It's The Law
Various privacy laws have been enacted to protect the confidentiality of client, customer and patient information, and the penalties for failing to comply with them are severe.
HIPAA (Health Insurance Portability and Accountability Act)
In essence, this act requires that patient health information be kept private and not be disclosed without authorization. The government imposes severe penalties for non-compliance with HIPAA.
The HIPAA legislation has four primary objectives:
- Ensure health insurance portability by eliminating job lock due to pre-existing medical conditions
- Reduce healthcare fraud and abuse
- Enforce standards for health information
- Guarantee security and privacy of health information
HIPAA noncompliance can have devastating consequences. It exposes you not only to severe fines and penalties but also to litigation and negative publicity. Noncompliance can result in the following:
- Civil fines of up to $25,000 per year for identical violations under the original statute; the HITECH Act (below) later raised this to a tiered maximum of $1.5 million per year
- Criminal penalties reaching $250,000 and up to 10 years in prison for the most serious violations (obtaining or disclosing health information with intent to sell it, or to use it for commercial advantage or malicious harm)
Examples of items to shred due to HIPAA:
- Billing Records
- Computer Disks
- Hard Drives
- Insurance records
- Patient Correspondence
- Patient Medical Records
- Prescription Information
- Registration Forms
- Sign-in Sheets
The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
The HITECH Act is legislation created to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA), an economic stimulus bill. HITECH also strengthened HIPAA enforcement, adding breach-notification requirements and higher tiers of civil penalties.
The HITECH Act stipulates that, beginning in 2011, healthcare providers are offered financial incentives for demonstrating meaningful use of electronic health records (EHR). Incentives are available through 2015, after which penalties may be levied for failing to demonstrate such use. The Act also establishes grants for training centers for the personnel required to support a health IT infrastructure.
GLB (Gramm-Leach-Bliley Act)
GLB places significant restrictions on the use of customer information by the financial industry. These restrictions recognize that non-public personal information, including financial and health information, must be safeguarded, and that obligation extends to proper disposal procedures.
Violations of GLB
If you are found noncompliant, you could be exposed to severe fines and even class-action lawsuits. Noncompliance can result in the following:
- Institutions can be subjected to civil penalties of up to $100,000 for each violation.
- The officers and directors of the financial institution can be subject to, and personally liable for, a civil penalty of up to $10,000.
- Imprisonment for up to five years is possible.
FACTA (Fair and Accurate Credit Transactions Act)
FACTA, a revision of the Fair Credit Reporting Act, was signed into law on December 4, 2003. It contains a number of rules designed to combat consumer fraud, identity theft and similar crimes, and it includes provisions designed to help the victims of those crimes. Of particular relevance here, the act requires the proper destruction of sensitive consumer information when it is disposed of.
The Fair and Accurate Credit Transactions Act (FACTA) is a broad-sweeping consumer rights bill providing for:
- Notice of consumer rights
- Credit score explanations
- Methods for disputing inaccurate credit reports
- Notice of negative credit reports
- Medical information and consumer reports
- Nationwide specialty consumer reporting agencies
- Workplace investigations
- Information sharing among affiliates
- Opt-out for risk-based pricing
- Disposal of consumer information
- Penalties of FACTA violations
Disposal of consumer information
The FTC's Disposal Rule, issued in November 2004 under FACTA, addresses the disposal of consumer information: name, address, SSN, credit information and data compiled from this information. Any person who maintains or otherwise possesses consumer information for a business purpose, in electronic or paper format, must "take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The rule gives examples of what counts as reasonable: burning, pulverizing or shredding paper records, and destroying or erasing electronic media so that the information cannot practicably be read or reconstructed.
Violations of FACTA
If you are found noncompliant, you could be exposed to severe fines and even class-action lawsuits, including:
- Civil Liability - actual damages sustained if an identity is stolen as a result of corporate inaction, or statutory damages of $100 to $1,000 per affected consumer (for example, per employee) for willful noncompliance.
- Class-Action Lawsuits - if large numbers of employees are affected, they may be able to bring class-action suits and get punitive damages from employers.
- Federal Fines - up to $2,500 for each violation.
- State Fines - up to $1,000 for each violation.
ITPEA (The Identity Theft Penalty Enhancement Act of 2004)
ITPEA created the new federal crime of aggravated identity theft (18 U.S.C. § 1028A). The Act states, "Whoever, during and in relation to any felony violation... knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years."
SOX (The Sarbanes-Oxley Act of 2002)
SOX enhances corporate responsibility in financial reporting. Administered by the U.S. Securities and Exchange Commission, SOX includes some of the most far-reaching reforms of American business practices since the 1930s. Its record-retention provisions bear directly on document disposal: knowingly destroying, altering or falsifying records to obstruct a federal investigation is a felony punishable by fines and up to 20 years' imprisonment (18 U.S.C. § 1519, added by SOX Section 802).