Compliance
Briefly described below are several federal laws (and one Texas statute) and the record-handling requirements they impose.
Health Insurance Portability & Accountability Act (HIPAA)
This federal law, passed by Congress in 1996, together with the accompanying Privacy Rule (issued in 2000 and amended in 2002), applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and restricts how they may use and disclose Protected Health Information (PHI). PHI is individually identifiable health information: health, medical, payment or demographic information that identifies, or could reasonably be used to identify, the individual. This includes but is NOT limited to names, addresses, phone numbers, e-mail addresses, photographs, charts, test results and medical records. In general, covered entities must ensure that only authorized personnel handle PHI, and then only for purposes permitted by the law and regulation. Since Feb. 17, 2010, under the HITECH Act, the administrative, physical, and technical safeguard standards and implementation specifications of the Security Rule apply to business associates in the same manner that they apply to covered entities.
NARA - 36 CFR 1234
Professional Data Storage & Delivery, Inc. is one of the few commercial records management companies whose facilities meet the 36 CFR Part 1234 standards. Key NARA (National Archives and Records Administration) requirements cover facility perimeter, entry and interior security; fire safety and suppression; fire-resistant construction materials; and environmental controls. These federal regulations set specific requirements for every facility that stores federal records, including NARA-operated Federal Records Centers, agency-operated storage centers, and commercial records centers.
The Health Information Technology for Economic and Clinical Health (HITECH) Act
The U.S. Department of Health and Human Services (HHS) issued an interim final rule with request for comments on Oct. 30, 2009, to strengthen its enforcement of the rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision in a calendar year. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
The interim final rule with request for comments published on Oct. 30, 2009, conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act. It was posted for comment at www.regulations.gov, became effective on Nov. 30, 2009, and HHS considered all comments received by Dec. 29, 2009.
“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” said Georgina Verdugo, the director of HHS Office for Civil Rights (OCR). OCR is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules.
“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Verdugo. “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act’s enforcement provisions. The remaining provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings. Additional information about HIPAA and several related rulemakings may be found on OCR’s Web site: http://www.hhs.gov/ocr/privacy/.
Fair and Accurate Credit Transactions Act (FACTA)
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) was designed to protect consumers from the increasingly common crime of identity theft. Its Disposal Rule, effective June 1, 2005, applies to any business or individual that possesses consumer information derived from consumer reports and requires reasonable measures to protect against “unauthorized access to or use of” that information when it is discarded: paper records must be destroyed by shredding, burning or pulverizing, and electronic media must be destroyed or erased so that the information cannot practicably be read or reconstructed.
The Red Flags Rule
Identity thieves use people’s personally identifying information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses. Financial institutions and creditors are required to implement a program to detect, prevent, and mitigate identity theft.
The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued regulations (the Red Flags Rules) under the Fair and Accurate Credit Transactions (FACT) Act of 2003 requiring financial institutions and creditors to develop and implement written identity theft prevention programs. The original compliance date was November 1, 2008; the FTC delayed enforcement several times, finally to December 31, 2010, after the Red Flag Program Clarification Act of 2010 narrowed the definition of “creditor.” The programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
The Gramm-Leach-Bliley Act (GLB)
This 1999 act (also known as the Financial Services Modernization Act) modernized the financial services industry and, in Title V, regulates how financial institutions handle the nonpublic personal information they collect in the course of business. Its Financial Privacy Rule requires financial institutions to give customers clear notice of their privacy practices, and its Safeguards Rule requires them to maintain a written information security program with administrative, technical and physical safeguards for that information.
The Sarbanes-Oxley Act (SOX)
This act was passed in 2002 in response to the corporate and securities fraud scandals making news at the time. It is extremely detailed and imposes a wide range of requirements on public companies. Section 802 makes the “destruction, alteration, or falsification of records in Federal investigations and bankruptcy” (18 U.S.C. § 1519) and the “destruction of corporate audit records” (18 U.S.C. § 1520) federal crimes, punishable by fines and imprisonment of up to 20 years and 10 years respectively.
Shredding documents is not to be taken lightly: shredding the wrong records, or shredding them at the wrong time, can be a devastating mistake. Because Professional Data Storage also specializes in Records Management, we are well placed to ensure that your documents are handled properly. We will even send our experts to your location to handle the filing and purging of your important information.
The Economic Espionage Act
This act, passed in 1996, concerns trade secrets and their theft. While you would never knowingly steal or sell trade secrets, the act makes clear that large fines and possible imprisonment await any person or organization who “without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys” a trade secret. The act protects only information whose owner has taken reasonable measures to keep it secret, so intact documents discarded in a publicly accessible dumpster may forfeit that protection; shredding trade-secret material is therefore essential. It is also cost-effective, considering that organizations convicted under the act can be fined up to $5 million for trade secret theft and up to $10 million for economic espionage benefiting a foreign government.
Identity Theft Enforcement and Protection Act of 2005
The Identity Theft Enforcement and Protection Act (the “ITEP Act”), a Texas statute, makes it a legal duty for businesses to protect and safeguard sensitive personal information.
Similar to the Gramm-Leach-Bliley Act, the ITEP Act requires businesses that collect or maintain sensitive personal information in the regular course of business to implement and maintain reasonable procedures and corrective measures to protect and safeguard that information from unlawful use or disclosure. Furthermore, the ITEP Act includes a “dumpster diving” provision requiring companies to destroy customer records no longer in use by shredding, erasing, or otherwise modifying the records to make the information unreadable or undecipherable.
The ITEP Act not only allows the Attorney General to seek a permanent injunction, but also exposes each defendant to a civil penalty of at least $2,000 and up to $50,000 for each violation.
Total of Security Breaches Nationwide Tops 218 Million Records
Think a security breach can’t happen to your organization? Think again! Since it began tracking security breaches in January 2005, the Privacy Rights Clearinghouse (privacyrights.org) reports that over 218 million records containing confidential information, across every imaginable industry, have been compromised.