by Leonard A. Bellavia, Esq.
Recently several doctors in Massachusetts entered into a consent agreement to pay fines totaling $140,000 to the Massachusetts Attorney General’s office over incidents involving improper disposal of patient records covered under the Health Insurance Portability and Accountability Act (or “HIPAA”). HIPAA requires health care professionals to dispose of documents in a manner that protects the nonpublic personal information of patients. Many companies are not aware that a similar requirement exists for them to properly dispose of their customers’ nonpublic personal information. With fines up to $1000 per violation, as well as payment of plaintiffs’ legal fees, companies should take their responsibilities to properly dispose of customer files seriously.
Gone are the days when a business employee could simply throw a completed credit application or “dead deal” folders full of deal paperwork in a garbage can. Now, if companies have any documents that contain nonpublic personal information, such as Social Security numbers, customers’ dates of birth and so on, they must dispose of the information in a way that complies with the Federal Trade Commission’s (or “FTC”) Disposal Rule.
The Disposal Rule requires businesses to maintain “disposal practices that are reasonable to prevent the unauthorized use, or access to, information in a consumer report.” Suggested practices include burning, pulverizing or shredding hard copies containing nonpublic personal information, or, if the information is stored electronically, appropriate erasure or destruction procedures. If companies subcontract document disposal to third parties, they may be liable for failures by the third parties to comply with the Disposal Rule.
In the case cited above, a photographer for the Boston Globe discovered the documents discarded by the doctors and billing practice while dumping his own garbage into a waste receptacle that contained the patients’ information. The photographer then referred the matter to the Attorney General’s office, which later brought suit against the parties. It is easy to imagine similar discoveries made by employees or customers at a business that fails to comply with the Disposal Rule. A disgruntled employee could report the business to the proper authorities or a consumer could see intact documents in a waste bin and file a complaint. Your Safeguards Rule policy should include your business’s compliance with the Disposal Rule. Protect your business against similar suits by developing processes and training that address how your employees will dispose of information in accordance with the Disposal Rule.