DataSite

FACTA (or FACT Act) is the Fair and Accurate Credit Transaction Act, a federal law designed to reduce the risk of consumer fraud and identity theft created by improper disposal of consumer information.

What you should know about the FACTA Disposal Rule:

The Federal Trade Commission (FTC) has issued their FACTA Disposal Rule. And, while the FTC has singled out lenders, insurers, employers, landlords, government agencies, mortgage brokers and automobile dealers; it applies to every individual business subject to their jurisdiction, which includes virtually every person and every business in the United States.

According to the FTC’s FACTA Disposal Rule “any person who maintains or otherwise possesses consumer information for a business purpose” must properly destroy discarded consumer information.

The FTC’s FACTA Disposal Rule further states that every person and/or business “must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”

Reasonable measures are defined in FACTA as “burning, pulverizing, or shredding of papers containing consumer information” or entering into “a contract with another party in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.

Civil Liability: FACTA provides for substantial civil liability. In some cases, consumers may be entitled to recover their actual damages sustained as a result of a violation of the rule which, in the case of identity theft, could be very large. In other cases, consumers may be able to recover statutory damages of up to $1,000 for each consumer affected by a violation of the rule.

Class Action: Where large numbers of consumers are affected, they may be able to bring class actions seeking potentially massive statutory damages. If 1,000 consumers were affected, for example, a class action might seek up to $1,000,000.00 in statutory damages. Courts are also authorized to award punitive damages in either an individual suit or a class action. Finally, a successful plaintiff, or class of plaintiffs, may recover reasonable attorneys’ fees.

Federal Enforcement: The federal government is also authorized to bring enforcement actions in federal court for violations of the disposal rule. In some cases, the government may bring an action in federal district court for up to $2,500 in penalties for each independent violation of the rule.

State Enforcement: The states are also authorized to bring actions on behalf of their residents and, in appropriate cases, may recover up to $1,000 for each willful or negligent violation of the rule. In cases involving multiple violations, such statutory penalties might quickly add up to very large sums. As with private lawsuits, moreover, the state may recover its attorneys’ fees if successful in such an action.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 specifies a series of administrative, physical and technical safeguards to assure the confidentiality, integrity and availability of protected health information.  Individuals, organizations and agencies that meet the definition of a covered entity must comply with the Rules specified to protect the privacy and security of patient health information.  Providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies are considered a “covered entity” and are required by law to follow the rules of HIPAA.  Any breach of confidentiality such as improperly discarded documents, must be reported to the authorities, and in cases involving over 500 records, to local media as well.

Under HIPAA law, every healthcare provider is required to prevent unauthorized access to Protected Health Information (PHI) at all times.  PHI consists of any information about patients including diagnosis, treatment, x-rays, prescription, billing, address, and virtually anything else pertaining to a patient and/or case.

No healthcare organization is too small for outsourced shredding services.

Small or large, medical organizations benefit greatly from the protection, regulation compliance and indemnification offered by DataSite’s document destruction services. Employees are busy at their jobs and often overlook the importance of taking the time to shred proprietary data.  A discarded document in the trash could lead to heavy regulatory fines, lawsuits and loss of community trust.

But is it only medical organizations that should worry about HIPAA?

No. For a business to assume that HIPAA affects only healthcare service providers and insurers is shortsighted: In addition to the healthcare industry, HIPAA also affects those providing certain information or services to or for healthcare providers. For example, a company that performs medical billing or other services involving “protected information” for healthcare providers is governed by the HIPAA privacy requirements.

After the implementation of HIPAA, much of its regulations were considered ineffective or unenforceable.  Many legislators called for a revision or a new program altogether that would contain strict enforcement laws.  Thus, in 2009, Congress passed a law that would greatly increase the security and enforcement of HIPAA known as the Health Information Technology for Economic and Clinical Health act (HITECH).  As a result of the American Recovery and Revitalization Act, better known as the “stimulus package,” Congress wasted no time in orchestrating ways to recoup some of the billions of dollars fed into the system by heavily fining law breakers.  HITECH is that guard dog.

Here is a partial list of provisions according to HITECH:

Enforcement

As a result of HITECH, State attorneys general are now responsible to enforce HIPAA laws and are additionally eligible to retain fees from fines that are levied.   A Texas based medical facility was recently fined $990,000 for placing medical records in a garbage dumpster.  A 2010 study conducted in Toronto, Canada showed that 3 out of 4 doctors’ offices had not instituted secure shredding programs and thus discarded patient documentation in the trash.