Secure Destruction: Eight Reasons You Must Do it
1. If you are a Health Information Custodian, such as a practitioner, hospital, board of health, community or mental health program, long-term care facility, laboratory or ambulance service, you have a legal responsibility to keep health information secure and private. The Personal Health Information Act of Ontario "…requires health information custodians to take steps to ensure information in their custody is protected against unauthorized use and disclosure."
Unauthorized use and disclosure can include disposing of hard drives without ensuring that the information contained on them is securely destroyed. A majority of identity thefts come from "dumpster diving", that is, going through garbage in search of personal information that can be used to steal unique identifiers (health card numbers), names, addresses, dates of birth and SINs. If you dispose of old computer equipment by setting it out at the curb, or by giving it to a recycler who lacks the protocols needed to certify and destroy your patients' electronic information, you expose your patients to identity theft and yourself to liability.
Judgements against Health Information Custodians in the Superior Court of Ontario have been awarded for the unauthorized disclosure of health information in the amount of $10,000.
2. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal act which protects personal information for the entire time it is in the possession of a financial institution, individual person (accountant, lawyer), corporation, association, partnership or trade union. The Act calls for keeping the information only as long as necessary and for destroying, erasing or anonymizing it once the purpose is fulfilled.
3. The National Association for Information Destruction, headquartered in Phoenix, Arizona, has stated that the only completely safe method of sanitizing information on hard drives, and by extension other data storage media, is physical destruction.
According to NAID, disk-wiping software cannot guarantee that information is erased beyond recovery.
For businesses and governments this means completely rethinking how personal information and identities are protected beyond the life span of the physical media.
4. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has said in Order HO-001, "Let there be no mistake - recycling does not equal secure disposal." Order HO-001 came about after medical records from a Toronto Health Clinic were obtained from a recycling facility and used as a prop for a Touchstone film about the 9/11 Attack on the World Trade Centre.
If you are a Canadian company or organization that does business with or in the United States, you may be subject to the following acts and regulations:
5. HIPAA. This act protects medical information held by HMOs, hospitals or health care providers; depending on the type of violation, violators can be fined up to $250,000 and imprisoned for up to 10 years.
6. Gramm-Leach-Bliley Act. The GLB Act applies to "financial institutions": companies that offer financial products or services to individuals, such as loans, financial or investment advice and insurance, as well as federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, state insurance authorities, non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors.
The law requires that financial institutions protect information collected about individuals. Fines and penalties begin at $100,000 and can include loss of FDIC insurance.
7. Sarbanes-Oxley (SOX). Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.
8. The Fair and Accurate Credit Transactions Act (FACTA). Dumpster diving has provided identity thieves with a wealth of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now, under new FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper disposal. This rule applies to individuals and to organizations both large and small. Among those who must comply with the Rule are consumer reporting companies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys or private investigators, debt collectors, and individuals who obtain a credit report on prospective nannies, contractors, or tenants.
FACTA requires holders of personal consumer information to destroy or erase electronic files or media containing consumer report information so that nothing can be read or reconstructed. Failure to comply can result in civil litigation being brought against the company or institution by the Federal Trade Commission.