
Current and Future Privacy Laws That May Affect Your Business

As corporate data breaches spiral out of control, consumers are demanding stricter protection standards for their personal, financial, and medical information. This presents a challenge for businesses. Keeping up with an alphabet soup of privacy regulations isn’t easy. In this blog, we highlight several common privacy laws and outline your obligations for meeting each of their requirements.

FACTA

The Fair and Accurate Credit Transaction Act (FACTA) applies to financial institutions and their obligation to protect personally identifiable information (PII). FACTA’s Disposal Rule requires proper disposal of information to protect against “unauthorized access to or use of the information.” Under FACTA’s Red Flags Rule, financial institutions must create and implement a written Identity Theft Prevention Program to help detect and prevent identity theft. Failure to comply with FACTA can lead to fines of up to $1,000 per individual violation, even if a consumer did not suffer damages from identity theft. Since most businesses collect some form of sensitive financial information, such as credit applications, it’s important to maintain a strict chain of custody during the retention lifecycle, including final disposition. Partnering with a records services company significantly reduces your risk of FACTA non-compliance and the associated penalties.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) affects any organization collecting protected health information (PHI). The US Department of Health and Human Services’ Office for Civil Rights (OCR) oversees enforcement of HIPAA, levying fines against organizations that fail to comply with its medical privacy requirements. HIPAA’s Privacy Rule and Security Rule require covered entities and business associates to implement physical, administrative, and technical safeguards for PHI, including secure destruction of expired medical records. Keep in mind, primary care providers, hospitals, and other healthcare-related organizations aren’t the only entities affected by HIPAA requirements; any business providing services to healthcare organizations must abide by HIPAA rules.

GLBA

The Gramm-Leach-Bliley Act (GLBA) is a consumer protection law requiring companies to protect consumer financial data collected from their customers. GLBA’s Financial Privacy Rule requires businesses to maintain a written privacy policy explaining:

  • Data collection purposes
  • Data sharing standards and procedures
  • Data protection and privacy practices

For help drafting a privacy policy, consult with a lawyer or a qualified records management provider.

CCPA

The California Consumer Privacy Act (CCPA) was passed in 2018 and is scheduled to go into effect in 2020. CCPA is poised to become the nation’s strictest privacy law, requiring companies to be transparent about what consumer data they collect and how they use it. CCPA won’t only apply to California-based businesses. Any organization collecting large amounts of data from California residents will be affected by the law. In the meantime, several other states are considering laws similar in scope to CCPA. In fact, Washington state senators recently passed Senate Bill 5376, which gives consumers greater rights and controls over data collected from businesses. Partnering with a records management vendor who offers breach readiness and reporting services can help your business comply with CCPA, Senate Bill 5376, and other current and future privacy regulations.

DeVries Business Services proudly serves businesses in Spokane, Eastern Washington, and Northern Idaho. For more information about professional records management, please contact us by phone or complete the form on this page.