Record Retention Laws & Compliance

HIPAA is a federal law enacted to prevent breaches and abuses, and unauthorized access of private health information. HIPAA puts very strict guidelines on the healthcare industry to ensure that healthcare organizations are responsible for the secure disposal of patient information. HIPAA is administered by the U.S. Department of Health and Human Services, and it is enforced by the U.S. Office of Civil Rights.

HIPAA applies to any and all organizations or individuals who retain or collect health-related information. Failure to destroy health information is no longer reasonable or acceptable and there are significant consequences. All Points Mobile Shredding provides HIPAA compliant destruction of medical records, patient documents, and more. We also provide HIPAA compliance training for you and your office.

For more information on HIPAA, visit https://www.hhs.gov/ocr/privacy/ or download SUMMARY OF THE HIPAA PRIVACY RULE

GLBA includes provisions to protect consumers’ personal financial information held by financial institutions. The term “financial institutions” includes not only banks, securities firms, and insurance companies, but also companies providing other types of financial services and products to consumers. GLBA requires banks to develop privacy notices and provide customers with the option of prohibiting the sharing of their confidential information with third parties.

On July 1, 2001, GLBA was amended to require that financial institutions have a comprehensive, written information security program, which includes the proper destruction of documents. All Points Mobile Shredding provides GLBA-compliant on-site document shredding and can provide related training for your employees.

For more information on The Gramm-Leach-Bliley Act visit https://www.ftc.gov/privacy/privacyinitiatives/glbact.html

FACTA mandates that businesses properly dispose of documents containing consumer information. Businesses are required to take proper and appropriate measures to destroy all consumer reports in such a manner that they can not be reconstructed or reread. Non-compliance with FACTA constitutes a violation of the law and can result in fines, class action lawsuits, and legal enforcement actions brought by federal and state authorities. All Points Mobile Shredding provides FACTA-compliant on-site document shredding and can provide training for your employees.

For more information on FACTA, visit https://www.ftc.gov/news-events/press-releases/2005/06/facta-disposal-rule-goes-effect-june-1

The Red Flags Rule is part of FACTA and is enforced by the Federal Trade Commission. It requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. Such a program can help businesses identify suspicious patterns and prevent the costly, long-term consequences of identity theft.

The Red Flags Rule tells you how to develop, implement, and administer an identity theft prevention program. Your program must include four basic elements that create a framework to deal with the threat of identity theft:

1. Reasonable policies and procedures to identify the red flags of identity theft that may occur in your day-to-day operations. Red Flags are suspicious patterns, practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that does not look genuine is a “red flag” for your business.
2. Methods for detecting the red flags you’ve identified. If you have identified fake IDs as a red flag, for example, you must outline your techniques for detecting possible fake, forged, or altered identification.
3. Spell out appropriate actions you’ll take when you detect red flags.
4. Detail how you will keep your program current to reflect new threats.

The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts.” This determination is not based on the industry or sector, but instead on whether an organization’s activities fall within the relevant definitions. A business must implement a written program only if it has covered accounts.

For more information on the Red Flags Rule, visit https://www.redflagrules.net/General_Requirements.html

The Florida Legislature recently passed the Florida Information Protection Act of 2014 (FIPA). FIPA is effective as of July 1, 2014.

FIPA replaces Florida’s existing data breach notification law. It has a reactive component covering what companies must do after a breach. FIPA also has a proactive component providing what companies must do to protect personally identifiable information within their control regardless of whether they ever suffer a breach. FIPA governs “covered entities.” A covered entity is a commercial entity that acquires, maintains, stores or uses personally identifiable information. A “breach” triggering FIPA is the unauthorized access of data in electronic form containing Personally Identifiable Information (PII). FIPA applies only to PII in electronic form, though an argument can be made that the secure disposal requirement under the FIPA applies to PII in any form given its use of the term “shredding.”

Covered entities are required under FIPA to notify the Florida Office of the Attorney General in the event of a breach. FIPA also requires that notice be given within 30 days to the individuals affected by the breach. A covered entity that does not properly notify affected individuals or the Attorney General may be fined up to $500,000 per breach, depending on the number of days which the covered entity is in violation of the FIPA.

For more information on the FIPA legislation, visit https://www.datasecuritylawjournal.com/files/2014/05/FIPA.pdf

Under FIPA, PII is defined as a first name or first initial and last name in combination with any of the following:

• Social security number
• Driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
• Financial account number or credit or debit card number, in combination with any security code, access code, or password that is necessary to permit access to an individual’s financial account
• Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
• Individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual

PII also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.

For more information on FIPA visit https://www.datasecuritylawjournal.com/files/2014/05/FIPA.pdf

To learn about the IRS Record Retention Policy click on the link below.

https://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/How-long-should-I-keep-records

The following link provides information on Florida laws concerning record retention.

https://dos.myflorida.com/library-archives/records-management/general-records-schedules/