Document Shredding and HIPAA Compliance

Wednesday, October 16th, 2013

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law mandating higher standards of privacy and security for health-related information. Healthcare offices, including private practices, nursing homes, health insurance offices, hospitals and state supported clinics are all subject to HIPAA regulation. Shredding sensitive documents prior to disposal is a key component of HIPAA compliance.

In the rush to be prepared for the initial compliance dates, many facilities purchased low-cost shredders and soon found they could not handle the volume. In reaction, many contracted with outside shredding services. Today, these services are increasingly being called into question because of the high costs involved and doubts about whether they are truly secure. More and more compliance officers are finding that a centralized shredding program with high-quality, industrial-grade shredders is the better policy. The initial equipment cost will be quickly offset by no longer having to pay the high (and always increasing) service fees. And because no documents are leaving the facility intact, security is greatly increased.

HITECH HIPAA raises the bar even higher

The Health Information Technology for Economic and Clinical Health (HITECH) provisions to HIPAA were signed into law in February of 2009. The HITECH Act expands HIPAA’s coverage, increases compliance obligations, and greatly strengthens enforcement penalties. The regulations, developed by the Health and Human Services Office for Civil Rights, require HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals (breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis). The regulations also require covered entities to ensure that their business associates (including shredding services) fully comply with HIPAA provisions.

Through the $31.2 billion legislation, the HHS is getting more tools and staff to enforce HIPAA, and states’ attorneys general can bring civil actions. If there is a breach of protected health information through “willful neglect,” it could cost $25,000 per incident if the hospital moves to fix the security weakness and $50,000 per incident if it doesn’t, up to a maximum of $1.5 million per year.

The enactment of the HITECH provisions to HIPAA should cause every Healthcare facility in America to closely examine their security policies and procedures. With compliance expenses on the rise and many budgets on the decline, there has never been a better time for Healthcare providers to consider the security and cost-saving advantages of in-house document destruction.

FACTA laws make shredding more important than ever

Shredding documents prior to disposal has always been a vital step in preventing identity theft, but the introduction of the Disposal Rule section of the FACTA security law makes shredding a necessity for businesses of any size, as well as individuals who employ even one person.


FACTA Disposal Rule defined

The Fair and Accurate Credit Transactions Act (FACTA) was enacted by Congress to minimize the risk of identity theft and consumer fraud. The Disposal Rule section of FACTA states that any person who possesses consumer or employee information for a business purpose is required to properly dispose of the information. This includes information used to establish eligibility for credit, insurance, or employment. The Disposal Rule was developed to cut down on identity theft by restricting the ability of thieves to “dumpster dive” for consumer information contained in discarded business records. It goes on to say that all employers must take reasonable measures to protect against unauthorized access to information in connection with its disposal. These measures include the burning, pulverizing, or shredding of physical documents and erasure or destruction of all electronic media. The main difference between FACTA and other security laws such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley is that it does not affect a single industry; it affects every business in America.

Back to basics with OPG

In 2011, over 8.1 million people were victims of identity theft. Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen items and physical documents accounted for 43% of all identity theft, while online methods accounted for only 11%. Getting back to the basics of simply destroying sensitive documents at the source with a reliable paper shredder from OPG makes perfect sense, now more than ever.


© 2013 MBM Corporation

Document Disposal Security

Saturday, June 8th, 2013

YOUR DOCUMENT SHREDDING OPTIONS

(1) Law & Order

Safeguarding the personal, non-public information of your customers and employees is the law.

The Privacy Act
Gramm-Leach-Bliley

H.I.P.A.A.
Health Insurance Portability and Accountability Act

F.A.C.T.A.
Fair and Accurate Credit Transactions Act

FTC Disposal Rule

State Laws

Every organization that uses “non-public, private information” is subject to one or more of the laws that regulate data security.

(2) Data Security Options

Shred your Secrets –
Use….

…a Mobile Shredding Service

…a Plant based Shredding Service

…numerous Office Shredders

…an in-house, high-capacity shredder

…a Combination of the above

Determine the most convenient, cost effective solution that meets your security, recycling and financial needs.

(3) Pros & Cons of a Mobile Shredding Service

No equipment to buy or maintain
Convenient
Secure, if you watch it being done

Expensive – 15 to 40 cents per pound
Ambiguous – rates per hour encourage slow work – rates per bin often result in overpaying
Less secure than in-house shredding – liability remains with you

It makes sense only when:
You have infrequent, high-volume events such as annual file room purges, you can consolidate the shredding of many people, and you don’t have space or budget for a high-capacity shredder.

(4) Pros and Cons Of Off Site Shredding Facility

No equipment to buy or maintain
Convenient

Very insecure – who does the shredding and where? – liability remains with you
Expensive – 15 to 25 cents per pound
Ambiguous – rates per hour encourage slow work – rates per bin often result in overpaying

It makes sense only when:
Medium volume – Lower security concerns – Unable to conveniently consolidate the shredding of many users

(5) Pros and Cons Of In-House Shredders

Wide variety of equipment options
Convenient
Very immediate and secure

Unproductive use of employee time
Difficult to consolidate and recycle
Maintenance, repair and replacement of numerous shredders

It makes sense when:
Small overall volume of shredding
Very high security applications requiring immediate shredding
Not concerned with recycling

(6) Pros And Cons Of In-House High Capacity Shredders

Lowest overall cost of shredding
Convenient
Very immediate and secure

Higher initial equipment cost
Need 220v, 3-phase power
Need appropriate space

It makes sense when:
You have a consistently high volume of shredding – You can consolidate the shredding of many users in a common location – You have the budget, space and power for a high capacity system – You can use a lower cost employee

(7) Cost Analysis

How do the Costs compare?

MOBILE SHREDDING SERVICE – $0.19 Per Pound
PLANT BASED SHREDDING SERVICE – $0.12 Per Pound
OFFICE SHREDDERS – $0.58 Per Pound
IN-HOUSE INDUSTRIAL SHREDDER – $0.08 Per Pound

Costs are based on shredding 1000 lbs of paper. Mobile and plant based shredding service costs are based on mean averages including fuel surcharges, visit charges and actual shredding charge with one visit per week. Office shredder cost is based on 20 office shredders at a cost of $1500 each, with each shredder using one bag per day, 20 days/month, and a burdened labor rate of $20/hr or $40,000 per year. Industrial shredder charge is based on using a conveyor-fed shredder with a practical capacity of 750 lbs/hr and a burdened labor rate of $12/hr.

(8) Reduction Of Costs

Consolidate the shredding of as many people as possible

Use a high-capacity shredder that can shred a day’s worth of your consolidated shredding in a couple of hours or less

Utilize or hire a low-cost part-time employee to do the shredding

Use office shredders only in high security zones, otherwise use locked boxes.

Recycle! Many recyclers will pick up and pay for shredded and baled paper, creating a revenue stream.

Don’t skimp on your office shredder; most of the cost of shredding is your employees’ time, not the price of the shredder.

Use as few office shredders as reasonably possible

Don’t overdo the security level; buy the capacity and speed, not the smallest shred size

Buy cross-cut; you’ll use 66% fewer shredder bags

Make sure your employees know that cross-cut shredders need to be oiled and run in reverse to clean out the cutting heads and make them last

The facts are there: buy the size of shredder you need, save money, be secure and recycle!