So shredding your documents sounds easy, right? Well, part of the process is easy: the part where you find a reputable vendor. There are many shredding companies out there that offer a wide range of services to suit the needs of any size of company (and even those who need personal shredding done). A reputable vendor can take care of the grunt work for you by performing the hard labor, picking up your documents and either shredding them or storing them. The not-so-easy part of protecting your sensitive documents is being compliant with data protection laws in ALL facets... having a reputable vendor is just the "tail end" of compliance.
Before you go looking for a company to shred your information, you need to take a look at the laws that affect you and that govern what measures need to be taken in the data protection process. Although reading through each law is important (yes, tedious, but necessary), one important yet ambiguous aspect of the laws is that they are not specific. In fact, they are not specific for a specific reason. Most laws use terminology such as "reasonable measures" when it comes to what you "must do" in order to protect your clients' or patients' sensitive information. So what does a "reasonable measure" constitute? Well, it depends on a lot. What you must do, though, is spend time working out what is reasonable cost-wise and effort-wise for your entity and then draft a written policy on the measures that you have decided to implement.
Your written policy should at the very least include the following:
- What your entity considers sensitive information
- What should be done when someone in your entity needs to dispose of sensitive information
- What training will be given to employees to ensure that all sensitive information is disposed of properly
- What vendor you will be using for shredding and document storage
- What your emergency plan is in the event a natural disaster strikes in the area of your office location
- What your plan is in the event of a security breach in your office
Don't know where to start now? Well, here's a place: download our Compliance Packet by clicking the button below and get our 11-page packet that includes a summary of Massachusetts Data Protection Laws 93H & 93I, a compliance checklist, and an example of Safeguard's Written Information Security Policy.
Have you made sure your data is safe? If not, there is a chance it will cost you financially. It could ruin your reputation as well.
In a recent news story, MetLife, headquartered in New York City, whose revenues topped $50 million in 2008, felt the effect of laws involving data storage security. Because they failed to use records management as risk management, they were fined $70,000. Apparently, when they moved from one location to the next, they discarded a lot of trash in the dumpsters outside the office. In it were sensitive records containing social security numbers, addresses and financial account information of people who were current and former clients of MetLife. The hard copy files remained in dumpsters outside the building for well over three days. During this time, anyone could have acquired the information and used it for identity theft.
In North Carolina, a news article from 2010 about Prompt Med reported a $50,000 fine after the urgent care unit threw sensitive information, including financial account and identification numbers of over 700 patients, into a dumpster. Records management as risk management would clearly have helped here.
The Carolina Center for Development and Rehabilitation was highlighted in the same article for having illegally disposed of the financial information of nearly two thousand patients in 2011. The fine for this was $40,000. The senior officers had plenty of warning about records management as risk management from the previous incidents above, but did not learn from them.
More and more information these days must be secured and companies are having to treat records management as risk management. With the advent of identity theft, any written, electronic, or printed records must be protected if they include personal information about a client. And if the records are to be discarded for any reason, they must be destroyed in a proper fashion, so that the information contained within is kept safe. From this was born the idea of records management as risk management.
Risk management procedures are extremely important to implement to prevent identity theft. Identity theft is the use of one person's personal information by another to illegally remove money from bank accounts, acquire loans and passports and commit other crimes. Identity theft is now also known as identity fraud.
There are state and federal laws in place across the country to ensure that the destruction of certain files is done properly, in order to prevent identity theft. If proper measures are not taken, then the company responsible for not following the precautions can be given some fairly big fines.
In Massachusetts, the laws that aid in the prevention of identity theft are General Laws 93H and 93I. They apply to all companies in the state of Massachusetts and require them to secure all data that include personal information, such as bank account numbers, credit and debit card numbers, and the like, that could create identity theft opportunities.
In addition, each company must have safeguards, by the employment of valid identification systems, in order to keep non-authorized personnel from gaining access through computers or to hard copy files. The company must also keep all locations safe from outsiders. On a regular basis, companies shall be audited to ensure they are within compliance. According to 93I, a company must document the policy for its destruction procedures.
The fine for non-compliance with 93H requires the company to pay five thousand dollars for each record that was not kept safe. For 93I, the fine is one hundred dollars for each record, with a cap of fifty thousand dollars. These ordinances came into law in 2005.
In addition to state laws, the federal FACTA Disposal Rule requires that any person or business using consumer reports make sure all the information within those reports remains completely secure when discarded.
In summary, the risks that someone takes through improper document disposal are inexcusable. Primarily, these risks can no longer be taken because safe and secure document disposal is required by law; secondly, when there is a multitude of risk management strategies available through document shredding and management companies, how can someone not take advantage of a simple way to reduce risk?
Need to start managing your risk? Or change your strategy? We can help... click on any of the buttons below to be on your way to a risk management solution!
Records management may be the most important business service that you've never heard of. In an era of increasing identity theft and more stringent regulations, however, it's time to get the facts on this important industry.
If your company handles or stores customer information like names, addresses, medical records, Social Security or bank account numbers, then finding a safe, secure way to both manage and dispose of your office's paperwork isn't optional—it's mandated by law. Depending on your industry, your business may be subject to federal laws like HIPAA or the Gramm-Leach-Bliley Act, but state regulations often also apply. Some regulations, like Massachusetts General Laws 93H and 93I, require companies to have written procedures that outline how paper and electronic files are secured on a day-to-day basis, as well as how they will be destroyed once they are no longer needed. When companies fail to meet these basic standards, they can be subject to prosecution and end up paying significant fines—sometimes per record.
Here's where a Records Management System (RMS) comes in. These services come in a variety of shapes and sizes, but their purpose is essentially the same: to help companies manage their paper and electronic records in such a way that sensitive information is secured and properly stored, and remains accessible if needed in the future. A typical Records Management vendor will offer some (if not all) of the following services:
- Site analysis and compliance documentation
- Secure, off-site record storage for paper files
- Online access to storage inventory
- Scheduled document destruction services, one-time or ongoing
- Document imaging for digital storage and retrieval
- Disaster recovery planning
Of course, not all Records Management vendors are created equal. There are any number of companies to choose from—not all of whom can handle the job successfully. Take the time to evaluate each vendor carefully, and consider the following:
The National Association for Information Destruction (NAID) offers training and certification for Records Management professionals. Records Management vendors with this credential have completed extensive training and have pledged to follow the standards and ethical practices of the NAID organization.
A reputable Records Management vendor should know immediately what procedures your business needs to follow to be in compliance with federal and state laws. Educate yourself ahead of time regarding your particular industry so that you know whether their recommendations are on-target.
Learn how the vendor you are considering secures its own facilities. Ask what safeguards are in place for physical files, as well as digitally stored information. Be sure that the company has a definite policy regarding employee background checks. Every employee, but especially those with direct contact with sensitive information, should be thoroughly checked before gaining access to your company's files.
The Records Management vendor you choose should provide evidence of their commitment to customer service. Consider how responsive and flexible the vendor has been during the sales process: Were they easy to reach? Able to offer scalable solutions to your particular company? Was their pricing competitive? Next, ask for references and determine whether or not existing customers are satisfied with their level of service. Finally, determine what procedures are in place to ensure that the vendor is accessible when needed. 24/7 online access to your records is an absolute requirement.
A reputable, service-oriented Records Management vendor will lower your company's risk exposure, reduce document storage costs and allow you to focus on growing your business. Take the time to evaluate your current and future records management needs—and then find the vendor who is right for the job.
It's that time of year again. Time for carving pumpkins, getting out your spookiest decorations and stocking up on candy for the hordes of kids who will soon be roaming the neighborhood.
Halloween has changed a lot over the years. Although it's hard to imagine these days, Halloween or All Hallow's Eve, was not a popular holiday among the early Protestants living in the New England Colonies. It was considered too connected to the religious trappings of the Old World to garner much interest or support. Over time, however, as more and more immigrants brought their All Hallow's Eve traditions with them to their new homeland, the lure of parties, games and costumes proved irresistible, even to our stoic New England ancestors. The holiday we know as Halloween eventually took hold and prospered.
Just as holiday traditions change, so do the rules of how we conduct business. In Massachusetts, companies are subject to a variety of both state and federal laws that mandate how customer information is handled. While business records management used to be something left to the discretion of the individual company, serious concerns about data security and the rise in identity theft have necessitated a more formal approach. It's no longer sufficient, wise or even legal to leave sensitive customer documents lying around the office. It's now a requirement to have a clear, systematic process in place to maintain and manage this type of information.
While federal laws like FACTA, HIPAA and the Gramm-Leach-Bliley Act pertain to specific industries, Massachusetts General Laws 93H and 93I apply to companies across the board. Under 93H, any business in Massachusetts that retains an individual's name, Social Security number, driver's license number or financial account number (such as a debit or credit card) must have a written plan outlining their data/document security procedures and conduct regular audits to ensure that the procedures are being followed. 93I requires that both documents and electronic files containing sensitive information be destroyed according to a set plan and schedule. Failure to comply with either regulation can cost companies thousands of dollars—per mismanaged record.
Overwhelmed yet? Don't be. At Safeguard Records Management, we've created a business records management system that will ensure that your company stays in compliance with all federal and state law requirements. We use the latest technology to maintain, track and secure your sensitive files, and will work with you to develop a customized solution for your unique set of data security needs. We offer a range of services to help businesses manage not only the daily record-keeping process, but the storage and destruction of old company files as well. Safeguard Records Management prides itself on its comprehensive business records management system and its ongoing commitment to customer service. Contact us today to learn more about how we can provide your company with a safe, reliable, and economical solution to your data security and storage needs.
Every business and service provider that keeps paper records should be doing a good inventory of their information on a regular basis. It's easier said than done, right? Naturally, one needs to know what should be cleaned out, until when it needs to be kept, where it is going to be stored and/or shredded, and why it needs to be stored and/or shredded. Get the answers to your 5 W's to make your fall cleaning a breeze!
Who? Who should be taking a look at the records in that stack of boxes building up in their office? Again, any business or service provider that puts information on paper. But for starters, anyone who has yet to do a good clean out this year (2011) should do so. Also, those who are ending, or starting, a fiscal year should start fresh by getting old files into storage and shredding unnecessary files or file duplicates in order to cut down on the amount of paper you have going into storage.
By making sure you go through your files at least once a year, you are able to quickly and efficiently sort through paperwork that is fresh in your mind, and you can quickly decide whether or not it is vital to your business. If you end up waiting longer than a year, the chances are that when you revisit the files, it will take you longer to determine whether or not the records are vital, and who wants to waste time? Time equals money, so hunker down and get it done. You will be glad you did it in the end.
*Quick tip- by having a secure destruction container in your office, you can routinely get rid of sensitive information as you come across it in your daily work. A bin for ongoing destruction will decrease the overall amount of information that piles up waiting to be sorted through in a good seasonal cleaning! (See the end of this article for more information on secure bin rotations)
What should you be cleaning out? This question takes a little more consideration because different industries have different types of files, documents, and records that they need to keep for a certain period of time; thus, this question also requires the When question to be answered.
- Tax Records- 7 years after the tax year that the records are from.
- Patient/Client Records- Dependent upon what the records are. Medical Records are kept by a care provider for 7 years after the last treatment date or 3 years after the patient's death. If a patient requests a copy of their medical records, they are entitled to it and may keep it for however long they like. Legal Records are sometimes kept indefinitely or for a period of at least 7 years. If a client requests a copy of their legal records, they are entitled to it and may keep it for however long they like.
- Financial Documents (checks, invoices, statements, expenses, donations, cash records, loan records, etc.)- 6 years or until after an audit is performed. After the time period, financial records are to be shredded.
- Corporate Records (meeting minutes, reports, articles of association / incorporation)- One copy of corporate records is archived for the life of the company.
- Purchase Orders- 3 years from date of purchase.
- Inventories- Until the next inventory; obsolete inventories should be shredded.
- Personnel/HR Files- 7 years after the end of employment.
- Invoices/Accounts Payable- 6 years from date on invoice.
- Accounts Receivable- 6 years from date received.
- Contracts- Under seal: 12 years after expiration; not under seal: 6 years after expiration.
- Insurance Plans- Policies are kept 3 years after renewal; settlements, 7 years after claims; schedules, 10 years.
After you have figured out what you need to keep, shred, and store, you need to determine where you are going to store the information. Naturally, you will want to shred the documents you no longer need with the same RM that you chose to store your documents, to save time and money. Necessary documents should be kept in filing cabinets in the office. To reduce the risk of having too many unnecessary files in the office, only keep a few filing cabinets. That way, you will be forced to go through your older files in order to put them into long-term storage with your RM partner. Your RM partner should also have access rooms available for you to access your boxes of files when necessary, to either retrieve files or pick out obsolete files for shredding.
Last but most certainly not least, why is all of this necessary? Properly storing and shredding sensitive client, business, and personal information is not only a good practice, it is the law.
Massachusetts data protection laws 93H and 93I require entities to safeguard any and all Social Security numbers, driver's license numbers, financial account numbers, and credit or debit card numbers. Entities are required to have a written policy stating how the named documents are safeguarded; the written policy could name your RM as the way you go about safeguarding these documents.
Overall, the job might not be pretty, it might not be fun, but a good fall cleaning will not only put your business in a better position, it's good for the mind, body, and wallet! Yes, wallet. By ensuring that you stay on top of your records management, you will save countless hours of time for those who are fit to do the job (i.e. usually executives or higher-ups who get paid top dollar). Also, by cutting down the amount of files you put into storage by having them shredded, you are paying a one-time shredding cost rather than an additional monthly cost for the space taken up by unnecessary files. Get all of your RM needs squared away before the cold weather and holidays come. You will be glad you did!
Learn what a town hall discovered that they were glad they had kept around when they were doing a little records managing of their own.... http://columbiamissourian.com/stories/2009/04/13/court-documents-reveal-sturgeons-past/
If you are looking for more money-saving practices that your business can implement, looking into bin rotations for ongoing destruction might be something to do. By having a secure destruction bin in your office, a locked container with a slit top, you can routinely get rid of your sensitive documents by placing them in the bin. When your container is full, just have the bin rotated... it's that simple! No strict rotation schedule, no bin fees, two convenient sizes, and just a one-time flat rotation fee only when your bin is full. How can you go wrong?
The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).
HHS's Office for Civil Rights (OCR) made the following statement in their press release:
"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information."
The records that were lost in this case were not electronic, but the law and penalties do not differentiate. However, if encrypted electronic records are lost, you are not required to notify HHS or patients of the incident. In other words, encrypt your data!
The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million against Cignet Health of Maryland. Cignet had failed to provide patients a copy of their medical records upon request.
The really disturbing part, though, was that, after Cignet attempted to ignore the government's enforcement action, not only did they deliver the 41 patients' records to the Department of Justice, they handed over 59 boxes of patient medical records, including records for 4500 people unrelated to the case.
From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, "When they start putting doctors in jail, I'll worry about encrypting my records." Maybe these enforcement actions by HHS will change his mind.
Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.
If you work in the healthcare industry, stop by our booth at the Healthcare Information and Management Systems Society conference in Orlando, March 21st to 23rd. You can find us at booth 5178 to learn more about how we can help you secure your patients' information.
What are 93H & 93I?
Massachusetts General Law 93H
93H requires all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law.
What are you required to do?
The compliance standards for this new data protection law include the following:
- A written comprehensive information security program (CISP).
- Controls on employees' access to sensitive information, including physical security safeguards, computer user access levels and user authentication protocols.
- Security measures on computer information systems, including data encryption, anti-virus and anti-spyware software, and firewalls.
- Periodic review of audit trails and monitoring of systems for unauthorized access.
- Proper disposal of sensitive information, as outlined in the new Massachusetts data protection laws.
Massachusetts General Law 93I
93I requires the shredding or destruction of any paper files containing sensitive information and the erasure or destruction of any electronic files or data storage devices containing personal information of employees or customers.
93I also requires a written policy regarding the disposal of sensitive information.
What are the penalties?
A violation of 93H carries fines of up to $5,000 per record compromised.
A violation of 93I carries fines of up to $100 per record compromised, with a maximum of $50,000.
This does not take into consideration the loss of your company's hard-earned reputation and the potential loss of credit.
Safeguard can help guide you through compliance. Call Sean at 508.795.1015 for a Free Assessment, email Sean at firstname.lastname@example.org or log onto www.safeguardrecords.com for industry specific information.