DO NOT, I repeat, DO NOT let this happen to you! Even though everyone says "oh, it won't happen to me", don't be that person. It can, and will, happen to you. What is 'it' though? 'It' is the heavy imposition of FINES on you for the improper disposal of sensitive information. These fines are imposed under both Massachusetts state laws (93H and 93I, which require the proper destruction of information containing social security numbers, driver's license numbers, financial account numbers, and credit or debit card numbers) and federal regulations such as FACTA and HIPAA, which requires the secure destruction of PHI (protected healthcare information). If anything is to be taken away from this blog, it should be that the DUMPSTER is NO PLACE for the disposal of any kind of sensitive record. If you even have to question whether or not the information is "sensitive", then it probably is. Too many times companies, large and small, are exposed, and fined heavily, for disposing of sensitive information belonging to their clients, patients, or customers simply into the trash.
Companies that don't heed the warning and do not take the proper steps to ensure the security and proper disposal of sensitive information are used as examples of what NOT to do. This is done by way of news reporters plastering the names of companies, and what they did, all over the headlines. For example, big corporations like RiteAid, Walgreens, and CVS were all EXPOSED for their improper disposal of private prescription information. Hitting closer to home, St. Elizabeth's Medical Center is investigating how patient financial information was found floating around on the streets outside of a building in Charlestown. Thankfully, the hospital is taking the correct measures to ensure that this does not happen again. Also, the hospital did what it is required to do by law when a data breach of this sort happens and notified the Massachusetts Attorney General's office.
Then, we come across a more interesting situation where SHREDDED PAPER was used as confetti in the Macy's Thanksgiving Day Parade. So what's the big deal? Well, the shreds were very thick and cut perfectly horizontally across the paper, so that perfectly clear lines of text could be read, including social security numbers and other sensitive information. It is clear that a typical office shredder was used to shred these documents, since that is the common level of "security" that an office shredder provides. The difference between an office shredder and a commercial shredder is the level of security in the 'cut' of the paper. Security levels 1-6 exist; the higher the level, the higher the security of the cut. Office shredders typically have level 1 or 2 security, where the shreds of paper are thick, easy to read and easy to reconstruct. Security levels 3 and 4 give consecutively smaller cuts of paper and allow for cross-cutting, inhibiting both the readability of the shreds and the ability to reconstruct them. Security levels 5 and 6 are recommended for destroying top-secret government or research documents, because the shreds coming from such a shredder are like grated cheese. It is typical of a commercial shredding company to have a shredder with a security level from 3-6. Then, in some instances, a reputable shredding company will go one step further and have your shreds pulverized and recycled.
The one thing that could have made a huge difference in each of these three situations is if the drug stores, the hospitals, and the police stations had all used a document shredding and storage company for their storage and destruction needs. Although safe and secure document storage and destruction seem straightforward and simple, they are best left in the hands of those companies who make it their sole purpose to protect information (yes, even AFTER it is shredded!).
One of the biggest changes to the shredding industry over the years is the appearance of the "Mobile Shredding Truck". Usually coming fully equipped with a shredder, TV monitor, and a big bad name, shredding trucks have their good qualities, but poor ones too. A lot of companies seem to enjoy the ability to view in "real time" the shredding of their documents. Unfortunately, what a lot of companies don't know is that on-site shredding can be performed by less than qualified staff and a less than qualified company.
Yes, you heard it right. Anyone with a cell phone, a one-page website, and a truck can pass themselves off as a mobile shredding company. Are their services actually helping you become compliant with the laws? Do they have strict information security policies in place? What happens if the truck breaks down (like in the picture below)? What is the level of security of the shredder that is being used in the truck? Some mobile shredding trucks have been shown to actually let WHOLE CHECKS pass through, unshredded (proof is in the pudding, I mean picture, below). These are some things you need to question before electing to use a mobile shredding company.
How comfortable would you feel if your documents were shredded in that mobile truck?
And then, ask yourself, how comfortable would you feel having a mobile shredding truck shred your documents when the shredder lets WHOLE CHECKS pass through?
Off-site shredding is done by a shredding company who has a warehouse (real estate), an industrial shredder, and a bonded and insured warehouse staff, at the very least. Usually, a company that performs off-site shredding also offers and performs other records management related services and they hold certifications and memberships in order to do so, adding to their legitimacy.
I like the analogy of likening an off-site shredding company to a bank. You give the bank your money but you don't see them put it in the vault, so how do you know it is safe and will be there when you need it? Because a bank is insured. With a bonded and insured shredding company, you have the same circumstances. You don't need to watch the shredding be performed to know that your document will be securely and properly disposed of, thanks to associations like NAID, the National Association for Information Destruction. NAID is the association that verifies and puts their "stamp of approval" on those companies who follow the highest security measures in their shredding operations.
We aren't saying that you should not use a mobile shredding company (but you really shouldn't!) but what we are saying is, we don't think this mobile shredding trend is here to stay. What do you think? Feel free to leave your comments in the box below...
So shredding your documents sounds easy, right? Well, part of the process is easy, the part where you find a reputable vendor. There are many shredding companies out there that offer a wide range of services to suit the needs of any size company (and even those who need to have personal shredding done). A reputable vendor can take care of the grunt work for you by performing the hard labor, picking up your documents and either shredding them or storing them. The not-so-easy part of protecting your sensitive documents is being compliant with data protection laws in ALL facets... having a reputable vendor is just the "tail-end" of compliance.
Before you go looking for a company to shred your information, you need to take a look at the laws that affect you and that govern what measures need to be taken in the data protection process. Although reading through each law is important (yes, tedious, but necessary), one important yet ambiguous aspect of the laws is that they are not specific. In fact, they are not specific for a specific reason. Most laws use terminology such as "reasonable measures" when it comes to what you "must do" in order to protect your clients' or patients' sensitive information. So what does a "reasonable measure" constitute? Well, it depends on a lot. What you must do, though, is spend time working out what is reasonable cost-wise and effort-wise for your entity and then draft a written policy on the measures that you have decided to implement.
Your written policy should at the very least include the following:
-What your entity considers sensitive information
-What should be done when someone in your entity needs to dispose of sensitive information
-What training will be given to employees to ensure that all sensitive information is disposed of properly
-What vendor you will be using for shredding and document storage
-What your emergency plan is in the event a natural disaster strikes in the area of your office location
-What your plan is in the event of a security breach in your office
Don't know where to start now? Well here's a place, download our Compliance Packet by clicking the button below and get our 11 page packet that includes a summary of Massachusetts Data Protection Laws 93H & 93I, a compliance checklist, and an example of Safeguard's Written Information Security Policy.
It's that time of year again, time for spring cleaning. Usually most people spend daunting days and countless hours organizing their documents every year, but we think that should change. Instead of having everything pile up each year waiting to steal your precious spring days away from you to organize it all, why not implement a plan, a document organization plan, that would allow you to never have to waste spring days again??
We'll do you one better than just telling you that you should formulate a plan, we'll GIVE you the plan! And it's SIMPLE! What could be better? If you follow our three-step plan, we know that these three steps will bring you closer to free spring days and further away from docu-disaster.
Step 1: Digitize. When you come across important documents or files, scan them. Save them on a hard drive, disk, or flash drive. Ensure that these are all secure electronic storage methods by password protecting documents. If you can do this daily or even weekly and get into the habit of it, you will thank yourself in the long-run.
Step 2: Decide. So you've digitized important files. Now you need to decide whether or not the document should have a hard copy stored or if the document is safe to be securely shredded.
Step 3: DO! Once you have decided to either store the documents or shred the documents, DO IT!
Having a certified and secure document shredding and archiving vendor not only saves you time, in that you don't have to shred the documents yourself, and office space, in that you don't have to store your documents on-site, but also makes it easy to get in the habit of storing and shredding. If you have a box of documents you need to add to your storage account, just give them a call and they should be able to retrieve your box, barcode it, add it to your inventory, and securely store it for you. They should also be able to deliver any documents or files to you upon request. A vendor that stores your documents as well as shreds them is a blessing. Usually, a vendor can provide you with locked, slit-top shredding bins or consoles that can be placed in your office and that you can place sensitive documents into whenever you come across them. Changing out a full bin or console for an empty one is just a phone call away.
So now you've got a plan. Give us a call and let's get started!
Right about now there are two types of people in the U.S., those who have done their taxes, and those who haven't. The big deadline is April 17th... a mere weekend and day away. Luckily, for both types of people, there is no deadline for figuring out what in the world to do with all of your tax and related financial documents, past and present. And thus, the question begs to be asked; how long do I need to keep all of my important tax information? And what do I need to keep? We will start with this: three years is the golden standard for some tax documents, since that is the amount of time the IRS has to audit someone, but other documents should be kept forever, as they can come in handy in many future situations. We’ve put a table together below to help sort it all out for you…
| | How long to keep it? | What to do with it? |
|---|---|---|
| (W-2s, cancelled checks, receipts, bills, etc.) | 3 years (minimum) | Securely shred after a minimum of 3 years |
| The tax return itself (1040/accompanying forms, etc.) | | Ideally, secure storage of the hard copy documents is preferred. If that’s not an option for you, another option is to digitize the documents with a scanner and securely shred the paper documents. |
| Stock Purchase Receipts (with the date and price paid for each) | | Secure storage or digitize and securely shred |
| Home Improvement Records (to help in offsetting taxes if you ever sell your home) | | Secure storage or digitize and securely shred |
We recommend keeping hard copy files of all of your documents until their retention time is up rather than digitizing them, due to the possibility of a data breach that could lead to your digital information being stolen. Identity and credit card theft are all too common these days, and any way to reduce that possibility is worth stressing. Thus, the secure shredding of all of your tax and financial records once their retention time is up is necessary to ensure that your information has no way of getting into the hands of a thief. The best bet for shredding is always a shredding company (brownie points if they are NAID members) whose shredders do not just tear the paper into strips that are easy to put back together, but pulverize the paper, turn it into pulp, and then recycle it.
Tax season already has its drawbacks, so don't let information theft be one of them... request more information on keeping your information secure by clicking any of the buttons below!
Calling all Doctors' offices! Are your data disposal practices HIPAA compliant? Do you feel comfortable with your employees' knowledge of HIPAA? Are you sure that they are following correct protocol? If you have any question in your mind about HIPAA-related data disposal, then we have the perfect answer for you. It's called the NAID Employee Information Disposal Training Program. This program was developed by NAID, the National Association for Information Destruction, and is brought to you (Doctors' Offices) by document destruction vendors that are members of NAID. Safeguard Records Management is a document destruction vendor, and member of NAID, who has realized the importance of this training video and has absorbed the costs of the video and training materials to bring this NAID program to you FREE OF CHARGE.
One of the many benefits of this training is that it is the ULTIMATE RISK MINIMIZER. "How?" you ask... well, NAID has stated that "HIPAA regulators have written that when employees are appropriately trained on proper data disposal, healthcare providers will not be held fully responsible for disposal violations". At the same time, NAID also tells us that "HIPAA regulators have stated that failure to provide such training will result in the highest level of mandatory fines".
So what do you have to lose? Well, a lot if your office doesn't take advantage of this training program that can be completed in only about half an hour! To learn more, watch the NAID video below and then, when you are ready to have your risk minimized, click on the blue button to request more information or to schedule a training session!
Have you made sure your data is safe? If not, there is a chance it will cost you financially. It could ruin your reputation as well.
In a recent news story, MetLife, headquartered in New York City, whose revenues topped $50 million in 2008, felt the effect of laws involving data storage security. Because they failed to use records management as risk management, they were fined $70,000. Apparently, when they moved from one location to the next, they discarded a lot of trash in the dumpsters outside the office. In it were sensitive records containing social security numbers, addresses and financial account information of people who were current and former clients of MetLife. The hard copy files remained in dumpsters outside the building for well over three days. During this time, anyone could have acquired the information and used it for identity theft.
In North Carolina, a news article from 2010 about Prompt Med spoke of a $50,000 fine after the urgent care unit threw sensitive information, including financial accounts and identification numbers of over 700 patients, into a dumpster. Records management as risk management would have clearly helped here.
The Carolina Center for Development and Rehabilitation was highlighted in this article for having illegally disposed of the financial information of nearly two thousand patients in 2011. The fine for this was $40,000. The senior officers had plenty of warning about records management as risk management from the previous incidents above, but did not learn from them.
More and more information these days must be secured and companies are having to treat records management as risk management. With the advent of identity theft, any written, electronic, or printed records must be protected if they include personal information about a client. And if the records are to be discarded for any reason, they must be destroyed in a proper fashion, so that the information contained within is kept safe. From this was born the idea of records management as risk management.
Risk management procedures are extremely important to implement to prevent identity theft. Identity theft is the use of any person's personal information by another to illegally remove money from bank accounts, acquire loans and passports and commit other crimes. Identity theft is now also known as identity fraud.
There are state and federal laws in place across the country to ensure that the destruction of certain files is done properly, in order to prevent identity theft. If proper measures are not taken, then the company responsible for not following the precautions can be given some fairly big fines.
In Massachusetts, the laws that aid in the prevention of identity theft are General Laws 93H and 93I. They apply to all companies in the state of Massachusetts, which must secure all data that include personal information, such as bank account numbers, credit and debit card numbers, and the like, that could create identity theft opportunities.
In addition, each company must have safeguards, by the employment of valid identification systems, in order to keep non-authorized personnel from gaining access through computers or to hard copy files. The company must also keep all locations safe from outside the company. On a regular basis, companies shall be audited to ensure they are within compliance. According to 93I, a company must document the policy of its destruction procedures.
The fine for non-compliance with 93H requires the company to pay five thousand dollars for each record that was not kept safe. For 93I, the fine is one hundred dollars for each record, with a cap of fifty thousand dollars. These ordinances came into law in 2005.
In addition to state laws, the federal FACTA Disposal Rule maintains that any person or business using consumer reports must make sure all the information within those reports remains completely secure when discarded.
In summary, the risks that someone takes for improper document disposal are inexplicable. Primarily, risks cannot be taken anymore because it is the law to practice safe and secure document disposal; secondly, when there are a multitude of risk management strategies available through document shredding and management companies, how can someone not take advantage of a simple way to reduce risk?
Need to start managing your risk? Or change your strategy? We can help... click on any of the buttons below to be on your way to a risk management solution!
As 2011 comes to a close, businesses and offices are wrapping up their yearly doings, taking time to enjoy the holidays with colleagues, and getting ready for the start of the new year. Safeguard is too! Safeguard Records Management has decided to bring TWO exciting new offerings to the table in order to better serve our destruction and archive customers.
Our first new offering will allow prospective and current ongoing destruction customers to have choices when it comes to their ongoing destruction bin. We are offering a new duraflex destruction console in addition to the two conveniently sized 35- and 65-gallon bins. This console has many benefits over our shredding bins for offices looking for a more aesthetically pleasing ongoing destruction solution.
The sleek, clean console with a slit top and locking door allows for the security of a locking bin with the added benefit of looking more like it "belongs". Also, the console stays in place, with only the interior insert being emptied, rather than getting a different bin during every rotation.
If you're interested in receiving a shredding console, or switching out your bin for a console, contact Sean Kelly via contact form, phone, or e-mail.
Watch this video in order to get a general idea of what the Compliance Training can do for your office
Our second, most exciting offering that Safeguard has decided to take on and provide to our customers in the healthcare industry is the Doctor's Office Compliance Training Program. This exciting program has been developed by NAID, the National Association for Information Destruction and is applicable to healthcare and dental offices. And the best part... it's free! Yes, FREE! The way NAID gets this compliance training program out to healthcare offices is through certified NAID document destruction providers like Safeguard Records Management.
The program can easily be summarized with the 3 following steps:
Receive the video
Watch & Learn
That's it! Simple and quick and you're compliant, just like that! So what are the benefits of your office completing this compliance training you ask?
The best part about completing the HIPAA compliance training is, primarily, that you are at less risk of a breach of patient information (and yes, there is a but) BUT everyone knows that anything can happen these days and breaches can happen even in the most compliant and secure offices so here is where the training program really gives you a HUGE benefit... even if there is a breach of data or information, YOU ARE NOT HELD FULLY LIABLE BECAUSE YOU TOOK THE NECESSARY STEPS (i.e. the training) IN ORDER TO BE COMPLIANT!
Can it get any better than that? For minimal time and ZERO cost to you, your office can get trained on compliance with the HIPAA regulations for safeguarding healthcare information. With the maximum HIPAA fine going up 6,000% from $25,000 to $1,500,000, you have to ask yourself, can you really afford not to complete this zero cost training? (Click for more information on HIPAA)
2012 is gearing up to be a great year for Safeguard Records Management as we look to expand and improve our services in order to meet and exceed the growing needs of our customers. If you'd like to have Sean Kelly get in touch with you regarding anything you have read, please fill out a Contact Us form and he will respond to your inquiry within a couple of hours. In the meantime, be on the lookout for more information on our shredding consoles and the Doctor's Office Compliance Training Program so you can take advantage of it as soon as the new year rolls in!
Happy Holidays and Happy New Year from everyone at Safeguard!
Simply put, yes, yes, and YES! Records management might seem more like something a larger company should be concerned about, but even small to mid-sized businesses need to take caution in making sure their records are safe and organized.
Records management for small businesses can range in price and available services, but, if you find a reputable records management company, they can likely give you a customized quote based on the needs and budget of a small business or office. Here are some things to consider first and why records management is so important for all businesses.
Physical or paperless? Record keeping has seen many changes throughout the years and now businesses have the option of going paperless. The term “paperless” is misleading though, because paperless offices will likely still have important physical documents that need to be stored and retained for a certain period of time, some for the life of the business. For what is paperless (i.e., hard drives, media tapes, etc.), a records management company can keep your digital information safe and secure.
While physical record keeping will likely always be necessary, record keeping without organization can lead to wasted time and money. This is where a reputable records management company can really do wonders for your small (or large!) business.
Organization and archiving: It might sound a little cheesy, but an organized office is a happy office. There is less frustration and stress because everything is where it needs to be and can be found easily--a records management system does just that, even for a smaller business.
Businesses who cannot rely on dozens of employees to keep them organized need to rely on a system that can keep them constantly updated and archive their important records and information. Sometimes, smaller businesses have a bad habit of archiving and saving everything. While a good precaution, this can turn chaotic.
A records management company can help any business make sure all important documents are properly archived and organized and that unnecessary documents are shredded at the end of their retention time. And all this can be done on just about any budget.
Protection and prevention: An added benefit of having a records management company is that your documents will likely be better protected from naturally occurring disasters, security compromises, and other bad scenarios. A records management company can help protect records from:
Fire, flood, earthquake, or other natural disasters at your office location
Physical security breaches
Security breaches from an online attack
Even small businesses are liable for the damage that can be done from disaster and security breaches. Every company, whether it is three employees or three thousand, needs to take steps to ensure all information is secure and protected.
Final notes: All in all, records management isn't just for the big guys in business. Smaller businesses can benefit from companies like Safeguard Records Management because of the specialization it affords to them.
Here's a recap:
Implementing records management means small businesses will save money in the long run.
Everything will be properly archived and easily accessible, saving time and money.
Offsite services can protect and organize your records, letting you manage your business hassle-free.
More work can be done in the time saved and there will be better efficiency in day-to-day tasks.
Don't fall behind simply because of improper record keeping. All types of businesses benefit from properly managed records and having it done properly by professionals, no matter how large or small.
Consider it a requirement for all businesses to run smoothly and provide the best service they can to their customers without worrying about their files being where they need to be. That only reflects poorly on the business, and no business should look unprofessional because of something that can be simply (and cheaply) fixed.
It's that time of year again. Time for carving pumpkins, getting out your spookiest decorations and stocking up on candy for the hordes of kids who will soon be roaming the neighborhood.
Halloween has changed a lot over the years. Although it's hard to imagine these days, Halloween or All Hallow's Eve, was not a popular holiday among the early Protestants living in the New England Colonies. It was considered too connected to the religious trappings of the Old World to garner much interest or support. Over time, however, as more and more immigrants brought their All Hallow's Eve traditions with them to their new homeland, the lure of parties, games and costumes proved irresistible, even to our stoic New England ancestors. The holiday we know as Halloween eventually took hold and prospered.
Just as holiday traditions change, so do the rules of how we conduct business. In Massachusetts, companies are subject to a variety of both state and federal laws that mandate how customer information is handled. While business records management used to be something left to the discretion of the individual company, serious concerns about data security and the rise in identity theft have necessitated a more formal approach. It's no longer sufficient, wise or even legal to leave sensitive customer documents lying around the office. It's now a requirement to have a clear, systematic process in place to maintain and manage this type of information.
While federal laws like FACTA, HIPAA and the Gramm-Leach-Bliley Act pertain to specific industries, Massachusetts General Laws 93H and 93I apply to companies across the board. Under 93H, any business in Massachusetts that retains an individual's name, Social Security number, driver's license number or financial account number (such as a debit or credit card) must have a written plan outlining their data/document security procedures and conduct regular audits to ensure that the procedures are being followed. 93I requires that both documents and electronic files containing sensitive information be destroyed according to a set plan and schedule. Failure to comply with either regulation can cost companies thousands of dollars—per mismanaged record.
Overwhelmed yet? Don't be. At Safeguard Records Management, we've created a business records management system that will ensure that your company stays in compliance with all federal and state law requirements. We use the latest technology to maintain, track and secure your sensitive files, and will work with you to develop a customized solution for your unique set of data security needs. We offer a range of services to help businesses manage not only the daily record-keeping process, but the storage and destruction of old company files as well.
Safeguard Records Management prides itself on its comprehensive business records management system and its ongoing commitment to customer service. Contact us today to learn more about how we can provide your company with a safe, reliable, and economical solution to your data security and storage needs.