Round Table Discussion

FACTA, HIPAA, SOX, and GLBA are regulations put in place to keep personal and private information secure, imposing penalties on institutions that do not take precautions to do so. The Shredding Laws and Regulations Round Table looks in depth at what each set of regulations entails and the best practices for staying compliant.



Video Transcription

Shredding Laws and Regulations Round Table


Playing by the Rules

Shredding is often a strong suggestion, but in some cases it’s a requirement.

From health care and the financial industry to all public companies, there are specific laws that apply to each:

  • FACTA
  • HIPAA
  • SOX
  • GLBA



The Fair and Accurate Credit Transactions Act (FACTA) was passed and signed in 2003.

This federal law put protections against identity theft and consumer fraud in place, along with penalties for violations.


Where FACTA Applies

FACTA applies to any business or industry that maintains or possesses consumer information for a business purpose.

To comply, they must dispose of that information using reasonable measures to protect against unauthorized access to or use of the information during its disposal.


The FACTA Disposal Rule

The FACTA Disposal Rule sets requirements for proper document disposal and destruction when dealing with consumer information.

FACTA defines consumer information as personally identifying information (PII), including:

  • Full names and addresses
  • Phone numbers and e-mail addresses
  • Social security numbers
  • Driver’s license numbers


FACTA Violation Penalties

To comply with FACTA, businesses have to take “reasonable measures” to protect consumer information. Common examples include shredding or pulverizing documents.

FACTA includes both state and federal penalties for violations, and when enforced they apply to each individual violation.

At the federal level, penalties range up to $2,500 per violation, while state FACTA violations carry penalties of up to $1,000.



The Health Insurance Portability and Accountability Act (HIPAA) was passed and signed in 1996.

HIPAA is designed to prevent fraud and abuse of protected health information (PHI) by requiring health care providers to use physical and technical safeguards.

Who’s Affected

No matter how large or small, HIPAA requires all health care providers to document policies on how they protect the PHI they hold.

Common health care providers and organizations affected by HIPAA requirements include:

  • Hospitals and medical centers
  • Insurance companies
  • Physicians and other specialists
  • Dentists
  • Collection agencies


Medical Records Needing Protection

HIPAA lays out a specific list of medical records and PHI relating “to the past, present or future physical or mental health or condition of an individual” that need secure destruction.

Common examples include:

  • Patient histories
  • X-rays and diagnostic images
  • Billing and insurance information
  • Demographic data
  • Medications
  • Legal records such as advance directives and custodial agreements


HIPAA Retention Requirements

Some of the medical records and PHI affected by HIPAA also have required retention and destruction schedules:

Medical Record Type                 | Retention Period
Master Patient / Person Index       | Permanently
Patient Medical Records – Adult     | 10 years after most recent encounter
Patient Medical Records – Minor     | Age of majority plus statute of limitations
Diagnostic Images – Adult           | 5 years
Diagnostic Images – Minor           | 5 years after age of majority
Fetal Heart Monitor Records         | 10 years after age of majority
Disease Index                       | 10 years
Operative Index                     | 10 years
Physician Index                     | 10 years
Register of Births                  | Permanently
Register of Deaths                  | Permanently
Register of Surgical Procedures     | Permanently


HIPAA Noncompliance

From accidental to intentional, HIPAA hands out hefty fines for violations:

Violation Type                                      | Minimum Penalty                                                  | Maximum Penalty
Unknowing violation                                 | $100 per violation – annual cap of $25,000 for repeats           | $50,000 per violation – annual cap of $1.5 million for repeats
Violation due to reasonable cause                   | $1,000 per violation – annual cap of $100,000 for repeats        | $50,000 per violation – annual cap of $1.5 million for repeats
Violation caused by willful neglect – corrected     | $10,000 per violation – annual cap of $250,000 for repeats       | $50,000 per violation – annual cap of $1.5 million for repeats
Violation caused by willful neglect – not corrected | $50,000 per violation – annual cap of $1,000,000 for repeats     | $50,000 per violation – annual cap of $1.5 million for repeats



Passed and enacted in 2002, the Sarbanes-Oxley Act (SOX) set new standards for preventing corporate and accounting fraud in public companies.

Who SOX affects

SOX applies exclusively to public companies – this includes U.S. public company boards, management, and public accounting firms.

SOX Retention Requirements

One of the most important pieces of SOX is its set of retention and destruction periods for different records. For a full list of retention times, you can visit Shred Nations’ retention reference information.

Noncompliance Penalties

Failing to adhere to SOX requirements brings both civil and criminal penalties, which can range up to a maximum of $5,000,000 in fines and 20 years in prison.



The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Modernization Act, was passed in 1999.

GLBA applies specifically to financial institutions and requires them to take measures for protecting consumers’ PII.

The GLBA Safeguards Checklist

The GLBA requires financial institutions to put safeguards in place for protecting customer PII and to create procedures for securely destroying that information:

  • Develop and document an information security policy
  • Do a self-security audit to identify any weak points in your protections
  • Implement safeguards with a document management policy to limit access to information and track retention periods
  • Use document destruction providers whose services include safeguards such as locking shred bins and on-site destruction options for witnessed shredding
  • Ensure that when you destroy information you receive a certificate of destruction. These formal documents detail chain of custody and give proof of destruction in case of legal action

GLBA Noncompliance

Like SOX, GLBA imposes severe civil and criminal penalties for violations, with prison terms of up to 5 years.

Fines for financial institutions can range up to $100,000 per violation, and officers and directors can be fined up to $10,000 per violation.


Need Secure Destruction to Stay Compliant?

Get the full range of added security measures with on-site shredding, locking shred bins, certificates of destruction and other options.

To learn more about our services or find a shredding provider near you, call (800) 747-3365 or fill out the form on the right. You will receive free, no-obligation quotes in just a few minutes.