Regulatory Compliance

Compliance and peace of mind are all within your reach.

PRIM’s Compliance Division is structured and directed by an in-house attorney, who provides guidance on the business, legal and regulatory requirements for records and information management, retention and disposition. The department provides our customers with compliance support and training relating to the management, preservation and confidentiality of protected information.

We are available to help create an effective records management strategy enabling, among other things, the timely and accurate declaration and classification of all fiduciary, regulatory, or business-specific records, regardless of media type.

Our processes are designed to reduce the risk of noncompliance. The penalty for noncompliance is a cost no organization should be willing to accept. Today the mismanagement of records can significantly damage a company’s reputation, result in sizable penalties, and can even expose individuals to civil and criminal liability.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act raise concerns among businesses that need to dispose of computers and electronic equipment containing confidential information.

To reduce the risk and liability of noncompliance, entities must ensure the privacy and confidentiality of all data stored on electronic equipment. Recycling alone does not discharge that duty: the storage media must be sanitized or physically destroyed before the equipment leaves your custody, and the destruction must be documented. Properly disposing of your equipment in this way helps your company meet its obligations under the privacy regulations.

PRIM closely follows these policies and regulations. Each is summarized below:
FACTA
Federal Rules of Civil Procedure
Gramm-Leach-Bliley Act
HIPAA
IRS Revenue Procedure 98-25
Land Ban Act of 1994
RCRA
Safe Harbor Act
Sarbanes-Oxley Act
SEC Regulation S-P

FACTA

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA (Pub. L. 108-159, 117 Stat. 1952). The law often directs the appropriate federal agency or agencies to adopt regulations, or rules, that expand upon the provisions included in the law. In most cases, federal agencies publish proposed regulations seeking public comment. Industry representatives, private citizens, other government agencies, consumer organizations, and anyone else with an interest can submit written comments to the agency. After the comment period is completed and the agency has analyzed all the comments, it then issues the final rules. Properly adopted rules have the same force as a law passed by Congress. The rule most relevant to records disposition is the FTC's Disposal Rule (16 CFR Part 682), adopted under FACTA section 216, which requires any person who maintains consumer report information to take reasonable measures, such as burning, pulverizing or shredding paper and destroying or erasing electronic media, so that the information cannot practicably be read or reconstructed.

Federal Rules of Civil Procedure

Rules 26 and 34 of the Federal Rules of Civil Procedure, as amended effective December 1, 2006, require companies to preserve potentially relevant electronically stored information (ESI) once litigation is pending or reasonably anticipated.

Rule 26 addresses initial disclosure, the scope and limits of e-discovery, and claims of privilege over pretrial materials. Parties must produce ESI that is relevant, not privileged, and reasonably accessible. The rule recognizes that producing some ESI may be excessively expensive or burdensome, and a party need not produce ESI from sources it identifies as not reasonably accessible because of undue burden or cost unless the court orders it.

Rule 34 establishes that ESI carries the same weight as paper documents. A party must produce documents in the form in which they are ordinarily maintained or in a "reasonably usable" form, and the requesting party may specify the form in which it wants them produced.

In practice, companies need to know what electronic information they are storing and where it is. They need written policies governing the retention and disposition of electronic information, they need to follow those policies consistently, and they need to be able to prove that they did, since routine destruction carried out under a documented retention schedule is defensible in a way that ad hoc deletion is not.

Gramm-Leach-Bliley Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC, whose guidance lists the types of financial activities covered.

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions. Note that the FTC amended its Safeguards Rule (16 CFR Part 314) in 2021, replacing the original general requirement for a written information security program with specific controls such as encryption of customer information in transit and at rest, multi-factor authentication, access controls, and secure disposal of customer information no later than two years after its last use unless retention is required.

The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."

HIPAA

"HIPAA" is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which among other things amended the Internal Revenue Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:

  1. Improved efficiency in healthcare delivery by standardizing electronic data interchange
  2. Protection of confidentiality and security of health data through setting and enforcing standards

More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:

  1. Standardization of electronic patient health, administrative and financial data
  2. Unique health identifiers for individuals, employers, health plans and health care providers
  3. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

* The bottom line: sweeping changes in most healthcare transaction and administrative information systems.

Who is affected?

Virtually all healthcare organizations – including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers – as well as life insurers, information systems vendors, various service organizations, and universities.

Are there penalties?

HIPAA, as enacted in 1996, calls for civil and criminal penalties for non-compliance, including:

– civil fines of up to $100 per violation, capped at $25K for multiple violations of the same standard in a calendar year
– criminal fines of up to $50K and/or imprisonment up to 1 year for knowingly obtaining or disclosing individually identifiable health information, rising to $100K and 5 years where the offense is committed under false pretenses, and to $250K and/or imprisonment up to 10 years where it is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm

These are the original statutory figures. The HITECH Act of 2009 raised the civil penalty tiers substantially (into the millions of dollars per year for repeated violations of the same provision) and extended direct liability to business associates, which includes records storage and destruction vendors handling protected health information.

Compliance deadlines?

Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. The Transactions Rule was published on August 17, 2000; the compliance date for that rule was October 16, 2003. The Privacy Rule was published on December 28, 2000, but due to a procedural glitch it did not become effective until April 14, 2001. Compliance with the Privacy Rule was required as of April 14, 2003. The final Security Rule was published February 20, 2003, effective April 21, 2003, with compliance required as of April 21, 2005. The final Standard Unique Employer Identifier was published on May 31, 2002. Compliance was required by July 30, 2004. The final rule establishing the National Provider Identifier (NPI) was published January 23, 2004. The compliance date is May 23, 2007 for most covered entities. Healthcare providers may begin applying for NPIs beginning May 23, 2005. A final standard for the health plan identifier has not yet been published.

IRS Revenue Procedure 98-25

The record retention requirements established by the Internal Revenue Service in Rev. Proc. 98-25 are the product of a guidance process that responds to technological advances in the business community. The procedure affects how long and in what format businesses must keep records of completed transactions. Failure to abide by it could result in audit adjustments and penalties.

SUMMARY: Provides the basic requirements for taxpayers that keep their books and records on computerized systems.

  1. States that computerized (machine-sensible) records are books and records as defined by the IRS.
  2. States that these rules still apply where a taxpayer has subcontracted its records management to a third party; outsourcing does not transfer the retention obligation.
  3. Provides definitions of a computer system, computer records, computer processing, etc.
  4. States that records must be retained so as to provide a proper audit trail from original entry to the tax return.
  5. States that a computer record is sufficient evidence and does not require a duplicate paper copy.
  6. Requires the taxpayer to maintain proper documentation of the computer system, file names, record layouts, indexes, etc., so the records can be located and read.
  7. Requires that, at the time of an examination or audit by the IRS, the taxpayer provide the resources (hardware, software and personnel) needed to retrieve the records in a usable form.

Land Ban Act of 1994

Computer monitors and terminals are classified as hazardous waste because of their phosphor, mercury, and lead content. The Land Ban Act of 1994 stipulates that the generators of electronic waste dispose of this waste in an environmentally compliant manner. The specific regulations can be found in Parts 260 through 279 of Title 40 of the Code of Federal Regulations (CFR).

Companies are environmentally liable for their surplus electronics and their appropriate disposal. Separately, sensitive and private data on computer hard drives are required by law to be safeguarded and destroyed; environmental disposal and data sanitization are distinct obligations, and sending a machine to a recycler does not by itself satisfy the second one.

PRIM helps limit companies' liability by destroying computer hard drives and disposing of computer equipment in accordance with all federal and state environmental laws. Upon completion, PRIM provides a Certificate of Destruction as evidence of services performed. For the certificate to be useful as evidence, it should identify each drive destroyed (by serial number or asset tag), the destruction method, and the date, so that the record can be matched against your own asset inventory.

RCRA

The Resource Conservation and Recovery Act (RCRA) of 1976 gave the U.S. Environmental Protection Agency (EPA) the authority to control hazardous waste from "cradle-to-grave." This includes the generation, transportation, treatment, storage, and disposal of hazardous waste. RCRA also set forth a framework for the management of non-hazardous wastes.

The Hazardous and Solid Waste Amendments (HSWA) of 1984 required the phasing out of land disposal of untreated hazardous waste (the "land ban"), and also gave EPA increased enforcement authority, more stringent hazardous waste management standards, and a comprehensive underground storage tank program. The 1986 amendments to RCRA further enabled EPA to address environmental problems that could result from underground tanks storing petroleum and other hazardous substances. RCRA focuses only on active and future facilities and does not address abandoned or historical sites (see CERCLA).

Safe Harbor Act

The European Commission’s Directive on Data Protection went into effect in October 1998 and prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions. To bridge the gap, the U.S. Department of Commerce, in consultation with the European Commission, developed the U.S.-EU Safe Harbor Framework (approved by the EU in 2000), under which U.S. organizations could self-certify adherence to a set of privacy principles and thereby receive personal data from the EU. Note that Safe Harbor is a framework rather than an act of Congress, and that the Court of Justice of the European Union invalidated it in October 2015; transfers now rely on its successors and on other mechanisms such as standard contractual clauses.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act came into force in July 2002 and introduced major changes to the regulation of corporate governance and financial practice. It is named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, and it set a number of non-negotiable deadlines for compliance.

The Sarbanes-Oxley Act is arranged into eleven 'titles'. As far as compliance is concerned, the most important sections within these eleven titles are usually considered to be 302, 401, 404, 409, 802 and 906. Section 802 is the one that bears most directly on records management: it makes it a crime to knowingly alter, destroy, conceal or falsify records with intent to obstruct a federal investigation or proceeding, and it requires auditors to retain their audit work papers for a fixed period.

The act also established the Public Company Accounting Oversight Board (PCAOB) to oversee the audits of public companies, and it was introduced amidst a host of publicity.

Compliance with this legislation need not be a daunting task. As with other regulatory requirements, it should be addressed methodically, via proper study and analysis. Compliance should be planned and implemented as a normal project, and, as with other regulatory requirements, some sections of the act are more pertinent to records management than others.

SEC Regulation S-P

The Securities and Exchange Commission issued Regulation S-P to implement the privacy rules mandated by the Gramm-Leach-Bliley Act. The Act required the federal financial regulators, including the SEC, to adopt implementing regulations no later than May 12, 2000; the other federal financial regulators issued their proposals in late February 2000, and the SEC adopted Regulation S-P (17 CFR Part 248) in June 2000. As required by the Gramm-Leach-Bliley Act, Regulation S-P requires every broker-dealer, investment company, and registered investment adviser to adopt written policies and procedures reasonably designed to: (a) ensure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer (the safeguards rule, Rule 30(a)). Following FACTA, the SEC added a disposal rule (Rule 30(b)) requiring these firms to properly dispose of consumer report information so that it cannot practicably be read or reconstructed, which is the provision that applies directly to shredding and media destruction.