HIPAA-HITECH new rules may put an end to shred companies that transport whole documents for offsite destruction
There are new rules under the Health Insurance Portability and Accountability Act (HIPAA) that could make Business Associates* (such as document shredding companies) subject to large fines for violations involving "willful neglect". These new penalties can reach $50,000 per incident and as much as $1.5 million annually in fines, and they also include criminal penalties of up to 10 years imprisonment.
On January 17, 2013, the U.S. Department of Health and Human Services released final modifications to the existing privacy and security rules relating to securing protected health information (PHI) under HIPAA. The Final Rule, effective March 26, 2013, requires compliance by "Covered Entities"* and "Business Associates" no later than September 23, 2013. Under HITECH (the Health Information Technology for Economic and Clinical Health Act), a formal unannounced auditing program of both covered entities and business associates will start. HITECH was passed by Congress as part of the 2009 American Recovery and Reinvestment Act, also known as the Stimulus Bill. Surprise audits and fines are expected to increase substantially in 2013.
Any employee finding a weakness that suggests a customer has a potential data breach must report it to management. Management must then report it to the customer. The primary data custodian has to provide the data breach notification, even if caused by the service provider/business associate.
On-site or mobile shredding companies (that destroy documents on the spot) have little to worry about in the way of a data breach, because the service is witnessed and completed in place. Any risk is limited to the distance between the covered entity's premises and the shred truck parked outside. Companies that instead transport whole documents (often making many stops, in many cities, over a number of days) to a centralized shred facility have multiplied their risk and increased their exposure.
Covered entities now want service providers to indemnify them for damages the provider causes. Many contracts and Business Associate (BA) Agreements now contain a clause making the service provider liable for the financial damages it causes, including the cost of breach notification!
Because these new rules have so many different aspects, many companies are overwhelmed trying to put the proper processes in place, both to secure client or customer information and to handle the resulting risks and liabilities. We've collected some of the most important information on the regulations, rules, and proper methods that the government mandates in the following PDFs. This is a wide-ranging set of rules and procedures, so we broke the information up into 6 different documents for your review.
You'll need Adobe Reader to view or print the documents. If you don't have Adobe Reader installed, you can get it here: Adobe Reader Download. Once you have Adobe Reader, you can double-click the links below, or right-click and use "Save as" to save them to a location on your computer. Here are the documents:
HIPAA Compliance and Document Destruction
HITECH Compliance Checklist
Breach Notification Rule 2014
What constitutes Protected Health Information
HIPAA Business Associate Agreement Template
Business Associates under HITECH Chain of Trust
Because government regulations, laws, and rules can be intimidating, we would be happy to assist all of our clients in making sure you have done your due diligence and can prove it. Ensuring HIPAA compliance is extremely important, since it's only a matter of time before the Office for Civil Rights, auditors, and the media start testing how effectively HIPAA is being followed. Public awareness is at an all-time high.
Outsourcing document destruction is the most widely accepted alternative. Call InfoSafe Shredding at 402-891-2688 for more information, or email