Understanding the Privacy Laws That Affect Your Information Disposal Practices

Businesses that collect and store vast amounts of personally identifiable information (PII) and protected health information (PHI) must comply with state and federal privacy laws. When PII and PHI is no longer needed, companies must take steps to dispose of it securely. In this blog, we help you understand the privacy regulations that affect your business and its information disposal practices.

The Fair and Accurate Credit Transactions Act (FACTA)

FACTA, directed by the Federal Trade Commission (FTC), applies to any business that collects consumer reports or information derived from consumer reports. This information can apply to:

• Employment background applications
• Insurance claims
• Medical history
• Residential history
• Check writing history

FACTA’s Disposal Rule requires the proper disposal of information to protect against its “unauthorized access or use.” As a result, unwanted or expired consumer data should be destroyed in a prompt and secure manner.

The Gramm-Leach-Bliley Act (GLBA)

Like FACTA, GLBA requires financial institutions and businesses that offer financial services to safeguard their customers’ data. GLBA’s Safeguard Rule requires companies to develop a written information security plan that describes their program to protect customer information. Disposal of financial data must be performed in such a way that the data cannot be read or reconstructed. A shredding service helps your business comply with the Safeguard Rule by offering professional destruction of customer data and a Certificate of Destruction that supports your information security plan.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA, monitored and enforced by the Department of Health and Human Services’ Office of Civil Rights (OCR), affects any organization that handles, stores, and transmits medical records. The law’s Privacy Rule and Security Rule require HIPAA covered entities to implement physical, administrative, and technical safeguards for PHI. These safeguards extend to the final disposition of medical records and patient related data.

HB 1071

Recently passed by the Washington State Legislature, HB 1071 strengthens Washington’s data breach notification law by expanding the definition of “personal information” to include:

• full date of birth
• student, military, or personal identification number
• health insurance policy number or insurance identification number
• certain medical history information
• certain biometric data
• username, password, email address, security questions

Besides notifying the Attorney General of any breach of Washington residents’ personal information, Washington businesses must implement data breach prevention measures, including a secure information disposal plan.

RCW 19.215.020

Washington Revenue Code 19.215.020 applies to Washington businesses. The law states that organizations “must take reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual’s records within its custody or control when the entity is disposing of records that it will no longer retain.” Although under RCW 19.215.020 your business may shred records in-house or outsource their destruction, the latter option offers a more comprehensive and secure final disposition solution.

For more information on how to comply with these state and federal privacy regulations, please call us at 509-586-6090 or complete the form on this page.

CI Information Management provides shredding services as well as full-service records and information management in the Tri-Cities, the Yakima Valley, Walla Walla, Hermiston, OR, Moses Lake, Wenatchee, and nearly everywhere in between.