Laws and Regulations.
Do you have more questions?

Health Insurance Portability and Accountability Act (HIPAA), was enacted in 1996 and includes provisions intended to safeguard the privacy of patient health records. HIPAA is a significant piece of legislation with onerous penalties.
GLB (Gramm Leach Bliley)
Gramm Leach Bliley (GLB) is another federal law with a much broader scope than HIPAA. This law was designed to compel financial institutions to “respect the privacy of its customers and to protect the security and confidentiality of those customers’ non-public personal information.” This language suggests that paper documents containing such personal information should also be protected when in use and safely destroyed when no longer current and usable.


Sec. 682.3 Proper disposal of consumer information.

(a) Standard. Any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal would include:

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.



The Code States: Paper records. Paper records shall be shredded, pulped or incinerated. If paper records are destroyed within an office or agency, records shall be shredded by a mechanical cross-cut shredder that reduces paper to a size no wider than 3/8 inches. The custodian of the records must prepare a certificate of destruction that lists what records have been destroyed, who destroyed the documents, and the date of destruction.

If the shredding is done off site, or by a contractor, locked bins are required to protect the records prior to shredding. Contractors doing the shredding must be bonded. The agency contracting for the shredding retains responsibility for protecting the social security numbers on the records until destruction. A representative of the contracting agency shall witness the destruction.


Chapter 120. Regulations Governing the Destruction of Public Records Containing Social Security Numbers » 17VAC15-120-30. Procedures. 

Get Started

Call Today

(757) 656-4446