HIPAA and FACTA are federally mandated legislative acts intended to protect patients and consumers from identity theft.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law mandating higher standards of privacy and security for health-related information. Healthcare offices, including private practices, nursing homes, health insurance offices, hospitals and state supported clinics are all subject to HIPAA regulation. Shredding sensitive documents prior to disposal is a key component of HIPAA compliance.
In the rush to be prepared for the initial compliance dates, many facilities purchased low cost shredders and soon found they could not handle the volume. In reaction, many contracted with outside shredding services. Today, these services are increasingly being called into question due to the high costs involved and whether or not they are truly secure. More and more compliance officers are finding that a centralized shredding program with high quality, industrial grade shredders is the better policy. The initial equipment cost will be quickly offset by no longer having to pay the high (and always increasing) service fees. And because no documents are leaving the facility intact, security is greatly increased.
HITECH HIPAA raises the bar even higher
The Health Information Technology for Economic and Clinical Health (HITECH) provisions to HIPAA were signed into law in February of 2009. The HITECH Act expands HIPAA’s coverage, increases compliance obligations, and greatly strengthens enforcement penalties. The regulations, developed by the Health and Human Services Office for Civil Rights, require HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals (breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis). The regulations also require covered entities to ensure that their business associates (including shredding services) fully comply with HIPAA provisions.
Through the $31.2 billion legislation, HHS is getting more tools and staff to enforce HIPAA, and states’ attorneys general can bring civil actions. If there is a breach of protected health information through “willful neglect,” it could cost $25,000 per incident if the hospital moves to fix the security weakness and $50,000 per incident if it doesn’t, up to a maximum of $1.5 million per year.
The enactment of the HITECH provisions to HIPAA should cause every healthcare facility in America to closely examine its security policies and procedures. With compliance expenses on the rise and many budgets on the decline, there has never been a better time for healthcare providers to consider the security and cost-saving advantages of in-house document destruction.
FACTA laws make shredding more important than ever
Shredding documents prior to disposal has always been a vital step in preventing identity theft, but the introduction of the Disposal Rule section of the FACTA security law makes shredding a necessity for businesses of any size, as well as individuals who employ even one person.
FACTA Disposal Rule defined
The Fair and Accurate Credit Transactions Act (FACTA) was enacted by Congress to minimize the risk of identity theft and consumer fraud. The Disposal Rule section of FACTA states that any person who possesses consumer or employee information for a business purpose is required to properly dispose of the information. This includes information used to establish eligibility for credit, insurance, or employment. The Disposal Rule was developed to cut down on identity theft by restricting the ability of thieves to “dumpster dive” for consumer information contained in discarded business records. It goes on to say that all employers must take reasonable measures to protect against unauthorized access to information in connection with its disposal. These measures include the burning, pulverizing, or shredding of physical documents and the erasure or destruction of all electronic media. The main difference between FACTA and other security laws such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley is that it does not affect a single industry: it affects every business in America.