written permission. If student information is breached, an organization held responsible can be subject to a withholding of federal funds and payments. As a result, educational institutions must dispose of student records in a secure and verifiable manner.
Gramm-Leach-Bliley Act (GLBA)
Like FACTA, GLBA requires financial institutions to develop and maintain a written information security plan for protecting consumer information. GLBA requirements include:
- Designation of at least one employee to manage safeguards
- Risk analysis plans for each department handling personal information
- Developing, testing and monitoring an information security program
- Changing safeguards as needed
To meet these requirements, your business should have a clear and concise plan for how records are stored, controlled, accessed and destroyed.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996, establishing rules for protecting patient privacy. The law affects any organization storing, handling, and/or transmitting protected health information (PHI). HIPAA compliance is monitored and enforced by the Department of Health and Human Services’ Office of Civil Rights (OCR).
Hospitals, pharmacies, primary care providers, medical clinics are considered HIPAA “covered entities.” Organizations providing services to covered entities are considered “business associates.” Both must comply with HIPAA’s Privacy Rule and Security Rule by implementing physical, administrative and technical safeguards for PHI. Penalties for lack of compliance, including improper disposal of PHI, may result in monetary fines and possible jail time for corporate officers.
Land Shark Shredding offers NAID AAA Certified shredding and destruction services in Bowling Green and throughout southwest Kentucky. For more information, please contact us by phone or complete the form on this page.