FACTA, HIPAA, SOX, and GLBA are regulations put into place to keep personal and private information secure, imposing penalties on institutions that do not take precautions to do so. The Shredding Laws and Regulations Round Table goes in depth into what each set of regulations entails and the best practices for staying compliant.
Shredding Laws and Regulations Round Table
Playing by the Rules
Shredding is often a strong suggestion, but in some cases it’s a requirement.
From health care and the financial industry to all public companies, there are specific laws that apply to each:
The Fair and Accurate Credit Transactions Act (FACTA) was passed and signed in 2003.
This federal law put in place protections against, and penalties for, identity theft and consumer fraud.
Where FACTA Applies
FACTA applies to any business or industry that maintains or possesses consumer information for a business purpose.
To comply, they must dispose of that information using reasonable measures to protect against unauthorized access to or use of the information during its disposal.
The FACTA Disposal Rule
The FACTA Disposal Rule places requirements for proper document disposal and destruction when dealing with consumer information.
FACTA defines consumer information as personally identifying information (PII), including:
- Full names and addresses
- Phone numbers and e-mail addresses
- Social security numbers
- Driver’s license numbers
FACTA Violation Penalties
To comply with FACTA, businesses have to take “reasonable measures” to protect consumer information. Common examples include shredding or pulverizing documents.
FACTA includes both state and federal penalties for violations, and when enforced they apply for each individual violation.
At the federal level, penalties range up to $2,500 per violation, while state FACTA violations carry penalties of up to $1,000.
The Health Insurance Portability and Accountability Act (HIPAA) was passed and signed in 1996.
HIPAA is designed to prevent fraud and abuse of protected health information (PHI) by requiring health care providers to use physical and technical safeguards.
No matter how large or small, HIPAA requires all health care providers to document policies on how they’re protecting their PHI.
Common health care providers and organizations affected by HIPAA requirements include:
- Hospitals and medical centers
- Insurance companies
- Physicians and other specialists
- Collection agencies
Medical Records Needing Protection
HIPAA lays out a specific list of medical records and PHI relating “to the past, present or future physical or mental health or condition of an individual” that need secure destruction.
Common examples include:
- Patient histories
- X-rays and diagnostic images
- Billing and insurance information
- Demographic data
- Legal records such as advanced directives and custodial agreements
HIPAA Retention Requirements
Some of the medical records and PHI affected by HIPAA also have required retention and destruction schedules:
| Medical Record Type | Retention Period |
|---|---|
| Master Patient / Person Index | Permanently |
| Patient Medical Records – Adult | 10 years after most recent encounter |
| Patient Medical Records – Minor | Age of majority plus statute of limitations |
| Diagnostic Images – Adult | 5 years |
| Diagnostic Images – Minor | 5 years after age of majority |
| Fetal Heart Monitor Records | 10 years after age of majority |
| Disease Index | 10 years |
| Operative Index | 10 years |
| Physician Index | 10 years |
| Register of Births | Permanently |
| Register of Deaths | Permanently |
| Register of Surgical Procedures | Permanently |
From accidental to intentional, HIPAA hands out hefty fines for violations:
| Violation Type | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Unknowing violation | $100 per violation – annual cap of $25,000 for repeats | $50,000 per violation – annual cap of $1.5 million for repeats |
| Violation due to reasonable cause | $1,000 per violation – annual cap of $100,000 for repeats | $50,000 per violation – annual cap of $1.5 million for repeats |
| Violation caused by willful neglect – corrected | $10,000 per violation – annual cap of $250,000 for repeats | $50,000 per violation – annual cap of $1.5 million for repeats |
| Violation caused by willful neglect – not corrected | $50,000 per violation – annual cap of $1,000,000 for repeats | $50,000 per violation – annual cap of $1.5 million for repeats |
Passed and enacted in 2002, the Sarbanes-Oxley Act (SOX) set new standards for preventing corporate and accounting fraud in public companies.
Who SOX affects
SOX applies exclusively to public companies – this includes U.S. public company boards, management, and public accounting firms.
SOX Retention Requirements
One of the most important pieces of SOX is the set of retention and destruction periods for different types of records. For a full list of retention times, you can visit Shred Nations’ retention reference information.
Failing to adhere to SOX requirements brings both civil and criminal penalties, which can range up to a maximum of $5,000,000 in fines and 20 years in prison.
The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Modernization Act, was passed in 1999.
GLBA applies specifically to financial institutions and requires them to take measures for protecting consumers’ PII.
The GLBA Safeguards Checklist
The GLBA requires financial institutions to put safeguards in place to protect customer PII and to create procedures for securely destroying that information:
- Develop and document an information security policy
- Do a self-security audit to identify any weak points in your protections
- Implement safeguards with a document management policy to limit access to information and track retention periods
- Use document destruction providers whose services include safeguards such as locking shred bins and on-site destruction options for witnessed shredding
- Ensure when you destroy information you receive a certificate of destruction. These formal documents detail chain of custody and give proof of destruction in case of legal action
Like SOX, GLBA imposes severe civil and criminal penalties for violations, with prison terms of up to 5 years.
Fines for financial institutions can range up to $100,000 per violation, and officers and directors can be fined up to $10,000 per violation.
Need Secure Destruction to Stay Compliant?
Get the full range of added securities with on-site shredding, locking shred bins, certificates of destruction and other options.
To learn more about our services or find a shredding provider near you, call (800) 747-3365 or fill out the form on the right. You will receive free, no-obligation quotes in just a few minutes.