knowledge center
>
laws related to records management:
- HIPAA and HITECH
- Gramm-Leach-Bliley Act
- FACTA
- Privacy Act of 1974
- Economic Espionage Act
- Uniform Trade Secrets Act

Did You Know?

In 2009, CVS paid $2.25 million to the U.S. Department of Health and Human Services to settle charges that it violated the HIPAA Security Rule by dumping prescription records in dumpsters.

Information excerpted from this NAID White Paper.

Laws Related to Records Management and Disposal

Numerous data privacy regulations require you to protect certain customer and employee information when it is discarded. Other laws require secure handling and disposal of information to ensure protection of your company's trade secrets. See the following summaries of key laws and regulations, and examples of information you must protect to ensure compliance.

Data Privacy Laws: Protect Your Customer and Employee Information

Health Insurance Portability and Accountability Act (HIPAA) and
Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) 2009/2010 privacy rules protect all "individually identifiable health information" including demographic data.

Examples of individually identifiable health information that must be protected for HIPAA compliance:

Information related to the individual's physical or mental health
Data about providing health care to the individual
Health care payment records

References:

Health Information Privacy. U.S. Department of Health & Human Services.
Health Information Technology for Economic and Clinical Health Act (HITECH). U.S. House of Representatives Committee on Ways and Means. January 2009.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act enacted in 1999 includes a Privacy Rule which protects a consumer's "nonpublic personal information" (NPI) that you collect in connection with providing a financial product or service.

Examples of non-public information that must be protected for Gramm-Leach-Bliley compliance:

Information on an application such as name, address, income, Social Security number, or other information
Information from a transaction, such as the fact that an individual is consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases
Any information you get about an individual in connection with providing a financial product or service, such as information from court records or from a consumer report

References:

How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. Federal Trade Commission – Facts for Business. July 2002.

Fair and Accurate Credit Transaction Act (FACTA)

FACTA requires businesses and individuals to properly dispose of sensitive information derived from consumer reports. The Disposal Rule defines 'proper' disposal practices that could include establishing and complying with polices to burn, pulverize or shred papers containing consumer report information, and hiring a document disposal company that is certified by a recognized trade association.

Examples of consumer report information that must be properly managed for FACTA compliance:

Credit reports, credit scores, check writing history
Reports related to employment background, residential or tenant history
Insurance claims or medical history

References:

FACTA Disposal Rule Goes into Effect June 1. Federal Trade Commission - News. June 1, 2005.
Disposing of Consumer Report Information? New Rule Tells How. Federal Trade Commission – Business Alert. June 2005.

Privacy Act of 1974

The purpose of the Privacy Act is to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasion of their privacy. The Privacy Act governs the collection, maintenance, use, and dissemination of personally identifiable information maintained by federal agencies.

The Act focuses on four basic policy objectives:

To restrict disclosure of personally identifiable records maintained by agencies.
To grant individuals increased rights of access to agency records maintained on themselves.
To grant individuals the right to seek amendment of agency records maintained on themselves
To establish a code of "fair information practices" regarding the collection, maintenance, and dissemination of records.

Examples of information that must be protected for Privacy Act compliance:

Financial data such as banking information & documents, copies of checks, loan information
Medical & insurance information, including patient names & billing data
Any information containing social security numbers

References:

Overview of the Privacy Act of 1974. U.S. Department of Justice, Office of Privacy and Civil Liberties.
Why Shred? National Association for Information Destruction, Inc., www.naidonline.org. 2002.

Trade Secret Laws: Protect Your Competitive Edge

Economic Espionage Act (EEA)

The Economic Espionage Act of 1996 protects a broad range of trade secret information IF the owner has taken reasonable measures to keep such information secret, and if the information derives independent economic value from not being generally known to or accessible by the public. In other words, if you do not take reasonable precautions, your trade secrets will not be protected, even from a person who uses improper means to obtain them.

Examples of information that must be protected for EEA compliance:

All forms and types of financial, business, scientific, technical, economic, or engineering information, regardless of format
Patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes

References:

The Economic Espionage Act of 1996: An Overview. U.S. Department of Justice, U.S. Attorney's Bulletin. Updated April 26, 2005.
Dumpster Diving and Trade Secrets: Is Your Company Protecting Its Trade Secrets? National Association for Information Destruction, Inc., www.naidonline.org. March 2006.

Uniform Trade Secrets Act (UTSA)

The Uniform Trade Secrets Act (UTSA) was developed as a model law in 1979 and amended in 1985 to provide states with a legal framework for improved trade secret protection for industry.

Examples of information that must be protected for UTSA compliance:

Drafts and obsolete contracts & proposals
Market analysis, customer names & shipping data
Supplier information & purchase orders
Visitor logs & brainstorming notes

References:

Uniform Trade Secrets Act. Uniform Law Commission, The National Conference of Commissioners on Uniform State Laws – Final Acts & Legislation. 2010.
Why Shred? National Association for Information Destruction, Inc., www.naidonline.org. 2002.

Additional References:

Just the Basics: Essential knowledge on U.S. laws promoting information destruction. National Association for Information Destruction, Inc., www.naidonline.org.
The Facts of Life (about proper information destruction). National Association for Information Destruction, Inc., www.naidonline.org, NAIDnews. June 2007.
Why small offices should use a shredding service. National Association for Information Destruction, Inc., www.naidonline.org.
Recent Changes to HIPAA and the Impact on the Information Destruction Industry. National Association for Information Destruction, Inc., www.naidonline.org.
FACTA. National Association for Information Destruction, Inc., www.naidonline.org.
HIPAA. National Association for Information Destruction, Inc., www.naidonline.org.
How Outsourcing Your Shredding is More Secure. National Association for Information Destruction, Inc., www.naidonline.org.

>> back to top

For a free estimate contact:

Off-Site Records Management, LLC

1959 Monterey Road, San Jose, CA 95112 408-971-4200

sales@off-siterecords.com