Federal Privacy Laws and Your Information Disposal Obligations
Every organization must understand its obligations under federal privacy law. Non-compliance carries heavy repercussions, including monetary fines and possible criminal prosecution for corporate officers. In this blog, we provide a summary of several federal privacy laws that may affect your business and how it disposes of information:
The Health Insurance Portability and Accountability Act (HIPAA)
Physicians, hospitals, pharmacies and other organizations that handle and transmit protected health information (PHI) must adhere to HIPAA requirements. HIPAA’s Privacy Rule and Security Rule require business associates to implement physical, administrative, and technical safeguards for PHI. These safeguards extend to the secure destruction of patient records. HIPAA compliance is monitored and enforced by the Department of Health and Human Services’ Office of Civil Rights (OCR). Penalties for lack of compliance include monetary fines as well as possible jail time.
The Fair and Accurate Credit Transactions Act (FACTA)
FACTA requires financial institutions to protect personally identifiable information (PII). FACTA’s Disposal Rule requires proper disposal of information to protect against “unauthorized access to or use of the information.” Therefore, if your business collects consumer data such as credit applications, it should be disposed of according to Disposal Rule guidelines.
Family Educational Rights and Privacy Act (FERPA)
FERPA prevents educational institutions from distributing student records to anyone other than parents or approved organizations without written permission. If student information is breached, the organization held responsible can be subject to a withholding of federal funds and payments. If your organization is an educational institution, it must have a secure disposal solution for student records to ensure compliance with FERPA.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions and government agencies to protect financial data from unauthorized access. Under the act’s Financial Privacy Rule, consumers must be provided with a privacy notice that explains the following:
- How information is collected
- Where that information is shared
- How the information is used
- How it’s protected
If your business provides financial services, it must maintain a written policy that outlines how consumer records are stored, controlled, accessed, and disposed of. We hope this summary helps you understand your obligations concerning federal privacy regulations. A National Association for Information Destruction (NAID) AAA Certified shredding and destruction company can make sure your information disposal practices align with mandated requirements. Check with your attorney to confirm any additional local, state, and federal obligations.
Richards & Richards offers NAID AAA Certified secure document shredding and media destruction services for businesses throughout Nashville.