Industry News

HIPAA Breach Notice Rules Take Effect

The U.S. Department of Health and Human Services (HHS) has issued new regulations requiring health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is breached.

The rules take effect Sept. 23, though a six-month grace period means that HHS will not impose penalties for breaches discovered before Feb. 22, 2010.

The regulations require health care providers and other HIPAA-covered entities to "promptly" notify individuals affected by a data breach, as well as the HHS secretary and the media in cases where more than 500 individuals are affected, according to HHS. Breaches affecting fewer than 500 people must be reported to the HHS secretary annually. Business associates of covered entities must notify the covered entity of data breaches at or by the business associate.

The breach notice regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the American Recovery and Reinvestment Act of 2009.

To determine when information is "unsecured" and when HHS and FTC (Federal Trade Commission) rules require notification, HHS, in the same document as the regulations, is issuing an update to its guidance specifying encryption and destruction as the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals.

FTC Further Delays Enforcement of Red Flags Rule

The Federal Trade Commission (FTC) has announced that it will further delay enforcement of the Red Flags Rule until Nov. 1, 2009. Enforcement was to begin Aug. 1. In the meantime, the FTC says it is stepping up its efforts to educate small businesses and other organizations about compliance with the Red Flags Rule and is providing additional resources and guidance to clarify which businesses are covered by the rule and how they can comply.

The Red Flags Rule is an anti-fraud regulation that requires "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect and respond to warning signs, or "red flags," that could point to ID theft. The Fair and Accurate Credit Transactions Act of 2003 (FACTA) mandates the rule. Under FACTA, a "creditor" is defined as any entity that extends or renews credit or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods or services. "Financial institutions" include entities that offer accounts that enable customers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

The FTC’s Red Flags Web site, at www.ftc.gov/redflagsrule, provides resources to help entities determine if they are covered and how to comply with the rule.

NAID Aids in Developing Guidelines for Health Care Organizations

The National Association for Information Destruction (NAID), based in Phoenix, will collaborate with the Ontario Information and Privacy Commissioner’s Office (IPC) to create guidelines to help health care organizations ensure the proper destruction of discarded personal information.

The project was made public in the Ontario IPC’s Order issued July 3, pursuant to the province’s Personal Health Information Protection Act, documenting the investigation into the improper disposal of health information by a high-profile medical services company operating in Canada and the U.S.

Ontario Information and Privacy Commissioner Dr. Ann Cavoukian will unveil the Health Information Destruction Guideline during her keynote speech at the 2009 NAID-Canada Conference Oct. 29 in Toronto.

NAID Executive Director Bob Johnson says the project is significant because it is the first such collaboration between NAID and an independent regulator and because of the world-renowned status of the Ontario IPC.

"Obviously, we welcome being included in such a project with any government body seeking to provide sensible destruction advice to its constituents," Johnson says. "But the fact that this invitation comes from the office of one of the world’s most highly regarded and influential privacy leaders is an honor." He adds, "There is little doubt it will bring needed attention to this often overlooked area of information protection."

Cavoukian has been appointed to an unprecedented third term of service as Ontario information and privacy commissioner. In 2007 she was recognized as the Privacy Professional of the Year by the International Association of Privacy Professionals (IAPP).

Study Reveals Growth Among Destruction Firms

A report released by Shotgun Capital Advisors, Southlake, Texas, identifies continued strong performance in the document destruction industry despite the challenging economy.

"While 2008 had been a terrible year for most industries, the document destruction industry resisted the economic downturn and grew by 20 percent," says Jim McGuire, president of Shotgun Capital Advisors. "Small to medium-sized document destruction companies are continuing to drive the growth of this critical business security service."

More than 240 document destruction companies participated in the Shotgun Capital Advisors survey on which the report is based.

In addition to examining industry trends, the report provides specific metrics on sales, margin, paper tonnage, console and tote counts, fleet size, customer retention and employees.

Shotgun Capital Advisors is a merger and acquisition advisory firm with a focus on the document destruction industry.

The complete report is available for purchase under the "Downloads" section of the Shotgun Capital Advisors Web site at www.shotguncapital.com.

Securit/Shred-it Names New President and CEO

Securit/Shred-it, an international information security company based in Oakville, Ontario, Canada, has announced that its board of directors has named Vincent R. De Palma to serve as the company’s president and CEO. The company had been operating under interim leadership since the death of the company’s founder, Greg Brophy, in September 2007.

De Palma has served as president of Pitney Bowes Management Services since 2005. Prior to joining Pitney Bowes, he had been a corporate officer and president of ADP Benefit Services at Automatic Data Processing (ADP).

De Palma received a bachelor’s degree in chemical engineering from Lafayette College and a master’s of business administration in finance from the University of Pennsylvania.

"The board of directors selected De Palma based on his strong track record leading service-based organizations as well as his impressive executive and personal qualities," says David Samuel, Securit/Shred-it’s chairman of the board. "Our search for a permanent leader to ensure Securit/Shred-it’s continued success has been thorough," adds Samuel. "A screening team, including Tracey Brophy, wife of the late Greg Brophy, interviewed numerous candidates for the position. Vincent’s background and cultural fit with the organization made him an ideal choice for the leadership role."

Storage Firm Expands through Acquisition

Exec-U-Store Records Management Facility, an information management business based in Lafayette, La., has acquired the commercial records center and document shredding assets of Celtic Commercial Services of Baton Rouge, La.

The acquisition was completed in June, giving Exec-U-Store a larger footprint in the Gulf area as well as the ability to provide document destruction services. The company previously subcontracted its destruction services.