There are many laws in effect that require businesses to protect the privacy of their clients. Not knowing these laws is a mistake with legal and financial consequences, which are both easily avoidable. Breaking these laws is as easy as throwing a piece of paper in the trash. Utah Shred can help you establish the correct shredding policies, document retention, and shredding practices for your organization. Managing your document retention needs effectively can eliminate the cost of retaining documents longer than their suggested retention periods.
For your convenience, we have listed the most current suggested retention period guidelines. Please note that this is only a general guide and each state, industry, and company’s actual retention period guidelines must be determined individually.
Consideration should be given to federal and state guidelines, as well as your own operational needs. You should consult your legal advisor for a more detailed retention guide.
Described below are several of the federal laws and their requirements.
Health Insurance Portability & Accountability Act (HIPAA)
This federal law, passed by Congress in 1996, and the accompanying 2002 regulation known as the Privacy Rule apply to all health care entities and restrict how health care providers may handle and disclose personal Protected Health Information (PHI). PHI is defined as any identifiable health, medical, or demographic information that describes the individual’s personal identity. This includes, but is not limited to, name, address, phone number, e-mail, photographs, charts, tests, records, etc. In general, health care entities must ensure that only approved personnel handle protected health information and then only for purposes specified in the law and regulation.
Health Information Technology for Economic and Clinical Health (HITECH)
The Health Information Technology for Economic and Clinical Health (HITECH), enacted by the federal government in 2009, enhances and amplifies the HIPAA laws.
Fair and Accurate Credit Transactions Act (FACTA)
Effective June 2005, the Fair and Accurate Credit Transactions Act of 2003 was designed to protect consumers from the increasingly common crime of identity theft. This particular law applies to every business in America that collects customer information to ensure that the information is protected from unauthorized access or use. In addition, the Disposal Rule requires that when such information is discarded, it must be appropriately destroyed by shredding, burning, or pulverizing.
The Gramm-Leach-Bliley Act
This 1999 act was instituted to modernize financial institutions and businesses that receive personal information in the course of conducting business. This law contains the Financial Privacy Rule, which requires financial institutions to provide their clients with comprehensive privacy notices. The act also includes the Safeguards Rule, which requires most financial institutions to establish thorough standards and safeguards for the handling and disclosure of that information.
The Sarbanes-Oxley Act
This act was passed in 2002 in response to many of the corporate and security fraud violations that were making news at the time. It is extremely detailed and implements a wide range of requirements that companies must abide by. Within these rules, it is clearly defined that the “destruction, alteration, or falsification of records in federal investigations and bankruptcy,” along with the “destruction of corporate audit records,” are illegal and could possibly result in a large fine and as many as 10 years of imprisonment.
The Economic Espionage Act
This act, passed in 1996, concerns trade secrets and the theft thereof. While it is certain that you would not knowingly try to steal or sell trade secrets, the act does make it clear that large fines and possible imprisonment await any person or organization who “without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret.” As this applies to throwing a trade secret in a public garbage lot, shredding information related to trade secrets is extremely important. It is also cost-effective, especially considering that organizations that violate this act can be fined as much as 10 million dollars!
Red Flag Rules
This act requires financial institutions and creditors to develop and implement an identity theft prevention program in connection with both new and existing accounts. This must include reasonable policies and procedures for detecting and preventing identity theft. Financial institutions faced a mandatory deadline of November 1, 2008 to comply.
Federal Privacy Act of 1974
This law was established in 1974 to ensure that government agencies protect the privacy of individuals and businesses with regard to information held by them and to hold these agencies liable for any information released without proper authorization.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal U.S. law that protects the privacy of student education records.
Business Records Retention Schedule
Utah Shred assumes no liability for the information contained herein. It is merely a guide and you are urged to consult your company’s accounting and legal consultants to review and approve your final schedule.
Accident Reports/Claims (Settled Cases): 7 Years
Accounts Payable Ledgers And Schedules: 7 Years
Accounts Receivable Ledgers And Schedules: 8 Years
Audit Reports: Permanently
Bank Statements: 7 Years
Capital Stock And Bond Records: Permanently
Ledgers, Transfer Registers, Stubs Showing Issues, Record of Interest Coupons, Options, Etc: Permanently
Charts Of Accounts: Permanently
Checks (Cancelled Checks For Important Payments, Special Contracts, Purchase Of Assets, Payment Of Taxes, etc. Checks Should Be Filed With The Papers Pertaining To The Underlying Transaction): Permanently
Checks (Cancelled Except Those Noted Above): 7 Years
Contracts And Leases (Expired): 7 Years
Contracts And Leases Still In Effect: Permanently
Correspondence, General And Schedules: 2 Years
Correspondence, Legal And Important Letters: Permanently
Correspondence, Routine With Customers/Vendors: 2 Years
Deeds, Mortgages And Bills Of Sale: Permanently
Depreciation Schedules: Permanently
Employee Personal Records (After Termination): 10 Years
Employment Applications: 3 Years
Financial Statements (Year-end, Other Months Optional): Permanently
General Ledgers, Year-end Trial Balances: 7 Years
Insurance Records, Policies, etc: Permanently
Internal Audit Reports: 7 Years
Inventory Records: 7 Years
Invoices to Customers Or From Vendors: 7 Years
IRA And Keogh Plan Contributions, Rollovers, Transfers And Distribution: Permanently
Minute Books Of Directors, Stockholders, Bylaws & Charter: Permanently
Payroll Records, Summaries And Tax Returns: 7 Years
Petty Cash Vouchers: 7 Years
Property Records, Including Costs, Depreciation Reserves, Year-End Trial Balances, Depreciation Schedules, Blueprints, And Plans: Permanently
Purchase Orders: 7 Years
Receivables Records: 7 Years
Safety Records: 10 Years
Sales Records: 7 Years
Stock And Bond Certificates (Cancelled): Permanently
Subsidiary Ledgers: 7 Years
Tax Returns, Revenue Agents' Reports, And Other Documents Relating To Determination Of Income Tax Liability: Permanently
Time Cards And Daily Reports: 7 Years
Trademark Registrations, Patents, And Copyrights: Permanently
Voucher Register And Schedules: 7 Years
Vouchers For Payments To Vendors, Employees, etc. (Includes Allowances & Reimbursements Of Employees, Officers, etc., For Travel & Entertainment Expenses): 7 Years