Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Protecting Personnel Information and Privacy
Beginning June 1, 2005, a new federal rule requires businesses and
individuals to take appropriate measures to dispose of sensitive information
derived from consumer reports. Any business or individual who uses a
consumer report for a business purpose is subject to the requirements of the
Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of
2003 (FACTA), which calls for the proper disposal of information in consumer
reports and records to protect against "unauthorized access to or use of the
information."
The Rule applies to individuals and to organizations of any size that use
consumer reports, including: consumer reporting companies; lenders;
insurers; employers; landlords; government agencies; mortgage brokers; car
dealers; attorneys; private investigators; debt collectors; individuals who
pull consumer reports on prospective home employees, such as nannies or
contractors; and entities that maintain information from consumer reports as
part of their role as a service provider to other organizations covered by
the Rule.
The Disposal Rule applies to consumer reports or information derived from
consumer reports. The Fair Credit Reporting Act defines the term consumer
report to include information obtained from a consumer reporting company
that is used - or expected to be used - in establishing a consumer's
eligibility for credit, employment, or insurance, among other purposes.
Examples of consumer reports include credit reports, credit scores, reports
businesses or individuals receive with information relating to employment
background, check writing history, insurance claims, residential or tenant
history, or medical history.
The Rule requires disposal practices that are reasonable and appropriate to
prevent unauthorized access to, or use of, information in a consumer
report. For example, reasonable measures for disposing of consumer report
information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so
that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report
information so that the information cannot be read or reconstructed; or
- conduct due diligence and hire a document destruction contractor to dispose
of material specifically identified as consumer report information
consistent with the Rule.
Due diligence could include:
- reviewing an independent audit of a disposal company's operations and/or
its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade
association; or
- reviewing and evaluating the disposal company's information security
policies or procedures.
Financial institutions that are subject to both the Disposal Rule and the
Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires institutions to
take steps to protect sensitive customer information, should incorporate
practices dealing with the proper disposal of consumer information into the
information security program that the Safeguards Rule requires. Information
is available at
http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html
Protecting Your Health Information
What you need to know about the Health Insurance
Portability and Accountability Act (HIPAA).
Identity theft. Credit card fraud. Computer viruses. Concern for the privacy
and security of personal information has never been greater, and we have
never taken the safety and security of your personal health care information
more seriously.
While we have always gone to great lengths to
ensure the privacy of your personal health information, we will soon be getting
additional help from the Federal Government in the form of new regulations.
These regulations will help standardize privacy and security requirements across
the country and across all different types of health care organizations.
New Regulations Passed
The regulations are part of the Health Insurance Portability and Accountability
Act or HIPAA, for short. HIPAA does three primary things:
- It helps standardize and simplify the way
health care organizations exchange electronic health care data.
- It provides consumers with additional
protections for getting and maintaining health insurance coverage; although,
it does not guarantee coverage.
- It creates new security rules to ensure the
safety and privacy of individual health information and medical records.
HIPAA Ensures the Privacy and Security of
Individual Health Information
Currently, individual state laws govern use and disclosure of this information,
creating many inconsistencies and gaps in the way your health information is
protected. HIPAA sets minimum security and privacy standards for health care
organizations to follow. If a state has more stringent privacy and security
laws, then those would be followed instead.
In addition, HIPAA sets heavy penalties
for violations of these standards and the misuse of personal health information.
Defining Individual Health Information
Every time you see a doctor, are admitted to a hospital, fill a
prescription or send a claim to an insurance company, a record is made of your
confidential health information. This type of information is referred to as
individually identifiable health information and is the type of information
regulated by HIPAA. It can be in any format: electronic, paper or oral.
Health care organizations that collect and manage this type of information,
and are therefore covered by these regulations, include physicians, physical
therapists, mental health professionals, dentists, chiropractors, optometrists,
podiatrists, and others; hospitals; health plans, including employer-sponsored
group health plans; health care clearinghouses such as claims processors; and
other health care organizations that conduct administrative and financial
transactions.
Added Control Over Health Information
Under HIPAA, you have new rights to understand and control how your health
information is used:
Right to education -
Health care providers and health plans are required to provide you with a clear
written explanation of how they intend to use and disclose your information.
Right to access medical records -
You have the right to see and get copies of your medical records, request
changes, and receive an accounting of non-routine disclosures of your personal
health information.
Right to consent -
Health care providers are required to obtain your prior consent before sharing
personal health information for purposes other than treatment, payment and
health care operations.
Right to recourse -
You have the right to file a formal complaint if you believe the regulations
have been violated.