Security Shredding News Fall 2019

Volume 16, Issue 3

Security Shredding News: Serving the Security Shredding & Records Storage Markets

Visit us online at www.SecurityShreddingNews.com

Building Bridges

Electronics recyclers encounter numerous obstacles in their efforts to refurbish and resell electronics, but they hope to work with manufacturers, not against them, to achieve mutual goals.

By Jessica Zimmer

Advances in electronic product design have given the public astonishingly small, fast, and powerful digital tools in the past few years. These advances have given electronics recyclers something else, too: headaches. Electronic devices can present numerous barriers to repair or refurbishment as well as to recycling. It’s not necessarily intentional, says Billy Johnson, chief lobbyist for the Institute of Scrap Recycling Industries (ISRI) and liaison to ISRI’s Electronics Division. “We understand [original equipment manufacturers] were not designing with recycling first and foremost. Yet when a product gets broken, it comes to us.”

Recyclers and electronics manufacturers have a symbiotic relationship, Johnson says. The OEMs often hire recyclers to perform warranty repairs or to ensure their products are recycled in ways that maximize material value, control hazards, and minimize waste. As OEMs have received negative publicity for some practices (their use of hazardous substances, batteries that catch fire, and so forth) and as they have become more environmentally and socially aware, they have become more receptive to recycler suggestions, Johnson says. “We’ve opened up a lot of lines of communication with them that we haven’t had in the past. … We’re telling them, ‘We want to help you. How can we figure out some answers?’ We can help OEMs create devices which are more recyclable and repairable.”

Increasingly the two groups are trying to work together to resolve these issues. This is good for the OEMs’ image, and it’s essential for many recyclers’ bottom lines. With electronic products getting smaller and containing fewer metals, especially precious metals, “we’re seeing the value proposition change,” explains Darrell Kendall, executive director of the Recycling Industry Operating Standard (RIOS), a management system ISRI founded for quality, environment, health, and safety management in recycling operations. “The scrap value of a phone is less than a couple of dollars,” he says. “If you wipe the data, unlock a phone, and refurbish it, you can sell it for between $250 and $300. Secondhand phones may have another five years of life. Recyclers are looking to have a fair shake of maximizing the value and minimizing the cost of repair.”

Remaining barriers to repair and refurbishment are physical, informational, and technological. Recyclers say they use patience and creativity to surmount these obstacles, and they work with ISRI to advocate for solutions, whether voluntary or through laws or regulations. While a nascent right-to-repair movement in the United States also is working toward increasing everyone’s access to parts, repair information, and increased legal rights to repair and modify electronic products, ISRI and some recyclers draw a distinction between that group’s goals and those of professional recyclers.

Repair barriers

Electronics manufacturers say they make design decisions to innovate or improve performance. In comments Microsoft submitted to a Federal Trade Commission-hosted event in July called “Nixing the Fix: A Workshop on Repair Restrictions,” it stated that design choices “that incidentally impact reparability can also be innovative responses to consumer preferences and may form the basis on which companies compete. … For example, one company may choose to affix a battery in a certain way in order to maximize its size and power, enabling longer device run time; while another company may make batteries easier to replace, which might require a smaller battery, resulting in shorter run time.”

Kendall notes that “when [electronics manufacturers] glue or wedge a battery in, or build components around or on top of it, they’re showing that they think this is the best place for the battery.” They use glue and other materials in ways that reflect their focus “on creating a quality product they can sell for a maximum profit.” They also respond to customer demands, from batteries that don’t come loose when the device is dropped to creating a “glass sandwich” so a phone is waterproof, stylish, and light, he says.

Glued-down parts, fragile parts, and thin separators between battery components present significant challenges for recyclers, however. Excess glue makes it hard to open up the device and reach its components, particularly the motherboard, without causing damage. Fragile plastic and aluminum parts inside a device can bend or break off during repair. “The shinier, the smaller, the prettier it is, the harder it is to take apart,” says Jim Levine, president of Regency Technologies (Twinsburg, Ohio). “While [design for recycling] has come a long way with certain products, like LED TVs, smaller devices such as cellphones, tablets, and wearables have become more of a challenge than ever before. Working on these devices in a safe and effective manner takes training, supervision,

Continued on page 3


Have you started shredding hard drives and SSDs yet?

The future is here. Everything needs to be destroyed. No better time than now to create a new revenue stream for your business.

ALLEGHENY MANUFACTURES a complete line of powerful hard drive shredders, providing everything from 3 HP shredders for those companies just entering into this thriving business, to 20 HP fully automated E-scrap destruction systems. All of our Hard Drive Shredders can be equipped for mobile on-site shredding, giving you the option to shred at your place…or theirs!

Securely Shred SSDs and Rotary HDs

Don’t forget about Allegheny’s SelecShred™ Hard Drive Shredder! Manufactured with a split head cutting assembly, this shredder allows solid state drives and rotary hard drives, as well as cell phones, USB drives, CDs, and many other e-scrap products, to be destroyed on the SAME machine.

We’ll help get you started!

Don’t fall behind the times! Our experts will help you launch your own hard drive destruction service right away, so you can reap the benefits of this growing and critical niche in information destruction.

Call us today: 800-245-2497 ■ alleghenyshredders.com

12HD20 SelecShred™ Hard Drive Shredder

© 2017 Allegheny Paper Shredders Corporation ■ Old William Penn Hwy E, Delmont, PA 15626 ■ 800-245-2497 toll free ■ alleghenyshredders.com


Building Bridges Continued from page 1

and continuous change based on the design and material composition of particular devices,” he says.

The careful work this requires increases labor costs, recyclers say. It can take 15 to 20 minutes to get a device open, which means one employee could end up working on fewer than 30 units a day, one recycler notes. “It’s a real concern when the processor chip is glued to the motherboard” in phones and tablets, for example, says Adam Shine, vice president of Sunnking (Brockport, N.Y.). “It makes it very difficult and labor-intensive to process these units.” Typically, you have to heat the device to loosen the glue, he explains, then you have the “arduous process” of removing the chip or other glued-down components without damaging them or anything around them. “It presents challenges to replace a battery, for instance, and could lead to further damage, requiring the phone or tablet to be recycled when it could otherwise be repurposed.”

Recyclers address physical repair difficulties by hiring skilled technicians, training them extensively, and setting safety rules for the workplace. They also require technicians to watch repair videos and repeat certain tasks. “Each one of our team members sits through a rigorous training course,” says Chris Ko, managing partner of ER2 (Mesa, Ariz.). The company’s certifications testify to its controls for quality, environment, health, and safety, he notes. “We’re ISO 9001, ISO 14001, and OHSAS 18001 certified. We have videos, pictures, and physical product demos in the workplaces available as well.”

Recyclers that have a contract to repair devices for brand owners can get repair instructions from the product’s source. When they can’t access official repair instructions, they sometimes turn to the Internet, they say. The online repair clearinghouse iFixit has been helpful in providing guides, tools, and forums, Shine says. “It’s given us much more access to manufacturer manuals and repair guides. We also go to YouTube for repair videos.”

When it comes to finding parts, professional recyclers that handle thousands or millions of electronic products have one advantage: They often can harvest reusable parts from the end-of-life products they handle. That’s what happens at Sims Recycling Solutions (Roseville, Calif.), says Doug Buffenbarger, global product sales manager. Sims builds a “bank” of original parts recovered from disassembled devices, he says. HOBI International (Dallas) does that as well, says Craig Boswell, president and co-founder. HOBI also buys parts from online sellers, but it puts in a lot of effort to make sure the parts are high-quality, he notes. It tests 100% of the parts it recovers for reuse and a sample of those it purchases new.

PUBLICATION STAFF
Publisher / Editor: Rick Downing
Contributing Editors / Writers: Jessica Zimmer • Sandy Woodthorpe
Production / Layout: Barb Fontanelle • Christine Mantush
Advertising Sales: Rick Downing
Subscription / Circulation: Donna Downing
Editorial, Circulation & Advertising Office: 6075 Hopkins Rd., Mentor, OH 44060 • Ph: 440-257-6453 • Fax: 440-257-6459 • Email: downassoc2@oh.rr.com • www.securityshreddingnews.com
For subscription information, please call 440-257-6453. Security Shredding News (ISSN #15498654) is published bimonthly by Downing & Associates. Reproduction or transmission of Security Shredding News, in whole or in part, without written permission of the publisher is prohibited. Annual subscription rate U.S. is $19.95. Outside of the U.S. add $10.00 ($29.95). Contact our main office, or mail in the subscription form with payment.

Breaking locks

Technological barriers can prevent otherwise functioning mobile devices from being erased, refurbished, and resold. Security locks like those in Apple’s “Find My iPhone” feature allow owners to remotely disable, or “brick,” a device that’s been lost or stolen. Devices with that feature activated can legitimately end up at a recycling facility: The owner might replace the device and then later find and recycle the one that went missing, for example. And some device owners wrongly believe using that feature to erase a device is necessary to ensure data security when they recycle old devices. A remote erase does wipe the device, but it leaves the activation lock in place, so the device cannot be reactivated without the original account; signing out of the account and then performing a factory reset both removes the data and releases the lock, which is what a refurbisher needs. Unfortunately, when recyclers receive bricked devices, it’s impossible to disassociate the device from the owner to clear the data and allow it to function again, Boswell says. The same is true when the device is locked to a specific cellphone carrier, such as AT&T or Verizon. Boswell would like the carriers to aid recyclers with bulk unlocking.

Regulatory changes related to the Digital Millennium Copyright Act (DMCA) have reduced some technological barriers to the repair and resale of electronic devices. The U.S. Copyright Office, which reviews exemptions to the DMCA’s anti-circumvention provisions every three years, had previously approved “unlocking” some used wireless devices from their original network provider and “jailbreaking,” or removing software restrictions so that third-party software (such as data erasure software) can run on these devices. In 2018, it expanded the range of devices it’s legal to unlock or jailbreak to cover not just cellphones and tablets, but also mobile hot spots, wearables, and voice-activated devices like smart speakers. Also notable was its expansion of these permissions, which previously applied only to used devices, to any “lawfully acquired” devices in those categories, whether new or used. ISRI and others had petitioned for that change to allow recyclers to refurbish and resell surplus new devices, such as those a manufacturer might want to retire when introducing a new model.

Some technology barriers remain, such as those that tie a device to a specific organization (for example, a university or company) and BIOS locks, which require a user login to the computer’s basic input/output system before the machine will boot up. BIOS locks can be broken, but doing so limits the degree to which the recycler can customize the device, which is not acceptable to most clients, Ko says. Clients that sell him devices for refurbishment must provide the information to unlock them. “Many times devices are locked because the customer owes the carrier money. In that case, we go back to the client,” he says. Manufacturers and software security firms also can break enterprise and BIOS locks when the recycler has authorization from the device seller, but doing so costs additional time and money.

Right to reuse vs. right to repair

ISRI’s position on right to reuse, which the ISRI Board of Directors adopted in 2016, supports laws and regulations that allow recyclers to reuse and remarket electronic products. This includes policies that allow them to bypass technological protection measures (such as by unlocking and jailbreaking); give them access to repair manuals, parts, tools, and diagnostic software; and provide recyclers with the right to market used products without warranty. ISRI’s support for right to reuse applies to professional recyclers, Johnson says. “If you’re a genuine recycler, even if you’re a one- to two-person shop, you have safety standards, liability insurance, and a business license. You’re in compliance with OSHA regulations and the Fair Labor Standards Act,” he says.

Professional recyclers’ interests overlap with, but also differ from, the wider right-to-repair movement, which advocates for broader rights for anyone, device owners and third parties alike, to access repair manuals and parts and to legally open, repair, and modify devices. ISRI’s concern is that

Continued on page 4


Building Bridges Continued from page 3

“individuals often don’t have the competencies nor the proper facilities to perform these processes safely,” Johnson says. Currently, ISRI members’ goals are more closely aligned with those of the OEMs than with right-to-repair advocates, Johnson says. “OEMs don’t want a product to go on the market if it’s not in compliance” with regulatory requirements and quality-control standards, and recyclers want the devices they sell to meet those standards as well, he says. “Our recyclers repair devices in big factories, not in-home kitchens. … We’re not sure the average person is qualified to fix the devices OEMs make.” For example, wireless devices must comply with Federal Communications Commission regulations for electromagnetic interference to ensure their signals don’t crowd out signals on the Emergency Alert System, he says.

Kendall notes that if customers and small repair operations have more access to devices, this might negatively impact the quality of products recyclers receive. Individuals who “Frankenstein” their devices, “altering the equipment to do different things than the purpose for which they were intended,” create “greater risk for the recycler that someone’s done something to mess up the phone’s function,” he says. This might include using substandard parts, with substandard batteries being the most worrisome.

Some right-to-repair legislation could force recyclers to share proprietary repair methods, Boswell adds. “We devised our own methods with our engineering team to repair devices more quickly and more safely [than other recyclers]. … There is a line where we cross into intellectual property.” He supports broader access to a limited amount of additional repair information when a repair can be done in a “straightforward fashion,” but not to more complex work. “For example, a customer shouldn’t be able to take a Tesla battery and make it into a power wall for their house. There’s a safety concern. Where does the liability fall?”

One particular concern is the lithium-ion battery most devices contain. These batteries can explode if the thin plastic separator between the cathode and anode is breached. This poses a danger to anyone fixing a device without the proper training or safety precautions.

These recyclers differ as to what criteria should decide who gets greater access and information; in other words, who’s a professional recycler? Certification might be the best measure, Shine says. “Fly-by-night companies which haven’t invested in certification shouldn’t have access to manuals. There is a cost associated with doing things the right way.” Certification programs for electronics recyclers include the Responsible Recycling (R2) standard from Sustainable Electronics Recycling International (Hastings, Minn.), R2/RIOS, e-Stewards from the Basel Action Network (Seattle), and AAA certification for information destruction from the National Association for Information Destruction (Phoenix), in addition to the various ISO standards that apply to a wide range of businesses. Buffenbarger suggests that trade association membership or qualification from OEMs, such as becoming a Microsoft Authorized Refurbisher, might be worthwhile criteria as well.

Some professional recyclers are more supportive of the right-to-repair movement’s broader goals. “Anybody should be able to repair electronic products if they have the mind to do it,” Ko says. “We have to be better than the guy in the workshop. That’s our business.” Sims Recycling Solutions’ Buffenbarger agrees. “The interests of large recyclers and small repair shops are relatively closely aligned.” If the right-to-repair movement made gains, “that would make it easier for us to repair devices, too.”

As ISRI continues its dialogue with electronics manufacturers on how they can facilitate repair and recycling, Johnson emphasizes that ISRI members want to do repair properly, and OEMs feel pressure from their customers and shareholders to ensure their recycled products operate properly and safely. “Hopefully, with that pressure, together we should be able to make progress” on expanding recyclers’ right to reuse, he says.

Jessica Zimmer is a freelance writer based in Santa Rosa, Calif. Reprinted with permission from the September/October 2019 issue of Scrap. © Institute of Scrap Recycling Industries, Inc. All rights reserved.

www.youtube.com/keithmfgco • www.keithwalkingfloor.com


Est. 1991

YOU BUY IT, WE’LL HELP YOU FINANCE IT

WE PROVIDE A CONVENIENT AND COST-EFFECTIVE SOLUTION! Lease or Loan Financing • Simple Application Process • Low Initial Investment • Financing new or pre-owned equipment • Serving the US & Canada • Competitive Rate Structure

FINANCING THE WORLD OF TRANSPORTATION
Terry Lee, Eastern States: 303-301-7651, tlee@transleaseinc.com
Doug Ferrante, Western States: 509-389-1267, doug.ferrante@transleaseinc.com
www.transleaseinc.com

HHS Lowers Penalties for “Unintentional” Data Breaches

According to a Dark Daily article, a move by the Department of Health and Human Services (HHS) to revise its civil money penalties (CMPs) for patient data breaches will help distinguish persistent patterns of Health Insurance Portability and Accountability Act (HIPAA) failures from unintentional ones. Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” The revised penalties govern how the agency deals with covered entities and their business associates. The new annual limits recognize “unintentional” violations: organizations that have taken measures to meet HIPAA requirements will face lower penalties than those found neglectful.

Here are the new penalties, presented as the per-violation range followed by the annual limit for that tier:

• No Knowledge: $100-$50,000 per violation; $25,000 annual limit.
• Reasonable Cause: $1,000-$50,000 per violation; $100,000 annual limit.
• Willful Neglect, Corrected: $10,000-$50,000 per violation; $250,000 annual limit.
• Willful Neglect, Not Corrected: $50,000 per violation (minimum and maximum); $1.5 million annual limit.

Previously, the annual limit was $1.5 million for every tier:

• No Knowledge: $100-$50,000 per violation; $1.5 million annual limit.
• Reasonable Cause: $1,000-$50,000 per violation; $1.5 million annual limit.
• Willful Neglect, Corrected: $10,000-$50,000 per violation; $1.5 million annual limit.
• Willful Neglect, Not Corrected: $50,000 per violation (minimum and maximum); $1.5 million annual limit.

COMMITTED TO MAKING THE INDUSTRY STRONGER

Standards • Grade specifications • Bale loading standard • Contract standards • Committed to providing a safe and healthful workplace

Make your voice heard: join the PSI today. PaperStockIndustries.org | Email: PSI@isri.org

New York Lawmakers Increase Privacy Protections for Residents

New York, NY – As of October 23, 2019, legislation signed by Governor Andrew Cuomo in July adds a state-level layer of protections for privacy and data breach notifications, according to a media release. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act holds businesses more accountable for the data for which they are responsible and gives individuals more control over how their private data is used.

Under SHIELD, a breach is defined as “unauthorized access to or acquisition of, or access to or acquisition without valid authorization of, computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.” However, the act allows that “Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.”

SHIELD also expands the definition of private information to cover data concerning a natural person that can be used to identify the individual, including: a Social Security number; a driver’s license number or identification card number; an account number or credit or debit card number in combination with any required security code, access code, or password; and other information (including biometric information) that would permit access to an individual’s financial account. An account number or credit or debit card number is protected whether encrypted or not.

Among other provisions of the law are detailed standards and procedures for handling different types of private information, as well as parameters and timelines for breach reporting and notifications. In addition, SHIELD applies its notification rules beyond the state of New York to any person or entity holding private information of a New York resident, not just those who conduct business in New York State.

News Team Finds Boxes of Medical Records

Following a tip, the NBC New York I-Team found more than a hundred medical files in boxes stacked next to a trash bin outside an Upper East Side office building in September. The boxes of records had been removed from an office previously shared by Dr. Jonathan Warman and Dr. Alexander Chun, who have offices in a building near Lenox Hill Hospital. The files contained patient names, Social Security numbers, and sensitive medical diagnoses. The Chun & Warman Medical Group specializes in gastroenterology and internal medicine.

Dr. Warman explained to the NBC I-Team reporter that the doctors had moved their practices to new offices down the hall in the same building. The doctors’ office staff had contracted a shredding company to dispose of patient files, and the boxes had been left in the vacated office awaiting disposal. He said the office had been locked. Dr. Warman believes that their cleaning crew may have accidentally thrown out the patient files without permission from the doctors.

According to a JDSupra.com article, the doctors’ attorney stated that the doctors “categorically deny disposing of any of their patients’ protected health information. They have policies and procedures in place regarding the safeguarding and/or disposal of their patients’ protected health information. The investigation thus far seems to indicate that the records were improperly taken and removed from a locked premises without our clients’ permission.” The doctors requested that the I-Team return their patient files so that they may dispose of them properly.

OCR Settles First Case in HIPAA Right of Access Initiative

Washington, D.C. – In September, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced its first enforcement action and settlement in its Right of Access Initiative. Earlier this year, OCR promised to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request, and providers can only charge a reasonable, cost-based fee.

Bayfront Health St. Petersburg (Bayfront) paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR initiated its investigation based on a complaint from the mother. The right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child. As a result of the OCR action, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html.

Sharp Increase in Healthcare Data Breaches Spikes Security Concern

According to reports in HIPAA Journal and Healio.com, healthcare data breaches this year are up significantly, averaging more than 1.5 per day, up from the 2018 average of 29.5 breaches per month and contributing to a trend of substantially increasing risk. So far in 2019, more than 35 million individuals are known to have had their health care records “compromised, exposed, or impermissibly disclosed.” This number is higher than the previous three full years combined. Notably, the recent major spike in the breach total reported to Health and Human Services (HHS) is mostly due to the massive data breach at American Medical Collection Agency, a contractor to LabCorp and Quest Diagnostics, involving the potential data exposure of close to 20 million patients.

Phishing, hacking, and ransomware dominate the types of IT incidents causing breaches. Hacking/IT incidents breached 602,663 healthcare records, 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records, the HIPAA Journal article states. Of the 49 breaches reported for August, 23 involved PHI stored in email accounts; the majority of those email breaches were due to phishing attacks. Ransomware was associated with 9 breaches reported in 2019 and involved PHI stored on network servers. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls. Breaches involving portable electronic devices such as zip drives and laptop computers are far less common, thanks to the use of encryption. All breaches reported to HHS are posted on the Office for Civil Rights breach portal.

INDUSTRIAL PAPER SHREDDERS • MOBILE SHREDDING SYSTEMS • CDL • NON-CDL • PIERCE-&-TEAR • SINGLE-SHAFT

(336) 285-0021 • 5708 Uwharrie Road, Archdale, NC 27263 • www.vecoplanllc.com

Business Associates and Direct Liability Under HIPAA – OCR Enforcement Actions

According to a blog article by Hinshaw & Culbertson LLP published on JDSupra.com, OCR enforcement actions against business associates are increasing. The three examples below demonstrate OCR’s seriousness about enforcing HIPAA privacy and security requirements.

2019: Medical Informatics Engineering Inc. (“MIE”), a software and medical records service, agreed to pay a $100,000 settlement to OCR and enter into a corrective action plan following a cyber attack in which hackers used a compromised username and password to access the PHI of at least 3.5 million people. Under the corrective action plan, MIE was required to conduct a security risk assessment and implement a security risk management plan.

2018: Filefax, Inc., a medical records storage company, agreed to pay a $100,000 settlement to OCR for leaving PHI for 2,150 patients in an unlocked truck in a parking lot and for failing to properly dispose of PHI documents.

2016: Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), an information technology company, agreed to pay a $650,000 settlement to OCR and enter into a corrective action plan after an employee’s unencrypted iPhone was stolen, thereby exposing the PHI of 412 nursing home residents. Under the corrective action plan, CHCS was required to conduct a risk analysis and risk management plan, develop and implement written HIPAA policies and procedures, train the CHCS workforce on the new HIPAA policies and procedures, and submit HIPAA compliance documentation reports to OCR for two years.

The Hinshaw blog article reminds covered entities to “perform due diligence on potential business associates and monitor and audit business associate compliance and to consider including indemnification provisions in business associate agreements to require the business associate to indemnify the covered entity for losses incurred due to the business associate’s failure to comply with the HIPAA Privacy and Security rules.”

Federal Lawmaker Opinions Differ on National Patient ID

A provision of the Health Insurance Portability and Accountability Act (HIPAA) that paves the way for merging health records into a national database has lawmakers divided, reports WUKY.org. While Kentucky Senator Rand Paul calls the National Patient ID a “dangerous idea” and vows to block implementation, Representative Bill Foster argues that merging health records from different systems, when done carefully, could prevent many medical mistakes. While Senator Paul points to the dangers presented by security breaches and state surveillance, National Patient ID proponents suggest the identifier would enable more timely, accurate care while cutting down on medical errors and redundant costs. Paul warned in a news release that the recent removal of language banning federal funds for the development of the ID could “open the floodgates for a government-issued ID to be linked with the private medical history of every man, woman, and child in America.” The senator is working toward introducing a standalone law repealing the original authority under HIPAA to create the ID.

Ireland, which implemented its national patient identifier in 2016 after less than three years of work, along with England, Scotland, France, and the Nordic countries, has managed to overcome the privacy and commercial competition issues blocking centralized patient records. A 2018 New England Journal of Medicine (NEJM) article notes that, despite the $30+ billion capital investment in mandated electronic patient records in the U.S., the persistent fragmentation of data prevents easy access to information by patients themselves and increases the risk of medical mistakes. “The NHS [National Health Service] number, which does not itself carry any information about a person, allows clinicians to accurately convey information about patients to other health care providers, and simplifies many common tasks,” the NEJM article authors said.

We’re in Your Corner

There’s more to NAID than its widely recognized data destruction operational certification. Revenue from annual dues, its successful conference, and global certification program are used to:

• Engage in Regulatory Advocacy for Laws that Promote and Protect Secure Data Destruction Services
• Conduct Research to Help Members and Customers Make Better Decisions
• Educate Organizations on the Importance of Using a Service Provider

We are Member-Owned & Member-Accountable. Association Dollars are Controlled and Spent to Benefit Members & the Industry.

Join NAID today! Let us fight for you too! www.naidonline.org

OCR Issues Guidance on Direct Liability for Business Associates Under HIPAA

Washington, D.C. – In its most recent guidance, the HHS Office for Civil Rights (OCR) clarifies the direct liability of business associates of HIPAA covered entities and provides instructions for developing, maintaining and monitoring their compliance programs. The agency also reminds covered entities to perform due diligence on potential business associates and to monitor and audit business associate compliance to avoid enforcement actions.

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. In 2013, consistent with the HITECH Act, OCR issued a final rule to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.

As set forth in HITECH and OCR’s 2013 final rule, business associates are directly liable for HIPAA violations as follows:

• Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

• Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

• Failure to comply with the requirements of the Security Rule.

• Failure to provide breach notification to a covered entity or another business associate.

• Impermissible uses and disclosures of PHI.

• Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.

• Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

• Failure, in certain circumstances, to provide an accounting of disclosures.

• Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

• Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Schedule Your Company/Logo Listing in Our 2019 Buyers’ Guide. Deadline is November 22. Contact Rick at 440-257-6453.


ADVERTISER NEWS

The Heico Companies, LLC Acquires Shred-Tech Corporation

The Heico Companies, L.L.C. announced recently that it has completed the acquisition of a majority interest in Shred-Tech Corporation, manufacturer of mobile and stationary shredding equipment for the document destruction and recycling industries. Based in Cambridge, ON, Shred-Tech also has operations in the U.S., U.K. and Thailand. Heico has partnered in the acquisition with Rob Glass, Shred-Tech’s President and CEO, who will continue to lead the Company. Emily Heisley Stoeckel, Heico’s Chairman, said, “Rob Glass and his terrific team have built a high-class company that is a leader in its field; we are excited to work with them to take the Company to its next level. We are optimistic that Heico’s array of global resources will help Shred-Tech continue to grow and expand its offering of exceptional products and services to customers worldwide.” In turn, Rob Glass commented, “We reached a time when some of our founding shareholders were ready to exit the business, and we went on a search for a partner that would provide both a strong, long-term home for the Company and its many valued employees and also the resources to continue our growth and development. With its deep operating expertise, global network of businesses, and long-term investing approach, Heico fits that requirement very well, and we are excited to work with it for years to come.”

Vecoplan, LLC Breaks Ground on Shred Truck Plant Expansion

Vecoplan LLC recently broke ground on its latest plant expansion in Archdale, NC. Equipped with state-of-the-art machinery, the plant will be committed solely to the manufacture of shred trucks for the secure information destruction industry. Luke James, Vecoplan LLC Sales Manager, Mobile Division, cited increased customer demand as the driving force behind the expansion. “We’re going to deliver what our customers have been asking for. By investing in cutting-edge equipment and highly skilled personnel, we will double our production capacity and cut lead times to an absolute minimum.” Once completed, Vecoplan will have 50,000 square feet of dedicated manufacturing space at its U.S. headquarters in Archdale, NC. The new factory will utilize streamlined modular assembly lines that maximize production efficiency and facilitate future expansions. During the groundbreaking ceremony, Vecoplan CSO Bob Gilmore welcomed attendees and reiterated Vecoplan’s intent to continue leading the market with innovation, quality and rapid response to customers’ needs. Gilmore added, “This facility and the very significant investment further solidify our ongoing commitment to the information management and secure destruction market. When complete, this expansion will put Vecoplan in a better position to provide quick delivery of the products the market is demanding.”

Product/Equipment Profiles

Compact Industrial Shredder Destroys HDDs, SSDs and More

Gladiator™ Hard Drive Shredders from Intimus are high-torque, low-speed shredders designed specifically for the physical destruction of a wide range of digital storage media. These compact yet powerful devices feature specially hardened cutters that rip items into small shreds. The shredder is equipped with two separate cutting chambers, each with its own clearly labeled feed chute. This dual-chamber design allows the Gladiator to be used for both HDD and SSD media. Large cutters on the HDD side destroy conventional hard drives including chassis, platters and circuit boards. Smaller cutters on the SSD side destroy solid state drives, optical media including CDs, DVDs, and Blu-Ray, as well as tape media including credit cards, ID badges, floppy discs, VHS, and computer tape. The DIN levels met for each type of media are H-4, E-2, O-2, and T-2, respectively. Operating the Gladiator is simple: a master control panel mounted to the front of the unit controls all machine functions. At 41" wide x 33" deep, the Gladiator requires only minimal floorspace. The unit is powered by a robust 4.5 HP motor and is available in 220V/60 Hz and 400V/50 Hz electrical configurations. For more information, contact Peter Dempsey, Intimus International, 251 Wedcor Avenue, Wabash, IN 46992, TEL: 800-775-2122, www.intimus.com.

Save the Date: April 27-30, Mandalay Bay Resort and Casino, Las Vegas, NV

The ISRI Convention and Exposition is the Largest Event in the Recycling Industry Year After Year! Join recyclers from across the globe for ISRI2020 | Las Vegas. For more information visit www.isri2020.org


6075 Hopkins Rd • Mentor, OH 44060 • Ph: 440-257-6453 • Fx: 440-257-6459 • Email: downassoc2@oh.rr.com

Inside This Issue (VOL. 16 NO. 3, FALL 2019)

• Building Bridges, Page 1
• HHS Lowers Penalties for “Unintentional” Data Breaches, Page 6
• OCR Settles First Case in HIPAA Right of Access Initiative, Page 7
• Federal Lawmaker Opinions Differ on National Patient ID, Page 8
• OCR Issues Guidance on Direct Liability for Business Associates Under HIPAA, Page 9

HIGH PERFORMANCE SHREDDERS

Let us design a shredding system to meet your specific needs. Solving problems and creating opportunities processing a wide range of materials is what we do best. Everything from e-waste, metals, tires, confidential documents, medical waste, plastics, wood and packaged products can be destroyed, size reduced and separated. Research & Development, Engineering, Manufacturing, Parts and Service. Contact us today: www.shred-tech.com, 1.800.465.3214

