Several federal and state regulations require companies to protect their clients’ and/or employees’ confidential information. The most common ones are HIPAA and FACTA, but others exist as well. Below you will find a breakdown of some of the more common regulations to help you make sense of it all.

Compliant with Shred a Box

Will I Achieve Compliance with Shred a Box?

Yes! Utilizing a 3rd party destruction vendor is one way to establish corporate compliance to these regulations. Plus, the tracking and accountability built into the Shred a Box process offers a more robust compliance option than many other services. Destruction at a secure facility, destruction videos, certificates of destruction, and online order history are just some of the ways we’ll help your company meet its compliance needs.


HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 and establishes national standards for the security of protected health information. Part of the language in the act requires that covered entities take appropriate and reasonable safeguards to prevent unintended use of this protected data.

Medical Records
Entities that are likely covered by this act include:
Health Care Providers:
  • Doctors
  • Dentists
  • Hospitals
  • Psychologists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
Health Plans:
  • Insurance companies
  • HMOs
  • Government programs
  • Company health plans
For more information on HIPAA, please visit


FACTA stands for the Fair and Accurate Credit Transactions Act of 2003 and requires that entities use reasonable and appropriate measures to dispose of information derived from consumer reports. Examples of this type of information include but are not limited to credit reports, credit scores, employment background, residential history and medical history.

Employees Personnel File
Entities that likely require compliance include:
  • Employers
  • Landlords
  • Small Business Owners
  • Banking Institutions
  • Financial Investment Firms
  • Government Agencies
  • State and Municipal Offices
  • Mortgage Brokerage Firms
  • Accounting Firms
  • Law Firms
  • Insurance Agencies
  • Retailers
  • Auto Dealerships
  • Hotels
  • Law Enforcement
  • Correctional Facilities
  • School Districts
  • Colleges


GLBA stands for the Gramm-Leach-Bliley Financial Modernization Act of 1999 and requires financial institutions to provide customers with privacy notices explaining the organization’s information-sharing policies. It also allows consumers to opt out of this information sharing in most instances. The institution must adopt appropriate standards to protect consumer information as well. For more information on GLBA, please visit

FTC Red Flag Rule

The Red Flag Rule is enforced by the Federal Trade Commission and requires many organizations to implement a written “Identity Theft Prevention Program” to detect the warning signs or “red flags” of identity theft in their ongoing operations. For more information on the Red Flag Rule, please visit

Massachusetts 201 CMR 17.00

Massachusetts 201 CMR 17.00 requires any person or entity with access to personal information of a Massachusetts resident to protect that information, including the development of a Written Information Security Program. For more information on Massachusetts 201 CMR 17.00, please visit

Sarbanes Oxley

The Public Company Accounting Reform and Investor Protection Act of 2002 (aka Sarbanes Oxley) is a federal law which mandates a number of reforms in order to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. It includes a provision requiring public companies to evaluate and disclose the effectiveness of their internal control systems. This law was passed in an effort to improve corporate responsibility in response to scandals and fraudulent activity. For more information, please visit


NAID is the National Association of Information Destruction and serves as the leading international trade association for the information destruction industry. NAID-compliance indicates that an organization adheres to NAID’s required standards and ethics and is therefore considered a certified service provider. For more information about NAID, please visit their website at