Education - Resources

Laws and Regulations

Georgia Senate Bill 475
Section 10-15-2 states: "A business may not discard a record containing personal information unless it:

(1) Shreds the customer's record before discarding the record;

(2) Erases the personal information contained in the customer's record before discarding the record;

(3) Modifies the customer's record to make the personal information unreadable before discarding the record; or

(4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer's record for the period between the record's disposal and the record's destruction."

http://epic.org/privacy/ssn/sb475.html

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA went into effect in 1996 and was largely designed to protect patients' personally identifiable information (PII). Some individuals believe that shredding documents themselves prevents conflicts with HIPAA from arising. In fact, shredding your documents in-house can create more conflicts with HIPAA, because independent certification of document destruction is not possible when you shred in-house.
  • If you take the time to write the necessary policies and procedures, then how likely is it that the proper protocol will actually be followed by your employees? Do you want to bear the full risk? River Mill Data Management can provide you with policies and procedures for document destruction and provide the necessary training to your employees.
  • http://www.hhs.gov/ocr/privacy/

Gramm-Leach-Bliley Act (GLB)

  • GLB went into effect in 1999 and requires financial institutions to take adequate precautions to protect the customer information they hold. These institutions include any that provide a form of financial product or service. They are required to have a comprehensive written information security program that includes administrative, technical, and physical safeguards. When an institution outsources any part of the information management cycle, it must exercise due diligence in selecting, managing, and monitoring the service provider.
  • River Mill can provide you with a written information security program for information disposal and provide training to your employees. This will prove that you have taken the necessary steps to show due diligence in your information security program.
  • http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

FTC Act, Section 5

  • “Disposal shall be by means that protect against unauthorized access to the customer information, such as by burning, pulverizing, or shredding any papers, and by erasing or destroying any electronic media, to ensure that the customer information cannot practicably be read or reconstructed.”
  • http://ftc.gov/os/caselist/1023228/120426vpsperryorder.pdf

Fair and Accurate Credit Transactions Act (FACTA)

Safeguards Rule

Disposal Rule

Red Flags Rule

Family Educational Rights and Privacy Act (FERPA) – (20 U.S.C. § 1232g; 34 CFR Part 99)

Trade Organizations

National Association of Information Destruction (NAID)

Professional Records and Information Services Management (PRISM)