When you consider the amount of data stored in medical and banking/financial industry offices, you realize the potential for data and identity theft is staggering. It’s why a secure document shredding program is of the utmost importance for these types of organizations.
Medical Industry Policies
According to a study in The American Journal of Managed Care, paper and film records are the most common source of data breaches in hospitals. Have you questioned what policies they have in place to ensure that your private paperwork stays secure after it reaches the end of its life?
Doctors’ offices and hospitals must walk a fine line between retaining customer records in case they’re needed for future reference and protecting patient information. There are specific state laws as well as Health Insurance Portability and Accountability Act (HIPAA) laws that outline the rules around retention of sensitive health documents.
HIPAA, for example, requires that medical records be retained for six years from the date they were created or last used. Individual states have their own laws around medical record retention times, but if those times are shorter than the HIPAA period, the latter will preempt the state law.
Once a medical document has reached the designated time period, it must be securely shredded. The types of records and information covered under HIPAA and state privacy laws include:
- Social Security Numbers
- Account Numbers
- Medical Record Numbers
- Phone Numbers
- Email Addresses
- Full Face Photos
- Health Plan Beneficiary Numbers
- Vehicle Identifiers and Serial Numbers
Financial Industry Policies
Like the medical industry, the banking/financial industry also has laws that govern how long documents must be kept before they are securely destroyed. These laws include:
- The Equal Credit Opportunity Act, which requires financial institutions to store loan application documents for 25 months after the applicant has been notified of the action being taken
- The Electronic Funds Transfer Act, which requires banks to retain evidence of compliance for two years after the date disclosures are given or any sort of action is taken
- The Bank Secrecy Act, which requires a five-year retention of a variety of documents, from CTRs and SARs to records of cashier’s checks of $3,000 or more
It’s a good idea to be aware of these laws and which documents are still being held by the financial institutions you’ve worked with. And, just as with medical offices, have you asked your bank and any financial services companies you work with what their procedures are to ensure that your sensitive information stays secure after it reaches the end of its life?
Insist on Secure Document Shredding
Fast forward. The time has come when your medical and financial service providers no longer need to retain records with your private information. At that stage, all paperwork should be placed in locked paper bins provided by a AAA NAID-certified document solutions company. This will ensure that your documents cannot be tampered with before they are shredded.
If this is how your service providers operate, your paperwork will soon be destroyed — either by a mobile shredding truck that comes to the place of business and destroys the documents on site or in a secure facility where documents are destroyed by professional shredding equipment. What you should also know is that if your medical and financial services providers are using a AAA NAID-certified document solutions company, they can request a certificate of destruction to keep on file to prove that they properly and securely disposed of their clients’ or patients’ sensitive data.
The next time you have an appointment with a doctor or you visit your bank or financial advisor, ask how they manage your sensitive data – both in the office and when it’s time to shred it. If you don’t like the answer, feel free to refer them to Paper Tiger for more information about secure document shredding.