Regulatory Compliance Info and Links:
FACTA (or FACT Act) is the Fair and Accurate Credit Transactions Act, a 2003 federal law amending the Fair Credit Reporting Act. Its Disposal Rule is designed to reduce the risk of consumer fraud and identity theft created by improper disposal of consumer information.
What you should know about the FACTA Disposal Rule:
- It applies to virtually every person and business in the United States that keeps consumer information for a business purpose
- It requires the destruction of all consumer information before it is discarded
- Potentially severe penalties await violators
According to the FTC’s FACTA Disposal Rule “any person who maintains or otherwise possesses consumer information for a business purpose” must properly destroy discarded consumer information.
The FTC’s FACTA Disposal Rule further states that every person and/or business “must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
The FTC’s rule does not prescribe a single method; it gives examples of reasonable measures, which include “burning, pulverizing, or shredding of papers containing consumer information” so that the information cannot practicably be read or reconstructed, destroying or erasing electronic media containing consumer information to the same standard, and entering into “a contract with another party in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.” Note that the contracting option is only a reasonable measure if it is done after due diligence on the destruction vendor and the business monitors the vendor’s compliance with the contract.
Civil Liability: FACTA provides for substantial civil liability. In some cases, consumers may be entitled to recover the actual damages they sustained as a result of a violation of the rule, which, in the case of identity theft, could be very large. In other cases, consumers may be able to recover statutory damages of up to $1,000 for each consumer affected by a violation of the rule.
Class Action: Where large numbers of consumers are affected, they may be able to bring class actions seeking potentially massive statutory damages. If 1,000 consumers were affected, for example, a class action might seek up to $1,000,000 in statutory damages. Courts are also authorized to award punitive damages in either an individual suit or a class action. Finally, a successful plaintiff, or class of plaintiffs, may recover reasonable attorneys’ fees.
Federal Enforcement: The federal government is also authorized to bring enforcement actions in federal court for violations of the disposal rule. In some cases, the government may bring an action in federal district court for up to $2,500 in penalties for each independent violation of the rule.
State Enforcement: The states are also authorized to bring actions on behalf of their residents and, in appropriate cases, may recover up to $1,000 for each willful or negligent violation of the rule. In cases involving multiple violations, such statutory penalties might quickly add up to very large sums. As with private lawsuits, moreover, the state may recover its attorneys’ fees if successful in such an action.
Under HIPAA, every covered entity (healthcare providers, health plans and healthcare clearinghouses) is required to safeguard Protected Health Information (PHI) against unauthorized access. PHI is individually identifiable health information in any form, paper or electronic, including diagnoses, treatment records, x-rays, prescriptions, billing records, and identifiers such as a patient’s address, and virtually anything else pertaining to a patient and/or case.
No healthcare organization is too small for outsourced shredding services.
Small or large, medical organizations benefit greatly from the protection, regulatory compliance and indemnification offered by DataSite’s document destruction services. Employees are busy at their jobs and often overlook the importance of taking the time to shred proprietary data. A single discarded document in the trash could lead to heavy regulatory fines, lawsuits and loss of community trust.
But is it only medical organizations that should worry about HIPAA?
No. Assuming that HIPAA affects only healthcare providers and insurers is shortsighted: HIPAA also reaches businesses that provide certain services to, or handle information for, covered entities. For example, a company that performs medical billing or other services involving PHI on behalf of a healthcare provider is a HIPAA “business associate” and is bound by the HIPAA privacy and security requirements.
Here is a partial list of HITECH provisions:
- Health Data Breach Notification – Requires that covered entities notify affected individuals and the Secretary of HHS following a breach of unsecured PHI, and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets as well.
- States’ Attorneys General – HITECH authorizes state attorneys general to bring civil actions for HIPAA violations on behalf of their residents, and training programs are in place to educate them on how to enforce HIPAA and recover damages and attorneys’ fees.
- Mandatory Fines – HITECH requires HHS to investigate, and impose penalties for, violations due to willful neglect. The maximum civil penalty rose from $25,000 to $1,500,000 per calendar year for violations of an identical provision, a 60-fold increase over the original HIPAA penalty cap.
As a result of HITECH, state attorneys general are now authorized to enforce HIPAA and may recover damages and attorneys’ fees on behalf of their residents. A Texas-based medical facility was recently fined $990,000 for placing medical records in a garbage dumpster. A 2010 study conducted in Toronto, Canada found that 3 out of 4 doctors’ offices had no secure shredding program in place and were discarding patient documentation in the trash.