HIPAA-HITECH rules may put an end to shred companies that
transport whole documents for offsite destruction
New rules under the Health Insurance Portability and Accountability Act (HIPAA) expose Business Associates* (such as document shredding companies) to large fines for violations involving "willful neglect". The civil penalties run up to $50,000 per violation, with an annual cap of $1.5 million for identical violations, and HIPAA's criminal provisions carry up to 10 years' imprisonment.
On January 17, 2013, the U.S. Department of Health and Human Services released final modifications to the existing privacy and security rules governing protected health information (PHI) under HIPAA. The Final Rule, effective March 26, 2013, requires compliance by "Covered Entities"* and "Business Associates" no later than September 23, 2013. Under HITECH (the Health Information Technology for Economic and Clinical Health Act), a formal HHS audit program covering both covered entities and business associates is starting. HITECH was passed by Congress as part of the 2009 American Recovery and Reinvestment Act, also known as the Stimulus Bill. Audits and fines are expected to increase substantially in 2013.
Any employee who discovers a weakness suggesting that a customer may have suffered a data breach must report it to management, and management must in turn report it to the customer. The covered entity, as the primary data custodian, remains responsible for issuing the breach notification, even when the breach was caused by the service provider/business associate.
On-site or mobile shredding companies (which destroy documents on the spot) carry very little breach exposure, because the destruction is witnessed and completed on the customer's premises; the only window of risk is the distance between the covered entity's door and the shred truck parked outside. Companies that instead transport whole documents to a central shredding facility, often making many stops in many cities over a number of days, multiply that risk and widen their exposure.
Covered entities now expect service providers to indemnify them for damages the provider causes. Many contracts and Business Associate (BA) Agreements now contain a clause making the service provider liable for the financial damages it causes, including the cost of breach notification.
Because these rules touch so many areas, many companies are overwhelmed when trying to put the right processes in place both to secure client or customer information and to manage the associated risk and liability. We have collected the most important information on the regulations, rules, and government-mandated methods in the PDFs below. Since the rules and procedures are wide ranging, we have broken the material into six separate documents for your review.
You will need Adobe Reader to view or print the documents. If you do not have it installed, you can get it here: Adobe Reader Download. Once Adobe Reader is installed, double-click a link below to open the document, or right-click and choose "Save as" to save it to your computer.
Because government regulations, laws, and rules can be intimidating, we are happy to help all of our clients make sure they have done their due diligence and can prove it. Ensuring HIPAA compliance is critical: it is only a matter of time before the Office for Civil Rights (OCR), auditors, and the media start testing how effectively it is being enforced, and public awareness is at an all-time high.
Outsourcing document destruction is the most widely accepted approach. Call InfoSafe Shredding at 402-891-2688 for more information.