Cut Cost
Cut Cost
Save Time
Save Time
Reduce Risk
Reduce Risk
Go Paperless
Go Paperless
Achieve Compliance
A variety of regulations require you to keep different records for differing periods of time under differing levels of security. We stay current with legislation to ensure your records are always compliant with all requirements. BIS provides document imaging and digital storage, and secure shredding and recycling.

Achieve Compliance

Here’s a list of current legislation affecting your company’s records:

Fair and Accurate Credit Transactions Act (FACTA)

FACTA intended primarily to help consumers fight identity theft. Accuracy; privacy; limits on information sharing; and new consumer rights to disclosure are included in FACTA. Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means.

For more information visit Fair Credit Reporting Act or Information on the FACTA Disposal Rule.

Gramm/Leach/Bliley Act (GLBA, G/L/B, or G-L-B)

The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and insurance companies to consolidate.

The Gramm-Leach-Bliley Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule applies to information of any consumers past or present of the financial institution’s products or services.) This plan must include:

  • Denoting at least one employee to manage the safeguards,
  • Constructing a thorough [risk management] on each department handling the nonpublic information,
  • Develop, monitor, and test a program to secure the information, and
  • Change the safeguards as needed with the changes in how information is collected, stored, and used.

For more information visit The Gramm-Leach Bliley Act.

Health Information Technology for Economic and Clinical Health Act (HITECH)

The HITECH Act covers regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. This Act was passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). For more information visit Understanding HIPAA for Covered Entities.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is designed to protect patient health information. The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information for whatever period such information is maintained by a covered entity, including through disposal.

The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.  Changes in HIPAA made in 2009 require more extensive policies and procedures than was previously the case.

Information is available concerning HIPAA Compliance at Understanding HIPAA for Covered Entities.

Lilly Ledbetter Fair Pay Act

This legislation is an amendment to the Civil Rights Act of 1964 passed as a result of the U.S. Supreme Court’s decision in Ledbetter vs. Goodyear Tire & Rubber Co. This Act restarts the 180-day statute of limitations for complaints to Equal Employment Opportunity Commission (EEOC) alleging pay discrimination each time a new “discriminatory” paycheck is issued. Retroactively effective to May 28, 2007, the Act holds that discriminatory pay decisions reoccur each time wages, benefits, or other compensation are paid. Therefore the 180-day time period (300 days if charges are also covered by state or local anti-discrimination laws) for employees to file EEOC charges against their employers is restarted each time employees are paid.

For the complete Act visit The Lilly Ledbetter Fair Pay Act.

Payment Card Industry Data Security Standard (PCI)

PCI is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

To find out more about PCI compliance visit the PCI Security Standards Council

Red Flags Rule

The FTC Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. “The Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts.” To be in compliance, affected businesses and organizations must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.

You can find complete details here: Are you complying with the Red Flags Rule? or watch the FTC video.

Sarbanes-Oxley Act of 2002 (SARBOX or SOX)

The primary effect of this legislation is to eliminate the “I didn’t know” defense for management.  Because Sarbanes Oxley mandates management’s periodic duty to accurately report the state of the entity, accurate records must be kept to document management’s understanding of that state.

Compliance is required for audits and reviews completed on or after October 31, 2003.

Accounting firms must retain for seven years certain records relevant to their audits and reviews of issuers’ financial statements. Records to be retained include an accounting firm’s workpapers and certain other documents that contain conclusions, opinions, analyses, or financial data related to the audit or review.

For more information, go to Final Rule: Sarbanes-Oxley Act of 2002.

Uniform Electronic Transactions Act (UETA)

This Act has been adopted by all but three states (New York, Illinois, Washington).  The states that have not adopted the UETA have their own laws relating to the legal status of electronic records.

You can see a copy of the complete Act here.

Contact us for a detailed business records retention scheduled customized for your records.