“What’s the minimum shred size?”
Recently I got a great question from one of my Compliance Helper clients:
“This may seem like a silly question, but is there any type of HIPAA compliance requirements for shredder types? For example, minimum shred size?”
Not a silly question at all! Of the organizations that shred their paper documents (there are still way too many that don’t), a large portion of them are not shredding their documents to a point that they are actually doing so effectively. Here are some points and tips for you to incorporate into your organization’s information security and privacy policies and procedures.
Size counts
The size of the shredded pieces matters when it comes to shredding documents to disallow unauthorized access to the associated information that is on them. There is no specific regulated size that I’m aware of, but you need to make sure you are shredding to small enough pieces so that the documented cannot be put back together again. Think this is a far-fetched idea? Well, consider the following actual cases that represent the ability to put together shredded papers over the past 4+ decades:
- Lewis Perdue described in his 1977 book how his investigative reporting of a Congressional scandal used information obtained after putting together shredded documents.
- Confetti at the 2012 Macy’s Thanksgiving Day Parade in New York was made out of confidential police documents that contained easy-to-read personal information.
- Computer software was used in 2009 to reassemble documents shredded by R. Allen Stanford who was charged with running a $7 billion Ponzi scheme.
Yes, computer software is being used to reconstruct shredded documents if the pieces are not too tiny. I did not contact the company directly, but based upon what they have posted on their site, it looks like it would be very easy for anyone, including crooks, to purchase this software and use it to support their criminal activities. Maybe they will comment to provide more information.
Legal requirements for shredding
Here are just a few legal requirements you should know about:
- FACTA Disposal Rule: Establishes shredding requirements. In particulate it states “shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.” While it does not state this should be a cross-shredder, besides there having been many reports of criminals taking ribbon cut papers and putting them back together again, the new and advancing software tools to reassemble shredded papers is a good enough reason to shred as finely as possible “so that the information cannot practicably be read or reconstructed.”
- Gramm-Leach-Bliley Act: This requires that covered organizations create provisions to protect consumers’ personal financial information. Paper documents containing personal information should be protected when in use and safely destroyed when no longer current and or usable. Destruction options include shredding.
- HIPAA: While HIPAA doesn’t explicitly state how to shred, typically regulators expect long-established other regulations such as this to be used as de facto standards by entities in other industries that don’t fall under those particular regulations.
- California Civil Code – SB 1386 Civil Code Section 1798.81: “A business shall take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable through any means.“
Finely cross-shredding paper documents has been a long-recognized legally-compliant way to appropriately mitigate the risk of having paper documents being access by criminals and other unauthorized individuals.
Advice from the Department of Health and Human Services (HHS)
To appropriately meet compliance with HIPAA Security Rule safeguards requirements, the HHS provided the following advice with regard to disposal:
“Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
• For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”
Bottom line for organizations of all sizes…
Every organization, in all industries, of all sizes, in all locations, needs to look at the information they have, identify all types and forms of information that contain personal information and other types of sensitive information, and then establish reasonable procedures to appropriately shred the paper documents to mitigate the risk of someone actually being able to put the tiny pieces of paper back together again.
While doing research for this post, one of my Twitter peeps tweeted, “The next model shredders will singe the paper, wet it and compact it into a ball.” That would surely be a very secure way to dispose of paper without worrying about the re-assemblers! Not sure if it is reality yet, though. In the meantime, use a finely-cross-cut shredder to most securely dispose of paper containing personal information and other types of confidential information.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, disposal, dispose, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, reassemble, Rebecca Herold, risk assessment, risk management, security, shred, shredder, systems security, training, unshred