Storage & Shredding: Expert Advice

Improper Document Destruction offenders EXPOSED

Posted by Sean Kelly on Mon, Nov 26, 2012 @ 12:33 PM

DO NOT, I repeat, DO NOT let this happen to you! Even though everyone says "oh, it won't happen to me", don't be that person. It can, and will, happen to you. What is 'it' though? 'It' is the heavy imposition of FINES on you for the improper disposal of sensitive information. These fines are imposed by both Massachusetts state laws (93H and 93I, which require the proper destruction of information containing social security numbers, driver's license numbers, financial account numbers, and credit or debit card numbers) and federal regulations like HIPAA, which requires the secure destruction of PHI (protected health information), as well as FACTA. If anything is to be taken away from this blog, it should be that the DUMPSTER is NO PLACE for the disposal of any kind of sensitive record. If you even have to question whether or not the information is "sensitive", then it probably is. Too many times companies, large and small, are exposed, and fined heavily, for disposing of sensitive information belonging to their clients, patients, or customers simply into the trash.

The companies that don't heed the warning and do not take the proper steps to ensure the security and proper disposal of sensitive information are used to make examples of what NOT to do. This is done by way of news reporters plastering the names of companies, and what they did, all over the headlines. For example, big corporations like Rite Aid, Walgreens, and CVS were all EXPOSED for their improper disposal of private prescription information. Hitting closer to home, St. Elizabeth's Medical Center is investigating how patient financial information was found floating around on the streets outside of a building in Charlestown. Thankfully, the hospital is taking the correct measures to ensure that this does not happen again. The hospital also did what it is required to do by law when a data breach of this sort happens: it notified the Massachusetts Attorney General's office.

Then we come across a more interesting situation, where SHREDDED PAPER was used as confetti in the Macy's Thanksgiving Day parade. So what's the big deal? Well, the shreds were very thick and cut perfectly horizontally across the paper, so that perfectly clear lines of text could be read, including social security numbers and other sensitive information. It is clear that a typical office shredder was used to shred these documents, since that is the common level of "security" that an office shredder provides. The difference between an office shredder and a commercial shredder is the level of security in the 'cut' of the paper. Security levels 1-6 exist; the higher the level, the higher the security of the cut. Office shredders typically have level 1 or 2 security, where the shreds of paper are thick, easy to read and easy to reconstruct. Security levels 3 and 4 give successively smaller cuts of paper and allow for cross-cutting, inhibiting the readability of the shreds as well as the ability to reconstruct them. Security levels 5 and 6 are recommended for destroying top-secret government or research documents, because the shreds that come out of these shredders are like grated cheese. A commercial shredding company typically has a shredder with a security level from 3-6. Then, in some instances, a reputable shredding company will go one step further and have your shreds pulverized and recycled.

The one thing that could have made a huge difference in each of these three situations is if the drug stores, the hospitals, and the police stations had all used a document shredding and storage company for their storage and destruction needs. Although safe and secure document storage and destruction seem straightforward and simple, they are best left in the hands of those companies who make it their sole purpose to protect information (yes, even AFTER it is shredded!).

Tags: data protection, document shredding services boston, compliance laws, records, Massachusetts State Laws, 93I, Protected health information, 93H, Document Destruction regulations, compliance, privacy, PHI, shredding services

The Information Disposal Training Program for Employees, brought to you by NAID!

Posted by Sean Kelly on Fri, Apr 06, 2012 @ 01:28 PM

Calling all Doctors' offices! Are your data disposal practices HIPAA compliant? Do you feel comfortable with your employees' knowledge of HIPAA? Are you sure that they are following correct protocol? If you have any question in your mind about HIPAA related data disposal, then we have the perfect answer for you. It's called the NAID Employee Information Disposal Training Program. This program was developed by NAID, the National Association of Information Destruction, and is brought to you (Doctors' Offices) by document destruction vendors that are members of NAID. Safeguard Records Management is a document destruction vendor, and member of NAID, who has realized the importance of this training video and has absorbed the costs of the video and training materials to bring this NAID program to you FREE OF CHARGE.

One of the many benefits of this training is that it is the ULTIMATE RISK MINIMIZER. "How?" you ask... well, NAID has stated that "HIPAA regulators have written that when employees are appropriately trained on proper data disposal, healthcare providers will not be held fully responsible for disposal violations". At the same time, NAID also tells us that "HIPAA regulators have stated that failure to provide such training will result in the highest level of mandatory fines".

So what do you have to lose? Well, a lot, if your office doesn't take advantage of this training program, which can be completed in only about half an hour! To learn more, watch the NAID video below, and when you are ready to have your risk minimized, click on the blue button to request more information or to schedule a training session!

NAID training program

Tags: data security, data protection, document shredding services boston, compliance laws, Protected health information, HIPAA, non-compliance, destruction, Document Destruction regulations, compliance, privacy, PHI, document shredding services worcester, Certified document destruction, worcester shredding, Medical, new laws, healthcare

Are your Medical Records Safe? Medical Identity Theft & ill effects

Posted by Sean Kelly on Wed, Jul 27, 2011 @ 08:27 AM

I'm sure a lot of you have heard of identity theft, but what about medical identity theft?

It's possible and it's happening. A recent data breach at Beth Israel hospital in Massachusetts has left many of its patients at risk of having their medical identity stolen. Medical identity theft is a spin on regular identity theft as it can affect your finances and credit, but it can also affect your health.

What are the warning signs that someone is trying to steal your medical identity?

1. You get a medical bill for services you did not receive
2. A debt collector contacts you regarding a bill for medical services you did not receive
3. You get a copy of your credit report and you see medical collection notices that you do not recognize
4. You try to make a legitimate insurance claim but your health plan says you have reached your limit
5. You are denied medical insurance coverage because your medical records indicate a condition that you do not have


Not only could your finances be affected by medical identity theft, but your medical records and history could be altered which may lead to you receiving improper treatment which may cause illness or worse.

To stay protected, make sure you do the following...

1. Verify sources before giving out information. Giving out medical or personal information over the phone or through e-mail can be risky business and put you at higher risk of having your medical identity stolen.
2. Safeguard your medical and health insurance information. Make sure that your paper files and any medical information you have is protected either under lock and key by using a secure medical archiving vendor or, if your information is online, make sure it is password protected. Always check the security of a website before entering your social security number or credit card information.
3. Properly dispose of your records. If you keep your medical records for a period of time, when the time comes to get rid of your records, never just toss them in the trash. Make sure they are securely shredded and disposed of afterwards.


For more information on how to protect your medical identity, visit

http://www.worldprivacyforum.org/

http://ihcrp.georgetown.edu/privacy/records.html

and if you think your rights under HIPAA have been violated, please visit

www.hhs.gov/ocr

Tags: stolen identity, HIPAA, privacy, identity theft, health insurance fraud, Medical, wrong medical bill

Why choose Safeguard for your Records Management needs?

Posted by Sean Kelly on Wed, Mar 02, 2011 @ 07:38 AM

The US Department of Health and Human Services (HHS) fined Massachusetts General Hospital $1 million today for losing the medical records of 192 patients, the second ever fine imposed on a healthcare organization for violating the Health Insurance Portability and Accountability Act (HIPAA).

HHS's Office for Civil Rights (OCR) made the following statement in their press release:

"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The records that were lost in this case were not electronic, but the law and penalties do not differentiate. However, if encrypted electronic records are lost, you are not required to notify HHS or patients of the incident. In other words, encrypt your data!

The first ever fine for HIPAA violations, imposed on Tuesday, was $4.3 million dollars against Cignet Health of Maryland. Cignet had failed to provide patients a copy of their medical records upon request.

The really disturbing part, though, was that after Cignet attempted to ignore the government's enforcement action, not only did they deliver the 41 patients' records to the Department of Justice, they handed over 59 boxes of patient medical records, including records for 4,500 people unrelated to the case.


From time to time, I have asked health care professionals what they are doing to comply with HIPAA. One doctor told me, "When they start putting doctors in jail, I'll worry about encrypting my records." Maybe these enforcement actions by HHS will change his mind.

Data Leakage Prevention tools and encryption can both play a part in being HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) compliant. For details on how Sophos can help, browse over to our HIPAA hot topic page.

If you work in the healthcare industry, stop by our booth at the Healthcare Information and Management Systems Society conference in Orlando, March 21st to 23rd. You can find us at booth 5178 to learn more about how we can help you secure your patients' information.

Tags: data security, data protection, records, HIPAA, privacy, federal regulations, healthcare, wrong medical bill