When Ollie North and his secretary Fawn Hall did it in their National Security office years ago, the press was in an uproar. After Enron employees engaged in it on a grand scale as their company collapsed, the FBI stepped in, and Congress eventually held hearings on it.
What is the once deceitful business practice that today is effectively mandated by the U.S. Government? Shredding.
With the implementation of relatively new government regulations, shredding is not only regarded today as a best business practice; there are also huge penalties for not effectively destroying data and sensitive paper.
Just ask Mic Sager, while he stands in the parking lot of the Olympic Medical Center watching a huge, high-tech truck shred away his worries as the center’s compliance officer. “We witness the destruction and they provide us with written assurance of the destruction.”
According to “Report on Patient Privacy,” Sager’s desire to see documents shredded on site and his requirement of written documentation are not unfounded. Examples of medical records destined for destruction, yet ending up in a landfill instead, are not unheard of.
Document security is a huge concern for U.S. organizations today. Such worries are fueled not only by new or expanded government regulation, but also by the tremendous problem of identity theft. According to the U.S. Federal Trade Commission, identity theft has become the world’s fastest-growing crime. Consumers bear the emotional costs, but companies bear the bulk of the financial costs. The regulatory landscape is as obscure as it is growing. While the penalties for violations are relatively clear, exactly what to do to avoid them is not.
First, the pain: Two major laws and the liabilities related to a national identity theft problem are forcing a number of businesses to reassess the way they handle and discard sensitive documents. The penalties associated with violations of the Healthcare Information Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley (G-L-B) Act are significant and affect a wide range of business practices, including legal, financial services, health care and (potentially) the vendors who service those types of businesses as well. Civil money penalties can be $100 per violation; up to $25,000 per person, per year for each requirement or prohibition violated. Criminal penalties of up to $50,000 and one year in prison are also possible for obtaining or disclosing protected health information. Any wonder why Sager is standing in the parking lot watching his documents be destroyed?
Although the search for compliance is not quite as complicated as the search for the Holy Grail, the road to the former is fraught with just as many perils as the latter. The best advice is to pursue and, in fact, embrace best business practices to inoculate an organization against the viral-like spread of unprofessional document destruction. This quest starts with employee education. Employees must know exactly what to do when faced with the destruction of what may be a sensitive document. Also, policies and training programs regarding handling and destruction of sensitive documents should be in writing.
Second, some accounting firms are now recommending outsourced document destruction for some very pragmatic reasons. “Companies are increasingly using the services of professional security/shredding firms, which have several advantages over in-house shredding, archive storage, or recycling,” states The CPA Journal. “These include the high level of security, no investment in shredding machines, access to specialized equipment for shredding tapes, film, and other media, no space for shredding operation, and generally a lower cost than in-house solutions.”
The onsite professional shredding approach ensures that documents are destroyed before leaving the client site, thereby eliminating the potential liability for those documents as well as the need to further monitor discarded confidential information. Document security experts suggest that companies that use haul-away shredding services – basically recycling companies – face increased risk and liability due to a broken chain of custody of those documents. Even self-shredding cannot produce the same level of security as professional, on-site document destruction. Such an approach leaves ‘to shred, or not to shred’ decisions up to employees and does not provide any independent certification that the sensitive documents have been properly destroyed.
Also, supporting documentation is critical for demonstrating best business practices should a company experience an alleged document security breach in the future.
Here are some ‘Dos’ and ‘Don’ts’ to help protect your organization. First, all media (meaning all methods and channels of communication, i.e., e-mail, correspondence, facsimile, copy, etc.) that has not been released to the public is to be considered proprietary information. When in doubt, shred!
- All accounting and financial documentation
- All customer support documentation
- All human resource documentation
- All sales and marketing documentation
- All operations and technical support documentation
- Any material that includes your company name or customer information
- Correspondence such as memos, letters, business cards, credit cards
- Reports, records, files, studies, analyses, bids, budgets, forecasts, blueprints, associate files and records, support and training material, diskettes, video tapes, CDs, microfiche, transparencies, photos, carbon paper, etc.
Special ‘Dos’ for Hospitals and Medical Practices. In addition to this proprietary information, additional protected healthcare information (PHI) should be considered confidential:
- IV Bag label with patient’s name and name of drug
- Daily patient lists maintained by floor nurses
- Drug Vials and prescriptions
- Databases maintained in Research Labs
- Billing information and Registration records
- Lab Report Slips
- Printouts from EKGs, EEGs, and other medical devices
- MRI and Radiology Film
- Ultrasound Results
- All Medical Testing that refers to specific patients and specific tests
It is critical to keep normal office waste and sensitive documents that need to be destroyed separate. Mixing these two waste products not only sends the wrong message to your employees, it also can impact adversely on your regulatory compliance efforts!
And remember: Recycling documents is not secure document destruction. The chain of custody is broken and that puts your business at risk. Shred onsite first, recycle later!
Do Not Include These Items In Your Secure Shredding Containers:
- Any food items or food containers or wrappers including plates, cans, cups, drink containers, etc.
- Packaging or wrapping materials such as copy paper wrapping, etc.
- Glass, metal, solid wood products, solid plastics, polystyrene and Styrofoam
- Toner cartridges
- Wet waste, liquids, paper towels, and tissues
- All materials in general circulation such as newspapers, magazines, etc.
By following these rules of the road, you can help keep your company in compliance and out of trouble.