Will New HIPAA-HITECH Rules Put An End To Shred Companies
That Transport Whole Documents For Plant-Based Destruction?

New rules regarding the Health Insurance Portability and Accountability Act (HIPAA) may make
Business Associates* (such as document destruction companies) subject to hefty fines for violations
indicating "willful neglect". Penalties can reach up to $50,000 per incident, totaling up to $1.5 million
per year, plus criminal penalties of up to 10 years imprisonment.

On January 17, 2013 the U.S. Department of Health and Human Services (HHS) released final
regulations (the Final Rule) modifying the existing privacy and security rules relating to protected health
information (PHI) under HIPAA. The Final Rule, effective March 26, 2013, requires compliance by
Covered Entities* and Business Associates no later than September 23, 2013. Under HITECH
(the Health Information Technology for Economic and Clinical Health Act) there will be a formal
unannounced auditing program of both covered entities and business associates. HITECH was
passed by Congress as part of the 2009 American Recovery and Reinvestment Act, also known as
the Stimulus Bill. The number of surprise audits and fines is expected to increase substantially in
2013.

Any employee who finds a weakness suggesting that a customer has a potential data breach must report
it to management, and management must then report it to the customer. The primary data custodian has
to provide the data breach notification, even if the breach was caused by the service provider/business associate.

On-site shred companies (those that destroy documents on the spot) have little to worry about in the
way of a data breach: the risk is limited to the distance between the covered entity and the shred
truck at the door. However, companies that choose to transport whole documents (oftentimes making
many stops, in many cities, over a number of days) for eventual delivery to a plant-based shred
facility have multiplied the risk, and therefore the exposure.

Covered entities now want service providers to indemnify them for damages the providers cause. Many
contracts and Business Associate (BA) Agreements now contain a clause making the service
provider liable for financial damages it causes, including the cost of breach notification!

What patient information are we trying so desperately to conceal? Protected Health Information (PHI)
is any information about health status, provision of health care, or payment for health care that can be
linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's
medical record or payment history. Under the US Health Insurance Portability and Accountability Act
(HIPAA), PHI that is linked to an individual through any of the following 18 identifiers must be treated with
special care:

1.) Names
2.) All geographic identifiers smaller than a state, except for the initial three digits of a zip code if,
according to the current publicly available data from the Bureau of the Census: the geographic unit
formed by combining all zip codes with the same three initial digits contains more than 20,000 people;
and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer
people is changed to 000.
3.) Dates (other than year) directly related to an individual
4.) Phone numbers
5.) Fax numbers
6.) E-mail addresses
7.) Social Security numbers
8.) Medical record numbers
9.) Health insurance beneficiary numbers
10.) Account numbers
11.) Certificate/license numbers
12.) Vehicle identifiers and serial numbers, including license plate numbers
13.) Device identifiers and serial numbers
14.) Web Uniform Resource Locators (URLs)
15.) Internet Protocol (IP) address numbers
16.) Biometric identifiers, including finger, retinal and voice prints
17.) Full face photographic images and any comparable images
18.) Any other unique identifying number, characteristic, or code, except the unique code assigned by
the investigator to code the data.
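As an added example (not from the article or the company it describes), the following Python shows how the zip-code rule in item 2 and the date rule in item 3 could be applied to a record before it is released or logged; the three-digit zip population figures are constructed for illustration and are not Census data.

```python
"""Safe Harbor handling of two of the 18 HIPAA identifiers: zip codes and dates."""
from datetime import date

# CONSTRUCTED populations for three-digit zip prefixes (hypothetical, not Census data).
ZIP3_POPULATION = {
    "021": 650_000,   # large area: the three-digit prefix may be kept
    "036": 12_000,    # 20,000 or fewer people: prefix must become "000"
}


def deidentify_zip(zip_code: str, zip3_population: dict = ZIP3_POPULATION) -> str:
    """Return the Safe Harbor form of a zip code (item 2).

    Only the first three digits may survive, and only when all zip codes sharing
    them cover more than 20,000 people; otherwise the result is "000". A prefix
    missing from the table is treated as small, which is the conservative choice.
    """
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a zip code: {zip_code!r}")
    prefix = digits[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def deidentify_date(d) -> str:
    """Keep only the year (item 3). Accepts a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    return str(d.year)


def deidentify_record(record: dict) -> dict:
    """Apply both rules to a record; every other field passes through unchanged,
    so the caller must still remove the remaining identifiers from the list."""
    out = dict(record)
    if "zip" in out:
        out["zip"] = deidentify_zip(out["zip"])
    if "dob" in out:
        out["dob"] = deidentify_date(out["dob"])
    return out
```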

So what is the cost of breach notification? Let's start with a ream of paper: that's 250 sheets, and
there are 10 reams to a case. So we have 2,500 sheets of paper per case, and shred companies often
place 7 cases in each 64-gallon bin. That's 17,500 clients that require breach notification, times however
many bins fell off the truck or were seen blowing in the wind after the crash. It happens to armored
trucks, and yes, it can happen to your PHI (Protected Health Information).

Keep in mind that HIPAA requires the prevention of unauthorized access to PHI, which ultimately
necessitates destruction. Whether you choose to shred on-site or have whole documents transported
elsewhere for destruction, let the Prudent Man Rule be your guide and make sure you've done your
due diligence.

* Business Associate: any person who performs or assists a Covered Entity in the performance of a
function or an activity involving the use or disclosure of PHI.
* Covered Entity: broadly speaking, all health plans, health care providers, and health care
clearinghouses.

If you want to learn more about the federal laws, the recommended destruction schedule for each type
of document, and other important information, you can go to our website and find all the facts and a
downloadable list of each document and its requirements:
http://www.infosafeshredding.com/security.htm.
It is better to be safe than sorry when it comes to any government requirement, and it is very easy to
implement the proper procedures and document destruction that will keep you out of trouble and in
compliance.

For more information on document destruction and liabilities: http://www.infosafeshredding.com
