Any business that collects employee and client information has an obligation under federal and state law to take proper measures to keep that information safe and secure. Protecting sensitive information from data breaches has become increasingly difficult, but health clubs must remain vigilant. Information collected through digital fitness marketing promotions, such as email campaigns and website ads, must be stored on secure servers, and any hard copies of sensitive data must be properly destroyed once they are no longer needed.
Data left on discarded drives and improperly discarded hard-copy material are among the major sources of data breaches and identity theft. To ensure that your health club complies with privacy laws, develop a clear information destruction policy so that smart and secure disposal practices are followed for everyone's safety.
What are the Privacy Laws?
In the United States there is no single comprehensive law that governs data privacy. However, the Federal Trade Commission (FTC) has set up a series of policies and regulations that control how commercial businesses must handle private information. These regulations apply to many different areas of commerce, including telecommunications, health information, credit information, financial institutions and marketing.
The US also has many sectoral data privacy laws as well as data privacy legislation at the state level. State-level legislation has gained momentum over the past decade as states identified the gap left by the absence of a comprehensive federal data privacy law. States have also worked with specific industries to develop rules and regulations that govern data privacy. These industry-specific personal privacy regulations include:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates that healthcare facilities across the US act responsibly in the secure electronic transmission of patient data, and in the secure storage and disposal of that data.
- The Fair and Accurate Credit Transaction Act (FACTA) of 2003 added new provisions to the federal Fair Credit Reporting Act, designed primarily to help consumers combat the growing crime of identity theft. FACTA covers accuracy, privacy, restrictions on information sharing, and new consumer rights to disclosure.
- The Gramm-Leach-Bliley Act (GLBA), established in 1999, requires financial institutions throughout the U.S. to safeguard the confidentiality and security of consumer data.
- The HITECH Business Associates Agreement. Under this agreement, medical offices, doctors' offices and hospitals are required to have a written agreement with their document shredding company covering the disposal of PHI (Protected Health Information). The other key element of a Business Associates Agreement is the commitment that organizations will take the necessary steps to implement suitable administrative, physical and technical safeguards.
- The Economic Espionage Act (EEA), established in 1996, makes the theft of "all types of financial, business, scientific, technical, economic, or engineering information" from a business a crime. While compliance is not obligatory, should an incident occur, your business will be held liable if it cannot prove it took preventative measures to protect sensitive information.
- The Sarbanes-Oxley Act (SOX), enforced since 2002, states that paper and electronic files must be retained for five years. It also requires public organizations to disclose and evaluate their internal procedures. This makes an internal document retention and document destruction policy vital to compliance.
What Can You Do to Protect Your Health Club?
The first step is to make sure that your health club's website and all of your landing pages have an active SSL certificate. SSL is the standard for encrypting traffic to and from a website. SSL certificates are now effectively mandatory for having your website ranked on Google, and a site without one will be flagged and heavily penalized. Also, make sure that any data collected via email is stored on a secure server protected by a properly configured firewall.
When disposing of any outdated or out-of-use digital drives, use a certified digital data security expert. Many companies offer the specialized service of hard drive destruction, and you should keep the certificate of destruction they provide as evidence of compliant disposal.
Maintaining an internal document destruction team can be a costly undertaking. It is often much more cost-effective and efficient to outsource your paper shredding needs. Factoring in employee wages and benefits as well as the typical depreciation and maintenance costs of the equipment, it can in most cases cost over $100/month to operate an office-quality shredder. Search your local area for professional shredding companies. For example, a company in Austin, TX could run a Google search for Paper Shredding Austin and find a variety of providers with options that may fit your company's needs.