Laws & Compliance
Information security and destruction has never been more important than it is right now. Unlike Europe, the United States does not have a comprehensive data protection and privacy law. Instead, we rely on a diverse and often complicated set of federal and state laws, mixed with agency and industry regulations, to define and prosecute violations. This can make it difficult to determine what you must do to fully comply with current provisions. To make matters even more complicated, several states have recently passed or are actively considering new privacy and data protection provisions, and in some cases comprehensive privacy laws, which may even stretch beyond state borders.
Data protection and privacy legislation can differ widely depending on your state and industry, but the common concepts are due diligence and reasonability. If your company can demonstrate that reasonable steps were taken to protect and properly dispose of information, the standard of reasonability will protect the company from prosecution and civil liabilities. However, this standard can be a moving target, so we encourage our consumers to seriously consider either educating themselves on the regulations they must comply with or using a NAID AAA certified third party for the disposal and storage of their records. Here we will attempt to simplify the key issues by breaking down the main requirements of the most widely cited state and federal laws and then taking a brief look at what the future of privacy and data protection may look like.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996. The goal of the act was to improve the access patients have to their personal medical records by making them easier to share. HIPAA contains several chapters, including insurance reform, administrative simplification, and revenue offsets, but more than 20 years later it is the HIPAA Privacy Rule that is the most commonly thought of provision in the act. It was inevitable that the issue of privacy would be raised as medical records were made more shareable, and the issues and requirements have only gotten more intense as time has gone on.
HIPAA applies to covered entities such as health plans (insurance providers), health care providers, and health care clearinghouses along with their business associates. Anyone who handles protected health information is most likely under the authority of HIPAA. Protected health information is defined as individually identifiable health information, including demographic data, that relates to an individual’s mental or physical condition, health care provided to an individual, or payments for any health care. Past, present and future information relating to an individual’s medical history are all protected.
Key provisions and requirements of the Privacy Rule
- Minimum Necessary - A covered entity must use the minimum information necessary to carry out operations and health services.
- Access and Uses - Covered entities must develop policies and procedures to limit the internal access to and use of protected health information.
- Disclosures and Disclosure Requests - Policies and procedures must be in place for the routine disclosure of health information, limiting each disclosure to the minimum necessary. Criteria must also be designed and reviewed for non-routine disclosures.
- Notices - Most covered entities are required to notify the public of their privacy practices and to receive from their patients written acknowledgment that they have received a copy of the covered entity’s privacy practices.
- Access - In most situations, individuals have the right to access their personal health information.
- Amendment - Individuals have the right to require covered entities to amend medical records if the information is inaccurate or incomplete.
- Disclosure Accounting - Individuals can require a covered entity to give an accounting of how their personal health information was disclosed.
- Restriction Request - Individuals can request covered entities restrict access to health information or not notify family members about health care procedures.
While it is true that HIPAA does not apply to every business, it does have the most comprehensive privacy considerations of any federal bill. It is very likely that any future privacy bill will borrow from HIPAA’s provisions and expand them to all personal information, not just health information. For more information, you can find all of the HIPAA rules and standards HERE.
The Fair and Accurate Credit Act (FACTA) was passed in 2003 as an amendment to the Fair Credit Reporting Act (FCRA). Its main purpose is to increase consumers’ access and control of their information and to protect consumers from identity theft by stipulating requirements for the privacy, accuracy, and disposal of information as well as limiting how consumer information can be shared.
While FACTA was designed to affect mainly the financial sector, the FACTA Disposal Rule under Title II applies to any organization or individual which possesses consumer information that was derived from consumer reports. Regardless of who you are, if you have information on a consumer, employee or potential employee that was received from a consumer or credit report, meaning from a third party agency and not directly from the consumer themselves, then you must comply with the FACTA Disposal Rule to take reasonable steps to render that information unreadable upon disposal. Find the full text of FACTA HERE.
Texas IDA (H.B. 698)
The Texas Information Disposal Act (IDA), sometimes known as the Texas Shred Law, is a state law that went into effect in 2005. It addresses the disposal of business records that contain personal identifying information. Personal identifying information is defined here as an individual's first name or initial and last name in combination with any of the following:
- Date of birth
- Social security number or other government-issued identification number
- Mother's maiden name
- Unique biometric data, including retina or iris image
- Unique electronic identification number, address or routing code
- Telecommunication access device, including:
  - Debit and credit card information
  - Financial institution account number
  - Other financial information
Requirements and Penalties
IDA does not set guidelines for how long records should be retained or override any other record retention requirements. It simply requires that when a business does dispose of a business record (physical or digital) which contains personally identifying information of a customer of the business, the business must first render that information unreadable or undecipherable. According to the law, this goal can be accomplished by “shredding, erasing or other means.”
A business that fails to comply with the standard is liable in civil damages for a penalty of up to $500 per record. The state attorney general also has the power to recover the civil penalty, obtain a remedy, including injunctive relief, and recover costs and reasonable attorney’s fees incurred in bringing an action. Read the full text of the act HERE.
The Future of Privacy
As we mentioned at the top of this page, several states have either passed or are actively considering comprehensive privacy laws. These laws are all unique, but unlike the last trend of legislation, this new legislation goes far beyond a simple discussion of preventing identity theft and protecting consumer privacy. The legislative trend takes notes from Europe’s GDPR and tends to place consumers back in control of how their information is used, shared, updated, and disposed of. For a breakdown of terms and an explanation of this trend please watch the video below.
Another way to explain the current legislative trends concerning consumer information is to take a look at recent state laws and bills and break down their most common provisions. These provisions highlight a trend of consumer empowerment and increasing business obligations. You can see our breakdown by watching the video below.
NOTE: Since the making of the above videos, the Texas legislature indefinitely tabled H.B. 4518. The state also passed a heavily amended version of H.B. 4390 which, instead of including comprehensive privacy provisions, was reworked to expand the state's breach notification requirements and bring them more in line with other standards across the country. You can read the complete text of the bill HERE. We should not see any attempt at a comprehensive privacy bill in Texas until 2021.
The legislative framework in the United States concerning privacy, consumer protection, and the control of information is complicated and evolving. We encourage members of our communities to comply with the highest standards of information protection, management, and destruction. In order to help our clients achieve this goal, we are AAA certified by the National Association of Information Destruction, an independent third party which audits our processes to guarantee they comply with data protection laws and provide our customers with regulatory due diligence.